Cisco Nexus 7000 Series Security Command Reference

show

To display information about which I/O modules are configured with the command, use the show command.

show

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.2(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

If no I/O modules are configured with the command, the show command has no output.

Examples

This example shows how to display the I/O modules that are configured with the command:


switch# show 
  Module 1 enabled
  Module 3 enabled
switch#

show aaa accounting

To display AAA accounting configuration information, use the show aaa accounting command.

show aaa accounting

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the configuration of the accounting log:


switch# show aaa accounting
         default: local

show aaa authentication

To display AAA authentication configuration information, use the show aaa authentication command.

show aaa authentication [login error-enable | login chap | login mschap | login mschapv2 | login ascii-authentication]

Syntax Description


login error-enable	(Optional) Displays the configuration for login error messages.
login chap	(Optional) Displays the configuration for CHAP authentication.
login mschap	(Optional) Displays the configuration for MS-CHAP authentication.
login mschapv2	(Optional) Displays the configuration for MS-CHAP V2 authentication.
login ascii-authentication	(Optional) Displays the configuration for ASCII authentication for passwords on TACACS+ servers.

Command Default

Displays the console and login authentication methods configuration.

Command Modes

Any command mode

Command History


Release	Modification
5.0(2)	Added the chap keyword
4.2(1)	Added the mschapv2 keyword.
4.1(2)	Added the ascii-authentication keyword.
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the configured authentication parameters:


switch# show aaa authentication
         default: local
         console: local
         dot1x: not configured
         eou: not configured

This example shows how to display the authentication-login error-enable configuration:


switch# show aaa authentication login error-enable
disabled

This example shows how to display the authentication-login CHAP configuration:


switch# show aaa authentication login chap
disabled

This example shows how to display the authentication-login MSCHAP configuration:


switch# show aaa authentication login mschap
disabled

This example shows how to display the authentication-login MSCHAP V2 configuration:


switch# show aaa authentication login mschapv2
enabled

This example shows how to display the status of the ASCII authentication for passwords feature :


switch(config)# show aaa authentication login ascii-authentication
disabled

Related Commands


Command	Description
aaa authentication login ascii-authentication	Enables ASCII authentication for passwords on a TACACS+ server.
aaa authentication login chap enable	Enables CHAP authentication.
aaa authentication login error-enable	Configures the AAA authentication failure message to display on the console.
aaa authentication login mschap enable	Enables MSCHAP authentication.
aaa authentication login mschapv2 enable	Enables MSCHAP V2 authentication.

show aaa authorization

To display AAA authorization configuration information, use the show aaa authorization command.

show aaa authorization [all]

Syntax Description


all	(Optional) Displays configured and default values.

Command Default

Displays the configured information.

Command Modes

Any command mode

Command History


Release	Modification
4.2(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the configured authorization methods:


switch# show aaa authorization
		 pki-ssh-cert: local
         pki-ssh-pubkey: local
AAA command authorization:
         default authorization for config-commands: none
         cts: group radius

This example shows how to display the configured authorization methods and defaults:


switch# show aaa authorization all
		 pki-ssh-cert: local
         pki-ssh-pubkey: local
AAA command authorization:
         default authorization for config-commands: none
         default authorization for commands: local
         cts: group radius

Related Commands


Command	Description
aaa authorization	Configures the default AAA authorization method.
feature cts	Enables the Cisco TrustSec feature.
feature ldap	Enables the LDAP feature.
feature tacacs+	Enables the TACACS+ feature.

show aaa groups

To display AAA server group configuration, use the show aaa groups command.

show aaa groups

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display AAA group information:


switch# show aaa groups
radius
TacServer

show aaa local user blocked

To display the blocked users, use the show aaa local user blocked command.

show aaa local user blocked

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
7.3(0)D1(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the blocked users:


switch# show aaa local user blocked
Local-user       State
testuser         Watched (till 11:34:42 IST Feb 5 2015)

Related Commands


Command	Description
aaa authentication rejected	Configures the login block per user.
clear aaa local user blocked	Clears the blocked users.

show aaa user default-role

To display the AAA user default role configuration, use the show aaa user default-role command.

show aaa user default-role

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(3)	This command was introduced.

Usage Guidelines

User the aaa user default-role command to configure the AAA user default role.

This command does not require a license.

Examples

This example shows how to display the AAA user default role configuration:


switch# show aaa user default-role
enabled

Related Commands


Command	Description
aaa user default-role	Enables the AAA user default role.

show access-list status module

To display the access control list (ACL) capture configuration, use the show access-list status module command.

show access-list status module slot

Syntax Description


slot	Slot ID. The range is from 1 to 18.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.2(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the access control list (ACL) capture configuration:


switch(config)# show access-list status module 5
Non-Atomic ACL updates Disabled.
TCAM Default Result is Deny.
Resource-pooling: Disabled
switch(config)#

Related Commands


Command	Description
access-list capture	Enables access control list (ACL) capture on all virtual device contexts (VDCs).

show access-lists

To display all IPv4, IPv6, and MAC access control lists (ACLs) or a specific ACL, use the show access-lists command.

show access-lists [access-list-name] [expanded | summary]

Syntax Description


`access-list-name`	(Optional) Name of an ACL, which can be up to 64 alphanumeric, case-sensitive characters.
expanded	(Optional) Specifies that the contents of object groups appear rather than the names of object groups only.
summary	(Optional) Specifies that the command displays information about the ACL. For more information, see the “Usage Guidelines” section.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.2(1)	Command output is sorted alphabetically by the ACL names. Support was added for the fragments command.
4.1(2)	Support for IPv6 ACLs was added.
4.0(1)	This command was introduced.

Usage Guidelines

The device shows all ACLs unless you use the access-list-name argument to specify an ACL.

If you do not specify an ACL name, the device lists ACLs alphabetically by the ACL names.

The expanded keyword allows you to display the details of object groups used in an ACL rather than only the name of the object groups. For more information about object groups, see the object-group ip address , object-group ipv6 address , and object-group ip port commands.

The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following:

Whether per-entry statistics are configured for the ACL.
Whether the fragments command is configured for an IP ACL.
The number of rules in the ACL configuration. This number does not reflect how many entries that the ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules.
The interfaces that the ACL is applied to.
The interfaces that the ACL is active on.

The show access-lists command displays statistics for each entry in an ACL if the following conditions are both true:

The ACL configuration contains the statistics per-entry command.
The ACL is applied to an interface that is administratively up.

If an IP ACL includes the fragments command, it appears before the explicit permit and deny rules, but the device applies the fragments command to noninitial fragments only if they do not match all other explicit rules in the ACL.

This command does not require a license.

Examples

This example shows how to use the show access-lists command without specifying an ACL name on a device that has one IP ACL and one MAC ACL configured:


switch# show access-lists
IP access list ip-v4-filter
        10 permit ip any any
MAC access list mac-filter
        10 permit 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff ip

This example shows how to use the show access-lists command to display an IPv4 ACL named ipv4-RandD-outbound-web, including per-entry statistics for the entries except for the MainLab object group:


switch# show access-lists ipv4-RandD-outbound-web
IP access list ipv4-RandD-outbound-web
        statistics per-entry
        1000 permit ahp any any [match=732]
        1005 permit tcp addrgroup MainLab any eq telnet
        1010 permit tcp any any eq www [match=820421]

This example shows how to use the show access-lists command to display an IPv4 ACL named ipv4-RandD-outbound-web. The expanded keyword causes the contents of the object group from the previous example to appear, including the per-entry statistics:


switch# show access-lists ipv4-RandD-outbound-web expanded
IP access list ipv4-RandD-outbound-web
        statistics per-entry
        1000 permit ahp any any [match=732]
        1005 permit tcp 10.52.34.4/32 any eq telnet [match=5032]
        1005 permit tcp 10.52.34.27/32 any eq telnet [match=433]
        1010 permit tcp any any eq www [match=820421]

This example shows how to use the show access-lists command with the summary keyword to display information about an IPv4 ACL named ipv4-RandD-outbound-web, such as which interfaces the ACL is applied to and active on:


switch# show access-lists ipv4-RandD-outbound-web summary
IPV4 ACL ipv4-RandD-outbound-web
        Statistics enabled
        Total ACEs Configured: 4
        Configured on interfaces:
                Ethernet2/4 - ingress (Router ACL)
        Active on interfaces:
                Ethernet2/4 - ingress (Router ACL)

Related Commands


Command	Description
fragments	Configures how an IP ACL processes noninitial fragments.
ip access-list	Configures an IPv4 ACL.
ipv6 access-list	Configures an IPv6 ACL.
mac access-list	Configures a MAC ACL.
show ip access-lists	Displays all IPv4 ACLs or a specific IPv4 ACL.
show ipv6 access-lists	Displays all IPv6 ACLs or a specific IPv6 ACL.
show mac access-lists	Displays all MAC ACLs or a specific MAC ACL.

show accounting log

To display the accounting log contents, use the show accounting log command.

show accounting log [size | last-index | start-seqnum number | start-time year month day HH : MM : SS]

Syntax Description


`size`	(Optional) Size of the log to display in bytes. The range is from 0 to 250000.
last-index `number`	(Optional) Displays the last index number in the log.
start-seqnum	(Optional) Specifies a sequence number in the log at which to begin display output. The range is from 1 to 1000000.
start-time`year` `month` `day` `HH` :`MM` :`SS`	(Optional) Specifies a start time in the log at which to begin displaying output. The `year` argument is in `yyyy` format. The `month` is the three-letter English abbreviation. The `day` argument range is from 1 to 31. The `HH` :`MM` :`SS` argument is in the standard 24-hour format.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.2(1)	Added the last-index and start-seqnum keyword options.
4.0(1)	This command was introduced.

Usage Guidelines

When you make a change to the configuration, the results are shown in the output for show accounting log . There three results for the configuration change:

Success : indicates the configuration change was successful.
Failure : indicates the configuration change was unsuccessful.
Redirect : indicates the configuration change was not issued directly from the Command Line Interface (CLI) but was issued as a result of another CLI command. For example, the following output is issued as a result of the port-profile type command:


Fri Sep 27 16:15:08 2013:type=update:id=console0:user=admin:cmd=switchto ; configure terminal ; port-profile type port-channel GANETTI-OKEANOS ; switchport trunk allowed vlan add 71 (REDIRECT)

This command does not require a license.

Examples

This example shows how to display the entire accounting log:


switch# show accounting log 
Sat Feb 16 10:44:24 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 10:44:25 2008:update:/dev/pts/1_172.28.254.254:admin:show clock
Sat Feb 16 10:45:20 2008:update:/dev/pts/1_172.28.254.254:admin:show logging log
file start-time 2008 Feb 16 10:44:11
Sat Feb 16 10:45:23 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting
log start-time 2008 Feb 16 10:08:57
Sat Feb 16 10:45:24 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 10:45:25 2008:update:/dev/pts/1_172.28.254.254:admin:show clock
Sat Feb 16 10:46:20 2008:update:/dev/pts/1_172.28.254.254:admin:show logging log
file start-time 2008 Feb 16 10:45:11
Sat Feb 16 10:46:22 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting

This example shows how to display 400 bytes of the accounting log:


switch# show accounting log 400
Sat Feb 16 21:15:24 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting log start-time 2008 Feb 16 18:31:21
Sat Feb 16 21:15:25 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 21:15:26 2008:update:/dev/pts/1_172.28.254.254:admin:show clock

This example shows how to display the accounting log starting at 16:00:00 on February 16, 2008:


switch(config)# show accounting log start-time 2008 Feb 16 16:00:00
Sat Feb 16 16:00:18 2008:update:/dev/pts/1_172.28.254.254:admin:show logging log file start-time 2008 Feb 16 15:59:16
Sat Feb 16 16:00:26 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting log start-time 2008 Feb 16 12:05:16
Sat Feb 16 16:00:27 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 16:00:28 2008:update:/dev/pts/1_172.28.254.254:admin:show clock
Sat Feb 16 16:01:18 2008:update:/dev/pts/1_172.28.254.254:admin:show logging log file start-time 2008 Feb 16 16:00:16
Sat Feb 16 16:01:26 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting log start-time 2008 Feb 16 12:05:16
Sat Feb 16 16:01:27 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 16:01:29 2008:update:/dev/pts/1_172.28.254.254:admin:show clock
Sat Feb 16 16:02:18 2008:update:/dev/pts/1_172.28.254.254:admin:show logging log file start-time 2008 Feb 16 16:01:16
Sat Feb 16 16:02:26 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting log start-time 2008 Feb 16 12:05:16
Sat Feb 16 16:02:28 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime

This example shows how to display the last index number:


switch# show accounting log last-index
accounting-log last-index : 1814

This example shows how to display the result of configuration changes:


switch# show accounting log
Fri Mar 15 10:19:58 2013:type=update:id=console0:user=Ciscoadmin:cmd=configure terminal ; interface Ethernet1/1 (SUCCESS)
Fri Mar 15 10:19:59 2013:type=update:id=console0:user=Ciscoadmin:cmd=configure terminal ; interface Ethernet1/1 ; shutdown (REDIRECT)
Fri Mar 15 10:19:59 2013:type=update:id=console0:user=Ciscoadmin:cmd=configure terminal ; interface Ethernet1/1 ; shutdown (SUCCESS)
Fri Mar 15 10:20:03 2013:type=update:id=console0:user=Ciscoadmin:cmd=configure terminal ; interface Ethernet1/1 ; no shutdown (REDIRECT)
Fri Mar 15 10:20:03 2013:type=update:id=console0:user=Ciscoadmin:cmd=configure terminal ; interface Ethernet1/1 ; no shutdown (SUCCESS)

Related Commands


Command	Description
clear accounting log	Clears the accounting log.

show arp access-lists

To display all ARP access control lists (ACLs) or a specific ARP ACL, use the show arp access-lists command.

show arp access-lists [access-list-name]

Syntax Description


`access-list-name`	(Optional) Name of an ARP ACL, which can be up to 64 alphanumeric, case-sensitive characters.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

The device shows all ARP ACLs, unless you use the access-list-name argument to specify an ACL.

This command does not require a license.

Examples

This example shows how to use the show arp access-lists command to display all ARP ACLs on a device that has two ARP ACLs:


switch# show arp access-lists
ARP access list arp-permit-all
10 permit ip any mac any
ARP access list arp-lab-subnet
10 permit request ip 10.32.143.0 255.255.255.0 mac any

This example shows how to use the show arp access-lists command to display an ARP ACL named arp-permit-all:


switch# show arp access-lists arp-permit-all
ARP access list arp-permit-all
10 permit ip any mac any

Related Commands


Command	Description
arp access-list	Configures an ARP ACL.
ip arp inspection filter	Applies an ARP ACL to a VLAN.

show class-map type control-plane

To display control plane class map information, use the show class-map type control-plane command.

show class-map type control-plane [class-map-name]

Syntax Description


`class-map-name`	(Optional) Name of the control plane class map.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You can use this command only in the default virtual device context (VDC).

This command does not require a license.

Examples

This example shows how to display control plane class map information:


switch# show class-map type control-plane
    class-map type control-plane match-any copp-system-class-critical
      match access-grp name copp-system-acl-arp
      match access-grp name copp-system-acl-msdp
    class-map type control-plane match-any copp-system-class-important
      match access-grp name copp-system-acl-gre
      match access-grp name copp-system-acl-tacas
    class-map type control-plane match-any copp-system-class-normal
      match access-grp name copp-system-acl-icmp
      match redirect dhcp-snoop
      match redirect arp-inspect
      match exception ip option
      match exception ip icmp redirect
      match exception ip icmp unreachable

show cli syntax roles network-admin

To display the syntax of the commands that the network-admin role can use but the vdc-admin role cannot, use the show cli syntax roles network-admin command.

show cli syntax roles network-admin

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.1(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the syntax of the commands that the network-admin role can use but the vdc-admin role cannot:


switch# show cli syntax roles network-admin
MODE exec
(0) show debug license
(1) show debug bootvar
(2) show debug cmpproxy
(3) show debug exceptionlog
(4) show debug device_test
(5) show debug diagmgr
(6) show debug diagclient
(7) show debug ntp
(8) show debug port_lb
(9) show debug copp
(10) show debug copp bypass
(11) show license usage vdc-all [ { detail | <license-feature> } ]
(12) show system internal license event-history
(13) show system internal license mem-stats [ detail ]
(14) show system internal loader configuration
(15) show system internal bootvar log
(16) show system internal cmpproxy install-logs
(17) show system internal cmpproxy [ event-history ] errors
(18) show system internal cmpproxy [ event-history ] msgs
(19) show system internal cmpproxy mem-stats [ detail ]
(20) show system internal epld logging
(21) c status [ ]
(22) show system internal copp ppf-database { policy { subscriptions | sessions
| instances | all } }
(23) show system internal copp [ event-history ] errors
(24) show system internal copp [ event-history ] logs
(25) show system internal copp [ event-history ] msgs
(26) show system internal copp mem-stats [ detail ]
(27)  show system internal copp info
(28) show system reset-reason
(29) show system reset-reason module <module>
(30) show system reset-reason <s0> <santa-cruz-range>
(31) show system redundancy status
(32) show system redundancy ha status
(33) show logging level { license | licmgr }
(34) show logging level bootvar
(35) show logging level cmpproxy
(36) show logging level diagnostic device_test
(37) show logging level diagnostic diagmgr
(38) show logging level diagnostic diagclient
(39) show logging level ntp
(40) show logging level copp
(41) show running-config res_mgr
(42) show running-config vdc [ all ]
(43) show running-config diagnostic [ all ]
(44) show running-config cmp
(45) show running-config ntp [ all ]
(46) show running-config vdc-all [ all ]
(47) show running-config copp [ all ]
(48) show startup-config vdc [ all ]
(49) show startup-config diagnostic [ all ]
(50) show startup-config ntp [ all ]
(51) show startup-config vdc-all
(52) show startup-config copp [ all ]
(53) show tech-support gold
(54) show tech-support cmp
(55) show tech-support dcbx
(56) show tech-support ntp
(57) show tech-support forwarding l2 multicast vdc-all
(58) show tech-support forwarding l3 unicast vdc-all [ module <module> ]
--More--

Related Commands


Command	Description
show cli syntax roles network-operator	Displays the syntax of the commands that the network-operator role can use but the vdc-operator role cannot.

show cli syntax roles network-operator

To display the syntax of the commands that the network-operator role can use but the vdc-operator role cannot, use the show cli syntax roles network-operator command.

show cli syntax roles network-operator

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.1(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the syntax of the commands that the network-operator role can use but the vdc-operator role cannot:


switch# show cli syntax roles network-operator
MODE exec
(0) show debug license
(1) show debug cmpproxy
(2) show debug exceptionlog
(3) show debug device_test
(4) show debug diagmgr
(5) show debug diagclient
(6) show debug ntp
(7) show debug port_lb
(8) show debug copp
(9) show license usage vdc-all [ { detail | <license-feature> } ]
(10) show system internal license event-history
(11) show system internal license mem-stats [ detail ]
(12) show system internal loader configuration
(13) show system internal bootvar log
(14) show system internal cmpproxy install-logs
(15) show system internal cmpproxy [ event-history ] errors
(16) show system internal cmpproxy [ event-history ] msgs
(17) show system internal cmpproxy mem-stats [ detail ]
(18) show system internal epld logging
(19) show system internal access-list status [ ]
(20) show system internal copp ppf-database { policy { subscriptions | sessions
| instances | all } }
(21) show system internal copp [ event-history ] errors
--More--

Related Commands


Command	Description
show cli syntax roles network-admin	Displays the syntax of the commands that the network-admin role can use but the vdc-admin role cannot.

show copp diff profile

To display the difference between the previous and latest Control Plane Policing (CoPP) best practice policies or between the currently applied default CoPP best practice policy and the latest CoPP best practice policy, use the show copp diff profile command.

show copp diff profile {lenient | moderate | strict} [prior-ver] profile {lenient | moderate | strict}

Syntax Description


lenient	Displays the lenient profile.
moderate	Displays the moderate profile.
strict	Displays the strict profile.
profile	Specifies the profile.
prior-ver	Specifies the previous profile.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.2(1)	This command was introduced.

Usage Guidelines

When you do not include the prior-ver option, this command displays the difference between two currently applied default CoPP best practice policies (such as the currently applied strict and currently applied moderate policies).

When you include the prior-ver option, this command displays the difference between a currently applied default CoPP best practice policy and a previously applied default CoPP best practice policy (such as the currently applied strict and the previously applied lenient policies).

This command does not require a license.

Examples

This example shows how to display the difference between the currently applied default CoPP best practice policy and the latest CoPP best practice policy:


switch# show copp diff profile moderate applied latest

Related Commands


Command	Description
show copp profile	Displays the details of the CoPP best practice policy, along with the classes and policer values.

show copp profile

To display the details of the Control Plane Policing (CoPP) best practice policy, along with the classes and policer values, use the show copp profile command.

show copp profile {lenient | moderate | strict}

Syntax Description


lenient	Displays the lenient profile.
moderate	Displays the moderate profile.
strict	Displays the strict profile.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.2(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the details of the CoPP best practice policy, along with the classes and policer values:


switch# show copp profile moderate
ip access-list copp-system-p-acl-bgp
  permit tcp any gt 1024 any eq bgp
  permit tcp any eq bgp any gt 1024
ipv6 access-list copp-system-p-acl-bgp6
  permit tcp any gt 1024 any eq bgp
  permit tcp any eq bgp any gt 1024
ip access-list copp-system-p-acl-cts
  permit tcp any any eq 64999
  permit tcp any eq 64999 any
ip access-list copp-system-p-acl-dhcp
  permit udp any eq bootpc any
  permit udp any neq bootps any eq bootps
ip access-list copp-system-p-acl-dhcp-relay-response
  permit udp any eq bootps any
  permit udp any any eq bootpc
ip access-list copp-system-p-acl-eigrp
  permit eigrp any any
ip access-list copp-system-p-acl-ftp
  permit tcp any any eq ftp-data
  permit tcp any any eq ftp
  permit tcp any eq ftp-data any
  permit tcp any eq ftp any
ip access-list copp-system-p-acl-glbp
  permit udp any eq 3222 224.0.0.0/24 eq 3222
--More--

Related Commands


Command	Description
copp profile
copp clone profile
show copp diff profile	Displays the difference between the currently applied default CoPP best practice policy and the latest or previous CoPP best practice policy.
show copp status	Displays the CoPP status, including the last configuration operation and its status.
show running-config copp	Displays the CoPP configuration in the running configuration.

show copp status

To display the control plane policing (CoPP) configuration status, use the show copp status command.

show copp status

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
4.0(2)	This command was introduced.

Usage Guidelines

You can use this command only in the default virtual device context (VDC).

This command does not require a license.

Examples

This example shows how to display the CoPP configuration status information:


switch# show copp status
Last Config Operation: service-policy input copp-system-policy
Last Config Operation Timestamp: 21:57:58 UTC Jun  4 2008
Last Config Operation Status: Success
Policy-map attached to the control-plane: new-copp-policy

show crypto ca certificates

To display configured trustpoint certificates, use the show crypto ca certificates command.

show crypto ca certificates trustpoint-label

Syntax Description


`trustpoint-label`	Name of the trustpoint. The name is case sensitive.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
4.1(2)	This command was introduced.

Usage Guidelines

Use this command to display the fields in the identity certificate, if present, followed by the fields in the CA certificate (or each CA certificate if it is a chain, starting from the lowest to the self-signed root certificate), or the trustpoint. If the trustpoint name is not specified, all trustpoint certificate details are displayed.

This command does not require a license.

