Show Commands
This chapter describes the Cisco NX-OS security show commands.
show aaa accounting
To display AAA accounting configuration information, use the show aaa accounting command.
show aaa accounting
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the configuration of the accounting log:
switch# show aaa accounting
default: local
show aaa authentication
To display AAA authentication configuration information, use the show aaa authentication command.
show aaa authentication [login error-enable | login chap | login mschap | login mschapv2 | login ascii-authentication]
Syntax Description
Defaults
Displays the console and login authentication methods configuration.
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Release    Modification
5.0(2)     Added the chap keyword.
4.2(1)     Added the mschapv2 keyword.
4.1(2)     Added the ascii-authentication keyword.
4.0(1)     This command was introduced.
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the configured authentication parameters:
switch# show aaa authentication
default: local
console: local
dot1x: not configured
eou: not configured
This example shows how to display the authentication-login error-enable configuration:
switch# show aaa authentication login error-enable
disabled
This example shows how to display the authentication-login CHAP configuration:
switch# show aaa authentication login chap
disabled
This example shows how to display the authentication-login MSCHAP configuration:
switch# show aaa authentication login mschap
disabled
This example shows how to display the authentication-login MSCHAP V2 configuration:
switch# show aaa authentication login mschapv2
enabled
This example shows how to display the status of the ASCII authentication for passwords feature:
switch(config)# show aaa authentication login ascii-authentication
disabled
Related Commands
show aaa authorization
To display AAA authorization configuration information, use the show aaa authorization command.
show aaa authorization [all]
Syntax Description
Defaults
Displays the configured information.
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the configured authorization methods:
switch# show aaa authorization
pki-ssh-cert: local
pki-ssh-pubkey: local
AAA command authorization:
default authorization for config-commands: none
cts: group radius
This example shows how to display the configured authorization methods and defaults:
switch# show aaa authorization all
pki-ssh-cert: local
pki-ssh-pubkey: local
AAA command authorization:
default authorization for config-commands: none
default authorization for commands: local
cts: group radius
Related Commands
show aaa groups
To display AAA server group configuration, use the show aaa groups command.
show aaa groups
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display AAA group information:
switch# show aaa groups
radius
TacServer
show aaa user default-role
To display the AAA user default role configuration, use the show aaa user default-role command.
show aaa user default-role
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
Use the aaa user default-role command to configure the AAA user default role.
This command does not require a license.
Examples
This example shows how to display the AAA user default role configuration:
switch# show aaa user default-role
enabled
Related Commands
show access-lists
To display all IPv4, IPv6, and MAC access control lists (ACLs) or a specific ACL, use the show access-lists command.
show access-lists [access-list-name] [expanded | summary]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
The device shows all ACLs unless you use the access-list-name argument to specify an ACL.
If you do not specify an ACL name, the device lists ACLs alphabetically by the ACL names.
The expanded keyword allows you to display the details of object groups used in an ACL rather than only the name of the object groups. For more information about object groups, see the object-group ip address, object-group ipv6 address, and object-group ip port commands.
The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following:
• Whether per-entry statistics are configured for the ACL.
• Whether the fragments command is configured for an IP ACL.
• The number of rules in the ACL configuration. This number does not reflect how many entries the ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules.
• The interfaces that the ACL is applied to.
• The interfaces that the ACL is active on.
The show access-lists command displays statistics for each entry in an ACL if the following conditions are both true:
• The ACL configuration contains the statistics per-entry command.
• The ACL is applied to an interface that is administratively up.
If an IP ACL includes the fragments command, it appears before the explicit permit and deny rules, but the device applies the fragments command to noninitial fragments only if they do not match all other explicit rules in the ACL.
This command does not require a license.
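The difference between configured rules and applied entries, and the per-entry counters, can be checked from captured output. The following is an added example, not part of the Cisco documentation: it parses show access-lists text, folds expanded entries back into rules by sequence number, and lists what a reviewer should look at. The one-item-per-line layout of the samples and the function names are assumptions.

```python
import re

# Sample text following this page's show access-lists examples, one item per
# line (layout assumed). PLAIN is the default view, EXPANDED uses "expanded".
PLAIN = """\
switch# show access-lists ipv4-RandD-outbound-web
IP access list ipv4-RandD-outbound-web
statistics per-entry
1000 permit ahp any any [match=732]
1005 permit tcp addrgroup MainLab any eq telnet
1010 permit tcp any any eq www [match=820421]
"""
EXPANDED = """\
switch# show access-lists ipv4-RandD-outbound-web expanded
IP access list ipv4-RandD-outbound-web
statistics per-entry
1000 permit ahp any any [match=732]
1005 permit tcp 10.52.34.4/32 any eq telnet [match=5032]
1005 permit tcp 10.52.34.27/32 any eq telnet [match=433]
1010 permit tcp any any eq www [match=820421]
"""

HEADER = re.compile(r"^(\w+) access list (\S+)$")
ENTRY = re.compile(r"^(\d+) (permit|deny) (.*?)(?: \[match=(\d+)\])?$")


def parse_acls(text):
    """Return {acl_name: {"type", "per_entry_stats", "entries"}} from CLI text."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())  # tolerate indentation and repeated spaces
        header = HEADER.match(line)
        if header:
            current = {"type": header.group(1), "per_entry_stats": False,
                       "entries": []}
            acls[header.group(2)] = current
        elif current is None:
            continue  # prompt line or other text before the first ACL header
        elif line == "statistics per-entry":
            current["per_entry_stats"] = True
        else:
            entry = ENTRY.match(line)
            if entry:
                seq, action, rule, hits = entry.groups()
                current["entries"].append({
                    "seq": int(seq), "action": action, "rule": rule,
                    "hits": None if hits is None else int(hits),
                })
    return acls


def summarize_rules(acl):
    """Fold expanded entries back into configured rules, keyed by sequence number."""
    rules = {}
    for e in acl["entries"]:
        rule = rules.setdefault(e["seq"], {"action": e["action"], "entries": 0,
                                           "hits": 0, "counted": True})
        rule["entries"] += 1
        if e["hits"] is None:
            rule["counted"] = False  # no [match=N] shown for this entry
        else:
            rule["hits"] += e["hits"]
    return rules


def review(acl):
    """Return (seq, note) pairs worth a reviewer's attention."""
    notes = []
    if not acl["per_entry_stats"]:
        notes.append((None, "statistics per-entry not configured"))
    for seq, rule in sorted(summarize_rules(acl).items()):
        if not rule["counted"]:
            notes.append((seq, "no counter shown (object group not expanded, "
                               "or ACL not applied to an up interface)"))
        elif rule["hits"] == 0:
            notes.append((seq, "zero matches recorded"))
        if rule["entries"] > 1:
            notes.append((seq, f"expands to {rule['entries']} entries"))
    return notes


if __name__ == "__main__":
    for label, text in (("plain", PLAIN), ("expanded", EXPANDED)):
        for name, acl in parse_acls(text).items():
            print(label, name, len(acl["entries"]), "entries", review(acl))
```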
Examples
This example shows how to use the show access-lists command without specifying an ACL name on a device that has one IP ACL and one MAC ACL configured:
switch# show access-lists
IP access list ip-v4-filter
10 permit ip any any
MAC access list mac-filter
10 permit 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff ip
This example shows how to use the show access-lists command to display an IPv4 ACL named ipv4-RandD-outbound-web, including per-entry statistics for the entries except for the MainLab object group:
switch# show access-lists ipv4-RandD-outbound-web
IP access list ipv4-RandD-outbound-web
statistics per-entry
1000 permit ahp any any [match=732]
1005 permit tcp addrgroup MainLab any eq telnet
1010 permit tcp any any eq www [match=820421]
This example shows how to use the show access-lists command to display an IPv4 ACL named ipv4-RandD-outbound-web. The expanded keyword causes the contents of the object group from the previous example to appear, including the per-entry statistics:
switch# show access-lists ipv4-RandD-outbound-web expanded
IP access list ipv4-RandD-outbound-web
statistics per-entry
1000 permit ahp any any [match=732]
1005 permit tcp 10.52.34.4/32 any eq telnet [match=5032]
1005 permit tcp 10.52.34.27/32 any eq telnet [match=433]
1010 permit tcp any any eq www [match=820421]
This example shows how to use the show access-lists command with the summary keyword to display information about an IPv4 ACL named ipv4-RandD-outbound-web, such as which interfaces the ACL is applied to and active on:
switch# show access-lists ipv4-RandD-outbound-web summary
IPV4 ACL ipv4-RandD-outbound-web
Statistics enabled
Total ACEs Configured: 4
Configured on interfaces:
Ethernet2/4 - ingress (Router ACL)
Active on interfaces:
Ethernet2/4 - ingress (Router ACL)
Related Commands
show accounting log
To display the accounting log contents, use the show accounting log command.
show accounting log [size | last-index | start-seqnum number | start-time year month day HH:MM:SS]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Release    Modification
4.2(1)     Added the last-index and start-seqnum keyword options.
4.0(1)     This command was introduced.
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the entire accounting log:
switch# show accounting log
Sat Feb 16 10:44:24 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 10:44:25 2008:update:/dev/pts/1_172.28.254.254:admin:show clock
Sat Feb 16 10:45:20 2008:update:/dev/pts/1_172.28.254.254:admin:show logging logfile start-time 2008 Feb 16 10:44:11
Sat Feb 16 10:45:23 2008:update:/dev/pts/1_172.28.254.254:admin:show accountinglog start-time 2008 Feb 16 10:08:57
Sat Feb 16 10:45:24 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 10:45:25 2008:update:/dev/pts/1_172.28.254.254:admin:show clock
Sat Feb 16 10:46:20 2008:update:/dev/pts/1_172.28.254.254:admin:show logging logfile start-time 2008 Feb 16 10:45:11
Sat Feb 16 10:46:22 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting
This example shows how to display 400 bytes of the accounting log:
switch# show accounting log 400
Sat Feb 16 21:15:24 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting log start-time 2008 Feb 16 18:31:21
Sat Feb 16 21:15:25 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 21:15:26 2008:update:/dev/pts/1_172.28.254.254:admin:show clock
This example shows how to display the accounting log starting at 16:00:00 on February 16, 2008:
switch(config)# show accounting log start-time 2008 Feb 16 16:00:00
Sat Feb 16 16:00:18 2008:update:/dev/pts/1_172.28.254.254:admin:show logging log file start-time 2008 Feb 16 15:59:16
Sat Feb 16 16:00:26 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting log start-time 2008 Feb 16 12:05:16
Sat Feb 16 16:00:27 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 16:00:28 2008:update:/dev/pts/1_172.28.254.254:admin:show clock
Sat Feb 16 16:01:18 2008:update:/dev/pts/1_172.28.254.254:admin:show logging log file start-time 2008 Feb 16 16:00:16
Sat Feb 16 16:01:26 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting log start-time 2008 Feb 16 12:05:16
Sat Feb 16 16:01:27 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 16:01:29 2008:update:/dev/pts/1_172.28.254.254:admin:show clock
Sat Feb 16 16:02:18 2008:update:/dev/pts/1_172.28.254.254:admin:show logging log file start-time 2008 Feb 16 16:01:16
Sat Feb 16 16:02:26 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting log start-time 2008 Feb 16 12:05:16
Sat Feb 16 16:02:28 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
This example shows how to display the last index number:
switch# show accounting log last-index
accounting-log last-index : 1814
Related Commands
show arp access-lists
To display all ARP access control lists (ACLs) or a specific ARP ACL, use the show arp access-lists command.
show arp access-lists [access-list-name]
Syntax Description
access-list-name
(Optional) Name of an ARP ACL, which can be up to 64 alphanumeric, case-sensitive characters.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
The device shows all ARP ACLs, unless you use the access-list-name argument to specify an ACL.
This command does not require a license.
Examples
This example shows how to use the show arp access-lists command to display all ARP ACLs on a device that has two ARP ACLs:
switch# show arp access-lists
ARP access list arp-permit-all
10 permit ip any mac any
ARP access list arp-lab-subnet
10 permit request ip 10.32.143.0 255.255.255.0 mac any
This example shows how to use the show arp access-lists command to display an ARP ACL named arp-permit-all:
switch# show arp access-lists arp-permit-all
ARP access list arp-permit-all
10 permit ip any mac any
Related Commands
Command                     Description
arp access-list             Configures an ARP ACL.
ip arp inspection filter    Applies an ARP ACL to a VLAN.
show class-map type control-plane
To display control plane class map information, use the show class-map type control-plane command.
show class-map type control-plane [class-map-name]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to display control plane class map information:
switch# show class-map type control-plane
class-map type control-plane match-any copp-system-class-critical
match access-grp name copp-system-acl-arp
match access-grp name copp-system-acl-msdp
class-map type control-plane match-any copp-system-class-important
match access-grp name copp-system-acl-gre
match access-grp name copp-system-acl-tacas
class-map type control-plane match-any copp-system-class-normal
match access-grp name copp-system-acl-icmp
match redirect dhcp-snoop
match redirect arp-inspect
match exception ip option
match exception ip icmp redirect
match exception ip icmp unreachable
show cli syntax roles network-admin
To display the syntax of the commands that the network-admin role can use but the vdc-admin role cannot, use the show cli syntax roles network-admin command.
show cli syntax roles network-admin
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the syntax of the commands that the network-admin role can use but the vdc-admin role cannot:
switch# show cli syntax roles network-admin
MODE exec
(0) show debug license
(1) show debug bootvar
(2) show debug cmpproxy
(3) show debug exceptionlog
(4) show debug device_test
(5) show debug diagmgr
(6) show debug diagclient
(7) show debug ntp
(8) show debug port_lb
(9) show debug copp
(10) show debug copp bypass
(11) show license usage vdc-all [ { detail | <license-feature> } ]
(12) show system internal license event-history
(13) show system internal license mem-stats [ detail ]
(14) show system internal loader configuration
(15) show system internal bootvar log
(16) show system internal cmpproxy install-logs
(17) show system internal cmpproxy [ event-history ] errors
(18) show system internal cmpproxy [ event-history ] msgs
(19) show system internal cmpproxy mem-stats [ detail ]
(20) show system internal epld logging
(21) show system internal access-list status [ ]
(22) show system internal copp ppf-database { policy { subscriptions | sessions| instances | all } }
(23) show system internal copp [ event-history ] errors
(24) show system internal copp [ event-history ] logs
(25) show system internal copp [ event-history ] msgs
(26) show system internal copp mem-stats [ detail ]
(27) show system internal copp info
(28) show system reset-reason
(29) show system reset-reason module <module>
(30) show system reset-reason <s0> <santa-cruz-range>
(31) show system redundancy status
(32) show system redundancy ha status
(33) show logging level { license | licmgr }
(34) show logging level bootvar
(35) show logging level cmpproxy
(36) show logging level diagnostic device_test
(37) show logging level diagnostic diagmgr
(38) show logging level diagnostic diagclient
(39) show logging level ntp
(40) show logging level copp
(41) show running-config res_mgr
(42) show running-config vdc [ all ]
(43) show running-config diagnostic [ all ]
(44) show running-config cmp
(45) show running-config ntp [ all ]
(46) show running-config vdc-all [ all ]
(47) show running-config copp [ all ]
(48) show startup-config vdc [ all ]
(49) show startup-config diagnostic [ all ]
(50) show startup-config ntp [ all ]
(51) show startup-config vdc-all
(52) show startup-config copp [ all ]
(53) show tech-support gold
(54) show tech-support cmp
(55) show tech-support dcbx
(56) show tech-support ntp
(57) show tech-support forwarding l2 multicast vdc-all
(58) show tech-support forwarding l3 unicast vdc-all [ module <module> ]
--More--
Related Commands
Command                                   Description
show cli syntax roles network-operator    Displays the syntax of the commands that the network-operator role can use but the vdc-operator role cannot.
show copp diff profile
To display the difference between the previous and latest Control Plane Policing (CoPP) best practice policies or between the currently applied default CoPP best practice policy and the latest CoPP best practice policy, use the show copp diff profile command.
show copp diff profile {lenient | moderate | strict} [prior-ver] profile {lenient | moderate | strict}
Syntax Description
lenient
Displays the lenient profile.
moderate
Displays the moderate profile.
strict
Displays the strict profile.
profile
Specifies the profile.
prior-ver
Specifies the previous profile.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
When you do not include the prior-ver option, this command displays the difference between two currently applied default CoPP best practice policies (such as the currently applied strict and currently applied moderate policies).
When you include the prior-ver option, this command displays the difference between a currently applied default CoPP best practice policy and a previously applied default CoPP best practice policy (such as the currently applied strict and the previously applied lenient policies).
This command does not require a license.
Examples
This example shows how to display the difference between the currently applied default CoPP best practice policy and the latest CoPP best practice policy:
switch# show copp diff profile moderate applied latest
Related Commands
Command              Description
show copp profile    Displays the details of the CoPP best practice policy, along with the classes and policer values.
show copp profile
To display the details of the Control Plane Policing (CoPP) best practice policy, along with the classes and policer values, use the show copp profile command.
show copp profile {lenient | moderate | strict}
Syntax Description
lenient
Displays the lenient profile.
moderate
Displays the moderate profile.
strict
Displays the strict profile.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the details of the CoPP best practice policy, along with the classes and policer values:
switch# show copp profile moderate
ip access-list copp-system-p-acl-bgp
permit tcp any gt 1024 any eq bgp
permit tcp any eq bgp any gt 1024
ipv6 access-list copp-system-p-acl-bgp6
permit tcp any gt 1024 any eq bgp
permit tcp any eq bgp any gt 1024
ip access-list copp-system-p-acl-cts
permit tcp any any eq 64999
permit tcp any eq 64999 any
ip access-list copp-system-p-acl-dhcp
permit udp any eq bootpc any
permit udp any neq bootps any eq bootps
ip access-list copp-system-p-acl-dhcp-relay-response
permit udp any eq bootps any
permit udp any any eq bootpc
ip access-list copp-system-p-acl-eigrp
permit eigrp any any
ip access-list copp-system-p-acl-ftp
permit tcp any any eq ftp-data
permit tcp any any eq ftp
permit tcp any eq ftp-data any
permit tcp any eq ftp any
ip access-list copp-system-p-acl-glbp
permit udp any eq 3222 224.0.0.0/24 eq 3222
--More--
Related Commands
show cli syntax roles network-operator
To display the syntax of the commands that the network-operator role can use but the vdc-operator role cannot, use the show cli syntax roles network-operator command.
show cli syntax roles network-operator
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the syntax of the commands that the network-operator role can use but the vdc-operator role cannot:
switch# show cli syntax roles network-operator
MODE exec
(0) show debug license
(1) show debug cmpproxy
(2) show debug exceptionlog
(3) show debug device_test
(4) show debug diagmgr
(5) show debug diagclient
(6) show debug ntp
(7) show debug port_lb
(8) show debug copp
(9) show license usage vdc-all [ { detail | <license-feature> } ]
(10) show system internal license event-history
(11) show system internal license mem-stats [ detail ]
(12) show system internal loader configuration
(13) show system internal bootvar log
(14) show system internal cmpproxy install-logs
(15) show system internal cmpproxy [ event-history ] errors
(16) show system internal cmpproxy [ event-history ] msgs
(17) show system internal cmpproxy mem-stats [ detail ]
(18) show system internal epld logging
(19) show system internal access-list status [ ]
(20) show system internal copp ppf-database { policy { subscriptions | sessions| instances | all } }
(21) show system internal copp [ event-history ] errors
--More--
Related Commands
Command                                Description
show cli syntax roles network-admin    Displays the syntax of the commands that the network-admin role can use but the vdc-admin role cannot.
show copp status
To display the control plane policing (CoPP) configuration status, use the show copp status command.
show copp status
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to display the CoPP configuration status information:
switch# show copp status
Last Config Operation: service-policy input copp-system-policy
Last Config Operation Timestamp: 21:57:58 UTC Jun 4 2008
Last Config Operation Status: Success
Policy-map attached to the control-plane: new-copp-policy
show crypto ca certificates
To display configured trustpoint certificates, use the show crypto ca certificates command.
show crypto ca certificates trustpoint-label
Syntax Description
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
Use this command to display the fields in the identity certificate, if present, followed by the fields in the CA certificate (or each CA certificate if it is a chain, starting from the lowest to the self-signed root certificate), or the trustpoint. If the trustpoint name is not specified, all trustpoint certificate details are displayed.
This command does not require a license.
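Because the output lists the identity certificate first and then each CA certificate up to the self-signed root, a captured copy can be checked for ordering and validity dates. The following is an added example, not part of the Cisco documentation: the sample text is constructed with placeholder names, the one-field-per-line layout is an assumption, and the check compares displayed names and dates only (it does not verify signatures).

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of show crypto ca certificates output;
# trustpoint name, subjects, serials and fingerprint are placeholders.
SAMPLE = """\
Trustpoint: example-tp
certificate:
subject= /CN=switch-example
issuer= /C=US/O=example/CN=Example Issuing CA
serial=0A
notBefore=Jun 9 10:51:45 2005 GMT
notAfter=May 3 23:10:36 2006 GMT
MD5 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
purposes: sslserver sslclient ike
CA certificate 0:
subject= /C=US/O=example/CN=Example Issuing CA
issuer= /C=US/O=example/CN=Example Root CA
serial=0B
notBefore=May 5 18:43:36 2005 GMT
notAfter=May 3 23:10:36 2006 GMT
purposes: sslserver sslclient ike
CA certificate 1:
subject= /C=US/O=example/CN=Example Root CA
issuer= /C=US/O=example/CN=Example Root CA
serial=0C
notBefore=May 3 22:46:37 2005 GMT
notAfter=May 3 22:55:17 2007 GMT
purposes: sslserver sslclient ike
"""

SECTION = re.compile(r"^(certificate|CA certificate \d+):$")
REQUIRED = ("subject", "issuer", "notBefore", "notAfter")


def parse_trustpoints(text):
    """Return {trustpoint: [cert, ...]} with certificates in displayed order."""
    trustpoints, certs, cert = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Trustpoint:"):
            certs = trustpoints.setdefault(line.split(":", 1)[1].strip(), [])
            cert = None
        elif certs is not None and SECTION.match(line):
            cert = {"label": line[:-1]}
            certs.append(cert)
        elif cert is not None and "=" in line:
            # Split on the first "=" only: DN values contain further "=" signs.
            key, value = line.split("=", 1)
            cert[key.strip()] = value.strip()
    return trustpoints


def parse_time(value):
    """Parse a timestamp printed like 'May 3 23:10:36 2006 GMT' as aware UTC."""
    stamp = " ".join(value.split())
    if not stamp.endswith(" GMT"):
        raise ValueError(f"unexpected timestamp: {value!r}")
    parsed = datetime.strptime(stamp[:-4], "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)


def check_chain(certs, now):
    """Return (label, finding) pairs for date and ordering problems."""
    findings = []
    for i, cert in enumerate(certs):
        label = cert["label"]
        missing = [field for field in REQUIRED if field not in cert]
        if missing:
            findings.extend((label, f"missing {field}") for field in missing)
            continue
        if now < parse_time(cert["notBefore"]):
            findings.append((label, "not yet valid"))
        if now > parse_time(cert["notAfter"]):
            findings.append((label, "expired"))
        if i + 1 < len(certs):
            if cert["issuer"] != certs[i + 1].get("subject"):
                findings.append((label, "issuer does not match next subject"))
        elif cert["issuer"] != cert["subject"]:
            findings.append((label, "chain does not end at a self-signed root"))
    return findings


if __name__ == "__main__":
    for name, chain in parse_trustpoints(SAMPLE).items():
        print(name, check_chain(chain, datetime.now(timezone.utc)))
```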
Examples
This example shows how to display configured trustpoint certificates:
switch# show crypto ca certificates
Trustpoint: admin-ca
certificate:
subject= /CN=switch160
issuer= /C=US/O=cisco/CN=Aparna CA2
serial=6CDB2D9E000100000006
notBefore=Jun 9 10:51:45 2005 GMT
notAfter=May 3 23:10:36 2006 GMT
MD5 Fingerprint=0A:22:DC:A3:07:2A:9F:9A:C2:2C:BA:96:EC:D8:0A:95
purposes: sslserver sslclient ike
CA certificate 0:
subject= /C=US/O=cisco/CN=Aparna CA2
issuer= /emailAddress=amandke@cisco.com/C=IN/ST=Maharashtra/L=Pune/O=cisco/OU=netstorage/CN=Aparna CA1
serial=14A3A877000000000005
notBefore=May 5 18:43:36 2005 GMT
notAfter=May 3 23:10:36 2006 GMT
MD5 Fingerprint=32:50:26:9B:16:B1:40:A5:D0:09:53:0A:98:6C:14:CC
purposes: sslserver sslclient ike
CA certificate 1:
subject= /emailAddress=amandke@cisco.com/C=IN/ST=Maharashtra/L=Pune/O=cisco/OU=netstorage/CN=Aparna CA1
issuer= /emailAddress=amandke@cisco.com/C=IN/ST=Karnataka/L=Bangalore/O=Cisco/OU=netstorage/CN=Aparna CA
serial=611B09A1000000000002
notBefore=May 3 23:00:36 2005 GMT
notAfter=May 3 23:10:36 2006 GMT
MD5 Fingerprint=65:CE:DA:75:0A:AD:B2:ED:69:93:EF:5B:58:D4:E7:AD
purposes: sslserver sslclient ike
CA certificate 2:
subject= /emailAddress=amandke@cisco.com/C=IN/ST=Karnataka/L=Bangalore/O=Cisco/OU=netstorage/CN=Aparna CA
issuer= /emailAddress=amandke@cisco.com/C=IN/ST=Karnataka/L=Bangalore/O=Cisco/OU=netstorage/CN=Aparna CA
serial=0560D289ACB419944F4912258CAD197A
notBefore=May 3 22:46:37 2005 GMT
notAfter=May 3 22:55:17 2007 GMT
MD5 Fingerprint=65:84:9A:27:D5:71:03:33:9C:12:23:92:38:6F:78:12
purposes: sslserver sslclient ike
Related Commands
Command                   Description
crypto ca authenticate    Authenticates the certificate of the CA.
show ca trustpoints       Displays trustpoint configurations.
show crypto ca certstore
To display the cert-store configuration, use the show crypto ca certstore command.
show crypto ca certstore
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the cert-store configuration:
switch# show crypto ca certstore
Certstore lookup: REMOTE
Related Commands
Command                            Description
crypto ca lookup                   Specifies the cert-store to be used for certificate authentication.
show crypto ca remote-certstore    Displays the remote cert-store configuration.
show crypto ca crl
To display configured certificate revocation lists (CRLs), use the show crypto ca crl command.
show crypto ca crl trustpoint-label
Syntax Description
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
Use this command to list the serial numbers of the revoked certificates in the CRL of the specified trustpoint.
This command does not require a license.
Examples
This example shows how to display a configured CRL:
switch# show crypto ca crl admin-ca
Trustpoint: admin-ca
CRL:
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /emailAddress=rviyyoka@cisco.com/C=IN/ST=Kar/L=Bangalore/O=CiscoSystems/OU=1/CN=cisco-blr
Last Update: Sep 22 07:05:23 2005 GMT
Next Update: Sep 29 19:25:23 2005 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:CF:72:E1:FE:14:60:14:6E:B0:FA:8D:87:18:6B:E8:5F:70:69:05:3F
1.3.6.1.4.1.311.21.1:
...
Revoked Certificates:
Serial Number: 1E0AE838000000000002
Revocation Date: Mar 15 09:12:36 2005 GMT
Serial Number: 1E0AE9AB000000000003
Revocation Date: Mar 15 09:12:45 2005 GMT
Serial Number: 1E721E50000000000004
Revocation Date: Apr 5 11:04:20 2005 GMT
Serial Number: 3D26E445000000000005
Revocation Date: Apr 5 11:04:16 2005 GMT
Serial Number: 3D28F8DF000000000006
Revocation Date: Apr 5 11:04:12 2005 GMT
Serial Number: 3D2C6EF3000000000007
Revocation Date: Apr 5 11:04:09 2005 GMT
Serial Number: 3D4D7DDC000000000008
Revocation Date: Apr 5 11:04:05 2005 GMT
Serial Number: 5BF1FE87000000000009
Revocation Date: Apr 5 11:04:01 2005 GMT
Serial Number: 5BF22FB300000000000A
Revocation Date: Apr 5 11:03:45 2005 GMT
Serial Number: 5BFA4A4900000000000B
Revocation Date: Apr 5 11:03:42 2005 GMT
Serial Number: 5C0BC22500000000000C
Revocation Date: Apr 5 11:03:39 2005 GMT
Serial Number: 5C0DA95E00000000000D
Revocation Date: Apr 5 11:03:35 2005 GMT
Serial Number: 5C13776900000000000E
Revocation Date: Apr 5 11:03:31 2005 GMT
Serial Number: 4864FD5A00000000000F
Revocation Date: Apr 5 11:03:28 2005 GMT
Serial Number: 48642E2E000000000010
Revocation Date: Apr 5 11:03:24 2005 GMT
Serial Number: 486D4230000000000011
Revocation Date: Apr 5 11:03:20 2005 GMT
Serial Number: 7FCB75B9000000000012
Revocation Date: Apr 5 10:39:12 2005 GMT
Serial Number: 1A7519000000000013
Revocation Date: Apr 5 10:38:52 2005 GMT
Serial Number: 20F1B0000000000014
Revocation Date: Apr 5 10:38:38 2005 GMT
Serial Number: 436E43A9000000000023
Revocation Date: Sep 9 09:01:23 2005 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Cessation Of Operation
Serial Number: 152D3C5E000000000047
Revocation Date: Sep 22 07:12:41 2005 GMT
Serial Number: 1533AD7F000000000048
Revocation Date: Sep 22 07:13:11 2005 GMT
Serial Number: 1F9EB8EA00000000006D
Revocation Date: Jul 19 09:58:45 2005 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Cessation Of Operation
Serial Number: 1FCA9DC600000000006E
Revocation Date: Jul 19 10:17:34 2005 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Cessation Of Operation
Serial Number: 2F1B5E2E000000000072
Revocation Date: Jul 22 09:41:21 2005 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Cessation Of Operation
Signature Algorithm: sha1WithRSAEncryption
4e:3b:4e:7a:55:6b:f2:ec:72:29:70:16:2a:fd:d9:9a:9b:12:f9:cd:dd:20:cc:e0:89:30:3b:4f:00:4b:88:03:2d:80:4e:22:9f:46:a5:41:25:f4:a5:26:b7:b6:db:27:a9:64:67:b9:c0:88:30:37:cf:74:57:7a:45:5f:5e:d0
Related Commands
Command                  Description
crypto ca crl request    Configures a CRL or overwrites the existing one for the trustpoint CA.
show crypto ca remote-certstore
To display the remote cert-store configuration, use the show crypto ca remote-certstore command.
show crypto ca remote-certstore
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the remote cert-store configuration:
switch# show crypto ca remote-certstore
Remote Certstore: NONE
Related Commands
Command                     Description
crypto ca lookup            Specifies the cert-store to be used for certificate authentication.
show crypto ca certstore    Displays the configured cert-store.
show crypto ca trustpoints
To display trustpoint configurations, use the show crypto ca trustpoints command.
show crypto ca trustpoints
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display configured trustpoints:
switch# show crypto ca trustpoints
trustpoint: CAname; key:
revokation methods: crl
Related Commands
show crypto certificatemap
To display the certificate mapping filters, use the show crypto certificatemap command.
show crypto certificatemap
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the certificate mapping filters:
switch# show crypto certificatemap
Related Commands
Command                          Description
crypto certificatemap mapname    Creates a filter map.
filter                           Configures one or more certificate mapping filters within the filter map.
show crypto key mypubkey rsa
To display the RSA public key configurations, use the show crypto key mypubkey rsa command.
show crypto key mypubkey rsa
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display RSA public key configurations:
switch# show crypto key mypubkey rsa
key label: myrsakey size: 512
exportable: yes
Related Commands
Command Description
crypto ca enroll
Requests certificates for the switch's RSA key pair.
crypto key generate rsa
Generates an RSA key pair.
rsakeypair
Configures trustpoint RSA key pair details.
show crypto ssh-auth-map
To display the mapping filters configured for SSH authentication, use the show crypto ssh-auth-map command.
show crypto ssh-auth-map
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the mapping filters configured for SSH authentication:
switch# show crypto ssh-auth-map
Default Map : filtermap1
Related Commands
show cts
To display the global Cisco TrustSec configuration, use the show cts command.
show cts
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to display the Cisco TrustSec global configuration:
switch# show cts
CTS Global Configuration
==============================
CTS support : enabled
CTS device identity : Device1
CTS caching support : disabled
Number of CTS interfaces in
DOT1X mode : 0
Manual mode : 0
Related Commands
show cts credentials
To display the Cisco TrustSec device credentials configuration, use the show cts credentials command.
show cts credentials
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to display the Cisco TrustSec credentials configuration:
switch# show cts credentials
CTS password is defined in keystore, device-id = Device1
Related Commands
show cts environment-data
To display the global Cisco TrustSec environment data, use the show cts environment-data command.
show cts environment-data
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
The Cisco NX-OS device downloads the Cisco TrustSec environment data from the ACS after you have configured the Cisco TrustSec credentials for the device and configured authentication, authorization, and accounting (AAA).
This command requires the Advanced Services license.
Examples
This example shows how to display the Cisco TrustSec environment data:
switch# show cts environment-data
CTS Environment Data
==============================
Current State : CTS_ENV_DNLD_ST_ENV_DOWNLOAD_DONE
Last Status : CTS_ENV_SUCCESS
Local Device SGT : 0x0002
Transport Type : CTS_ENV_TRANSPORT_DIRECT
Data loaded from cache : FALSE
Env Data Lifetime : 300 seconds after last update
Last Update Time : Sat Jan 5 16:29:52 2008
Server List : ACSServerList1
AID:74656d706f72617279 IP:10.64.65.95 Port:1812
Related Commands
show cts interface
To display the Cisco TrustSec information for interfaces, use the show cts interface command.
show cts interface {all | ethernet slot/port}
Syntax Description
all
Displays Cisco TrustSec information for all interfaces.
interface slot/port
Displays Cisco TrustSec information for the specific interface.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to display the Cisco TrustSec configuration for all interfaces:
switch# show cts interface all
CTS Information for Interface Ethernet2/24:
CTS is enabled, mode: CTS_MODE_DOT1X
IFC state: CTS_IFC_ST_CTS_OPEN_STATE
Authentication Status: CTS_AUTHC_SUCCESS
Peer Identity: india1
Peer is: CTS Capable
802.1X role: CTS_ROLE_AUTH
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_SUCCESS
PEER SGT: 2
Peer SGT assignment: Trusted
Global policy fallback access list:
SAP Status: CTS_SAP_SUCCESS
Configured pairwise ciphers: GCM_ENCRYPT
Replay protection: Enabled
Replay protection mode: Strict
Selected cipher: GCM_ENCRYPT
Current receive SPI: sci:1b54c1fbff0000 an:0
Current transmit SPI: sci:1b54c1fc000000 an:0
CTS Information for Interface Ethernet2/25:
CTS is enabled, mode: CTS_MODE_DOT1X
IFC state: CTS_IFC_ST_CTS_OPEN_STATE
Authentication Status: CTS_AUTHC_SUCCESS
Peer Identity: india1
Peer is: CTS Capable
802.1X role: CTS_ROLE_SUP
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_SUCCESS
PEER SGT: 2
Peer SGT assignment: Trusted
Global policy fallback access list:
SAP Status: CTS_SAP_SUCCESS
Configured pairwise ciphers: GCM_ENCRYPT
Replay protection: Enabled
Replay protection mode: Strict
Selected cipher: GCM_ENCRYPT
Current receive SPI: sci:1b54c1fc000000 an:0
Current transmit SPI: sci:1b54c1fbff0000 an:0
This example shows how to display the Cisco TrustSec configuration for a specific interface:
switch# show cts interface ethernet 2/24
CTS Information for Interface Ethernet2/24:
CTS is enabled, mode: CTS_MODE_DOT1X
IFC state: CTS_IFC_ST_CTS_OPEN_STATE
Authentication Status: CTS_AUTHC_SUCCESS
Peer Identity: india1
Peer is: CTS Capable
802.1X role: CTS_ROLE_AUTH
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_SUCCESS
PEER SGT: 2
Peer SGT assignment: Trusted
Global policy fallback access list:
SAP Status: CTS_SAP_SUCCESS
Configured pairwise ciphers: GCM_ENCRYPT
Replay protection: Enabled
Replay protection mode: Strict
Selected cipher: GCM_ENCRYPT
Current receive SPI: sci:1b54c1fbff0000 an:0
Current transmit SPI: sci:1b54c1fc000000 an:0
Table 1 provides information about the values displayed in the show cts interface command output.
Related Commands
show cts pacs
To display the Cisco TrustSec protected access credentials (PACs) provisioned by EAP-FAST, use the show cts pacs command.
show cts pacs
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to display the Cisco TrustSec PACs:
switch# show cts pacs
PAC Info :
==============================
PAC Type : unknown
AID : 74656d706f72617279
I-ID : india1
AID Info : ACS Info
Credential Lifetime : Thu Apr 3 00:36:04 2008
PAC Opaque : 0002008300020004000974656d706f7261727900060070000101001d6321a2a55fa81e05cd705c714bea116907503aab89490b07fcbb2bd455b8d873f21b5b6b403eb1d8125897d93b94669745cfe1abb0baf01a00b77aacf0bda9fbaf7dcd54528b782d8206a7751afdde421ff4a3db6a349c652fea81809fba4f30b1fffb7bfffaf9a6608
Related Commands
show cts role-based access-list
To display the global Cisco TrustSec security group access control list (SGACL) configuration, use the show cts role-based access-list command.
show cts role-based access-list [list-name]
Syntax Description
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to display the Cisco TrustSec SGACL configuration:
switch# show cts role-based access-list
rbacl:test-3
deny ip
rbacl:test-1
deny ip
deny icmp
deny tcp src eq 1000 dest eq 2000
deny udp src range 1000 2000
rbacl:test-2
permit icmp
permit igmp
permit tcp src lt 2000
permit udp dest gt 4000
Related Commands
show cts role-based counters
To display the configuration status of role-based access control list (RBACL) statistics and list the statistics for all RBACL policies, use the show cts role-based counters command.
show cts role-based counters [sgt {sgt-value | any | unknown}] [dgt {dgt-value | any | unknown}]
Syntax Description
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to display the configuration status of RBACL statistics and the total number of packets that match RBACL policies for a specific SGT and DGT:
switch# show cts role-based counters sgt 10 dgt 20
RBACL policy counters enabled
sgt: 10 dgt: 20 [180]
rbacl test1:
deny tcp src eq 1111 dest eq 2222 [75]
deny tcp src eq 2222 dest eq 3333 [25]
rbacl test2:
deny udp src eq 1111 dest eq 2222 [30]
deny udp src eq 2222 dest eq 3333 [50]
Related Commands
Command Description
clear cts role-based counters
Clears the RBACL statistics so that all counters are reset to 0.
cts role-based counters enable
Enables the RBACL statistics.
show cts role-based enable
To display the Cisco TrustSec security group access control list (SGACL) enable status for VLANs and Virtual Routing and Forwarding instances (VRFs), use the show cts role-based enable command.
show cts role-based enable
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to display the Cisco TrustSec SGACL enforcement status:
switch# show cts role-based enable
vlan:1
vrf:1
vrf:3
Related Commands
show cts role-based policy
To display the global Cisco TrustSec security group access control list (SGACL) policies, use the show cts role-based policy command.
show cts role-based policy
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to display the Cisco TrustSec SGACL policies:
switch# show cts role-based policy
sgt:unknown
dgt:unknown rbacl:test-2
permit icmp
permit igmp
permit tcp src lt 2000
permit udp dest gt 4000
sgt:1000
dgt:2000 rbacl:test-1
deny ip
deny icmp
deny tcp src eq 1000 dest eq 2000
deny udp src range 1000 2000
sgt:any
dgt:any rbacl:test-3
deny ip
Related Commands
show cts role-based sgt-map
To display the global Cisco TrustSec Security Group Tag (SGT) mapping configuration, use the show cts role-based sgt-map command.
show cts role-based sgt-map
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to display the Cisco TrustSec SGT mapping configuration:
switch# show cts role-based sgt-map
IP ADDRESS      SGT     VRF/VLAN        SGT CONFIGURATION
5.5.5.5         5       vlan:10         CLI Configured
5.5.5.6         6       vlan:10         CLI Configured
5.5.5.7         7       vlan:10         CLI Configured
5.5.5.8         8       vlan:10         CLI Configured
10.10.10.10     10      vrf:3           CLI Configured
10.10.10.20     20      vrf:3           CLI Configured
10.10.10.30     30      vrf:3           CLI Configured
Related Commands
show cts sxp
To display the Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP) configuration, use the show cts sxp command.
show cts sxp
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to display the Cisco TrustSec SXP configuration:
switch# show cts sxp
CTS SXP Configuration:
SXP enabled
SXP retry timeout:60
SXP reconcile timeout:120
Related Commands
show cts sxp connection
To display the Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP) connections information, use the show cts sxp connection command.
show cts sxp connection
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to display the Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP) connections information:
switch# show cts sxp connection
PEER_IP_ADDR    VRF        PEER_SXP_MODE    SELF_SXP_MODE    CONNECTION STATE
10.10.3.3       default    listener         speaker          initializing
Related Commands
show dot1x
To display the 802.1X feature status, use the show dot1x command.
show dot1x
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You must enable the 802.1X feature by using the feature dot1x command before using this command.
This command does not require a license.
Examples
This example shows how to display the 802.1X feature status:
switch# show dot1x
Sysauthcontrol Enabled
Dot1x Protocol Version 2
Related Commands
show dot1x all
To display all 802.1X feature status and configuration information, use the show dot1x all command.
show dot1x all [details | statistics | summary]
Syntax Description
details
(Optional) Displays detailed information about the 802.1X configuration.
statistics
(Optional) Displays 802.1X statistics.
summary
(Optional) Displays a summary of 802.1X information.
Defaults
Displays global and interface 802.1X configuration.
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
vdc-operator
Command History
Usage Guidelines
You must enable the 802.1X feature by using the feature dot1x command before using this command.
This command does not require a license.
Examples
This example shows how to display all 802.1X feature status and configuration information:
switch# show dot1x all
Sysauthcontrol Enabled
Dot1x Protocol Version 2
Dot1x Info for Ethernet2/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = FORCE_AUTH
HostMode = SINGLE HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Related Commands
show dot1x interface ethernet
To display the 802.1X feature status and configuration information for an Ethernet interface, use the show dot1x interface ethernet command.
show dot1x interface ethernet slot/port [details | statistics | summary]
Syntax Description
Defaults
Displays the interface 802.1X configuration.
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You must enable the 802.1X feature by using the feature dot1x command before using this command.
This command does not require a license.
Examples
This example shows how to display the 802.1X feature status and configuration information for an Ethernet interface:
switch# show dot1x interface ethernet 2/1
Dot1x Info for Ethernet2/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = FORCE_AUTH
HostMode = SINGLE HOST
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Related Commands
show encryption service stat
To display the status of the encryption service, use the show encryption service stat command.
show encryption service stat
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the status of the encryption service:
switch# show encryption service stat
Encryption service is enabled
Master Encryption Key is configured.
Type-6 encryption is being used
switch#
Related Commands
show eou
To display Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) status and configuration information, use the show eou command.
show eou [all | authentication {clientless | eap | static} | interface ethernet slot/port | ip-address ipv4-address | mac-address mac-address | posturetoken [name]]
Syntax Description
Defaults
Displays the global EAPoUDP configuration.
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
vdc-operator
Command History
Usage Guidelines
You must enable the 802.1X feature by using the feature eou command before using this command.
This command does not require a license.
Examples
This example shows how to display all 802.1X feature status and configuration information:
switch# show eou all
This example shows how to display 802.1X clientless authentication information:
switch# show eou authentication clientless
This example shows how to display 802.1X EAP authentication information:
switch# show eou authentication eap
This example shows how to display 802.1X static authentication information:
switch# show eou interface ethernet 2/1
This example shows how to display 802.1X information for an Ethernet interface:
switch# show eou ip-address 10.10.10.1
This example shows how to display 802.1X information for a MAC address:
switch# show eou mac-address 0019.076c.dac4
This example shows how to display 802.1X information for a MAC address:
switch# show eou posturetoken healthy
Related Commands
show fips status
To display the status of Federal Information Processing Standards (FIPS) mode, use the show fips status command.
show fips status
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the status of FIPS mode:
switch# show fips status
FIPS mode is disabled
Related Commands
show hardware access-list resource pooling
To display information about which I/O modules are configured with the hardware access-list resource pooling command, use the show hardware access-list resource pooling command.
show hardware access-list resource pooling
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
If no I/O modules are configured with the hardware access-list resource pooling command, the show hardware access-list resource pooling command has no output.
Examples
This example shows how to display the I/O modules that are configured with the hardware access-list resource pooling command:
switch# show hardware access-list resource pooling
Module 1 enabled
Module 3 enabled
switch#
Related Commands
Command Description
hardware access-list resource pooling
Allows ACL-based features to use more than one TCAM bank on one or more I/O modules.
show hardware access-list status module
To display the access control list (ACL) capture configuration, use the show hardware access-list status module command.
show hardware access-list status module slot
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the access control list (ACL) capture configuration:
switch(config)# show hardware access-list status module 5
Non-Atomic ACL updates Disabled.
TCAM Default Result is Deny.
Resource-pooling: Disabled
switch(config)#
Related Commands
Command Description
hardware access-list capture
Enables access control list (ACL) capture on all virtual device contexts (VDCs).
show hardware rate-limiter
To display rate limit configuration and statistics, use the show hardware rate-limiter command.
show hardware rate-limiter {access-list-log [module module] | copy [module module] | f1 {rl-1 [module module] | rl-2 [module module] | rl-3 [module module] | rl-4 [module module] | rl-5 [module module]} | layer-2 {l2pt [module module] | mcast-snooping [module module] | port-security [module module] | storm-control [module module] | vpc-low [module module]} | layer-3 {control [module module] | glean [module module] | mtu [module module] | multicast {directly-connect [module module] | local-groups [module module] | rpf-leak [module module]} | ttl [module module]} | module module | receive [module module]}
Syntax Description
Defaults
Displays all rate-limit statistics.
Command Modes
Any command mode
Supported User Roles
network-admin
Command History
Release Modification
5.1(1)
Added the f1, rl-1, rl-2, rl-3, rl-4, rl-5, and module keywords.
5.0(2)
Added the l2pt keyword.
4.0(3)
Added the port-security keyword.
4.0(1)
This command was introduced.
Usage Guidelines
You can use the command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to display all the rate-limit configuration and statistics:
switch# show hardware rate-limiter
Units for Config: packets per second
Allowed, Dropped & Total: aggregated since last clear counters
Rate Limiter Class Parameters
------------------------------------------------------------
layer-3 mtu Config : 500
Allowed : 0
Dropped : 0
Total : 0
layer-3 ttl Config : 500
Allowed : 0
Dropped : 0
Total : 0
layer-3 control Config : 10000
Allowed : 0
Dropped : 0
Total : 0
layer-3 glean Config : 100
Allowed : 0
Dropped : 0
Total : 0
layer-3 multicast directly-connected Config : 3000
Allowed : 0
Dropped : 0
Total : 0
layer-3 multicast local-groups Config : 3000
Allowed : 0
Dropped : 0
Total : 0
layer-3 multicast rpf-leak Config : 500
Allowed : 0
Dropped : 0
Total : 0
layer-2 storm-control Config : Disabled
access-list-log Config : 100
Allowed : 0
Dropped : 0
Total : 0
copy Config : 30000
Allowed : 0
Dropped : 0
Total : 0
receive Config : 30000
Allowed : 0
Dropped : 0
Total : 0
layer-2 port-security Config : Disabled
layer-2 mcast-snooping Config : 10000
Allowed : 0
Dropped : 0
Total : 0
layer-2 vpc-low Config : 4000
Allowed : 0
Dropped : 0
Total : 0
layer-2 l2pt Config : 500
Allowed : 0
Dropped : 0
Total : 0
This example shows how to display the rate-limit configuration and statistics for access-list log packets:
switch# show hardware rate-limiter access-list-log
Units for Config: packets per second
Allowed, Dropped & Total: aggregated since last clear counters
Rate Limiter Class Parameters
------------------------------------------------------------
access-list-log Config : 100
Allowed : 0
Dropped : 0
Total : 0
Related Commands
Command Description
clear hardware rate-limiter
Clears rate-limit statistics.
hardware rate-limiter
Configures rate limits.
show identity policy
To display the identity policies, use the show identity policy command.
show identity policy [policy-name]
Syntax Description
Defaults
Displays information for all identity policies.
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
VDC user
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display information for all of the identity policies:
switch# show identity policy
This example shows how to display information for a specific identity policy:
switch# show identity policy AdminPolicy
Related Commands
show identity profile
To display the identity profiles, use the show identity profile command.
show identity profile [eapoudp]
Syntax Description
eapoudp
(Optional) Displays the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) identity profile.
Defaults
Displays information for all identity profiles.
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
VDC user
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the identity profiles:
switch# show identity profile
This example shows how to display the EAPoUDP identity profile configuration:
switch# show identity profile eapoudp
Related Commands
show ip access-lists
To display all IPv4 access control lists (ACLs) or a specific IPv4 ACL, use the show ip access-lists command.
show ip access-lists [access-list-name] [expanded | summary]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Release Modification
4.2(1)
Command output is sorted alphabetically by the ACL names.
Support was added for the fragments command.
4.0(1)
This command was introduced.
Usage Guidelines
The device shows all IPv4 ACLs, unless you use the access-list-name argument to specify an ACL.
If you do not specify an ACL name, the device lists ACLs alphabetically by the ACL names.
IPv4 address object groups and IP port object groups show only by name, unless you use the expanded keyword.
The expanded keyword allows you to display the details of object groups used in an ACL rather than only the name of the object groups. For more information about object groups, see the object-group ip address and object-group ip port commands.
The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following:
• Whether per-entry statistics are configured for the ACL.
• Whether the fragments command is configured for the ACL.
• The number of rules in the ACL configuration. This number does not reflect how many entries the ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules.
• The interfaces that the ACL is applied to.
• The interfaces that the ACL is active on.
The show ip access-lists command displays statistics for each entry in an ACL if the following conditions are both true:
• The ACL configuration contains the statistics per-entry command.
• The ACL is applied to an interface that is administratively up.
If an IP ACL includes the fragments command, it appears before the explicit permit and deny rules, but the device applies the fragments command to noninitial fragments only if they do not match all other explicit rules in the ACL.
This command does not require a license.
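The following Python parser is an added example, not Cisco's code. It reads show ip access-lists output in the format used in this command's examples, sums the per-entry counters by rule sequence number (so an object-group rule that appears as several entries in expanded output is counted once), and flags rules whose counter is hidden behind an object group. The sample text is constructed from this page's example output; the function names and finding labels are assumptions of the example, and the portgroup keyword it also checks is the NX-OS keyword for IP port object groups, which this page does not show.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, copied from the example outputs on this page.
PLAIN = """\
switch# show ip access-lists
IP access list ipv4-RandD-outbound-web
statistics per-entry
fragments deny-all
1000 permit ahp any any [match=732]
1005 permit tcp addrgroup MainLab any eq telnet
1010 permit tcp any any eq www [match=820421]
IP access list ipv4-open-filter
10 permit ip any any
"""
EXPANDED = """\
switch# show ip access-lists ipv4-RandD-outbound-web expanded
IP access list ipv4-RandD-outbound-web
statistics per-entry
1000 permit ahp any any [match=732]
1005 permit tcp 10.52.34.4/32 any eq telnet [match=5032]
1005 permit tcp 10.52.34.27/32 any eq telnet [match=433]
1010 permit tcp any any eq www [match=820421]
"""

HEADER = "IP access list "
# <seq> <permit|deny> <rule body> [match=<n>]   (the counter is optional)
ENTRY = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<body>.*?)"
    r"(?:\s+\[match=(?P<match>\d+)\])?$"
)


def parse_acls(text):
    """Parse 'show ip access-lists' text into {acl_name: acl_dict}."""
    acls, acl = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(HEADER):
            acl = {"statistics": False, "fragments": None, "entries": []}
            acls[line[len(HEADER):]] = acl
        elif acl is None:
            continue  # prompt or blank line before the first ACL header
        elif line == "statistics per-entry":
            acl["statistics"] = True
        elif line.startswith("fragments "):
            acl["fragments"] = line.split(None, 1)[1]
        else:
            m = ENTRY.match(line)
            if m:
                count = m.group("match")
                acl["entries"].append({
                    "seq": int(m.group("seq")),
                    "action": m.group("action"),
                    "body": m.group("body"),
                    "match": int(count) if count is not None else None,
                })
    return acls


def rule_totals(acl):
    """Sum counters per sequence number: an object-group rule shows up as
    several entries with the same number in 'expanded' output."""
    totals = defaultdict(int)
    for entry in acl["entries"]:
        if entry["match"] is not None:
            totals[entry["seq"]] += entry["match"]
    return dict(totals)


def audit(acl):
    """Return (sequence number, finding) pairs for one parsed ACL."""
    findings = []
    per_seq = Counter(entry["seq"] for entry in acl["entries"])
    for seq, n in sorted(per_seq.items()):
        if n > 1:
            findings.append((seq, f"one rule, {n} expanded entries"))
    for entry in acl["entries"]:
        tokens = entry["body"].split()
        # addrgroup appears in this page's output; portgroup is assumed (NX-OS keyword).
        if entry["match"] is None and acl["statistics"] and (
                "addrgroup" in tokens or "portgroup" in tokens):
            findings.append((entry["seq"], "counter hidden by object group"))
        if entry["action"] == "permit" and tokens == ["ip", "any", "any"]:
            findings.append((entry["seq"], "permits all IPv4 traffic"))
    return findings


if __name__ == "__main__":
    for label, text in (("plain", PLAIN), ("expanded", EXPANDED)):
        for name, acl in parse_acls(text).items():
            print(label, name, rule_totals(acl), audit(acl))
```

Run against saved command output, the per-rule totals make it easy to spot rules that never match and object-group rules whose traffic is only visible with the expanded keyword.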
Examples
This example shows how to use the show ip access-lists command to display all IPv4 ACLs on a device that has a single IPv4 ACL:
switch# show ip access-lists
IP access list ipv4-open-filter
10 permit ip any any
This example shows how to use the show ip access-lists command to display an IPv4 ACL named ipv4-RandD-outbound-web, including per-entry statistics for the entries except for the MainLab object group:
switch# show ip access-lists ipv4-RandD-outbound-web
IP access list ipv4-RandD-outbound-web
statistics per-entry
fragments deny-all
1000 permit ahp any any [match=732]
1005 permit tcp addrgroup MainLab any eq telnet
1010 permit tcp any any eq www [match=820421]
This example shows how to use the show ip access-lists command to display an IPv4 ACL named ipv4-RandD-outbound-web. The expanded keyword causes the contents of the object group from the previous example to appear, including the per-entry statistics:
switch# show ip access-lists ipv4-RandD-outbound-web expanded
IP access list ipv4-RandD-outbound-web
statistics per-entry
1000 permit ahp any any [match=732]
1005 permit tcp 10.52.34.4/32 any eq telnet [match=5032]
1005 permit tcp 10.52.34.27/32 any eq telnet [match=433]
1010 permit tcp any any eq www [match=820421]
This example shows how to use the show ip access-lists command with the summary keyword to display information about an IPv4 ACL named ipv4-RandD-outbound-web, such as which interfaces the ACL is applied to and active on:
switch# show ip access-lists ipv4-RandD-outbound-web summary
IPV4 ACL ipv4-RandD-outbound-web
Statistics enabled
Total ACEs Configured: 4
Configured on interfaces:
Ethernet2/4 - ingress (Router ACL)
Active on interfaces:
Ethernet2/4 - ingress (Router ACL)
Related Commands
show ip access-lists capture session
To display the ACL capture session configuration, use the show ip access-lists capture session command.
show ip access-lists capture session session
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the ACL capture session configuration:
switch# show ip access-lists capture session 5
switch#
Related Commands
Command Description
monitor session session type acl-capture
Configures an ACL capture session.
destination interface
Configures a destination for ACL capture packets.
show ip arp inspection
To display the Dynamic ARP Inspection (DAI) configuration status, use the show ip arp inspection command.
show ip arp inspection
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the status of the DAI configuration:
switch# show ip arp inspection
Source Mac Validation : Enabled
Destination Mac Validation : Enabled
IP Address Validation : Enabled
Vlan : 1
-----------
Configuration : Enabled
Operation State : Active
ARP Req Forwarded = 0
ARP Res Forwarded = 0
ARP Req Dropped = 0
ARP Res Dropped = 0
DHCP Drops = 0
DHCP Permits = 0
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req = 0
IP Fails-ARP Res = 0
Related Commands
show ip arp inspection interface
To display the trust state for the specified interface, use the show ip arp inspection interface command.
show ip arp inspection interface {ethernet slot/port | port-channel channel-number}
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the trust state for a trusted interface:
switch# show ip arp inspection interface ethernet 2/1
Interface        Trust State
-------------    -----------
Ethernet2/46     Trusted
switch#
Related Commands
show ip arp inspection log
To display the Dynamic ARP Inspection (DAI) log configuration, use the show ip arp inspection log command.
show ip arp inspection log
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the DAI log configuration:
switch# show ip arp inspection log
Syslog Buffer Size : 32
Syslog Rate : 5 entries per 1 seconds
switch#
Related Commands
show ip arp inspection statistics
Use the show ip arp inspection statistics command to display the Dynamic ARP Inspection (DAI) statistics. You can specify a VLAN or range of VLANs.
show ip arp inspection statistics [vlan vlan-list]
Syntax Description
vlan vlan-list
(Optional) Specifies the list of VLANs for which to display DAI statistics. Valid VLAN IDs are from 1 to 4096.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the DAI statistics for VLAN 1:
switch# show ip arp inspection statistics vlan 1
Vlan : 1
-----------
ARP Req Forwarded = 0
ARP Res Forwarded = 0
ARP Req Dropped = 0
ARP Res Dropped = 0
DHCP Drops = 0
DHCP Permits = 0
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req = 0
IP Fails-ARP Res = 0
switch#
Related Commands
show ip arp inspection vlan
Use the show ip arp inspection vlan command to display Dynamic ARP Inspection (DAI) status for the specified list of VLANs.
show ip arp inspection vlan vlan-list
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Examples
This example shows how to display DAI status for VLANs 1 and 13:
switch# show ip arp inspection vlan 1,13
Source Mac Validation : Enabled
Destination Mac Validation : Enabled
IP Address Validation : Enabled
Vlan : 1
-----------
Configuration : Enabled
Operation State : Active
Vlan : 13
-----------
Configuration : Enabled
Operation State : Inactive
switch#
Related Commands
show ip device tracking
To display IP device tracking information, use the show ip device tracking command.
show ip device tracking {all | interface ethernet slot/port | ip-address ipv4-address | mac-address mac-address}
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
VDC user
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display all IP device tracking information:
switch# show ip device tracking all
This example shows how to display the IP device tracking information for an interface:
switch# show ip device tracking ethernet 1/2
This example shows how to display the IP device tracking information for an IP address:
switch# show ip device tracking ip-address 10.10.1.1
This example shows how to display the IP device tracking information for a MAC address:
switch# show ip device tracking mac-address 0018.bad8.3fbd
Related Commands
show ip dhcp relay
To display DHCP snooping relay status, including DHCP server addresses configured on interfaces, use the show ip dhcp relay command.
show ip dhcp relay
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the DHCP relay status and configured DHCP server addresses:
switch# show ip dhcp relay
DHCP relay service is enabled
Insertion of option 82 is enabled
Insertion of VPN suboptions is enabled
Helper addresses are configured on the following interfaces:
Interface     Relay Address VRF Name
------------- ------------- --------
Ethernet1/4   10.10.10.1    red
switch#
Related Commands
show ip dhcp relay address
To display DHCP server addresses configured on the device, use the show ip dhcp relay address command.
show ip dhcp relay address [interface {ethernet list | port-channel list}]
show ip dhcp relay address [interface interface-list]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Release    Modification
5.0(2)     Support was added for the interface keyword and for VRF awareness.
4.2(1)     This command was introduced.
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display all the DHCP relay addresses configured on a device:
switch# show ip dhcp relay address
Interface     Relay Address VRF Name
------------- ------------- --------
Ethernet1/2   10.1.1.1
Ethernet1/3   10.1.1.1      red
Ethernet1/4   10.1.1.1      red
Ethernet1/5   10.1.1.1      red
Ethernet1/6   10.1.1.1      red
Ethernet1/7   10.1.1.1      red
Ethernet1/8   10.1.1.1      red
switch#
This example shows how to display the DHCP relay addresses configured on Ethernet interfaces 1/2 through 1/4 and Ethernet 1/8:
switch(config-if)# show ip dhcp relay address interface ethernet 1/2-4,ethernet 1/8
Interface     Relay Address VRF Name
------------- ------------- --------
Ethernet1/2   10.1.1.1
Ethernet1/3   10.1.1.1      red
Ethernet1/4   10.1.1.1      red
Ethernet1/8   10.1.1.1      red
Related Commands
show ip dhcp snooping
To display general status information for DHCP snooping, use the show ip dhcp snooping command.
show ip dhcp snooping
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display general status information about DHCP snooping:
switch# show ip dhcp snooping
DHCP snooping service is enabled
Switch DHCP snooping is enabled
DHCP snooping is configured on the following VLANs:
1,13
DHCP snooping is operational on the following VLANs:
1
Insertion of Option 82 is disabled
Verification of MAC address is enabled
DHCP snooping trust is configured on the following interfaces:
Interface    Trusted
------------ -------
Ethernet2/3  Yes
switch#
Related Commands
show ip dhcp snooping binding
To display IP-to-MAC address bindings for all interfaces or a specific interface, use the show ip dhcp snooping binding command. It includes static IP source entries. Static entries appear with the term "static" in the Type column.
show ip dhcp snooping binding [IP-address] [MAC-address] [interface ethernet slot/port] [vlan vlan-id]
show ip dhcp snooping binding [dynamic]
show ip dhcp snooping binding [static]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display all bindings:
switch# show ip dhcp snooping binding
MacAddress        IpAddress       LeaseSec Type       VLAN Interface
----------------- --------------- -------- ---------- ---- -------------
0f:00:60:b3:23:33 10.3.2.2        infinite static     13   Ethernet2/46
0f:00:60:b3:23:35 10.2.2.2        infinite static     100  Ethernet2/10
switch#
Related Commands
show ip dhcp snooping statistics
To display DHCP snooping statistics, use the show ip dhcp snooping statistics command.
show ip dhcp snooping statistics
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display DHCP snooping statistics:
switch# show ip dhcp snooping statistics
Packets processed 0
Packets received through cfsoe 0
Packets forwarded 0
Packets forwarded on cfsoe 0
Total packets dropped 0
Packets dropped from untrusted ports 0
Packets dropped due to MAC address check failure 0
Packets dropped due to Option 82 insertion failure 0
Packets dropped due to o/p intf unknown 0
Packets dropped which were unknown 0
Packets dropped due to dhcp relay not enabled 0
Packets dropped due to no binding entry 0
Packets dropped due to interface error/no interface 0
Packets dropped due to max hops exceeded 0
switch#
Related Commands
show ip verify source
To display the IP-to-MAC address bindings, use the show ip verify source command.
show ip verify source [interface {ethernet slot/port | port-channel channel-number}]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the IP-to-MAC address bindings:
switch# show ip verify source
switch#
Related Commands
show ipv6 access-lists
To display all IPv6 access-control lists (ACLs) or a specific IPv6 ACL, use the show ipv6 access-lists command.
show ipv6 access-lists [access-list-name] [expanded | summary]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Release    Modification
4.2(1)     Command output is sorted alphabetically by the ACL names. Support was added for the fragments command.
4.1(2)     This command was introduced.
Usage Guidelines
The device shows all IPv6 ACLs, unless you use the access-list-name argument to specify an ACL.
If you do not specify an ACL name, the device lists ACLs alphabetically by the ACL names.
IPv6 address object groups and IP port object groups show only by name, unless you use the expanded keyword.
The expanded keyword allows you to display the details of object groups used in an ACL rather than only the name of the object groups. For more information about object groups, see the object-group ipv6 address and object-group ip port commands.
The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following:
• Whether per-entry statistics are configured for the ACL.
• Whether the fragments command is configured for the ACL.
• The number of rules in the ACL configuration. This number does not reflect how many entries the ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules.
• The interfaces that the ACL is applied to.
• The interfaces that the ACL is active on.
The show ipv6 access-lists command displays statistics for each entry in an ACL if the following conditions are both true:
• The ACL configuration contains the statistics per-entry command.
• The ACL is applied to an interface that is administratively up.
If an IP ACL includes the fragments command, it appears before the explicit permit and deny rules, but the device applies the fragments command to noninitial fragments only if they do not match all other explicit rules in the ACL.
This command does not require a license.
Examples
This example shows how to use the show ipv6 access-lists command to display all IPv6 ACLs on a device that has a single IPv6 ACL:
switch# show ipv6 access-lists
IPv6 access list ipv6-main-filter
10 permit ipv6 any any
This example shows how to use the show ipv6 access-lists command to display an IPv6 ACL named ipv6-RandD-outbound-web, including per-entry statistics for the entries except for the LowerLab object group:
switch# show ipv6 access-lists ipv6-RandD-outbound-web
IPv6 access list ipv6-RandD-outbound-web
statistics per-entry
fragments deny-all
1000 permit ahp any any [match=732]
1005 permit tcp addrgroup LowerLab any eq telnet
1010 permit tcp any any eq www [match=820421]
This example shows how to use the show ipv6 access-lists command to display an IPv6 ACL named ipv6-RandD-outbound-web. The expanded keyword causes the contents of the object group from the previous example to appear, including the per-entry statistics:
switch# show ipv6 access-lists ipv6-RandD-outbound-web expanded
IPv6 access list ipv6-RandD-outbound-web
statistics per-entry
1000 permit ahp any any [match=732]
1005 permit tcp 2001:db8:0:3ab0::1/128 any eq telnet [match=5032]
1005 permit tcp 2001:db8:0:3ab0::32/128 any eq telnet [match=433]
1010 permit tcp any any eq www [match=820421]
This example shows how to use the show ipv6 access-lists command with the summary keyword to display information about an IPv6 ACL named ipv6-RandD-outbound-web, such as which interfaces the ACL is applied to and active on:
switch# show ipv6 access-lists ipv6-RandD-outbound-web summary
IPV6 ACL ipv6-RandD-outbound-web
Statistics enabled
Total ACEs Configured: 4
Configured on interfaces:
Ethernet2/4 - ingress (Router ACL)
Active on interfaces:
Ethernet2/4 - ingress (Router ACL)
Related Commands
show key chain
To display the configuration for a specific keychain, use the show key chain command.
show key chain keychain-name [mode decrypt]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display keychain configuration for the keychain glbp-key, which contains one key (key 13) that has specific accept and send lifetimes:
switch# show key chain
Key-Chain glbp-keys
Key 13 -- text 7 071a33595c1d0c1702170203163e3e21213c20361a021f11
accept lifetime UTC (00:00:00 Jun 13 2008) - (23:59:59 Sep 12 2008)
send lifetime UTC (00:00:00 Jun 13 2008) - (23:59:59 Aug 12 2008)
Related Commands
show ldap-search-map
To display information about the configured Lightweight Directory Access Protocol (LDAP) attribute maps, use the show ldap-search-map command.
show ldap-search-map
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You must use the feature ldap command before you can display LDAP information.
This command does not require a license.
Examples
This example shows how to display information about the configured LDAP attribute maps:
switch# show ldap-search-map
total number of search maps : 1
following LDAP search maps are configured:
SEARCH MAP s0:
User Profile:
BaseDN: DN1
Attribute Name: map1
Search Filter: filter1
Related Commands
show ldap-server
To display the Lightweight Directory Access Protocol (LDAP) server configuration, use the show ldap-server command.
show ldap-server
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You must use the feature ldap command before you can display LDAP information.
This command does not require a license.
Examples
This example shows how to display the LDAP server configuration:
switch# show ldap-server
timeout : 5
port : 389
deadtime : 0
total number of servers : 0
Related Commands
Command             Description
feature ldap        Enables LDAP.
ldap-server host    Specifies the IPv4 or IPv6 address or hostname for an LDAP server.
show ldap-server groups
To display the Lightweight Directory Access Protocol (LDAP) server group configuration, use the show ldap-server groups command.
show ldap-server groups
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You must use the feature ldap command before you can display LDAP information.
This command does not require a license.
Examples
This example shows how to display the LDAP server group configuration:
switch# show ldap-server groups
total number of groups: 1
following LDAP server groups are configured:
group LDAPgroup1:
Use-vrf: default
Mode: UnSecure
Authentication: Search and Bind
Bind and Search : append with basedn (cn=$userid)
Authentication: Do bind instead of compare
Bind and Search : compare passwd attribute userPassword
Authentication Mech: Default(PLAIN)
Search map:
Related Commands
Command                  Description
aaa group server ldap    Creates an LDAP server group and enters the LDAP server group configuration mode for that group.
feature ldap             Enables LDAP.
show ldap-server statistics
To display the Lightweight Directory Access Protocol (LDAP) server statistics, use the show ldap-server statistics command.
show ldap-server statistics {ipv4-address | ipv6-address | host-name}
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You must use the feature ldap command before you can display LDAP information.
This command does not require a license.
Examples
This example shows how to display the statistics for an LDAP server:
switch# show ldap-server statistics 10.10.1.1
Server is not monitored
Authentication Statistics
failed transactions: 0
sucessfull transactions: 0
requests sent: 0
requests timed out: 0
responses with no matching requests: 0
responses not processed: 0
responses containing errors: 0
Related Commands
Command             Description
feature ldap        Enables LDAP.
ldap-server host    Specifies the IPv4 or IPv6 address or hostname for an LDAP server.
show mac access-lists
To display all MAC access control lists (ACLs) or a specific MAC ACL, use the show mac access-lists command.
show mac access-lists [access-list-name] [summary]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Release    Modification
4.2(1)     Command output is sorted alphabetically by the ACL names.
4.0(1)     This command was introduced.
Usage Guidelines
The device shows all MAC ACLs, unless you use the access-list-name argument to specify an ACL.
If you do not specify an ACL name, the device lists ACLs alphabetically by the ACL names.
The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following:
• Whether per-entry statistics are configured for the ACL.
• The number of rules in the ACL configuration. This number does not reflect how many entries the ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules.
• The interfaces that the ACL is applied to.
• The interfaces that the ACL is active on.
The show mac access-lists command displays statistics for each entry in an ACL if the following conditions are both true:
• The ACL configuration contains the statistics per-entry command.
• The ACL is applied to an interface that is administratively up.
This command does not require a license.
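The per-entry statistics rules described in the Usage Guidelines for show ipv6 access-lists and show mac access-lists can be checked from saved command output. The following Python parser is an added example, not part of the Cisco documentation; the function names are hypothetical and the sample text is constructed in the format of this page's examples.

```python
import re
from collections import OrderedDict

# Header line of one ACL, as printed by the show commands on this page.
HEADER_RE = re.compile(r"^(IPv6|MAC) access list (\S+)$")
# Rule line: sequence number, action, rule body, optional per-entry counter.
ENTRY_RE = re.compile(r"^(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\[match=(\d+)\])?$")

# Sample text in the format of this page's examples (not captured from a device).
SAMPLE_IPV6 = """\
switch# show ipv6 access-lists ipv6-RandD-outbound-web
IPv6 access list ipv6-RandD-outbound-web
statistics per-entry
fragments deny-all
1000 permit ahp any any [match=732]
1005 permit tcp addrgroup LowerLab any eq telnet
1010 permit tcp any any eq www [match=820421]
"""

SAMPLE_IPV6_EXPANDED = """\
switch# show ipv6 access-lists ipv6-RandD-outbound-web expanded
IPv6 access list ipv6-RandD-outbound-web
statistics per-entry
1000 permit ahp any any [match=732]
1005 permit tcp 2001:db8:0:3ab0::1/128 any eq telnet [match=5032]
1005 permit tcp 2001:db8:0:3ab0::32/128 any eq telnet [match=433]
1010 permit tcp any any eq www [match=820421]
"""

SAMPLE_MAC = """\
switch# show mac access-lists mac-lab-filter
MAC access list mac-lab-filter
statistics per-entry
10 permit 0600.ea5f.22ff 0000.0000.0000 any [match=820421]
20 permit 0600.050b.3ee3 0000.0000.0000 any [match=732]
"""


def parse_acl_output(text):
    """Parse saved 'show ipv6|mac access-lists' text into a list of ACL dicts."""
    acls, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = {"family": header.group(1), "name": header.group(2),
                       "per_entry_stats": False, "fragments": None, "entries": []}
            acls.append(current)
            continue
        if current is None:
            continue  # prompt or blank line before the first ACL header
        if line == "statistics per-entry":
            current["per_entry_stats"] = True
        elif line.startswith("fragments "):
            current["fragments"] = line.split(None, 1)[1]
        else:
            entry = ENTRY_RE.match(line)
            if entry:
                seq, action, rule, match = entry.groups()
                current["entries"].append({
                    "seq": int(seq), "action": action, "rule": rule,
                    "match": int(match) if match is not None else None})
    return acls


def rule_hits(acl):
    """Total match count per rule sequence number.

    With the expanded keyword one rule prints one line per object-group
    member, all sharing the sequence number, so the counters are summed.
    A value of None means no line of that rule showed a counter.
    """
    hits = OrderedDict()
    for entry in acl["entries"]:
        if entry["match"] is None:
            hits.setdefault(entry["seq"], None)
        else:
            hits[entry["seq"]] = (hits.get(entry["seq"]) or 0) + entry["match"]
    return hits


def rules_without_counters(acl):
    """Rules that show no counter although 'statistics per-entry' is set.

    Per the guidelines above, this happens when the rule uses an object
    group shown only by name, or when the ACL is not applied to an
    interface that is administratively up.
    """
    if not acl["per_entry_stats"]:
        return []
    return [seq for seq, total in rule_hits(acl).items() if total is None]


if __name__ == "__main__":
    for sample in (SAMPLE_IPV6, SAMPLE_IPV6_EXPANDED, SAMPLE_MAC):
        for acl in parse_acl_output(sample):
            print(acl["family"], acl["name"], dict(rule_hits(acl)),
                  "no counter:", rules_without_counters(acl))
```

A rule reported by rules_without_counters is a prompt to rerun the command with the expanded keyword or to check the interface state before concluding that the rule has no traffic.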
Examples
This example shows how to use the show mac access-lists command to show all MAC ACLs on a device with a single MAC ACL:
switch# show mac access-lists
MAC access list mac-filter
10 permit any any ip
This example shows how to use the show mac access-lists command to display a MAC ACL named mac-lab-filter, including per-entry statistics:
switch# show mac access-lists mac-lab-filter
MAC access list mac-lab-filter
statistics per-entry
10 permit 0600.ea5f.22ff 0000.0000.0000 any [match=820421]
20 permit 0600.050b.3ee3 0000.0000.0000 any [match=732]
This example shows how to use the show mac access-lists command with the summary keyword to display information about a MAC ACL named mac-lab-filter, such as which interfaces the ACL is applied to and active on:
switch# show mac access-lists mac-lab-filter summary
MAC ACL mac-lab-filter
Statistics enabled
Total ACEs Configured: 2
Configured on interfaces:
Ethernet2/3 - ingress (Port ACL)
Active on interfaces:
Ethernet2/3 - ingress (Port ACL)
Related Commands
show password strength-check
To display password-strength checking status, use the show password strength-check command.
show password strength-check
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display password-strength checking status:
switch# show password strength-check
Password strength check enabled
Related Commands
Command                         Description
password strength-check         Enables password-strength checking.
show running-config security    Displays security feature configuration in the running configuration.
show policy-map type control-plane
To display control plane policy map information, use the show policy-map type control-plane command.
show policy-map type control-plane [expand] [name policy-map-name]
Syntax Description
expand
(Optional) Displays expanded control plane policy map information.
name policy-map-name
(Optional) Specifies the name of the control plane policy map. The name is case sensitive.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to display control plane policy map information:
switch# show policy-map type control-plane
policy-map type control-plane copp-system-policy
class copp-system-class-critical
police cir 2000 kbps bc 1500 bytes pir 3000 kbps be 1500 bytes conform transmit
  exceed transmit violate drop
class copp-system-class-important
police cir 1000 kbps bc 1500 bytes pir 1500 kbps be 1500 bytes conform transmit
  exceed transmit violate drop
class copp-system-class-normal
police cir 400 kbps bc 1500 bytes pir 600 kbps be 1500 bytes conform transmit
  exceed transmit violate drop
class class-default
police cir 200 kbps bc 1500 bytes pir 300 kbps be 1500 bytes conform transmit
  exceed transmit violate drop
show port-security
To show the state of port security on the device, use the show port-security command.
show port-security [state]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Release    Modification
4.2(1)     Support for Layer 2 port-channel interfaces was added.
4.0(1)     This command was introduced.
Usage Guidelines
This command does not require a license.
Examples
This example shows how to use the show port-security command to view the status of the port security feature on a device:
switch# show port-security
Total Secured Mac Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192
----------------------------------------------------------------------------
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
             (Count)        (Count)      (Count)
----------------------------------------------------------------------------
Ethernet1/4  5              1            0                  Shutdown
============================================================================
switch#
Related Commands
show port-security address
To show information about MAC addresses secured by the port security feature, use the show port-security address command.
show port-security address [interface {port-channel channel-number | ethernet slot/port}]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Release    Modification
4.2(1)     Support for Layer 2 port-channel interfaces was added.
4.0(1)     This command was introduced.
Usage Guidelines
This command does not require a license.
Examples
This example shows how to use the show port-security address command to view information about all MAC addresses secured by port security:
switch# show port-security address
Total Secured Mac Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192
----------------------------------------------------------------------
Secure Mac Address Table
----------------------------------------------------------------------
Vlan Mac Address    Type   Ports         Remaining Age(mins)
---- -----------    ------ -----         -------------
1    0054.AAB3.770F STATIC port-channel1 0
1    00EE.378A.ABCE STATIC Ethernet1/4   0
======================================================================
switch#
This example shows how to use the show port-security address command to view the MAC addresses secured by the port security feature on the Ethernet 1/4 interface:
switch# show port-security address interface ethernet 1/4
Secure Mac Address Table
----------------------------------------------------------------------
Vlan Mac Address    Type   Ports         Remaining Age(mins)
---- -----------    ------ -----         -------------
1    00EE.378A.ABCE STATIC Ethernet1/4   0
----------------------------------------------------------------------
switch#
Related Commands
show port-security interface
To show the state of port security on a specific interface, use the show port-security interface command.
show port-security interface {port-channel channel-number | ethernet slot/port}
Syntax Description
port-channel channel-number
Specifies a Layer 2 port-channel interface. The channel-number argument can be a whole number from 1 to 4096.
ethernet slot/port
Specifies an Ethernet interface.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Release    Modification
4.2(1)     Support for Layer 2 port-channel interfaces was added.
4.0(1)     This command was introduced.
Usage Guidelines
This command does not require a license.
Examples
This example shows how to use the show port-security interface command to view the status of the port security feature on the Ethernet 1/4 interface:
switch# show port-security interface ethernet 1/4
Port Security : Enabled
Port Status : Secure Down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
Maximum MAC Addresses : 5
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Security violation count : 0
switch#
Related Commands
show privilege
To show the current privilege level, username, and status of cumulative privilege support, use the show privilege command.
show privilege
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to use the show privilege command to view the current privilege level, username, and status of cumulative privilege support:
switch# show privilege
User name: admin
Current privilege level: -1
Feature privilege: Enabled
switch#
Related Commands
show radius
To display the RADIUS Cisco Fabric Services (CFS) distribution status and other details, use the show radius command.
show radius {distribution status | merge status | pending [cmds] | pending-diff | session status | status}
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the RADIUS CFS distribution status:
switch# show radius distribution status
distribution : enabled
session ongoing: no
session db: does not exist
merge protocol status: not yet initiated after enable
last operation: enable
last operation status: success
This example shows how to display the RADIUS merge status:
switch# show radius merge status
Result: Waiting
This example shows how to display the RADIUS CFS session status:
switch# show radius session status
Last Action Time Stamp : None
Last Action : Distribution Enable
Last Action Result : Success
Last Action Failure Reason : none
This example shows how to display the RADIUS CFS status:
switch# show radius status
distribution : enabled
session ongoing: no
session db: does not exist
merge protocol status: not yet initiated after enable
last operation: enable
last operation status: success
This example shows how to display the pending RADIUS configuration:
switch# show radius pending
radius-server host 10.10.1.1 key 7 qxz123
aaa group server radius aaa-private-sg
This example shows how to display the pending RADIUS configuration commands:
switch# show radius pending cmds
radius-server host 10.10.1.1 key 7 qxz12345 auth_port 1812 acct_port 1813 authentication accounting
This example shows how to display the differences between the pending RADIUS configuration and the current RADIUS configuration:
switch(config)# show radius pending-diff
+radius-server host 10.10.1.1 authentication accounting
show radius-server
To display RADIUS server information, use the show radius-server command.
show radius-server [hostname | ipv4-address | ipv6-address] [directed-request | groups | sorted | statistics]
Syntax Description
Defaults
Displays the global RADIUS server configuration.
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
RADIUS preshared keys are not visible in the show radius-server command output. Use the show running-config radius command to display the RADIUS preshared keys.
This command does not require a license.
Examples
This example shows how to display information for all RADIUS servers:
switch# show radius-server
Global RADIUS shared secret:********
retransmission count:1
timeout value:5
deadtime value:0
total number of servers:2
following RADIUS servers are configured:
10.10.1.1:
available for authentication on port:1812
available for accounting on port:1813
10.10.2.2:
available for authentication on port:1812
available for accounting on port:1813
This example shows how to display information for a specified RADIUS server:
switch# show radius-server 10.10.1.1
10.10.1.1:
available for authentication on port:1812
available for accounting on port:1813
idle time:0
test user:test
test password:********
This example shows how to display the RADIUS directed request configuration:
switch# show radius-server directed-request
enabled
This example shows how to display information for RADIUS server groups:
switch# show radius-server groups
total number of groups:2
following RADIUS server groups are configured:
group radius:
server: all configured radius servers
group RadServer:
deadtime is 0
vrf is management
This example shows how to display information for a specified RADIUS server group:
switch# show radius-server groups RadServer
group RadServer:
deadtime is 0
vrf is management
This example shows how to display sorted information for all RADIUS servers:
switch# show radius-server sorted
Global RADIUS shared secret:********
retransmission count:1
timeout value:5
deadtime value:0
total number of servers:2
following RADIUS servers are configured:
10.10.0.0:
available for authentication on port:1812
available for accounting on port:1813
10.10.1.1:
available for authentication on port:1812
available for accounting on port:1813
This example shows how to display statistics for a specified RADIUS server:
switch# show radius-server statistics 10.10.1.1
Server is not monitored
Authentication Statistics
failed transactions: 0
sucessfull transactions: 0
requests sent: 0
requests timed out: 0
responses with no matching requests: 0
responses not processed: 0
responses containing errors: 0
Accounting Statistics
failed transactions: 0
sucessfull transactions: 0
requests sent: 0
requests timed out: 0
responses with no matching requests: 0
responses not processed: 0
responses containing errors: 0
Related Commands
Command                       Description
show running-config radius    Displays the RADIUS information in the running configuration file.
show role
To display the user role configuration, use the show role command.
show role [name role-name]
Syntax Description
name role-name
(Optional) Displays information for a specific user role name. The role name is case sensitive.
Defaults
Displays information for all user roles.
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display information for a specific user role:
switch(config)# show role name MyRole
role: MyRole
description: new role
vlan policy: deny
permitted vlan
1-10
interface policy: deny
permitted interface
Ethernet2/1-8
vrf policy: permit (default)
This example shows how to display information for all user roles in the default virtual device context (VDC):
switch(config)# show role
role: network-admin
description: Predefined network admin role has access to all commands
on the switch
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write
role: network-operator
description: Predefined network operator role has access to all read
commands on the switch
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read
role: vdc-admin
description: Predefined vdc admin role has access to all commands within
a VDC instance
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write
role: vdc-operator
description: Predefined vdc operator role has access to all read commands
within a VDC instance
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read
role: MyRole
description: new role
vlan policy: deny
permitted vlan
1-10
interface policy: deny
permitted interface
Ethernet2/1-8
vrf policy: permit (default)
This example shows how to display information for all user roles in a nondefault virtual device context (VDC):
switch-MyVDC# show role
role: vdc-admin
description: Predefined vdc admin role has access to all commands within
a VDC instance
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write
role: vdc-operator
description: Predefined vdc operator role has access to all read commands
within a VDC instance
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read
Related Commands
show role feature
To display the user role features, use the show role feature command.
show role feature [detail | name feature-name]
Syntax Description
detail
(Optional) Displays detailed information for all features.
name feature-name
(Optional) Displays detailed information for a specific feature. The feature name is case sensitive.
Defaults
Displays a list of user role feature names.
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the user role features:
switch(config)# show role feature
feature: aaa
feature: access-list
feature: arp
feature: callhome
feature: cdp
feature: crypto
feature: gold
feature: install
feature: l3vm
feature: license
feature: ping
feature: platform
feature: qosmgr
feature: radius
feature: scheduler
feature: snmp
feature: syslog
<content deleted>
This example shows how to display detailed information for all the user role features:
switch(config)# show role feature detail
feature: aaa
show aaa *
config t ; aaa *
aaa *
clear aaa *
debug aaa *
show accounting *
config t ; accounting *
accounting *
clear accounting *
debug accounting *
feature: access-list
show ip access-list *
show ipv6 access-list *
show mac access-list *
show arp access-list *
show vlan access-map *
config t ; ip access-list *
config t ; ipv6 access-list *
config t ; mac access-list *
config t ; arp access-list *
config t ; vlan access-map *
clear ip access-list *
clear ipv6 access-list *
clear mac access-list *
clear arp access-list *
clear vlan access-map *
debug aclmgr *
feature: arp
show arp *
show ip arp *
config t; ip arp *
clear ip arp *
debug ip arp *
debug-filter ip arp *
<content deleted>
This example shows how to display detailed information for a specific user role feature:
switch(config)# show role feature name dot1x
feature: dot1x
show dot1x *
config t ; dot1x *
dot1x *
clear dot1x *
debug dot1x *
Related Commands
Command Description
role feature-group
Configures feature groups for user roles.
rule
Configures rules for user roles.
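The command patterns that show role feature detail lists under each feature determine what a role rule such as "permit read-write feature aaa" (seen in the show role pending sample on this page) actually unlocks. The following Python is an added example, not part of the Cisco documentation: it parses that output and reports which features cover a given command. The trailing-wildcard matching, the treatment of "read" as covering only show patterns, and the sample commands passed in are assumptions made for illustration.

```python
import re

# Constructed sample: part of the "show role feature detail" output shown on
# this page, laid out one command pattern per line (the layout is assumed).
SAMPLE = """\
switch(config)# show role feature detail
feature: aaa
  show aaa *
  config t ; aaa *
  aaa *
  clear aaa *
  debug aaa *
  show accounting *
  config t ; accounting *
  accounting *
  clear accounting *
  debug accounting *
feature: arp
  show arp *
  show ip arp *
  config t; ip arp *
  clear ip arp *
  debug ip arp *
  debug-filter ip arp *
<content deleted>
"""


def tokens(text):
    """Split a command or pattern into tokens; ';' becomes its own token."""
    return tuple(text.replace(";", " ; ").split())


def parse_features(output):
    """Return {feature name: [pattern token tuples]} from the CLI output."""
    features, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        # Skip blanks, the prompt line and the documentation's elision marker.
        if not line or re.match(r"\S+#\s", line) or line == "<content deleted>":
            continue
        header = re.fullmatch(r"feature:\s*(\S+)", line)
        if header:
            current = features.setdefault(header.group(1), [])
        elif current is None:
            raise ValueError(f"pattern before any feature header: {line!r}")
        else:
            current.append(tokens(line))
    return features


def pattern_matches(pattern, command):
    """Assumed semantics: a trailing '*' matches zero or more further tokens."""
    cmd = tokens(command)
    if pattern[-1] == "*":
        prefix = pattern[:-1]
        return cmd[:len(prefix)] == prefix
    return cmd == pattern


def features_covering(features, command):
    """Names of every feature with at least one pattern matching the command."""
    return sorted(name for name, patterns in features.items()
                  if any(pattern_matches(p, command) for p in patterns))


def rule_allows(features, perm, feature, command):
    """Evaluate one 'permit <perm> feature <feature>' rule against a command.

    Assumption: 'read' unlocks only patterns that begin with 'show', while
    'read-write' unlocks every pattern listed under the feature.
    """
    if perm not in ("read", "read-write"):
        raise ValueError(f"unknown permission type: {perm!r}")
    if feature not in features:
        raise KeyError(f"feature not in parsed output: {feature!r}")
    for pattern in features[feature]:
        if perm == "read" and pattern[0] != "show":
            continue
        if pattern_matches(pattern, command):
            return True
    return False


if __name__ == "__main__":
    feats = parse_features(SAMPLE)
    # Constructed commands to check against the parsed patterns.
    for cmd in ("clear accounting log",
                "config t ; ip arp timeout 1500",
                "show ip route"):
        print(f"{cmd!r:40} covered by {features_covering(feats, cmd)}")
    print(rule_allows(feats, "read", "aaa", "clear accounting log"))
    print(rule_allows(feats, "read-write", "aaa", "clear accounting log"))
```

Run against the sample, the check shows that the aaa feature also covers the accounting commands, which is easy to miss when granting that feature to a role by name.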
show role feature-group
To display the user role feature groups, use the show role feature-group command.
show role feature-group [detail | name group-name]
Syntax Description
detail
(Optional) Displays detailed information for all feature groups.
name group-name
(Optional) Displays detailed information for a specific feature group. The group name is case sensitive.
Defaults
Displays a list of user role feature groups.
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the user role feature groups:
switch(config)# show role feature-group
feature group: L3
feature: router-bgp
feature: router-eigrp
feature: router-isis
feature: router-ospf
feature: router-rip
feature group: SecGroup
feature: aaa
feature: radius
feature: tacacs
This example shows how to display detailed information about all the user role feature groups:
switch(config)# show role feature-group detail
feature group: L3
feature: router-bgp
show bgp *
config t ; bgp *
bgp *
clear bgp *
debug bgp *
show ip bgp *
show ip mbgp *
show ipv6 bgp *
show ipv6 mbgp *
clear ip bgp *
clear ip mbgp *
debug-filter ip *
debug-filter ip bgp *
config t ; router bgp *
feature: router-eigrp
show eigrp *
config t ; eigrp *
eigrp *
clear eigrp *
debug eigrp *
show ip eigrp *
clear ip eigrp *
debug ip eigrp *
config t ; router eigrp *
feature: router-isis
show isis *
config t ; isis *
isis *
clear isis *
debug isis *
debug-filter isis *
config t ; router isis *
feature: router-ospf
show ospf *
config t ; ospf *
ospf *
clear ospf *
debug ospf *
show ip ospf *
show ospfv3 *
show ipv6 ospfv3 *
debug-filter ip ospf *
debug-filter ospfv3 *
debug ip ospf *
debug ospfv3 *
clear ip ospf *
clear ip ospfv3 *
config t ; router ospf *
config t ; router ospfv3 *
feature: router-rip
show rip *
config t ; rip *
rip *
clear rip *
debug rip *
show ip rip *
show ipv6 rip *
overload rip *
debug-filter rip *
clear ip rip *
clear ipv6 rip *
config t ; router rip *
This example shows how to display information for a specific user role feature group:
switch(config)# show role feature-group name SecGroup
feature group: SecGroup
feature: aaa
feature: radius
feature: tacacs
Related Commands
Command Description
role feature-group
Configures feature groups for user roles.
rule
Configures rules for user roles.
show role pending
To display the pending user role configuration differences for the Cisco Fabric Services distribution session, use the show role pending command.
show role pending
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example displays the user role configuration differences for the Cisco Fabric Services session:
switch# show role pending
Role: test-user
Description: new role
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write feature aaa
Related Commands
Command Description
role distribute
Enables Cisco Fabric Services distribution for the user role configuration.
show role pending-diff
To display the differences between the pending user role configuration for the Cisco Fabric Services distribution session and the running configuration, use the show role pending-diff command.
show role pending-diff
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example displays the user role configuration differences for the Cisco Fabric Services session:
switch# show role pending-diff
+Role: test-user
+ Description: new role
+ Vlan policy: permit (default)
+ Interface policy: permit (default)
+ Vrf policy: permit (default)
+ -------------------------------------------------------------------
+ Rule Perm Type Scope Entity
+ -------------------------------------------------------------------
+ 1 permit read-write feature aaa
Related Commands
Command Description
role distribute
Enables Cisco Fabric Services distribution for the user role configuration.
show role session
To display the status information for a user role Cisco Fabric Services session, use the show role session command.
show role session status
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example displays the status information for the user role Cisco Fabric Services session:
switch# show role session status
Last Action Time Stamp : Thu Nov 20 12:43:26 2008
Last Action : Distribution Enable
Last Action Result : Success
Last Action Failure Reason : none
Related Commands
Command Description
role distribute
Enables Cisco Fabric Services distribution for the user role configuration.
show role status
To display the status for the Cisco Fabric Services distribution for the user role feature, use the show role status command.
show role status
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example displays the status of the Cisco Fabric Services distribution for the user role feature:
switch# show role status
Distribution: Enabled
Session State: Locked
Related Commands
Command Description
role distribute
Enables Cisco Fabric Services distribution for the user role configuration.
show running-config aaa
To display authentication, authorization, and accounting (AAA) configuration information in the running configuration, use the show running-config aaa command.
show running-config aaa [all]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the configured AAA information in the running configuration:
switch# show running-config aaa
version 4.0(1)
show running-config aclmgr
To display the user-configured access control lists (ACLs) in the running configuration, use the show running-config aclmgr command.
show running-config aclmgr [all | inactive-if-config]
Syntax Description
all
Displays both the default (CoPP-configured) and user-configured ACLs in the running configuration.
inactive-if-config
Displays the inactive policies in the running configuration.
Defaults
None
Command Modes
Any
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display user-configured ACLs in the running configuration:
switch# show running-config aclmgr all
!Command: show running-config aclmgr all
!Time: Wed May 25 08:03:46 2011
version 5.2(1)
ip access-list acl1
ip access-list cisco123-copp-acl-bgp
10 permit tcp any gt 1024 any eq bgp
20 permit tcp any eq bgp any gt 1024
ipv6 access-list cisco123-copp-acl-bgp6
10 permit tcp any gt 1024 any eq bgp
20 permit tcp any eq bgp any gt 1024
ip access-list cisco123-copp-acl-cts
10 permit tcp any any eq 64999
20 permit tcp any eq 64999 any
ip access-list cisco123-copp-acl-dhcp
10 permit udp any eq bootpc any
20 permit udp any neq bootps any eq bootps
ip access-list cisco123-copp-acl-dhcp-relay-response
10 permit udp any eq bootps any
20 permit udp any any eq bootpc
ip access-list cisco123-copp-acl-eigrp
10 permit eigrp any any
ip access-list cisco123-copp-acl-ftp
10 permit tcp any any eq ftp-data
20 permit tcp any any eq ftp
30 permit tcp any eq ftp-data any
40 permit tcp any eq ftp any
ip access-list cisco123-copp-acl-glbp
10 permit udp any eq 3222 224.0.0.0/24 eq 3222
ip access-list cisco123-copp-acl-hsrp
10 permit udp any 224.0.0.0/24 eq 1985
ipv6 access-list cisco123-copp-acl-hsrp6
10 permit udp any ff02::66/128 eq 2029
ip access-list cisco123-copp-acl-icmp
10 permit icmp any any echo
20 permit icmp any any echo-reply
ipv6 access-list cisco123-copp-acl-icmp6
10 permit icmp any any echo-request
20 permit icmp any any echo-reply
ipv6 access-list cisco123-copp-acl-icmp6-msgs
10 permit icmp any any router-advertisement
20 permit icmp any any router-solicitation
30 permit icmp any any nd-na
40 permit icmp any any nd-ns
50 permit icmp any any mld-query
60 permit icmp any any mld-report
70 permit icmp any any mld-reduction
ip access-list cisco123-copp-acl-igmp
10 permit igmp any 224.0.0.0/3
mac access-list cisco123-copp-acl-mac-cdp-udld-vtp
10 permit any 0100.0ccc.cccc 0000.0000.0000
mac access-list cisco123-copp-acl-mac-cfsoe
10 permit any 0180.c200.000e 0000.0000.0000 0x8843
mac access-list cisco123-copp-acl-mac-dot1x
10 permit any 0180.c200.0003 0000.0000.0000 0x888e
mac access-list cisco123-copp-acl-mac-fabricpath-isis
10 permit any 0180.c200.0015 0000.0000.0000
20 permit any 0180.c200.0014 0000.0000.0000
mac access-list cisco123-copp-acl-mac-flow-control
10 permit any 0180.c200.0001 0000.0000.0000 0x8808
mac access-list cisco123-copp-acl-mac-gold
10 permit any any 0x3737
mac access-list cisco123-copp-acl-mac-l2pt
10 permit any 0100.0ccd.cdd0 0000.0000.0000
mac access-list cisco123-copp-acl-mac-lacp
10 permit any 0180.c200.0002 0000.0000.0000 0x8809
mac access-list cisco123-copp-acl-mac-lldp
10 permit any 0180.c200.000c 0000.0000.0000 0x88cc
mac access-list cisco123-copp-acl-mac-otv-isis
10 permit any 0100.0cdf.dfdf 0000.0000.0000
mac access-list cisco123-copp-acl-mac-sdp-srp
10 permit any 0180.c200.000e 0000.0000.0000 0x3401
mac access-list cisco123-copp-acl-mac-stp
10 permit any 0100.0ccc.cccd 0000.0000.0000
20 permit any 0180.c200.0000 0000.0000.0000
mac access-list cisco123-copp-acl-mac-undesirable
10 permit any any
--More--
Related Commands
show running-config copp
To display control plane policing configuration information in the running configuration, use the show running-config copp command.
show running-config copp [all]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to display the configured control plane policing information in the running configuration:
switch# show running-config copp
version 4.0(1)
class-map type control-plane match-any copp-system-class-critical
match access-group name copp-system-acl-arp
match access-group name copp-system-acl-msdp
class-map type control-plane match-any copp-system-class-important
match access-group name copp-system-acl-gre
match access-group name copp-system-acl-tacas
class-map type control-plane match-any copp-system-class-normal
match access-group name copp-system-acl-icmp
match redirect dhcp-snoop
match redirect arp-inspect
match exception ip option
match exception ip icmp redirect
match exception ip icmp unreachable
policy-map type control-plane copp-system-policy
class copp-system-class-critical
police cir 2000 kbps bc 1500 bytes pir 3000 kbps be 1500 bytes conform transmit exceed transmit violate drop
class copp-system-class-important
police cir 1000 kbps bc 1500 bytes pir 1500 kbps be 1500 bytes conform transmit exceed transmit violate drop
class copp-system-class-normal
police cir 400 kbps bc 1500 bytes pir 600 kbps be 1500 bytes conform transmit exceed transmit violate drop
class class-default
police cir 200 kbps bc 1500 bytes pir 300 kbps be 1500 bytes conform transmit exceed transmit violate drop
This example shows how to display the configured and default control plane policing information in the running configuration:
switch# show running-config copp all
version 4.0(1)
class-map type control-plane match-any copp-system-class-critical
match access-group name copp-system-acl-arp
match access-group name copp-system-acl-msdp
class-map type control-plane match-any copp-system-class-important
match access-group name copp-system-acl-gre
match access-group name copp-system-acl-tacas
class-map type control-plane match-any copp-system-class-normal
match access-group name copp-system-acl-icmp
match redirect dhcp-snoop
match redirect arp-inspect
match exception ip option
match exception ip icmp redirect
match exception ip icmp unreachable
policy-map type control-plane copp-system-policy
class copp-system-class-critical
police cir 2000 kbps bc 1500 bytes pir 3000 kbps be 1500 bytes conform transmit exceed transmit violate drop
class copp-system-class-important
police cir 1000 kbps bc 1500 bytes pir 1500 kbps be 1500 bytes conform transmit exceed transmit violate drop
class copp-system-class-normal
police cir 400 kbps bc 1500 bytes pir 600 kbps be 1500 bytes conform transmit exceed transmit violate drop
class class-default
police cir 200 kbps bc 1500 bytes pir 300 kbps be 1500 bytes conform transmit exceed transmit violate drop
show running-config cts
To display the Cisco TrustSec configuration in the running configuration, use the show running-config cts command.
show running-config cts
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to display the Cisco TrustSec configuration in the running configuration:
switch# show running-config cts
version 4.0(1)
feature cts
cts role-based enforcement
cts role-based sgt-map 10.10.1.1 10
cts role-based access-list MySGACL
permit icmp
cts role-based sgt 65535 dgt 65535 access-list MySGACL
cts sxp enable
cts sxp connection peer 10.10.3.3 source 10.10.2.2 password default mode listener
vlan 1
cts role-based enforcement
vrf context MyVRF
cts role-based enforcement
Related Commands
show running-config dhcp
To display the Dynamic Host Configuration Protocol (DHCP) snooping configuration in the running configuration, use the show running-config dhcp command.
show running-config dhcp [all]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
This command does not require a license.
Examples
This example shows how to display the DHCP snooping configuration:
switch# show running-config dhcp
version 4.0(1)
feature dhcp
interface Ethernet2/46
ip verify source dhcp-snooping-vlan
ip arp inspection trust
ip dhcp snooping
ip arp inspection validate src-mac dst-mac ip
ip source binding 10.3.2.2 0f00.60b3.2333 vlan 13 interface Ethernet2/46
ip source binding 10.2.2.2 0060.3454.4555 vlan 100 interface Ethernet2/10
ip dhcp snooping vlan 1
ip arp inspection vlan 1
ip dhcp snooping vlan 13
ip arp inspection vlan 13
switch#
Related Commands
show running-config dot1x
To display 802.1X configuration information in the running configuration, use the show running-config dot1x command.
show running-config dot1x [all]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You must enable the 802.1X feature by using the feature dot1x command before using this command.
This command does not require a license.
Examples
This example shows how to display the configured 802.1X information in the running configuration:
switch# show running-config dot1x
version 4.0(1)
show running-config eou
To display the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) configuration information in the running configuration, use the show running-config eou command.
show running-config eou [all]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You must enable the EAPoUDP feature by using the feature eou command before using this command.
This command does not require a license.
Examples
This example shows how to display the configured EAPoUDP information in the running configuration:
switch# show running-config eou
version 4.0(1)
show running-config ldap
To display Lightweight Directory Access Protocol (LDAP) server information in the running configuration, use the show running-config ldap command.
show running-config ldap [all]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You must use the feature ldap command before you can display LDAP information.
This command does not require a license.
Examples
This example shows how to display LDAP information in the running configuration:
switch# show running-config ldap
Related Commands
show running-config port-security
To display port-security information in the running configuration, use the show running-config port-security command.
show running-config port-security [all]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display information for port-security in the running configuration:
switch# show running-config port-security
version 4.0(3)
feature port-security
logging level port-security 5
interface Ethernet2/3
switchport port-security
Related Commands
Command Description
show startup-config port-security
Displays port-security information in the startup configuration.
show running-config radius
To display RADIUS server information in the running configuration, use the show running-config radius command.
show running-config radius [all]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display information for RADIUS in the running configuration:
switch# show running-config radius
Related Commands
show running-config security
To display user account, Secure Shell (SSH) server, and Telnet server information in the running configuration, use the show running-config security command.
show running-config security [all]
Syntax Description
all
(Optional) Displays the default user account, SSH server, and Telnet server configuration information.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display user account, SSH server, and Telnet server information in the running configuration:
switch# show running-config security
version 5.1(1)
username admin password 5 $1$7Jwq/LDM$XF0M/UWeT43DmtjZy8VP91 role network-admin
username adminbackup password 5 $1$Oip/C5Ci$oOdx7oJSlBCFpNRmQK4na. role network-operator
username user1 password 5 $1$qEclQ5Rx$CAX9fXiAoFPYSvbVzpazj/ role network-operator
telnet server enable
ssh key rsa 1024 force
show running-config tacacs+
To display TACACS+ server information in the running configuration, use the show running-config tacacs+ command.
show running-config tacacs+ [all]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You must use the feature tacacs+ command before you can display TACACS+ information.
This command does not require a license.
Examples
This example shows how to display TACACS+ information in the running configuration:
switch# show running-config tacacs+
Related Commands
show ssh key
To display the Secure Shell (SSH) server key for a virtual device context (VDC), use the show ssh key command.
show ssh key
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command is available only when SSH is enabled using the feature ssh command.
This command does not require a license.
Examples
This example shows how to display the SSH server key:
switch# show ssh key
**************************************
rsa Keys generated:Wed Aug 11 11:45:14 2010
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDypfN6FSHZDbFPWEoz7sgWCamhfoqjqYNoZMvySSb4056LhWZ75D90KPo+G+XTo7QAyQMpLJSkwKcRkidgD4lwJaDd/Ic/Sl5SJ3i0jyM61Bwvi+8+J3JoIdftAvgH47GT5BdDD6hM7aUHq+efSQSq8pGyDAR4Cw6UdY9HNAWoTw==
bitcount:1024
fingerprint:cd:8d:e3:0c:2a:df:58:d3:6e:9c:bd:72:75:3f:2e:45
**************************************
could not retrieve dsa key information
**************************************
Related Commands
show ssh server
To display the Secure Shell (SSH) server status for a virtual device context (VDC), use the show ssh server command.
show ssh server
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the SSH server status:
switch# show ssh server
ssh is enabled
version 2 enabled
Related Commands
show startup-config aaa
To display authentication, authorization, and accounting (AAA) configuration information in the startup configuration, use the show startup-config aaa command.
show startup-config aaa
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the AAA information in the startup configuration:
switch# show startup-config aaa
version 4.0(1)
show startup-config aclmgr
To display the user-configured access control lists (ACLs) in the startup configuration, use the show startup-config aclmgr command.
show startup-config aclmgr [all]
Syntax Description
all
Displays both the default (CoPP-configured) and user-configured ACLs in the startup configuration.
Defaults
None
Command Modes
Any
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the user-configured ACLs in the startup configuration:
switch(config)# show startup-config aclmgr all
!Command: show startup-config aclmgr all
!Time: Wed May 25 08:04:36 2011
!Startup config saved at: Mon May 23 05:44:16 2011
version 5.2(1)
ip access-list acl1
ip access-list copp-system-p-acl-bgp
10 permit tcp any gt 1024 any eq bgp
20 permit tcp any eq bgp any gt 1024
ipv6 access-list copp-system-p-acl-bgp6
10 permit tcp any gt 1024 any eq bgp
20 permit tcp any eq bgp any gt 1024
ip access-list copp-system-p-acl-cts
10 permit tcp any any eq 64999
20 permit tcp any eq 64999 any
ip access-list copp-system-p-acl-dhcp
10 permit udp any eq bootpc any
20 permit udp any neq bootps any eq bootps
ip access-list copp-system-p-acl-dhcp-relay-response
10 permit udp any eq bootps any
20 permit udp any any eq bootpc
ip access-list copp-system-p-acl-eigrp
10 permit eigrp any any
ip access-list copp-system-p-acl-ftp
10 permit tcp any any eq ftp-data
20 permit tcp any any eq ftp
30 permit tcp any eq ftp-data any
40 permit tcp any eq ftp any
ip access-list copp-system-p-acl-glbp
10 permit udp any eq 3222 224.0.0.0/24 eq 3222
ip access-list copp-system-p-acl-hsrp
10 permit udp any 224.0.0.0/24 eq 1985
ipv6 access-list copp-system-p-acl-hsrp6
10 permit udp any ff02::66/128 eq 2029
ip access-list copp-system-p-acl-icmp
10 permit icmp any any echo
20 permit icmp any any echo-reply
ipv6 access-list copp-system-p-acl-icmp6
10 permit icmp any any echo-request
20 permit icmp any any echo-reply
ipv6 access-list copp-system-p-acl-icmp6-msgs
10 permit icmp any any router-advertisement
20 permit icmp any any router-solicitation
30 permit icmp any any nd-na
40 permit icmp any any nd-ns
50 permit icmp any any mld-query
60 permit icmp any any mld-report
70 permit icmp any any mld-reduction
ip access-list copp-system-p-acl-igmp
10 permit igmp any 224.0.0.0/3
mac access-list copp-system-p-acl-mac-cdp-udld-vtp
10 permit any 0100.0ccc.cccc 0000.0000.0000
mac access-list copp-system-p-acl-mac-cfsoe
10 permit any 0180.c200.000e 0000.0000.0000 0x8843
mac access-list copp-system-p-acl-mac-dot1x
10 permit any 0180.c200.0003 0000.0000.0000 0x888e
mac access-list copp-system-p-acl-mac-fabricpath-isis
10 permit any 0180.c200.0015 0000.0000.0000
20 permit any 0180.c200.0014 0000.0000.0000
mac access-list copp-system-p-acl-mac-flow-control
--More--
Related Commands
show startup-config copp
To display the Control Plane Policing (CoPP) configuration information in the startup configuration, use the show startup-config copp command.
show startup-config copp
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to display the control plane policing information in the startup configuration:
switch# show startup-config copp
version 4.0(1)
class-map type control-plane match-any MyClassMap
match redirect dhcp-snoop
class-map type control-plane match-any copp-system-class-critical
match access-group name copp-system-acl-arp
match access-group name copp-system-acl-msdp
class-map type control-plane match-any copp-system-class-important
match access-group name copp-system-acl-gre
match access-group name copp-system-acl-tacas
class-map type control-plane match-any copp-system-class-normal
match access-group name copp-system-acl-icmp
match redirect dhcp-snoop
match redirect arp-inspect
match exception ip option
match exception ip icmp redirect
match exception ip icmp unreachable
policy-map type control-plane MyPolicyMap
class MyClassMap
police cir 0 bps bc 0 bytes conform drop violate drop
policy-map type control-plane copp-system-policy
class copp-system-class-critical
police cir 2000 kbps bc 1500 bytes pir 3000 kbps be 1500 bytes conform transmit exceed transmit violate drop
class copp-system-class-important
police cir 1000 kbps bc 1500 bytes pir 1500 kbps be 1500 bytes conform transmit exceed transmit violate drop
class copp-system-class-normal
police cir 400 kbps bc 1500 bytes pir 600 kbps be 1500 bytes conform transmit exceed transmit violate drop
class class-default
police cir 200 kbps bc 1500 bytes pir 300 kbps be 1500 bytes conform transmit exceed transmit violate drop
policy-map type control-plane x
class class-default
police cir 0 bps bc 0 bytes conform drop violate drop
show startup-config dhcp
To display the Dynamic Host Configuration Protocol (DHCP) snooping configuration in the startup configuration, use the show startup-config dhcp command.
show startup-config dhcp [all]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
network-operator
vdc-operator
Command History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
This command does not require a license.
Examples
This example shows how to display the DHCP snooping configuration in the startup configuration:
switch# show startup-config dhcp
version 4.0(1)
feature dhcp
interface Ethernet2/46
  ip verify source dhcp-snooping-vlan
  ip arp inspection trust
ip dhcp snooping
ip arp inspection validate src-mac dst-mac ip
ip source binding 10.3.2.2 0f00.60b3.2333 vlan 13 interface Ethernet2/46
ip source binding 10.2.2.2 0060.3454.4555 vlan 100 interface Ethernet2/10
ip dhcp snooping vlan 1
ip arp inspection vlan 1
ip dhcp snooping vlan 13
ip arp inspection vlan 13
switch#
Related Commands
Command Description
feature dhcp
Enables the DHCP snooping feature on the device.
show running-config dhcp
Shows DHCP snooping configuration in the running configuration.
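The following added example (not part of the Cisco documentation) parses show startup-config dhcp output and reports where DHCP snooping, dynamic ARP inspection, and static source bindings do not cover the same VLANs. The function names and finding texts are assumptions of this example, and VLAN range handling such as 20-22 generalizes beyond the single-VLAN lines in the output above.

```python
import re

# Example output from this section, with line breaks and indentation restored.
SAMPLE = """\
version 4.0(1)
feature dhcp
interface Ethernet2/46
  ip verify source dhcp-snooping-vlan
  ip arp inspection trust
ip dhcp snooping
ip arp inspection validate src-mac dst-mac ip
ip source binding 10.3.2.2 0f00.60b3.2333 vlan 13 interface Ethernet2/46
ip source binding 10.2.2.2 0060.3454.4555 vlan 100 interface Ethernet2/10
ip dhcp snooping vlan 1
ip arp inspection vlan 1
ip dhcp snooping vlan 13
ip arp inspection vlan 13
"""

BINDING_RE = re.compile(
    r"^ip source binding (\S+) (\S+) vlan (\d+) interface (\S+)$")
VLAN_RE = re.compile(r"^ip (dhcp snooping|arp inspection) vlan (\S+)$")


def expand_vlans(spec):
    """Expand a VLAN list such as '1,13,20-22' into a set of integers."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_dhcp_config(text):
    """Collect global snooping state, per-VLAN coverage and static bindings."""
    cfg = {"snooping_global": False, "snooping": set(), "dai": set(),
           "bindings": []}
    for raw in text.splitlines():
        if raw[:1].isspace():        # interface sub-command, not global scope
            continue
        line = raw.strip()
        if line == "ip dhcp snooping":
            cfg["snooping_global"] = True
        elif (m := VLAN_RE.match(line)):
            key = "snooping" if m.group(1) == "dhcp snooping" else "dai"
            cfg[key] |= expand_vlans(m.group(2))
        elif (m := BINDING_RE.match(line)):
            ip, mac, vlan, intf = m.groups()
            cfg["bindings"].append((ip, mac, int(vlan), intf))
    return cfg


def coverage_findings(cfg):
    findings = []  # review hints for an auditor, not device error messages
    if cfg["snooping"] and not cfg["snooping_global"]:
        findings.append("per-VLAN snooping set but 'ip dhcp snooping' is absent")
    for vlan in sorted(cfg["snooping"] - cfg["dai"]):
        findings.append(f"VLAN {vlan}: DHCP snooping without ARP inspection")
    for vlan in sorted(cfg["dai"] - cfg["snooping"]):
        findings.append(f"VLAN {vlan}: ARP inspection without DHCP snooping")
    for ip, mac, vlan, intf in cfg["bindings"]:
        if vlan not in cfg["snooping"] | cfg["dai"]:
            findings.append(f"binding {ip} on {intf}: VLAN {vlan} has neither feature")
    return findings
```

Run against the example output, coverage_findings(parse_dhcp_config(SAMPLE)) reports only the static binding for 10.2.2.2, because VLAN 100 appears in neither the snooping nor the ARP inspection VLAN list.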
show startup-config dot1x
To display 802.1X configuration information in the startup configuration, use the show startup-config dot1x command.
show startup-config dot1x
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You must enable the 802.1X feature by using the feature dot1x command before using this command.
This command does not require a license.
Examples
This example shows how to display the 802.1X information in the startup configuration:
switch# show startup-config dot1x
version 4.0(1)
show startup-config eou
To display the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) configuration information in the startup configuration, use the show startup-config eou command.
show startup-config eou
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You must enable the EAPoUDP feature by using the feature eou command before using this command.
This command does not require a license.
Examples
This example shows how to display the EAPoUDP information in the startup configuration:
switch# show startup-config eou
version 4.0(1)
show startup-config ldap
To display Lightweight Directory Access Protocol (LDAP) configuration information in the startup configuration, use the show startup-config ldap command.
show startup-config ldap
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
You must use the feature ldap command before you can display LDAP information.
This command does not require a license.
Examples
This example shows how to display the LDAP information in the startup configuration:
switch# show startup-config ldap
!Command: show startup-config ldap
!Time: Wed Feb 17 13:02:31 2010
!Startup config saved at: Wed Feb 17 10:32:23 2010
version 5.0(2)
feature ldap
aaa group server ldap LDAPgroup1
  no ldap-search-map
aaa group server ldap LdapServer1
  no ldap-search-map
Related Commands
show startup-config port-security
To display port-security information in the startup configuration, use the show startup-config port-security command.
show startup-config port-security [all]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display information for port-security in the startup configuration:
switch# show startup-config port-security
version 4.0(3)
feature port-security
logging level port-security 5
interface Ethernet2/3
  switchport port-security
Related Commands
Command Description
show running-config port-security
Displays port-security information in the running configuration.
show startup-config radius
To display RADIUS configuration information in the startup configuration, use the show startup-config radius command.
show startup-config radius
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the RADIUS information in the startup configuration:
switch# show startup-config radius
version 4.0(1)
show startup-config security
To display user account, Secure Shell (SSH) server, and Telnet server configuration information in the startup configuration, use the show startup-config security command.
show startup-config security
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the user account, SSH server, and Telnet server information in the startup configuration:
switch# show startup-config security
version 5.1(1)
username admin password 5 $1$7Jwq/LDM$XF0M/UWeT43DmtjZy8VP91 role network-admin
username adminbackup password 5 $1$Oip/C5Ci$oOdx7oJSlBCFpNRmQK4na. role network-operator
username user1 password 5 $1$qEclQ5Rx$CAX9fXiAoFPYSvbVzpazj/ role network-operator
telnet server enable
ssh key rsa 1024 force
show startup-config tacacs+
To display TACACS+ configuration information in the startup configuration, use the show startup-config tacacs+ command.
show startup-config tacacs+
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the TACACS+ information in the startup configuration:
switch# show startup-config tacacs+
version 4.0(1)
show system internal pktmgr internal control sw-rate-limit
To display the inband and outband global rate limit configuration for packets that reach the supervisor module, use the show system internal pktmgr internal control sw-rate-limit command.
show system internal pktmgr internal control sw-rate-limit
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any
Supported User Roles
network-admin
network-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the inband and outband global rate limit configuration for packets that reach the supervisor module:
switch# show system internal pktmgr internal control sw-rate-limit
inband pps global threshold 12500 outband pps global threshold 15500
switch#
Related Commands
Command Description
rate-limit cpu direction pps action log
Configures rate limits globally on the device for packets that reach the supervisor module.
show tacacs+
To display the TACACS+ Cisco Fabric Services (CFS) distribution status and other details, use the show tacacs+ command.
show tacacs+ {distribution status | pending [cmds] | pending-diff}
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the TACACS+ CFS status:
switch# show tacacs+ distribution status
distribution : enabled
session ongoing: no
session db: does not exist
merge protocol status: not yet initiated after enable
last operation: enable
last operation status: success
This example shows how to display the TACACS+ merge status:
switch# show tacacs+ merge status
Result: Waiting
This example shows how to display the pending TACACS+ configuration:
switch# show tacacs+ pending
tacacs-server host 10.10.2.2 key 7 qxz12345
This example shows how to display the pending TACACS+ configuration commands:
switch# show tacacs+ pending cmds
tacacs-server host 10.10.2.2 key 7 qxz12345 port 49
This example shows how to display the differences between the pending TACACS+ configuration and the current TACACS+ configuration:
switch# show tacacs+ pending-diff
+tacacs-server host 10.10.2.2
show tacacs-server
To display TACACS+ server information, use the show tacacs-server command.
show tacacs-server [hostname | ip4-address | ipv6-address] [directed-request | groups | sorted | statistics]
Syntax Description
Defaults
Displays the global TACACS+ server configuration
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
TACACS+ preshared keys are not visible in the show tacacs-server command output. Use the show running-config tacacs+ command to display the TACACS+ preshared keys.
You must use the feature tacacs+ command before you can display TACACS+ information.
This command does not require a license.
Examples
This example shows how to display information for all TACACS+ servers:
switch# show tacacs-server
Global TACACS+ shared secret:********
timeout value:5
deadtime value:0
total number of servers:2
following TACACS+ servers are configured:
  10.10.2.2:
    available on port:49
  10.10.1.1:
    available on port:49
This example shows how to display information for a specified TACACS+ server:
switch# show tacacs-server 10.10.2.2
  10.10.2.2:
    available for authentication on port:1812
    available for accounting on port:1813
    idle time:0
    test user:test
    test password:********
This example shows how to display the TACACS+ directed request configuration:
switch# show tacacs-server directed-request
enabled
This example shows how to display information for TACACS+ server groups:
switch# show tacacs-server groups
total number of groups:1
following TACACS+ server groups are configured:
  group TacServer:
    server 10.10.2.2 on port 49
    deadtime is 0
    vrf is vrf3
This example shows how to display information for a specified TACACS+ server group:
switch# show tacacs-server groups TacServer
  group TacServer:
    server 10.10.2.2 on port 49
    deadtime is 0
    vrf is vrf3
This example shows how to display sorted information for all TACACS+ servers:
switch# show tacacs-server sorted
Global TACACS+ shared secret:********
timeout value:5
deadtime value:0
total number of servers:2
following TACACS+ servers are configured:
  10.10.1.1:
    available on port:49
  10.10.2.2:
    available on port:49
This example shows how to display statistics for a specified TACACS+ server:
switch# show tacacs-server statistics 10.10.2.2
Server is not monitored
Authentication Statistics
  failed transactions: 0
  sucessfull transactions: 0
  requests sent: 0
  requests timed out: 0
  responses with no matching requests: 0
  responses not processed: 0
  responses containing errors: 0
Authorization Statistics
  failed transactions: 0
  sucessfull transactions: 0
  requests sent: 0
  requests timed out: 0
  responses with no matching requests: 0
  responses not processed: 0
  responses containing errors: 0
Accounting Statistics
  failed transactions: 0
  sucessfull transactions: 0
  requests sent: 0
  requests timed out: 0
  responses with no matching requests: 0
  responses not processed: 0
  responses containing errors: 0
Related Commands
Command Description
show running-config tacacs+
Displays the TACACS+ information in the running configuration file.
show telnet server
To display the Telnet server status for a virtual device context (VDC), use the show telnet server command.
show telnet server
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display the Telnet server status:
switch# show telnet server
telnet service enabled
Related Commands
show time-range
To display all time ranges or a specific time range, use the show time-range command.
show time-range [time-range-name]
Syntax Description
time-range-name
(Optional) Name of a time range, which can be up to 64 alphanumeric, case-sensitive characters.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
The device shows all time ranges unless you use the time-range-name argument to specify a time range.
If you do not specify a time-range name, the device lists time ranges alphabetically by the time-range names.
The output of the show time-range command indicates whether a time range is active, which means that the current system time on the device falls within the configured time range.
This command does not require a license.
Examples
This example shows how to use the show time-range command without specifying a time-range name on a device that has two time ranges configured, where one of the time ranges is inactive and the other is active:
switch(config-time-range)# show time-range
time-range entry: december (inactive)
  10 absolute start 0:00:00 1 December 2009 end 11:59:59 31 December 2009
time-range entry: november (active)
  10 absolute start 0:00:00 1 November 2009 end 23:59:59 30 November 2009
Related Commands
show user-account
To display information for the user accounts in a virtual device context (VDC), use the show user-account command.
show user-account
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display information for user accounts in the default virtual device context (VDC):
switch# show user-account
user:admin
  this user account has no expiry date
  roles:network-admin
user:adminbackup
  this user account has no expiry date
  roles:network-operator
This example shows how to display information for user accounts in a nondefault VDC:
switch-MyVDC# show user-account
user:admin
  this user account has no expiry date
  roles:vdc-admin
Related Commands
show username
To display the public key for the specified user, use the show username command.
show username username keypair
Syntax Description
username
Name of the user. You can enter up to 28 alphanumeric characters.
keypair
Displays the Secure Shell (SSH) user keys.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
For security reasons, this command does not show the private key.
Examples
This example shows how to display the public key for the specified user:
switch# show username admin keypair
**************************************
rsa Keys generated:Mon Feb 15 08:10:45 2010
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0+rIeMgXwv004lt/hwOoyqIKbFGl1tmkFNm/tozuazfL4dH/asAXZoJePDdiO1ILBGfrQgzyS5u3prXuXfgnWkTu0/4WlD0DF/EPdsd3NNzNbpPFzNDVylPDyDfRX5SfVICioEirjX9Y59DZP+Nng6rJD7Z/YHVXs/jRNLPBOIs=
bitcount:262144
fingerprint:a4:a7:b1:d1:43:09:49:6f:7c:f8:60:62:8e:a2:c1:d1
**************************************
could not retrieve dsa key information
**************************************
switch#
Related Commands
Command Description
username username keypair generate
Generates the SSH public and private keys and stores them in the home directory of the Cisco NX-OS device for the specified user.
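The following added example (not part of the Cisco documentation) decodes the ssh-rsa line that show username keypair prints, so the modulus size and fingerprints can be derived from the key itself when reviewing user keys. The function names and the returned dictionary layout are assumptions of this example; the key line is the one from the example output above.

```python
import base64
import hashlib
import struct

# Public key line copied from the example output in this section.
PUBKEY_LINE = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABIwAAAIEA0+rIeMgXwv004lt/hwOoyq"
    "IKbFGl1tmkFNm/tozuazfL4dH/asAXZoJePDdiO1ILBGfrQgzy"
    "S5u3prXuXfgnWkTu0/4WlD0DF/EPdsd3NNzNbpPFzNDVylPDyD"
    "fRX5SfVICioEirjX9Y59DZP+Nng6rJD7Z/YHVXs/jRNLPBOIs="
)


def read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past end of key blob")
    return blob[offset + 4:end], end


def inspect_rsa_pubkey(line):
    """Return key type, exponent, modulus size and fingerprints of an ssh-rsa line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64>'")
    blob = base64.b64decode(parts[1], validate=True)
    name, off = read_string(blob, 0)
    if parts[0] != "ssh-rsa" or name != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e_bytes, off = read_string(blob, off)   # public exponent
    n_bytes, off = read_string(blob, off)   # modulus, may carry a leading 0x00
    if off != len(blob):
        raise ValueError("unexpected trailing data in key blob")
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return {
        "type": parts[0],
        "exponent": int.from_bytes(e_bytes, "big"),
        "modulus_bits": int.from_bytes(n_bytes, "big").bit_length(),
        "md5_fingerprint": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256_fingerprint": "SHA256:" + sha256.rstrip("="),
    }


if __name__ == "__main__":
    for field, value in inspect_rsa_pubkey(PUBKEY_LINE).items():
        print(f"{field}: {value}")
```

The modulus_bits value can be compared with a minimum key-size policy, and the fingerprints with the value an SSH client or key inventory records for the same user.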
show users
To display the user session information for a virtual device context (VDC), use the show users command.
show users
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display user session information in the default virtual device context (VDC):
switch# show users
NAME   LINE    TIME          IDLE  PID    COMMENT
admin  pts/1   Mar 17 15:18  .     5477   (172.28.254.254)
admin  pts/9   Mar 19 11:19  .     23101  (10.82.234.56)*
This example shows how to display information for user accounts in a nondefault VDC:
switch-MyVDC# show users
admin  pts/10  Mar 19 12:54  .     30965  (10.82.234.56)*
Related Commands
show vlan access-list
To display the contents of the IPv4 access control list (ACL), IPv6 ACL, or MAC ACL associated with a specific VLAN access map, use the show vlan access-list command.
show vlan access-list access-list-name
Syntax Description
access-list-name
Name of the VLAN access map, which can be up to 64 alphanumeric, case-sensitive characters.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to use the show vlan access-list command to display the contents of the ACL that the VLAN access map named vacl-01 is configured to use:
switch# show vlan access-list vacl-01
IP access list ipv4acl
  5 deny ip 10.1.1.1/32 any
  10 permit ip any any
Related Commands
show vlan access-map
To display all VLAN access maps or a VLAN access map, use the show vlan access-map command.
show vlan access-map map-name
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Release Modification
4.2(1)
Command output is sorted alphabetically by the ACL names.
4.0(1)
This command was introduced.
Usage Guidelines
The device shows all VLAN access maps, unless you use the map-name argument to specify an access map.
If you do not specify an access-map name, the device lists VLAN access maps alphabetically by access-map name.
For each VLAN access map displayed, the device shows the access-map name, the ACL specified by the match command, and the action specified by the action command.
Use the show vlan filter command to see which VLANs have a VLAN access map applied to them.
This command does not require a license.
Examples
This example shows how to remove dynamically learned, secure MAC addresses from the Ethernet 2/1 interface:
switch# show vlan access-map
Vlan access-map austin-vlan-map
  match ip: austin-corp-acl
  action: forward
Related Commands
show vlan filter
To display information about instances of the vlan filter command, including the VLAN access-map and the VLAN IDs affected by the command, use the show vlan filter command.
show vlan filter [access-map map-name | vlan vlan-ID]
Syntax Description
Defaults
The device shows all instances of VLAN access maps applied to a VLAN, unless you use the access-map keyword and specify an access map, or you use the vlan keyword and specify a VLAN ID.
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display all VLAN access map information on a device that has only one VLAN access map applied (austin-vlan-map) to VLANs 20 through 35 and 42 through 80:
switch# show vlan filter
vlan map austin-vlan-map:
  Configured on VLANs: 20-35,42-80
Related Commands