Examples

This example shows how to display configured trustpoint certificates:


switch# show crypto ca certificates
Trustpoint: admin-ca
certificate:
subject= /CN=switch160
issuer= /C=US/O=cisco/CN=Aparna CA2
serial=6CDB2D9E000100000006
notBefore=Jun  9 10:51:45 2005 GMT
notAfter=May  3 23:10:36 2006 GMT
MD5 Fingerprint=0A:22:DC:A3:07:2A:9F:9A:C2:2C:BA:96:EC:D8:0A:95
purposes: sslserver sslclient ike
CA certificate 0:
subject= /C=US/O=cisco/CN=Aparna CA2
issuer= /emailAddress=amandke@cisco.com/C=IN/ST=Maharashtra/L=Pune/O=cisco/OU=ne
tstorage/CN=Aparna CA1
serial=14A3A877000000000005
notBefore=May  5 18:43:36 2005 GMT
notAfter=May  3 23:10:36 2006 GMT
MD5 Fingerprint=32:50:26:9B:16:B1:40:A5:D0:09:53:0A:98:6C:14:CC
purposes: sslserver sslclient ike
CA certificate 1:
subject= /emailAddress=amandke@cisco.com/C=IN/ST=Maharashtra/L=Pune/O=cisco/OU=n
etstorage/CN=Aparna CA1
issuer= /emailAddress=amandke@cisco.com/C=IN/ST=Karnataka/L=Bangalore/O=Cisco/OU
=netstorage/CN=Aparna CA
serial=611B09A1000000000002
notBefore=May  3 23:00:36 2005 GMT
notAfter=May  3 23:10:36 2006 GMT
MD5 Fingerprint=65:CE:DA:75:0A:AD:B2:ED:69:93:EF:5B:58:D4:E7:AD
purposes: sslserver sslclient ike
CA certificate 2:
subject= /emailAddress=amandke@cisco.com/C=IN/ST=Karnataka/L=Bangalore/O=Cisco/O
U=netstorage/CN=Aparna CA
issuer= /emailAddress=amandke@cisco.com/C=IN/ST=Karnataka/L=Bangalore/O=Cisco/OU
=netstorage/CN=Aparna CA
serial=0560D289ACB419944F4912258CAD197A
notBefore=May  3 22:46:37 2005 GMT
notAfter=May  3 22:55:17 2007 GMT
MD5 Fingerprint=65:84:9A:27:D5:71:03:33:9C:12:23:92:38:6F:78:12
purposes: sslserver sslclient ike

Related Commands


Command	Description
crypto ca authenticate	Authenticates the certificate of the CA.
show ca trustpoints	Displays trustpoint configurations.

show crypto ca certstore

To display the cert-store configuration, use the show crypto ca certstore command.

show crypto ca certstore

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
5.0(2)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the cert-store configuration:


switch# show crypto ca certstore
Certstore lookup: REMOTE

Related Commands


Command	Description
crypto ca lookup	Specifies the cert-store to be used for certificate authentication.
show crypto ca remote-certstore	Displays the remote cert-store configuration.

show crypto ca crl

To display configured certificate revocation lists (CRLs), use the show crypto ca crl command.

show crypto ca crl trustpoint-label

Syntax Description


`trustpoint-label`	Name of the trustpoint. The label is case sensitive.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
4.1(2)	This command was introduced.

Usage Guidelines

Use this command to list the serial numbers of the revoked certificates in the CRL of the specified trustpoint.

This command does not require a license.

Examples

This example shows how to display a configured CRL:


switch# show crypto ca crl admin-ca
Trustpoint: admin-ca
CRL:
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /emailAddress=rviyyoka@cisco.com/C=IN/ST=Kar/L=Bangalore/O=Cisco
 Systems/OU=1/CN=cisco-blr
        Last Update: Sep 22 07:05:23 2005 GMT
        Next Update: Sep 29 19:25:23 2005 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
            keyid:CF:72:E1:FE:14:60:14:6E:B0:FA:8D:87:18:6B:E8:5F:70:69:05:3F
            1.3.6.1.4.1.311.21.1:
                ...
Revoked Certificates:
    Serial Number: 1E0AE838000000000002
        Revocation Date: Mar 15 09:12:36 2005 GMT
    Serial Number: 1E0AE9AB000000000003
        Revocation Date: Mar 15 09:12:45 2005 GMT
    Serial Number: 1E721E50000000000004
        Revocation Date: Apr  5 11:04:20 2005 GMT
    Serial Number: 3D26E445000000000005
        Revocation Date: Apr  5 11:04:16 2005 GMT
    Serial Number: 3D28F8DF000000000006
        Revocation Date: Apr  5 11:04:12 2005 GMT
    Serial Number: 3D2C6EF3000000000007
        Revocation Date: Apr  5 11:04:09 2005 GMT
    Serial Number: 3D4D7DDC000000000008
        Revocation Date: Apr  5 11:04:05 2005 GMT
    Serial Number: 5BF1FE87000000000009
        Revocation Date: Apr  5 11:04:01 2005 GMT
    Serial Number: 5BF22FB300000000000A
        Revocation Date: Apr  5 11:03:45 2005 GMT
    Serial Number: 5BFA4A4900000000000B
        Revocation Date: Apr  5 11:03:42 2005 GMT
    Serial Number: 5C0BC22500000000000C
        Revocation Date: Apr  5 11:03:39 2005 GMT
    Serial Number: 5C0DA95E00000000000D
        Revocation Date: Apr  5 11:03:35 2005 GMT
    Serial Number: 5C13776900000000000E
        Revocation Date: Apr  5 11:03:31 2005 GMT
    Serial Number: 4864FD5A00000000000F
        Revocation Date: Apr  5 11:03:28 2005 GMT
    Serial Number: 48642E2E000000000010
        Revocation Date: Apr  5 11:03:24 2005 GMT
    Serial Number: 486D4230000000000011
        Revocation Date: Apr  5 11:03:20 2005 GMT
    Serial Number: 7FCB75B9000000000012
        Revocation Date: Apr  5 10:39:12 2005 GMT
    Serial Number: 1A7519000000000013
        Revocation Date: Apr  5 10:38:52 2005 GMT
    Serial Number: 20F1B0000000000014
        Revocation Date: Apr  5 10:38:38 2005 GMT
    Serial Number: 436E43A9000000000023
        Revocation Date: Sep  9 09:01:23 2005 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
            Cessation Of Operation
    Serial Number: 152D3C5E000000000047
        Revocation Date: Sep 22 07:12:41 2005 GMT
    Serial Number: 1533AD7F000000000048
        Revocation Date: Sep 22 07:13:11 2005 GMT
    Serial Number: 1F9EB8EA00000000006D
        Revocation Date: Jul 19 09:58:45 2005 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
            Cessation Of Operation
    Serial Number: 1FCA9DC600000000006E
        Revocation Date: Jul 19 10:17:34 2005 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
            Cessation Of Operation
    Serial Number: 2F1B5E2E000000000072
        Revocation Date: Jul 22 09:41:21 2005 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
            Cessation Of Operation
    Signature Algorithm: sha1WithRSAEncryption
        4e:3b:4e:7a:55:6b:f2:ec:72:29:70:16:2a:fd:d9:9a:9b:12:
        f9:cd:dd:20:cc:e0:89:30:3b:4f:00:4b:88:03:2d:80:4e:22:
        9f:46:a5:41:25:f4:a5:26:b7:b6:db:27:a9:64:67:b9:c0:88:
        30:37:cf:74:57:7a:45:5f:5e:d0

Related Commands


Command	Description
crypto ca crl request	Configures a CRL or overwrites the existing one for the trustpoint CA.

show crypto ca remote-certstore

To display the remote cert-store configuration, use the show crypto ca remote-certstore command.

show crypto ca remote-certstore

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
5.0(2)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the remote cert-store configuration:


switch# show crypto ca remote-certstore
Remote Certstore: NONE

Related Commands


Command	Description
crypto ca lookup	Specifies the cert-store to be used for certificate authentication.
show crypto ca certstore	Displays the configured cert-store.

show crypto ca trustpoints

To display trustpoint configurations, use the show crypto ca trustpoints command.

show crypto ca trustpoints

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
4.1(2)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display configured trustpoints:


switch# show crypto ca trustpoints
trustpoint: CAname; key:
revokation methods:  crl

Related Commands


Command	Description
crypto ca authenticate	Authenticates the certificate of the CA.
crypto ca trustpoint	Declares the trustpoint certificate authority that the device should trust.
show crypto ca certificates	Displays configured trustpoint certificates.

show crypto certificatemap

To display the certificate mapping filters, use the show crypto certificatemap command.

show crypto certificatemap

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
5.0(2)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the certificate mapping filters:


switch# show crypto certificatemap

Related Commands


Command	Description
crypto certificatemap mapname	Creates a filter map.
filter	Configures one or more certificate mapping filters within the filter map.

show crypto key mypubkey rsa

To display the RSA public key configurations, use the show crypto key mypubkey rsa command.

show crypto key mypubkey rsa

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
4.1(2)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display RSA public key configurations:


switch# show crypto key mypubkey rsa
key label: myrsa
key size: 512
exportable: yes

Related Commands


Command	Description
crypto ca enroll	Requests certificates for the switch’s RSA key pair.
crypto key generate rsa	Generate an RSA key pair.
rsakeypair	Configure trustpoint RSA key pair details

show crypto ssh-auth-map

To display the mapping filters configured for SSH authentication, use the ssh-auth-mapshowcrypto ssh-auth-map command.

show crypto ssh-auth-map

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
5.0(2)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the mapping filters configured for SSH authentication:


switch# show crypto ssh-auth-map
Default Map     : filtermap1

Related Commands


Command	Description
crypto certificatemap mapname	Creates a filter map.
crypto cert ssh-authorize	Configures a certificate mapping filter for the SSH protocol.
filter	Configures one or more certificate mapping filters within the filter map.

show cts

To display the global Cisco TrustSec configuration, use the show cts command.

show cts

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec global configuration:


switch# show cts
CTS Global Configuration
==============================
  CTS support           : enabled
  CTS device identity   : Device1
  CTS caching support   : disabled
  Number of CTS interfaces in
    DOT1X mode : 0
    Manual mode : 0

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.

show cts capability interface

To display the Cisco TrustSec capability of all interfaces or a specific Ethernet interface, use the show cts capability interface command.

show cts capability interface {all | ethernet}

Syntax Description


all	Displays the Cisco TrustSec capability of all interfaces.
ethernet slot/port	Displays the Cisco TrustSec capability of the specific interface.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
6.2(2)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec capability of all interfaces:


switch# show cts capability interface all
CTS capability information for interface(s)
--------- --- ------ ---------------------------------------
Interface SGT MacSec Comments
--------- --- ------ ---------------------------------------
Eth6/1    Yes Yes    cts dot1x and manual configs allowed
Eth8/1    Yes Yes    cts dot1x and manual configs allowed
Eth8/17   Yes Yes    cts dot1x and manual configs allowed
Eth8/33   Yes Yes    cts dot1x and manual configs allowed
Eth6/2    Yes Yes    cts dot1x and manual configs allowed
Eth8/2    Yes Yes    cts dot1x and manual configs allowed
Eth8/18   Yes Yes    cts dot1x and manual configs allowed
Eth8/34   Yes Yes    cts dot1x and manual configs allowed
Eth6/3    Yes Yes    cts dot1x and manual configs allowed
Eth8/3    Yes Yes    cts dot1x and manual configs allowed
Eth8/19   Yes Yes    cts dot1x and manual configs allowed
Eth8/35   Yes Yes    cts dot1x and manual configs allowed
Eth6/4    Yes Yes    cts dot1x and manual configs allowed
Eth8/4    Yes Yes    cts dot1x and manual configs allowed
Eth8/20   Yes Yes    cts dot1x and manual configs allowed
Eth8/36   Yes Yes    cts dot1x and manual configs allowed
Eth6/5    Yes Yes    cts dot1x and manual configs allowed
Eth8/5    Yes Yes    cts dot1x and manual configs allowed

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.
show cts	Displays the global Cisco TrustSec configuration.

show cts credentials

To display the Cisco TrustSec device credentials configuration, use the show cts credentials command.

show cts credentials

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec credentials configuration:


switch# show cts credentials
CTS password is defined in keystore, device-id = Device1

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.

show cts environment-data

To display the global Cisco TrustSec environment data, use the show cts environment-data command.

show cts environment-data

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

The Cisco NX-OS device downloads the Cisco TrustSec environment data from the ACS after you have configured the Cisco TrustSec credentials for the device and configured authentication, authorization, and accounting (AAA).

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec environment data:


switch# show cts environment-data
CTS Environment Data
==============================
  Current State           : CTS_ENV_DNLD_ST_ENV_DOWNLOAD_DONE
  Last Status             : CTS_ENV_SUCCESS
  Local Device SGT        : 0x0002
  Transport Type          : CTS_ENV_TRANSPORT_DIRECT
  Data loaded from cache  : FALSE
  Env Data Lifetime       : 300 seconds after last update
  Last Update Time        : Sat Jan  5 16:29:52 2008
  Server List             : ACSServerList1
     AID:74656d706f72617279 IP:10.64.65.95 Port:1812

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.

show cts interface

To enable SGT propagation on Layer 2 (L2) Cisco TrustSec interfaces, use the propagate-sgt command. To disable SGT propagation, use the no form of this command.

propagate-sgt [ l2-control]

no propagate-sgt [ l2-control]

Syntax Description


l2-control	Specifies SGT propagation of the L2 control packets.

Command Default

Enabled

Command Modes

Global configuration

Command History


Release	Modification
8.1(1)	Added the l2-control keyword.
6.2(10)	Support was added for F3 Series modules.
4.0(3)	This command was introduced.

Usage Guidelines

You can disable the SGT propagation feature on an interface if the peer device connected to the interface can not handle Cisco TrustSec packets tagged with an SGT.

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

After using this command, you must enable and disable the interface using the shutdown /no shutdown command sequence for the configuration to take effect.

Use the no propagate-sgt l2-control command to enable SGT tagging exemption for L2 control packets. This exemption ensures that the L2 control protocols are transmitted without any SGT tags from the Cisco TrustSec enabled-ports. The no propagate-sgt l2-control command is supported only on the Cisco M3 Series module ports without Cisco TrustSec MACSec.

You can also enable or disable SGT tagging of the L2 control packets under a port profile and a port channel.

This command requires the Advanced Services license.

Examples

This example shows how to disable SGT propagation:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)# no propagate-sgt
switch(config-if-cts-dot1x)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown

This example shows how to enable SGT propagation:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)# propagate-sgt
switch(config-if-cts-dot1x)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown

This example shows how to enable SGT tagging exemption for the L2 control protocols.

switch# configure terminal
switch(config)# interface ethernet 2/27
switch(config-if)# cts manual
switch(config-if-cts-manual)# no propagate-sgt l2-control

This example displays the error message when you enable SGT tagging exemption for the L2 protocols on non-supported modules:

switch# configure terminal
switch(config)# interface ethernet 7/2
switch(config-if)# cts manual
switch(config-if-cts-manual)# no propagate-sgt l2-control
ERROR: 'no propagate-sgt l2-control' is not allowed on any port of this line card type.

Related Commands


Command	Description
cts dot1x	Enters Cisco TrustSec 802.1X configuration mode for an interface.
feature cts	Enables the Cisco TrustSec feature.
show cts interface	Displays the Cisco TrustSec configuration for interfaces.

show cts l3 interface

To display the Layer 3 Cisco TrustSec configuration on the interfaces, use the show cts l3 interface command.

show cts l3 interface

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Layer 3 Cisco TrustSec configuration for the interfaces:


switch# show cts l3 interface

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.

show cts l3 mapping

To display the Layer 3 Cisco TrustSec mapping configuration for the device, use the show cts l3 mapping command.

show cts l3 mapping

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Layer 3 Cisco TrustSec mapping for the device:


switch# show cts l3 mapping

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.

show cts pacs

To display the Cisco TrustSec protect access credentials (PACs) provisioned by EAP-FAST, use the show cts pacs command.

show cts pacs

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec global configuration:


switch# show cts pacs
PAC Info :
==============================
  PAC Type            : unknown
  AID                 : 74656d706f72617279
  I-ID                : india1
  AID Info            : ACS Info
  Credential Lifetime : Thu Apr  3 00:36:04 2008
  PAC Opaque          : 0002008300020004000974656d706f7261727900060070000101001d
6321a2a55fa81e05cd705c714bea116907503aab89490b07fcbb2bd455b8d873f21b5b6b403eb1d8
125897d93b94669745cfe1abb0baf01a00b77aacf0bda9fbaf7dcd54528b782d8206a7751afdde42
1ff4a3db6a349c652fea81809fba4f30b1fffb7bfffaf9a6608

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.

show cts propagate-status

To display interfaces configured with SGT tagging exemption for L2 control protocols, use the show cts propagate-status command.

show cts propagate-status [interface {ethernet slot/port | port-channel channel-number}]

Syntax Description


interface	(Optional) Specifies that the output is limited for a particular interface.
ethernet `slot/port`	(Optional) Specifies that the output is limited to bindings for the Ethernet interface given.
port-channel `channel-number`	(Optional) Specifies that the output is limited to the specified port-channel interface. Valid port-channel numbers are from 1 to 4096.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
8.1(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

The following example displays all interfaces configured with SGT tagging exemption for L2 control protocols.


switch(config)# show cts propagate-status
Interface: Ethernet2/13
Propagate Exemption:
        Protocols: CDP, LLDP, LACP, EAPoL, BPDUs

Interface: Ethernet2/27
Propagate Exemption:
        Protocols: CDP, LLDP, LACP, EAPoL, BPDUs

Related Commands


Command	Description
propagate-sgt	Enable SGT propagation on Layer 2 Cisco TrustSec interfaces.
feature cts	Enables the Cisco TrustSec feature.

show cts role-based access-list

To display the global Cisco TrustSec security group access control list (SGACL) configuration, use the show cts role-based access-list command.

show cts role-based access-list [list-name]

Syntax Description


`list-name`	(Optional) SGACL name.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
4.2(1)	Added list name argument.
4.0(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec SGACL configuration:


switch# show cts role-based access-list
rbacl:test-3
        deny ip
rbacl:test-1
        deny ip
        deny icmp
        deny tcp src eq 1000 dest eq 2000
        deny udp src range 1000 2000
rbacl:test-2
        permit icmp
        permit igmp
        permit tcp src lt 2000
        permit udp dest gt 4000

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.

show cts role-based counters

To display the configuration status of role-based access control list (RBACL) statistics and list the statistics for all RBACL policies, use the show cts role-based counters command.

show cts role-based counters [sgt {sgt-value | any | unknown}] [dgt {dgt-value | any | unknown}]

Syntax Description


sgt	Specifies the source security group tag (SGT).
`sgt-value`	Source SGT value. The range is from 0 to 65519.
any	Specifies any SGT or DGT.
unknown	Specifies an unknown SGT or DGT.
dgt	Specifies the destination security group tag (DGT).
`dgt-value`	Destination SGT value. The range is from 0 to 65519.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
8.0(1)	The command output was updated.
5.0(2)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the configuration status of RBACL statistics and the total number of packets that match RBACL policies for a specific SGT and DGT:


switch(config)# show cts role-based counters
RBACL policy counters enabled
Counters last cleared: 08/22/2016 at 09:16:07 AM
sgt:unknown dgt:unknown [0]
rbacl:deny_ip(monitored)
deny ip [0]
sgt:unknown dgt:2000(2000) [0]
rbacl:Deny IP(monitored)
deny ip [0]
sgt:10(10) dgt:20(20) [0]
rbacl:rb1(monitored)
deny udp [0]
permit tcp [0]
deny ip [0]
rbacl:dummy_test (monitored)
permit icmp [0]
permit tcp [0]
permit ip log [0]
sgt:any dgt:any [0]
rbacl:Permit IP(monitored)
permit ip [0]

Related Commands


Command	Description
clear cts role-based counters	Clears the RBACL statistics so that all counters are reset to 0.
cts role-based counters enable	Enables the RBACL statistics.

show cts role-based disabled-interface

To display interfaces where Cisco TrustSec security group access control list (SGACL) enforcement policy is disabled, use the show cts role-based disabled-interface command.

show cts role-based disabled-interface

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode.

Command History


Release	Modification
8.0(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to verify that SGACL policy enforcement is disabled on interfaces.


switch# show cts role-based disabled-interface
Ethernet4/5
Ethernet4/17

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.

show cts role-based enable

To display the Cisco TrustSec security group access control list (SGACL) enable status for VLANs and Virtual Routing and Forwarding instances (VRFs), use the show cts role-based enable command.

show cts role-based enable

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec SGACL enforcement status:


switch# show cts role-based enable
vlan:1
vrf:1
vrf:3

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.

show cts role-based policy

To display the global Cisco TrustSec security group access control list (SGACL) policies, use the show cts role-based policy command.

show cts role-based policy [sgt {sgt-value | any | unknown} | dgt {dgt-value | any | unknown}| configured| downloaded| monitored]

Syntax Description


sgt	Specifies the source security group tag (SGT).
`sgt-value`	Source SGT value. The range is from 0 to 65535.
any	Specifies any SGT or DGT.
unknown	Specifies an unknown SGT or DGT.
dgt	Specifies the destination security group tag (DGT).
`dgt-value`	Destination SGT value. The range is from 0 to 65535.
configured	Displays the SGACLs configured by using CLI.
downloaded	Displays the SGACLs downloaded from ISE.
monitored	Displays the monitored SGACLs.

Command Default

None

Command Modes

Any configuration mode.

Command History


Release	Modification
8.0(1)	The sgt , dgt , configured , downloaded , and monitored keywords were added. Additionally, the command output was updated.
4.0(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec SGACL policies:


switch# show cts role-based policy
sgt:unknown
dgt:unknown rbacl:deny_ip(Downloaded,Monitored)
deny ip
sgt:101(101)
dgt:102(102) rbacl:rb2(Configured)
deny eigrp
sgt:101(101)
dgt:102(102) rbacl:ise_rbacl_1_ace(Downloaded)
deny gre

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.

show cts role-based sgt vlan

To display the Cisco TrustSec Security Group Tag (SGT) mapping configuration for a specific VLAN, use the show cts role-based sgt vlan command.

show cts role-based sgt vlan {all | vlan-id}

Syntax Description


all	Displays the configured SGT for all VLANs.
`vlan-id`	Configured SGT for the specific VLAN. The range is from 1 to 4094.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
6.2(2)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec SGT mapping configuration for all VLANs:


switch# show cts role-based sgt vlan all

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.
show cts role-based sgt-map	Displays the global Cisco TrustSec SGT mapping configuration.
cts role-based sgt	Configures mapping of Cisco TrustSec SGTs to an SGACL.

show cts role-based sgt-map

To display the global Cisco TrustSec Security Group Tag (SGT) mapping configuration, use the show cts role-based sgt-map command.

show cts role-based sgt-map [summary | sxp peer peer-ipv4-addr | vlan vlan-id | vrf vrf-name]

Syntax Description


summary	(Optional) Displays a summary of the SGT mappings.
sxp peer `peer-ipv4-addr`	(Optional) Displays the SGT map configuration for a specific SGT Exchange Protocol (SXP) peer.
vlan `vlan-id`	(Optional) Displays the SGT map configuration for a specific VLAN.
vrf `vrf-name`	(Optional) Displays the SGT map configuration for a specific virtual routing and forwarding (VRF).

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
6.2(2)	The summary, sxp peer `peer-ipv4-addr` , vlan `vlan-id` , and vrf `vrf-name` keywords and arguments were added.
4.0(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec SGT mapping configuration:


switch# show cts role-based sgt-map
IP ADDRESS              SGT             VRF/VLAN        SGT CONFIGURATION
5.5.5.5                 5               vlan:10         CLI Configured
5.5.5.6                 6               vlan:10         CLI Configured
5.5.5.7                 7               vlan:10         CLI Configured
5.5.5.8                 8               vlan:10         CLI Configured
10.10.10.10             10              vrf:3           CLI Configured
10.10.10.20             20              vrf:3           CLI Configured
10.10.10.30             30              vrf:3           CLI Configured

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.
cts role-based sgt-map	Manually configures the Cisco TrustSec SGT mapping to IP addresses.

show cts sap pmk

To display the Cisco TrustSec Security Association Protocol (SAP) pairwise master key (PMK) configuration, use the show cts sap pmk command.

show cts sap pmk {all | interface ethernet slot/port}

Syntax Description


all	Displays the hexadecimal value of the configured PMK for all interfaces.
interface ethernet `slot/port`	Displays the hexadecimal value of the configured PMK for the specific Ethernet interface.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
6.2(2)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command does not require a license.

Examples

This example shows how to display the Cisco TrustSec SAP PMK configuration:


switch# show cts sap pmk interface ethernet 2/2

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.
sap pmk	Configures the Cisco TrustSec SAP PMK.

show cts sxp

To display Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (CTS-SXP) connection or source IP-to-SGT mapping information, use the show cts sxp command in user EXEC or privileged EXEC mode.

show cts sxp {connections | sgt-map} [detail | vrf instance-name]

Syntax Description


connections	Displays Cisco TrustSec SXP connections information.
sgt-map	Displays the IP-to-SGT mappings received through SXP.
detail	(Optional) Displays detailed SXP information.
vrf `instance-name`	(Optional) Displays the SXP information for the specified Virtual Routing and Forwarding (VRF) instance name.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
8.0(1)	The keywords connections, sgt-map, detail, and vrf were introduced.
7.3(0)D1(1)	The output was modified to include details about the SXPv3 version and network map expansion limit.
4.0(1)	This command was introduced.

Examples

The following example displays the CTS-SXP connections:


switch# show cts sxp connections

 SXP              : Enabled
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 10 secs
Reconcile period: 120 secs
Retry open timer is not running
----------------------------------------------
Peer IP          : 10.10.10.1
Source IP        : 10.10.10.2
Set up           : Peer
Conn status      : On
Connection mode  : SXP Listener
Connection inst# : 1
TCP conn fd      : 1
TCP conn password: not set (using default SXP password)
Duration since last state change: 0:00:01:25 (dd:hr:mm:sec)
----------------------------------------------
Peer IP          : 10.10.2.1
Source IP        : 10.10.2.2
Set up           : Peer
Conn status      : On
Connection mode  : SXP Listener
TCP conn fd      : 2
TCP conn password: not set (using default SXP password)
Duration since last state change: 0:00:01:25 (dd:hr:mm:sec)
Total num of SXP Connections = 2

The following example displays the CTS-SXP connections for a bi-directional connection when the device is both the speaker and listener:


switch# show cts sxp connections

SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running
----------------------------------------------
Peer IP : 2.0.0.2
Source IP : 1.0.0.2
Conn status : On (Speaker) :: On (Listener)
Conn version : 4
Local mode : Both
Connection inst# : 1
TCP conn fd : 1(Speaker) 3(Listener)
TCP conn password: default SXP password
Duration since last state change: 1:03:38:03 (dd:hr:mm:sec) :: 0:00:00:46 (dd:hr:mm:sec)

The following example displays output from a CTS-SXP listener with a torn down connection to the SXP speaker. Source IP-to-SGT mappings are held for 120 seconds, the default value of the Delete Hold Down timer.


switch# show cts sxp connections

 SXP              : Enabled
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 10 secs
Reconcile period: 120 secs
Retry open timer is not running
----------------------------------------------
Peer IP          : 10.10.10.1
Source IP        : 10.10.10.2
Set up           : Peer
Conn status      : Delete_Hold_Down
Connection mode  : SXP Listener
Connection inst# : 1
TCP conn fd      : -1
TCP conn password: not set (using default SXP password)
Delete hold down timer is running
Duration since last state change: 0:00:00:16 (dd:hr:mm:sec)
----------------------------------------------
Peer IP          : 10.10.2.1
Source IP        : 10.10.2.2
Set up           : Peer
Conn status      : On
Connection inst# : 1
TCP conn fd      : 2
TCP conn password: not set (using default SXP password)
Duration since last state change: 0:00:05:49 (dd:hr:mm:sec)
Total num of SXP Connections = 2

Related Commands


Command	Description
cts sxp connection peer	Enters the Cisco TrustSec SXP peer IP address and specifies if a password is used for the peer connection
cts sxp default password	Configures the Cisco TrustSec SXP default password.
cts sxp default source-ip	Configures the Cisco TrustSec SXP source IPv4 address.
cts sxp enable	Enables Cisco TrustSec SXP on a device.
cts sxp log	Enables logging for IP-to-SGT binding changes.
cts sxp reconciliation	Changes the Cisco TrustSec SXP reconciliation period.
cts sxp retry	Changes the Cisco TrustSec SXP retry period timer.

show cts sxp connection

To display the Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP) connections information, use the show cts sxp connection command.

show cts sxp connection

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP) connections information:


switch# show cts sxp connection
PEER_IP_ADDR  VRF        PEER_SXP_MODE   SELF_SXP_MODE   CONNECTION STATE    VERSION
30.1.1.3      default    listener        speaker         connected           3

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.

show data-corruption

To display data inconsistency errors, use the show data-corruption command.

show data-corruption

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
8.0(1)	This command was introduced.

Usage Guidelines

None.

Examples

This example shows how to display the data inconsistency errors:

switch# show data-corruption
DATACORRUPTION-DATAINCONSISTENCY: -Traceback= vmtracker libhmm_dll.so+0x1b4d0 libhmm.so+0x2cf0 libhmm_dll.so +0x1ba0a libhmm_dll.so+0x1c9e7 libhmm.so+0x2f49 +0x209d0 libvmtracker.so+0x4d586 libvmtracker.so+0x9b0c1 libvmtracker.so+0x43154 libvmtracker.so+0x42c happened 20 times since Mon Feb 15 09:05:20 2016
DATACORRUPTION-DATAINCONSISTENCY: -Traceback= hmm +0x40faf +0xbf870 +0xc0b4c +0x40292 +0xa37fa +0xa9f29 +0xc05aa +0xc060e +0xc0765 +0x42c35 +0x2c339 librsw.so+0xacc33 libpthread.so.0+0x6b75 libc.so.6+0xee02e happened 1 time since Fri Feb 12 00:01:16 2016

show dot1x

To display the 802.1X feature status, use the show dot1x command.

show dot1x

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You must enable the 802.1X feature by using the feature dot1x command before using this command.

This command does not require a license.

Examples

This example shows how to display the 802.1X feature status:


switch# show dot1x
           Sysauthcontrol Enabled
   Dot1x Protocol Version 2

Related Commands


Command	Description
feature dot1x	Enables the 802.1X feature.

show dot1x all

To display all 802.1X feature status and configuration information, use the show dot1x all command.

show dot1x all [details | statistics | summary]

Syntax Description


details	(Optional) Displays detailed information about the 802.1X configuration.
statistics	(Optional) Displays 802.1X statistics.
summary	(Optional) Displays a summary of 802.1X information.

Command Default

Displays global and interface 802.1X configuration

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You must enable the 802.1X feature by using the feature dot1x command before using this command.

This command does not require a license.

Examples

This example shows how to display all 802.1X feature status and configuration information:


switch# show dot1x all
           Sysauthcontrol Enabled
   Dot1x Protocol Version 2
Dot1x Info for Ethernet2/1
-----------------------------------
                      PAE = AUTHENTICATOR
              PortControl = FORCE_AUTH
                 HostMode = SINGLE HOST
         ReAuthentication = Disabled
              QuietPeriod = 60
            ServerTimeout = 30
              SuppTimeout = 30
             ReAuthPeriod = 3600 (Locally configured)
                ReAuthMax = 2
                   MaxReq = 2
                 TxPeriod = 30
          RateLimitPeriod = 0

Related Commands


Command	Description
feature dot1x	Enables the 802.1X feature.

show dot1x interface ethernet

To display the 802.1X feature status and configuration information for an Ethernet interface, use the show dot1x interface ethernet command.

show dot1x interface ethernet slot/port [details | statistics | summary]

Syntax Description


`slot/port` /	Slot and port identifiers for the interface.
details	(Optional) Displays detailed 802.1X information for the interface.
statistics	(Optional) Displays 802.1X statistics for the interface.
summary	(Optional) Displays a summary of the 802.1X information for the interface.

Command Default

Displays the interface 802.1X configuration

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You must enable the 802.1X feature by using the feature dot1x command before using this command.

This command does not require a license.

Examples

This example shows how to display the 802.1X feature status and configuration information for an Ethernet interface:


switch# show dot1x interface ethernet 2/1
Dot1x Info for Ethernet2/1
-----------------------------------
                      PAE = AUTHENTICATOR
              PortControl = FORCE_AUTH
                 HostMode = SINGLE HOST
         ReAuthentication = Disabled
              QuietPeriod = 60
            ServerTimeout = 30
              SuppTimeout = 30
             ReAuthPeriod = 3600 (Locally configured)
                ReAuthMax = 2
                   MaxReq = 2
                 TxPeriod = 30
          RateLimitPeriod = 0

Related Commands


Command	Description
feature dot1x	Enables the 802.1X feature.

show encryption service stat

To display the status of the encryption service, use the show encryption service stat command.

show encryption service stat

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.2(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the status of the encryption service:


switch# show encryption service stat
Encryption service is enabled
Master Encryption Key is configured.
Type-6 encryption is being used
switch#

Related Commands


Command	Description
show key chain	Displays the configuration for a specific keychain.

show eou

To display Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) status and configuration information, use the show eou command.

show eou [all | authentication {clientless | eap | static} | interface ethernetslot/port | ip-address ipv4-address | mac-address mac-address | posturetoken [name]]

Syntax Description


all	(Optional) Displays all EAPoUDP sessions.
authentication	(Optional) Displays EAPoUDP sessions for specific authentication types.
clientless	Specifies sessions authenticated using clientless posture validation.
eap	Specifies sessions authenticated using EAPoUDP.
static	Specifies sessions statically authenticated using statically configured exception lists.
interface ethernet slot/ port	(Optional) Displays the EAPoUDP sessions for a specific interface.
ip-address`ipv4-address`	(Optional) Displays the EAPoUDP sessions for a specific IPv4 address.
mac-address`mac-address`	(Optional) Displays the EAPoUDP sessions for a specific MAC address.
posturetoken `[name]`	(Optional) Displays the EAPoUDP sessions for posture tokens.
name	(Optional) Token name.

Command Default

Displays the global EAPoUDP configuration

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You must enable the 802.1X feature by using the feature eou command before using this command.

This command does not require a license.

Examples

This example shows how to display all 802.1X feature status and configuration information:


switch# show eou all

This example shows how to display 802.1X clientless authentication information:


switch# show eou authentication clientless

This example shows how to display 802.1X EAP authentication information:


switch# show eou authentication eap

This example shows how to display 802.1X static authentication information:


switch# show eou interface ethernet 2/1

This example shows how to display 802.1X information for an Ethernet interface:


switch# show eou ip-address 10.10.10.1

This example shows how to display 802.1X information for a MAC address:


switch# show eou mac-address 0019.076c.dac4

This example shows how to display 802.1X information for a MAC address:


switch# show eou posturetoken healthy

Related Commands


Command	Description
feature eou	Enables the 802.1X feature.

show fips status

To display the status of Federal Information Processing Standards (FIPS) mode, use the show fips status command.

show fips status

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any

Command History


Release	Modification
5.1(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the status of FIPS mode:


switch# show fips status
FIPS mode is disabled

Related Commands


Command	Description
fips mode enable	Enables FIPS mode.

show hardware access-list feature-combo

To display the bank mapping matrix, use the show hardware access-list feature- combo command.

show hardware access-list {input | output} {interface | vlan} feature-combo features

Syntax Description


input	Displays input/ingress policies.
output	Displays output/egress policies..
interface	Specifies interface.
vlan	Specifies VLAN.
feature-combo	Specifies the feature combination.
`features`	Specifies the features.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
6.2(10)	This command was introduced.

Usage Guidelines

This command does not require a license.

The following are the features you can enter:

arp—Address Resolution Protocol
bfd—Bidirectional Forwarding Detection
cbts—Class-Based Tunnel Selection
cts_impl_tunnel—CTS Implicit Tunnel
dhcp—Dynamic Host Configuration Protocol
erspan_dst—Encapsulated Remote Switched Port Analyzer (destination)
erspan_src—Encapsulated Remote Switched Port Analyzer (source)
lisp—Locator/ID Separation Protocol
lisp_inst—LISP Multitenant Policy
netflow—NetFlow
netflow_svi—NetFlow on SVI
netflow_sampler—NetFlow Sampler
netflow_sampler_svi—NetFlow Sampler on SVI
otv—Overlay Transport Virtualization
pacl—Port ACL
pbr—Policy-Based Routing without statistics
pbr_stats—Policy-Based Routing with statistics
qos—Quality of Service
racl—Router ACL without statistics
racl_stats—Router ACL with statistics
rbacl—Role-based ACL
tunnel-decap—Tunnel Decap
vacl—VLAN ACL without statistics
vacl_stats—VLAN ACL with statistics
wccp—Web Cache Communication Protocol

If the feature is not supported, the switch returns the following message:


This feature combination is not supported !

Examples

This example shows how to display a feature combination check on the ingress policy on a Layer 3 interface with the following features—racl with no stats, pbr with stats, wccp, qos and netflow:


switch# show hardware access-list input interface feature-combo racl pbr_stats wccp qos netflow
______________________________________________________________________________
Feature                     Rslt Type      T0B0      T0B1      T1B0      T1B1
______________________________________________________________________________
RACL Interface                  Acl         X
Netflow                         Acl         X
QoS Interface                   Qos                             X
WCCP Interface                  Acl         X
PBR Interface Stats             Acl                   X

This example shows how to display a feature combination check on the ingress policy on a VLAN/SVI with the following features—vacl with stats, racl on svi, pbr on svi, dhcp snoop on vlan and wccp:


switch# show hardware access-list input vlan feature-combo vacl_stat racl pbr dhcp wccp
______________________________________________________________________________
Feature                     Rslt Type      T0B0      T0B1      T1B0      T1B1
______________________________________________________________________________
RACL                            Acl                                       X
PBR                             Acl                                       X
DHCP                            Acl                             X
SPM WCCP                        Acl                                       X
VACL Stats                      Acl                             X

This example shows how to display a f eature combination check on the ingress policy on a Layer 2 interface with the following features —pacl and l2 qos:


switch# show hardware access-list input vlan feature-combo pacl
______________________________________________________________________________
Feature                     Rslt Type      T0B0      T0B1      T1B0      T1B1
______________________________________________________________________________
PACL                            Acl         X
QoS                             Qos                   X

Related Commands


Command	Description
hardware access-list resource feature bank-mapping	Configures the device to allow ACL TCAM bank mappings.

show hardware rate-limiter

To display the hardware rate limit configuration and statistics, use the show hardware rate-limiter command.

show hardware rate-limiter {access-list-log [module module] | copy [module module] | f1 {rl-1 [module module] | rl-2 [module module] | rl-3 [module module] | rl-4 [module module] | rl-5 [module module]} | layer-2 {l2pt [module module] | mcast-snooping [module module] | port-security [module module] | storm-control [module module] | vpc-low [module module]} | layer-3 {control [module module] | glean [module module] | glean-fast [module module] mtu [module module] | multicast {directly-connect [module module] | local-groups [module module] | rpf-leak [module module]} | ttl [module module]} | module module | receive [module module]}

Syntax Description


access-list-log	Specifies rate-limit statistics for access-list log packets.
module`module`	Specifies a module number. The range is from 1 to 18.
copy	Specifies rate-limit statistics for copy packets.
f1	Specifies the control packets from the F1 modules to the supervisor.
rl-1	Specifies the F1 rate-limiter 1.
rl-2	Specifies the F1 rate-limiter 2.
rl-3	Specifies the F1 rate-limiter 3.
rl-4	Specifies the F1 rate-limiter 4.
rl-5	Specifies the F1 rate-limiter 5.
layer-2	(Optional) Displays Layer 2 packet rate limits.
l2pt	Specifies rate-limit statistics for Layer 2 Tunnel Protocol (L2TP) packets.
mcast-snooping	Specifies rate-limit statistics for Layer 2 multicast-snooping packets.
port-security	Specifies rate-limit statistics for Layer 2 port-security packets.
storm-control	Specifies rate-limit statistics for Layer 2 storm-control packets.
vpc-low	Specifies rate-limit statistics for Layer 2 control packets over the virtual port channel (vPC) low queue.
layer-3	(Optional) Displays Layer 3 packet rate limits.
control	Specifies rate-limit statistics for Layer 3 control packets.
glean	Specifies rate-limit statistics for Layer 3 glean packets.
glean-fast	Specifies rate-limit statistics for Layer 3 glean fast-path packets.
mtu	Specifies rate-limit statistics for Layer 3 maximum transmission unit (MTU) packets.
multicast	Specifies Layer 3 multicast rate limits.
directly-connected	Specifies rate-limit statistics for Layer 3 directly connected multicast packets.
local-groups	Specifies rate-limit statistics for Layer 3 local group multicast packets.
rpf-leak	Specifies rate-limit statistics for Layer 3 reverse path forwarding (RPF) leak multicast packets.
ttl	Specifies rate-limit statistics for Layer 3 time-to-live (TTL) packets.
receive	(Optional) Displays rate-limit statistics for receive packets.

Command Default

Displays all rate-limit statistics.

Command Modes

Any command mode

Command History


Release	Modification
6.2(2)	Added the glean-fast keyword.
5.1(1)	Added the f1, rl-1, rl-2, rl-3, rl-4, rl-5, and module keywords.
5.0(2)	Added the l2pt keyword.
4.0(3)	Added the port-security keyword.
4.0(1)	This command was introduced.

Usage Guidelines

You can use the command only in the default virtual device context (VDC).

This command does not require a license.

Examples

This example shows how to display all the hardware rate-limit configuration and statistics:


switch# show hardware rate-limiter
Units for Config: packets per second
Allowed, Dropped & Total: aggregated since last clear counters
Rate Limiter Class                       Parameters
------------------------------------------------------------
layer-3 mtu                              Config    : 500
                                         Allowed   : 0
                                         Dropped   : 0
                                         Total     : 0
layer-3 ttl                              Config    : 500
                                         Allowed   : 0
                                         Dropped   : 0
                                         Total     : 0
layer-3 control                          Config    : 10000
                                         Allowed   : 0
                                         Dropped   : 0
                                         Total     : 0
layer-3 glean                            Config    : 100
                                         Allowed   : 0
                                         Dropped   : 0
                                         Total     : 0
layer-3 multicast directly-connected     Config    : 3000
                                         Allowed   : 0
                                         Dropped   : 0
                                         Total     : 0
layer-3 multicast local-groups           Config    : 3000
                                         Allowed   : 0
                                         Dropped   : 0
                                         Total     : 0
layer-3 multicast rpf-leak               Config    : 500
                                         Allowed   : 0
                                         Dropped   : 0
                                         Total     : 0
layer-2 storm-control                    Config    : Disabled
access-list-log                          Config    : 100
                                         Allowed   : 0
                                         Dropped   : 0
                                         Total     : 0
copy                                     Config    : 30000
                                         Allowed   : 0
                                         Dropped   : 0
                                         Total     : 0
receive                                  Config    : 30000
                                         Allowed   : 0
                                         Dropped   : 0
                                         Total     : 0
layer-2 port-security                    Config    : Disabled
layer-2 mcast-snooping                   Config    : 10000
                                         Allowed   : 0
                                         Dropped   : 0
                                         Total     : 0
layer-2 vpc-low                          Config    : 4000
                                         Allowed   : 0
                                         Dropped   : 0
                                         Total     : 0
layer-2 l2pt                             Config    : 500
                                         Allowed   : 0
                                         Dropped   : 0
                                         Total     : 0

This example shows how to display the rate-limit configuration and statistics for access-list log packets:


switch# show hardware rate-limiter access-list-log
Units for Config: packets per second
Allowed, Dropped & Total: aggregated since last clear counters
Rate Limiter Class                       Parameters
------------------------------------------------------------
access-list-log                          Config    : 100
                                         Allowed   : 0
                                         Dropped   : 0
                                         Total     : 0

Related Commands


Command	Description
clear hardware rate-limiter	Clears rate-limit statistics.
hardware rate-limiter	Configures rate limits.

show identity policy

To display the identity policies, use the show identity policy command.

show identity policy [policy-name]

Syntax Description


`policy-name`	(Optional) Name of a policy. The name is case sensitive.

Command Default

Displays information for all identity policies.

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display information for all of the identity policies:


switch# show identity policy

This example shows how to display information for a specific identity policy:


switch# show identity policy AdminPolicy

Related Commands


Command	Description
identity policy	Configures identity policies.

show identity profile

To display the identity profiles, use the show identity profile command.

show identity profile [eapoudp]

Syntax Description


eapoudp	(Optional) Displays the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) identity profile.

Command Default

Displays information for all identity profiles.

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the identity profiles:


switch# show identity profile

This example shows how to display the EAPoUDP identity profile configuration:


switch# show identity profile eapoudp

Related Commands


Command	Description
identity profile eapoudp	Configures EAPoUDP identity profiles.

show ip access-lists

To display all IPv4 access control lists (ACLs) or a specific IPv4 ACL, use the show ip access-lists command.

show ip access-lists [access-list-name] [expanded | summary]

Syntax Description


`access-list-name`	(Optional) Name of an IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters.
expanded	(Optional) Specifies that the contents of IPv4 address groups or port groups show rather than the names of object groups only.
summary	(Optional) Specifies that the command displays information about the ACL rather than the ACL configuration. For more information, see the “Usage Guidelines” section.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.2(1)	Command output is sorted alphabetically by the ACL names. Support was added for the fragments command.
4.0(1)	This command was introduced.

Usage Guidelines

The device shows all IPv4 ACLs, unless you use the access-list-name argument to specify an ACL.

If you do not specify an ACL name, the device lists ACLs alphabetically by the ACL names.

IPv4 address object groups and IP port object groups show only by name, unless you use the expanded keyword.

The expanded keyword allows you to display the details of object groups used in an ACL rather than only the name of the object groups. For more information about object groups, see the object-group ip address and object-group ip port commands.

The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following:

Whether per-entry statistics are configured for the ACL.
Whether the fragments command is configured for the ACL.
The number of rules in the ACL configuration. This number does not reflect how many entries that the ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules.
The interfaces that the ACL is applied to.
The interfaces that the ACL is active on.

The show ip access-lists command displays statistics for each entry in an ACL if the following conditions are both true:

The ACL configuration contains the statistics per-entry command.
The ACL is applied to an interface that is administratively up.

If an IP ACL includes the fragments command, it appears before the explicit permit and deny rules, but the device applies the fragments command to noninitial fragments only if they do not match all other explicit rules in the ACL.

This command does not require a license.

Examples

This example shows how to use the show ip access-lists command to display all IPv4 ACLs on a device that has a single IPv4 ACL:


switch# show ip access-lists
IP access list ipv4-open-filter
        10 permit ip any any

This example shows how to use the show ip access-lists command to display an IPv4 ACL named ipv4-RandD-outbound-web, including per-entry statistics for the entries except for the MainLab object group:


switch# show ip access-lists ipv4-RandD-outbound-web
IP access list ipv4-RandD-outbound-web
        statistics per-entry
        fragments deny-all
        1000 permit ahp any any [match=732]
        1005 permit tcp addrgroup MainLab any eq telnet
        1010 permit tcp any any eq www [match=820421]

This example shows how to use the show ip access-lists command to display an IPv4 ACL named ipv4-RandD-outbound-web. The expanded keyword causes the contents of the object group from the previous example to appear, including the per-entry statistics:


switch# show ip access-lists ipv4-RandD-outbound-web expanded
IP access list ipv4-RandD-outbound-web
        statistics per-entry
        1000 permit ahp any any [match=732]
        1005 permit tcp 10.52.34.4/32 any eq telnet [match=5032]
        1005 permit tcp 10.52.34.27/32 any eq telnet [match=433]
        1010 permit tcp any any eq www [match=820421]

This example shows how to use the show ip access-lists command with the summary keyword to display information about an IPv4 ACL named ipv4-RandD-outbound-web, such as which interfaces the ACL is applied to and active on:


switch# show ip access-lists ipv4-RandD-outbound-web summary
IPV4 ACL ipv4-RandD-outbound-web
        Statistics enabled
        Total ACEs Configured: 4
        Configured on interfaces:
                Ethernet2/4 - ingress (Router ACL)
        Active on interfaces:
                Ethernet2/4 - ingress (Router ACL)

Related Commands


Command	Description
fragments	Configures how an IP ACL processes noninitial fragments.
ip access-list	Configures an IPv4 ACL.
show access-lists	Displays all ACLs or a specific ACL.
show ipv6 access-lists	Displays all IPv6 ACLs or a specific IPv6 ACL.
show mac access-lists	Displays all MAC ACLs or a specific MAC ACL.
statistics per-entry	Starts recording statistics for packets permitted or denied by each entry in an ACL.

show ip access-lists capture session

To display the ACL capture session configuration, use the show ip access-lists capture session command.

show ip access-lists capture session session

Syntax Description


session	Session ID. The range is from 0 to 4294967295.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.2(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the ACL capture session configuration:


switch# show ip access-lists capture session 5
switch#

Related Commands


Command	Description
monitor session `session` type acl-capture	Configures an ACL capture session.
destination interface	Configures a destination for ACL capture packets.

show ip arp inspection

To display the Dynamic ARP Inspection (DAI) configuration status, use the show ip arp inspection command.

show ip arp inspection

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the status of the DAI configuration:


switch# show ip arp inspection
 
Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled
Vlan : 1
-----------
Configuration    : Enabled
Operation State  : Active
ARP Req Forwarded  = 0
ARP Res Forwarded  = 0
ARP Req Dropped    = 0
ARP Res Dropped    = 0
DHCP Drops         = 0
DHCP Permits       = 0
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0

Related Commands


Command	Description
ip arp inspection vlan	Enables DAI for a specified list of VLANs.
show ip arp inspection interface	Displays the trust state and the ARP packet rate for a specified interface.
show ip arp inspection log	Displays the DAI log configuration.
show ip arp inspection statistics	Displays the DAI statistics.
show ip arp inspection vlan	Displays DAI status for a specified list of VLANs.
show running-config dhcp	Displays DHCP snooping configuration, including DAI configuration.

show ip arp inspection interface

To display the trust state and the ARP packet rate for the specified interface, use the show ip arp inspection interface command.

Syntax Description

show ip arp inspection interfaceethernet slot/port | port-channel channel-number


ethernet slot /port	(Optional) Specifies that the output is for an Ethernet interface.
port-channel `channel-number`	(Optional) Specifies that the output is for a port-channel interface. Valid port-channel numbers are from 1 to 4096.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the trust state and the ARP packet rate for a trusted interface:


switch# show ip arp inspection interface ethernet 2/1
 
 Interface        Trust State    Rate (pps)    Burst Interval
 -------------    -----------    ----------    --------------
 Ethernet2/46        Trusted           15             5
switch#

Related Commands


Command	Description
ip arp inspection vlan	Enables Dynamic ARP Inspection (DAI) for a specified list of VLANs.
show ip arp inspection	Displays the DAI configuration status.
show ip arp inspection log	Displays the DAI log configuration.
show ip arp inspection statistics	Displays the DAI statistics.
show ip arp inspection vlan	Displays DAI status for a specified list of VLANs.
show running-config dhcp	Displays DHCP snooping configuration, including DAI configuration.

show ip arp inspection log

To display the Dynamic ARP Inspection (DAI) log configuration, use the show ip arp inspection log command.

show ip arp inspection log

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the DAI log configuration:


switch# show ip arp inspection log
 
Syslog Buffer Size : 32
Syslog Rate        : 5 entries per 1 seconds
switch#

Related Commands


Command	Description
clear ip arp inspection log	Clears the DAI logging buffer.
ip arp inspection log-buffer	Configures the DAI logging buffer size.
show ip arp inspection	Displays the DAI configuration status.
show ip arp inspection interface	Displays the trust state and the ARP packet rate for a specified interface.
show running-config dhcp	Displays DHCP snooping configuration, including DAI configuration.

show ip arp inspection statistics

Use the show ip arp inspection statistics command to display the Dynamic ARP Inspection (DAI) statistics. You can specify a VLAN or range of VLANs.

show ip arp inspection statistics [vlan vlan-list]

Syntax Description


vlan `vlan-list`	(Optional) Specifies the list of VLANs for which to display DAI statistics. Valid VLAN IDs are from 1 to 4096.

Command Default

None

Command Modes

Any command mode

Supported User Roles

network-admin

network-operator

vdc-admin

vdc-operator

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the DAI statistics for VLAN 1:


switch# show ip arp inspection statistics vlan 1
 
Vlan : 1
-----------
ARP Req Forwarded  = 0
ARP Res Forwarded  = 0
ARP Req Dropped    = 0
ARP Res Dropped    = 0
DHCP Drops         = 0
DHCP Permits       = 0
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0
switch#

Related Commands


Command	Description
clear ip arp inspection statistics vlan	Clears the DAI statistics for a specified VLAN.
show ip arp inspection	Displays the DAI configuration status.
show ip arp inspection interface	Displays the trust state and the ARP packet rate for a specified interface.
show ip arp inspection log	Displays the DAI log configuration.
show running-config dhcp	Displays DHCP snooping configuration, including DAI configuration.

show ip arp inspection vlan

Use the show ip arp inspection vlan command to display Dynamic ARP Inspection (DAI) status for the specified list of VLANs.

show ip arp inspection vlan vlan-list

Syntax Description


vlan-list	VLANs with DAI status that this command shows. The `vlan-list` argument allows you to specify a single VLAN ID, a range of VLAN IDs, or comma-separated IDs and ranges (see the “Examples” section). Valid VLAN IDs are from 1 to 4096.

Command Default

None

Command Modes

Any command mode

Supported User Roles

network-admin

network-operator

vdc-admin

vdc-operator

Command History


Release	Modification
4.0(1)	This command was introduced.

Examples

This example shows how to display DAI status for VLANs 1 and 13:


switch# show ip arp inspection vlan 1,13
 
Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled
Vlan : 1
-----------
Configuration    : Enabled
Operation State  : Active
Vlan : 13
-----------
Configuration    : Enabled
Operation State  : Inactive
switch#

Related Commands


Command	Description
clear ip arp inspection statistics vlan	Clears the DAI statistics for a specified VLAN.
ip arp inspection vlan	Enables DAI for a specified list of VLANs.
show ip arp inspection	Displays the DAI configuration status.
show ip arp inspection interface	Displays the trust state and the ARP packet rate for a specified interface.
show running-config dhcp	Displays DHCP snooping configuration, including DAI configuration.

show ip device tracking

To display IP device tracking information, use the show ip device tracking command.

show ip device tracking all | interface ethernet slot/port | ip-address ipv4-address | mac-address mac-address

Syntax Description


all	Displays all IP device tracking information.
interface ethernet slot/ port	Displays IP tracking device information for an interface.
ip-address`ipv4-address`	Displays IP tracking device information for an IPv4 address in the A.B.C.D format.
mac-address`mac-address`	Displays IP tracking information for a MAC address in the XXXX.XXXX.XXXX format.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display all IP device tracking information:


switch# show ip device tracking all

This example shows how to display the IP device tracking information for an interface:


switch# show ip device tracking ethernet 1/2

This example shows how to display the IP device tracking information for an IP address:


switch# show ip device tracking ip-address 10.10.1.1

This example shows how to display the IP device tracking information for a MAC address:


switch# show ip device tracking mac-address 0018.bad8.3fbd

Related Commands


Command	Description
ip device tracking	Configures IP device tracking.

show ip dhcp relay

To display DHCP snooping relay status, including DHCP server address configuration details, use the show ip dhcp relay command.

show ip dhcp relay

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.0(2)	This command was introduced.
7.2(0)D1(1)	This command was modified. An example for a helper address configuration on a bridge domain interface (BDI) was added.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the DHCP relay status and configured DHCP server addresses:


switch# show ip dhcp relay
DHCP relay service is enabled
Insertion of option 82 is enabled
Insertion of VPN suboptions is enabled
Helper addresses are configured on the following interfaces:
 Interface        Relay Address     VRF Name
 -------------    -------------     --------
 Ethernet1/4       10.10.10.1       red

This example shows how to display the DHCP relay status and configured DHCP server addresses. In this example, the helper address is configured on a bridge domain interface.


switch# show ip dhcp relay
DHCP relay service is enabled
Insertion of option 82 is enabled
Insertion of VPN suboptions is enabled
Global smart-relay is disabled
Relay Trusted Port is Globally disabled
Relay Trusted functionality is disabled
Smart-relay is enabled on the following interfaces:
-----------------------------------------------------
Subnet-broadcast is enabled on the following interfaces:
------------------------------------------------------
Helper addresses are configured on the following interfaces:
Interface        Relay Address     VRF Name
 -------------    -------------     --------
Bdi14 	192.0.2.120 				 management

Related Commands


Command	Description
feature dhcp	Enables the DHCP snooping feature on the device.
ip dhcp relay	Enables the DHCP relay agent.
show ip dhcp relay address	Shows DHCP server addresses configured on the device.

show ip dhcp relay address

To display DHCP server addresses configured on the device, use the show ip dhcp relay address command.

show ip dhcp relay address [interface {ethernet list | port-channel list}]

show ip dhcp relay address [interface interface-list]

Syntax Description


interface	(Optional) Restricts the output to a DHCP addresses configured on range or set of Ethernet or port-channel interfaces and subinterfaces.
ethernet	(Optional) Restricts the output to a DHCP addresses configured on range or set of Ethernet interfaces and subinterfaces.
`list`	Single interface, range of interfaces, or comma-separated interfaces and ranges (see the “Examples” section).
port-channel	(Optional) Restricts the output to a DHCP addresses configured on range or set of port-channel interfaces and subinterfaces.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.0(2)	Support was added for the interface keyword and for VRF awareness.
4.2(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display all the DHCP relay addresses configured on a device:


switch# show ip dhcp relay address
 Interface        Relay Address     VRF Name
 -------------    -------------     --------
 Ethernet1/2       10.1.1.1
 Ethernet1/3       10.1.1.1         red
 Ethernet1/4       10.1.1.1         red
 Ethernet1/5       10.1.1.1         red
 Ethernet1/6       10.1.1.1         red
 Ethernet1/7       10.1.1.1         red
 Ethernet1/8       10.1.1.1         red
switch#

This example shows how to display the DHCP relay addresses configured Ethernet interfaces 1/2 through 1/4 and Ethernet 1/8:


switch(config-if)# show ip dhcp relay address interface ethernet 1/2-4,ethernet 1/8
 Interface        Relay Address     VRF Name
 -------------    -------------     --------
 Ethernet1/2       10.1.1.1
 Ethernet1/3       10.1.1.1         red
 Ethernet1/4       10.1.1.1         red
 Ethernet1/8       10.1.1.1         red

Related Commands


Command	Description
feature dhcp	Enables the DHCP snooping feature on the device.
ip dhcp relay	Enables the DHCP relay agent.
show ip dhcp relay	Shows DHCP relay status and server addresses configured on the device.

show ip dhcp relay statistics

To display the DHCP relay statistics, use the show ip dhcp relay statistics command.

show ip dhcp relay statistics [interface interface]

Syntax Description


interface`interface`	Displays the DHCP relay address of the interface. The supported interface types are ethernet, port-channel, and VLAN.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
6.2(2)	This command was introduced.
7.2(0)D1(1)	This command was modified. An example for DHCP relay statistics information for a Bridge Domain Interface (BDI) was added.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display DHCP relay statistics for an interface:


switch# show ip dhcp relay statistics interface bdi 14
--------------------------------------------------------
Message Type             Rx              Tx           Drops
----------------------------------------------------------------------
Discover                  7               7               0
Offer                     0               0               0
Request(*)                0               0               0
Ack                       0               0               0
Release(*)                0               0               0
Decline                   0               0               0
Inform(*)                 0               0               0
Nack                      0               0               0
----------------------------------------------------------------------
Total                     7               7               0
----------------------------------------------------------------------
DHCP server stats:
----------------------------------------------------------------------------
Server           Vrf                                 Request       Response
----------------------------------------------------------------------------
10.64.66.242     management                                7              0
----------------------------------------------------------------------
DHCP L3 FWD:
Total Packets Received                           : 0
Total Packets Forwarded                       : 			0
Total Packets Dropped                            :         0
Non DHCP:
Total Packets Received                            :         0
Total Packets Forwarded                        :         0

Related Commands


Command	Description
ip dhcp relay	Enables the DHCP relay agent.
show ip dhcp relay	Displays the DHCP configuration.

show ip dhcp snooping

To display general status information for DHCP snooping, use the show ip dhcp snooping command.

show ip dhcp snooping

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Displayed Statistics

Packets processed —The number of packets containing DHCP messages.
Packets forwarded —The number of packets containing DHCP messages forwarded by the relay agent.
Total packets dropped —The total number of packets containing DHCP messages that were dropped. The reasons for dropping the packets are as follows:
- Received from untrusted ports —The number of packets containing DHCP messages, particularly DHCPOFFER packets, received from untrusted ports.
- MAC address check failure —
- Option 82 insertion failure —
- O/P Intf unknown —
- Unknown reason —

Examples

This example shows how to display general status information about DHCP snooping:


switch# show ip dhcp snooping
DHCP snooping service is enabled
Switch DHCP snooping is enabled
DHCP snooping is configured on the following VLANs:
1,13
DHCP snooping is operational on the following VLANs:
1
Insertion of Option 82 is disabled
Verification of MAC address is enabled
DHCP snooping trust/rate is configured on the following interfaces:
Interface             Trusted         Rate limit (pps)
------------          -------         ----------------
Ethernet2/3           Yes
switch#

Related Commands


Command	Description
feature dhcp	Enables the DHCP snooping feature on the device.
ip dhcp snooping	Globally enables DHCP snooping on the device.
show ip dhcp snooping binding	Displays IP-MAC address bindings, including the static IP source entries.
show ip dhcp snooping statistics	Displays DHCP snooping statistics.
show running-config dhcp	Displays DHCP snooping configuration.

show ip dhcp snooping binding

To display IP-to-MAC address bindings for all interfaces or a specific interface, use the show ip dhcp snooping binding command. It includes static IP source entries. Static entries appear with the term “static” in the Type column.

show ip dhcp snooping binding [ IP-address] [ MAC-address] [interface ethernet slot/port] [ vlan vlan-id]

show ip dhcp snooping binding [dynamic]

show ip dhcp snooping binding [static]

Syntax Description


`IP-address`	(Optional) IPv4 address that the bindings shown must include. Valid entries are in dotted-decimal format.
`MAC-address`	(Optional) MAC address that the bindings shown must include. Valid entries are in dotted-hexadecimal format.
interface ethernet`slot/port` /	(Optional) Specifies the Ethernet interface that the bindings shown must be associated with.
vlan `vlan-id`	(Optional) Specifies a VLAN ID that the bindings shown must be associated with. Valid VLAN IDs are from 1 to 4096.
dynamic	(Optional) Limits the output to all dynamic IP-MAC address bindings.
static	(Optional) Limits the output to all static IP-MAC address bindings.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display all bindings:


switch# show ip dhcp snooping binding
MacAddress         IpAddress        LeaseSec  Type        VLAN  Interface
-----------------  ---------------  --------  ----------  ----  -------------
0f:00:60:b3:23:33  10.3.2.2         infinite  static      13    Ethernet2/46
0f:00:60:b3:23:35  10.2.2.2         infinite  static      100   Ethernet2/10
switch#

Related Commands


Command	Description
clear ip dhcp snooping binding	Clears the DHCP snooping binding database.
feature dhcp	Enables the DHCP snooping feature on the device.
ip dhcp relay	Enables or disables the DHCP relay agent.
ip dhcp snooping	Globally enables DHCP snooping on the device.
show ip dhcp snooping	Displays general information about DHCP snooping.
show ip dhcp snooping statistics	Displays DHCP snooping statistics.
show running-config dhcp	Displays DHCP snooping configuration, including IP Source Guard configuration.

show ip dhcp snooping statistics

To display DHCP snooping statistics, use the show ip dhcp snooping statistics command.

show ip dhcp snooping statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Displayed Statistics

Packets processed —The number of packets containing DHCP messages.
Packets forwarded —The number of packets containing DHCP messages forwarded by the relay agent.
Total packets dropped —The total number of packets containing DHCP messages that were dropped. The reasons for dropping the packets are as follows:
- Received from untrusted ports —The number of packets containing DHCP messages, particularly DHCPOFFER packets, received from untrusted ports.
- MAC address check failure —
- Option 82 insertion failure —
- O/P Intf unknown —
- Unknown reason —

Examples

This example shows how to display DHCP snooping statistics:


switch# show ip dhcp snooping statistics
Packets processed 0
Packets received through cfsoe 0
Packets forwarded 0
Packets forwarded on cfsoe 0
Total packets dropped 0
Packets dropped from untrusted ports 0
Packets dropped due to MAC address check failure 0
Packets dropped due to Option 82 insertion failure 0
Packets dropped due to o/p intf unknown 0
Packets dropped which were unknown 0
Packets dropped due to dhcp relay not enabled 0
Packets dropped due to no binding entry 0
Packets dropped due to interface error/no interface 0
Packets dropped due to max hops exceeded 0
switch#

Related Commands


Command	Description
feature dhcp	Enables the DHCP snooping feature on the device.
ip dhcp snooping	Globally enables DHCP snooping on the device.
service dhcp	Enables or disables the DHCP relay agent.
show ip dhcp snooping	Displays general information about DHCP snooping.
show ip dhcp snooping binding	Displays IP-MAC address bindings, including the static IP source entries.
show running-config dhcp	Displays DHCP snooping configuration.

show ip udp relay

To display the configuration details of the UDP relay feature, use the show ip udp relay command.

show ip udp relay [interface [ethernet slot/port-number | port-channel port-channel-number] | object-group object-group-name]

Syntax Description


`slot/port-number`	Specifies the slot and port number.
`port-channel-number`	Specifies the port channel number.
`object-grp-name`	Specifies the name of the object group.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
7.3(0)D1(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the details of the UDP relay feature:


switch# show ip udp relay
UDP relay service is enabled
UDP relay on default UDP ports:
Default UDP Ports Status
--------------------------- -------------
Time service                   (port 37 ) enabled
IEN-116 Name Service           (port 42 ) enabled
TACACS service                 (port 49 ) enabled
Domain Naming System           (port 53 ) enabled
Trivial File Transfer Protocol (port 69 ) enabled
NetBIOS Name Server            (port 137) enabled 
NetBIOS Datagram Server        (port 138) enabled 
UDP relay is enabled on the following non-default UDP ports: 
----------------------------------------------------------------- 
Object-group and Subnet-broadcast configurations: 
Interface Subnet-broadcast Object-group 
---------- ---------------- ------------ 
Vlan700 disabled iSmart 
Vlan800 enabled iHello

Related Commands


Command	Description
ip forward-protocol udp	Enables the UDP relay feature.
object-group udp relay ip address	Configures the object group.

show ip verify source

To display the IP-to-MAC address bindings, use the show ip verify source command.

show ip verify source [interface {ethernetslot/port | port-channel channel-number}]

Syntax Description


interface	(Optional) Specifies that the output is limited to IP-to-MAC address bindings for a particular interface.
ethernet`slot/port`	(Optional) Specifies that the output is limited to bindings for the Ethernet interface given.
port-channel `channel-number`	(Optional) Specifies that the output is limited to bindings for the port-channel interface given. Valid port-channel numbers are from 1 to 4096.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the IP-to-MAC address bindings:


switch# show ip verify source
 
switch#

Related Commands


Command	Description
ip source binding	Creates a static IP source entry for the specified Ethernet interface.
ip verify source dhcp-snooping-vlan	Enables IP Source Guard on an interface.
show running-config dhcp	Displays DHCP snooping configuration, including IP Source Guard configuration.

show ipv6 access-lists

To display all IPv6 access-control lists (ACLs) or a specific IPv6 ACL, use the show ipv6 access-lists command.

show ipv6 access-lists [access-list-name] [expanded | summary]

Syntax Description


`access-list-name`	(Optional) Name of an IPv6 ACL, which can be up to 64 alphanumeric, case-sensitive characters.
expanded	(Optional) Specifies that the contents of IPv6 address groups or port groups show rather than the names of object groups only.
summary	(Optional) Specifies that the command displays information about the ACL rather than the ACL configuration. For more information, see the “Usage Guidelines” section.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.2(1)	Command output is sorted alphabetically by the ACL names. Support was added for the fragments command.
4.1(2)	This command was introduced.

Usage Guidelines

The device shows all IPv6 ACLs, unless you use the access-list-name argument to specify an ACL.

If you do not specify an ACL name, the device lists ACLs alphabetically by the ACL names.

IPv6 address object groups and IP port object groups show only by name, unless you use the expanded keyword.

The expanded keyword allows you to display the details of object groups used in an ACL rather than only the name of the object groups. For more information about object groups, see the object-group ipv6 address and object-group ip port commands.

The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following:

Whether per-entry statistics are configured for the ACL.
Whether the fragments command is configured for the ACL.
The number of rules in the ACL configuration. This number does not reflect how many entries that the ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules.
The interfaces that the ACL is applied to.
The interfaces that the ACL is active on.

The show ipv6 access-lists command displays statistics for each entry in an ACL if the following conditions are both true:

The ACL configuration contains the statistics per-entry command.
The ACL is applied to an interface that is administratively up.

If an IP ACL includes the fragments command, it appears before the explicit permit and deny rules, but the device applies the fragments command to noninitial fragments only if they do not match all other explicit rules in the ACL.

This command does not require a license.

Examples

This example shows how to use the show ipv6 access-lists command to display all IPv6 ACLs on a device that has a single IPv6 ACL:


switch# show ipv6 access-lists
IPv6 access list ipv6-main-filter
        10 permit ipv6 any any

This example shows how to use the show ipv6 access-lists command to display an IPv6 ACL named ipv6-RandD-outbound-web, including per-entry statistics for the entries except for the LowerLab object group:


switch# show ipv6 access-lists ipv6-RandD-outbound-web
IPv6 access list ipv6-RandD-outbound-web
        statistics per-entry
        fragments deny-all
        1000 permit ahp any any [match=732]
        1005 permit tcp addrgroup LowerLab any eq telnet
        1010 permit tcp any any eq www [match=820421]

This example shows how to use the show ipv6 access-lists command to display an IPv6 ACL named ipv6-RandD-outbound-web. The expanded keyword causes the contents of the object group from the previous example to appear, including the per-entry statistics:


switch# show ipv6 access-lists ipv6-RandD-outbound-web expanded
IPv6 access list ipv6-RandD-outbound-web
        statistics per-entry
        1000 permit ahp any any [match=732]
        1005 permit tcp 2001:db8:0:3ab0::1/128 any eq telnet [match=5032]
        1005 permit tcp 2001:db8:0:3ab0::32/128 any eq telnet [match=433]
        1010 permit tcp any any eq www [match=820421]

This example shows how to use the show ipv6 access-lists command with the summary keyword to display information about an IPv6 ACL named ipv6-RandD-outbound-web, such as which interfaces the ACL is applied to and active on:


switch# show ipv6 access-lists ipv6-RandD-outbound-web summary
IPV6 ACL ipv6-RandD-outbound-web
        Statistics enabled
        Total ACEs Configured: 4
        Configured on interfaces:
                Ethernet2/4 - ingress (Router ACL)
        Active on interfaces:
                Ethernet2/4 - ingress (Router ACL)

Related Commands


Command	Description
fragments	Configures how an IP ACL processes noninitial fragments.
ipv6 access-list	Configures an IPv6 ACL.
show access-lists	Displays all ACLs or a specific ACL.
show ip access-lists	Displays all IPv4 ACLs or a specific IPv4 ACL.
show mac access-lists	Displays all MAC ACLs or a specific MAC ACL.
statistics per-entry	Starts recording statistics for packets permitted or denied by each entry in an ACL.

show ipv6 dhcp relay

To display the DHCPv6 relay global or interface-level configuration, including DHCPv6 server addresses configured on interfaces, use the show ipv6 dhcp relay command.

show ipv6 dhcp relay [interface interface]

Syntax Description


interface`interface`	(Optional) Displays the DHCPv6 relay address of the interface. The supported interface types are ethernet, port-channel, and VLAN.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
6.2(2)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the globally configured DHCPv6 relay status and DHCPv6 server addresses:


switch# show ipv6 dhcp relay
DHCPv6 relay service : Enabled
Insertion of VPN options : Disabled
Insertion of CISCO options : Disabled
DHCPv6 Relay is configured on the following interfaces:
Interface        Relay Address     VRF Name
 -------------    -------------     --------
 Ethernet1/4 									red

Related Commands


Command	Description
ipv6 dhcp relay	Enables the DHCPv6 relay agent.
show ipv6 dhcp relay statistics	Displays statistics relating to DHCPv6.

show ipv6 dhcp relay statistics

To display the DHCPv6 relay statistics, use the show ipv6 dhcp relay statistics command.

show ipv6 dhcp relay statistics [interface interface]

Syntax Description


interface `interface`	(Optional) Displays the DHCPv6 relay address of the interface. The supported interface types are ethernet, port-channel, and VLAN.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
6.2(2)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the globally configured DHCPv6 relay statistics:


switch# show ipv6 dhcp relay statistics

Related Commands


Command	Description
ipv6 dhcp relay	Enables the DHCPv6 relay agent.
show ipv6 dhcp relay	Displays the DHCPv6 configuration.

show ipv6 dhcp-ldra

To display configuration details and statistics for the Lightweight DHCPv6 Relay Agent (LDRA), use the show ipv6 dhcp-ldra command.

show ipv6 dhcp-ldra [statistics]

Syntax Description


statistics	(Optional) Displays LDRA-related statistics.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
7.3(0)D1(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the LDRA feature by using the ipv6 dhcp-ldra command.

Examples

This example shows how to enable the LDRA feature on the specified interface:


switch(config)# ipv6 dhcp-ldra
switch(config)# show ipv6 dhcp-ldra statistics
    DHCPv6 LDRA client facing statistics.
Messages received              2
Messages sent                  2
Messages discarded             0
Messages Received
SOLICIT                        1
REQUEST                        1
Messages Sent
RELAY-FORWARD                  2
    DHCPv6 LDRA server facing statistics.
Messages received              2
Messages sent                  2
Messages discarded             0
Messages Received
RELAY-REPLY                    2
Messages Sent
ADVERTISE                      1
REPLY                          1

Related Commands


Command	Description
ipv6 dhcp-ldra	Enables the LDRA feature.

show ipv6 dhcp guard policy

To display Dynamic Host Configuration Protocol for IPv6 (DHCPv6) guard information, use the show ipv6 dhcp guard policy command.

show ipv6 dhcp guard policy [policy-name]

Syntax Description


`policy-name`	(Optional) DHCPv6 guard policy name.

Command Modes

Any command mode

Command History


Release	Modification
8.0(1)	This command was introduced.

Usage Guidelines

If the policy-name argument is specified, only the specified policy information is displayed. If the policy-name argument is not specified, information is displayed for all policies.

Examples

The following is sample output:


switch# show ipv6 dhcp guard policy

Dhcp guard policy: default
        Device Role: dhcp client
        Target: Et0/3 

Dhcp guard policy: test1
        Device Role: dhcp server
        Target: vlan 0    vlan 1    vlan 2    vlan 3    vlan 4   
        Max Preference: 200
        Min Preference: 0
        Source Address Match Access List: acl1
        Prefix List Match Prefix List: pfxlist1

Dhcp guard policy: test2
        Device Role: dhcp relay
        Target: Et0/0 Et0/1 Et0/2

The table below describes the significant fields shown in the display.

Table 1. show ipv6 dhcp guard policy
Field	Description
Device Role	The role of the device. The role is either client, server or relay.
Target	The name of the target. The target is either an interface or a VLAN.

show ipv6 nd raguard policy

To display a router advertisements (RAs) guard policy on all interfaces configured with the RA guard feature, use the show ipv6 nd raguard policy command.

show ipv6 nd raguard policy [policy-name]

Syntax Description


`policy-name`	(Optional) RA guard policy name.

Command Modes

Any command mode

Command History


Release	Modification
8.0(1)	This command was introduced.

Usage Guidelines

The show ipv6 nd raguard policy command displays the options configured for the policy on all interfaces configured with the RA guard feature.

Examples

The following example shows the policy configuration for a policy named raguard1 and all the interfaces where the policy is applied:


switch# show ipv6 nd raguard policy interface raguard1 

Policy raguard1 configuration: 
  device-role host
Policy applied on the following interfaces:
  Et0/0        vlan all 
  Et1/0        vlan all

The table below describes the significant fields shown in the display.

Table 2. show ipv6 nd raguard policy Field Descriptions
Field	Description
Policy raguard1 configuration:	Configuration of the specified policy.
device-role host	The role of the device attached to the port. This device configuration is that of host.
Policy applied on the following interfaces:	The specified interface on which the RA guard feature is configured.

show ipv6 neighbor binding

To display contents of a binding table, use the show ipv6 neighbor binding command.

show ipv6 neighbor binding [vlan vlan-id|interface type number|ipv6 ipv6-address|mac mac-address]

Syntax Description


vlan `vlan-id`	(Optional) Displays the binding table entries that match the specified VLAN.
interface `type number`	(Optional) Displays the binding table entries that match the specified interface type and number.
ipv6 `ipv6-address`	(Optional) Displays the binding table entries that match the specified IPv6 address.
mac `mac-address`	(Optional) Displays the binding table entries that match the specified Media Access Control (MAC) address.

Command Modes

Any command mode

Command History


Release	Modification
8.0(1)	This command was introduced.

Usage Guidelines

This command displays the contents of the binding table. The display output can be specified by the specified VLAN, interface, IPv6 address, or MAC address. If no keywords or arguments are entered, all binding table contents are displayed.

Examples

The following example displays the contents of a binding table:


switch# show ipv6 neighbor binding

address DB has 4 entries
Codes: L - Local, S - Static, ND - Neighbor Discovery
Preflevel (prlvl) values:
1:Not secure          2:MAC and LLA match   3:Cga authenticated   
4:Dhcp assigned       5:Cert authenticated  6:Cga and Cert auth   
7:Trusted port        8:Statically assigned 
    IPv6 address            Link-Layer addr Interface   vlan  prlvl age state    Time left
ND  FE80::A8BB:CCFF:FE01:F500  AABB.CC01.F500  Et0/0     100  0002    0 REACHABLE  8850
L   FE80::21D:71FF:FE99:4900   001D.7199.4900  Vl100     100  0080 7203 DOWN       N/A
ND  2001:600::1                AABB.CC01.F500  Et0/0     100  0003    0 REACHABLE  3181
ND  2001:300::1                AABB.CC01.F500  Et0/0     100  0007    0 REACHABLE  9559
ND  2001:100::2                AABB.CC01.F600  Et1/0     200  0002    0 REACHABLE  9196
L   2001:400::1                001D.7199.4900  Vl100     100  0080 7188 DOWN       N/A
S   2001:500::1                000A.000B.000C  Fa4/13    300  0080 8676 STALE      N/A

The table below describes the significant fields shown in the display.

Table 3. show ipv6 neighbor binding Field Descriptions
Field	Description
address DB has n entries	Number of entries in the specified database.

show ipv6 snooping capture-policy

To display message capture policies, use the show ipv6 snooping capture-policy command.

show ipv6 snooping capture-policy [interface type number]

Syntax Description


interface `type` `number`	(Optional) Displays first-hop message types on the specified interface type and number.

Command Modes

Any command mode

Command History


Release	Modification
8.0(1)	This command was introduced.

Usage Guidelines

The show ipv6 snooping capture-policy command displays IPv6 first-hop message capture policies.

Examples

The following example shows show ipv6 snooping capture-policy command output on the Ethernet 0/0 interface, on which the IPv6 Neighbor Discovery Protocol (NDP) Inspection and Router Advertisement (RA) Guard features are configured:


switch# show ipv6 snooping capture-policy

Hardware policy registered on Et0/0
Protocol  Protocol value  Message  Value  Action  Feature
ICMP      58              RS       85     punt    RA Guard
                                          punt    ND Inspection
ICMP      58              RA       86     drop    RA guard
                                          punt    ND Inspection
ICMP      58              NS       87     punt    ND Inspection
ICMP      58              NA       88     punt    ND Inspection
ICMP      58              REDIR    89     drop    RA Guard
                                          punt    ND Inspection

The table below describes the significant fields shown in the display.

Table 4. show ipv6 snooping capture-policy Field Descriptions
Field	Description
Hardware policy registered on Fa4/11	A hardware policy contains a programmatic access list (ACL), with a list of access control entries (ACEs).
Protocol	The protocol whose packets are being inspected.
Message	The type of message being inspected.
Action	Action to be taken on the packet.
Feature	The inspection feature for this information.

show ipv6 snooping counters

To display information about the packets counted by the interface counter, use the show ipv6 snooping counters command.

show ipv6 snooping counters {interface type number | vlan vlan-id}

Syntax Description


interface `type` `number`	Displays first-hop packets that match the specified interface type and number.
vlan `vlan-id`	Displays first-hop packets that match the specified VLAN ID.

Command Modes

Any command mode

Command History


Release	Modification
8.0(1)	This command was introduced.

Usage Guidelines

The show ipv6 snooping counters command displays packets handled by the switch that are being counted in interface counters. The switch counts packets captured per interface and records whether the packet was received, sent, or dropped. If a packet is dropped, the reason for the drop and the feature that caused the drop are both also provided.

Examples

The following examples shows information about packets counted on Fast Ethernet interface 4/12:


switch# show ipv6 snooping counters interface Fa4/12
Received messages on Fa4/12:
Protocol        Protocol message
ICMPv6          RS      RA      NS      NA      REDIR   CPS     CPA     
                0       4256    0       0       0       0       0       
Bridged messages from Fa4/12:
Protocol        Protocol message
ICMPv6          RS      RA      NS      NA      REDIR   CPS     CPA     
                0       4240    0       0       0       0       0       
Dropped messages on Fa4/12:
Feature/Message RS      RA      NS      NA      REDIR   CPS     CPA     
RA guard        0       16      0       0       0       0       0       
Dropped reasons on Fa4/12:
RA guard         16   RA drop - reason:RA/REDIR received on un-authorized port

The table below describes the significant fields shown in the display.

Table 5. show ipv6 snooping counters Field Descriptions
Field	Description
Received messages on:	The messages received on an interface.
Protocol	The protocol for which messages are being counted.
Protocol message	The type of protocol messages being counted.
Bridged messages from:	Bridged messages from the interface.
Dropped messages on:	The messages dropped on the interface.
Feature/message	The feature that caused the drop, and the type and number of messages dropped.
RA drop - reason:	The reason that these messages were dropped.

show ipv6 snooping features

To display information about about snooping features configured on the router, use the show ipv6 snooping features command.

show ipv6 snooping features

Syntax Description

This command has no arguments or keywords.

Command Modes

Any command mode

Command History


Release	Modification
8.0(1)	This command was introduced.

Usage Guidelines

The show ipv6 snooping features command displays the first-hop features that are configured on the router.

Examples

The following example shows that both IPv6 NDP inspection and IPv6 RA guard are configured on the router:


Router# show ipv6 snooping features

Feature name   priority state
RA guard          100   READY
NDP inspection     20   READY

The table below describes the significant fields shown in the display.

Table 6. show ipv6 snooping features Field Descriptions
Field	Description
Feature name	The names of the IPv6 global policy features configured on the router.
priority	The priority of the specified feature.
state	The state of the specified feature.

show ipv6 snooping policies

To display information about the configured policies and the interfaces to which they are attached, use the show ipv6 snooping policies command.

show ipv6 snooping policies {interface type number | vlan vlan-id}

Syntax Description


interface `type` `number`	Displays policies that match the specified interface type and number.
vlan `vlan-id`	Displays first-hop packets that match the specified VLAN ID.

Command Modes

Any command mode

Command History


Release	Modification
8.0(1)	This command was introduced.

Usage Guidelines

The show ipv6 snooping policies command displays all policies that are configured and lists the interfaces to which they are attached.

Examples

The following example shows information about all policies configured:


switch# show ipv6 snooping policies

NDP inspection policies configured: 
Policy      Interface    Vlan 
------      ---------    ---- 
trusted      Et0/0        all 
             Et1/0        all 
untrusted    Et2/0        all 
RA guard policies configured: 
Policy      Interface    Vlan 
------      ---------    ---- 
host         Et0/0        all 
             Et1/0        all 
router       Et2/0        all

The table below describes the significant fields shown in the display.

Table 7. show ipv6 snooping policies Field Descriptions
Field	Description
NDP inspection policies configured:	Description of the policies configured for a specific feature.
Policy	Whether the policy is trusted or untrusted.
Interface	The interface to which a policy is attached.

show key chain

To display the configuration for a specific keychain, use the show key chain command.

show key chain [keychain-name | | mode decrypt]

Syntax Description


`keychain-name`	(Optional) Name of the keychain that is configured, up to 63 alphanumerical characters.
mode decrypt	(Optional) Shows the key text configuration in cleartext. This option is available only when the device is accessed with a user account that is assigned a network-admin or vdc-admin user role.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
8.2(1)	This command was modified to display the details of the MACsec keychains configured.
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the keychain configuration for the glbp-key keychain that contains one key (key 13) with specific accept and send lifetimes:


switch# show key chain
Key-Chain glbp-keys
  Key 13 -- text 7 071a33595c1d0c1702170203163e3e21213c20361a021f11
    accept lifetime UTC (00:00:00 Jun 13 2008) - (23:59:59 Sep 12 2008)
    send lifetime UTC (00:00:00 Jun 13 2008) - (23:59:59 Aug 12 2008)

This example shows how to display the MACsec keychain configuration for the k1 MACsec keychain that contains the 01 MACsec key:


switch# show key chain k1
Key-Chain k1 Macsec
  Key 01 -- text 7 "075f701e1d5d4c53404a520d052829272b63647040534355560e005952560c001b"
    cryptographic-algorithm AES_128_CMAC
    send lifetime (always valid) [active]

Related Commands


Command	Description
accept-lifetime	Configures an accept lifetime for a key.
key	Configures a key.
key chain	Configures a keychain.
key-octet-string	Configures the text for a MACsec key.
key-string	Configures a key string.
send-lifetime	Configures a send lifetime for a key.

show ldap-search-map

To display information about the configured Lightweight Directory Access Protocol (LDAP) attribute maps, use the show ldap -search-map command.

show ldap-search-map

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.0(2)	This command was introduced.

Usage Guidelines

You must use the feature ldap command before you can display LDAP information.

This command does not require a license.

Examples

This example shows how to display information about the configured LDAP attribute maps:


switch# show ldap-search-map
total number of search maps : 1
following LDAP search maps are configured:
    SEARCH MAP  s0:
      User Profile:
        BaseDN: DN1
        Attribute Name: map1
        Search Filter: filter1

Related Commands


Command	Description
attribute-name	Configures the attribute name, search filter, and base-DN for the user profile, trusted certificate, CRL, certificate DN match, public key match, or user-switchgroup lookup search operation.
feature ldap	Enables LDAP.
ldap search-map	Configures an LDAP search map.
ldap-server host	Specifies the IPv4 or IPv6 address or hostname for an LDAP server.

show ldap-server

To display the Lightweight Directory Access Protocol (LDAP) server configuration, use the show ldap-server command.

show ldap-server

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.0(2)	This command was introduced.

Usage Guidelines

You must use the feature ldap command before you can display LDAP information.

This command does not require a license.

Examples

This example shows how to display the LDAP server configuration:


switch# show ldap-server
	 timeout : 5
        port : 389
    deadtime : 0
total number of servers : 0

Related Commands


Command	Description
feature ldap	Enables LDAP.
ldap-server host	Specifies the IPv4 or IPv6 address or hostname for an LDAP server.

show ldap-server groups

To display the Lightweight Directory Access Protocol (LDAP) server group configuration, use the show ldap-server groups command.

show ldap-server groups

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.0(2)	This command was introduced.

Usage Guidelines

You must use the feature ldap command before you can display LDAP information.

This command does not require a license.

Examples

This example shows how to display the LDAP server group configuration:


switch# show ldap-server groups
total number of groups: 1
following LDAP server groups are configured:
    group LDAPgroup1:
        Use-vrf: default
        Mode: UnSecure
        Authentication: Search and Bind
        Bind and Search : append with basedn (cn=$userid)
        Authentication: Do bind instead of compare
        Bind and Search : compare passwd attribute userPassword
        Authentication Mech: Default(PLAIN)
        Search map:

Related Commands


Command	Description
aaa group server ldap	Creates an LDAP server group and enters the LDAP server group configuration mode for that group.
feature ldap	Enables LDAP.

show ldap-server statistics

To display the Lightweight Directory Access Protocol (LDAP) server statistics, use the show ldap-server statistics command.

show ldap-server statistics {ipv4-address | ipv6-address | host-name}

Syntax Description


`ipv4-address`	Server IPv4 address in the A.B.C.D format.
`ipv6-address`	Server IPv6 address in the X:X:X:X format.
`host-name`	Server name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.0(2)	This command was introduced.

Usage Guidelines

You must use the feature ldap command before you can display LDAP information.

This command does not require a license.

Examples

This example shows how to display the statistics for an LDAP server:


switch# show ldap-server statistics 10.10.1.1
Server is not monitored
Authentication Statistics
        failed transactions: 0
        sucessfull transactions: 0
        requests sent: 0
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 0
        responses containing errors: 0

Related Commands


Command	Description
feature ldap	Enables LDAP.
ldap-server host	Specifies the IPv4 or IPv6 address or hostname for an LDAP server.

show mac access-lists

To display all MAC access control lists (ACLs) or a specific MAC ACL, use the show mac access-lists command.

show mac access-lists [access-list-name] [expanded | summary]

Syntax Description


`access-list-name`	(Optional) Name of a MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters.
expanded	(Optional) Specifies that the contents of object groups show rather than the names of object groups only.
summary	(Optional) Specifies that the command displays information about the ACL rather than the ACL configuration. For more information, see the “Usage Guidelines” section.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.2(1)	Command output is sorted alphabetically by the ACL names.
4.0(1)	This command was introduced.

Usage Guidelines

The device shows all MAC ACLs, unless you use the access-list-name argument to specify an ACL.

If you do not specify an ACL name, the device lists ACLs alphabetically by the ACL names.

The expanded keyword allows you to display the details of object groups used in an ACL rather than only the name of the object groups. For more information about object groups, see the object-group ip address , object-group ipv6 address , and object-group ip port commands.

The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following:

Whether per-entry statistics are configured for the ACL.
The number of rules in the ACL configuration. This number does not reflect how many entries that the ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules.
The interfaces that the ACL is applied to.
The interfaces that the ACL is active on.

The show mac access-lists command displays statistics for each entry in an ACL if the following conditions are both true:

The ACL configuration contains the statistics per-entry command.
The ACL is applied to an interface that is administratively up.

This command does not require a license.

Examples

This example shows how to use the show mac access-lists command to show all MAC ACLs on a device with a single MAC ACL:


switch# show mac access-lists
MAC access list mac-filter
        10 permit any any ip

This example shows how to use the show mac access-lists command to display a MAC ACL named mac-lab-filter, including per-entry statistics:


switch# show mac access-lists mac-lab-filter
MAC access list mac-lab-filter
        statistics per-entry
        10 permit 0600.ea5f.22ff 0000.0000.0000 any [match=820421]
        20 permit 0600.050b.3ee3 0000.0000.0000 any [match=732]

This example shows how to use the show mac access-lists command with the summary keyword to display information about a MAC ACL named mac-lab-filter, such as which interfaces the ACL is applied to and active on:


switch# show mac access-lists mac-lab-filter summary
MAC ACL mac-lab-filter
        Statistics enabled
        Total ACEs Configured: 2
        Configured on interfaces:
                Ethernet2/3 - ingress (Port ACL)
        Active on interfaces:
                Ethernet2/3 - ingress (Port ACL)

Related Commands


Command	Description
mac access-list	Configures a MAC ACL.
show access-lists	Displays all ACLs or a specific ACL.
show ip access-lists	Displays all IPv4 ACLs or a specific IPv4 ACL.
show ipv6 access-lists	Displays all IPv6 ACLs or a specific IPv6 ACL.

show macsec mka

To display the details of MACsec Key Agreement (MKA), use the show macsec mka command.

show macsec mka [capability interface {all | ethernet slot-number/ port-number} | session [interface ethernet slot/ port] [details] [internal-details] | statistics [interface ethernet slot/ port] | summary]

Syntax Description


capability interface	(Optional) Shows the capability of MKA in the interfaces.
all	Shows the capability of all the interfaces.
ethernet `slot/` `port`	Shows capability of the specified Ethernet interface.
session	(Optional) Shows MKA session information.
interface ethernet `slot/` `port`	(Optional) Shows information about the specified Ethernet interface.
details	(Optional) Shows detailed information about MKA.
internal-details	(Optional) Shows internal detailed information about MKA.
statistics	(Optional) Shows MKA statistics.
summary	(Optional) Shows MKA summary information.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
8.2(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the details of an MKA session:


switch# show macsec mka session details

Detailed Status for MKA Session
-----------------------------------
Interface Name          : Ethernet11/25    
Session Status                      : Secured    
Local Tx-SCI                        : 00b0.e135.9c24/0001    
Local Tx-SSCI                       : 3    
MKA Port Identifier                 : 3    
CAK Name (CKN)                      : 0100000000000000000000000000000000000000000000000000000000000000    
Member Identifier (MI)              : 17173194E288E086B275A49F    
Message Number (MN)                 : 12465    
MKA Policy Name                     : p1    
Key Server Priority                 : 9    
Key Server                          : No    
SAK Cipher Suite                    : GCM-AES-XPN-128    
SAK Cipher Suite (Operational)      : GCM-AES-XPN-128    
Replay Window Size                  : 0    
Confidentiality Offset              : CONF-OFFSET-0    
Confidentiality Offset (Operational): CONF-OFFSET-0    
Latest SAK Status                   : Rx & TX    
Latest SAK AN                       : 0    
Latest SAK KI                       : 10314879    
Latest SAK KN                       : 57    
Last SAK key time                   : 06:59:24 UTC Wed Apr 19 2017    
Number of Macsec Capable Live Peers: 3    
Number of SA consumed in Hardware  : 3    
Number of Macsec Capable Live Peers Responded: 0
Live Peer List:
MI                        MN        SCI                SSCI Key-Server Priority
-----------------------------------------------------------------------------------------
7F649D00075CA2B14065F50D  12466      00b0.e135.9c23/0001 4     9
67DF7F5DE06AFC9A2F125914  12464      9c57.adfd.8acb/0001 2     9
57BCB803EB00453525F7382C  12466      9c57.adfd.8acc/0001 1     9

Detailed Status for MKA Session
-----------------------------------
Interface Name          : Ethernet4/27
    Session Status                      : Secured
    Local Tx-SCI                        : 5006.ab91.9f4e/0001
    Local Tx-SSCI                       : 2
    MKA Port Identifier                 : 2
    CAK Name (CKN)                      : 1000000000000000000000000000000000000000000000000000000000000000
    Member Identifier (MI)              : 4B18586C685B28F2354B1E2B
    Message Number (MN)                 : 49
    MKA Policy Name                     : mustsecureks
    Key Server Priority                 : 9
    Key Server                          : Yes
    SAK Cipher Suite                    : GCM-AES-256
    SAK Cipher Suite (Operational)      : GCM-AES-256
    Replay Window Size                  : 0
    Confidentiality Offset              : CONF-OFFSET-0
    Confidentiality Offset (Operational): CONF-OFFSET-0
    Latest SAK Status                   : Rx & TX
    Latest SAK AN                       : 2
    Latest SAK KI                       : 1817712715
    Latest SAK KN                       : 1
    Last SAK key time                   : 20:42:51 UTC Thu May 04 2017
    Number of Macsec Capable Live Peers: 2
    Number of SA consumed in Hardware  : 2
    Number of Macsec Capable Live Peers Responded: 2
Live Peer List:
MI                        MN        SCI                SSCI Key-Server-Priority Tx/Rx Programmed
------------------------------------------------------------------------------- ----------------
3634B7ADE028833E219C2304  7624       9c57.adfc.0f34/0001 1     16                    Yes
92D6F93C2BC4058AD25FA0E5  7655       5006.ab91.4584/0001 3     16                    Yes

This example shows how to display the MKA statistics for a specified interface:

switch#  show macsec mka statistics interface ethernet 11/25

Per-CA MKA Statistics for Session on interface (Ethernet11/25) with CKN 0x1
============================================================================
CA Statistics
   Pairwise CAK Rekeys..... 0
 
SA Statistics
   SAKs Generated.......... 0
   SAKs Rekeyed............ 0
   SAKs Received........... 60
   SAK Responses Received.. 0
 
MKPDU Statistics
   MKPDUs Transmitted...... 18676
      "Distributed SAK".. 0
 
   MKPDUs Validated & Rx... 55986
      "Distributed SAK".. 60

MKA Statistics for Session on interface (Ethernet11/25)
=======================================================
CA Statistics
   Pairwise CAK Rekeys..... 0
 
SA Statistics
   SAKs Generated.......... 0
   SAKs Rekeyed............ 0
   SAKs Received........... 60
   SAK Responses Received.. 0
 
MKPDU Statistics
   MKPDUs Transmitted...... 18676
      "Distributed SAK".. 0
   MKPDUs Validated & Rx... 55986
      "Distributed SAK".. 60

MKA IDB Statistics
   MKPDUs Tx Success.......... 19147
   MKPDUs Tx Fail............. 0
   MKPDUS Tx Pkt build fail... 0
   MKPDUS No Tx on intf down.. 0
   MKPDUS No Rx on intf down.. 0
   MKPDUs Rx CA Not found..... 0
   MKPDUs Rx Error............ 0
   MKPDUs Rx Success.......... 55986
 
MKPDU Failures
   MKPDU Rx Validation ..................... 0
   MKPDU Rx Bad Peer MN..................... 0
   MKPDU Rx Non-recent Peerlist MN.......... 0
   MKPDU Rx Drop SAKUSE, KN mismatch........ 0
   MKPDU Rx Drop SAKUSE, Rx Not Set......... 0
   MKPDU Rx Drop SAKUSE, Key MI mismatch.... 0
   MKPDU Rx Drop SAKUSE, AN Not in Use...... 0
   MKPDU Rx Drop SAKUSE, KS Rx/Tx Not Set... 16956
   MKPDU Rx Drop Packet, Ethertype Mismatch. 0
 
SAK Failures
   SAK Generation................... 0
   Hash Key Generation.............. 0
   SAK Encryption/Wrap.............. 0
   SAK Decryption/Unwrap............ 0
 
CA Failures
   ICK Derivation................... 0
   KEK Derivation................... 0
   Invalid Peer MACsec Capability... 0
 
MACsec Failures
   Rx SA Installation............... 12
   Tx SA Installation............... 0

This example shows how to display the MKA summary:

switch# show macsec mka summary

Interface      Status   Cipher           Key-Server   MACSEC-policy  CKN                                                              Keychain
-------------- -------- ---------------- ------------ -------------- ---------------------------------------------------------------- ---------
Ethernet11/25  Secured  GCM-AES-XPN-128  No           p1             0100000000000000000000000000000000000000000000000000000000000000 k1
Ethernet11/31  Secured  GCM-AES-XPN-128  Yes          p1             0300000000000000000000000000000000000000000000000000000000000000 k3

Related Commands


Command	Description
cipher suite	Configures the cipher suite for encrypting traffic with MACsec.
conf-offset	Configures the confidentiality offset for MKA encryption.
feature mka	Enables the MKA feature.
key	Creates a key or enters the configuration mode of an existing key.
key chain `keychain-name`	Creates a keychain or enters the configuration mode of an existing keychain.
key-octet-string	Configures the text for a MACsec key.
key-server-priority	Configures the preference for a device to serve as the key server for MKA encryption.
macsec keychain policy	Configures the MACsec keychain policy.
macsec policy	Configures the MACsec policy.
sak-expiry-time `time`	Sets an expiry time for a force SAK rekey.
show key chain	Displays the configuration of the specified keychain.
show macsec policy	Displays all the MACsec policies in the system.
show run mka	Displays the status of MKA.

show macsec policy

To display the details of the MACsec policies, use the show macsec policy command.

show macsec policy [policy-name]

Syntax Description


`policy-name`	(Optional) Name of the MACsec policy.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
8.2(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the details of all the MACsec policies:


switch# show macsec policy
MACsec Policy                    Cipher           Pri  Window   Offset   Security     SAK Rekey time
-------------------------------- ---------------- ---- -------- -------- ------------ --------------
p1                               GCM-AES-XPN-128  9    0        0        must-secure  60          
system-default-macsec-policy     GCM-AES-XPN-256  16   0        0        must-secure  pn-exhaust

This example shows how to display the details of the user-defined MACsec policy:

switch# show macsec policy p1
MACsec Policy                    Cipher           Pri  Window   Offset   Security     SAK Rekey time
-------------------------------- ---------------- ---- -------- -------- ------------ --------------
p1                               GCM-AES-XPN-128  9    0        0        must-secure  60

Related Commands


Command	Description
cipher suite	Configures the cipher suite for encrypting traffic with MACsec.
conf-offset	Configures the confidentiality offset for MKA encryption.
feature mka	Enables the MKA feature.
key	Creates a key or enters the configuration mode of an existing key.
key chain `keychain-name`	Creates a keychain or enters the configuration mode of an existing keychain.
key-octet-string	Configures the text for a MACsec key.
key-server-priority	Configures the preference for a device to serve as the key server for MKA encryption.
macsec keychain policy	Configures the MACsec keychain policy.
macsec policy	Configures the MACsec policy.
sak-expiry-time `time`	Sets an expiry time for a force SAK rekey.
show key chain	Displays the configuration of the specified keychain.
show macsec mka	Displays the details of MKA.
show run mka	Displays the status of MKA.

show password secure-mode

To display the secure mode for changing password, use the show password secure-mode command.

show password secure-mode

Syntax Description

This command has no arguments or keywords.

Command Default

Enabled

Command Modes

Any command mode

Command History


Release	Modification
6.1.4	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the secure mode for changing password:


switch# show password secure-mode
Password secure mode is enabled

Related Commands


Command	Description
password strength-check	Enables password-strength checking.

show password strength-check

To display password-strength checking status, use the show password strength-check command.

show password strength-check

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(3)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display password-strength checking status:


switch# show password strength-check
Password strength check enabled

Related Commands


Command	Description
password strength-check	Enables password-strength checking.
show running-config security	Displays security feature configuration in the running configuration.

show policy-map interface control-plane

To display packet-level statistics for all classes that are part of the applied control plane policing (CoPP) policy, use the show policy-map interface control-plane command.

show policy-map interface control-plane { [module module-number [inst-all]] [class {class-name | violated}] | [class {class-name | violated}] [module module-number [inst-all]]}

Syntax Description


class `class-name`	Displays the packet-level statistics for the specific class.
module `module-number`	Displays the packet-level statistics for the specific module. The range is from 1 to 18.
violated	Displays classes that have violated the police rate.
inst-all	Displays per-instance statistics.

Command Modes

Any command mode

Command History


Release	Modification
8.1(1)	Added the inst-all keyword.
6.2(2)	This command was introduced.

Usage Guidelines

Use this command to display the policy values with associated class maps and drops per policy or class map. It also displays the scale factor values when a CoPP policy is applied. When the scale factor value is the default (1.00), it is not displayed.

Note

The scale factor changes the CIR, BC, PIR, and BE values internally on each module, but the display shows the configured CIR, BC, PIR, and BE values only. The actual applied value on a module is the scale factor multiplied by the configured value.

This command does not require a license.

Examples

This example shows how to monitor CoPP:


switch# show policy-map interface control-plane
Control Plane
service-policy input: copp-system-policy-default
class-map copp-system-class-igmp (match-any)
match protocol igmp
police cir 1024 kbps , bc 65535 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
class-map copp-system-class-pim-hello (match-any)
match protocol pim
police cir 1024 kbps , bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes;
....

This example shows the 5-minute moving averages and peaks of the conformed and violated byte counts in the output of the show policy-map interface control-plane command. In this example, the 5-minute offered rate is the 5-minute moving average of the conformed bytes, the 5-minute violate rate is the 5-minute moving average of the violated bytes, and the peak rate is the highest value since bootup or counter reset, with the peak occurring at the time stamp shown.


module 9:
  conformed 0 bytes,
    5-min offered rate 10 bytes/sec
    peak rate 12 bytes/sec at 12:29:38.654 UTC Sun Jun 30 2013
  violated 0 bytes,
   5-min violate rate 20 bytes/sec
   peak rate 22 bytes/sec at 12:26:22.652 UTC Sun Jun 30 2013

This example displays the per-instance statistics for all classes that are part of the applied control plane policing (CoPP) policy for a module.

switch(config)# show policy-map interface control-plane module 9 inst-all
Control Plane
  service-policy input copp-system-p-policy-strict

    class-map copp-system-p-class-critical (match-any)
      match access-group name copp-system-p-acl-bgp
      match access-group name copp-system-p-acl-rip
      match access-group name copp-system-p-acl-vpc
      match access-group name copp-system-p-acl-bgp6
      match access-group name copp-system-p-acl-lisp
      match access-group name copp-system-p-acl-ospf
      match access-group name copp-system-p-acl-rip6
      match access-group name copp-system-p-acl-rise
      match access-group name copp-system-p-acl-eigrp
      match access-group name copp-system-p-acl-lisp6
      match access-group name copp-system-p-acl-ospf6
      match access-group name copp-system-p-acl-rise6
      match access-group name copp-system-p-acl-eigrp6
      match access-group name copp-system-p-acl-otv-as
      match access-group name copp-system-p-acl-mac-l2pt
      match access-group name copp-system-p-acl-mpls-ldp
      match access-group name copp-system-p-acl-mpls-rsvp
      match access-group name copp-system-p-acl-mac-l3-isis
      match access-group name copp-system-p-acl-mac-otv-isis
      match access-group name copp-system-p-acl-mac-fabricpath-isis
      match protocol mpls router-alert
      set cos 7
      police cir 36000 kbps bc 250 ms
        conform action: transmit
        violate action: drop
      module 9:
      inst 0:
        conformed 3215360 bytes,
          5-min offered rate 7 bytes/sec
          peak rate 9 bytes/sec at Fri Apr 28 11:58:48 2017
      inst 1:
        conformed 3210508 bytes,
          5-min offered rate 7 bytes/sec
          peak rate 8 bytes/sec at Wed May 03 05:19:24 2017
      inst 2:
        conformed 0 bytes,
          5-min offered rate 0 bytes/sec
          peak rate 0 bytes/sec
      inst 3:
        conformed 0 bytes,
          5-min offered rate 0 bytes/sec
          peak rate 0 bytes/sec
      inst 4:
        conformed 0 bytes,
          5-min offered rate 0 bytes/sec
          peak rate 0 bytes/sec
      inst 5:
        conformed 0 bytes,
          5-min offered rate 0 bytes/sec
          peak rate 0 bytes/sec
      inst 0:
        violated 0 bytes,
          5-min violate rate 0 bytes/sec
          peak rate 0 bytes/sec
      inst 1:
        violated 0 bytes,
          5-min violate rate 0 bytes/sec
          peak rate 0 bytes/sec
      inst 2:
        violated 0 bytes,
          5-min violate rate 0 bytes/sec
          peak rate 0 bytes/sec
      inst 3:
        violated 0 bytes,
          5-min violate rate 0 bytes/sec
          peak rate 0 bytes/sec
      inst 4:
        violated 0 bytes,
          5-min violate rate 0 bytes/sec
          peak rate 0 bytes/sec
      inst 5:
        violated 0 bytes,
          5-min violate rate 0 bytes/sec
          peak rate 0 bytes/sec

    class-map copp-system-p-class-important (match-any)
      match access-group name copp-system-p-acl-cts
      match access-group name copp-system-p-acl-glbp
      match access-group name copp-system-p-acl-hsrp
      match access-group name copp-system-p-acl-vrrp
      match access-group name copp-system-p-acl-wccp
      match access-group name copp-system-p-acl-hsrp6
      match access-group name copp-system-p-acl-vrrp6
      match access-group name copp-system-p-acl-opflex
      match access-group name copp-system-p-acl-mac-lldp
      match access-group name copp-system-p-acl-mac-mvrp
      match access-group name copp-system-p-acl-mac-flow-control
      set cos 6
      police cir 1400 kbps bc 1500 ms
        conform action: transmit
        violate action: drop
      module 9:
      inst 0:
        conformed 0 bytes,
          5-min offered rate 0 bytes/sec
          peak rate 0 bytes/sec
      inst 1:
        conformed 0 bytes,
          5-min offered rate 0 bytes/sec
          peak rate 0 bytes/sec
      inst 2:
        conformed 0 bytes,
          5-min offered rate 0 bytes/sec
          peak rate 0 bytes/sec

Related Commands


Command	Description
show copp status	Displays the CoPP status, including the last configuration operation and its status.

show policy-map type control-plane

To display control plane policy map information, use the show policy-map type control-plane command.

show policy-map type control-plane [expand] [name policy-map-name]

Syntax Description


expand	(Optional) Displays expanded control plane policy map information.
name `policy-map-name`	(Optional) Specifies the name of the control plane policy map. The name is case sensitive.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You can use this command only in the default virtual device context (VDC).

This command does not require a license.

Examples

This example shows how to display control plane policy map information:


switch# show policy-map type control-plane
  policy-map type control-plane copp-system-policy
    class copp-system-class-critical
      police cir 2000 kbps bc 1500 bytes pir 3000 kbps be 1500 bytes conform transmit
        exceed transmit violate drop
    class copp-system-class-important
      police cir 1000 kbps bc 1500 bytes pir 1500 kbps be 1500 bytes conform transmit
        exceed transmit violate drop
    class copp-system-class-normal
      police cir 400 kbps bc 1500 bytes pir 600 kbps be 1500 bytes conform transmit 
        exceed transmit violate drop
    class class-default
      police cir 200 kbps bc 1500 bytes pir 300 kbps be 1500 bytes conform transmit
        exceed transmit violate drop

show port-security

To show the state of port security on the device, use the show port-security command.

show port-security [state]

Syntax Description


state	(Optional) Shows that port security is enabled.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.2(1)	Support for Layer 2 port-channel interfaces was added.
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to use the show port-security command to view the status of the port security feature on a device:


switch# show port-security
Total Secured Mac Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192
----------------------------------------------------------------------------
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
----------------------------------------------------------------------------
Ethernet1/4           5              1              0              Shutdown
============================================================================
switch#

Related Commands


Command	Description
feature port-security	Enables the port security feature.
show port-security address	Shows MAC addresses secured by the port security feature.
show port-security interface	Shows the port security status for a specific interface.
switchport port-security	Configures port security on a Layer 2 interface.

show port-security address

To show information about MAC addresses secured by the port security feature, use the show port-security address command.

show port-security address [interface {port-channel channel-number | ethernet slot/port}]

Syntax Description


interface	(Optional) Limits the port-security MAC address information to a specific interface.
port-channel `channel-number`	Specifies a Layer 2 port-channel interface. The `channel-number` argument can be a whole number from 1 to 4096.
ethernet `slot/port`	Specifies an Ethernet interface.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.2(1)	Support for Layer 2 port-channel interfaces was added.
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to use the show port-security address command to view information about all MAC addresses secured by port security:


switch# show port-security address
Total Secured Mac Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192
----------------------------------------------------------------------
                    Secure Mac Address Table
----------------------------------------------------------------------
Vlan    Mac Address             Type             Ports      Remaining Age
                                                              (mins)
----    -----------            ------            -----     -------------
   1    0054.AAB3.770F         STATIC        port-channel1     0
   1    00EE.378A.ABCE         STATIC        Ethernet1/4       0
======================================================================
switch#

This example shows how to use the show port-security address command to view the MAC addresses secured by the port security feature on the Ethernet 1/4 interface:


switch# show port-security address interface ethernet 1/4
                     Secure Mac Address Table
----------------------------------------------------------------------
Vlan    Mac Address             Type             Ports      Remaining Age
                                                              (mins)
----    -----------            ------            -----     -------------
   1    00EE.378A.ABCE         STATIC        Ethernet1/4       0
----------------------------------------------------------------------
switch#

Related Commands


Command	Description
feature port-security	Enables the port security feature.
show port-security	Shows the status of the port security feature.
show port-security interface	Shows the port security status for a specific interface.
switchport port-security	Configures port security on a Layer 2 interface.

show port-security interface

To show the state of port security on a specific interface, use the show port-security interface command.

show port-security interface {port-channel channel-number | ethernet slot/port}

Syntax Description


port-channel `channel-number`	Specifies a Layer 2 port-channel interface. The `channel-number` argument can be a whole number from 1 to 4096.
ethernet `slot/port`	Specifies an Ethernet interface.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.2(1)	Support for Layer 2 port-channel interfaces was added.
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to use the show port-security interface command to view the status of the port security feature on the Ethernet 1/4 interface:


switch# show port-security interface ethernet 1/4
Port Security              : Enabled
Port Status                : Secure Down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
Maximum MAC Addresses      : 5
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Security violation count   : 0
switch#

Related Commands


Command	Description
feature port-security	Enables the port security feature.
show port-security	Shows the status of the port security feature.
show port-security address	Shows MAC addresses secured by the port security feature.
switchport port-security	Configures port security on a Layer 2 interface.

show privilege

To show the current privilege level, username, and status of cumulative privilege support, use the show privilege command.

show privilege

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.0(2)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to use the show privilege command to view the current privilege level, username, and status of cumulative privilege support:


switch# show privilege
User name: admin
Current privilege level: -1
Feature privilege: Enabled
switch#

Related Commands


Command	Description
enable `level`	Enables a user to move to a higher privilege level.
enable secret priv-lvl	Enables a secret password for a specific privilege level.
feature privilege	Enables the cumulative privilege of roles for command authorization on TACACS+ servers.
username `username` priv-lvl	Enables a user to use privilege levels for authorization.

show radius

To display the RADIUS Cisco Fabric Services (CFS) distribution status and other details, use the show radius command.

show radius {distribution status | merge status | pending [cmds] | pending-diff | session status | status}

Syntax Description


distribution status	Displays the status of the RADIUS CFS distribution.
merge status	Displays the status of a RADIUS merge.
pending	Displays the pending configuration that is not yet applied to the running configuration.
cmds	(Optional) Displays the commands for the pending configuration.
pending-diff	Displays the difference between the active configuration and the pending configuration.
session status	Displays the status of the RADIUS CFS session.
status	Displays the status of the RADIUS CFS.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the RADIUS CFS distribution status:


switch# show radius distribution status
distribution : enabled
session ongoing: no
session db: does not exist
merge protocol status: not yet initiated after enable
last operation: enable
last operation status: success

This example shows how to display the RADIUS merge status:


switch# show radius merge status
Result: Waiting

This example shows how to display the RADIUS CFS session status:


switch# show radius session status
Last Action Time Stamp     : None
Last Action                : Distribution Enable
Last Action Result         : Success
Last Action Failure Reason : none

This example shows how to display the RADIUS CFS status:


switch# show radius status
distribution : enabled
session ongoing: no
session db: does not exist
merge protocol status: not yet initiated after enable
last operation: enable
last operation status: success

This example shows how to display the pending RADIUS configuration:


switch# show radius pending
radius-server host 10.10.1.1 key 7 qxz123aaa group server radius aaa-private-sg

This example shows how to display the pending RADIUS configuration commands:


switch# show radius pending cmds
radius-server host 10.10.1.1 key 7 qxz12345 auth_port 1812 acct_port 1813 authentication accounting

This example shows how to display the differences between the pending RADIUS configuration and the current RADIUS configuration:


switch(config)# show radius pending-diff
    +radius-server host 10.10.1.1 authentication accounting

show radius-server

To display RADIUS server information, use the show radius-server command.

Syntax Description


`hostname`	(Optional) RADIUS server Domain Name Server (DNS) name. The name is case sensitive.
`ipv4-address`	(Optional) RADIUS server IPv4 address in the A.B.C.D format.
`ipv6-address`	(Optional) RADIUS server IPv6 address in the X: X: X: X format.
directed-request	(Optional) Displays the directed request configuration.
groups	(Optional) Displays information about the configured RADIUS server groups.
sorted	(Optional) Displays sorted-by-name information about the RADIUS servers.
statistics	(Optional) Displays RADIUS statistics for the RADIUS servers.

Command Default

Displays the global RADIUS server configuration

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

RADIUS preshared keys are not visible in the show radius-server command output. Use the show running-config radius command to display the RADIUS preshared keys.

This command does not require a license.

Examples

This example shows how to display information for all RADIUS servers:


switch# show radius-server 
Global RADIUS shared secret:********
retransmission count:1
timeout value:5
deadtime value:0
total number of servers:2
following RADIUS servers are configured:
        10.10.1.1:
                available for authentication on port:1812
                available for accounting on port:1813
        10.10.2.2:
                available for authentication on port:1812
                available for accounting on port:1813

This example shows how to display information for a specified RADIUS server:


switch# show radius-server 10.10.1.1
        10.10.1.1:
                available for authentication on port:1812
                available for accounting on port:1813
                idle time:0
                test user:test
                test password:********

This example shows how to display the RADIUS directed request configuration:


switch# show radius-server directed-request
enabled

This example shows how to display information for RADIUS server groups:


switch# show radius-server groups
total number of groups:2
following RADIUS server groups are configured:
        group radius:
                server: all configured radius servers
        group RadServer:
                deadtime is 0
                vrf is management

This example shows how to display information for a specified RADIUS server group:


switch# show radius-server groups RadServer
        group RadServer:
                deadtime is 0
                vrf is management

This example shows how to display sorted information for all RADIUS servers:


switch# show radius-server sorted
Global RADIUS shared secret:********
retransmission count:1
timeout value:5
deadtime value:0
total number of servers:2
following RADIUS servers are configured:
        10.10.0.0:
                available for authentication on port:1812
                available for accounting on port:1813
        10.10.1.1:
                available for authentication on port:1812
                available for accounting on port:1813

This example shows how to display statistics for a specified RADIUS server:


switch# show radius-server statistics 10.10.1.1
Server is not monitored
Authentication Statistics
        failed transactions: 0
        sucessfull transactions: 0
        requests sent: 0
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 0
        responses containing errors: 0
Accounting Statistics
        failed transactions: 0
        sucessfull transactions: 0
        requests sent: 0
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 0
        responses containing errors: 0

Related Commands


Command	Description
show running-config radius	Displays the RADIUS information in the running configuration file.

show role

To display the user role configuration, use the show role command.

show role [name role-name]

Syntax Description


name `role-name`	(Optional) Displays information for a specific user role name. The role name is case sensitive.

Command Default

Displays information for all user roles.

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display information for a specific user role:


switch(config)# show role name MyRole
role: MyRole
  description: new role
  vlan policy: deny
  permitted vlan
  1-10
  interface policy: deny
  permitted interface
  Ethernet2/1-8
  vrf policy: permit (default)

This example shows how to display information for all user roles in the default virtual device context (VDC):


switch(config)# show role
role: network-admin
  description: Predefined network admin role has access to all commands
  on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write
role: network-operator
  description: Predefined network operator role has access to all read
  commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read
role: vdc-admin
  description: Predefined vdc admin role has access to all commands within
  a VDC instance
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write
role: vdc-operator
  description: Predefined vdc operator role has access to all read commands
  within a VDC instance
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read
role: MyRole
  description: new role
  vlan policy: deny
  permitted vlan
  1-10
  interface policy: deny
  permitted interface
  Ethernet2/1-8
  vrf policy: permit (default)

This example shows how to display information for all user roles in a nondefault virtual device context (VDC):


switch-MyVDC# show role
role: vdc-admin
  description: Predefined vdc admin role has access to all commands within
  a VDC instance
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write
role: vdc-operator
  description: Predefined vdc operator role has access to all read commands
  within a VDC instance
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read

Related Commands


Command	Description
role name	Configures user roles.

show role feature

To display the user role features, use the show role feature command.

show role feature [detail | name feature-name]

Syntax Description


detail	(Optional) Displays detailed information for all features.
name `feature-name`	(Optional) Displays detailed information for a specific feature. The feature name is case sensitive.

Command Default

Displays a list of user role feature names.

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the user role features:


switch(config)# show role feature
feature: aaa
feature: access-list
feature: arp
feature: callhome
feature: cdp
feature: crypto
feature: gold
feature: install
feature: l3vm
feature: license
feature: ping
feature: platform
feature: qosmgr
feature: radius
feature: scheduler
feature: snmp
feature: syslog
<content deleted>

This example shows how to display detailed information for all the user role features:


switch(config)# show role feature detail
feature: aaa
  show aaa *
  config t ; aaa *
  aaa *
  clear aaa *
  debug aaa *
  show accounting *
  config t ; accounting *
  accounting *
  clear accounting *
  debug accounting *
feature: access-list
  show ip access-list *
  show ipv6 access-list *
  show mac access-list *
  show arp access-list *
  show vlan access-map *
  config t ; ip access-list *
  config t ; ipv6 access-list *
  config t ; mac access-list *
  config t ; arp access-list *
  config t ; vlan access-map *
  clear ip access-list *
  clear ipv6 access-list *
  clear mac access-list *
  clear arp access-list *
  clear vlan access-map *
  debug aclmgr *
feature: arp
  show arp *
  show ip arp *
  config t; ip arp *
  clear ip arp *
  debug ip arp *
  debug-filter ip arp *
<content deleted>

This example shows how to display detailed information for a specific user role feature:


switch(config)# show role feature name dot1x
feature: dot1x
  show dot1x *
  config t ; dot1x *
  dot1x *
  clear dot1x *
  debug dot1x *

Related Commands


Command	Description
role feature-group	Configures feature groups for user roles.
rule	Configures rules for user roles.

show role feature-group

To display the user role feature groups, use the show role feature-group command.

show role feature-group [detail | name group-name]

Syntax Description


detail	(Optional) Displays detailed information for all feature groups.
name `group-name`	(Optional) Displays detailed information for a specific feature group. The group name is case sensitive.

Command Default

Displays a list of user role feature groups.

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the user role feature groups:


switch(config)# show role feature-group
feature group: L3
feature: router-bgp
feature: router-eigrp
feature: router-isis
feature: router-ospf
feature: router-rip
feature group: SecGroup
feature: aaa
feature: radius
feature: tacacs

This example shows how to display detailed information about all the user role feature groups:


switch(config)# show role feature-group detail
feature group: L3
feature: router-bgp
  show bgp *
  config t ; bgp *
  bgp *
  clear bgp *
  debug bgp *
  show ip bgp *
  show ip mbgp *
  show ipv6 bgp *
  show ipv6 mbgp *
  clear ip bgp *
  clear ip mbgp *
  debug-filter ip *
  debug-filter ip bgp *
  config t ; router bgp *
feature: router-eigrp
  show eigrp *
  config t ; eigrp *
  eigrp *
  clear eigrp *
  debug eigrp *
  show ip eigrp *
  clear ip eigrp *
  debug ip eigrp *
  config t ; router eigrp *
feature: router-isis
  show isis *
  config t ; isis *
  isis *
  clear isis *
  debug isis *
  debug-filter isis *
  config t ; router isis *
feature: router-ospf
  show ospf *
  config t ; ospf *
  ospf *
  clear ospf *
  debug ospf *
  show ip ospf *
  show ospfv3 *
  show ipv6 ospfv3 *
  debug-filter ip ospf *
  debug-filter ospfv3 *
  debug ip ospf *
  debug ospfv3 *
  clear ip ospf *
  clear ip ospfv3 *
  config t ; router ospf *
  config t ; router ospfv3 *
feature: router-rip
  show rip *
  config t ; rip *
  rip *
  clear rip *
  debug rip *
  show ip rip *
  show ipv6 rip *
  overload rip *
  debug-filter rip *
  clear ip rip *
  clear ipv6 rip *
  config t ; router rip *

This example shows how to display information for a specific user role feature group:


switch(config)# show role feature-group name SecGroup
feature group: SecGroup
feature: aaa
feature: radius
feature: tacacs

Related Commands


Command	Description
role feature-group	Configures feature groups for user roles.
rule	Configures rules for user roles.

show role pending

To display the pending user role configuration differences for the Cisco Fabric Services distribution session, use the show role pending command.

show role pending

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.1(2)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example displays the user role configuration differences for the Cisco Fabric Services session:


switch# show role pending
Role: test-user
  Description: new role
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope           Entity
  -------------------------------------------------------------------
  1       permit  read-write  feature             aaa

Related Commands


Command	Description
role distribute	Enables Cisco Fabric Services distribution for the user role configuration.

show role pending-diff

To display the differences between the pending user role configuration for the Cisco Fabric Services distribution session and the running configuration, use the show role pending-diff command.

show role pending-diff

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.1(2)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example displays the user role configuration differences for the Cisco Fabric Services session:


switch# show role pending
+Role: test-user
    +  Description: new role
    +  Vlan policy: permit (default)
    +  Interface policy: permit (default)
    +  Vrf policy: permit (default)
    +  -------------------------------------------------------------------
    +  Rule    Perm    Type        Scope           Entity
    +  -------------------------------------------------------------------
    +  1       permit  read-write  feature             aaa

Related Commands


Command	Description
role distribute	Enables Cisco Fabric Services distribution for the user role configuration.

show role session

To display the status information for a user role Cisco Fabric Services session, use the show role session command.

show role session status

Syntax Description


status	(Optional) Displays the role session status.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.1(2)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example displays the user role configuration differences for the Cisco Fabric Services session:


switch# show role session status
Last Action Time Stamp     : Thu Nov 20 12:43:26 2008
Last Action                : Distribution Enable
Last Action Result         : Success
Last Action Failure Reason : none

Related Commands


Command	Description
role distribute	Enables Cisco Fabric Services distribution for the user role configuration.

show role status

To display the status for the Cisco Fabric Services distribution for the user role feature, use the show role status command.

show role status

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.1(2)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example displays the user role configuration differences for the Cisco Fabric Services session:


switch# show role status
Distribution: Enabled
Session State: Locked

Related Commands


Command	Description
role distribute	Enables Cisco Fabric Services distribution for the user role configuration.

show run mka

To display the running configuration of MACsec Key Agreement (MKA), use the show run mka command.

show run mka

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
8.2(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the running configuration of MKA:


switch# show run mka
!Command: show running-config mka
!Time: Wed Apr 19 05:08:01 2017
version 8.2(0)SK(1)
feature mka
macsec policy p1  
   cipher-suite GCM-AES-XPN-128  
   key-server-priority 9  
   security-policy must-secure  
   sak-expiry-time 60

Related Commands


Command	Description
cipher suite	Configures the cipher suite for encrypting traffic with MACsec.
conf-offset	Configures the confidentiality offset for MKA encryption.
feature mka	Enables the MKA feature.
key	Creates a key or enters the configuration mode of an existing key.
key chain `keychain-name`	Creates a keychain or enters the configuration mode of an existing keychain.
key-octet-string	Configures the text for a MACsec key.
key-server-priority	Configures the preference for a device to serve as the key server for MKA encryption.
macsec keychain policy	Configures the MACsec keychain policy.
macsec policy	Configures the MACsec policy.
sak-expiry-time `time`	Sets an expiry time for a force SAK rekey.
show key chain	Displays the configuration of the specified keychain.
show macsec policy	Displays all the MACsec policies in the system.

show running-config aaa

To display authentication, authorization, and accounting (AAA) configuration information in the running configuration, use the show running-config aaa command.

show running-config aaa [all]

Syntax Description


all	(Optional) Displays configured and default information.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the configured AAA information in the running configuration:


switch# show running-config aaa
version 4.0(1)

show running-config aclmgr

To display the user-configured access control lists (ACLs) in the running configuration, use the show running-config aclmgr command.

show running-config aclmgr [all | inactive-if-config]

Syntax Description


all	Displays both the default (CoPP-configured) and user-configured ACLs in the running configuration.
inactive-if-config	Displays the inactive policies in the running configuration.

Command Default

None

Command Modes

Any

Command History


Release	Modification
5.2(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display user-configured ACLs in the running configuration:


switch# show running-config aclmgr all
!Command: show running-config aclmgr all
!Time: Wed May 25 08:03:46 2011
version 5.2(1)
ip access-list acl1
ip access-list cisco123-copp-acl-bgp
  10 permit tcp any gt 1024 any eq bgp
  20 permit tcp any eq bgp any gt 1024
ipv6 access-list cisco123-copp-acl-bgp6
  10 permit tcp any gt 1024 any eq bgp
  20 permit tcp any eq bgp any gt 1024
ip access-list cisco123-copp-acl-cts
  10 permit tcp any any eq 64999
  20 permit tcp any eq 64999 any
ip access-list cisco123-copp-acl-dhcp
  10 permit udp any eq bootpc any
  20 permit udp any neq bootps any eq bootps
ip access-list cisco123-copp-acl-dhcp-relay-response
  10 permit udp any eq bootps any
  20 permit udp any any eq bootpc
ip access-list cisco123-copp-acl-eigrp
  10 permit eigrp any any
ip access-list cisco123-copp-acl-ftp
  10 permit tcp any any eq ftp-data
  20 permit tcp any any eq ftp
  30 permit tcp any eq ftp-data any
  40 permit tcp any eq ftp any
ip access-list cisco123-copp-acl-glbp
  10 permit udp any eq 3222 224.0.0.0/24 eq 3222
ip access-list cisco123-copp-acl-hsrp
  10 permit udp any 224.0.0.0/24 eq 1985
ipv6 access-list cisco123-copp-acl-hsrp6
  10 permit udp any ff02::66/128 eq 2029
ip access-list cisco123-copp-acl-icmp
  10 permit icmp any any echo
  20 permit icmp any any echo-reply
ipv6 access-list cisco123-copp-acl-icmp6
  10 permit icmp any any echo-request
  20 permit icmp any any echo-reply
ipv6 access-list cisco123-copp-acl-icmp6-msgs
  10 permit icmp any any router-advertisement
  20 permit icmp any any router-solicitation
  30 permit icmp any any nd-na
  40 permit icmp any any nd-ns
  50 permit icmp any any mld-query
  60 permit icmp any any mld-report
  70 permit icmp any any mld-reduction
ip access-list cisco123-copp-acl-igmp
  10 permit igmp any 224.0.0.0/3
mac access-list cisco123-copp-acl-mac-cdp-udld-vtp
  10 permit any 0100.0ccc.cccc 0000.0000.0000
mac access-list cisco123-copp-acl-mac-cfsoe
  10 permit any 0180.c200.000e 0000.0000.0000 0x8843
mac access-list cisco123-copp-acl-mac-dot1x
  10 permit any 0180.c200.0003 0000.0000.0000 0x888e
mac access-list cisco123-copp-acl-mac-fabricpath-isis
  10 permit any 0180.c200.0015 0000.0000.0000
  20 permit any 0180.c200.0014 0000.0000.0000
mac access-list cisco123-copp-acl-mac-flow-control
  10 permit any 0180.c200.0001 0000.0000.0000 0x8808
mac access-list cisco123-copp-acl-mac-gold
  10 permit any any 0x3737
mac access-list cisco123-copp-acl-mac-l2pt
  10 permit any 0100.0ccd.cdd0 0000.0000.0000
mac access-list cisco123-copp-acl-mac-lacp
  10 permit any 0180.c200.0002 0000.0000.0000 0x8809
mac access-list cisco123-copp-acl-mac-lldp
  10 permit any 0180.c200.000c 0000.0000.0000 0x88cc
mac access-list cisco123-copp-acl-mac-otv-isis
  10 permit any 0100.0cdf.dfdf 0000.0000.0000
mac access-list cisco123-copp-acl-mac-sdp-srp
  10 permit any 0180.c200.000e 0000.0000.0000 0x3401
mac access-list cisco123-copp-acl-mac-stp
  10 permit any 0100.0ccc.cccd 0000.0000.0000
  20 permit any 0180.c200.0000 0000.0000.0000
mac access-list cisco123-copp-acl-mac-undesirable
  10 permit any any
--More--

Related Commands


Command	Description
show running-config copp	Displays the CoPP configuration in the running configuration.
show startup-config aclmgr	Displays the user-configured ACLs in the startup configuration.
show startup-config copp	Displays the CoPP configuration in the startup configuration.

show running-config copp

To display control plane policing configuration information in the running configuration, use the show running-config copp command.

show running-config copp [all]

Syntax Description


all	(Optional) Displays configured and default information.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You can use this command only in the default virtual device context (VDC).

This command does not require a license.

Examples

This example shows how to display the configured control plane policing information in the running configuration:


switch# show running-config copp
version 4.0(1)
class-map type control-plane match-any copp-system-class-critical
  match access-group name copp-system-acl-arp
  match access-group name copp-system-acl-msdp
class-map type control-plane match-any copp-system-class-important
  match access-group name copp-system-acl-gre
  match access-group name copp-system-acl-tacas
class-map type control-plane match-any copp-system-class-normal
  match access-group name copp-system-acl-icmp
  match redirect dhcp-snoop
  match redirect arp-inspect
  match exception ip option
  match exception ip icmp redirect
  match exception ip icmp unreachable
policy-map type control-plane copp-system-policy
  class copp-system-class-critical
    police cir 2000 kbps bc 1500 bytes pir 3000 kbps be 1500 bytes conform transmit exceed transmit violate drop
  class copp-system-class-important
    police cir 1000 kbps bc 1500 bytes pir 1500 kbps be 1500 bytes conform transmit exceed transmit violate drop
  class copp-system-class-normal
    police cir 400 kbps bc 1500 bytes pir 600 kbps be 1500 bytes conform transmit exceed transmit violate drop
  class class-default
    police cir 200 kbps bc 1500 bytes pir 300 kbps be 1500 bytes conform transmit exceed transmit violate drop

This example shows how to display the configured and default control plane policing information in the running configuration:


switch# show running-config copp all
version 4.0(1)
class-map type control-plane match-any copp-system-class-critical
  match access-group name copp-system-acl-arp
  match access-group name copp-system-acl-msdp
class-map type control-plane match-any copp-system-class-important
  match access-group name copp-system-acl-gre
  match access-group name copp-system-acl-tacas
class-map type control-plane match-any copp-system-class-normal
  match access-group name copp-system-acl-icmp
  match redirect dhcp-snoop
  match redirect arp-inspect
  match exception ip option
  match exception ip icmp redirect
  match exception ip icmp unreachable
policy-map type control-plane copp-system-policy
  class copp-system-class-critical
    police cir 2000 kbps bc 1500 bytes pir 3000 kbps be 1500 bytes conform transmit exceed transmit violate drop
  class copp-system-class-important
    police cir 1000 kbps bc 1500 bytes pir 1500 kbps be 1500 bytes conform transmit exceed transmit violate drop
  class copp-system-class-normal
    police cir 400 kbps bc 1500 bytes pir 600 kbps be 1500 bytes conform transmit exceed transmit violate drop
  class class-default
    police cir 200 kbps bc 1500 bytes pir 300 kbps be 1500 bytes conform transmit exceed transmit violate drop

show running-config cts

To display the Cisco TrustSec configuration in the running configuration, use the show running-config cts command.

show running-config cts

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any configuration mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec configuration in the running configuration:


switch# show running-config cts
version 4.0(1)
feature cts
cts role-based enforcement
cts role-based sgt-map 10.10.1.1 10
cts role-based access-list MySGACL
  permit icmp
cts role-based sgt 65535 dgt 65535 access-list MySGACL
cts sxp enable
cts sxp connection peer 10.10.3.3 source 10.10.2.2 password default mode listener
vlan 1
  cts role-based enforcement
vrf context MyVRF
  cts role-based enforcement

Related Commands


Command	Description
feature cts	Enables the Cisco TrustSec feature.

show running-config dhcp

To display the Dynamic Host Configuration Protocol (DHCP) snooping configuration in the running configuration and verify other DHCP configurations on a device, use the show running-config dhcp command.

show running-config dhcp [all]

Syntax Description


all	(Optional) Displays configured and default information.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.
7.2(0)D1(1)	This command was modified. A sample output for DHCP relay configuration on a Bridge Domain Interface (BDI) was added.

Usage Guidelines

To use this command, you must enable the DHCP snooping feature using the feature dhcp command.

This command does not require a license.

Examples

This example shows how to display the DHCP snooping configuration:


switch# show running-config dhcp
version 4.0(1)
feature dhcp
interface Ethernet2/46
  ip verify source dhcp-snooping-vlan
  ip arp inspection trust
ip dhcp snooping
ip arp inspection validate src-mac dst-mac ip
ip source binding 10.3.2.2 0f00.60b3.2333 vlan 13 interface Ethernet2/46
ip source binding 10.2.2.2 0060.3454.4555 vlan 100 interface Ethernet2/10
ip dhcp snooping vlan 1
ip arp inspection vlan 1
ip dhcp snooping vlan 13
ip arp inspection vlan 13

This example shows how to verify DHCP configurations on the device. DHCP relay configuration information is also displayed in the example.


switch# show running-config dhcp
version 7.1(0)D1(1)
feature dhcp
service dhcp
ip dhcp relay
ip dhcp relay information option
ip dhcp relay information option vpn
ipv6 dhcp relay
interface Bdi14
  ip dhcp relay address 10.64.66.242 use-vrf management

Related Commands


Command	Description
feature dhcp	Enables the DHCP snooping feature on the device.
ip dhcp snooping	Globally enables DHCP snooping on the device.
service dhcp	Enables or disables the DHCP relay agent.
show ip dhcp snooping	Displays general information about DHCP snooping.
show ip dhcp snooping binding	Displays IP-MAC address bindings, including the static IP source entries.

show running-config dot1x

To display 802.1X configuration information in the running configuration, use the show running-config dot1x command.

show running-config dotx1 [all]

Syntax Description


all	(Optional) Displays configured and default information.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You must enable the 802.1X feature by using the feature dot1x command before using this command.

This command does not require a license.

Examples

This example shows how to display the configured 802.1X information in the running configuration:


switch# show running-config dot1x
version 4.0(1)

show running-config eou

To display the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) configuration information in the running configuration, use the show running-config eou command.

show running-config eou [all]

Syntax Description


all	(Optional) Displays configured and default information.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You must enable the EAPoUDP feature by using the feature eou command before using this command.

This command does not require a license.

Examples

This example shows how to display the configured EAPoUDP information in the running configuration:


switch# show running-config eou
version 4.0(1)

show running-config ldap

To display Lightweight Directory Access Protocol (LDAP) server information in the running configuration, use the show running-config ldap command.

show running-config ldap [all]

Syntax Description


all	(Optional) Displays default LDAP configuration information.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.0(2)	This command was introduced.

Usage Guidelines

You must use the feature ldap command before you can display LDAP information.

This command does not require a license.

Examples

This example shows how to display LDAP information in the running configuration:


switch# show running-config ldap

Related Commands


Command	Description
show ldap-server	Displays LDAP information.

show running-config port-security

To display port-security information in the running configuration, use the show running-config port-security command.

show running-config port-security [all]

Syntax Description


all	(Optional) Displays default port-security configuration information.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(3)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display information for port-security in the running configuration:


switch# show running-port-security
version 4.0(3)
feature port-security
logging level port-security 5
interface Ethernet2/3
  switchport port-security

Related Commands


Command	Description
show startup-config port-security	Displays port-security information in the startup configuration.

show running-config radius

To display RADIUS server information in the running configuration, use the show running-config radius command.

show running-config radius [all]

Syntax Description


all	(Optional) Displays default RADIUS configuration information.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display information for RADIUS in the running configuration:


switch# show running-config radius

Related Commands


Command	Description
show radius-server	Displays RADIUS information.

show running-config security

To display a user account, Secure Shell (SSH) server, and Telnet server information in the running configuration, use the show running-config security command.

show running-config security [all]

Syntax Description


all	(Optional) Displays the default user account, SSH server, and Telnet server configuration information.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display user account, SSH server, and Telnet server information in the running configuration:


switch# show running-config security
version 5.1(1)
username admin password 5 $1$7Jwq/LDM$XF0M/UWeT43DmtjZy8VP91  role network-admin
username adminbackup password 5 $1$Oip/C5Ci$oOdx7oJSlBCFpNRmQK4na.  role network-operator
username user1 password 5 $1$qEclQ5Rx$CAX9fXiAoFPYSvbVzpazj/  role network-operator
telnet server enable
ssh key rsa 1024 force

show running-config tacacs+

To display TACACS+ server information in the running configuration, use the show running-config tacacs+ command.

show running-config tacacs+ [all]

Syntax Description


all	(Optional) Displays default TACACS+ configuration information.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You must use the feature tacacs+ command before you can display TACACS+ information.

This command does not require a license.

Examples

This example shows how to display TACACS+ information in the running configuration:


switch# show running-config tacacs+

Related Commands


Command	Description
show tacacs-server	Displays TACACS+ information.

show security system state

To display the status of system related security features, use the show security system state command.

show security system state

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
8.0(1)	This command was introduced.

Usage Guidelines

None.

Examples

This example shows how to display the status of system related security features:

switch# show security system state
  XSPACE:
        Non-Executable stack:   Yes
        Non-Executable heap:    Yes
        Non-Writable text:      Yes
  ASLR:
        ASLR enabled:           Yes
        CVE-offset2lib Patch:   Present
        Randomization entropy:  Good
  OSC:
        Version:                1.0.0
  SafeC:
        Version:                3.0.1

show software integrity

To display information regarding the runtime integrity feature, use the show software integrity command.

show software integrity {index value | total}

Syntax Description


index `value`	Specifies the index value to display hash digest entries. Index 0 indicates starting from the beginning. The index value range is from 0 to 4294967295.
total	Displays the total number of entries in the measurement list.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
8.0(1)	This command was introduced.

Usage Guidelines

None.

Examples

This example shows how to display the hash digest entries:


switch# show software integrity index 0
index pcr template-hash template-name
algorithm:filedata-hash filename-hint
-------------------------------------------------------------------------------------------------------------------------------------------------------------
1 10 1d8d532d463c9f8c205d0df7787669a85f93e260 ima-ng sha1:0000000000000000000000000000000000000000 boot_aggregate
2 10 1cb9d1e2795a75857f70d6a23cb77e4843467617 ima-ng sha256:850c63f1b32f19b2dcde9fa199a83da920c9e377e1e2dc52a6c7fdd045a21475 /etc/r
c.d/rcS.d/S98admin-login
3 10 d07e9ebb0f9b548dd41558a6ec56f62e22b354a0 ima-ng sha256:941c993b3ffda0e0157442d849304e9a7e96f5f7da551754105023cb2ab8392a /bin/b
ash

switch# show software integrity total
1139

show ssh key

To display the Secure Shell (SSH) server key for a virtual device context (VDC), use the show ssh key command.

show ssh key

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command is available only when SSH is enabled using the feature ssh command.

This command does not require a license.

Examples

This example shows how to display the SSH server key:


switch# show ssh key
**************************************
rsa Keys generated:Wed Aug 11 11:45:14 2010
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDypfN6FSHZDbFPWEoz7sgWCamhfoqjqYNoZMvySSb4
056LhWZ75D90KPo+G+XTo7QAyQMpLJSkwKcRkidgD4lwJaDd/Ic/Sl5SJ3i0jyM61Bwvi+8+J3JoIdft
AvgH47GT5BdDD6hM7aUHq+efSQSq8pGyDAR4Cw6UdY9HNAWoTw==
bitcount:1024
fingerprint:
cd:8d:e3:0c:2a:df:58:d3:6e:9c:bd:72:75:3f:2e:45
**************************************
could not retrieve dsa key information
**************************************

Related Commands


Command	Description
ssh server key	Configures the SSH server key.

show ssh server

To display the Secure Shell (SSH) server status for a virtual device context (VDC), use the show ssh server command.

show ssh server

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the SSH server status:


switch# show ssh server
ssh is enabled
version 2 enabled

Related Commands


Command	Description
feature ssh	Enables the SSH server.

show startup-config aaa

To display authentication, authorization, and accounting (AAA) configuration information in the startup configuration, use the show startup-config aaa command.

show startup-config aaa

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the AAA information in the startup configuration:


switch# show startup-config aaa
version 4.0(1)

show startup-config aclmgr

To display the user-configured access control lists (ACLs) in the startup configuration, use the show startup-config aclmgr command.

show startup-config aclmgr [all]

Syntax Description


all	Displays both the default (CoPP-configured) and user-configured ACLs in the startup configuration.

Command Default

None

Command Modes

Any

Command History


Release	Modification
5.2(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the user-configured ACLs in the startup configuration:


switch(config)# show startup-config aclmgr all
!Command: show startup-config aclmgr all
!Time: Wed May 25 08:04:36 2011
!Startup config saved at: Mon May 23 05:44:16 2011
version 5.2(1)
ip access-list acl1
ip access-list copp-system-p-acl-bgp
  10 permit tcp any gt 1024 any eq bgp
  20 permit tcp any eq bgp any gt 1024
ipv6 access-list copp-system-p-acl-bgp6
  10 permit tcp any gt 1024 any eq bgp
  20 permit tcp any eq bgp any gt 1024
ip access-list copp-system-p-acl-cts
  10 permit tcp any any eq 64999
  20 permit tcp any eq 64999 any
ip access-list copp-system-p-acl-dhcp
  10 permit udp any eq bootpc any
  20 permit udp any neq bootps any eq bootps
ip access-list copp-system-p-acl-dhcp-relay-response
  10 permit udp any eq bootps any
  20 permit udp any any eq bootpc
ip access-list copp-system-p-acl-eigrp
  10 permit eigrp any any
ip access-list copp-system-p-acl-ftp
  10 permit tcp any any eq ftp-data
  20 permit tcp any any eq ftp
  30 permit tcp any eq ftp-data any
  40 permit tcp any eq ftp any
ip access-list copp-system-p-acl-glbp
  10 permit udp any eq 3222 224.0.0.0/24 eq 3222
ip access-list copp-system-p-acl-hsrp
  10 permit udp any 224.0.0.0/24 eq 1985
ipv6 access-list copp-system-p-acl-hsrp6
  10 permit udp any ff02::66/128 eq 2029
ip access-list copp-system-p-acl-icmp
  10 permit icmp any any echo
  20 permit icmp any any echo-reply
ipv6 access-list copp-system-p-acl-icmp6
  10 permit icmp any any echo-request
  20 permit icmp any any echo-reply
ipv6 access-list copp-system-p-acl-icmp6-msgs
  10 permit icmp any any router-advertisement
  20 permit icmp any any router-solicitation
  30 permit icmp any any nd-na
  40 permit icmp any any nd-ns
  50 permit icmp any any mld-query
  60 permit icmp any any mld-report
  70 permit icmp any any mld-reduction
ip access-list copp-system-p-acl-igmp
  10 permit igmp any 224.0.0.0/3
mac access-list copp-system-p-acl-mac-cdp-udld-vtp
  10 permit any 0100.0ccc.cccc 0000.0000.0000
mac access-list copp-system-p-acl-mac-cfsoe
  10 permit any 0180.c200.000e 0000.0000.0000 0x8843
mac access-list copp-system-p-acl-mac-dot1x
  10 permit any 0180.c200.0003 0000.0000.0000 0x888e
mac access-list copp-system-p-acl-mac-fabricpath-isis
  10 permit any 0180.c200.0015 0000.0000.0000
  20 permit any 0180.c200.0014 0000.0000.0000
mac access-list copp-system-p-acl-mac-flow-control
--More--

Related Commands


Command	Description
show running-config aclmgr	Displays the user-configured ACLs in the running configuration.
show running-config copp	Displays the CoPP configuration in the running configuration.
show startup-config copp	Displays the CoPP configuration in the startup configuration.

show startup-config copp

To display the Control Plane Policing (CoPP) configuration information in the startup configuration, use the show startup-config copp command.

show startup-config copp

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You can use this command only in the default virtual device context (VDC).

This command does not require a license.

Examples

This example shows how to display the control plane policing information in the startup configuration:


switch# show startup-config copp
version 4.0(1)
class-map type control-plane match-any MyClassMap
  match redirect dhcp-snoop
class-map type control-plane match-any copp-system-class-critical
  match access-group name copp-system-acl-arp
  match access-group name copp-system-acl-msdp
class-map type control-plane match-any copp-system-class-important
  match access-group name copp-system-acl-gre
  match access-group name copp-system-acl-tacas
class-map type control-plane match-any copp-system-class-normal
  match access-group name copp-system-acl-icmp
  match redirect dhcp-snoop
  match redirect arp-inspect
  match exception ip option
  match exception ip icmp redirect
  match exception ip icmp unreachable
policy-map type control-plane MyPolicyMap
  class MyClassMap
    police cir 0 bps bc 0 bytes conform drop violate drop
policy-map type control-plane copp-system-policy
  class copp-system-class-critical
    police cir 2000 kbps bc 1500 bytes pir 3000 kbps be 1500 bytes conform transmit exceed transmit violate drop
  class copp-system-class-important
    police cir 1000 kbps bc 1500 bytes pir 1500 kbps be 1500 bytes conform transmit exceed transmit violate drop
  class copp-system-class-normal
    police cir 400 kbps bc 1500 bytes pir 600 kbps be 1500 bytes conform transmit exceed transmit violate drop
  class class-default
    police cir 200 kbps bc 1500 bytes pir 300 kbps be 1500 bytes conform transmit exceed transmit violate drop
policy-map type control-plane x
  class class-default
    police cir 0 bps bc 0 bytes conform drop violate drop

show startup-config dhcp

To display the Dynamic Host Configuration Protocol (DHCP) snooping configuration in the startup configuration, use the show startup-config dhcp command.

show startup-config dhcp [all]

Syntax Description


all	(Optional) Displays configured and default information.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the DHCP snooping feature using the feature dhcp command.

This command does not require a license.

Examples

This example shows how to display the DHCP snooping configuration in the startup configuration:


switch# show startup-config dhcp
version 4.0(1)
feature dhcp
interface Ethernet2/46
  ip verify source dhcp-snooping-vlan
  ip arp inspection trust
ip dhcp snooping
ip arp inspection validate src-mac dst-mac ip
ip source binding 10.3.2.2 0f00.60b3.2333 vlan 13 interface Ethernet2/46
ip source binding 10.2.2.2 0060.3454.4555 vlan 100 interface Ethernet2/10
ip dhcp snooping vlan 1
ip arp inspection vlan 1
ip dhcp snooping vlan 13
ip arp inspection vlan 13
switch#

Related Commands


Command	Description
feature dhcp	Enables the DHCP snooping feature on the device.
show running-config dhcp	Shows DHCP snooping configuration in the running configuration.

show startup-config dot1x

To display 802.1X configuration information in the startup configuration, use the show startup-config dot1x command.

show startup-config dot1x

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You must enable the 802.1X feature by using the feature dot1x command before using this command.

This command does not require a license.

Examples

This example shows how to display the 802.1X information in the startup configuration:


switch# show startup-config dot1x
version 4.0(1)

show startup-config eou

To display the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) configuration information in the startup configuration, use the show startup-config eou command.

show startup-config eou

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You must enable the EAPoUDP feature by using the feature eou command before using this command.

This command does not require a license.

Examples

This example shows how to display the EAPoUDP information in the startup configuration:


switch# show startup-config eou
version 4.0(1)

show startup-config ldap

To display Lightweight Directory Access Protocol (LDAP) configuration information in the startup configuration, use the show startup-config ldap command.

show startup-config ldap

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.0(2)	This command was introduced.

Usage Guidelines

You must use the feature ldap command before you can display LDAP information.

This command does not require a license.

Examples

This example shows how to display the LDAP information in the startup configuration:


switch# show startup-config ldap
!Command: show startup-config ldap
!Time: Wed Feb 17 13:02:31 2010
!Startup config saved at: Wed Feb 17 10:32:23 2010
version 5.0(2)
feature ldap
aaa group server ldap LDAPgroup1
  no ldap-search-map
aaa group server ldap LdapServer1
  no ldap-search-map

Related Commands


Command	Description
show ldap-server	Displays LDAP information.

show startup-config port-security

To display port-security information in the startup configuration, use the show startup-config port-security command.

show startup-config port-security [all]

Syntax Description


all	(Optional) Displays default port-security configuration information.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(3)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display information for port-security in the startup configuration:


switch# show startup-port-security
version 4.0(3)
feature port-security
logging level port-security 5
interface Ethernet2/3
  switchport port-security

Related Commands


Command	Description
show running-config port-security	Displays port-security information in the running configuration.

show startup-config radius

To display RADIUS configuration information in the startup configuration, use the show startup-config radius command.

show startup-config radius

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the RADIUS information in the startup configuration:


switch# show startup-config radius
version 4.0(1)

show startup-config security

To display user account, Secure Shell (SSH) server, and Telnet server configuration information in the startup configuration, use the show startup-config security command.

show startup-config security

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the user account, SSH server, and Telnet server information in the startup configuration:


switch# show startup-config security
version 5.1(1)
username admin password 5 $1$7Jwq/LDM$XF0M/UWeT43DmtjZy8VP91  role network-admin
username adminbackup password 5 $1$Oip/C5Ci$oOdx7oJSlBCFpNRmQK4na.  role network-operator
username user1 password 5 $1$qEclQ5Rx$CAX9fXiAoFPYSvbVzpazj/  role network-operator
telnet server enable
ssh key rsa 1024 force

show startup-config tacacs+

To display TACACS+ configuration information in the startup configuration, use the show startup-config tacacs+ command.

show startup-config tacacs+

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the TACACS+ information in the startup configuration:


switch# show startup-config tacacs+
version 4.0(1)

show system internal access-list feature bank-chain map

To display the access control list (ACL) ternary content addressable memory (TCAM) bank mapping feature group and combination tables, use the show system internal access-list feature bank-chain map command.

show system internal access-list feature bank-chain map vlan-vlan {egress | ingress}| port-vlan {egress | {interface ingress | vlan egress}} [module module]

Syntax Description


port-vlan	Specifies the PORT-VLAN mode.
vlan-vlan	Specifies the VLAN-VLAN mode.
ingress	Displays feature class information for ingress modules.
egress	Displays feature class information for egress modules.
module `module`	(Optional) Displays the module.
interface	Displays the mapping output for PORT-VLAN TCAM bank chaining mode for an interface.
vlan	Displays the mapping output for PORT-VLAN TCAM bank chaining mode for a VLAN.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
7.3(0)D1(1)	This command was introduced.
8.1(1)	The vlan and interface keywords were introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the feature group and class combination tables for ingress module 2:


switch# show system internal access-list feature bank-chain map vlan-vlan ingress module 2
_________________________________________________________________________
Feature                Rslt Type      T0B0      T0B1      T1B0      T1B1
_________________________________________________________________________
QoS                        Qos         X         X
RACL                       Acl                             X         X
PBR                        Acl                             X         X
VACL                       Acl                             X         X
DHCP                       Acl                             X         X
ARP                        Acl                             X         X
Netflow                    Acl                             X         X
Netflow (SVI)              Acl                             X         X
Netflow Sampler            Acc         X         X
Netflow Sampler (SVI)      Acc         X         X
SPM WCCP                   Acl                             X         X
BFD                        Acl                             X         X
SPM OTV                    Acl                             X         X
ACLMGR ERSPAN (source)     Acl                             X         X
SPM_VINCI_PROXY            Acl                             X         X
SPM_VINCI_ANYCAST          Acl                             X         X
SPM_VINCI_FABRIC_VLAN      Acl                             X         X
SPM ITD                    Acl                             X         X
SPM EVPN ARP               Acl                             X         X

The following example displays the mapping output for PORT-VLAN TCAM bank chaining mode for VLAN:

# show system internal access-list feature bank-chain map port-vlan vlan ingress 
_________________________________________________________________________               
Feature                Rslt Type      T0B0      T0B1      T1B0      T1B1                
_________________________________________________________________________               
QoS                        Qos                             X         X                  
RACL                       Acl                             X         X                  
PBR                        Acl                             X         X                  
VACL                       Acl                             X         X                  
DHCP                       Acl                             X         X                  
DHCP_FHS                   Acl                             X         X                  
DHCP_LDRA                  Acl                             X         X                  
ARP                        Acl                             X         X                  
Netflow                    Acl                             X         X                  
Netflow (SVI)              Acl                             X         X                  
Netflow Sampler            Acc                             X         X                  
Netflow Sampler (SVI)      Acc                             X         X                  
SPM WCCP                   Acl                             X         X                  
BFD                        Acl                             X         X                  
SPM OTV                    Acl                             X         X                  
ACLMGR ERSPAN (source)     Acl                             X         X                  
SPM_VINCI_PROXY            Acl                             X         X                  
SPM_VINCI_ANYCAST          Acl                             X         X                  
SPM_VINCI_FABRIC_VLAN      Acl                             X         X
SPM ITD                    Acl                             X         X
SPM EVPN ARP               Acl                             X         X
UDP RELAY                  Acl                             X         X
SPM_VXLAN_OAM              Acl                             X         X

Related Commands


Command	Description
hardware access-list resource feature bank-mapping	Enables ACL TCAM bank mapping for feature groups and classes.

show system internal access-list feature bank-class map

To display the access control list (ACL) ternary content addressable memory (TCAM) bank mapping feature group and class combination tables, use the show system internal access-list feature bank-class map command.

show system internal access-list feature bank-class map {ingress | egress} [module module]

Syntax Description


ingress	Displays feature class information for ingress modules.
egress	Displays feature class information for egress modules.
module `module`	(Optional) Displays the module. The range is from 1 to 18.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
6.2(2)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the feature group and class combination tables for ingress module 4:


switch(config)# show system internal access-list feature bank-class map ingress module 4
Feature Class Definition:
0. CLASS_QOS :
QoS,
1. CLASS_INBAND :
Tunnel Decap, SPM LISP, SPM ERSPAN (termination),
2. CLASS_PACL :
PACL, Netflow,
3. CLASS_DHCP :
DHCP, Netflow, ARP, VACL,
4. CLASS_RACL :
RACL, RACL_STAT, Netflow (SVI), ARP,
5. CLASS_VACL :
VACL, VACL_STAT, ARP, FEX, Netflow,
6. CLASS_RV_ACL :
RACL, PBR, BFD, ARP, SPM WCCP, VACL, SPM OTV, FEX, CTS
implicit Tunnel

Related Commands


Command	Description
hardware access-list resource feature bank-mapping	Enables ACL TCAM bank mapping for feature groups and classes.

show system internal access-list globals

To display the access control list (ACL) ternary content addressable memory (TCAM) common information along with the bank chaining mode, use the show system internal access-list globals command.

show system internal access-list globals

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
7.3(0)D1(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the bank chaining mode:


switch# show system internal access-list globals
slot  2
=======
        Atomic Update : ENABLED
  Default ACL   : DENY
  Bank Chaining : VLAN-VLAN
  Seq Feat Model : NO_DENY_ACE_SUPPORT
  This pltfm supports seq feat model
  Bank Class Model : DISABLED
  This pltfm supports bank class model
  Fabric path DNL : DISABLED
  Seq Feat Model : NO_DENY_ACE_SUPPORT
  This pltfm supports seq feat model
  L4 proto CAM extend : DISABLED
  This pltfm supports L4 proto CAM extend
  MPLS Topmost As Pipe Mode : DISABLED
  This pltfm supports mpls topmost as pipe mode
  LOU Threshold Value : 5
slot  3
=======
  Atomic Update : ENABLED
  Default ACL   : DENY
  Bank Chaining : PORT-VLAN
  Seq Feat Model : NO_DENY_ACE_SUPPORT
  This pltfm supports seq feat model
  Bank Class Model : DISABLED
  This pltfm supports bank class model
  Fabric path DNL : DISABLED
  Seq Feat Model : NO_DENY_ACE_SUPPORT
  This pltfm supports seq feat model
  L4 proto CAM extend : DISABLED
  This pltfm supports L4 proto CAM extend
  MPLS Topmost As Pipe Mode : DISABLED
  This pltfm supports mpls topmost as pipe mode
  LOU Threshold Value : 5

Related Commands


Command	Description
hardware access-list resource feature bank-mapping	Enables ACL TCAM bank mapping for feature groups and classes.

show system internal pktmgr internal control sw-rate-limit

To display the inband and outband global rate limit configuration for packets that reach the supervisor module, use the show system internal pktmgr internal control sw-rate-limit command.

show system internal pktmgr internal control sw-rate-limit

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any

Command History


Release	Modification
5.1(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the inband and outband global rate limit configuration for packets that reach the supervisor module:


switch# show system internal pktmgr internal control sw-rate-limit
inband pps global threshold 12500  outband pps global threshold 15500
switch#

Related Commands


Command	Description
rate-limit cpu direction pps action log	Configures rate limits globally on the device for packets that reach the supervisor module.

show system internal udp-relay database

To display the configuration details of the UDP relay feature, use the show system internal udp-relay database command.

show system internal udp-relay database

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
7.3(0)D1(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the details of the UDP relay feature:


switch# show system internal udp-relay database
 UDP Relay enabled : Yes
 Relay enabled on the following UDP Ports:
 ---------------------------------------------------------------
 Sr No.    UDP-Port          Default Port?
 ------    ---------------   ----------------------
   1.        37                  Yes
   2.        42                  Yes
   3.        49                  Yes
   4.        53                  Yes
   5.        69                  Yes
   6.       137                 Yes
   7.       138                 Yes
  -----------------------------------------
 Object Groups information:
 -------------------------------------------
 --------------------------------------------------------
 Object-Group Name      :  iHello
 No. of Relay Addresses :  3
    1 . IP-Addr : 2.6.8.12        Netmask : 255.255.255.255
    2 . IP-Addr : 9.8.7.6         Netmask : 255.255.255.255
    3 . IP-Addr : 2.4.6.8         Netmask : 255.255.0.0
 Associated Interfaces:
 -----------------------------------
    Vlan800             Subnet-broadcast enabled
 ---------------------------------------------------------------
 Object-Group Name      :  iSmart
 No. of Relay Addresses :  1
    1 . IP-Addr : 4.5.6.7         Netmask : 255.255.0.0
 Associated Interfaces:
 -----------------------------------
    Vlan700             Subnet-broadcast disabled

Related Commands


Command	Description
ip forward-protocol udp	Enables the UDP relay feature.
object-group udp relay ip address	Configures the object group.

show tacacs+

To display the TACACS+ Cisco Fabric Services (CFS) distribution status and other details, use the show tacacs+ command.

show tacacs+ {distribution status | pending [cmds] | pending-diff}

Syntax Description


distribution status	Displays the status of the TACACS+ CFS distribution.
pending	Displays the pending configuration that is not yet applied to the running configuration.
cmds	(Optional) Displays the commands for the pending configuration.
pending-diff	Displays the difference between the active configuration and the pending configuration.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the TACACS+ CFS status:


switch# show tacacs+ distribution status
distribution : enabled
session ongoing: no
session db: does not exist
merge protocol status: not yet initiated after enable
last operation: enable
last operation status: success

This example shows how to display the TACACS+ merge status:


switch# show tacacs+ merge status
Result: Waiting

This example shows how to display the pending TACACS+ configuration:


switch# show tacacs+ pending
tacacs-server host 10.10.2.2 key 7 qxz12345

This example shows how to display the pending TACACS+ configuration commands:


switch# show tacacs+ pending cmds
 tacacs-server host 10.10.2.2 key 7 qxz12345 port 49

This example shows how to display the differences between the pending TACACS+ configuration and the current TACACS+configuration:


switch# show tacacs+ pending-diff
    +tacacs-server host 10.10.2.2

show tacacs-server

To display TACACS+ server information, use the show tacacs-server command.

Syntax Description


`hostname`	(Optional) TACACS+ server Domain Name Server (DNS) name. The maximum character size is 256.
`ipv4-address`	(Optional) TACACS+ server IPv4 address in the A.B.C.D format.
`ipv6-address`	(Optional) TACACS+ server IPv6 address in the X: X: X:: X format.
directed-request	(Optional) Displays the directed request configuration.
groups	(Optional) Displays information about the configured TACACS+ server groups.
sorted	(Optional) Displays sorted-by-name information about the TACACS+ servers.
statistics	(Optional) Displays TACACS+ statistics for the TACACS+ servers.

Command Default

Displays the global TACACS+ server configuration

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

TACACS+ preshared keys are not visible in the show tacacs-server command output. Use the show running-config tacacs+ command to display the TACACS+ preshared keys.

You must use the feature tacacs+ command before you can display TACACS+ information.

This command does not require a license.

Examples

This example shows how to display information for all TACACS+ servers:


switch# show tacacs-server 
Global TACACS+ shared secret:********
timeout value:5
deadtime value:0
total number of servers:2
following TACACS+ servers are configured:
        10.10.2.2:
                available on port:49
        10.10.1.1:
                available on port:49

This example shows how to display information for a specified TACACS+ server:


switch# show tacacs-server 10.10.2.2
        10.10.2.2:
                available for authentication on port:1812
                available for accounting on port:1813
                idle time:0
                test user:test
                test password:********

This example shows how to display the TACACS+ directed request configuration:


switch# show tacacs-server directed-request
enabled

This example shows how to display information for TACACS+ server groups:


switch# show tacacs-server groups
total number of groups:1
following TACACS+ server groups are configured:
        group TacServer:
                server 10.10.2.2 on port 49
                deadtime is 0
                vrf is vrf3

This example shows how to display information for a specified TACACS+ server group:


switch# show tacacs-server groups TacServer
        group TacServer:
                server 10.10.2.2 on port 49
                deadtime is 0
                vrf is vrf3

This example shows how to display sorted information for all TACACS+ servers:


switch# show tacacs-server sorted
Global TACACS+ shared secret:********
timeout value:5
deadtime value:0
total number of servers:2
following TACACS+ servers are configured:
        10.10.1.1:
                available on port:49
        10.10.2.2:
                available on port:49

This example shows how to display statistics for a specified TACACS+ servers:


switch# show tacacs-server statistics 10.10.2.2
Server is not monitored
Authentication Statistics
        failed transactions: 0
        sucessfull transactions: 0
        requests sent: 0
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 0
        responses containing errors: 0
Authorization Statistics
        failed transactions: 0
        sucessfull transactions: 0
        requests sent: 0
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 0
        responses containing errors: 0
Accounting Statistics
        failed transactions: 0
        sucessfull transactions: 0
        requests sent: 0
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 0
        responses containing errors: 0

Related Commands


Command	Description
show running-config tacacs+	Displays the TACACS+ information in the running configuration file.

show telnet server

To display the Telnet server status for a virtual device context (VDC), use the show telnet server command.

show telnet server

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the Telnet server status:


switch# show telnet server
telnet service enabled

Related Commands


Command	Description
telnet server enable	Enables the Telnet server.

show time-range

To display all time ranges or a specific time range, use the show time-range command.

show time-range [time-range-name]

Syntax Description


`time-range-name`	(Optional) Name of a time range, which can be up to 64 alphanumeric, case-sensitive characters.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

The device shows all time ranges unless you use the time-range-name argument to specify a time range.

If you do not specify a time-range name, the device lists time ranges alphabetically by the time-range names.

The output of the show time-range command indicates whether a time range is active, which means that the current system time on the device falls within the configured time range.

This command does not require a license.

Examples

This example shows how to use the show time-range command without specifying a time-range name on a device that has two time ranges configured, where one of the time ranges is inactive and the other is active:


switch(config-time-range)# show time-range
time-range entry: december (inactive)
   10 absolute start 0:00:00 1 December 2009 end 11:59:59 31 December 2009
time-range entry: november (active)
   10 absolute start 0:00:00 1 November 2009 end 23:59:59 30 November 2009

Related Commands


Command	Description
time-range	Configures a time range.
permit (IPv4)	Configures a permit rule for an IPv4 ACL.
ipv6 access-list	Configures an IPv6 ACL.
permit (IPv6)	Configures a permit rule for an IPv6 ACL.
permit (MAC)	Configures a permit rule for a MAC ACL.
show ipv6 access-lists	Displays all IPv6 ACLs or a specific IPv6 ACL.
show access-lists	Displays all ACLs or a specific ACL.

show user-account

To display information for the user accounts in a virtual device context (VDC), use the show user-account command.

show user-account

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display information for user accounts in the default virtual device context (VDC):


switch# show user-account
user:admin
        this user account has no expiry date
        roles:network-admin
user:adminbackup
        this user account has no expiry date
        roles:network-operator

This example shows how to display information for user accounts in a nondefault VDC:


switch-MyVDC# show user-account
user:admin
        this user account has no expiry date
        roles:vdc-admin

Related Commands


Command	Description
telnet server enable	Enables the Telnet server.

show username

To display the public key for the specified user, use the show username command.

show username username keypair

Syntax Description


`username`	Name of the user. You can enter up to 28 alphanumeric characters.
keypair	Displays the Secure Shell (SSH) user keys.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
5.0(2)	This command was introduced.

Usage Guidelines

This command does not require a license.

For security reasons, this command does not show the private key.

Examples

This example shows how to display the public key for the specified user:


switch# show username admin keypair
**************************************
rsa Keys generated:Mon Feb 15 08:10:45 2010
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0+rIeMgXwv004lt/hwOoyqIKbFGl1tmkFNm/tozuazfL
4dH/asAXZoJePDdiO1ILBGfrQgzyS5u3prXuXfgnWkTu0/4WlD0DF/EPdsd3NNzNbpPFzNDVylPDyDfR
X5SfVICioEirjX9Y59DZP+Nng6rJD7Z/YHVXs/jRNLPBOIs=
bitcount:262144
fingerprint:
a4:a7:b1:d1:43:09:49:6f:7c:f8:60:62:8e:a2:c1:d1
**************************************
could not retrieve dsa key information
**************************************
switch#

Related Commands


Command	Description
username username keypair generate	Generates the SSH public and private keys and stores them in the home directory of the Cisco NX-OS device for the specified user.

show users

To display the user session information for a virtual device context (VDC), use the show users command.

show users

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display user session information in the default virtual device context (VDC):


switch# show users
NAME     LINE         TIME         IDLE          PID COMMENT
admin    pts/1        Mar 17 15:18   .          5477 (172.28.254.254)
admin    pts/9        Mar 19 11:19   .         23101 (10.82.234.56)*

This example shows how to display information for user accounts in a nondefault VDC:


switch-MyVDC# show users
admin     pts/10       Mar 19 12:54   .         30965 (10.82.234.56)*

Related Commands


Command	Description
username	Configures user accounts.

show vlan access-list

To display the contents of the IPv4 access control list (ACL), IPv6 ACL, or MAC ACL associated with a specific VLAN access map, use the show vlan access-list command.

show vlan access-list access-list-name

Syntax Description


`access-list-name`	Name of the VLAN access map, which can be up to 64 alphanumeric, case-sensitive characters.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to use the show vlan access-list command to display the contents of the ACL that the VLAN access map named vacl-01 is configured to use:


switch# show vlan access-list vacl-01
IP access list ipv4acl
        5 deny ip 10.1.1.1/32 any
        10 permit ip any any

Related Commands


Command	Description
vlan access-map	Configures an VLAN access map.
show access-lists	Displays all ACLs or a specific ACL.
show ip access-lists	Displays all IPv4 ACLs or a specific IPv4 ACL.
show ipv6 access-lists	Displays all IPv6 ACLs or a specific IPv6 ACL.
show mac access-lists	Displays all MAC ACLs or a specific MAC ACL.
show vlan access-map	Displays all VLAN access maps or a specific VLAN access map.

show vlan access-map

To display all VLAN access maps or a VLAN access map, use the show vlan access-map command.

show vlan access-map map-name

Syntax Description


`map-name`	VLAN access map, which can be up to 64 alphanumeric, case-sensitive characters.

Command Default

None

Command Modes

Any command mode

Command History


Release	Modification
4.2(1)	Command output is sorted alphabetically by the ACL names.
4.0(1)	This command was introduced.

Usage Guidelines

The device shows all VLAN access maps, unless you use the map-name argument to specify an access map.

If you do not specify an access-map name, the device lists VLAN access maps alphabetically by access-map name.

For each VLAN access map displayed, the device shows the access-map name, the ACL specified by the match command, and the action specified by the action command.

Use the show vlan filter command to see which VLANs have a VLAN access map applied to them.

This command does not require a license.

Examples

This example shows how to remove dynamically learned, secure MAC addresses from the Ethernet 2/1 interface:


switch# show vlan access-map
Vlan access-map austin-vlan-map
        match ip: austin-corp-acl
        action: forward

Related Commands


Command	Description
action	Specifies an action for traffic filtering in a VLAN access map.
match	Specifies an ACL for traffic filtering in a VLAN access map.
show vlan filter	Displays information about how a VLAN access map is applied.
vlan access-map	Configures a VLAN access map.
vlan filter	Applies a VLAN access map to one or more VLANs.

show vlan filter

To display information about instances of the vlan filter command, including the VLAN access-map and the VLAN IDs affected by the command, use the show vlan filter command.

show vlan filter [access-map map-name | vlan vlan-ID]

Syntax Description


access-map `map-name`	(Optional) Limits the output to VLANs that the specified access map is applied to.
vlan `vlan-ID`	(Optional) Limits the output to access maps that are applied to the specified VLAN only. Valid VLAN IDs are from 1 to 4096.

Command Default

The device shows all instances of VLAN access maps applied to a VLAN, unless you use the access-map keyword and specify an access map, or you use the vlan keyword and specify a VLAN ID.

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display all VLAN access map information on a device that has only one VLAN access map applied (austin-vlan-map) to VLANs 20 through 35 and 42 through 80:


switch# show vlan filter
vlan map austin-vlan-map:
        Configured on VLANs:    20-35,42-80

Related Commands


Command	Description
action	Specifies an action for traffic filtering in a VLAN access map.
match	Specifies an ACL for traffic filtering in a VLAN access map.
show vlan access-map	Displays all VLAN access maps or a VLAN access map.
vlan access-map	Configures a VLAN access map.
vlan filter	Applies a VLAN access map to one or more VLANs.

Bias-Free Language

Results

Chapter: Show Commands

Show Commands

show

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

show aaa accounting

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

show aaa authentication

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

show aaa authorization

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

show aaa groups

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

show aaa local user blocked

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

show aaa user default-role

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

show access-list status module

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

show access-lists

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

show accounting log

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines