-
Cisco IOS Security Command Reference: Commands S to Z
-
sa ipsec through sessions maximum
-
set aggressive-mode client-endpoint through show content-scan
-
show crypto ace redundancy through show cts sxp
-
show diameter peer through show object-group
-
show parameter-map type consent through show users
-
show vlan group through switchport port-security violation
-
tacacs-server administration through title-color
-
traffic-export through zone security
-
Index
-
Feedback
Contents
show parameter-map type consent through show users
- show parameter-map type consent
- show parameter-map type inspect
- show parameter-map type inspect-global
- show parameter-map type inspect-vrf
- show parameter-map type inspect-zone
- show parameter-map type ooo global
- show parameter-map type protocol-info
- show parameter-map type regex
- show parameter-map type trend-global
- show parameter-map type urlf-glob
- show parameter-map type urlfilter
- show parameter-map type urlfpolicy
- show parser view
- show platform hardware qfp feature alg
- show platform hardware qfp act feature ipsec datapath memory
- show platform hardware qfp active feature ipsec
- show platform hardware qfp feature alg statistics sip
- show platform hardware qfp feature firewall
- show platform hardware qfp feature firewall datapath scb
- show platform hardware qfp feature td
- show platform software firewall
- show platform software ipsec policy statistics
- show platform software ipsec f0 encryption-processor registers
- show platform software ipsec fp active flow
- show platform software ipsec fp active spd-map
- show platform software urpf qfp active configuration
- show policy-firewall config
- show policy-firewall mib
- show policy-firewall session
- show policy-firewall stats
- show policy-firewall stats vrf
- show policy-firewall stats vrf global
- show policy-firewall stats zone
- show policy-firewall summary-log
- show policy-map type inspect
- show policy-map type inspect urlfilter
- show policy-map type inspect zone-pair
- show policy-map type inspect zone-pair urlfilter
- show port-security
- show ppp queues
- show pppoe session
- show private-hosts access-lists
- show private-hosts configuration
- show private-hosts interface configuration
- show private-hosts mac-list
- show privilege
- show radius local-server statistics
- show radius server-group
- show radius statistics
- show radius table attributes
- show redundancy application asymmetric-routing
- show redundancy application control-interface group
- show redundancy application data-interface
- show redundancy application faults group
- show redundancy application group
- show redundancy application if-mgr
- show redundancy application protocol
- show redundancy application transport
- show redundancy linecard-group
- show running-config
- show running-config vrf
- show sasl
- show secure bootset
- show smm
- show snmp mib nhrp status
- show ssh
- show ssl-proxy module state
- show tacacs
- show tcp intercept connections
- show tcp intercept statistics
- show tech-support alg
- show tech-support ipsec
- show tunnel endpoints
- show usb controllers
- show usb device
- show usb driver
- show usb port
- show usb-devices summary
- show usb tree
- show usbtoken
- show user-group
- show users
show parameter-map type consent
To display consent parameter map information, use the show parameter-map type consentcommand in privileged EXEC mode.
Examples
The following is sample output from the show parameter-map type consentcommand. The fields are self-explanatory.
Router# show parameter-map type consent parameter-map type consent map1 Syslog : Enabled File download time(in minutes) : 456 Number of Accepted Users : 0 Number of Denied Users : 0show parameter-map type inspect
To display user-configured or default inspect-type parameter maps, use the show parameter-map type inspect command in privileged EXEC mode.
Command History
Release
Modification
12.4(6)T
This command was introduced.
15.1(1)T
This command was modified. The global keyword was added.
Cisco IOS XE Release 3.4S
This command was modified. Support for General Packet Radio Service (GPRS) Tunneling Protocol (GTP) was added.
Cisco IOS XE Release 3.9S
This command was modified. The parameter-map-name argument was added.
Cisco IOS XE Release 3.11S
This command was modified. The command output was modified to display the number of simultaneous packets per flow.
Examples
The following is sample output from the show parameter-map type inspect command. The fields in the output are self-explanatory.
Device# show parameter-map type inspect audit-trail off alert on max-incomplete low 2147483647 max-incomplete high 2147483647 one-minute low 2147483647 one-minute high 2147483647 udp idle-time 30 icmp idle-time 10 dns-timeout 5 tcp idle-time 3600 tcp finwait-time 5 tcp synwait-time 30 tcp max-incomplete host 4294967295 block-time 0 tcp window scaling enforcement loose off sessions maximum 2147483647 sessions packet defaultThe following is sample output from the show parameter-map type inspect parameter-map-name command. The fields in the output are self-explanatory.
Device# show parameter-map type inspect pmap1 parameter-map type inspect pmap1 log dropped-packet off audit-trail on alert on max-incomplete low unlimited max-incomplete high unlimited one-minute low unlimited one-minute high unlimited sessions rate low unlimited sessions rate high unlimited sessions packet default udp idle-time 30 ageout-time 30 udp halfopen idle-time 30000 ms ageout-time 30000 ms icmp idle-time 50 ageout-time 50 dns-timeout 5 tcp window scaling enforcement loose off tcp idle-time 3600 ageout-time 3600 tcp finwait-time 1 ageout-time 1 tcp synwait-time 30 ageout-time 30 tcp half-open on, half-close on, idle on tcp max-incomplete host unlimited block-time 0 sessions maximum 3000 gtp permit error off gtp request-queue 40000 gtp tunnel-limit 40000 gtp gsn timeout 30 gtp pdp-context timeout 300 gtp request-queue timeout 60 gtp signaling timeout 30 gtp tunnel timeout 60The following is sample output from the show parameter-map type inspect default command. The fields in the output are self-explanatory.
Device# show parameter-map type inspect default parameter-map type inspect default values log dropped-packet off audit-trail off alert on max-incomplete low unlimited max-incomplete high unlimited one-minute low unlimited one-minute high unlimited sessions rate low unlimited sessions rate high unlimited sessions packet default udp idle-time 30 ageout-time 30 udp halfopen idle-time 30000 ms ageout-time 30000 ms icmp idle-time 10 ageout-time 10 dns-timeout 5 tcp idle-time 3600 ageout-time 3600 tcp finwait-time 1 ageout-time 1 tcp synwait-time 30 ageout-time 30 tcp max-incomplete host unlimited block-time 0 tcp window scaling enforcement loose off sessions maximum unlimited gtp permit error off gtp request-queue 40000 gtp tunnel-limit 40000 gtp gsn timeout 30 gtp pdp-context timeout 30 gtp request-queue timeout 60 gtp signaling timeout 30 gtp tunnel timeout 60The following is sample output from the show parameter-map type inspect global command. The fields in the output are self-explanatory.
Device# show parameter-map type inspect global alert on sessions maximum 2147483647 waas disabled l2-transparent dhcp-passthrough disabled log dropped-packets disabled log summary disabled max-incomplete low 2147483647 max-incomplete high 2147483647 one-minute low 2147483647 one-minute high 2147483647show parameter-map type inspect-global
To display global inspect-type parameter map information, use the show parameter-map type inspect-global command in user EXEC or privileged EXEC mode.
Usage Guidelines
The command output displays all configured parameters and their values and all unconfigured parameters with their box-level default values. (Box refers to the entire firewall session table.)
Examples
The following is sample output from the show parameter-map type inspect-global command:
Device# show parameter-map type inspect-global parameter-map type inspect-global log dropped-packet off alert on aggressive aging high: 2345 low: 1234 syn_flood_limit 5678 max_incomplete 7890 aggressive aging disabled max_incomplete TCP 6789 max_incomplete UDP unlimited max_incomplete ICMP unlimited vrf default inspect vrf1The following table describes the fields shown in the display.
Table 1 show parameter-map type inspect-global Field Descriptions Field
Description
log dropped-packet
Debugging message log of dropped packets is not enabled. If you configure the log command in parameter-map type inspect configuration mode, a log of dropped packets is displayed.
alert
Stateful packet inspection of alert messages is on. Valid values are on and off.
aggressive aging
Aggressive aging of half-opened firewall sessions. A half-opened session is a session that has not reached the established state.
syn_flood_limit
TCP synchronization (SYN) flood rate limit. When the configured maximum limit is reached, the TCP SYN cookie protection is triggered.
max_incomplete
Maximum half-opened session limit.
max_incomplete TCP
Maximum half-opened TCP connection limit.
max_incomplete UDP
Maximum half-opened UDP connection limit.
max_incomplete ICMP
Maximum half-opened Internet Control Message Protocol (ICMP) connection limit.
vrf default
Default VRF is bound to the inspect-VRF parameter map.
The following is sample output from the show parameter-map type inspect-global gtp command:
Device# show parameter-map type inspect-global gtp parameter-map type inspect global-gtp gtp request-queue 40000 (default) gtp tunnel-limit 40000 (default) gtp pdp-context timeout 351 gtp request-queue timeout 2167 permit-error Disable (default) gtp-in-gtp blocking Disable (default) gtpv2 request-queue 40000 (default) gtpv2 tunnel-limit 40000 (default) gtpv2 echo-rate-limit 10 (default)The following table describes the fields shown in the display.
Table 2 show parameter-map type inspect-global gtp Field Descriptions Field
Description
gtp request-queue
Displays the number of GTP requests that are queued to wait for a response.
gtp tunnel-limit
Displays the number of GTP tunnels that can be configured.
gtp pdp-context timeout
Displays the timeout, in minutes, for inactive Packet Data Protocol (PDP) contexts.
gtp request-queue timeout
Displays the timeout, in seconds, for inactive request queues.
permit-error
Displays the permissible errors. By default, the permit-error is disabled.
gtpv2 request-queue
Displays the number of GTP requests for GTPv2 protocol that are queued to wait for a response.
gtpv2 tunnel-limit
Displays the number of GTP tunnels that can be configured for gtpv2 protocol.
show parameter-map type inspect-vrf
To display information about the configured inspect VPN Routing and Forwarding (VRF) type parameter map, use the show parameter-map type inspect-vrf command in user EXEC or privileged EXEC mode.
Examples
The following is sample output from the show parameter-map type inspect-vrf command:
Router# show parameter-map type inspect-vrf vpmap01 VRF: vrf001, Parameter-Map: vpmap01 total_session_cnt: 3500 exceed_cnt: 40 tcp_half_open_cnt: 3520 syn_exceed_cnt: 40The table below describes the significant fields shown in the display.
Table 3 show parameter-map type inspect-vrf Field Descriptions Field
Description
total_session_cnt
Total session count.
exceed_cnt
Number of sessions that exceeded the configured session count.
tcp_half_open_cnt
TCP half-open sessions configured for each VRF. When the configured session limit is reached, the TCP synchronization (SYN) cookie verifies the source of the half-open TCP sessions before creating more sessions. A TCP half-open session is a session that has not reached the established state.
syn_exceed_count
Number of SYN packets that exceeded the configured SYN flood rate limit.
show parameter-map type inspect-zone
To display information about the configured inspect zone-type parameter map, use the show parameter-map type inspect-zone command in user EXEC or privileged EXEC mode.
Examples
The following is sample output from the show parameter-map type inspect-zone command:
Router# show parameter-map type inspect-zone zone-pmap parameter-map type inspect-zone zone-pmap tcp syn-flood-rate 400 max-destination 10000The table below describes the fields shown in the display.
Table 4 show parameter-map type inspect-zone Field Descriptions Field
Description
parameter-map type inspect-zone
Name of the inspect zone-type parameter map.
tcp syn-flood-rate
TCP synchronization (SYN) flood rate limit. When the configured maximum packet rate is reached, the TCP SYN cookie protection is triggered.
max-destination
Maximum number of destinations that a firewall can track.
show parameter-map type ooo global
To display Out-of-Order (OoO) global parameter-map information, use the show parameter-map type ooo global command in privileged EXEC mode.
Command History
Usage Guidelines
The output of the show parameter-map type ooo global command displays configurations related to OoO packet processing. If you do not configure the parameter-map type ooo global command, the output of the show parameter-map type ooo global command displays default values of the OoO packet-processing parameters.
Examples
The following is sample output from the show parameter-map type ooo global command:
Device# show parameter-map type ooo global parameter-map type ooo global tcp reassembly timeout 5 tcp reassembly queue length 16 tcp reassembly memory limit 1024 tcp reassembly alarm offThe following table describes the fields shown in the display.
Table 5 show parameter-map type ooo global Field Descriptions Field
Description
tcp reassembly timeout
Timeout, in seconds, for OoO-TCP queues.
tcp reassembly queue length
Length of the OoO queues.
tcp reassembly memory limit
Limit of the OoO buffer size.
tcp reassembly alarm
Indicates if alert messages for TCP sessions are enabled. Valid values are on and off.
show parameter-map type protocol-info
To display protocol parameter map information, use the show parameter-map type protocol-infocommand in privileged EXEC mode.
show parameter-map type protocol-info [ parameter-map-name [dns-cache] | dns-cache | msrpc | zone-pair zone-pair-name | stun-ice [parameter-map-name] ]
Syntax Description
parameter-map-name
(Optional) Name of the parameter map.
dns-cache
(Optional) Displays the protocol information about the Domain Name System (DNS) cache.
msrpc
(Optional) Displays the protocol information about the Microsoft Remote Procedure Call (MSRPC) parameter map.
zone-pair zone-pair-name
(Optional) Specifies the name of the zone pair.
stun-ice
(Optional) Displays the protocol information of Session Traversal Utilities for Network Address Translation (NAT) and Interactive Connectivity Establishment (STUN-ICE). STUN is an Internet standards-track suite of methods, including a network protocol, used in NAT traversal for applications of real-time voice, video, messaging, and other interactive IP communications. ICE is a technique used in computer networking involving NATs in Internet applications of VoIP, peer-to-peer communications, video, instant messaging, and other interactive media. In such applications, NAT traversal is an important component to facilitate communications involving hosts on private network installations, which often are located behind firewalls.
show parameter-map type regex
To display regular expression parameter-map information, use the show parameter-map type regex command in privileged EXEC mode.
show parameter-map type trend-global
To display the parameter map for the global parameters for a Trend Micro URL filtering policy, use the show parameter-map type trend-global command in privileged EXEC mode.
Usage Guidelines
Use the show parameter-map type trend-globalcommand to display the global parameters for Trend Micro URL filtering policies.
Examples
The following is sample output from the show parameter-map type trend-global defaultcommand:
Router# show parameter-map type trend-global default parameter-map type trend-global default values server trps.trendmicro.com http-port 80 https-port 443 retrans 3 timeout 60 alert on cache-size 256 KB cache-lifetime 24The following is sample output from the show parameter-map type trend-globalcommand when the server name and maximum cache size have been specified in the parameter map Global-Parameters:
Router# show parameter-map type trend-global Global-Parameters parameter-map type trend-global Global-Parameters server trps1.example.com http-port 80 https-port 443 retrans 3 timeout 60 alert on cache-size 300 KB cache-lifetime 24show parameter-map type urlf-glob
To display the parameter maps for local URL filtering, use the show parameter-map type urlf-glob command in privileged EXEC mode.
Usage Guidelines
Use the show parameter-map type urlf-glob command to display the parameter maps for local URL filtering policies.
Examples
The following is sample output from the show parameter-map type urlf-globcommand when two parameter maps for local URL filtering have been configured:
Router# show parameter-map type urlf-glob parameter-map type urlf-glob trusted-domain-param pattern www.example.com pattern *.example1.com parameter-map type urlf-glob untrusted-domain-param pattern www.example3.com pattern *.example4.comshow parameter-map type urlfilter
NoteEffective with Cisco IOS Release 12.4(15)XZ, the show parameter-map type urlfilter command is not available in Cisco IOS software.
To display user-configured or default URL filter type parameter maps, use the show parameter-map type urlfiltercommand in privileged EXEC mode.
Examples
The following example shows sample output from the show parameter-map type urlfilter command:
Router# show parameter-map type urlfilter parameter-map type urlfilter default values urlf-server-log off audit-trail off alert on max-request 1000 max-resp-pak 200 source-interface default allow-mode off cache 5000The following example shows sample output from the show parameter-map type urlfilter defaultcommand:
Router# show parameter-map type urlfilter default parameter-map type urlfilter default values urlf-server-log off audit-trail off alert on max-request 1000 max-resp-pak 200 source-interface default allow-mode offcache 5000
show parameter-map type urlfpolicy
To display the parameter maps associated with a URL filtering policy, use the show parameter-map type urlfiltercommand in privileged EXEC mode.
Syntax Description
Command Default
The paramater maps for all URL filtering policies of the type specified (local, trend, n2h2, or websense) are displayed.
Examples
The following example shows the default values for a Websense URL filtering policy:
Router# show parameter-map type urlfpolicy websense default parameter-map type urlfilter websense default values urlf-server-log off audit-trail off alert on max-request 1000 max-resp-pak 200 source-interface default allow-mode off cache 5000show parser view
To display command-line interface (CLI) view information, use the show parser view command in privileged EXEC mode.
Usage Guidelines
The show parser viewcommand will display information only about the view that the user is currently in. This command is available for both root view users and lawful intercept view users--except for the all keyword, which is available only to root view users. However, the all keyword can be configured by a user in root view to be available for users in lawful intercept view.
The show parser view command cannot be excluded from any view.
Examples
The following example shows how to display information from the root view and the CLI view "first":
Router# enable view Router# 01:08:16:%PARSER-6-VIEW_SWITCH:successfully set to view 'root'. Router# ! Enable the show parser view command from the root view Router# show parser view Current view is 'root' ! Enable the show parser view command from the root view to display all views Router# show parser view all Views Present in System: View Name: first View Name: second ! Switch to the CLI view "first." Router# enable view first Router# 01:08:09:%PARSER-6-VIEW_SWITCH:successfully set to view 'first'. ! Enable the show parser view command from the CLI view "first." Router# show parser view Current view is 'first'show platform hardware qfp feature alg
To display application layer gateway (ALG)-specific information in the Cisco Quantum Flow Processor (QFP), use the show platform hardware qfp feature alg command in privileged EXEC mode.
show platform hardware qfp { active | standby } feature alg { debugging | memory | statistics [ protocol | clear ] }
Syntax Description
active
Displays the active instance of the processor.
standby
Displays the standby instance of the processor.
debugging
Displays ALG debugging information.
memory
Displays ALG memory usage information of the processor.
statistics
Displays ALG common statistics information of the processor.
protocol
(Optional) Protocol name. Use one of the following values for the protocol argument:
- dns—Displays Domain Name System (DNS) ALG information in the QFP datapath.
- exec—Displays exec ALG information in the QFP datapath.
- ftp—Displays FTP ALG information in the QFP datapath.
- gtp—Displays General Packet Radio Service (GPRS) Tunneling Protocol (GTP) ALG information in the QFP datapath.
- h323—Displays H.323 ALG information in the QFP datapath.
- http—Displays HTTP ALG information in the QFP datapath.
- imap—Displays Internet Message Access Protocol (IMAP) ALG information in the QFP datapath.
- ldap—Displays Lightweight Directory Access Protocol (LDAP) ALG information in the QFP datapath.
- login—Displays login ALG information in the QFP datapath.
- msrpc—Displays Microsoft Remote Procedure Call (MSRPC) ALG information in the QFP datapath.
- netbios—Displays Network Basic Input Output System (NetBIOS) ALG information in the QFP datapath.
- pop3—Displays Post Office Protocol 3 (POP3) ALG information in the QFP datapath.
- pptp—Displays Point-to-Point Tunneling Protocol (PPTP) ALG information in the QFP datapath.
- rtsp—Displays Rapid Spanning Tree Protocol (RSTP) ALG information in the QFP datapath.
- shell—Displays shell ALG information in the QFP datapath.
- sip—Displays Session Initiation Protocol (SIP) ALG information in the QFP datapath.
- skinny—Displays Skinny Client Control Protocol (SCCP) ALG information in the QFP datapath.
- smtp—Displays Simple Mail Transfer Protocol (SMTP) ALG information in the QFP datapath.
- sunrpc—Displays Sun RPC ALG information in the QFP datapath.
- tftp—Displays TFTP ALG information in the QFP datapath.
clear
(Optional) Clears common ALG counters after display.
Command History
Release
Modification
Cisco IOS XE Release 2.2
This command was introduced.
Cisco IOS XE Release 3.1S
This command was modified. Support for the NetBIOS protocol was added.
Cisco IOS XE Release 3.2S
This command was modified. The sip keyword was added.
Cisco IOS XE Release 3.9S
This command was modified. The gtp and pptp keywords were added.
Usage Guidelines
The show platform hardware qfp feature alg statistics netbios command displays the NetBIOS ALG memory usage and statistics information of the processor.
Examples
The following sample output from the show platform hardware qfp feature alg statistics netbios command displays the NetBIOS ALG statistics information of the processor:
Device# show platform hardware qfp active feature alg statistics netbios NetBIOS ALG Statistics: No. of allocated chunk elements in L7 data pool:0 No. of times L7 data is allocated:0 No. of times L7 data is freed:0 Datagram Service statistics Total packets :0 Direct unique packets :0 Direct group packets :0 Broadcast packets :0 DGM Error packets :0 Query request packets :0 Positive Qry response packets :0 Negative Qry response packets:0 Unknown packets :0 Total error packets :0 Name Service statistics Total packets :0 Query request packets :0 Query response packets :0 Registration req packets :0 Registration resp packets:0 Release request packets :0 Release response packets :0 WACK packets :0 Refresh packets :0 Unknown packets :0 Total error packets :0 Session Service statistics Total packets :0 Message packets :0 Request packets :0 Positive response packets:0 Negative response packets:0 Retarget response packets:0 Keepalive packets :0 Unknown packets :0 Total error packets :0The table below describes the significant fields shown in the display.
Table 6 show platform hardware qfp feature alg statistics netbios Field Descriptions Field
Description
No. of allocated chunk elements in L7 data pool
Number of memory chunks allocated for processing NetBIOS packets.
No. of times L7 data is allocated:0 No. of times L7 data is freed
Number of times memory is allocated and freed for processing NetBIOS packets.
Direct unique packets
Number of direct unique NetBIOS packets processed.
Direct group packets
Number of direct group NetBIOS packets processed.
Broadcast packets
Number of broadcast NetBIOS packets processed.
DGM Error packets
Number of Datagram Error NetBIOS packets processed.
Query request packets
Number of query request NetBIOS packets processed.
Positive Qry response packets
Number of positive query response NetBIOS packets processed.
Negative Qry response packets
Number of negative query response NetBIOS packets processed.
Unknown packets
Number of unknown packets.
Total error packets
Counter tracking number of error packets.
The following sample output from the show platform hardware qfp feature alg statistics sip command displays SIP statistics information of the processor.
Device# show platform hardware qfp active feature alg statistics sip SIP info pool used chunk entries number: 6 RECEIVE Register: 0 -> 200-OK: 0 Invite: 6 -> 200-OK: 6 Re-invite 0 Update: 0 -> 200-OK: 0 Bye: 0 -> 200-OK: 0 Subscribe: 0 -> 200-OK: 0 Refer: 0 -> 200-OK: 0 Prack: 0 -> 200-OK: 0 Trying: 0 Ringing: 6 Ack: 5 Info: 0 Cancel: 0 Sess Prog: 0 Message: 0 Notify: 0 Publish: 0 Options: 0 1xx: 0 2xx: 0 OtherReq: 0 OtherOk: 0 3xx-6xx: 0 Events Null dport: 0 Media Port Zero: 0 Malform Media: 0 No Content Length: 0 Cr Trunk Chnls: 6 Del Trunk Chnls: 0 start trunk timer: 6 restart trunk timer: 6 stop trunk timer: 6 trunk timer timeout: 0 Media Addr Zero: 0 Need More Data: 0 SIP PKT Alloc: 23 SIP PKT Free: 23 SIP MSG Alloc: 0 SIP MSG Free: 0 Errors Create Token Err: 0 Add portlist Err: 0 Invalid Offset: 0 Invalid Pktlen: 0 Free Magic: 0 Double Free: 0 Sess Retmem Failed: 0 Sess Malloc Failed 0 Pkt Retmem Failed: 0 Pkt Malloc Failed: 0 Msg Retmem Failed: 0 Msg Malloc Failed: 0 Bad Format: 0 Invalid Proto: 0 Add ALG state Fail: 0 No Call-id: 0 Parse SIP Hdr Fail: 0 Parse SDP Fail: 0 Error New Chnl: 0 Huge Size: 0 Create Failed: 0 Not SIP Msg: 0 Writeback Errors Offset Err: 0 PA Err: 0 No Info: 0The table below describes the significant fields shown in the display.
Table 7 show platform hardware qfp feature alg statistics sip Field Descriptions Field
Description
Register
Registers the address listed in the To field of the SIP ALG header with a SIP server.
Invite
Indicates that a user or a service is invited to participate in a call session.
Bye
Terminates a call. This message can be sent either by the caller or the called party.
Refer
Indicates that the user (recipient) should contact a third party for transferring a call.
PRACK
Improves the network reliability by adding an acknowledgment system to the provisional responses. PRACK is a Provisional Response Acknowledgment message.
The following sample output from the show platform hardware qfp feature alg statistics gtp command displays GTP (GTPv0, GTPv1, and GTPv2) ALG information. The field descriptions are self-explanatory.
Device# show platform hardware qfp active feature alg statistics gtp Global info: Total pkts passed inspection:0 GTP V0: Request: 0, Response: 0, Data: 0, Unknown: 0 GTP V1: Request: 0, Response: 0, Data: 0, Unknown: 0 GTP V2: Request: 0, Response: 0, Data: 0, Unknown: 0 VFRed packets: 0 Drop counters: Total dropped: 0 Fatal error: Internal SW error: 0 Packets subject to policy inspection: Policy not-exist: 0 Policy dirty-bit set: 0 Policy-mismatch: 0 GTP global Info: GTP message rejected: 0 GTP Request wasn't found: 0 GTP info element is missing: 0 GTP info element is incorrect: 0 GTP info element out of order: 0 GTP Request retransmit: 0 GTPv0 Info: Message rejected: 0 Request wasn't found: 0 Info element is missing: 0 Info element is incorrect: 0 Info element out of order: 0 Request retransmit: 0 GTPv1 Info: Message rejected: 0 Request wasn't found: 0 Info element is missing: 0 Info element is incorrect: 0 Info element out of order: 0 Request retransmit: 0 GTPv2 Info: Message rejected: 0 Request wasn't found: 0 Info element is missing: 0 Info element is incorrect: 0 Info element out of order: 0 Request retransmit: 0 Memory management: GTP ctxt - allocated: 0, freed: 0, failed: 0 GTP Primary - allocated: 0, freed: 0, failed: 0 GTP Secondary - allocated: 0, freed: 0, failed: 0 GTP Tunnel DB - allocated: 0, freed: 0, failed: 0 GTP Req/Res - allocated: 0, freed: 0, failed: 0 GTP Req/Resp entry - allocated: 0, freed: 0, failed: 0 GTPv2 Session - allocated: 0, freed: 0, failed: 0 GTPv2 Bearer - allocated: 0, freed: 0, failed: 0show platform hardware qfp act feature ipsec datapath memory
To display debugging information about the consumption of IPsec datapath memory, use the show platform hardware qfp act feature ipsec datapath memory command in privileged EXEC or diagnostic mode.
show platform hardware qfp active feature ipsec
To display IPsec feature-specific information in the IPsec Cisco Quantum Flow Processor (QFP), use the show platform hardware qfp active feature ipsec command in the privileged EXEC mode.
show platform hardware qfp active feature ipsec { event-monitor| interface interface-name | spi| sp-obj number | spd | { all | qfp-spd-number | [ ace spd-class-group-id | [ qfp-spd-class-id ] ] } }
Syntax Description
event-monitor Displays IPsec monitored events and event-count thresholds.
interface interface-name Displays QFP information for the specified interface.
spi Displays QFP IPsec security parameter index (SPI) information.
sp-obj number Displays security policy information. The range is from 0 to 4294967295.
spd Displays Security Policy Database (SPD) information.
state Displays QFP IPsec state information.
all Displays information about all SPDs.
qfp-spd-number Specific handle in IPsec Cisco QFP.
ace (Optional) Displays information about QFP IPsec SPD Cisco Application Control Engine (ACE).
spd-class-group-id (Optional) SPD class group ID in Cisco ACE.
qfp-spd-class-id (Optional) QFP class ID.
Command History
Release Modification Cisco IOS XE Release 3.9S
This command was introduced on the Cisco ASR 1000 Series Aggregation Services Routers.
Cisco IOS 12.2 XN
The event-monitor type keyword was added.
Usage Guidelines
This command displays information that can help you to troubleshoot issues about IPsec flows.
Examples
The following is a sample output of the show platform hardware qfp active feature ipsec event-monitor command. (The fields in the output are self-explanatory.)
Device# show platform hardware qfp active feature ipsec event-monitor AntiReplay Threshold Setting: 1 Decryption Threshold Setting: 1000 Encryption Threshold Setting: 0The following is a sample output from the show platform hardware qfp active feature ipsec interface command:
Device# show platform hardware qfp active feature ipsec interface gigabitEthernet 1/1/3 QFP ipsec intf sub-block Information Ingress subblock for interface : 10 spd_id : 1 flags: 8000 (INTF ENABLED) spi tbl ptr: 0x898e4c00 num labels: 1 cce_w0: 0x10004 cce_w1: 0x1084441 def_q: 0x0 pri_q: 0x0 Ingress Statistics: pkts decrypted: 1 pkts sent to crypto: 1 pkts recv from crypt: 1 pkts failed decryption: 0 pkts failed policy check: 0 Egress subblock for interface : 10 spd_id : 1 flags: 8000 (INTF ENABLED) spi tbl ptr: 0x0 num labels: 1 cce_w0: 0x10004 cce_w1: 0x1084441 def_q: 0x0 pri_q: 0x0 Egress Statistics: pkts encrypted : 1 pkts sent to crypto : 1 pkts recv from crypt: 1 pkts failed encryption: 0The following table describes the significant fields shown in the display.
Table 8 show platform hardware qfp active feature ipsec interface Field Descriptions Field
Description
Ingress subblock for interface
Incoming block for the interface.
spd_id
SPD identifier.
flags
Flags set for the interface.
spi tbl ptr
SPI table pointer.
num labels
Numerical labels.
def_q
Deferral queue.
pri_q
Priority queue.
Ingress Statistics
Incoming statistics.
pkts decrypted
Number of packets decrypted.
pkts sent to crypto
Number of packets sent to the crypto engine.
pkts recv from crypt
Number of packets received from the crypto engine.
pkts failed decryption
Number of packets that failed decryption.
pkts failed policy check
Number of packets that failed security policy check.
Egress subblock for interface
Outgoing block for the interface.
Egress Statistics
Outgoing statistics.
pkts encrypted
Number of packets encrypted.
pkts failed encryption
Number of packets that failed encryption.
The following is a sample output from the show platform hardware qfp active feature ipsec spi command:
Device# show platform hardware qfp active feature ipsec spi QFP IPSEC SPI TABLE: IDX SPI PPE_ADDR NXT_PPE PROTO VRF SPD SA ADDR --------------------------------------------------------------------------------------------- 0x992 0x95002492 0x89afb420 0x0 0x32 0 1 7 IPV4The following table describes the significant fields shown in the display.
Table 9 show platform hardware qfp active feature ipsec spi Field Descriptions Field
Description
IDX
Identifier.
SPI
SPI.
PPE_ADDR
Memory address where the SPI is stored in the QFP.
NXT_PPE
Address of the next SPI.
PROTO
IPSec protocol of the SA which is associated with the SPI.
VRF
Virtual routing and forwarding id of the SA.
SPD
QFP handle of the SPD that the SPI belongs to.
SA
QFP handle of the SA that the SPI belongs to.
Addr
Type of address.
The following is a sample output from the show platform hardware qfp active feature ipsec sp-obj command for SP ID 1:
Device# show platform hardware qfp active feature ipsec sp-obj 4 QFP ipsec sp Information QFP sp id: 4 pal sp id: 6 QFP spd id: 1 number of intfs: 0 cgid.cid.fid.rid: 1.2.2.1The following table describes the significant fields shown in the display.
Table 10 show platform hardware qfp active feature ipsec sp-obj Field Descriptions Field
Description
QFP sp id
QFP SP identifier.
QFP spd id
QFP SPD identifier.
number of intfs
Number of interfaces.
The following is a sample output from the show platform hardware qfp active feature ipsec spd all command:
Device# show platform hardware qfp active feature ipsec spd all Current number CONTEXTs: 8 Current number SPDs: 1 Current number SPs: 5 Current number SAs: 2 Active IN SAs: 1 (pending: 0) Active OUT SAs: 1 (pending: 0) ---spd_id--------cg_id-----------num of intf--- 1 1 1The following table describes the significant fields shown in the display.
Table 11 show platform hardware qfp active feature ipsec spd all Field Descriptions Field
Description
Current number CONTEXTs
Number of SPD contexts in the system.
Current number SPDs
Number of SPDs in the system.
Current number SPs
Number of SPs in the system.
Current number SAs
Number of SAs in the system.
Active IN SAs
Number of active SAs.
spd_id
SPD identifier.
cg_id
Class group identifier.
num of intf
Number of interfaces.
The following is a sample output from the show platform hardware qfp active feature ipsec spd command for SPD ID 1:
Device# show platform hardware qfp active feature ipsec spd 1 QFP id: 1 pal id: 1 num of aces: 6 num of intfs: 1 first intf name: GigabitEthernet1/1/3 cgid: 1 num of cm: 3 cce_w0: 0x10004 cce_w1: 0x1084441 ---cgid.cid.fid----------num of aces--- 1.1.1 2 1.2.2 2 1.3.3 2The following table describes the significant fields shown in the display.
Table 12 show platform hardware qfp active feature ipsec spd Field Descriptions Field
Description
QFP id
QFP identifier.
num of aces
Number of Cisco Application Control Engines (ACEs).
num of intfs
Number of interfaces.
first intf name
Name of the first interface.
The following is a sample output from the show platform hardware qfp active feature ipsec state command:
Device# show platform hardware qfp active feature ipsec state QFP IPSEC state: Message counter: Type Request Reply (OK) Reply (Error) ----------------------------------------------------------------------- Initialize 1 1 0 SPD Create 1 1 0 SPD Intf Bind 1 1 0 SPD CM Bind 3 3 0 SP Create 5 5 0 In SA Add 1 1 0 Intf Enable 1 1 0 Bulk SA Stats 128 128 0 CGM Begin Batch 4 4 0 CGM End Batch 4 4 0 Inv SPI Notify 0 2 0 Out SA Add Bind 1 1 0The following table describes the significant fields shown in the display.
Table 13 show platform hardware qfp active feature ipsec state Field Descriptions Field
Description
Message counter
Number of messages.
Initialize
Number of messages exchanged to initialize a connection.
SPD Create
Number of messages exchanged to create an SPD.
SPD Intf Bind
Number of messages exchanged to bind the SPD interface.
SPD CM Bind
Number of messages exchanged to bind to the SPD crypto map.
SP Create
Number of messages exchanged to create an SP.
In SA Add
Number of messages exchanged to create an inbound SA.
Intf Enable
Number of messages exchanged to enable an interface.
Bulk SA Stats
SA statistics.
CGM Begin Batch
Number of messages exchanged to start Class Group Manager (CGM).
CGM End Batch
Number of messages exchanged to end CGM.
Inv SPI Notify
Number of messages exchanged to notify an inverse SPI.
Out SA Add Bind
Number of messages exchanged to create an outbound SA.
show platform hardware qfp feature alg statistics sip
To display Session Initiation Protocol (SIP) application layer gateway (ALG)-specific statistics information in the Cisco Quantum Flow Processor (QFP), use the show platform hardware qfp feature alg statistics sip command in privileged EXEC mode.
show platform hardware qfp feature alg statistics sip [ clear | dbl [ all | clear | entry entry-string [ clear ] ] | dblcfg | l7data { callid call-id | clear } | processor | timer ]
Syntax Description
clear (Optional) Clears ALG counters after display.
dbl (Optional) Displays brief information about all SIP blacklist data.
all (Optional) Displays all dynamic blacklist entries: blacklisted and non blacklisted entries.
entry entry-string (Optional) Clears the specified blacklist entry.
dblcfg (Optional) Displays all SIP blacklist settings.
l7data (Optional) Displays brief information about all SIP Layer 7 data.
callid call-id (Optional) Displays information about the specified SIP call ID.
processor (Optional) Displays SIP processor settings.
timer (Optional) Displays SIP timer settings.
Command History
Usage Guidelines
This command displays the following error details:A blacklist is a list of entities that are denied a particular privilege, service, or access.
Examples
The following is sample output from the show platform hardware qfp active feature alg statistics sip command:
Device# show platform hardware qfp active feature alg statistics sip Events ... Cr dbl entry: 10 Del dbl entry: 10 Cr dbl cfg entry: 8 Del dbl cfg entry: 4 start dbl trig tmr: 10 restart dbl trig tmr: 1014 stop dbl trig tmr: 10 dbl trig timeout: 1014 start dbl blk tmr: 0 restart dbl blk tmr: 0 stop dbl blk tmr: 0 dbl blk tmr timeout: 0 start dbl idle tmr: 10 restart dbl idle tmr: 361 stop dbl idle tmr: 1 dbl idle tmr timeout: 9 DoS Errors Dbl Retmem Failed: 0 Dbl Malloc Failed: 0 DblCfg Retm Failed: 0 DblCfg Malloc Failed: 0 Session wlock ovflw: 0 Global wlock ovflw: 0 Blacklisted: 561The table below describes the significant fields shown in the display.
Table 14 show platform hardware qfp active feature alg statistics sip Field Descriptions Field
Description
CR dbl entry
Number of dynamic blacklist entries.
start dbl blk tmr
Number of events that have started the dynamic blacklist timer.
stop dbl idle tmr
Number of events that have stopped the dynamic blacklist idle timer.
Del dbl entry
Number of dynamic blacklist entries deleted.
restart dbl trig tmr
Number of dynamic blacklist trigger timers restarted.
dbl trig timeout
Number of dynamic blacklist trigger timers timed out.
restart dbl blk tmr
Number of dynamic blacklist timers to be restarted.
dbl idle tmr timeout
Number of dynamic blacklist idle timers timed out.
DoS Errors
Denial of service (DoS) related errors.
Dbl Retmem Failed
Number of dynamic blacklist return memory failures.
DblCfg Retm Failed
Number of dynamic blacklist configuration return memory failures.
Session wlock ovflw
Number of packets that are dropped because the session-level write lock number is exceeded.
Blacklisted
Number of packets dropped by dynamic blacklisting.
Dbl Malloc Failed
Number of dynamic blacklist memory allocation failures.
DblCfg Malloc Failed
Number of dynamic blacklist configuration memory allocation failures.
Global wlock ovflw
Number of packets dropped because the global-level write-lock number is exceeded.
The following is sample output from the show platform hardware qfp active feature alg statistics sip dbl entry command:
Device# show platform hardware qfp active feature alg statistics sip dbl entry a4a051e0a4a1ebd req_src_addr: 10.74.30.189 req_dst_addr: 10.74.5.30 trigger_period: 1000(ms) block_timeout: 30(sec) idle_timeout: 60(sec) dbl_flags: 0x 1 cfg_trig_cnt: 5 cur_trig_cnt: 0The table below describes the significant fields shown in the display.
Table 15 show platform hardware qfp active feature alg statistics sip Field Descriptions Field
Description
req_src_addr
Source IP address of a SIP request message.
trigger_period
Dynamic blacklist trigger period.
idle_timeout
Dynamic blacklist idle timeout entry.
cfg_trig_cnt
Configured trigger counter.
req_dst_addr
Destination IP address of a SIP request message.
block_timeout
Dynamic blacklist block timeout.
dbl_flags
Dynamic blacklist entry flags.
cur_trig_cnt
Current trigger counter.
show platform hardware qfp feature firewall
To display firewall feature-specific information in the Cisco Quantum Flow Processor (QFP), use the show platform hardware qfp feature firewall command in privileged EXEC mode.
show platform hardware qfp { active | standby } feature firewall { memory | runtime | client { l7 policy { zone-pair-id layer4-class-id | all } | statistics } | sess-query-context | session { create | delete | more } session-context number-of-sessions [ zonepair zonepair-id ] | zonepair zonepair-id }
Syntax Description
active Displays the active instance of the processor.
standby Displays the standby instance of the processor.
memory Displays information about the Cisco QFP firewall datapath memory.
runtime Displays information about the Cisco QFP firewall datapath runtime.
client Displays information about the Cisco QFP firewall client.
l7 policy zone-pair-id layer4-class-id Displays information about the Layer 7 policy that has the specified zone-pair ID and Layer 4 class ID.
all Displays information about all Cisco QFP firewall client Layer 7 policies.
statistics Displays information about Cisco QFP firewall client statistics.
sess-query-context Displays information about Cisco QFP firewall session query context.
session Displays information about the Cisco QFP firewall sessions.
create Creates new show session contexts.
delete Deletes the specified session context.
more Reads all configured sessions that have the specified context.
session-context Session context. Valid values are 0 to 4294967295.
number-of-sessions Number of sessions to read. Valid values are from 0 to 4294967295.
zonepair zonepair-id Displays information about Cisco QFP firewall zone pairs. Valid values are from 0 to 4294967295.
Command History
Release Modification Cisco IOS XE Release 3.9S
This command was introduced.
Cisco IOS XE Release 3.11S
This command was modified. The command output was modified to include the number of simultaneous packets per flow.
Usage Guidelines
Use this command to troubleshoot firewall issues related to memory usage, runtime errors, and so on.
Examples
The following is sample output from the show platform hardware qfp active feature firewall memory command:
Device# show platform hardware qfp active feature firewall memory ==FW memory info== Chunk-Pool Allocated Total_Free Init-Num Low_Wat ------------------------------------------------------------ scb 0 16384 16384 4096 hostdb 0 5120 5120 1024 ICMP Error 0 256 256 128 teardown 0 160 160 80 ha retry 0 2048 2048 512 dst pool 0 5120 5120 1024 ------------Total History---------- Chunk-Pool Inuse |Allocated Freed Alloc_Fail| ------------------------------------------------------------ scb 0 0 0 0 hostdb 0 0 0 0 ICMP Error 0 0 0 0 dst pool 0 0 0 0 Table-Name Address Size ----------------------------------------- ----------------------------------------- scb 0x8bc80000 65536 hostdb 0x89941c00 1024 zonepair 0x89950400 1024 dchannel 0x8994cc00 2048 FW persona timer tbl address 0x8c271020 entries: 131072 num_tbls 9 stagger 17, FW persona hostdb mtx (lock address): 0x89942c00 FW persona ICMP Error pool address: 0x89956820 FW persona un-created sessions due to max session limit: 0 FW persona agg-age sess teardown halfopen: 0, non-halfopen: 0The following is sample output from the show platform hardware qfp active feature firewall runtime command:
Device# show platform hardware qfp active feature firewall runtime FW internal: stop_traffic 0x0 global 0xa2400021 HA State Allow New Sess FW Configured (0x00000020) VRF Rsrc Chk (0x00400000) Syslog Deployed (0x02000000) VRF Enabled (0x20000000) B2B HA Enabled (0x80000000) global2 0x192c0012 Global number of simultaneous packet per session allowed 44 <<<<<<<<<<<< Default number of simultaneous packet per session allowed 25 debug 0x00008041 . . .The following is sample output from the show platform hardware qfp active feature firewall client statistics command:
Device# show platform hardware qfp active feature firewall client statistics Zonepair table entry count: 1 Filler block count: 0 Action block count: 0 L7 params block count: 0 Statistics table count: 0 Statistics block count: 0 Class name table entry count: 0 Number of vrf interfaces with zone: 0 Number of zoned interfaces: 2 Number of zones: 2 Number of zone pairs with policy: 0 Inspect parameter map count: 3 VRF related objects: VRF-ParameterMap count: 1, VRF-ParameterMap Binding count: 0 Zone related objects: Zone-ParameterMap count: 0, Zone-ParameterMap Binding count: 0 SCB pool: number of entries: 16384, entry limit: 1048576, size: 4719008, number of additions: 0 Synflood Hostdb pool: number of entries: 5120, entry limit: 0, size: 573856, number of additions: 0 Session Teardown pool: number of entries: 160, entry limit: 0, size: 5536, number of additions: 0 Syncookie Destination pool: number of entries: 5120, entry limit: 262144, size: 410016, number of additions: 0The following is sample output from the show platform hardware qfp active feature firewall zonepair command:
Device# show platform hardware qfp active feature firewall zonepair 1 Zonepair name:zp-ge000-ge003 | id:1 Source zone name:ge0-0-0 | id:2 Destination zone name:ge0-0-3 | id:1 Class group name:policy1 | id:14841376 lookup data in sw: 0x00010003, 0x00084441 lookup data in hw: 0x00010003, 0x00084441 Class name:c-ftp-tcp | id:13549553 Number of Protocols: 4 Protocols: 1, 2, 4, 18 Maxever number of packet per flow: 25 Filler block/Action block/Stats table addresses: 0x8967f400, 0x8d70f400, 0x898d7400 Stats blocks addresses: 0x8d716c00, 0x8d716c40, 0x8d716c80, 0x8d716cc0 Result: 0x08000000, 0x8967f400 Filler block in sw: 0x8d70f400898d7400 Filler block in hw: 0x0000000c00000000 Action block in hw: Class name:class-default | id:1593 Number of Protocols: 0 Maxever number of packet per flow: 0 Filler block/Action block/Stats table addresses: 0x8967f400, 0x8d70f400, 0x898d7400 Stats blocks addresses: 0x8d716c00, 0x8d716c40, 0x8d716c80, 0x8d716cc0 Result: 0x08000000, 0x8967f400 Filler block in sw: 0x8d70f400898d7400 Filler block in hw: 0x0000000c00000000 Action block in hw: Class name:class-default | id:1593 Number of Protocols: 0 Maxever number of packet per flow: 0 Filler block/Action block/Stats table addresses: 0x8967f408, 0x8d70f4f0, 0x898d7520 Result: 0x81000000, 0x8967f408 Filler block in sw: 0x8d70f4f0898d7520 Filler block in hw: 000000000000000000 Action block in hw:The table below describes the significant fields shown in the displays.
Table 16 show platform hardware qfp feature firewall Field Descriptions Field
Description
scb
Memory allocated for the session control block (SCB) pool.
dst pool
Memory allocated for the destination pool.
HA state
High availability status.
HSL Enabled
Number of sessions for which high-speed logging (HSL) is enabled.
teardowns
Number of queues that were torn down.
Num of ACK exceeds limit
Number of acknowledgment (ACK) requests that exceeded the configured limit.
Num of RST exceeds limit
Number of reset (RST) requests that exceeded the configured limit.
VRF Global Action Block
Information about the global virtual routing and forwarding (VRF) instance.
half-open
Information about the half-opened firewall sessions.
aggr-age high watermark low watermark
Information about the aggressive-aging high and low watermarks. Firewall sessions are aggressively aged to make room for new sessions, thereby protecting the firewall session database from filling. Aggressive aging period starts when the session table crosses the high watermark and ends when it falls below the low watermark.
show platform hardware qfp feature firewall datapath scb
To display information about the session control block of the Cisco Quantum Flow Processor (QFP), use the show platform hardware qfp feature firewall datapath scb command in privileged EXEC mode.
show platform hardware qfp { active | standby } feature firewall datapath scb [ ipv4-address | ipv4-address/mask | any | ipv6 source-ipv6-address ] [ source-port | any ] [ destination-ipv4-address | destination-ipv6-address | ipv4-address/prefix | any ] [ destination-port | any ] [ layer4-protocol | any ] [ all | imprecise | session ] [ vrf-id | any ] [ detail ]
Syntax Description
active Displays the active instance of the processor.
standby Displays the standby instance of the processor.
ipv4-address mask (Optional) IPv4 address and prefix mask.
any (Optional) Specifies any source port, destination port, Layer 4 protocol number, or virtual routing and forwarding (VRF) ID.
ipv6 source-ipv6-address (Optional) Specifies an IPv6 address.
source-port (Optional) Source port number. The range is from 0 to 65535.
destination-ipv4-address (Optional) Destination IPv4 address.
destination-ipv6-address (Optional) Destination IPv6 address.
destination-port (Optional) Destination port number. The range is from 0 to 65535.
layer4-protocol (Optional) Layer 4 protocol number. The range is from 0 to 255.
all (Optional) Specifies all firewall databases.
imprecise (Optional) Specifies the imprecise database.
session (Optional) Specifies the firewall session database.
vrf-id (Optional) VRF ID. The range is from 0 to 65535.
detail (Optional) Provides detailed information about the firewall session and imprecise databases.
Command History
Examples
The following is sample output from the show platform hardware qfp active feature firewall datapath scb any any any any any all any detail command:
Device# show platform hardware qfp active feature firewall datapath scb any any any any any all any detail [s=session i=imprecise channel c=control channel d=data channel] 192.168.2.2 1024 192.168.1.2 1024 proto 17 (0:0) [sd] pscb : 0x8bd0ddc0, bucket : 34846, fw_flags: 0x4 0x20413481, scb state: active, scb debug: 0 nxt_timeout: 360000, refcnt: 1, ha nak cnt: 0, rg: 0, sess id: 0 hostdb: 0x0, L7: 0x0, stats: 0x8d8e3740, child: 0x0 l4blk0: 29 l4blk1: 1ceabd0a l4blk2: 0 l4blk3: 805a46fd l4blk4: 0 l4blk5: 0 l4blk6: 0 l4blk7: 0 l4blk8: 0 l4blk9: 2 root scb: 0x0 act_blk: 0x8d8dbde0 ingress/egress intf: TenGigabitEthernet1/3/0 (1011), TenGigabitEthernet0/3/0 (131057) current time 43491794128 create tstamp: 25627209695 last access: 43491799244 nat_out_local_addr:port: 10.1.1.4:9 nat_in_global_addr:port: 192.0.2.5:7 syncookie fixup: 0x0 halfopen linkage: 0x0 0x0 tw timer: 0x0 0x0 0x37ed5 0xaf32111 Number of simultaneous packet per session: 70The table below describes the significant fields shown in the display.
Table 17 show platform hardware qfp feature firewall datapath scb Field Descriptions Field
Description
scb state
State for the SCB; either active or standby.
ingress/egress intf:
Incoming and outgoing interface IP addresses.
nat_out_local_addr:port:
Network Address Translation (NAT) outside local IP address and port number.
nat_in_global_addr:port:
NAT inside global IP address and port number.
Related Commands
Command
Description
parameter-map type inspect
Configures an inspect-type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action.
parameter-map type inspect global
Defines a global parameter map and enter parameter-map type inspect configuration mode.
show parameter-map type inspect
Displays user-configured or default inspect-type parameter maps.
show platform hardware qfp feature td
To display threat-defense-specific information in the Cisco QuantumFlow Processor (QFP), use the show platform hardware qfp feature td command in privileged EXEC mode.
Syntax Description
active Displays the active instance of the processor.
standby Displays the standby instance of the processor.
client Displays information about the threat defense (TD) client.
datapath Displays TD information in the datapath.
memory Displays information about the TD memory usage.
Command History
Usage Guidelines
Use this command to check the virtual TCP (vTCP) statistics that are triggered by TCP application layer gateway (ALG) sessions.
Examples
The following is sample output from the show platform hardware qfp active feature td datapath memory command:
Device# show platform hardware qfp active feature td datapath memory ==VTCP ucode info== info alloc 0, free 0, fail 0 pkt buf alloc 0, free 0, fail 0 buf size alloc 0, free 0 rx drop 0, tx drop 0, tcp drop 0, alg csum 0 sending: rx ack 0, rst 0, hold rst 0 tx payload: seg 0, rexmit 0 vtcp_info_chunk 0x8d54fcb0, totalfree: 2048, allocated: 0 vtcp_pkt_pool 0x8d5d80c0, total: 1048240, free: 1048240 vtcp_timer_wheel 0x8d6d84d0, vtcp_init 1 td_internal debug 0x0 td_global td_init 0x2 alg_debug_vtcp 0x0The table below describes the significant fields shown in the display.
Table 18 show platform hardware qfp feature td datapath memory Field Descriptions Field
Description
info alloc
vTCP allocated counts.
pkt buf alloc
Allocated packet buffer size.
buf size alloc
Allocated buffer size.
rx drop
Transmit buffer (Rx) drop. Rx is memory spaces allocated by a device to handle traffic bursts.
tx drop
Receive buffer (Tx) drop. Rx is memory spaces allocated by a device to handle traffic bursts.
show platform software firewall
To display the firewall configuration information, use the show platform software firewall command in privileged EXEC mode.
show platform software firewall { F0 | F1 | FP | R0 | R1 | RP } { active | standby } { bindings | pairs | parameter-maps | port-application-mapping | sessions | statistics | vrf-pmap-bindings | zones }
Syntax Description
F0 Displays information about the Embedded Service Processor (ESP) slot 0.
F1 Displays information about the ESP slot 1.
FP Displays information about the ESP.
R0 Displays information about the Route Processor (RP) slot 0.
R1 Displays information about the RP slot 1.
RP Displays information about the RP.
active Displays information about the active instance of the processor.
standby Displays information about the standby instance of the processor.
bindings Displays information about the configured security zone bindings.
pairs Displays information about configured security zone pairs.
parameter-maps Displays information about configured parameter maps.
port-application-mapping Displays information about the configured Port-to-Application Mapping (PAM).
sessions Displays information about existing firewall sessions.
statistics Displays firewall statistics.
vrf-pmap-bindings Displays information about the configured virtual routing and forwarding (VRF) instance and parameter map bindings.
zones Displays information about configured security zones.
Command History
Release Modification Cisco IOS XE Release 3.9S
This command was introduced.
Cisco IOS XE Release 3.11S
This command was modified. The command output was modified to display the number of simultaneous packets per flow.
Usage Guidelines
Use this command to view information about the configured firewall policies, parameter maps, security zones, and security zone-pairs.
Examples
The following is sample output from the show platform software firewall FP active parameter-maps command:
Device# show platform software firewall FP active parameter-maps Forwarding Manager Inspect Parameter-Maps Inspect Parameter Map: global, Index 1 Parameter Map Type: Parameter-Map Global Parameter-Map Alerts: On, Audits: Off, Drop-Log: Off HSL Mode: V9, Host: 10.1.1.1:9000, Port: 54174, Template: 300 sec Session Rate High: 2147483647, Session Rate Low: 2147483647, Time Duration: 60 sec Half-Open: High: 2147483647, Low: 2147483647, Host: 4294967295, Host Block Time: 0 Inactivity Times [sec]: DNS: 5, ICMP: 10, TCP: 3600, UDP: 30 Inactivity Age-out Times [sec]: ICMP: 10, TCP: 3600, UDP: 30 TCP Timeouts [sec]: SYN wait time: 30, FIN wait time: 1 TCP Ageout Timeouts [sec]: SYN wait time: 30, FIN wait time: 1 TCP RST pkt control: half-open: On, half-close: On, idle: On UDP Timeout [msec]: UDP Half-open time: 30000 UDP Ageout Timeout [msec]: UDP Half-open time: 30000 Max Sessions: Unlimited Number of Simultaneous Packet per Sessions: 0 Syn Cookie and Resource Management: Global Syn Flood Limit: 4294967295 Global Total Session : 4294967295 Global Total Session Aggressive Aging Disabled Global alert : Off Global max incomplete : 4294967295 Global max incomplete TCP: 4294967295 Global max incomplete UDP: 4294967295 Global max incomplete ICMP: 4294967295 Global max incomplete Aggressive Aging Disabled Per Box Configuration syn flood limit : 4294967295 Total Session Aggressive Aging Disabled max incomplete : 4294967295 max incomplete TCP: 4294967295 max incomplete UDP: 4294967295 max incomplete ICMP: 4294967295 max incomplete Aggressive Aging Disabled Inspect Parameter Map: vrf-default, Index 2 Parameter Map Type: VRF-Parameter-Map VRF PMAP syn flood limit : 4294967295 VRF PMAP total session : 4294967295 VRF PMAP total session Aggressive Aging Disabled VRF PMAP alert : Off VRF PMAP max incomplete : 4294967295 VRF PMAP max incomplete TCP: 4294967295 VRF PMAP max incomplete UDP: 4294967295 VRF PMAP max incomplete ICMP: 4294967295 VRF PMAP max incomplete Aggressive Aging Disabled Inspect Parameter Map: pmap-hsl, Index 3 Parameter Map Type: Parameter-Map Alerts: On, Audits: On, Drop-Log: Off Session Rate High: 2147483647, Session Rate Low: 2147483647, Time Duration: 60 sec TCP Window Scaling Loose: off session packet default Half-Open: High: 2147483647, Low: 2147483647, Host: 4294967295, Host Block Time: 0 Inactivity Times [sec]: DNS: 5, ICMP: 10, TCP: 3600, UDP: 30 Inactivity Age-out Times [sec]: ICMP: 10, TCP: 3600, UDP: 30 TCP Timeouts [sec]: SYN wait time: 30, FIN wait time: 1 TCP Ageout Timeouts [sec]: SYN wait time: 30, FIN wait time: 1 TCP RST pkt control: half-open: On, half-close: On, idle: On UDP Timeout [msec]: UDP Half-open time: 30000 UDP Ageout Timeout [msec]: UDP Half-open time: 30000 Max Sessions: Unlimited Number of Simultaneous Packet per Sessions: 0 Syn Cookie and Resource Management: Global Syn Flood Limit: 4294967295 Global Total Session : 4294967295 Inspect Parameter Map: pmap1, Index 4 Parameter Map Type: Parameter-Map Alerts: On, Audits: On, Drop-Log: Off Session Rate High: 2147483647, Session Rate Low: 2147483647, Time Duration: 60 sec TCP Window Scaling Loose: off session packet default Half-Open: High: 2147483647, Low: 2147483647, Host: 4294967295, Host Block Time: 0 Inactivity Times [sec]: DNS: 5, ICMP: 10, TCP: 3600, UDP: 30 Inactivity Age-out Times [sec]: ICMP: 10, TCP: 3600, UDP: 30 TCP Timeouts [sec]: SYN wait time: 30, FIN wait time: 1 TCP Ageout Timeouts [sec]: SYN wait time: 30, FIN wait time: 1 TCP RST pkt control: half-open: On, half-close: On, idle: On UDP Timeout [msec]: UDP Half-open time: 30000 UDP Ageout Timeout [msec]: UDP Half-open time: 30000 Max Sessions: 3000 Number of Simultaneous Packet per Sessions: 0 Syn Cookie and Resource Management: Global Syn Flood Limit: 4294967295 Global Total Session : 4294967295 Inspect Parameter Map: pmap1, Index 4 Parameter Map Type: Parameter-Map Alerts: On, Audits: On, Drop-Log: Off Session Rate High: 2147483647, Session Rate Low: 2147483647, Time Duration: 60 sec TCP Window Scaling Loose: off session packet default Half-Open: High: 2147483647, Low: 2147483647, Host: 4294967295, Host Block Time: 0 Inactivity Times [sec]: DNS: 5, ICMP: 10, TCP: 3600, UDP: 30 Inactivity Age-out Times [sec]: ICMP: 10, TCP: 3600, UDP: 30 TCP Timeouts [sec]: SYN wait time: 30, FIN wait time: 1 TCP Ageout Timeouts [sec]: SYN wait time: 30, FIN wait time: 1 TCP RST pkt control: half-open: On, half-close: On, idle: On UDP Timeout [msec]: UDP Half-open time: 30000 UDP Ageout Timeout [msec]: UDP Half-open time: 30000 Max Sessions: 3000 Number of Simultaneous Packet per Sessions: 0 Syn Cookie and Resource Management: Global Syn Flood Limit: 4294967295 Global Total Session : 4294967295The table below describes the significant fields shown in the display.
Table 19 show platform software firewall Field Descriptions Field
Description
Alerts on
Console display of stateful packet inspection alert messages. Valid values are On and Off.
Audits off
Audit trail messages. Valid values are On and Off.
HSL mode
High-speed logging (HSL) messages are logged.
Host
IP address of the host to which HSL messages are logged.
SYN wait time
Time period the software waits for a TCP session to reach the established state before dropping the session.
FIN wait time
Time period a TCP session is managed after the firewall detects a finish (FIN) exchange.
Global SYN Flood limit
Configured TCP half-open session limit before triggering the synchronization (SYN) cookie processing for new SYN packets.
The following is sample output from the show platform software firewall RP active statistics command:
Device# show platform software firewall RP active statistics Forwarding Manager Firewall Statistics Zones: 3 Adds (0 errors), 0 Mods (0 errors), 0 Deletes (0 errors) 6 Downloads (0 errors) Zone-pairs: 1 Adds (0 errors), 0 Mods (0 errors), 0 Deletes (0 errors) 2 Downloads (0 errors) Zone-bindings: 4 Adds (0 errors), 0 Mods (0 errors), 0 Deletes (0 errors) 8 Downloads (0 errors) Inspect Parameter-Maps: 0 Adds (0 errors), 0 Mods (0 errors), 0 Deletes (0 errors) 0 Downloads (0 errors) PAMs(Port Application Mapping): 0 Adds (0 errors), 0 Mods (0 errors), 0 Deletes (0 errors) 0 Downloads (0 errors) VRF Bindings: 0 Adds (0 errors), 0 Mods (0 errors), 0 Deletes (0 errors) 0 Downloads (0 errors)show platform software ipsec policy statistics
To display debugging information about the IP security policy statistics, use the show platform software ipsec policy statistics command in Privileged EXEC mode.
Examples
The following is sample output from the show platform software ipsec policy statistics command:
Router# show platform software ipsec policy statistics PAL CMD REQUEST REPLY OK REPLY ERR ABORT SADB_INIT_START 1 1 0 0 SADB_INIT_COMPLETED 1 1 0 0 SADB_DELETE 0 0 0 0 SADB_ATTR_UPDATE 1 1 0 0 SADB_INTF_ATTACH 1 1 0 0 SADB_INTF_UPDATE 0 0 0 0 SADB_INTF_DETACH 0 0 0 0 ACL_INSERT 1 1 0 0 ACL_MODIFY 0 0 0 0 ACL_DELETE 0 0 0 0 PEER_INSERT 3 3 0 0 PEER_DELETE 2 2 0 0 SPI_INSERT 151 151 0 0 SPI_DELETE 150 150 0 0 CFLOW_INSERT 3 151 0 0 CFLOW_MODIFY 148 148 0 0 CFLOW_DELETE 2 2 0 0 OUT_SA_DELETE 150 150 0 0 TBAR_CREATE 0 0 0 0 TBAR_UPDATE 0 0 0 0 TBAR_REMOVE 0 0 0 0 PAL NOTIFY RECEIVE COMPLETE PROC ERR IGNORE NOTIFY_RP 0 0 0 0 SA_DEAD 2 2 0 0 SA_SOFT_LIFE 80 80 0 0 IDLE_TIMER 0 0 0 0 DPD_TIMER 0 0 0 0 INVALID_SPI 0 0 0 0The following table describes the significant fields shown in the display:
Table 20 show platform software ipsec policy statistics Field Descriptions Field
Description
PAL CMD
Name of a request sent from the IPsec control plane to the IPsec data plane.
REQUEST
Number of IPsec control plane requests sent.
REPLY OK
Number of successful replies sent by the IPsec data plane for the requests sent by the IPsec control plane.
REPLY ERR
Number of failed replies sent by the IPsec data plane for the requests sent by the IPsec control plane.
ABORT
Number of requests aborted because of a timeout.
PAL NOTIFY
Name of a notification sent from the IPsec data plane to the IPsec control plane.
RECEIVE
Number of IPsec data plane notifications received.
COMPLETE
Number of successful IPsec data plane notifications sent to the IPsec control plane.
PROC ERR
Number of IPsec data plane notifications that were not sent because of a process error.
IGNORE
Number of IPsec data plane notifications that can be safely ignored.
show platform software ipsec f0 encryption-processor registers
To display debugging information about the crypto engine processor registers, use the show platform software ipsec f0 encryption-processor registers command in privileged EXEC or diagnostic mode.
Usage Guidelines
This command displays debugging information for crypto engine processor registers.
show platform software ipsec f0 encryption-processor registers Forwarding Manager Encryption-processor Registers reg_addr : 00000000, reg_val : 0000ca5b reg_addr : 00000008, reg_val : 00000000 reg_addr : 00000010, reg_val : 00000000 reg_addr : 00000018, reg_val : 22f10038 reg_addr : 00000020, reg_val : 00000800 reg_addr : 00000028, reg_val : 00002040 reg_addr : 00000030, reg_val : 00000000 reg_addr : 00000038, reg_val : 23158838show platform software ipsec fp active flow
To display information about active instances of IPsec flows in the Embedded Service Processor (ESP), use the show platform software fp ipsec active flow command in privileged EXEC mode.
Syntax Description
all Displays information about all active IPsec flows in the instance.
identifier number Displays information about the specified IPsec flow in the instance. The range is from 0 to 32767.
Command History
Release Modification Cisco IOS XE Release 3.9S
This command was introduced on Cisco ASR 1000 Series Routers.
Usage Guidelines
This command displays information that can help you to troubleshoot issues about IPsec flows.
Examples
The following is sample output from the show platform software ipsec fp active flow all command:
Device# show platform software ipsec fp active flow all =========== Flow id: 1 mode: tunnel direction: inbound protocol: esp SPI: 0x95002492 local IP addr: 100.0.0.1 remote IP addr: 100.0.0.2 crypto map id: 3 SPD id: 1 ACE line number: 1 QFP SA handle: 7 crypto device id: 0 IOS XE interface id: 11 interface name: GigabitEthernet1/1/3 object state: active =========== Flow id: 2 mode: tunnel direction: outbound protocol: esp SPI: 0xfd2fa486 local IP addr: 100.0.0.1 remote IP addr: 100.0.0.2 crypto map id: 3 SPD id: 1 ACE line number: 1 QFP SA handle: 8 crypto device id: 0 IOS XE interface id: 11 interface name: GigabitEthernet1/1/3 object state: activeThe following table describes the significant fields shown in the display.
Table 22 show platform software ipsec fp active flow all Field Descriptions Field
Description
Flow id
Flow identifier.
mode
Operation mode. In this case, it is tunnel mode.
direction
Flow direction—inbound or outbound. In this case, it is outbound.
protocol
Protocol used. In this case, it is Encapsulating Security Payloads (ESP).
SPI
Security Parameters Index (SPI) that is used to identify the security association (SA).
local IP addr
IP address of the local host.
remote IP addr
IP address of the remote host.
crypto map id
Crypto map identifier.
SPD id
SPI identifier.
ACE line number
Cisco Application Control Engine (ACE) number.
QFP SA handle
Quantum Flow Processor (QFP) SA identifier.
crypto device id
Crypto device identifier.
IOS XE interface id
Interface ID in Cisco IOS XE software.
interface name
Interface name.
use path MTU
Maximum transmission unit (MTU) size.
object state
Object state.
object bind state
State of the object bound.
The following is sample output from the show platform software ipsec fp active flow command for flow ID 1:
Device# show platform software ipsec fp active flow identifier 1 =========== Flow id: 1 mode: tunnel direction: inbound protocol: esp SPI: 0x95002492 local IP addr: 100.0.0.1 remote IP addr: 100.0.0.2 crypto device id: 0 crypto map id: 3 SPD id: 1 ACE line number: 1 QFP SA handle: 7 IOS XE interface id: 11 interface name: GigabitEthernet1/1/3 Crypto SA ctx id: 0x000000002dc3bfde cipher: 3DES auth: SHA1 initial seq.number: 0 timeout, mins: 0 flags: exp time;exp traffic;DPD; Peer Flow handle: 0x0000000080000014 Time limits soft limit: 3537 hard limit: 3597 Traffic limits soft limit: 3686400 hard limit: 4608000 --------------- DPD mode: periodic rearm countdown: 0 next notify: *EXPIRED* last in packet: 0 inline_tagging: DISABLED anti-replay window: 64 SPI Selector: remote addr low: 0.0.0.0 remote addr high: 0.0.0.0 local addr low: 100.0.0.1 local addr high: 100.0.0.1 Classifier: range src IP addr low: 1.0.0.0 src IP addr high: 1.0.0.255 dst IP addr low: 2.0.0.0 dst IP addr high: 2.0.0.255 src port low: 0 src port high: 65535 dst port low: 0 dst port high: 65535 protocol low: 0 protocol high: 255 ------- Statistics octets: 100 total octets: 4718591900 packets: 1 dropped packets: 0 replay drops: 0 auth packets: 1 auth fails: 0 encrypted packets: 1 encrypt fails: 0 ---- End statistics object state: active --------------- AOM cpp aom id: 145 cgm aom id: 0 n2 aom id: 142 if aom id: 0The following table describes the significant fields shown in the display.
Table 23 show platform software ipsec fp active flow identifier Field Descriptions Field
Description
Flow id
Flow identifier.
mode
Operation mode. In this case, it is tunnel mode.
direction
Flow direction—inbound or outbound. In this case, it is outbound.
protocol
Protocol used. In this case, it is Encapsulating Security Payloads (ESP).
SPI
Security Parameters Index (SPI) that is used to identify the security association (SA).
local IP addr
IP address of the local host.
remote IP addr
IP address of the remote host.
crypto map id
Crypto map identifier.
SPD id
SPI identifier.
ACE line number
Cisco Application Control Engine (ACE) number.
QFP SA handle
Quantum Flow Processor (QFP) SA identifier.
crypto device id
Crypto device identifier.
IOS XE interface id
Interface ID in Cisco IOS XE software.
interface name
Interface name.
Crypto SA ctx id
Context identifier of the crypto SA.
cipher
Type of encryption algorithm.
auth
Type of authentication algorithm.
initial seq.number
Initial sequence number.
timeout, mins
Timeout, in minutes.
flags
Flags set for the packet flow.
Peer Flow handle
Peer flow identifier.
Time limits soft limit
Minimum permissible time limit.
Time limits hard limit
Maximum permissible time limit.
Traffic limits soft limit
Minimum permissible traffic limit.
Traffic limits hard limit
Maximum permissible traffic limit.
DPD
Dead peer detection (DPD).
mode
DPD mode. In this case, it is periodic.
rearm countdown
Rearm for DPD.
next notify
Status of next notification.
last in packet
Status of the last packet.
inline_tagging
Status of inline tagging.
anti-replay window
Status of anti-replay window.
SPI Selector
Information about SPI selection.
remote addr low
Starting range address of the remote host.
remote addr high
Highest range address of the remote host.
local addr low
Starting range address of the local host.
local addr high
Highest range address of the local host.
Classifier
Type of classification.
src IP addr low
Starting range of the source IP address.
src IP addr high
Highest range of the source IP address.
dst IP addr low
Starting range of the destination IP address.
dst IP addr high
Highest range of the destination IP address.
src port low
Starting range of the source port.
src port high
Highest range of the source port.
dst port low
Starting range of the destination port.
dst port high
Highest range of the destination port.
protocol low
Starting range of the protocol.
protocol high
Highest range of the protocol.
octets
Number of octets in the packet.
total octets
Total number of octets.
packets
Number of packets.
dropped packets
Number of packets dropped.
replay drops
Number of packets that were dropped again.
auth packets
Number of packets authenticated.
auth fails
Number of packets for which authentication failed.
encrypted packets
Number of encrypted packets.
encrypt fails
Number of packets for which encryption failed.
object state
Object state. In this case, it is active.
cpp aom id
Cisco Packet Processor Asynchronous Object Manager (AOM) identifier.
cgm aom id
Class Group Manager AOM identifier.
n2 aom id
Cavium NITROX II cryptographic coprocessor AOM identifier.
if aom id
Interface AOM identifier.
show platform software ipsec fp active spd-map
To display information about the active instances of IPsec Security Policy Database (SPD) map objects in the Embedded Service Processor (ESP), use the show platform software ipsec fp active spd-map command in privileged EXEC mode.
Syntax Description
all Displays information about all active IPsec flows in the instance.
identifier number Displays information about the specified IPsec flow in the instance. The range is from 0 to 4294967295.
Command History
Release Modification Cisco IOS XE Release 3.9S
This command was introduced on Cisco ASR 1000 Series Routers.
Usage Guidelines
SPD is an ordered list of policies applied to traffic. A policy decides if a packet requires IPsec processing, if should be allowed in clear text, or should be dropped. The IPsec SPDs are derived from user configuration of crypto maps. The Internet Key Exchange (IKE) SPD is configured by the user.
Examples
The following is sample output from the show platform software ipsec fp active spd-map all command:
Device# show platform software ipsec fp active spd-map all ======== SPD map id: 11 SPD id: 1 interface id: 11 interface name: GigabitEthernet1/1/3 inbound ACL id: 65535 local address: 0 object state: active bind state: active enable state: activeThe following table describes the significant fields shown in the display.
Table 24 show platform software ipsec fp active spd-map all Field Descriptions Field
Description
SPD map id
SPD map identifier.
SPD id
SPD identifier.
interface id
Interface identifier.
interface name
Interface name.
inbound ACL id
Inbound access control list (ACL) identifier.
local address
IP address of the local host.
object state
Object status.
bind state
Bind status.
enable state
Enable status.
The following is sample output from the show platform software ipsec fp active spd-map identifier command for ID 11:
Device# show platform software ipsec fp active spd-map identifier 11 ======== SPD map id: 11 SPD id: 1 interface id: 11 interface name: GigabitEthernet1/1/3 inbound ACL id: 65535 local address: 0 object state: active tunnel state: new bind state: active enable state: active aom id: 101The following table describes the significant fields shown in the display.
Table 25 show platform software ipsec fp active spd-map identifier Field Descriptions Field
Description
SPD map id
SPD map identifier.
SPD id
SPD identifier.
interface id
Interface identifier.
interface name
Interface name.
inbound ACL id
Inbound access control list (ACL) identifier.
local address
IP address of the local host.
object state
Object status.
tunnel state
Tunnel status.
bind state
Bind status.
enable state
Enable status.
aom id
Asynchronous Object Manager (AOM) identifier.
show platform software urpf qfp active configuration
To confirm and display the Unicast Reverse Path Forwarding (uRPF) configuration on a forwarding processor of the Cisco ASR 1000 Series Aggregation Services Routers, use the show platform software urpf qfp active configuration command in the privileged EXEC mode.
Usage Guidelines
The uRPF configuration on an IPv4 or IPv6 interface is downloaded from the route processor to a forwarding processor and the configuration is reflected on the forwarding processor. Use the show platform software urpf qfp active configuration command to display the uRPF configuration on a forwarding processor.
Examples
The following is a sample output of the show platform software urpf qfp active configuration command:
Router# show platform software urpf qfp active configuration ipv6 gigabitethernet 0/0/0.777 Forwarding Manager uRPF IPv6 Configuration on Interface Interface Index FLAGS ------------------------------------------------------------------------------- GigabitEthernet0/0/0.777 13 ACL: 1 ACL Binding AOM id: 152The following table describes the significant fields shown in the display.
show policy-firewall config
To display the firewall configuration on the router, use the show policy-firewall config command in privileged EXEC mode.
show policy-firewall config { all | class-map [ class-map-name | protocol-name ] | parameter-map [ parameter-map-name | default | global | protocol-info | regex [protocol-info-name] ] | policy-map [ policy-map-name | protocol-name ] | zone [self] | zone-pair }
Syntax Description
all
Displays the entire firewall configuration on the router.
class-map class-map-name
Displays the class-maps configured on the router.
protocol-name
Displays the protocols configured for the class-map.
parameter-map
Displays the parameter-maps configured in the router.
parameter-map-name
Displays configuration information about a specific parameter map.
default
Displays configuration information about the default inspect parameter map.
global
Displays configuration information about the global inspect parameter map.
protocol-info
Displays configuration information about the protocol-specific inspect parameter map.
regex
Displays configuration information about the regex inspect parameter map.
protocol-info-name
Displays configuration information about a specific protocol.
policy-map policy-map-name
Displays the policy maps configured on the router.
protocol-name
Displays the protocols configured for the policy map.
zone
Displays configuration information about the zones configured on the router.
self
(Optional) Displays configuration information about the system-defined zone.
zone-pair
Displays configuration information about each each zone-pair.
Examples
The following is the sample output from the show policy-firewall config all command. The field descriptions are self-explanatory.
Router# show policy-firewall config all Zone: self Description: System defined zone Parameter-map Config: Global: alert on sessions maximum 2147483647 waas disabled l2-transparent dhcp-passthrough disabled dropped-packets disabled log summary disabled max-incomplete low 2147483647 max-incomplete high 2147483647 one-minute low 2147483647 one-minute high 2147483647 Default: audit-trail off alert on max-incomplete low 2147483647 max-incomplete high 2147483647 one-minute low 2147483647 one-minute high 2147483647 udp idle-time 30 icmp idle-time 10 dns-timeout 5 tcp idle-time 3600 tcp finwait-time 5 tcp synwait-time 30 tcp max-incomplete host 4294967295 block-time 0 sessions maximum 2147483647The following example is a sample output from the show policy-firewall config class-map command:
Router# show policy-firewall config class-map c1 Class Map type inspect match-all c1 (id 1) Match access-group 101 Match protocol httpThe following example shows output related to user-defined parameter map:
Router# show policy-firewall config parameter-map params1 parameter-map type inspect params1 audit-trail off alert on max-incomplete low 2147483647 max-incomplete high 2147483647 one-minute low 2147483647 one-minute high 2147483647 udp idle-time 30 icmp idle-time 10 dns-timeout 5 tcp idle-time 3600 tcp finwait-time 5 tcp synwait-time 30 tcp max-incomplete host 4294967295 block-time 0 sessions maximum 2147483647The following example shows output related default parameter map:
Router# show policy-firewall config parameter-map default audit-trail off alert on max-incomplete low 2147483647 max-incomplete high 2147483647 one-minute low 2147483647 one-minute high 2147483647 udp idle-time 30 icmp idle-time 10 dns-timeout 5 tcp idle-time 3600 tcp finwait-time 5 tcp synwait-time 30 tcp max-incomplete host 4294967295 block-time 0 sessions maximum 2147483647The following example shows output related to global parameter map:
Router# show policy-firewall config parameter-map global alert on sessions maximum 2147483647 waas disabled l2-transparent dhcp-passthrough disabled log dropped-packets disabled log summary disabled max-incomplete low 2147483647 max-incomplete high 2147483647 one-minute low 2147483647 one-minute high 2147483647show policy-firewall mib
To display connection statistics of the firewall policy on the router, use the show policy-firewall mib command in privileged EXEC mode.
show policy-firewall mib connection-statistics { global | policy policy-name zone-pair name | L4-Protocol | L7-Protocol } { name | all }
Syntax Description
connection-statistics
Displays the statistics for one of the following selected options.
global
Displays the global connection statistics.
policy policy-name
Displays statistics for a specific firewall policy.
zone-pair name
Displays statistics for a zone pair in a specific firewall policy.
L4-Protocol name
Displays statistics for a specific Layer 4 protocol.
L7-Protocol name
Displays statistics for a specific Layer 7 protocol.
all
Displays statistics for all Layer 4 or Layer 7 protocols.
Usage Guidelines
Use this command to display the global connection statistics and the statistics per protocol in Layer 4 or Layer 7 for each policy or zone pair. Use the debug policy-firewall mib command to toggle on or off the support for MIBs in zone-based policy firewalls.
Examples
The following is sample output from five versios of the show policy-firewall mibcommand:
Router# show policy-firewall mib connection-statistics global -------------------------------------------------- Connections Attempted 26 Connections Setup Aborted 0 Connections Policy Declined 0 Connections Resource Declined 0 Connections Half Open 0 Connections Active 0 Connections Expired 25 Connections Aborted 0 Connections Embryonic 0 Connections 1-min Setup Count 0 Connections 5-min Setup Count 0 Router# show policy-firewall mib connection-statistics L4-Protocol all -------------------------------------------------- Protocol udp Connections Attempted 1 Connections Setup Aborted 0 Connections Policy Declined 0 Connections Resource Declined 0 Connections Half Open 0 Connections Active 0 Connections Aborted 0 Connections Embryonic 0 Connections 1-min Setup Count 0 Connections 5-min Setup Count 0 -------------------------------------------------- Protocol tcp Connections Attempted 25 Connections Setup Aborted 0 Connections Policy Declined 0 Connections Resource Declined 0 Connections Half Open 0 Connections Active 0 Connections Aborted 0 Connections Embryonic 0 Connections 1-min Setup Count 0 Connections 5-min Setup Count 0 Router# show policy-firewall mib connection-statistics L7-Protocol all -------------------------------------------------- Protocol http Connections Attempted 14 Connections Setup Aborted 0 Connections Policy Declined 0 Connections Resource Declined 0 Connections Half Open 0 Connections Active 0 Connections Aborted 0 Connections Embryonic 0 Connections 1-min Setup Count 0 Connections 5-min Setup Count 0 -------------------------------------------------- Protocol tacacs Connections Attempted 12 Connections Setup Aborted 0 Connections Policy Declined 0 Connections Resource Declined 0 Connections Half Open 0 Connections Active 0 Connections Aborted 0 Connections Embryonic 0 Connections 1-min Setup Count 0 Connections 5-min Setup Count 0 Router# show policy-firewall mib connection-statistics policy inout-policy zone-pair inout L4-Protocol all -------------------------------------------------- Policy inout-policy Zone-pair inout -------------------------------------------------- Protocol udp Connections Attempted 1 Connections Setup Aborted 0 Connections Policy Declined 0 Connections Resource Declined 0 Connections Half Open 0 Connections Active 0 Connections Aborted 0 -------------------------------------------------- Protocol tcp Connections Attempted 11 Connections Setup Aborted 0 Connections Policy Declined 0 Connections Resource Declined 0 Connections Half Open 0 Connections Active 0 Connections Aborted 0 Router# show policy-firewall mib connection-statistics policy inout-policy zone-pair inout L7-Protocol all -------------------------------------------------- Policy inout-policy Zone-pair inout -------------------------------------------------- Protocol tacacs Connections Attempted 12 Connections Setup Aborted 0 Connections Policy Declined 0 Connections Resource Declined 0 Connections Half Open 0 Connections Active 0 Connections Aborted 0The table below describes the significant fields shown in the displays.
Table 27 show policy-firewall mib Field Descriptions Field
Description
Connections Attempted
The total number of connection attempts sent to the firewall. This is a cumulative value.
Connections Policy Declined
The number of connection attempts that were declined due to a firewall security policy. This is a cumulative value.
Connections Resource Declined
The number of connection attempts that were declined due to firewall resource constraints. This is a cumulative value.
Connections Half Open
The number of connections that are being established with the firewall. This is a reflection of the current state of the system.
Connections Active
The number of connections that are currently active. This is a reflection of the current state of the system.
Connections Expired
The number of connections that were active and terminated. This is a cumulative value.
Connections Aborted
The number of connections that were abnormally terminated after a successful connection. This is a cumulative value.
Connections Embryonic
The number of embryonic application layer connections. This is a reflection of the current state of the system.
Connections 1-min Setup Count
The number of connections that the firewall attempts to establish per second averaged over the last 60 seconds. This is a reflection of the current state of the system.
Connections 5-min Setup Count
The number of connections that the firewall attempts to establish per second, averaged over the last 300 seconds. This is a reflection of the current state of the system.
show policy-firewall session
To display the session details of a firewall policy, use the show policy-firewall session command in privileged EXEC mode.
Usage Guidelines
Use the show policy-firewall session command to display session details. Session details can be either global, zone pair-specific, or MSRPC-specific. Global session details incorporate information about all sessions created by the firewall, and zone pair-specific details that pertain to each zone pair.
Examples
The following is sample output from the show policy-firewall session command:
Router# show policy-firewall session zone-pair Zone-pair: zone-pair-source2destination Service-policy inspect : policy-test Class-map: class-test (match-any) Inspect Number of Established Sessions = 100 Established Sessions Session 3F4DF38 (10.0.0.148:13686)=>(10.0.0.33:80) http:tcp SIS_OPEN Created 00:00:02, Last heard 00:00:01 Bytes sent (initiator:responder) [257:10494] Session 43F0F58 (10.0.0.149:13687)=>(10.0.0.33:80) http:tcp SIS_OPEN Created 00:00:02, Last heard 00:00:01 Bytes sent (initiator:responder) [274:10494] Session 3F3BD98 (10.0.0.98:13770)=>(10.0.0.33:80) http:tcp SIS_OPEN Created 00:00:02, Last heard 00:00:02 Bytes sent (initiator:responder) [251:0] Session 3F2E498 (10.0.0.104:13774)=>(10.0.0.33:80) http:tcp SIS_OPEN Created 00:00:02, Last heard 00:00:01 Bytes sent (initiator:responder) [277:10220] Session 3F3B008 (10.0.0.105:13775)=>(10.0.0.33:80) http:tcp SIS_OPEN Created 00:00:02, Last heard 00:00:01 Bytes sent (initiator:responder) [264:10220] Session 3F31AD8 (10.0.0.108:13776)=>(10.0.0.33:80) http:tcp SIS_OPEN Created 00:00:02, Last heard 00:00:01 Bytes sent (initiator:responder) [265:10220] Session 2F91030 (10.0.0.113:13780)=>(10.0.0.33:80) http:tcp SIS_OPEN Created 00:00:02, Last heard 00:00:01 Bytes sent (initiator:responder) [257:10220] Session 3F35308 (10.0.0.229:13966)=>(10.0.0.33:80) http:tcp SIS_OPEN Created 00:00:00, Last heard 00:00:00 Bytes sent (initiator:responder) [278:10494] Session 3F30B58 (10.0.0.231:13968)=>(10.0.0.33:80) http:tcp SIS_OPEN Created 00:00:00, Last heard 00:00:00 Bytes sent (initiator:responder) [257:10494] Session 3F30588 (10.0.0.234:13969)=>(10.0.0.33:80) http:tcp SIS_OPEN Created 00:00:00, Last heard 00:00:00 Bytes sent (initiator:responder) [259:10494] Number of Half-open Sessions = 8 Half-open Sessions Session 3F32298 (10.0.0.99:13068)=>(10.0.0.33:80) http:tcp SIS_OPENING Created 00:00:06, Last heard 00:00:06 Bytes sent (initiator:responder) [0:0] Session 2F8F510 (10.0.0.123:13428)=>(10.0.0.33:80) http:tcp SIS_OPENING Created 00:00:04, Last heard 00:00:04 Bytes sent (initiator:responder) [0:0] Session 3F4E128 (10.0.0.125:13430)=>(10.0.0.33:80) http:tcp SIS_OPENING Created 00:00:04, Last heard 00:00:04 Bytes sent (initiator:responder) [0:0] Session 3F4E318 (10.0.0.126:13431)=>(10.0.0.33:80) http:tcp SIS_OPENING Created 00:00:04, Last heard 00:00:04 Bytes sent (initiator:responder) [0:0] Session 3F4E6F8 (10.0.0.127:13432)=>(10.0.0.33:80) http:tcp SIS_OPENING Created 00:00:04, Last heard 00:00:04 Bytes sent (initiator:responder) [0:0] Session 43ECF68 (10.0.0.138:13561)=>(10.0.0.33:80) http:tcp SIS_OPENING Created 00:00:03, Last heard 00:00:03 Bytes sent (initiator:responder) [0:0] Session 3F4D968 (10.0.0.130:13674)=>(10.0.0.33:80) http:tcp SIS_OPENING Created 00:00:02, Last heard 00:00:02 Bytes sent (initiator:responder) [0:0] Session 3F4DB58 (10.0.0.147:13685)=>(10.0.0.33:80) http:tcp SIS_OPENING Created 00:00:02, Last heard 00:00:02 Bytes sent (initiator:responder) [0:0] Number of Terminating Sessions = 3 Terminating Sessions Session 2F9DD90 (10.0.0.203:13603)=>(10.0.0.33:80) http:tcp SIS_CLOSING Created 00:00:03, Last heard 00:00:02 Bytes sent (initiator:responder) [268:10494] Session 3F3AA38 (10.0.0.209:13844)=>(10.0.0.33:80) http:tcp SIS_CLOSING Created 00:00:01, Last heard 00:00:01 Bytes sent (initiator:responder) [251:2301] Session 43F20C8 (10.0.0.224:14070)=>(10.0.0.33:80) http:tcp SIS_CLOSING Created 00:00:00, Last heard 00:00:00 Bytes sent (initiator:responder) [264:2301] Zone-pair: zone-pair-destination2source Service-policy inspect : policy-test Class-map: class-test (match-any) InspectThe table below describes the significant fields shown in the display.
Table 28 show policy-firewall session Field Descriptions Field
Description
Number of Established Sessions
Number of established sessions. A session is established when traffic flows between the sessions.
Number of Half-open Sessions
Number of half-opened sessions. A TCP session that has not yet reached the established state is called a half-opened session.
Number of Terminating Sessions
A link or session between a pair of devices that get closed. The terminating side waits for a timeout and closes the connection between the devices. After the connection is closed, the local port of the terminating side will not be available for new connections.
The following is sample output from the show policy-firewall session zone-pair ha command:Router# show policy-firewall session zone-pair ha Session 3FAF888 (192.168.1.2:14401)=>(10.99.75.1:80) http:tcp SIS_OPEN/TCP_ESTAB Created 00:00:00, Last heard 00:00:00 Bytes sent (initiator:responder) [252:2301] HA State: ACTIVE, RG: rg_foo id 1 Session 3FAF888 (192.168.1.3:14401)=>(10.99.175.1:80) http:tcp SIS_OPEN/TCP_ESTAB Created 00:00:00, Last heard 00:00:00 Bytes sent (initiator:responder) [252:2301] HA State: STANDBY, RG: rg_fzooid 2show policy-firewall stats
To display the statistics of the firewall activity on the router, use the show policy-firewall stats command in privileged EXEC mode.
Usage Guidelines
This command provides the statistics of all the firewall activity on the router. The command displays the box-wide statistics or the statistics for each zone pair. To get all statistics, use the all keyword. Use the drop-counters keyword to display the packets dropped and grouped by their error codes. The output displays only the error codes for which the drop counter is greater than zero. If the number of packets dropped is similar for multiple error codes, the error codes are sorted in alphabetical order.
Examples
The following is sample output from the show policy-firewall stats command. The field descriptions are self-explanatory.
Router# show policy-firewall stats drop-counters REASON PACKETS DROPPED Invalid Header length 39 policy match failure 38 Police rate limiting 37 Session limiting 36 Bidirectional traffic disabled 35 SYN with data or with PSH/URG flags 34 Segment matching no TCP connection 33 Invalid Segment 32 Invalid Seq# 31 Invalid Ack (or no Ack) 30 Invalid Flags 29 Invalid Checksum 28 SYN inside current window 27 RST inside current window 26 Out-Of-Order Segment 25 Retransmitted Segment 24 Retransmitted Segment with Invalid Flags 23 Stray Segment 22 Internal Error 21 Invalid Window scale option 20 Invalid TCP options 19 No zone-pair between zones 18 One of the interfaces not being configured for zoning 17 Policy not present on zone-pair 16 DROP action found in policy-map 15show policy-firewall stats vrf
To display VPN routing and forwarding (VRF)-level policy firewall statistics, use the show policy-firewall stats vrf command in user EXEC or privileged EXEC mode.
Examples
The following is sample output from the show policy-firewall stats vrf command:
Router# show policy-firewall stats vrf vrf-default VRF: default, Parameter-Map: vrf-default Interface reference count: 1 Total Session Count(estab + half-open): 0, Exceed: 0 Total Session Aggressive Aging Period Off, Event Count: 0 Half Open Protocol Session Cnt Exceed -------- ----------- ------ All 0 0 UDP 0 0 ICMP 0 0 TCP 0 0 TCP Syn Flood Half Open Count: 0, Exceed: 0 Half Open Aggressive Aging Period Off, Event Count: 0The table below describes the significant fields shown in the display.
Table 29 show policy-firewall stats vrf Field Descriptions Field
Description
Total Session Count
Total session count.
Exceed
Number of sessions that exceeded the configured session count.
Total Session Aggressive Aging Period Off
Indicates whether aggressive aging is enabled (On) or disabled (Off).
Event Count
The number of times the event has been enabled in the past.
TCP Syn Flood Half Open Count
Number of half-open synchronization (SYN) packets that exceeded the configured SYN flood rate limit.
Half Open Aggressive Aging Period Off
Aggressive aging of half-opened sessions is not configured.
show policy-firewall stats vrf global
To display global VPN Routing and Forwarding (VRF) firewall policy statistics, use the show policy-firewall stats vrf globalcommand in user EXEC or privileged EXEC mode.
Examples
The following is sample output from the show policy-firewall stats vrf global command:
Router# show policy-firewall stats vrf global Global table statistics total_session_cnt: 0 exceed_cnt: 0 tcp_half_open_cnt: 0 syn_exceed_cnt: 0The table below describes the fields shown in the display.
Table 30 show policy-firewall stats vrf global Field Descriptions Field
Description
total_session_cnt
Total session count.
exceed_cnt
Number of sessions that exceeded the configured session count.
tcp_half_open_cnt
TCP half-open sessions configured at a global VRF level. When the configured session limit is reached, the TCP synchronization (SYN) cookie verifies the source of the half-open TCP sessions before creating more sessions. A TCP half-open session is a session that has not reached the established state.
syn_exceed_cnt
Number of SYN packets that exceeded the configured SYN flood rate limit.
show policy-firewall stats zone
To display policy firewall statistics at a zone level, use the show policy-firewall stats zone command in user EXEC or privileged EXEC mode.
Examples
The following is sample output from the show policy-firewall stats zone command:
Router# show policy-firewall stats zone zone02 Zone: zone02 Parameter-map: zonepmap TCP SYN packet conform limit: 0 TCP SYN packet exceed limit: 0 Threat Detection Statistics: Average(eps) Current(eps) Threat Total events 10-min Basic FW Drop: 0 0 0 20 10-min Inspection Drop: 0 0 0 70 10-min Syn Attack: 0 0 0 0The table below describes the significant fields shown in the display.
Table 31 show policy-firewall stats zone Field Descriptions Field
Description
Zone
Name of the zone.
Parameter-map
Name of the configured zone-type parameter map.
TCP SYN packet conform limit
Number of TCP synchronization (SYN) packets that are within the configured limit.
TCP SYN packet exceed limit
Number of TCP SYN packets that exceeded the configured SYN packet rate limit.
Basic FW Drop
Threat detection rate for firewall drop events.
Inspection Drop
Threat detection rate for firewall inspection-based drop events.
Syn Attack
Threat detection rate for SYN cookie attack events.
Related Commands
Command
Description
clear policy-firewall stats zone
Clears the policy firewall statistics counter at a zone level.
tcp syn-flood limit
Configures a limit to the number of TCP half-open sessions before triggering SYN cookie processing for new SYN packets.
threat-detection
Configures basic threat detection.
show policy-firewall summary-log
Usage Guidelines
Use this command to display the summary logs captured as follows:
- Configured flow
- Configured flow value
- Number of flows
NoteWhen the number of flows for the log summary reaches the configured flow value, some flows are not summarized.
show policy-map type inspect
To display a specified policy map, use the show policy-map type inspect command in privileged EXEC mode.
Examples
The following example displays the policy map for policy map p1:
Router # show policy-map type inspect p1 Policy Map type inspect p1 Class c1 InspectThe following example shows sample command output:
Router# show policy-map type inspect p_inside Policy Map type inspect p_inside Description: Policy map with inspect action Class c_permit Pass Class c_test Class class-defaultThe table below describes the significant fields shown in the display.
show policy-map type inspect urlfilter
To display the details of a URL filtering policy map, use the show policy-map type inspect urlfilter command in privileged EXEC mode.
Usage Guidelines
Use the show policy-map type inspect urlfiltercommand to display the details of all URL filtering policy maps. To display the details of a particular URL filtering policy map, specify the name of the policy map.
The output of the show ip urlfilter cache command displays the pages cached by a device.
Examples
The following is sample output from the show policy-map type inspect urlfilter command for a policy map named websense-policy:
Router# show policy-map type inspect urlfilter websense-policy policy-map type inspect urlfilter url-websense-policy parameter-map urlfpolicy websense websense-parameter-map class type urlfilter trusted-domain-lists allow class type urlfilter untrusted-domain-lists reset class type urlfilter block-url-keyword-lists reset class type urlfilter websense websense-map server-specified-actionshow policy-map type inspect zone-pair
To display runtime inspect type policy map statistics and other information such as sessions existing on a specified zone pair, use the show policy-map type inspect zone-pair command in privileged EXEC mode.
show policy-map type inspect zone-pair [ zone-pair-name [ sessions ] ] [sessions] ipv6 | { destination destination-ip [ sourcesource-ip ] | sourcesource-ip [ destination destination-ip ] } destination destination-ip [ sourcesource-ip ] sourcesource-ip [ destination destination-ip ]
Syntax Description
zone-pair-name
(Optional) Zone pair for which the system displays the runtime inspect type policy-map statistics.
sessions
(Optional) Displays stateful packet inspection sessions created because a policy map is applied on the specified zone pair.
ipv6
(Optional) Displays information about the IPv6 session.
destination destination-ip
(Optional) Displays information about the destination IPv4 or IPv6 address of the session.
source source-ip
(Optional) Displays information about the source IPv4 or IPv6 address of the session.
Command History
Release
Modification
12.4(6)T
This command was introduced.
12.4(9)T
This command was modified. The output was enhanced to display the police action configuration.
12.4(15)XZ
This command was integrated into Cisco IOS Release 12.4(15)XZ and implemented on the following platforms: Cisco 881 and Cisco 888.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
Cisco IOS XE Release 3.4S
This command was modified. The output was enhanced to display the General Packet Radio Service (GPRS) Tunneling Protocol (GTP) configuration.
Cisco IOS XE Release 3.6S
This command was modified. The output was enhanced to display both IPv4 and IPv6 firewall sessions.
Cisco IOS XE Release 3.9S
This command was modified. The destination, ipv6, and source keywords and thedestination-ip and source-ip arguments were added.
Usage Guidelines
If you do not specify a zone-pair name, policy maps on all zone pairs are displayed.
When packets are matched to an access group (match access-group), a protocol (match protocol), or a class map (match class-map), a traffic rate is generated for these packets. In a zone-based firewall policy, only the first packet that creates a session matches the policy. Subsequent packets in this flow do not match the filters in the configured policy, but instead match the session directly. The statistics related to subsequent packets are shown as part of the “inspect” action and are displayed using the show policy-map type inspect zone-pair sessions command.
Command Limitations
The cumulative counters in the show policy-map type inspect zone-pair command output do not increment for match statements in a nested class map configuration in Cisco IOS Releases 12.4(15)T and 12.4(20)T. The problem with the counters exists regardless of whether the top-level class map uses the match-any or match-all keyword.
The following configuration example shows the match counter problem:
class-map type inspect match-any y match protocol tcp match protocol icmp class-map type inspect match-all x match class yThe following sample output from the show policy-map type inspect zone-pair command displays cumulative counters for the above configuration (if the class map matches any class map):
Device# show policy-map type inspect zone-pair sessions policy exists on zp Zone-pair: zp Service-policy inspect : fw Class-map: x (match-any) Match: class-map match-any y 2 packets, 48 bytes <======== Cumulative class map counters are incrementing. 30 second rate 0 bps Match: protocol tcp 0 packets, 0 bytes <===== The match for the protocol is not incrementing. 30 second rate 0 bps Match: protocol icmp 0 packets, 0 bytes 30 second rate 0 bps Inspect Number of Established Sessions = 1 Established Sessions Session 53105C0 (10.1.1.2:19180)=>(10.2.1.2:23) tacacs:tcp SIS_OPEN Created 00:00:02, Last heard 00:00:02 Bytes sent (initiator:responder) [30:69] Class-map: class-default (match-any) Match: any Drop 0 packets, 0 bytesExamples
The following sample output from the show policy-map type inspect zone-pair command shows information about zone pairs zp and trusted-untrusted:
Device# show policy-map type inspect zone-pair zp Zone-pair: zp Service-policy : p1 Class-map: c1 (match-all) Match: protocol tcp Inspect Session creations since subsystem startup or last reset 0 Current session counts (estab/half-open/terminating) [0:0:0] Maxever session counts (estab/half-open/terminating) [0:0:0] Last session created never Last statistic reset never Last session creation rate 0 half-open session total 0 Class-map: c2 (match-all) Match: protocol udp Pass 0 packets, 0 bytes Class-map: class-default (match-any) Match: any Drop 0 packets, 0 bytesDevice# show policy-map type inspect zone-pair trusted-untrusted Zone-pair: trusted-untrusted Service-policy inspect : firewall-policy Class-map: class_4 (match-any) Match: protocol dbcontrol-agent Match: protocol ddns-v3 Match: protocol dhcp-failover Match: protocol discard Match: protocol dns Match: protocol dnsix Match: protocol echo Match: protocol entrust-svc-handler Inspect Packet inspection statistics [process switch:fast switch] dns packets: [0:28949015] Session creations since subsystem startup or last reset 4 Current session counts (estab/half-open/terminating) [0:0:0] Maxever session counts (estab/half-open/terminating) [1:0:0] Last session created 00:06:16 Last statistic reset never Last session creation rate 0 Last half-open session total 0
NoteOnly some protocols that undergo Layer 7 inspections have dedicated statistics; others are grouped into either TCP statistics or UDP statistics.
The following is sample output from the show policy-map type inspect zone-pair command for a GTP configuration:
Device# show policy-map type inspect zone-pair zp Zone-pair: zp Service-policy inspect : L4-Policy Class-map: L4-Class (match-all) Match: protocol gtpv0 Inspect Session creations since subsystem startup or last reset 0 Current session counts (estab/half-open/terminating) [0:0:0] Maxever session counts (estab/half-open/terminating) [0:0:0] Last session created never Last statistic reset never Last session creation rate 0 Last half-open session total 0 Service-policy inspect gtpv0 : L7-Policy Class-map: L7-Class (match-any) 0 packets, 0 bytes 30 second offered rate 0000 bps, drop rate 0000 bps Match: match mcc 772 mnc 331 Class-map: class-default (match-any) 0 packets, 0 bytes 30 second offered rate 0000 bps, drop rate 0000 bps Match: any Class-map: class-default (match-any) Match: any Drop (default action) 0 packets, 0 bytesThe following is sample output from the show policy-map type inspect zone-pair sessions command:
Device# show policy-map type inspect zone-pair sessions Zone-pair: hi2int Service-policy inspect : pg1 Class-map: c1 (match-any) Match: protocol ftp Match: protocol telnet Match: protocol smtp Match: protocol http Match: protocol tacacs Match: protocol dns Match: protocol sql-net Match: protocol https Match: protocol tftp Match: protocol gopher Match: protocol finger Match: protocol kerberos Match: protocol pop3 Match: protocol sunrpc Match: protocol msrpc Match: protocol icmp Inspect Established Sessions Session 10E28550 (10.1.1.1:50536)=>(172.16.1.1:111) sunrpc SIS_OPEN Created 00:09:44, Last heard 00:09:18 Bytes sent (initiator:responder) [108:0] Session 10E28550 (10.1.1.1:39377)=>(172.16.1.1:150) sql-net SIS_CLOSED Created 00:03:01, Last heard 00:03:01 Bytes sent (initiator:responder) [0:0] Session 10E2859C (10.1.1.1:39377)=>(172.16.1.1:110) pop3 SIS_CLOSED Created 00:02:59, Last heard 00:02:59 Bytes sent (initiator:responder) [0:0] Session 10E285E8 (10.1.1.1:39377)=>(172.16.1.1:443) https SIS_CLOSED Created 00:03:33, Last heard 00:03:33 Bytes sent (initiator:responder) [0:0] Class-map: class-default (match-any) Match: any Drop (default action) 147127 packets, 8485742 bytes
NoteIn the preceding sample output, the information displayed below the Class-map field is the traffic rate (bits-per-second) of the traffic belonging to only the connection-initiating traffic. Unless the connection setup rate is significantly high and sustained for multiple intervals over which the rate is computed, no significant data is shown for the connection.
The following sample output from the show policy-map type inspect zone-pair sessions command displays IPv6 firewall sessions:
Device# show policy-map type inspect zone-pair sessions Zone-pair: hi2int Service-policy inspect : pg1 Class-map: c1 (match-any) Match: protocol ftp Match: protocol telnet Match: protocol icmp Inspect Established Sessions Session 10E28550 ([2001:DB8::1]:50536)=>( [2001:DB8:2::1]:111) sunrpc SIS_OPEN Created 00:09:44, Last heard 00:09:18 Bytes sent (initiator:responder) [108:0] Session 10E28550 ([2001:DB8::1]:39377)=>([2001:DB8:2::1]:150) sql-net IS_CLOSED Created 00:03:01, Last heard 00:03:01 Bytes sent (initiator:responder) [0:0] Class-map: class-default (match-any) Match: any Drop (default action) 147127 packets, 8485742 bytesThe following sample output from the show policy-map type inspect zone-pair command displays the police action configuration:
Device# show policy-map type inspect zone-pair Zone-pair: zp Service-policy inspect : test-udp Class-map: check-udp (match-all) Match: protocol udp Inspect Packet inspection statistics [process switch:fast switch] udp packets: [3:4454] Session creations since subsystem startup or last reset 92 Current session counts (estab/half-open/terminating) [5:33:0] Maxever session counts (estab/half-open/terminating) [5:59:0] Last session created 00:00:06 Last statistic reset never Last session creation rate 61 Last half-open session total 33 Class-map: class-default (match-any) Match: any Drop (default action) 0 packets, 0 bytesThe table below describes the significant fields shown in the display:
Table 33 show parameter-map type inspect zone-pair Field Descriptions Field
Description
Zone-pair
Name of the configured security zone pair.
Service-policy inspect
Name of the service policy that was inspected.
Class-map
Name of the configured class map and the configured match criterion.
Match
Protocols that were configured as match criteria.
Inspect
Session details such as packets received, current session count, and total session count.
Related Commands
Command
Description
match access-group
Configures the match criteria for a class map on the basis of the specified ACL.
match class-map
Uses a traffic class as a classification policy.
match protocol
Configures the match criterion for a class map on the basis of a specified protocol.
policy-map type inspect
Creates a Layer 3 and Layer 4 or a Layer 7 (protocol-specific) inspect-type policy map.
show policy-map type inspect zone-pair urlfilter
To display the details of a URL filtering policy map--URL filter state, URL filter statistics, and URL filter server details--use the show policy-map type inspect zone-pair urlfilter command in privileged EXEC mode.
Syntax Description
zone-pair-name
(Optional) Zone pair for which the system will display the runtime inspect type policy-map statistics. Default: The requested information is shown for all zone pairs.
cache
Displays information about the URL filter cache.
detail
(Optional) Displays each entry in the cache. Because cache entries can be long, only the first few bytes are displayed.
Command Default
The URL filter information for all zone pairs is displayed. Details about the URL filtering cache are not displayed.
Command History
Release
Modification
12.4(6)T
This command was introduced.
12.4(15)XZ
This command was implemented on the following platforms: Cisco 881 and Cisco 888. The detail keyword was added to show more information about the URL filtering cache.
12.4(20)T
This command was integrated into Cisco IOS Release 12.4(20)T. The detail keyword was added to show more information about the URL filtering cache.
Examples
The following example shows sample output for a Websense URL filtering server:
Router# show policy-map type inspect zone-pair urlfilter cache Zone-pair: zp Urlfilter Websense URL Filtering is ENABLED Websense Primary server: 10.3.3.3(port : 15868) recount: 0 Current packet buffer count(in use): 0 Current cache entry count: 0 Maxever request count: 0 Maxever packet buffer count: 0 Maxever cache entry count: 0 Total requests sent to URL Filter Server :0 Total responses received from URL Filter Server :0 Total requests allowed: 0 Total requests blocked: 0 Drop (default action) packets, 0 bytes Service-policy inspect : test Class-map: test (match-all) Match: protocol http Class-map: class-default (match-any) Match: anyThe following example shows sample output for a Trend Micro URL filtering server, including the cache details:
Router# show policy-map type inspect zone-pair urlfilter cache detail policy exists on zp zp_in Zone-pair: zp_in Service-policy inspect : trend-global-policy Class-map: http-class (match-all) Match: protocol http Match: access-group 101 Inspect Packet inspection statistics [process switch:fast switch] tcp packets: [3353:0] Session creations since subsystem startup or last reset 21 Current session counts (estab/half-open/terminating) [3:0:0] Maxever session counts (estab/half-open/terminating) [4:1:1] Last session created 00:00:22 Last statistic reset never Last session creation rate 7 Maxever session creation rate 14 Last half-open session total 0 Maximum number of bytes in cache: 131072000 Time to live for eache cache entry (in hrs): 1 Total number of bytes used by cache: 442 Number of bytes used by domain type cache: 442 Number of bytes used by directory type cache: 0 ------------------------------------------------------------ URL Age Access #/ Cat::Rep (Directory cache end with /) (day:h:m:s) Idle Time ------------------------------------------------------------ example.com 0:00:00:23 28 58::100 example1.com 0:00:00:25 1 56::100 example.example2.com 0:00:00:34 1 56::100 Class-map: class-default (match-any) Match: any Drop 0 packets, 0 bytes policy exists on zp zp_out Zone-pair: zp_out Service-policy inspect : icmp_permit Class-map: icmp_permit (match-all) Match: access-group 110 Pass 0 packets, 0 bytes Class-map: class-default (match-any) Match: any Drop 0 packets, 0 bytesshow port-security
To display information about the port-security setting in EXEC command mode, use the show port-security command.
show port-security [ interface interface interface-number ]
show port-security [ interface interface interface-number ] { address | vlan }
Syntax Description
interface interface
(Optional) Specifies the interface type; possible valid values are ethernet, fastethernet, gigabitethernet, and longreachethernet.
interface-number
Interface number. Valid values are 1 to 6.
address
Displays all the secure MAC addresses that are configured on all the switch interfaces or on a specified interface with aging information for each address.
vlan
Virtual LAN.
Command History
Release
Modification
12.2(14)SX
Support for this command was introduced on the Supervisor Engine 720.
12.2(17d)SXB
Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.
12.2(18)SXE
The address keyword was added to display the maximum number of MAC addresses configured per VLAN on a trunk port on the Supervisor Engine 720 only.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
Usage Guidelines
The vlan keyword is supported on trunk ports only and displays per-Vlan maximums set on a trunk port.
The interface-number argument designates the module and port number. Valid values for interface-number depend on the specified interface type and the chassis and module that are used. For example, if you specify a Gigabit Ethernet interface and have a 48-port 10/100BASE-T Ethernet module that is installed in a 13-slot chassis, valid values for the module number are from 1 to 13 and valid values for the port number are from 1 to 48.
Examples
This example shows the output from the show port-security command when you do not enter any options:
Router# show port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) ---------------------------------------------------------------------------- Fa5/1 11 11 0 Shutdown Fa5/5 15 5 0 Restrict Fa5/11 5 4 0 Protect ---------------------------------------------------------------------------- Total Addresses in System: 21 Max Addresses limit in System: 128 Router#This example shows how to display port-security information for a specified interface:
Router# show port-security interface fastethernet 5/1 Port Security: Enabled Port status: SecureUp Violation mode: Shutdown Maximum MAC Addresses: 11 Total MAC Addresses: 11 Configured MAC Addresses: 3 Aging time: 20 mins Aging type: Inactivity SecureStatic address aging: Enabled Security Violation count: 0 Router#This example show how to display all the secure MAC addresses that are configured on all the switch interfaces or on a specified interface with aging information for each address:
Router# show port-security address Default maximum: 10 VLAN Maximum Current 1 5 3 2 4 4 3 6 4 Router#show ppp queues
To monitor the number of requests processed by each authentication, authorization, and accounting (AAA) background process, use the show ppp queuescommand inprivilegedEXEC mode.
Command History
Release
Modification
11.3(2)AA
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Use the show ppp queues command to display the number of requests handled by each AAA background process, the average amount of time it takes to complete each request, and the requests still pending in the work queue. This information can help you balance the data load between the network access server and the AAA server.
This command displays information about the background processes configured by the aaa processes global configuration command. Each line in the display contains information about one of the background processes. If there are AAA requests in the queue when you enter this command, the requests will be printed as well as the background process data.
Examples
The following example shows output from the show ppp queues command:
Router# show ppp queues Proc #0 pid=73 authens=59 avg. rtt=118s. authors=160 avg. rtt=94s. Proc #1 pid=74 authens=52 avg. rtt=119s. authors=127 avg. rtt=115s. Proc #2 pid=75 authens=69 avg. rtt=130s. authors=80 avg. rtt=122s. Proc #3 pid=76 authens=44 avg. rtt=114s. authors=55 avg. rtt=106s. Proc #4 pid=77 authens=70 avg. rtt=141s. authors=76 avg. rtt=118s. Proc #5 pid=78 authens=64 avg. rtt=131s. authors=97 avg. rtt=113s. Proc #6 pid=79 authens=56 avg. rtt=121s. authors=57 avg. rtt=117s. Proc #7 pid=80 authens=43 avg. rtt=126s. authors=54 avg. rtt=105s. Proc #8 pid=81 authens=139 avg. rtt=141s. authors=120 avg. rtt=122s. Proc #9 pid=82 authens=63 avg. rtt=128s. authors=199 avg. rtt=80s. queue len=0 max len=499The table below describes the fields shown in the example.
Table 34 show ppp queues Field Descriptions Field
Description
Proc #
Identifies the background process allocated by the aaa processes command to handle AAA requests for PPP. All of the data in this row relates to this process.
pid=
Identification number of the background process.
authens=
Number of authentication requests the process has performed.
avg. rtt=
Average delay (in seconds) until the authentication request was completed.
authors=
Number of authorization requests the process has performed.
avg. rtt=
Average delay (in seconds) until the authorization request was completed.
queue len=
Current queue length.
max len=
Maximum length the queue ever reached.
show pppoe session
To display information about currently active PPP over Ethernet (PPPoE) sessions, use the show pppoe session in privileged EXEC mode.
Syntax Description
all
(Optional) Displays detailed information about the PPPoE session.
interface type number
(Optional) Displays information about the interface on which the PPPoE session is active.
packets
(Optional) Displays packet statistics for the PPPoE session.
ipv6
(Optional) Displays PPPoE session packet statistics for IPv6 traffic
Command History
Release
Modification
12.2(4)YG
This command was introduced on the Cisco SOHO 76, 77, and 77H routers.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T and was enhanced to display information about relayed PPPoE Active Discovery (PAD) messages.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB and support was added for the Cisco 7200, 7301, 7600, and 10000 series platforms.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2 and the output following the use of the all keyword was modified to indicate if a session is Interworking Functionality (IWF)-specific or if the tag ppp-max-payload tag is in the discovery frame and accepted.
12.4(15)XF
The output was modified to display Virtual Multipoint Interface (VMI) and PPPoE process-level values.
12.4(15)T
This command was integrated into Cisco IOS Release 12.4(15)T to support VMIs in Mobile Ad Hoc Router-to-Radio Networks (MANETs).
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC.
Cisco IOS XE Release 2.5
This command was implemented on Cisco ASR 1000 series routers.
Cisco IOS XE Release 3.5S
This command was modified. The ipv6 keyword was added.
Examples
The following is sample output from the show pppoe session command:
Router# show pppoe session 1 session in FORWARDED (FWDED) State 1 session totalExamples
The following is sample output from the show pppoe session command when there is an IWF session and the ppp-max-payload tag is accepted in the discovery frame (available in Cisco IOS Release 12.2(31)SB2):
Router# show pppoe session 1 session in LOCALLY_TERMINATED (PTA) State 1 session total. 1 session of it is IWF type
The table below describes the significant fields shown in the displays.
Table 35 show pppoe session Field Descriptions Field
Description
Uniq ID
Unique identifier for the PPPoE session.
PPPoE SID
PPPoE session identifier.
RemMAC
Remote MAC address.
Port
Port type and number.
VT
Virtual-template interface.
VA
Virtual access interface.
State
Displays the state of the session, which will be one of the following:
LocMAC
Local MAC address.
Examples
The following example shows information per session for the show pppoe session all command.
Router# show pppoe session all Total PPPoE sessions 1 session id: 21 local MAC address: 0006.52a4.901e, remote MAC address: 0001.c9f2.a81e virtual access interface: Vi2.1, outgoing interface: Et1/2, IWF PPP-Max-Payload tag: 1500 15942 packets sent, 15924 received 224561 bytes sent, 222948 receivedExamples
The following example shows the output from the show pppoe session all command. This version of the display includes PPPoE credit flow statistics for the session.
Router# show pppoe session all Total PPPoE sessions 1 session id: 1 local MAC address: aabb.cc00.0100, remote MAC address: aabb.cc00.0200 virtual access interface: Vi2, outgoing interface: Et0/0 17 packets sent, 24 received 1459 bytes sent, 2561 received PPPoE Flow Control Stats Local Credits: 65504 Peer Credits: 65478 Credit Grant Threshold: 28000 Max Credits per grant: 65534 PADG Seq Num: 7 PADG Timer index: 0 PADG last rcvd Seq Num: 7 PADG last nonzero Seq Num: 0 PADG last nonzero rcvd amount: 0 PADG Timers: [0]-1000 [1]-2000 [2]-3000 [3]-4000 PADG xmit: 7 rcvd: 7 PADC xmit: 7 rcvd: 7 PADQ xmit: 0 rcvd: 0show private-hosts access-lists
To display the access lists for your Private Hosts configuration, use the show private-hosts access-lists command in privileged EXEC mode.
Examples
The following example shows how to display the Private Hosts access lists for your configuration:
Router# s how private-hosts access-lists Promiscuous ACLs Action Permit Sequence # 010 Source:0000.1111.4001 0000.0000.0000 Destination:0000.0000.0000 ffff.ffff.ffff Action Deny Sequence # 020 Source:0000.0000.0000 ffff.ffff.ffff Destination:0000.0000.0000 ffff.ffff.ffff Isolated ACLs Action Deny Sequence # 010 Source:0000.1111.4001 0000.0000.0000 Destination:0000.0000.0000 ffff.ffff.ffff Action Permit Sequence # 020 Source:0000.0000.0000 ffff.ffff.ffff Destination:0000.1111.4001 0000.0000.0000 Action Redirect Sequence # 030 Redirect index 6 Source:0000.0000.0000 ffff.ffff.ffff Destination:ffff.ffff.ffff 0000.0000.0000 Action Permit Sequence # 040 Source:0000.0000.0000 ffff.ffff.ffff Destination:0100.5e00.0000 0000.007f.ffff Source:0000.0000.0000 ffff.ffff.ffff Destination:3333.0000.0000 0000.ffff.ffff Action Deny Sequence # 050 Source:0000.0000.0000 ffff.ffff.ffff Destination:0000.0000.0000 ffff.ffff.ffff Mixed ACLs Action Permit Sequence # 010 Source:0000.1111.4001 0000.0000.0000 Destination:ffff.ffff.ffff 0000.0000.0000 Action Redirect Sequence # 020 Redirect index 6 Source:0000.0000.0000 ffff.ffff.ffff Destination:ffff.ffff.ffff 0000.0000.0000 Action Permit Sequence # 030 Source:0000.1111.4001 0000.0000.0000 Destination:0000.0000.0000 ffff.ffff.ffff Action Permit Sequence # 040 Source:0000.0000.0000 ffff.ffff.ffff Destination:0000.1111.4001 0000.0000.0000 Action Deny Sequence # 050 Source:0000.0000.0000 ffff.ffff.ffff Destination:0000.0000.0000 ffff.ffff.ffffRelated Commands
Command
Description
show fm private-hosts
Displays information about the Private Hosts feature manager.
show private-hosts configuration
Displays Private Hosts configuration information for the networking device.
show private-hosts interface configuration
Displays Private Hosts configuration information for individual interfaces.
show private-hosts configuration
To display information about the Private Hosts configuration on the router, use the show private-hosts configuration command in privileged EXEC mode.
Examples
The following example shows sample command output:
Router# show private-hosts configuration Private hosts enabled. BR INDEX 6 State 0000000F Privated hosts vlans lists: 200 Privated promiscuous MAC configuration: A '*' mark behind the mac list indicates non-existent mac-list -------------------------------------------------------------------------------- MAC-list VLAN list -------------------------------------------------------------------------------- bras-list *** Uses the isolated vlans (if any) ***The following example shows sample command output:
Router# show private-hosts configuration Private-hosts enabled Isolated vlan-list 10,12,15,200-300 Promiscuous MAC configuration: ------------------------------------------------------------------------------------ MAC-List VLAN List ----------------------------------------------------------------------------------- Bras_list 10,12,15,200-300 Mcast_server_list 10,12,15 Router#Related Commands
Command
Description
private-hosts
Enables or configures the Private Hosts feature.
private-hosts mode
Sets the switchport mode.
show fm private-hosts interface configuration
Displays the FM-related Private Hosts information.
show private-hosts interface configuration
Displays Private Hosts configuration information for individual interfaces.
show private-hosts interface configuration
To display information about the Private Hosts configuration on individual interfaces (ports), use the show private-hosts interface configuration command in privileged EXEC mode.
Examples
The following example shows sample command output:
Router# show private-hosts interface configuration Private hosts enabled Debug Events: 0 Acl: 0 API: 0 Promiscuous interface list -------------------------- GigabitEthernet1/1 promiscuous connected Facing BRAS Jupiter Isolated interface list ------------------------- FastEthernet3/1-14 isolated connected Facing DSLAM AB-125-1 Mixed mode interface list -------------------------- GigabitEthernet1/4-5 mixed connected Facing Server Mars Router#show private-hosts mac-list
To display the contents of the MAC address lists defined for Private Hosts, use the show private-hosts mac-list command in privileged EXEC mode.
Examples
The following example shows sample command output:
Router# show private-hosts mac-list MAC-List: bras-list ------------------------------------------------------------------ MAC address Description ------------------------------------------------------------------ 0000.1111.1111 BRAS-SERVERshow privilege
Command History
Release
Modification
10.3
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
show radius local-server statistics
To display the statistics for the local authentication server, use the show radius local-server statisticscommand in privileged EXEC mode.
Command History
Release
Modification
12.2(11)JA
This command was introduced on the Cisco Aironet Access Point 1100 and the Cisco Aironet Access Point 1200.
12.3(11)T
This command was integrated into Cisco IOS Release 12.3(11)T and implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.
Examples
The following output displays statistics for the local authentication server.
Router# show radius local-server statistics Successes : 11262 Unknown usernames : 0 Client blocks : 0 Invalid passwords : 8 Unknown NAS : 0 Invalid packet from NAS: 0 NAS : 10.0.0.1 Successes : 11262 Unknown usernames : 0 Client blocks : 0 Invalid passwords : 8 Corrupted packet : 0 Unknown RADIUS message : 0 No username attribute : 0 Missing auth attribute : 0 Shared key mismatch : 0 Invalid state attribute: 0 Unknown EAP message : 0 Unknown EAP auth type : 0 PAC refresh : 0 Invalid PAC received : 0 Maximum number of configurable users: 50, current user count: 11 Username Successes Failures Blocks vayu-ap-1 2235 0 0 vayu-ap-2 2235 0 0 vayu-ap-3 2246 0 0 vayu-ap-4 2247 0 0 vayu-ap-5 2247 0 0 vayu-11 3 0 0 vayu-12 5 0 0 vayu-13 5 0 0 vayu-14 30 0 0 vayu-15 3 0 0 scm-test 1 8 0The first section of statistics lists cumulative statistics from the local authenticator.
The second section lists statistics for each access point (NAS) authorized to use the local authenticator. The EAP-FAST statistics in this section include the following:
- Auto provision success--the number of PACs generated automatically
- Auto provision failure--the number of PACs not generated because of an invalid handshake packet or invalid username or password
- PAC refresh--the number of PACs renewed by clients
- Invalid PAC received--the number of PACs received that were expired, that the authenticator could not decrypt, or that were assigned to a client username not in the authenticator’s database
The third section lists stats for individual users. If a user is blocked and the lockout time is set to infinite, blocked appears at the end of the stat line for that user. If the lockout time is not infinite, Unblocked in x seconds appears at the end of the stat line for that user.
Use the clear radius local-server statistics command in privileged EXEC mode to reset local authenticator statistics to zero.
Related Commands
Command
Description
block count
Configures the parameters for locking out members of a group to help protect against unauthorized attacks.
clear radius local-server
Clears the statistics display or unblocks a user.
debug radius local-server
Displays the debug information for the local server.
group
Enters user group configuration mode and configures shared setting for a user group.
nas
Adds an access point or router to the list of devices that use the local authentication server.
radius-server host
Specifies the remote RADIUS server host.
radius-server local
Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.
reauthentication time
Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.
ssid
Specifies up to 20 SSIDs to be used by a user group.
user
Authorizes a user to authenticate using the local authentication server.
vlan
Specifies a VLAN to be used by members of a user group.
show radius server-group
To display properties for the RADIUS server group, use the show radius server-group command in user EXEC or privileged EXEC mode.
Syntax Description
server-group-name
Displays properties for the server group named. The character string used to name the group of servers must be defined using the aaa group server radiuscommand.
all
Displays properties for all the server group.
server
Displays properties for a specific server or servers in the group.
Usage Guidelines
Use the show radius server-group command to display the server groups that you defined by using the aaa group server radius command.
Examples
The following show radius server-group command output displays properties for the server group "rad_sg":
Router# show radius server-group rad_sg server group rad-sg Sharecount = 1 sg_unconfigured = FALSE Type = standard Memlocks = 1The following show radius server-group command output displays the properties for two server groups, 123 and 456, respectively. Using the aaa group server radius command, the configuration of each server group is also shown.
Router(config)# aaa new-model ! ! Router(config)# aaa group server radius 123 server 10.9.8.1 auth-port 1645 acct-port 1646 ! Router(config)# aaa group server radius 456 server 10.9.8.2 auth-port 1645 acct-port 1646 Router(config)# exit Router# show radius server-group all Server group 123 Sharecount = 1 sg_unconfigured = FALSE Type = standard Server group 456 Sharecount = 1 sg_unconfigured = FALSE Type = standard Router# show radius server-group 123 Server group 123 Sharecount = 1 sg_unconfigured = FALSE Type = standardThe table below describes the significant fields shown in the display.
Table 36 show radius server-group command Field Descriptions Field
Description
Server group
Name of the server group.
Sharecount
Number of method lists that are sharing this server group. For example, if one method list uses a particular server group, the sharecount would be 1. If two method lists use the same server group, the sharecount would be 2.
sg_unconfigured
Server group has been unconfigured.
Type
The type can be either "standard" or "nonstandard". The type indicates whether the servers in the group accept nonstandard attributes. If all servers within the group are configured with the nonstandard option, the type will be shown as "nonstandard".
Memlocks
An internal reference count for the server-group structure that is in memory. The number represents how many internal data structure packets or transactions are holding references to this server group. Memlocks is used internally for memory management purposes.
Related Commands
Command
Description
aaa group server radius
Groups different RADIUS server hosts into distinct lists and distinct methods.
show aaa servers
Displays information about the number of packets sent to and received from AAA servers.
show radius statistics
Displays the RADIUS statistics for accounting and authentication packets.
show radius statistics
To display the RADIUS statistics for accounting and authentication packets, use the show radius statistics command in user EXEC or privileged EXEC mode.
Command History
Release
Modification
12.1(3)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
15.1(1)S
This command was integrated into Cisco IOS Release 15.1(1)S. Support for the CISCO-RADIUS-EXT-MIB was added.
15.1(4)M
This command was modified. Support for the CISCO-RADIUS-EXT-MIB was added.
Examples
The following is sample output from the show radius statistics command:
Router# show radius statistics Auth. Acct. Both Maximum inQ length: NA NA 1 Maximum waitQ length: NA NA 2 Maximum doneQ length: NA NA 1 Total responses seen: 33 67 100 Packets with responses: 33 67 100 Packets without responses: 0 0 0 Access Rejects : 0 Average response delay(ms) : 1331 124 523 Maximum response delay(ms): 5720 4800 5720 Number of Radius timeouts: 8 2 10 Duplicate ID detects: 0 0 0 Buffer Allocation Failures: 0 0 0 Maximum Buffer Size (bytes): 156 327 327 Malformed Responses : 0 0 0 Bad Authenticators : 0 0 0 Source Port Range: (2 ports only) 1645 - 1646 Last used Source Port/Identifier: 1645/33 1646/69The table below describes significant fields shown in the display.
Table 37 show radius statistics Field Descriptions Field
Description
Auth.
Statistics for authentication packets.
Acct.
Statistics for accounting packets.
Both
Combined statistics for authentication and accounting packets.
Maximum inQ length
Maximum number of entries allowed in the queue that holds the RADIUS messages not yet sent.
Maximum waitQ length
Maximum number of entries allowed in the queue that holds the RADIUS messages that have been sent and are waiting for a response.
Maximum doneQ length
Maximum number of entries allowed in the queue that holds the messages that have received a response and will be forwarded to the code that is waiting for the messages.
Total responses seen
Number of RADIUS responses seen from the server. In addition to the expected packets, the number includes repeated packets and packets that do not have a matching message in the waitQ.
Packets with responses
Number of packets that received a response from the RADIUS server.
Packets without responses
Number of packets that never received a response from any RADIUS server.
Access Rejects
Number of times access requests have been rejected by a RADIUS server.
Average response delay
Average time, in milliseconds (ms), from when the packet was first transmitted to when it received a response. If the response timed out and the packet was sent again, this value includes the timeout. If the packet never received a response, this value is not included in the average.
Maximum response delay
Maximum delay, in ms, observed while gathering the average response delay information.
Number of RADIUS timeouts
Number of times a server did not respond and the RADIUS server re-sent the packet.
Duplicate ID detects
RADIUS has a maximum of 255 unique IDs. In some instances, there can be more than 255 outstanding packets. When a packet is received, the doneQ is searched from the oldest entry to the youngest. If the IDs are the same, further techniques are used to see if this response matches this entry. If this response does not match, the duplicate ID detect counter is increased.
Buffer Allocation Failures
Number of times the buffer failed to get allocated.
Maximum Buffer Size (bytes)
Displays the maximum size of the buffer.
Malformed Responses
Number of corrupted responses, mostly due to bad authenticators.
Bad Authenticators
Number of authentication failures due to shared secret mismatches.
Source Port Range: (2 ports only)
Displays the port numbers.
Last used Source Port/Identifier
Ports that were last used by the RADIUS server for authentication.
The fields in the output are mapped to Simple Network Management Protocol (SNMP) objects in the CISCO-RADIUS-EXT-MIB and are used in SNMP reporting. The first line of the report is mapped to the CISCO-RADIUS-EXT-MIB as follows:
- Maximum inQ length maps to creClientTotalMaxInQLength
- Maximum waitQ length maps to creClientTotalMaxWaitQLength
- Maximum doneQ length maps to creClientTotalMaxDoneQLength
The field "Both" in the output can be derived from the authentication and accounting MIB objects. The calculation formula for each field, as displayed in the output, is given in the table below.
Table 38 Calculation Formula for the Both field in show radius statistics Command Output show radius statistics Command Output Data
Calculation Formula for the Both Field
Maximum inQ length
creClientTotalMaxInQLength
Maximum waitQ length
creClientTotalWaitQLength
Maximum doneQ length
creClientDoneQLength
Total responses seen
creAuthClientTotalResponses + creAcctClientTotalResponses
Packets with responses
creAuthClientTotalPacketsWithResponses + creAcctClientTotalPacketsWithResponses
Packets without responses
creAuthClientTotalPacketsWithoutResponses + creAcctClientTotalPacketsWithoutResponses
Access Rejects
creClientTotalAccessRejects
Average response delay
creClientAverageResponseDelay
Maximum response delay
MAX(creAuthClientMaxResponseDelay, creAcctClientMaxResponseDelay)
Number of RADIUS timeouts
creAuthClientTimeouts + creAcctClientTimeouts
Duplicate ID detects
creAuthClientDupIDs + creAcctClientDupIDs
Buffer Allocation Failures
creAuthClientBufferAllocFailures + creAcctClientBufferAllocFailures
Maximum Buffer Size (bytes)
MAX(creAuthClientMaxBufferSize, creAcctClientMaxBufferSize)
Malformed Responses
creAuthClientMalformedResponses + creAcctClientMalformedResponses
Bad Authenticators
creAuthClientBadAuthenticators + creAcctClientBadAuthenticators
Mapping the following set of objects listed in the CISCO-RADIUS-EXT-MIB map to fields displayed by the show radius statisticscommand is straightforward. For example, the creClientLastUsedSourcePort field corresponds to the Last used Source Port/Identifier portion of the report, creAuthClientBufferAllocFailures corresponds to the Buffer Allocation Failures for authentication packets, creAcctClientBufferAllocFailure corresponds to the Buffer Allocation Failures for accounting packets, and so on.
- creClientTotalMaxInQLength
- creClientTotalMaxWaitQLength
- creClientTotalMaxDoneQLength
- creClientTotalAccessRejects
- creClientTotalAverageResponseDelay
- creClientSourcePortRangeStart
- creClientSourcePortRangeEnd
- creClientLastUsedSourcePort
- creClientLastUsedSourceId
- creAuthClientBadAuthenticators
- creAuthClientUnknownResponses
- creAuthClientTotalPacketsWithResponses
- creAuthClientBufferAllocFailures
- creAuthClientTotalResponses
- creAuthClientTotalPacketsWithoutResponses
- creAuthClientAverageResponseDelay
- creAuthClientMaxResponseDelay
- creAuthClientMaxBufferSize
- creAuthClientTimeouts
- creAuthClientDupIDs
- creAuthClientMalformedResponses
- creAuthClientLastUsedSourceId
- creAcctClientBadAuthenticators
- creAcctClientUnknownResponses
- creAcctClientTotalPacketsWithResponses
- creAcctClientBufferAllocFailures
- creAcctClientTotalResponses
- creAcctClientTotalPacketsWithoutResponses
- creAcctClientAverageResponseDelay
- creAcctClientMaxResponseDelay
- creAcctClientMaxBufferSize
- creAcctClientTimeouts
- creAcctClientDupIDs
- creAcctClientMalformedResponses
- creAcctClientLastUsedSourceId
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs .
show radius table attributes
To display a list of all attributes supported by the RADIUS subsystem, use the show radius table attributes command in user EXEC or privileged EXEC mode.
Usage Guidelines
This command enables you to verify that a required RADIUS attribute is supported in a specific release.
Examples
The following example displays the complete table attribute list from the show radius table attributes command.
Router# show radius table attributes IETF ATTRIBUTE LIST: Name User-Name Format String Name User-Password Format Binary Name CHAP-Password Format Binary Name NAS-IP-Address Format IPv4 Address Name NAS-Port Format Ulong Name Service-Type Format Enum Name Framed-Protocol Format Enum Name Framed-IP-Address Format IPv4 Address Name Framed-IP-Netmask Format IPv4 Address Name Framed-Routing Format Ulong Name Filter-Id Format Binary Name Framed-MTU Format Ulong Name Framed-Compression Format Enum Name login-ip-addr-host Format IPv4 Address Name Login-Service Format Enum Name login-tcp-port Format Ulong Name Reply-Message Format Binary Name Callback-Number Format String Name Framed-Route Format String Name Framed-IPX-Network Format IPv4 Address Name State Format Binary Name Class Format Binary Name Vendor-Specific Format Binary Name Session-Timeout Format Ulong Name Idle-Timeout Format Ulong Name Termination-Action Format Boolean Name Called-Station-Id Format String Name Calling-Station-Id Format String Name Nas-Identifier Format String Name Acct-Status-Type Format Enum Name Acct-Delay-Time Format Ulong Name Acct-Input-Octets Format Ulong Name Acct-Output-Octets Format Ulong Name Acct-Session-Id Format String Name Acct-Authentic Format Enum Name Acct-Session-Time Format Ulong Name Acct-Input-Packets Format Ulong Name Acct-Output-Packets Format Ulong Name Acct-Terminate-Cause Format Enum Name Multilink-Session-ID Format String Name Acct-Link-Count Format Ulong Name Acct-Input-Giga-Words Format Ulong Name Acct-Output-Giga-Words Format Ulong Name Event-Timestamp Format Ulong Name CHAP-Challenge Format Binary Name NAS-Port-Type Format Enum Name Port-Limit Format Ulong Name Tunnel-Type Format Enum Name Tunnel-Medium-Type Format Enum Name Tunnel-Client-Endpoint Format String Name Tunnel-Server-Endpoint Format String Name Acct-Tunnel-Connection Format String Name Tunnel-Password Format Binary Name Prompt Format Enum Name Connect-Info Format String Name EAP-Message Format Binary Name Message-Authenticator Format Binary Name Tunnel-Private-Group-Id Format String Name Tunnel-Assignment-Id Format String Name Tunnel-Preference Format Ulong Name Acct-Interim-Interval Format Ulong Name Tunnel-Packets-Lost Format Ulong Name NAS-Port-Id Format String Name Tunnel-Client-Auth-ID Format String Name Tunnel-Server-Auth-ID Format String Name Framed-Interface-Id Format Binary Name Framed-IPv6-Prefix Format Binary Name login-ip-addr-host Format Binary Name Framed-IPv6-Route Format String Name Framed-IPv6-Pool Format String Name Dynamic-Author-Error-Cause Format Enum Non Standard ATTRIBUTE LIST: Name Old-Password Format Binary Name Ascend-Filter-Required Format Enum Name Ascend-Cache-Refresh Format Enum Name Ascend-Cache-Time Format Ulong Name Ascend-Auth-Type Format Ulong Name Ascend-Redirect-Number Format String Name Ascend-Private-Route Format String Name Ascend-Shared-Profile-Enable Format Boolean Name Ascend-Client-Primary-DNS Format IPv4 Address Name Ascend-Client-Secondary-DNS Format IPv4 Address Name Ascend-Client-Assign-DNS Format Ulong Name Ascend-Session-Svr-Key Format String Name Ascend-Multicast-Rate-Limit Format Ulong Name Ascend-Multicast-Client Format Ulong Name Ascend-Multilink-Session-ID Format Ulong Name Ascend-Num-In-Multilink Format Ulong Name Ascend-Presession-Octets-In Format Ulong Name Ascend-Presession-Octets-Out Format Ulong Name Ascend-Presession-Packets-In Format Ulong Name Ascend-Presession-Packets-Out Format Ulong Name Ascend-Max-Time Format Ulong Name Ascend-Disconnect-Cause Format Enum Name Ascend-Connection-Progress Format Enum Name Ascend-Data-Rate Format Ulong Name Ascend-Presession-Time Format Ulong Name Ascend-Require-Auth Format Ulong Name Ascend-PW-Liftime Format Ulong Name Ascend-IP-Direct Format IPv4 Address Name Ascend-PPP-VJ-Slot-Comp Format Boolean Name Ascend-Asyncmap Format Ulong Name Ascend-Send-Secret Format Binary Name ascend_pool_definition Format String Name Ascend-IP-Pool Format Ulong Name Ascend-Dial-Number Format String Name Ascend-Route-IP Format Boolean Name Ascend-Send-Auth Format Enum Name Ascend-Link-Compression Format Enum Name Ascend-Target-Util Format Ulong Name Ascend-Max-Channels Format Ulong Name Ascend-Data-Filter Format Binary Name Ascend-Call-Filter Format Binary Name Ascend-Idle-Limit Format Ulong Name Ascend-Data-Service Format Ulong Name Ascend-Force-56 Format Ulong Name Ascend-Xmit-Rate Format Ulong Cisco VSA ATTRIBUTE LIST: Name Cisco AVpair Format String Name cisco-nas-port Format String Name fax_account_id_origin Format String Name fax_msg_id Format String Name fax_pages Format String Name fax_modem_time Format String Name fax_connect_speed Format String Name fax_mdn_address Format String Name fax_mdn_flag Format String Name fax_auth_status Format String Name email_server_address Format String Name email_server_ack_flag Format String Name gateway_id Format String Name call_type Format String Name port_used Format String Name abort_cause Format String Name h323-remote-address Format String Name Conf-Id Format String Name h323-setup-time Format String Name h323-call-origin Format String Name h323-call-type Format String Name h323-connect-time Format String Name h323-disconnect-time Format String Name h323-disconnect-cause Format String Name h323-voice-quality Format String Name h323-gw-id Format String Name Cisco AVpair Format Binary Name Cisco encrypted string vsa Format String Name Sub_Policy_In Format String Name Sub_Policy_Out Format String Name h323-credit-amount Format String Name h323-credit-time Format String Name h323-return-code Format String Name h323-prompt-id Format String Name h323-time-and-day Format String Name h323-redirect-number Format String Name h323-preferred-lang Format String Name h323-redirect-ip-address Format String Name h323-billing-model Format String Name h323-currency Format String Name ssg-account-info Format String Name ssg-service-info Format String Name ssg-command-code Format Binary Name ssg-control-info Format String Microsoft VSA ATTRIBUTE LIST: Name MS-CHAP-Response Format Binary Name MS-CHAP-ERROR Format Binary Name MS-CHAP-CPW-1 Format Binary Name MS-CHAP-CPW-2 Format Binary Name MS-CHAP-LM-Enc-PW Format Binary Name MS-CHAP-NT-Enc-PW Format Binary Name MS-MPPE-Enc-Policy Format Binary Name MS-MPPE-Enc-Type Format Binary Name MS-RAS-Vendor Format String Name MS-CHAP-DOMAIN Format String Name MSCHAP_Challenge Format Binary Name MS-CHAP-MPPE-Keys Format Binary Name MS-BAP-Usage Format Binary Name MS-Link-Util-Thresh Format Binary Name MS-Link-Drop-Time-Limit Format Binary Name MS-MPPE-Send-Key Format Binary Name MS-MPPE-Recv-Key Format Binary Name MS-RAS-Version Format String Name MS-Old-ARAP-Password Format Binary Name New-ARAP-Password Format Binary Name MS-ARAP-PW-Change-Reason Format Binary Name MS-Filter Format Binary Name MS-Acct-Auth-Type Format Binary Name MS-MPPE-EAP-Type Format Binary Name MS-CHAP-V2-Response Format Binary Name MS-CHAP-V2-Success Format String Name MS-CHAP-CPW-2 Format Binary Name MS-Primary-DNS Format IPv4 Address Name MS-Secondary-DNS Format IPv4 Address Name MS-1st-NBNS-Server Format IPv4 Address Name MS-2nd-NBNS-Server Format IPv4 Address Name MS-ARAP-Challenge Format Binary 3GPP VSA ATTRIBUTE LIST: Name Charging-ID Format Ulong Name PDP Type Format Enum Name Charging-Gateway-Address Format IPv4 Address Name GPRS-QoS-Profile Format String Name SGSN-Address Format IPv4 Address Name GGSN-Address Format IPv4 Address Name IMSI-MCC-MNC Format String Name GGSN-MCC-MNC Format String Name NSAPI Format String Name Session-Stop-Ind Format Binary Name Selection-Mode Format String Name Charging-Characteristics Format String 3GPP2 VSA ATTRIBUTE LIST: Name cdma-reverse-tnl-spec Format Ulong Name cdma-diff-svc-class-opt Format Ulong Name cdma-container Format String Name cdma-ha-ip-addr Format IPv4 Address Name cdma-pcf-ip-addr Format IPv4 Address Name cdma-bs-msc-addr Format String Name cdma-user-id Format Ulong Name cdma-forward-mux Format Ulong Name cdma-reverse-mux Format Ulong Name cdma-forward-rate Format Ulong Name cdma-reverse-rate Format Ulong Name cdma-service-option Format Ulong Name cdma-forward-type Format Ulong Name cdma-reverse-type Format Ulong Name cdma-frame-size Format Ulong Name cdma-forward-rc Format Ulong Name cdma-reverse-rc Format Ulong Name cdma-ip-tech Format Ulong Name cdma-comp-flag Format Enum Name cdma-reason-ind Format Enum Name cdma-bad-frame-count Format Ulong Name cdma-num-active Format Ulong Name cdma-sdb-input-octets Format Ulong Name cdma-sdb-output-octets Format Ulong Name cdma-numsdb-input Format Ulong Name cdma-numsdb-output Format Ulong Name cdma-ip-qos Format Ulong Name cdma-airlink-qos Format Ulong Name cdma-rp-session-id Format Ulong Name cdma-hdlc-layer-bytes-in Format Ulong Name cdma-correlation-id Format String Name cdma-moip-inbound Format Ulong Name cdma-moip-outbound Format Ulong Name cdma-session-continue Format Ulong Name cdma-active-time Format Ulong Name cdma-frame-size Format Ulong Name cdma-esn Format String Name cdma-mn-ha-spi Format Ulong Name cdma-mn-ha-shared-key Format Binary Name cdma-sess-term-capability Format Ulong Name cdma-disconnect-reason Format Ulong Verizon VSA ATTRIBUTE LIST: Name mip-key-data Format Binary Name aaa-authenticator Format Binary Name public-key-invalid Format BinaryThe table below describes the significant fields shown in the display.
Table 39 show radius table attributes Field Descriptions Field
Description
User-Name
The name of the user on the system. The format is String.
User-Password
The password of the user on the system. The format is Binary.
CHAP-Password
Challenge Handshake Authentication Protocol (CHAP) password. The format is Binary.
NAS-IP-Address
Network-Attached Storage (NAS) IP address. The format is IPv4 Address.
NAS-Port
The RADIUS Attribute 5 (NAS-Port) format specified on a per-server group level. The format is Ulong.
Service-Type
Sets the service type. The format is Enum.
Framed-Protocol
Indicates the framing to be used for framed access. It may be used in both Access-Request and Access-Accept packets. The format is Enum.
Framed-IP-Address
Indicates the address to be configured for the user. It may be used in Access-Accept packets. The format is IPv4 Address.
Framed-IP-Netmask
Indicates the IP netmask to be configured for the user when the user is a router to a network. The format is IPv4 Address.
Framed-Routing
Indicates the routing method for the user when the user is a router to a network. The format is Ulong.
Filter-Id
To disable, enable, get, or set a filter, the filter ID must be valid. The format is Binary.
Framed-MTU
Indicates the maximum transmission unit to be configured for the user, when it is not negotiated by some other means (such as PPP). The format is Ulong.
Framed-Compression
Indicates a compression protocol to be used for the link. The format is Enum.
login-ip-addr-host
Indicates the host to which the user will connect when the Login-Service attribute is included. The format is IPv4 Address.
Login-Service
The Login-IP-Host AVP (AVP Code 14) is of type Address and contains the system with which to connect the user, when the Login-Service AVP is included. The format is Enum.
login-tcp-port
The Login-TCP-Port AVP (AVP Code 16) is of type Integer32 and contains the TCP port with which the user is to be connected, when the Login-Service AVP is also present. The format is Ulong.
Reply-Message
Indicates text that may be displayed to the user. The format is Binary.
Callback-Number
Indicates a dialing string to be used for callback. The format is String.
Framed-Route
Provides routing information to be configured for the user on the NAS. The format is String.
Framed-IPX-Network
The Framed-IPX-Network AVP (AVP Code 23) is of type Unsigned32, and contains the IPX Network number to be configured for the user. The format is Pv4 Address.
State
Is available to be sent by the server to the client in an Access-Challenge and must be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any. The format is Binary.
Class
Is available to be sent by the server to the client in an Access-Accept and should be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported. The format is Binary.
Vendor-Specific
Is available to allow vendors to support their own extended attributes not suitable for general usage. The format is Binary.
Session-Timeout
Sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. The format is Ulong.
Idle-Timeout
Sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. The format is Ulong.
Termination-Action
Indicates what action the NAS should take when the specified service is completed. The format is Boolean.
Called-Station-Id
The Called-Station-Id AVP (AVP Code 30) is of type String and allows the NAS to send in the request the phone number that the user called, using Dialed Number Identification (DNIS) or a similar technology. The format is String.
Calling-Station-Id
The Calling-Station-Id AVP (AVP Code 31) is of type String and allows the NAS to send in the request the phone number that the call came from, using Automatic Number Identification (ANI) or a similar technology. The format is String.
Nas-Identifier
Contains a string identifying the NAS originating the access request. The format is String.
Acct-Status-Type
Indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). The format is Enum.
Acct-Delay-Time
Indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.) The format is Ulong.
Acct-Input-Octets
Indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.
Acct-Output-Octets
Indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.
Acct-Session-Id
Is a unique accounting ID to make it easy to match start and stop records in a log file. The format is String.
Acct-Authentic
Indicate how the user was authenticated, whether by Radius, the NAS itself, or another remote authentication protocol. It may be included in an Accounting-Request. The format is Enum.
Acct-Session-Time
Indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.
Acct-Input-Packets
Indicates how many packets have been received from the port over the course of this service being provided to a framed user, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.
Acct-Output-Packets
Indicates how many packets have been sent to the port in the course of delivering this service to a framed user, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.
Acct-Terminate-Cause
Indicates how the session was terminated, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Enum.
Multilink-Session-ID
Indicates the service to use to connect the user to the login host. It is only used in Access-Accept packets. The format is String.
Acct-Link-Count
Gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. The format is Ulong.
Acct-Input-Giga-Words
Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update. The format is Ulong.
Acct-Output-Giga-Words
Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update. The format is Ulong.
Event-Timestamp
Use to include the Event-Timestamp attribute in Acct-Start or Acct-Stop messages. The format is Ulong.
CHAP-Challenge
The CHAP is used to verify periodically the identity of the peer using a 3-way handshake. The format is Binary.
NAS-Port-Type
Indicates the physical port number of the NAS which is authenticating the user. The format is Enum.
Port-Limit
Sets the maximum number of ports to be provided to the user by the NAS. The format is Ulong.
Tunnel-Type
Indicates the tunneling protocol(s) to be used (in the case of a tunnel initiator) or the the tunneling protocol in use (in the case of a tunnel terminator). The format is Enum.
Tunnel-Medium-Type
Indicates which transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports. The format is Enum.
Tunnel-Client-Endpoint
Contains the address of the initiator end of the tunnel. The format is String.
Tunnel-Server-Endpoint
Indicates the address of the server end of the tunnel. The format is String.
Acct-Tunnel-Connection
Indicates the identifier assigned to the tunnel session. The format is String.
Tunnel-Password
Can contain a password to be used to authenticate to a remote server. The format is Binary.
Prompt
Used only in Access-Challenge packets, and indicates to the NAS whether it should echo the user's response as it is entered, or not echo it. The format is Enum.
Connect-Info
Is sent from the NAS to indicate the nature of the user's connection. The format is String.
EAP-Message
Encapsulates Extensible Authentication Protocol packets so as to allow the NAS to authenticate dial-in users via EAP without having to understand the protocol. The format is Binary.
Message-Authenticator
Can be used to authenticate and integrity-protect Access-Requests in order to prevent spoofing. The format is Binary.
Tunnel-Private-Group-Id
Indicates the group ID for a particular tunneled session. The format is String.
Tunnel-Assignment-Id
Used to indicate to the tunnel initiator the particular tunnel to which a session is to be assigned. The format is String.
Tunnel-Preference
Should be included in each set to indicate the relative preference assigned to each tunnel if more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator. The format is Ulong.
Acct-Interim-Interval
Indicates the number of seconds between each interim update in seconds for this specific session. The format is Ulong.
Tunnel-Packets-Lost
Indicates the number of packets lost on a given link. The format is Ulong.
NAS-Port-Id
Used to identify the IEEE 802.1X Authenticator port which authenticates the Supplicant. The format is String.
Tunnel-Client-Auth-ID
Specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. The format is String.
Tunnel-Server-Auth-ID
Specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment. The format is String.
Framed-Interface-Id
Indicates the IPv6 interface identifier to be configured for the user. The format is Binary.
Framed-IPv6-Prefix
Indicates an IPv6 prefix (and corresponding route) to be configured for the user. The format is Binary.
Framed-IPv6-Route
Provides routing information to be configured for the user on the NAS. The format is String.
Framed-IPv6-Pool
Contains the name of an assigned pool that should be used to assign an IPv6 prefix for the user. The format is String.
Dynamic-Author-Error-Cause
Specifies the error causes associated with dynamic authorization. The format is Enum.
Old-Password
Is 16 octets in length. It contains the encrypted Lan Manager hash of the old password. The format is Binary.
Ascend-Filter-Required
Specifies whether the call should be permitted if the specified filter is not found. If present, this attribute will be applied after any authentication, authorization, and accounting (AAA) filter method-list. The format is Enum.
Ascend-Cache-Refresh
Specifies whether cache entries should be refreshed each time an entry is referenced by a new session. This attribute corresponds to the cache refresh command. The format is Enum.
Ascend-Cache-Time
Specifies the idle time out, in minutes, for cache entries. This attribute corresponds to the cache clear age command. The format is Ulong.
Ascend-Auth-Type
Indicates the type of name and password (PPP) authorization to use. The format Ulong.
Ascend-Redirect-Number
Indicates the original number in the information sent to the authentication server when the number dialed by a device is redirected to another number for authentication. The format is String.
Ascend-Private-Route
Specifies whether IP routing is allowed for the user profile. The format is String.
Ascend-Shared-Profile-Enable
Specifies whether multiple incoming callers can share a single RADIUS user profile. The format is Boolean.
Ascend-Client-Primary-DNS
Specifies a primary DNS server address to send to any client connecting to the MAX TNT. The format is IPv4 Address.
Ascend-Client-Secondary-DNS
Specifies a secondary DNS server address to send to any client connecting to the MAX TNT. The format is IPv4 Address.
Ascend-Client-Assign-DNS
Specifies whether or not the MAX TNT sends the Ascend-Client-Primary-DNS and Ascend-Client-Secondary-DNS values during connection negotiation. The format is Ulong.
Ascend-Session-Svr-Key
Specifies the session key that identifies the user session. You can specify up to 16 characters. The default value is null. The format is String.
Ascend-Multicast-Rate-Limit
Specifies how many seconds the MAX waits before accepting another packet from the multicast client. The format is Ulong.
Ascend-Multicast-Client
Specifies whether the user is a multicast client of the MAX. The format is Ulong.
Ascend-Multilink-Session-ID
Specifies the ID number of the Multilink bundle when the session closes. A Multilink bundle is a multichannel MP or MP+ call. The format is Ulong.
Ascend-Num-In-Multilink
Indicates the number of sessions remaining in a Multilink bundle when the session closes. A Multilink bundle is a multichannel MP or MP+ call. The format is Ulong.
Ascend-Presession-Octets-In
Reports the number of octets received before authentication. The value reflects only the data delivered by PPP or other encapsulation. It does not include the header or other protocol-dependent components of the packet. The format is Ulong.
Ascend-Presession-Octets-Out
Reports the number of octets transmitted before authentication. The value reflects only the data delivered by PPP or other encapsulation. It does not include the header or other protocol-dependent components of the packet. The format is Ulong.
Ascend-Presession-Packets-In
Reports the number of packets received before authentication. The packets are counted before the encapsulation is removed. The attribute's value does not include maintenance packets, such as keepalive or management packets. The format is Ulong.
Ascend-Presession-Packets-Out
Reports the number of packets transmitted before authentication. The packets are counted before the encapsulation is removed. The attribute's value does not include maintenance packets, such as keepalive or management packets. The format is Ulong.
Ascend-Max-Time
Specifies the maximum length of time in seconds that any session can remain online. Once a session reaches the time limit, its connection goes offline. The format is Ulong.
Ascend-Disconnect-Cause
Indicates the reason a connection went offline. The format is Enum.
Ascend-Connection-Progress
Indicates the state of the connection before it disconnects. The format is Enum.
Ascend-Data-Rate
Specifies the rate of data received on the connection in bits per second. The format is Ulong.
Ascend-Presession-Time
Reports the length of time in seconds from when a call connected to when it completes authentication. The format is Ulong.
Ascend-Require-Auth
Specifies whether the MAX TNT requires additional authentication after Calling-Line ID (CLID) or called-number authentication. The format is Ulong.
Ascend-PW-Liftime
Specifies the number of days that a password is valid. The format is Ulong.
Ascend-IP-Direct
Specifies the IP address to which the MAX TNT redirects packets from the user. When you include this attribute in a user profile, the MAX TNT bypasses all internal routing tables, and simply sends all packets it receives on the connection's WAN interface to the specified IP address. The format is IPv4 Address.
Ascend-PPP-VJ-Slot-Comp
Instructs the MAX TNT to not use slot compression when sending VJ-compressed packets. The format is Boolean.
Ascend-Asyncmap
The format is Ulong.
Ascend-Send-Secret
Specifies the password that the RADIUS server sends to the remote end of a connection on an outgoing call. It is encrypted when passed between the RADIUS server and the MAX TNT. The format is Binary.
Ascend_pool_definition
Specifies all the addresses in the pool. The format is String.
Ascend-IP-Pool
Specifies the first address in an IP address pool, as well as the number of addresses in the pool. The format is Ulong.
Ascend-Dial-Number
Specifies the phone number the MAX TNT dials to reach the router or node at the remote end of the link. The format is String.
Ascend-Route-IP
Specifies whether IP routing is allowed for the user profile. The format is Boolean.
Ascend-Send-Auth
Specifies the authentication protocol that the MAX TNT requests when initiating a PPP or MP+ connection. The answering side of the connection determines which authentication protocol, if any, the connection uses. The format is Enum.
Ascend-Link-Compression
Turns data compression on or off for a PPP link. The format is Enum.
Ascend-Target-Util
Specifies the percentage of bandwidth use at which the MAX TNT adds or subtracts bandwidth. The format is Ulong.
Ascend-Max-Channels
Specifies the maximum number of channels allowed on an MP+ call. The format is Ulong.
Ascend-Data-Filter
Specifies the characteristics of a data filter in a RADIUS user profile. The MAX TNT uses the filter only when it places or receives a call associated with the profile that includes the filter definition. The format is Binary.
Ascend-Call-Filter
Specifies the characteristics of a call filter in a RADIUS user profile. The MAX TNT uses the filter only when it places a call or receives a call associated with the profile that includes the filter definition. The format is Binary.
Ascend-Idle-Limit
Specifies the number of seconds the MAX TNT waits before clearing a call when a session is inactive. The format is Ulong.
Ascend-Data-Service
Specifies the type of data service the link uses for outgoing calls. The format is Ulong.
Ascend-Force-56
Indicates whether the MAX uses only the 56-kbps portion of a channel, even when all 64-kbps appear to be available. The format is Ulong.
Ascend-Xmit-Rate
Specifies the rate of data transmitted on the connection in bits per second. For ISDN calls, Ascend-Xmit-Rate indicates the transmit data rate. For analog calls, it indicates the modem baud rate at the time of the initial connection. The format is Ulong.
Cisco AVpair
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair". The format is String.
cisco-nas-port
Enables the display of physical interface information and parent interface details as part of the of the cisco-nas-port vendor-specific attribute (VSA) for login calls. The format is String.
fax_account_id_origin
Indicates the account ID origin as defined by system administrator for the mmoip aaa receive-id or the mmoip aaa send-id command. The format is String.
fax_msg_id
Indicates a unique fax message identification number assigned by Store and Forward Fax. The format is String.
fax_pages
Indicates the number of pages transmitted or received during this fax session. This page count includes cover pages. The format is String.
fax_modem_time
Indicates the amount of time in seconds the modem sent fax data (x) and the amount of time in seconds of the total fax session (y), which includes both fax-mail and PSTN time, in the form x/y. For example, 10/15 means that the transfer time took 10 seconds, and the total fax session took 15 seconds. The format is String.
fax_connect_speed
Indicates the modem speed at which this fax-mail was initially transmitted or received. Possible values are 1200, 4800, 9600, and 14400. The format is String.
fax_mdn_address
Indicates the address to which message delivery notifications (MDNs) will be sent. The format is String.
fax_mdn_flag
Indicates whether or not MDNs has been enabled. True indicates that MDN had been enabled; false means that MDN had not been enabled. The format is String.
fax_auth_status
Indicates whether or not authentication for this fax session was successful. Possible values for this field are success, failed, bypassed, or unknown. The format is String.
email_server_address
Indicates the IP address of the e-mail server handling the on-ramp fax-mail message. The format is String.
email_server_ack_flag
Indicates that the on-ramp gateway has received a positive acknowledgment from the e-mail server accepting the fax-mail message. The format is String.
gateway_id
Indicates the name of the gateway that processed the fax session. The name appears in the following format: hostname.domain-name. The format is String.
call_type
Describes the type of fax activity: fax receive or fax send. The format is String.
port_used
Indicates the slot/port number of the Cisco AS5300 used to either transmit or receive this fax-mail. The format is String.
abort_cause
If the fax session aborts, indicates the system component that signaled the abort. Examples of system components that could trigger an abort are FAP (Fax Application Process), TIFF (the TIFF reader or the TIFF writer), fax-mail client, fax-mail server, ESMTP client, or ESMTP server. The format is String.
h323-remote-address
Indicates the IP address of the remote gateway. The format is String.
Conf-Id
Indicates a unique call identifier generated by the gateway. Used to identify the separate billable events (calls) within a single calling session. The format is String.
h323-setup-time
Indicates the setup time in NTP format: hour, minutes, seconds, microseconds, time_zone, day, month, day_of_month, year. The format is String.
h323-call-origin
Indicates the gateway's behavior in relation to the connection that is active for this leg. The format is String.
h323-call-type
Indicates the protocol type or family used on this leg of the call. The format is String.
h323-connect-time
Indicates the connect time in Network Time Protocol (NTP) format: hour, minutes, seconds, microseconds, time_zone, day, month, day_of_month, and year. The format is String.
h323-disconnect-time
Indicates the disconnect time in NTP format: hour, minutes, seconds, microseconds, time_zone, day, month, day_of_month, year. The format is String.
h323-disconnect-cause
Indicates the Q.931 disconnect cause code retrieved from CCAPI. The source of the code is the disconnect location such as a PSTN, terminating gateway, or SIP. The format is String.
h323-voice-quality
Indicates the ICPIF of the voice quality. The format is String.
h323-gw-id
Indicate the name of the tenor. The format is String.
Cisco AVpair
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair". The format is String.
Cisco encrypted string vsa
Cisco allows several forms of sub-attribute encryption. The only method supported is the Cisco Encrypted String VSA Format also supported by an IETF draft for Salt-Encryption of RADIUS attributes. The format is String.
Sub_Policy_In
Defines the service policy input. The format is String.
Sub_Policy_Out
Defines the service policy output. The format is String.
h323-credit-amount
Indicates the amount of credit (in currency) that the account contains. The format is String.
h323-credit-time
Indicates the number of seconds for which the call is authorized. The format is String.
h323-return-code
Return codes are instructions from the RADIUS server to the voice gateway. The format is String.
h323-prompt-id
Indexes into an array that selects prompt files used at the gateway. The format is String.
h323-time-and-day
Indicates the time of day at the dialed number or at the remote gateway in the format: hour, minutes, seconds. The format is String.
h323-redirect-number
Indicates the phone number to which the call is redirected; for example, to a toll-free number or a customer service number. The format is String.
h323-preferred-lang
Indicates the language to use when playing the audio prompt specified by the h323-prompt-id. The format is String.
h323-redirect-ip-address
Indicates the IP address for an alternate or redirected call. The format is String.
h323-billing-model
Indicates the type of billing service for a specific call. The format is String.
h323-currency
Indicates the currency to use with h323-credit-amount. The format is String.
ssg-account-info
Subscribes the subscriber to the specified service and indicates that the subscriber should be automatically connected to this service after successful logon. The format is String.
ssg-service-info
SSG redirects the user's HTTP traffic to a server in the specified server group. All the service features (such as quality of service (QoS) and prepaid billing) are applied to the HTTP traffic. The format is String.
ssg-command-code
Specifies account logon and logoff, session query, and service activate and deactivate information. The format is Binary.
ssg-control-info
Indicates the control-info code for prepaid quota. The format is String.
MS-CHAP-Response
This attribute contains the response value provided by a PPP Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) user in response to the challenge. The format is Binary.
MS-CHAP-ERROR
Contains error data related to the preceding MS-CHAP exchange. The format is Binary.
MS-CHAP-CPW-1
Allows the user to change their password if it has expired. The format is Binary.
MS-CHAP-CPW-2
Allows the user to change their password if it has expired. The format is Binary.
MS-CHAP-LM-Enc-PW
Contains the new Windows NT password encrypted with the old LAN Manager password hash. The format is Binary.
MS-CHAP-NT-Enc-PW
Contains the new Windows NT password encrypted with the old Windows NT password hash. The format is Binary.
MS-MPPE-Enc-Policy
The MS-MPPE-Encryption-Policy attribute may be used to signify whether the use of encryption is allowed or required. The format is Binary.
MS-MPPE-Enc-Type
The MS-MPPE-Encryption-Types attribute is used to signify the types of encryption available for use with Microsoft Point-to-Point Encryption (MPPE). The format is Binary.
MS-RAS-Vendor
Used to indicate the manufacturer of the RADIUS client machine. The format is Binary.
MS-CHAP-DOMAIN
Indicates the Windows NT domain in which the user was authenticated. The format is Binary.
MSCHAP_Challenge
Contains the challenge sent by a NAS to a MS-CHAP user. The format is Binary.
MS-CHAP-MPPE-Keys
Contains two session keys for use by the MPPE. The format is Binary.
MS-BAP-Usage
Describes whether the use of Bandwidth Allocation Protocol (BAP) is allowed, disallowed or required on new multilink calls. The format is Binary.
MS-Link-Util-Thresh
Represents the percentage of available bandwidth utilization below which the link must fall before the link is eligible for termination. The format is Binary.
MS-Link-Drop-Time-Limit
Indicates the length of time (in seconds) that a link must be underutilized before it is dropped. The format is Binary.
MS-MPPE-Send-Key
Contains a session key for use by the MPPE. The format is Binary.
MS-MPPE-Recv-Key
Contains a session key for use by the MPPE. The format is Binary.
MS-RAS-Version
Used to indicate the version of the RADIUS client software. The format is Binary.
MS-Old-ARAP-Password
Used to transmit the old Apple Remote Access Protocol (ARAP) password during an ARAP password change operation. The format is Binary.
New-ARAP-Password
Used to transmit the new ARAP password during an ARAP password change operation. The format is Binary.
MS-ARAP-PW-Change-Reason
Used to indicate reason for a server-initiated password change. The format is Binary.
MS-Filter
Used to transmit traffic filters. The format is Binary.
MS-Acct-Auth-Type
Used to represent the method used to authenticate the dial-up user. The format is Binary.
MS-MPPE-EAP-Type
Used to represent the EAP type used to authenticate the dial-up user. The format is Binary.
MS-CHAP-V2-Response
This attribute is identical in format to the standard CHAP Response packet. The format is Binary.
MS-CHAP-V2-Success
Contains a 42-octet authenticator response string and must be included in the Message field packet sent from the NAS to the peer. The format is Binary.
MS-CHAP-CPW-2
Allows the user to change their password if it has expired. The format is Binary.
MS-Primary-DNS
Used to indicate the address of the primary DNS server to be used by the PPP peer. The format is IPv4 Address.
MS-Secondary-DNS
Used to indicate the address of the secondary DNS server to be used by the PPP peer. The format is IPv4 Address.
MS-1st-NBNS-Server
Used to indicate the address of the primary NetBIOS Name Server (NBNS) server to be used by the PPP peer. The format is IPv4 Address.
MS-2nd-NBNS-Server
Used to indicate the address of the secondary NBNS server to be used by the PPP peer. The format is IPv4 Address.
MS-ARAP-Challenge
Only present in an Access-Request packet containing a Framed-Protocol Attribute with the value 3 (ARAP). The format is Binary.
Charging-ID
Generated for each activated context. It is a unique four octet value generated by the GGSN when a PDP Context is activated. The format is Ulong.
PDP Type
Indicates the Packet Data Protocol (PDP) is to be used by the mobile for a certain service. The format is Enum.
Charging-Gateway-Address
The IP address of the recommended Charging Gateway Functionality to which the SGSN should transfer the Charging Detail Records (CDR) for this PDP Context. The format is IPv4 Address.
GPRS-QoS-Profile
Controls the QoS negotiated values. The format is String.
SGSN-Address
This is the IP address of the SGSN that is used by the GTP control plane for handling control messages. The format is IPv4 Address.
GGSN-Address
IP address of the GGSN that is used by the GTP control plane for the context establishment. This address is the same as the GGSN IP address used in G-CDRs. The format is IPv4 Address.
IMSI-MCC-MNC
The MCC and MNC extracted from the user's IMSI number (the first 5 or 6 digits depending on the IMSI). The format is String.
GGSN-MCC-MNC
The MCC and MNC of the network to which the GGSN belongs. The format is String.
NSAPI
Identifies a particular PDP context for the associated PDN and MSISDN/IMSI from creation to deletion. The format is String.
Session-Stop-Ind
Indicates to the AAA server that the last PDP context of a session is released and that the PDP session has been terminated. The format is Binary
Selection-Mode
Contains the selection mode for this PDP Context received in the Create PDP Context Request Message. The format is String.
Charging-Characteristics
Contains the charging characteristics for this PDP Context received in the Create PDP Context Request Message (only available in R99 and later releases). The format is String.
cdma-reverse-tnl-spec
Indicates the style of reverse tunneling that is required, and optionally appears in a RADIUS Access-Accept message. The format is Ulong.
cdma-diff-svc-class-opt
This attribute is deprecated and is replaced by the Allowed Differentiated Services Marking attribute. The Home RADIUS server authorizes differentiated services via the Differentiated Services Class Options attribute, and optionally appears in a RADIUS Access-Accept message. The format is Ulong.
cdma-container
Contains embedded 3GPP2 VSAs and/or RADIUS accounting attributes. The format is String.
cdma-ha-ip-addr
A Home Agent (HA) IP address used during a MIP session by the user as defined in IETF RFC 2002. The format is IPv4 Address.
cdma-pcf-ip-addr
The IP address of the serving PCF (the PCF in the serving RN). The format is IPv4 Address.
cdma-bs-msc-addr
The Base Station (BS) Mobile Switching Center (MSC) address. The format is String.
cdma-user-id
The name of the user on the system. The format is Ulong.
cdma-forward-mux
Forwards FCH multiplex option. The format is Ulong.
cdma-reverse-mux
Reverses FCH multiplex option. The format is Ulong.
cdma-forward-rate
The format and structure of the radio channel in the forward Dedicated Control Channel. A set of forward transmission formats that are characterized by data rates, modulation characterized, and spreading rates. The format is Ulong.
cdma-reverse-rate
The format and structure of the radio channel in the reverse Dedicated Control Channel. A set of reverse transmission formats that are characterized by data rates, modulation characterized, and spreading rates. The format is Ulong.
cdma-service-option
Code Division Multiple Access (CDMA) service option as received from the RN. The format is Ulong.
cdma-forward-type
Forward direction traffic type. It is either Primary or Secondary. The format is Ulong.
cdma-reverse-type
Reverse direction traffic type. It is either Primary or Secondary. The format is Ulong.
cdma-frame-size
Specifies the Fundamental Channel (FCH) frame size. The format is Ulong.
cdma-forward-rc
The format and structure of the radio channel in the forward FCH. A set of forward transmission formats that are characterized by data rates, modulation characterized, and spreading rates. The format is Ulong.
cdma-reverse-rc
The format and structure of the radio channel in the reverse FCH. A set of reverse transmission formats that are characterized by data rates, modulation characterized, and spreading rates. The format is Ulong.
cdma-ip-tech
Identifies the IP technology to use for the call: Simple IP or Mobile IP. The format is Ulong.
cdma-comp-flag
Indicates the type of compulsory tunnel. The format is Ulong.
cdma-reason-ind
Indicates the reasons for a stop record. The format is Ulong.
cdma-bad-frame-count
The total number of PPP frames from the MS dropped by the Packet Data Serving Node (PDSN) due to uncorrectable errors. The format is Ulong.
cdma-num-active
The number of active transitions. The format is Ulong.
cdma-sdb-input-octets
This is the Short Data Burst (SDB) octet count reported by the RN in the SDB Airlink Record. The format is Ulong.
cdma-sdb-output-octets
The SDB octet count reported by the RN in the SDB Airlink Record. The format is Ulong.
cdma-numsdb-input
The number of terminating SDBs. The format is Ulong.
cdma-numsdb-output
The number of originating SDBs. The format is Ulong.
cdma-ip-qos
Indicates the IP Quality of Service (QoS). The format is Ulong.
cdma-airlink-qos
Identifies Airlink Priority associated with the user. This is the user's priority associated with the packet data service. The format is Ulong.
cdma-rp-session-id
Identifies the resource reservation protocol type session identifier. The format is Ulong.
cdma-hdlc-layer-bytes-in
The count of all octets received in the reverse direction by the High-Level Data Link Control (HDLC) layer in the PDSN. The format is Ulong.
cdma-correlation-id
Indicates a unique accounting ID created by the Serving PDSN for each packet data session that allows multiple accounting events for each associated R-P connection or P-P connection to be correlated.The format is String.
cdma-moip-inbound
This is the total number of octets in registration requests and solicitations sent by the MS. The format is Ulong.
cdma-moip-outbound
This is the total number of octets in registration replies and agent advertisements, sent to the MS. The format is Ulong.
cdma-session-continue
This attribute when set to "true" means it is not the end of a Session and an Accounting Stop is immediately followed by an Account Start Record. "False" means end of a session. The format is Ulong.
cdma-active-time
The total active connection time on traffic channel in seconds. The format is Ulong.
cdma-frame-size
Specifies the FSH frame size. The format is Ulong.
cdma-esn
Indicates the Electronic Serial Number (ESN). The format is String.
cdma-mn-ha-spi
The SPI for the MN-HA shared key that optionally appears in a RADIUS Access-Request message. It is used to request an MN-HA shared key. The format is Ulong.
cdma-mn-ha-shared-key
A shared key for MN-HA that may appear in a RADIUS Access-Accept message. The MN-HA shared key is encrypted using a method based on the RSA Message Digest Algorithm MD5 [RFC 1321] as described in Section 3.5 of RFC 2868. The format is Binary.
cdma-sess-term-capability
The value shall be bitmap encoded rather than a raw integer. This attribute shall be included in a RADIUS Access-Request message to the Home RADIUS server and shall contain the value 3 to indicate that the PDSN and HA support both Dynamic authorization with RADIUS and Registration Revocation for Mobile IPv4. The attribute shall also be included in the RADIUS Access-Accept message and shall contain the preferred resource management mechanism by the home network, which shall be used for the session and may include values 1 to 3. The format is Ulong.
cdma-disconnect-reason
Indicates the reason for disconnecting the user. This attribute may be included in a RADIUS Disconnect-Request message from Home RADIUS server to the PDSN. The format is Ulong.
mip-key-data
This is the key data payload containing the encrypted MN_AAA key, MN_HA key, CHAP key, MN_Authenticator, and AAA_Authenticator. The format is Binary.
aaa-authenticator
This is the 64-bit AAA_Authenticator value decrypted by the Home RADIUS AAA Server. The format is Binary.
public-key-invalid
The home RADIUS AAA Server includes this attribute to indicate that the Public key used by the MN is not valid. The format is Binary.
show redundancy application asymmetric-routing
To display asymmetric routing information for a redundancy group, use the show redundancy application asymmetric-routing command in user EXEC or privileged EXEC mode.
Examples
The following is sample output from the show redundancy application asymmetric-routing interface group command:
Device# show redundancy application asymmetric-routing interface group 1 AR Group ID:1 interface Ethernet1/1 neighbor 10.3.3.2, transport context: my ip 10.9.9.1, my port 53000 peer ip 10.9.9.2, peer port 53000The following is sample output from the show redundancy application asymmetric-routing tunnel group command:
Device# show redundancy application asymmetric-routing tunnel group 1 Group ID:1 rii 1000, idb Ethernet1/2 packet sent: 0, packet received: 0 byte sent: 0, byte recv: 0 encap: length 32 IP :45 00 00 00 00 00 00 00 FF 11 00 00 09 09 09 01 09 09 09 02 UDP:CF 08 CF 08 00 00 00 00 AR :00 01 03 E8The following table describes the significant fields shown in the displays.
Table 40 show redundancy application asymmetric-routing Field Descriptions Field
Description
AR Group ID
The identifier for the asymmetric routing redundancy group.
interface
The interface type and number.
neighbor
The IP address of the peer redundancy group's control interface.
transport context:
The IP address of the asymmetric routing interface and the IP address of the peer asymmetric routing interface are displayed under the transport context.
Group ID
The identifier for the asymmetric routing redundancy group.
rii
The redundancy interface identifier.
show redundancy application control-interface group
To display control interface information for a redundancy group, use the show redundancy application control-interface group command in privileged EXEC mode.
Usage Guidelines
The show redundancy application control-interfacecommand shows information for the redundancy group control interfaces.
Examples
The following is sample output from the show redundancy application control-interface command:
Router# show redundancy application control-interface group 2 The control interface for rg[2] is GigabitEthernet0/1/0 Interface is Control interface associated with the following protocols: 2 1 BFD Enabled Interface Neighbors:Examples
The following is a sample output from the show redundancy application control-interface group command on Cisco 4400 Series ISR:
Router# show redundancy application control-interface group The control interface for rg[1] is GigabitEthernet0/0/0 Interface is Control interface associated with the following protocols: 2 1 BFD Enabled Interface Neighbors: Peer: 1.1.1.2 Active RGs: 1 Standby RGs: 2 BFD handle: 0 The control interface for rg[2] is GigabitEthernet0/0/0 Interface is Control interface associated with the following protocols: 2 1 BFD Enabled Interface Neighbors: Peer: 1.1.1.2 Active RGs: 1 Standby RGs: 2 BFD handle: 0Related Commands
Command
Description
show redundancy application faults
Displays fault-specific information for a redundancy group.
show redundancy application group
Displays redundancy group information.
show redundancy application if-mgr
Displays if-mgr information for a redundancy group.
show redundancy application protocol
Displays protocol-specific information for a redundancy group.
show redundancy application data-interface
To display data interface-specific information, use the show redundancy application data-interfacecommand in privileged EXEC mode.
Usage Guidelines
The show redundancy application data-interface command displays information about the redundancy group data interfaces.
Examples
The following is sample output from the show redundancy application data-interface command:
Router# show redundancy application data-interface group 1 The data interface for rg[1] is GigabitEthernet0/1/1Examples
The following sample output shows configuration details for redundancy application group 1 and group 2 from the show redundancy application data-interface command
Router# show redundancy application data-interface group 1 The data interface for rg[1] is GigabitEthernet0/0/1 Router # show redundancy application data-interface group 2 The data interface for rg[2] is GigabitEthernet0/0/1Related Commands
Command
Description
show redundancy application control-interface
Displays control interface information for a redundancy group.
show redundancy application faults
Displays fault-specific information for a redundancy group.
show redundancy application group
Displays redundancy group information.
show redundancy application if-mgr
Displays if-mgr information for a redundancy group.
show redundancy application protocol
Displays protocol-specific information for a redundancy group.
show redundancy application faults group
To display fault-specific information for a redundancy group, use the show redundancy application faults groupcommand in privileged EXEC mode.
Usage Guidelines
The show redundancy application faultscommand shows information returned by redundancy group faults.
Examples
The following is sample output from the show redundancy application faults command:
Router# show redundancy application faults group 2 Faults states Group 2 info: Runtime priority: [150] RG Faults RG State: Up. Total # of switchovers due to faults: 2 Total # of down/up state changes due to faults: 2Examples
The following is a sample output from the show redundancy application faults command
Router# show redundancy application faults group Faults states Group 1 info: Runtime priority: [50] RG Faults RG State: Up. Total # of switchovers due to faults: 0 Total # of down/up state changes due to faults: 2 Faults states Group 2 info: Runtime priority: [135] RG Faults RG State: Up. Total # of switchovers due to faults: 0 Total # of down/up state changes due to faults: 2
Table 41 show redundancy application group all Field Descriptions Field
Description
Faults states Group 1 info
Redundancy group faults information for Group 1.
Runtime priority
Current redundancy group priority of the group. This field is important when monitoring redundancy group switchover and when configuring interface tracking.
RG Faults RG State
Redundancy group state returned by redundancy group faults.
Total # of switchovers due to faults
Number of switchovers triggered by redundancy group fault events.
Total # of down/up state changes due to faults
Number of down and up state changes triggered by redundancy group fault events.
Related Commands
Command
Description
show redundancy application control-interface
Displays control interface information for a redundancy group.
show redundancy application group
Displays redundancy group information.
show redundancy application if-mgr
Displays if-mgr information for a redundancy group.
show redundancy application protocol
Displays protocol-specific information for a redundancy group.
show redundancy application group
To display the redundancy group information, use the show redundancy application group command in privileged EXEC mode.
Usage Guidelines
Use the show redundancy application group command to display the current state of each interbox redundancy group on the device and the peer device.
Examples
The following is sample out from the show redundancy application group command:
Device# show redundancy application group 1 Group ID:1 Group Name: Generic-Redundancy-1 Administrative State: No Shutdown Aggregate operational state : Up My Role: STANDBY Peer Role: ACTIVE Peer Presence: Yes Peer Comm: Yes Peer Progression Started: Yes RF Domain: btob-one RF state: STANDBY HOT Peer RF state: ACTIVE Device# show redundancy application group 2 Group ID:2 Group Name: Generic-Redundancy2 Administrative State: No Shutdown Aggregate operational state : Up My Role: ACTIVE Peer Role: STANDBY Peer Presence: Yes Peer Comm: Yes Peer Progression Started: Yes RF Domain: btob-two RF state: ACTIVE Peer RF state: STANDBY HOTExamples
The following is sample output from the show redundancy application group all command:
Device# show redundancy application group all Faults states Group 1 info: Runtime priority: [200] RG Faults RG State: Up. Total # of switchovers due to faults: 3 Total # of down/up state changes due to faults: 2 Group ID:1 Group Name:grp2 Administrative State: No Shutdown Aggregate operational state : Up My Role: ACTIVE Peer Role: UNKNOWN Peer Presence: No Peer Comm: No Peer Progression Started: No RF Domain: btob-one RF state: ACTIVE Peer RF state: DISABLED RG Protocol RG 1 ------------------ Role: Active Negotiation: Enabled Priority: 200 Protocol state: Active Ctrl Intf(s) state: Down Active Peer: Local Standby Peer: Not exist Log counters: role change to active: 2 role change to standby: 0 disable events: rg down state 1, rg shut 0 ctrl intf events: up 0, down 2, admin_down 1 reload events: local request 3, peer request 0 RG Media Context for RG 1 -------------------------- Ctx State: Active Protocol ID: 1 Media type: Default Control Interface: GigabitEthernet0/1/0 Hello timer: 5000 Effective Hello timer: 5000, Effective Hold timer: 15000 LAPT values: 0, 0 Stats: Pkts 0, Bytes 0, HA Seq 0, Seq Number 0, Pkt Loss 0 Authentication not configured Authentication Failure: 0 Reload Peer: TX 0, RX 0 Resign: TX 1, RX 0 Standby Peer: Not Present. Faults states Group 2 info: Runtime priority: [150] RG Faults RG State: Up. Total # of switchovers due to faults: 2 Total # of down/up state changes due to faults: 2 Group ID:2 Group Name:name1 Administrative State: No Shutdown Aggregate operational state : Up My Role: ACTIVE Peer Role: UNKNOWN Peer Presence: No Peer Comm: No Peer Progression Started: No RF Domain: btob-two RF state: ACTIVE Peer RF state: DISABLED RG Protocol RG 2 ------------------ Role: Active Negotiation: Enabled Priority: 150 Protocol state: Active Ctrl Intf(s) state: Down Active Peer: Local Standby Peer: Not exist Log counters: role change to active: 1 role change to standby: 0 disable events: rg down state 1, rg shut 0 ctrl intf events: up 0, down 2, admin_down 1 reload events: local request 2, peer request 0 RG Media Context for RG 2 -------------------------- Ctx State: Active Protocol ID: 2 Media type: Default Control Interface: GigabitEthernet0/1/0 Hello timer: 5000 Effective Hello timer: 5000, Effective Hold timer: 15000 LAPT values: 0, 0 Stats: Pkts 0, Bytes 0, HA Seq 0, Seq Number 0, Pkt Loss 0 Authentication not configured Authentication Failure: 0 Reload Peer: TX 0, RX 0 Resign: TX 0, RX 0 Standby Peer: Not Present.The table below describes the significant fields shown in the display.
Table 42 show redundancy application group all Field Descriptions Field
Description
Faults states Group 1 info
Redundancy group faults information for Group 1.
Runtime priority
Current priority of the redundancy group.
RG Faults RG State
Redundancy group state returned by redundancy group faults.
Total # of switchovers due to faults
Number of switchovers triggered by redundancy group fault events.
Total # of down/up state changes due to faults
Number of down and up state changes triggered by redundancy group fault events.
Group ID
Redundancy group ID.
Group Name
Redundancy group name.
Administrative State
Redundancy group state configured by users.
Aggregate operational state
Current redundancy group state.
My Role
Current role of the device.
Peer Role
Current role of the peer device.
Peer Presence
Indicates if the peer device is detected or not.
Peer Comm
Indicates the communication state with the peer device.
Peer Progression Started
Indicates if the peer device has started Redundancy Framework (RF) progression.
RF Domain
Name of the RF domain for the redundancy group.
Related Commands
Command
Description
show redundancy application control-interface
Displays control interface information for a redundancy group.
show redundancy application faults
Displays fault-specific information for a redundancy group.
show redundancy application if-mgr
Displays if-mgr information for a redundancy group.
show redundancy application protocol
Displays protocol-specific information for a redundancy group.
show redundancy application if-mgr
To display interface manager information for a redundancy group, use the show redundancy application if-mgr command in privileged EXEC mode.
Usage Guidelines
The show redundancy application if-mgr command shows information of traffic interfaces protected by redundancy groups. When a traffic interface is functioning with the redundancy group, the state is no shut on the active device, and shut on the standby device. On the other hand, it is always shut on the standby device.
Examples
The following sample output shows configuration details of redundancy group 1 and redudancy group 2 from the show redundancy application if-mgr command
Router# show redundancy application if-mgr group 1 RG ID: 1 ========== interface GigabitEthernet0/0/3.152 --------------------------------------- VMAC 0007.b421.4e21 VIP 55.1.1.255 Shut shut Decrement 10 interface GigabitEthernet0/0/2.152 --------------------------------------- VMAC 0007.b421.5209 VIP 45.1.1.255 Shut shut Decrement 10 Router# show redundancy application if-mgr group 2 RG ID: 2 ========== interface GigabitEthernet0/0/3.166 --------------------------------------- VMAC 0007.b422.14d6 VIP 4.1.255.254 Shut no shut Decrement 10 interface GigabitEthernet0/0/2.166 --------------------------------------- VMAC 0007.b422.0d06 VIP 3.1.255.254 Shut no shut Decrement 10Examples
The following is sample output from the show redundancy application if-mgr command:
Router# show redundancy application if-mgr group 2 RG ID: 2 Interface VIP VMAC Shut Decrement ========================================================== GigabitEthernet0/1/7 10.1.1.3 0007.b422.0016 no shut 50 GigabitEthernet0/3/1 11.1.1.3 0007.b422.0017 no shut 50The table below describes the significant fields shown in the display.
Table 43 show redundancy application if-mgr Field Descriptions Field
Description
RG ID
Redundancy group ID.
Interface
Interface name.
VIP
Virtual IP address for this traffic interface.
VMAC
Virtual MAC address for this traffic interface.
Shut
The state of this interface.
Note It is always “shut” on the standby box.
Decrement
The decrement value for this interface. When this interface goes down, the runtime priority of its redundancy group decreases.
Related Commands
Command
Description
show redundancy application control-interface
Displays control interface information for a redundancy group.
show redundancy application faults
Displays fault-specific information for a redundancy group.
show redundancy application group
Displays redundancy group information.
show redundancy application protocol
Displays protocol-specific information for a redundancy group
show redundancy application protocol
To display protocol-specific information for a redundancy group, use the show redundancy application protocolcommand in privileged EXEC mode.
Usage Guidelines
The show redundancy application protocolcommand shows information returned by redundancy group protocol.
Examples
The following is sample output from the show redundancy application protocol command:
Router# show redundancy application protocol 3 Protocol id: 3, name: BFD: ENABLE Hello timer in msecs: 0 Hold timer in msecs: 0The table below describes the significant fields shown in the display.
Table 44 show redundancy application protocol Field Descriptions Field
Description
Protocol id
Redundancy group protocol ID.
BFD
Indicates whether the BFD protocol is enabled for the redundancy group protocol.
Hello timer in msecs
Redundancy group hello timer, in milliseconds, for the redundancy group protocol. The default is 3000 msecs.
Hold timer in msecs
Redundancy group hold timer, in milliseconds, for the redundancy group protocol. The default is 10000 msecs.
Examples
The following is a sample output from the show redundancy application protocol command for the Cisco 4400 Series ISR.
Router# show redundancy application protocol RG Protocol RG 1 ------------------ Role: Standby Negotiation: Enabled Priority: 50 Protocol state: Standby-hot Ctrl Intf(s) state: Up Active Peer: address 1.1.1.2, priority 150, intf Gi0/0/0 Standby Peer: Local Log counters: role change to active: 0 role change to standby: 1 disable events: rg down state 1, rg shut 0 ctrl intf events: up 2, down 1, admin_down 1 reload events: local request 0, peer request 0 RG Media Context for RG 1 -------------------------- Ctx State: Standby Protocol ID: 1 Media type: Default Control Interface: GigabitEthernet0/0/0 Current Hello timer: 3000 Configured Hello timer: 3000, Hold timer: 10000 Peer Hello timer: 3000, Peer Hold timer: 10000 Stats: Pkts 117, Bytes 7254, HA Seq 0, Seq Number 117, Pkt Loss 0 Authentication not configured Authentication Failure: 0 Reload Peer: TX 0, RX 0 Resign: TX 0, RX 0 Active Peer: Present. Hold Timer: 10000 Pkts 115, Bytes 3910, HA Seq 0, Seq Number 1453975, Pkt Loss 0 RG Protocol RG 2 ------------------ Role: Active Negotiation: Enabled Priority: 135 Protocol state: Active Ctrl Intf(s) state: Up Active Peer: Local Standby Peer: address 1.1.1.2, priority 130, intf Gi0/0/0 Log counters: role change to active: 1 role change to standby: 1 disable events: rg down state 1, rg shut 0 ctrl intf events: up 2, down 1, admin_down 1 reload events: local request 0, peer request 0 RG Media Context for RG 2 -------------------------- Ctx State: Active Protocol ID: 2 Media type: Default Control Interface: GigabitEthernet0/0/0 Current Hello timer: 3000 Configured Hello timer: 3000, Hold timer: 10000 Peer Hello timer: 3000, Peer Hold timer: 10000 Stats: Pkts 118, Bytes 7316, HA Seq 0, Seq Number 118, Pkt Loss 0 Authentication not configured Authentication Failure: 0 Reload Peer: TX 0, RX 0 Resign: TX 0, RX 1 Standby Peer: Present. Hold Timer: 10000 Pkts 102, Bytes 3468, HA Seq 0, Seq Number 1453977, Pkt Loss 0Related Commands
Command
Description
show redundancy application group
Displays redundancy group information.
show redundancy application control-interface
Displays control interface information for a redundancy group.
show redundancy application faults
Displays fault-specific information for a redundancy group.
show redundancy application if-mgr
Displays if-mgr information for a redundancy group.
show redundancy application transport
To display transport-specific information for a redundancy group, use the show redundancy application transportcommand in privileged EXEC mode.
Usage Guidelines
The show redundancy application transport command shows information for redundancy group transport.
Examples
The following is sample output from the show redundancy application transport group command:
Router# show redundancy application transport group 1 Transport Information for RG (1)Examples
The following is a sample output from the show redundancy application transport client command
Router# show redundancy application transport client Client Conn# Priority Interface L3 L4 ( 0)RF 0 1 CTRL IPV4 SCTP ( 1)MCP_HA 1 1 DATA IPV4 UDP_REL ( 4)AR 0 1 ASYM IPV4 UDP ( 5)CF 0 1 DATA IPV4 SCTPThe following is a sample output from the show redundancy application transport group command
Router# show redundancy application transport group Transport Information for RG (1) Client = RF TI conn_id my_ip my_port peer_ip peer_por intf L3 L4 0 0 1.1.1.1 59000 1.1.1.2 59000 CTRL IPV4 SCTP Client = MCP_HA TI conn_id my_ip my_port peer_ip peer_por intf L3 L4 1 1 9.9.9.2 53000 9.9.9.1 53000 DATA IPV4 UDP_REL Client = AR TI conn_id my_ip my_port peer_ip peer_por intf L3 L4 2 0 0.0.0.0 0 0.0.0.0 0 NONE_IN NONE_L3 NONE_L4 Client = CF TI conn_id my_ip my_port peer_ip peer_por intf L3 L4 3 0 9.9.9.2 59001 9.9.9.1 59001 DATA IPV4 SCTP Transport Information for RG (2) Client = RF TI conn_id my_ip my_port peer_ip peer_por intf L3 L4 8 0 1.1.1.1 59004 1.1.1.2 59004 CTRL IPV4 SCTP Client = MCP_HA TI conn_id my_ip my_port peer_ip peer_por intf L3 L4 9 1 9.9.9.2 53002 9.9.9.1 53002 DATA IPV4 UDP_REL Client = AR TI conn_id my_ip my_port peer_ip peer_por intf L3 L4 10 0 0.0.0.0 0 0.0.0.0 0 NONE_IN NONE_L3 NONE_L4 Client = CF TI conn_id my_ip my_port peer_ip peer_por intf L3 L4 11 0 9.9.9.2 59005 9.9.9.1 59005 DATA IPV4 SCTPRelated Commands
Command
Description
show redundancy application control-interface
Displays control interface information for a redundancy group.
show redundancy application faults
Displays fault-specific information for a redundancy group.
show redundancy application group
Displays redundancy group information.
show redundancy application if-mgr
Displays if-mgr information for a redundancy group.
show redundancy application protocol
Displays protocol-specific information for a redundancy group.
show redundancy linecard-group
To display the components of a Blade Failure Group, use the show redundancy linecard-group command in privileged EXEC mode.
show running-config
To display the contents of the current running configuration file or the configuration for a specific module, Layer 2 VLAN, class map, interface, map class, policy map, or virtual circuit (VC) class, use the show running-config command in privileged EXEC mode.
Syntax Description
options
(Optional) Keywords used to customize output. You can enter more than one keyword.
- all --Expands the output to include the commands that are configured with default parameters. If the all keyword is not used, the output does not display commands configured with default parameters.
- brief --Displays the configuration without certification data and encrypted filter details. The brief keyword can be used with the linenum keyword.
- class-map [name][linenum]--Displays class map information. The linenum keyword can be used with the class-map name option.
- control-plane [cef-exception| host| transit]--Displays control-plane information. The cef-exception, host, and transit keywords can be used with the control-plane option.
- flow {exporter | monitor | record}--Displays global flow configuration commands. The exporter, monitor, and recordkeywords can be used with the flow option.
- full --Displays the full configuration.
- interface type number -- Displays interface-specific configuration information. If you use the interface keyword, you must specify the interface type and the interface number (for example, interface ethernet 0). Keywords for common interfaces include async, ethernet, fastEthernet, group-async, loopback, null, serial, and virtual-template. Use the show run interface ?command to determine the interfaces available on your system.
- linenum --Displays line numbers in the output. The brief or full keyword can be used with the linenum keyword. The linenumkeyword can be used with the class-map, interface, map-class, policy-map, and vc-class keywords.
- map-class [atm | dialer | frame-relay] [name] [linenum]--Displays map class information. This option is described separately; see the show running-config map-class command page.
- partition types -- Displays the configuration corresponding to a partition. The types keyword can be used with the partitionoption.
- policy-map [name][linenum]--Displays policy map information. The linenum keyword can be used with the policy-map name option.
- vc-class [name] [linenum]--Displays VC-class information (the display is available only on certain routers such as the Cisco 7500 series routers). The linenum keyword can be used with the vc-class name option.
- view full --Enables the display of a full running configuration. This is for view-based users who typically can only view the configuration commands that they are entitled to access for that particular view.
- vrf name --Displays the Virtual routing and forwarding (VRF)-aware configuration module number .
- vlan [vlan-id]--Displays the specific VLAN information ; valid values are from 1 to 4094.
Command Default
The default syntax, show running-config, displays the contents of the running configuration file, except commands configured using the default parameters.
Command History
Release
Modification
11.0
This command was introduced.
12.0
This command was replaced by the more system:running-config command.
12.0(1)T
This command was integrated into Cisco IOS Release 12.0(1)T, and the output modifier (|) was added.
12.2(4)T
This command was modified. The linenum keyword was added.
12.3(8)T
This command was modified. The view fulloption was added.
12.2(14)SX
This command was integrated into Cisco IOS Release 12.2(14)SX. The module number and vlan vlan-id keywords and arguments were added for the Supervisor Engine 720.
12.2(17d)SXB
This command was integrated into Release 12.2(17d)SXB and implemented on the Supervisor Engine 2.
12.2(33)SXH
This command was modified. The allkeyword was added.
12.2(31)SB2
This command was integrated into Cisco IOS Release 12.2(31)SB2. This command was enhanced to display the configuration information for traffic shaping overhead accounting for ATM and was implemented on the Cisco 10000 series router for the PRE3.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC.
12.2(33)SB
This command was modified. Support for the Cisco 7300 series router was added.
12.4(24)T
This command was modified in a release earlier than Cisco IOS Release 12.4(24)T. The partition and vrf keywords were added. The module and vlan keywords were removed.
15.0(1)M
This command was modified. The output was modified to include encrypted filter information.
12.2(33)SXI
This command was modified. The output was modified to display Access Control List (ACL) information.
Usage Guidelines
The show running-config command is technically a command alias (substitute or replacement syntax) of the more system:running-config command. Although the use of more commands is recommended (because of their uniform structure across platforms and their expandable syntax), the show running-config command remains enabled to accommodate its widespread use, and to allow typing shortcuts such as show run.
The show running-config interface command is useful when there are multiple interfaces and you want to look at the configuration of a specific interface.
The linenum keyword causes line numbers to be displayed in the output. This option is useful for identifying a particular portion of a very large configuration.
You can enter additional output modifiers in the command syntax by including a pipe character (|) after the optional keyword. For example, show running-config interface serial 2/1 linenum | begin 3. To display the output modifiers that are available for a keyword, enter | ? after the keyword. Depending on the platform you are using, the keywords and the arguments for the options argument may vary.
Prior to Cisco IOS Release 12.2(33)SXH, the show running-configcommand output omitted configuration commands set with default values. Effective with Cisco IOS Release 12.2(33)SXH, the show running-config all command displays complete configuration information, including the default settings and values. For example, if the Cisco Discovery Protocol (abbreviated as CDP in the output) hold-time value is set to its default of 180:
- The show running-config command does not display this value.
- The show running-config all displays the following output: cdp holdtime 180.
If the Cisco Discovery Protocol holdtime is changed to a nondefault value (for example, 100), the output of the show running-config and show running-config allcommands is the same; that is, the configured parameter is displayed.
NoteIn Cisco IOS Release 12.2(33)SXH, the allkeyword expands the output to include some of the commands that are configured with default values. In subsequent Cisco IOS releases, additional configuration commands that are configured with default values will be added to the output of the show running-config allcommand.
Effective with Cisco IOS Release 12.2(33)SXI, the show running-config command displays ACL information. To exclude ACL information from the output, use the show running | section exclude ip access | access listcommand.
Cisco 7600 Series Router
In some cases, you might see a difference in the duplex mode that is displayed between the show interfaces command and the show running-config command. The duplex mode that is displayed in the show interfaces command is the actual duplex mode that the interface is running. The show interfaces command displays the operating mode of an interface, and the show running-config command displays the configured mode of the interface.
The show running-config command output for an interface might display the duplex mode but no configuration for the speed. This output indicates that the interface speed is configured as auto and that the duplex mode that is displayed becomes the operational setting once the speed is configured to something other than auto. With this configuration, it is possible that the operating duplex mode for that interface does not match the duplex mode that is displayed with the show running-config command.
Examples
The following example shows the configuration for serial interface 1. The fields are self-explanatory.
Router# show running-config interface serial 1 Building configuration... Current configuration: ! interface Serial1 no ip address no ip directed-broadcast no ip route-cache no ip mroute-cache shutdown endThe following example shows the configuration for Ethernet interface 0/0. Line numbers are displayed in the output. The fields are self-explanatory.
Router# show running-config interface ethernet 0/0 linenum Building configuration... Current configuration : 104 bytes 1 : ! 2 : interface Ethernet0/0 3 : ip address 10.4.2.63 255.255.255.0 4 : no ip route-cache 5 : no ip mroute-cache 6 : endThe following example shows how to set line numbers in the command output and then use the output modifier to start the display at line 10. The fields are self-explanatory.
Router# show running-config linenum | begin 10 10 : boot-start-marker 11 : boot-end-marker 12 : ! 13 : no logging buffered 14 : enable password ##### 15 : ! 16 : spe 1/0 1/7 17 : firmware location bootflash:mica-modem-pw.172.16.0.0.bin 18 : ! 19 : ! 20 : resource-pool disable 21 : ! 22 : no aaa new-model 23 : ip subnet-zero 24 : ip domain name cisco.com 25 : ip name-server 172.16.11.48 26 : ip name-server 172.16.2.133 27 : ! 28 : ! 29 : isdn switch-type primary-5ess 30 : ! . . . 126 : endThe following example shows how to display the module and status configuration for all modules on a Cisco 7600 series router. The fields are self-explanatory.
Router# show running-config Building configuration... Current configuration: ! version 12.0 service timestamps debug datetime localtime service timestamps log datetime localtime no service password-encryption ! hostname Router ! boot buffersize 126968 boot system flash slot0:7600r boot bootldr bootflash:c6msfc-boot-mz.120-6.5T.XE1.0.83.bin enable password lab ! clock timezone Pacific -8 clock summer-time Daylight recurring redundancy main-cpu auto-sync standard ! ip subnet-zero ! ip multicast-routing ip dvmrp route-limit 20000 ip cef mls flow ip destination mls flow ipx destination cns event-service server ! spanning-tree portfast bpdu-guard spanning-tree uplinkfast spanning-tree vlan 200 forward-time 21 port-channel load-balance sdip ! ! ! shutdown ! ! . . .In the following sample output from the show running-config command, the shape averagecommand indicates that the traffic shaping overhead accounting for ATM is enabled. The BRAS-DSLAM encapsulation type is qinq and the subscriber line encapsulation type is snap-rbe based on the ATM adaptation layer 5 (AAL5) service. The fields are self-explanatory
Router# show running-config . . . subscriber policy recording rules limit 64 no mpls traffic-eng auto-bw timers frequency 0 call rsvp-sync ! controller T1 2/0 framing sf linecode ami ! controller T1 2/1 framing sf linecode ami ! ! policy-map unit-test class class-default shape average percent 10 account qinq aal5 snap-rbe !The following is sample output from the show running-config class-map command. The fields in the display are self-explanatory.
Router# show running-config class-map Building configuration... Current configuration : 2910 bytes ! class-map type stack match-all ip_tcp_stack match field IP protocol eq 0x6 next TCP class-map type access-control match-all my match field UDP dest-port eq 1111 match encrypted filter-version 0.1, Dummy Filter 2 filter-id 123 filter-hash DE0EB7D3C4AFDD990038174A472E4789 algorithm aes256cbc cipherkey realm-cisco.sym ciphervalue # oeahb4L6JK+XuC0q8k9AqXvBeQWzVfdg8WV67WEXbiWdXGQs6BEXqQeb4Pfow570zM4eDw0gxlp/Er8w /lXsmolSgYpYuxFMYb1KX/H2iCXvA76VX7w5TElb/+6ekgbfP/d5ms6DEzKa8DlOpl+Q95lP194PsIlU wCyfVCwLS+T8p3RDLi8dKBgQMcDW4Dha1ObBJTpV4zpwhEdMvJDu5PATtEQhFjhN/UYeyQiPRthjbkJn LzT8hQFxwYwVW8PCjkyqEwYrr+R+mFG/C7tFRiooaW9MU9PCpFd95FARvlU=# exit class-map type stack match-all ip_udp_stack match field IP protocol eq 0x11 next UDP class-map type access-control match-all psirt1 match encrypted filter-version 0.0_DummyVersion_20090101_1830 filter-id cisco-sa-20090101-dummy_ddts_001 filter-hash FC50BED10521002B8A170F29AF059C53 algorithm aes256cbc cipherkey realm-cisco.sym ciphervalue # DkGbVq0FPAsVJKguU15lQPDfZyTcHUXWsj8+tD+dCSYW9cjkRU9jyST4vO4u69/L62QlbyQuKdyQmb10 6sAeY5vDsDfDV05k4o5eD+j8cMt78iZT0Qg7uGiBSYBbak3kKn/5w2gDd1vnivyQ7g4Ltd9+XM+GP6XL 27RrXeP5A5iGbzC7KI9t6riZXk0gmR/vFw1a5wck0D/iQHIlFa/yRPoKMSFlqfIlLTe5NM7JArSTKET2 pu7wZammTz4FF6rY# exit match start TCP payload-start offset 0 size 10 regex "abc.*def" match field TCP source-port eq 1234 class-map type access-control match-all psirt2 match encrypted filter-version 0.0_DummyVersion_20090711_1830 filter-id cisco-sa-20090711-dummy_ddts_002 filter-hash DE0EB7D3C4AFDD990038174A472E4789 algorithm aes256cbc cipherkey realm-cisco.symRelated Commands
Command
Description
bandwidth
Specifies or modifies the bandwidth allocated for a class belonging to a policy map, and enables ATM overhead accounting.
boot config
Specifies the device and filename of the configuration file from which the router configures itself during initialization (startup).
configure terminal
Enters global configuration mode.
copy running-config startup-config
Copies the running configuration to the startup configuration. (Command alias for the copy system:running-config nvram:startup-config command.)
shape
Shapes traffic to the indicated bit rate according to the algorithm specified, and enables ATM overhead accounting.
show interfaces
Displays statistics for all interfaces configured on the router or access server.
show policy-map
Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps, and displays ATM overhead accounting information, if configured.
show startup-config
Displays the contents of NVRAM (if present and valid) or displays the configuration file pointed to by the CONFIG_FILE environment variable. (Command alias for the more:nvram startup-config command.)
show running-config vrf
To display the subset of the running configuration of a router that is linked to a specific VPN routing and forwarding (VRF) instance or linked to all VRFs configured on the router, use the show running-config vrf command in privileged EXEC mode.
Command Default
If you do not specify the name of a VRF configuration, the running configurations of all VRFs on the router are displayed.
Command History
Release
Modification
12.2(28)SB
This command was introduced.
12.2(33)SRB
This command was integrated into Cisco IOS Release 12.2(33)SRB.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.4(20)T
This command was integrated into Cisco IOS Release 12.4(20)T.
Cisco IOS XE Release 2.1
This command was integrated into Cisco IOS XE Release 2.1.
Cisco IOS XE Release 3.5S
This command was modified. The output of the command was modified to display the Network Address Translation (NAT) configuration.
Usage Guidelines
Use the show running-config vrf command to display a specific VRF configuration or to display all VRF configurations on the router. To display the configuration of a specific VRF, specify the name of the VRF.
This command displays the following elements of the VRF configuration:
Examples
The following is sample output from the show running-config vrf command. It includes a base VRF configuration for VRF vpn3 and Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF) configurations associated with VRF vpn3.
Router# show running-config vrf vpn3 Building configuration... Current configuration : 720 bytes ip vrf vpn3 rd 100:1 route-target export 100:1 route-target import 100:1 ! ! interface GigabitEthernet0/0/1 description connected to nat44-1ru-ce1 g0/0/0 ip vrf forwarding vpn3 ip address 172.17.0.1 255.0.0.0 ip nat inside shutdown negotiation auto ! interface GigabitEthernet0/0/3 no ip address negotiation auto ! interface GigabitEthernet0/0/3.2 encapsulation dot1Q 2 ip vrf forwarding vpn3 ip address 10.0.0.1 255.255.255.0 ip nat inside ! router bgp 100 ! address-family ipv4 vrf vpn3 redistribute connected redistribute static exit-address-family ip nat inside source route-map rm-vpn3 pool shared-pool vrf vpn3 match-in-vrf overload ip nat pool shared-pool 10.0.0.2 10.0.0.254 prefix-length 24 ! router ospf 101 vrf vpn3 log-adjacency-changes area 1 sham-link 10.43.43.43 10.23.23.23 cost 10 network 172.17.0.0 0.255.255.255 area 1 . . . endThe table below describes the significant fields shown in the display.
Table 45 show running-config vrf Field Descriptions Field
Description
Current configuration: 720 bytes
Indicates the number of bytes (720) in the VRF vpn3 configuration.
ip vrf vpn3
Indicates the name of the VRF (vpn3) for which the configuration is displayed.
rd 100:1
Identifies the route distinguisher (100:1) for VRF vpn3.
route-target export 100:1
route-target import 100:1
Specifies the route-target extended community for VRF vpn3.
interface GigabitEthernet0/0/1
Specifies the interface associated with VRF vpn3.
ip vrf forwarding vpn3
Associates VRF vpn3 with the named interface.
ip address 172.17.0.1 255.0.0.0
Configures the IP address of the Gigabit Ethernet interface.
ip nat inside
Enables NAT of inside addresses.
router bgp 100
Sets up a BGP routing process for the router with the autonomous system number as 100.
address-family ipv4 vrf vpn3
Sets up a routing session for VRF vpn3 using the standard IPv4 address prefixes.
redistribute connected
Redistributes routes that are automatically established by the IP on an interface into the BGP routing domain.
ip nat pool
Defines a pool of IP addresses for NAT.
router ospf 101 vrf vpn3
Sets up an OSPF routing process and associates VRF vpn3 with OSPF VRF processes.
area 1 sham-link 10.43.43.43 10.23.23.23 cost 10
Configures a sham-link interface on a provider edge (PE) router in a Multiprotocol Label Switching (MPLS) VPN backbone.
network 172.17.0.0 0.255.255.255 area 1
Defines the interfaces on which OSPF runs and defines the area ID for those interfaces.
show sasl
To display Simple Authentication and Security Layer (SASL) information, use the show sasl command in user EXEC or privileged EXEC mode.
Syntax Description
all
Displays detailed information for all SASL profiles.
context
Displays context information for SASL profiles.
mechanisms
Displays the mechanisms applied for all SASL profiles.
profile profile-name
Displays detailed information for the specified SASL profile.
profile all
Displays all configured profiles.
Command History
Release
Modification
12.3(1)
This command was introduced.
12.2(33)SRC
This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SRC.
12.2(33)SXI
This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SXI.
Cisco IOS XE Release 2.1
This command was integrated into Cisco IOS XE Release 2.1.
Examples
The following is sample output from the show sasl profile all command:
Router# show sasl profile all SASL profile 'sgw_sasl' Refs:0 Mechs:0x2 client: <NONE>/<NONE> servers: ravi/ravi SASL profile 'sgw_1' Refs:0 Mechs:0x1 client: us1/pw1 servers: server1/userThe table below describes the significant fields shown in the display.
Table 46 show sasl profile all Field Descriptions Field
Description
SASL profile
Indicates the name of the SASL profile.
Refs
Indicates the number of active sessions.
Mechs
Indicates the profile mechanisms configured.
client
Indicates the SASL client configured for the specified profile.
servers
Indicates the SASL server configured for the specified profile.
show secure bootset
To display the status of Cisco IOS image and configuration resilience, use the show securecommand in privileged EXEC mode.
Usage Guidelines
Use the show secure bootsetcommand, instead of the Cisco IOS directory listing dir command, to verify the existence of an image archive. This command also displays output that specifies whether the image or configuration archive is ready for an upgrade.
Examples
The following is sample output from the show secure bootset command. The field descriptions are self-explanatory:
Router# show secure bootset %IOS image and configuration resilience is not active Router# show secure bootset IOS resilience router id JMX0704L5GH IOS image resilience version 12.3 activated at 08:16:51 UTC Sun Jun 16 2002 Secure archive slot0:c3745-js2-mz type is image (elf) [] file size is 25469248 bytes, run size is 25634900 bytes Runnable image, entry point 0x80008000, run from ram IOS configuration resilience version 12.3 activated at 08:17:02 UTC Sun Jun 16 2002 Secure archive slot0:.runcfg-20020616-081702.ar type is config configuration archive size 1059 bytesshow smm
To display string matching module (SMM) information, use the show smm command in privileged EXEC mode.
Examples
The following is sample output from the show smm counters command. Fields in the output are self-explanatory.
Router# show smm counters Number of non-matching packets processed - 0 Number of cache hits - 0 Number of cache misses - 0 Cache full instances - 0 Number of matching packets processed - 0 Number of matches for Stage0 - 0 Number of matches for Stage1 - 0 Number of matches for Stage2 - 0 Number of matches for Stage3 - 0 Number of signatures in signature database - 0The following is sample output from the show smm timing command:
Router# show smm timing Packet processing stats (in microseconds) : -------------------------------------------- Minimum processing time per packet - 0 Maximum processing time per packet - 0 Average processing time for non-matching packets - 0 Average processing time for matching packets - 0show snmp mib nhrp status
To display status information about the Next Hop Resolution Protocol (NHRP) MIB, use the show snmp mib nhrp status command in privileged EXEC mode.
Usage Guidelines
This command is used to display the status of the MIB for NHRP and whether the NHRP MIB is enabled or disabled.
Examples
The following output is from the show snmp mib nhrp status command:
Spoke_103# show snmp mib nhrp status NHRP-SNMP Agent Feature: Enabled NHRP-SNMP Tree State: Good ListEnqueue Count = 0 Node Malloc Counts = 1 Spoke_103#Table 1 describes the significant fields shown in the display.
Table 47 show snmp mib nhrp status Field Descriptions Field
Description
NHRP-SNMP Agent Feature:
Shows the status of the NHRP MIB. "Enabled" indicates that the NHRP MIB is enabled. If the NHRP MIB was disabled, it would display "Disabled".
ListEnqueue Count
Indicates how many nodes have been queued for freeing.
Node Malloc Counts
Indicates how many nodes are allocated.
show ssh
To display the status of Secure Shell (SSH) server connections on the router, use the show ssh command in user EXEC or privileged EXEC mode.
Command History
Release
Modification
12.1(15)T
This command was introduced.
12.2(33)SRA
This command was modified. It was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXI
This command was modified. It was integrated into Cisco IOS Release 12.2(33)SXI.
Cisco IOS XE Release 2.1
This command was modified. It was integrated into Cisco IOS XE Release 2.1.
Usage Guidelines
Use the show ssh command to display the status of the SSH connections on your router. This command does not display any SSH configuration data. Use the show ip ssh command for SSH configuration information such as timeouts and retries.
Examples
The following is sample output from the show ssh command with SSH enabled:
Router# show ssh Connection Version Encryption State Username 0 1.5 3DES Session Started guestThe table below describes the significant fields shown in the display.
Table 48 show ssh Field Descriptions Field
Description
Connection
Number of SSH connections on the router.
Version
Version number of the SSH terminal.
Encryption
Type of transport encryption.
State
The status of SSH connection to indicate if the session has started or stopped.
Username
Uesrname to log in to the SSH.
show ssl-proxy module state
To display the spanning-tree state for the specified VLAN, enter the showssl-proxymodulestate command in user EXEC mode.
Usage Guidelines
This command is supported on Cisco 7600 series routers that are configured with a Secure Sockets Layer (SSL) Services Module only.
Examples
This example shows how to verify that the VLAN information displayed matches the VLAN configuration. The fields shown in the display are self-explanatory.
Router# show ssl-proxy module 6 state SSL-services module 6 data-port: Switchport:Enabled Administrative Mode:trunk Operational Mode:trunk Administrative Trunking Encapsulation:dot1q Operational Trunking Encapsulation:dot1q Negotiation of Trunking:Off Access Mode VLAN:1 (default) Trunking Native Mode VLAN:1 (default) Trunking VLANs Enabled:100 Pruning VLANs Enabled:2-1001 Vlans allowed on trunk:100 Vlans allowed and active in management domain:100 Vlans in spanning tree forwarding state and not pruned: 100 Allowed-vlan :100 Router#show tacacs
Command History
Release
Modification
11.2
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 2.3
This command was integrated into Cisco IOS XE Release 2.3. The private and public keywords were added.
Examples
The following example is sample output for the show tacacs command:
Router# show tacacs Tacacs+ Server : 172.19.192.80/49 Socket opens: 3 Socket closes: 3 Socket aborts: 0 Socket errors: 0 Socket Timeouts: 0 Failed Connect Attempts: 0 Total Packets Sent: 7 Total Packets Recv: 7 Expected Replies: 0 No current connectionhe following is sample output from the show tacacs command for the private IP address 192.168.0.0:
Router# show tacacs private 192.168.0.0 Tacacs+ Server - private : 192.168.0.0 Socket opens: 0 Socket closes: 0 Socket aborts: 0 Socket errors: 0 Socket Timeouts: 0 Failed Connect Attempts: 0 Total Packets Sent: 0 Total Packets Recv: 0The following is sample output from the show tacacs command for the public IP address 209.165.200.224:
Router# show tacacs public 209.165.200.224 Tacacs+ Server - public : 209.165.200.224 Socket opens: 0 Socket closes: 0 Socket aborts: 0 Socket errors: 0 Socket Timeouts: 0 Failed Connect Attempts: 0 Total Packets Sent: 0 Total Packets Recv: 0The table below describes the significant fields shown in the display.
Table 49 show tacacs Field Descriptions Field
Description
Tacacs+ Server
IP address of the TACACS+ server.
Socket opens
Number of successful TCP socket connections to the TACACS+ server.
Socket closes
Number of successfully closed TCP socket attempts.
Socket aborts
Number of premature TCP socket closures to the TACACS+ server; That is, the peer did not wait for a reply from the server after a the peer sent its request.
Socket errors
Any other socket read or write errors, such as incorrect packet format and length.
Failed Connect Attempts
Number of failed TCP socket connections to the TACACS+ server.
Total Packets Sent
Number of packets sent to the TACACS+ server.
Total Packets Recv
Number of packets received from the TACACS+ server.
Tacacs+ Server
IP address of the TACACS+ server.
show tcp intercept connections
To display TCP incomplete and established connections, use the show tcp intercept connectionscommand in EXEC mode.
Command History
Release
Modification
11.2 F
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Use the show tcp intercept connections command to display TCP incomplete and established connections.
Examples
The following is sample output from the show tcp intercept connections command:
Router# show tcp intercept connections Incomplete: Client Server State Create Timeout Mode 172.19.160.17:58190 10.1.1.30:23 SYNRCVD 00:00:09 00:00:05 I 172.19.160.17:57934 10.1.1.30:23 SYNRCVD 00:00:09 00:00:05 I Established: Client Server State Create Timeout Mode 172.16.232.23:1045 10.1.1.30:23 ESTAB 00:00:08 23:59:54 IThe table below describes significant fields shown in the display.
Table 50 show tcp intercept connections Field Descriptions Field
Description
Incomplete:
Rows of information under "Incomplete" indicate connections that are not yet established.
Client
IP address and port of the client.
Server
IP address and port of the server being protected by TCP intercept.
State
SYNRCVD--establishing with client.
SYNSENT--establishing with server.
ESTAB--established with both, passing data.
Create
Hours:minutes:seconds since the connection was created.
Timeout
Hours:minutes:seconds until the retransmission timeout.
Mode
I--intercept mode.
W--watch mode.
Established:
Rows of information under "Established" indicate connections that are established. The fields are the same as those under "Incomplete" except for the Timeout field described below.
Timeout
Hours:minutes:seconds until the connection will timeout, unless the software sees a FIN exchange, in which case this indicates the hours:minutes:seconds until the FIN or RESET timeout.
Related Commands
Command
Description
ip tcp intercept connection-timeout
Changes how long a TCP connection will be managed by the TCP intercept after no activity.
ip tcp intercept finrst-timeout
Changes how long after receipt of a reset or FIN-exchange the software ceases to manage the connection.
ip tcp intercept list
Enables TCP intercept.
show tcp intercept statistics
Displays TCP intercept statistics.
show tcp intercept statistics
Command History
Release
Modification
11.2 F
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Examples
The following is sample output from the show tcp intercept statistics command:
Router# show tcp intercept statistics intercepting new connections using access-list 101 2 incomplete, 1 established connections (total 3) 1 minute connection request rate 2 requests/secRelated Commands
Command
Description
ip tcp intercept connection-timeout
Changes how long a TCP connection will be managed by the TCP intercept after no activity.
ip tcp intercept finrst-timeout
Changes how long after receipt of a reset or FIN-exchange the software ceases to manage the connection.
ip tcp intercept list
Enables TCP intercept.
show tcp intercept connections
Displays TCP incomplete and established connections.
show tech-support alg
To display application layer gateway (ALG)-specific information to assist in troubleshooting, use the show tech-support alg command in privileged EXEC mode.
Syntax Description
Command History
Usage Guidelines
The show tech-support alg command is useful for collecting a large amount of information about ALGs for troubleshooting purposes. The output of this command can be provided to technical support representatives when reporting a problem. The command output displays the output of a number of show commands at once. The output from this command varies depending on your platform and configuration.
Examples
The following is sample output from the show tech-support alg platform command:
Device# show tech-support alg platform show platform hardware qfp active feature alg memory Pool information: Pool-Name Num-Entries Entry-Limit Size(bytes) Num-Additions ----------------------------------------------------------------------------- FTP pool 640 0 41376 0 SCCP pool 160 0 8096 0 SIP pool 640 0 348576 0 SIP pkt pool 160 0 18336 0 SIP msg pool 320 0 26016 0 RTSP pool 160 0 10656 0 H323 info pool 100 5000 61216 0 H323 fs olc pool 100 5000 3616 0 H323 pkt sb pool 100 5000 3616 0 H323 indus pool 1000 2000 4112416 0 H323 tl olc pool 100 5000 3616 0 H323 msg info pool 100 5000 8416 0 DNS pool 1024 0 82336 0 LDAP pool 128 5000 4512 0 LDAP pkt info pool 32 160 670624 0 RCMD pool 160 5000 5536 0 HTTP info pool 2400 1048576 192416 0 HTTP req ctxt pool 6400 2097152 1638816 0 HTTP resp ctxt pool 6400 2097152 1331616 0 HTTP hdr fld pool 6400 2097152 307616 0 HTTP MIME ctxt pool 6400 2097152 819616 0 NetBIOS L7 data pool 1024 5000 33184 0 Act token pool 640 0 143776 0 Ext state pool 160 0 5536 0 ALG HA ntuple hdr pool 10000 0 640416 0 Sun RPC info pool 1024 7168 33184 0 MS RPC info pool 1024 7168 49568 0 MS RPC extended toke... 1024 7168 82336 0 SMTP l7 info pool 2400 524288 1075616 0 SMTP command pool 6400 1048576 307616 0 SMTP log filter pool 6400 1048576 307616 0 SMTP mask pool 6400 1048576 307616 0 IMAP info pool 2400 524288 154016 0 POP3 info pool 2400 524288 154016 0 GTP AIC ctxt pool 2400 1048576 154016 0 GTP request response... 2400 524288 154016 0 GTP hash info pool 2400 2097152 192416 0 GTP master pdp pool 2400 524288 1421216 0 GTP secondary pdp pool 2400 524288 269216 0 GTP req_resp hash en... 2400 1048576 192416 0 Table information: Ha hash table: Num-Entries: 10000, Size(bytes): 40000 show platform hardware qfp active feature td datapath memory ==VTCP ucode info== info alloc 0, free 0, fail 0 pkt buf alloc 0, free 0, fail 0 buf size alloc 0, free 0 rx drop 0, tx drop 0, tcp drop 0, alg csum 0 sending: rx ack 0, rst 0, hold rst 0 tx payload: seg 0, rexmit 0 vtcp_info_chunk 0x8d54fcb0, totalfree: 2048, allocated: 0 vtcp_pkt_pool 0x8d5d80c0, total: 1048240, free: 1048240 vtcp_timer_wheel 0x8d6d84d0, vtcp_init 1 td_internal debug 0x0 td_global td_init 0x2 alg_debug_vtcp 0x0 show platform hardware qfp active feature alg statistics ALG counters: ALG Cntrl-Pkt Parser-Err&Drop Parser-No-Act FTP 0 0 0 SIP 0 0 0 SKINNY 0 0 0 H225 0 0 0 H245 0 0 0 H225ras 0 0 0 RTSP 0 0 0 DNS 0 0 0 LDAP 0 0 0 TFTP 0 0 0 HTTP 0 0 0 SHELL 0 0 0 LOGIN 0 0 0 NETBIOS-NS 0 0 0 NETBIOS-SSN 0 0 0 ALG chunk pool: Pool-Name Used-Entries Free-Entries FTP pool 0 640 SCCP pool 0 160 SIP pool 0 640 SIP pkt pool 0 160 SIP msg pool 0 320 RTSP pool 0 160 H323 info pool 0 100 H323 fs olc pool 0 100 H323 pkt sb pool 0 100 H323 indus pool 50 950 H323 tl olc pool 0 100 H323 msg info pool 0 100 DNS pool 0 1024 LDAP pool 0 128 LDAP pkt info pool 0 32 HTTP info pool 0 0 HTTP req ctxt pool 0 0 HTTP resp ctxt pool 0 0 HTTP hdr fld pool 0 0 HTTP MIME ctxt pool 0 0 NetBIOS L7 data pool 0 1024 Common ALG chunk pool: Pool-Name Used-Entries Free-Entries Act Token Pool 0 640 Ext State Pool 0 160 HA ntuple hdr Pool 0 10000 Sun RPC info pool 0 1024 MS RPC info pool 0 1024 SMTP l7 info pool 0 0 SMTP command pool 0 0 SMTP log filter pool 0 0 SMTP mask pool 0 0 IMAP info pool 0 0 POP3 info pool 0 0 GTP AIC ctxt pool 0 0 GTP Req/Res pool 0 0 GTP hash info pool 0 0 GTP master pdp pool 0 0 GTP secondary pdp pool 0 0 GTP req_res hash entry pool 0 0 . . .The table below describes the significant fields shown in the display.
Table 51 show tech-support alg platform Field Descriptions Field
Description
Pool information
Detailed information about ALG pools.
Pool-Name
Name of the ALG pool.
Num-Entries
Number of pool entries.
Entry-Limit
Configured limit for the number of packets that can access the pool.
info alloc
Virtual TCP (vTCP) allocated counts.
pak buf alloc
Allocated packet buffer.
buf siz alloc
Allocated buffer size.
show tech-support ipsec
To display IPsec information to assist in troubleshooting, use the show tech-support ipsec command in privileged EXEC mode.
Command History
Release
Modification
12.4(20)T
This command was introduced.
Cisco IOS XE Release 2.4
This command was implemented on the Cisco ASR 1000 Series Aggregation Service Routers.
Cisco IOS XE Release 3.7S
This command was modified. The platform keyword was added. The output was enhanced to display platform specific information about the IPsec flow.
Usage Guidelines
The show tech-support ipsec command simplifies the collection of IPsec-related information if you are troubleshooting a problem.
The show tech-support ipsec command without any keywords displays the output from the following show commands, as listed in the order below:
- show version
- show running-config
- show crypto isakmp sa count
- show crypto ipsec sa count
- show crypto session summary
- show crypto session detail
- show crypto isakmp sa detail
- show crypto ipsec sa detail
- show crypto isakmp peers
- show crypto ruleset detail
- show processes memory | include Crypto IKMP
- show processes cpu | include Crypto IKMP
- show crypto eli
- show crypto engine accelerator statistic
The show tech-support ipsec command with the peer keyword and the ipv4-address argument displays the output from the following show commands, as listed in the order below:
- show version
- show running-config
- show crypto session remote ipv4address detail
- show crypto isakmp sa peer ipv4address detail
- show crypto ipsec sa peer ipv4address detail
- show crypto isakmp peers ipv4address
- show crypto ruleset detail
- show processes memory | include Crypto IKMP
- show processes cpu | include Crypto IKMP
- show crypto eli
- show crypto engine accelerator statistic
The show tech-support ipsec command with the vrf vrf-name keyword and argument displays the output from the following show commands as listed in the order below:
- show version
- show running-config
- show crypto isakmp sa count vrf vrf-name
- show crypto ipsec sa count vrf vrf-name
- show crypto session ivrf ivrf-name detail
- show crypto session fvrf fvrf-name detail
- show crypto isakmp sa vrf vrf-name detail
- show crypto ipsec sa vrf vrf-name detail
- show crypto ruleset detail
- show processes memory | include Crypto IKMP
- show processes cpu | include Crypto IKMP
- show crypto eli
- show crypto engine accelerator statistic
The show tech-support ipsec platform command displays the output from the following show commands, as listed in the order below:
- show clock
- show version
- show running-config
- show crypto tech-support
- show crypto isakmp sa count
- show crypto ipsec sa count
- show crypto isakmp sa detail
- show crypto ipsec sa detail
- show crypto session summary
- show crypto session detail
- show crypto isakmp peers
- show crypto ruleset detail
- show processes memory
- show processes cpu
- show crypto eli
- show crypto engine accelerator statistic
- show crypto isakmp diagnose error
- show crypto isakmp diagnose error count
- show crypto call admission statistics
show tunnel endpoints
To display the contents of the tunnel endpoint database that is used for tunnel endpoint address resolution, when running a tunnel in multipoint generic routing encapsulation (mGRE) mode, use the show tunnel endpointscommand in privileged EXEC mode.
Command History
Release
Modification
12.0(27)S
This command was introduced.
12.2(18)SXE
This command was integrated into Cisco IOS Release 12.2(18)SXE.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.(33)SRA.
12.4(11)T
This command was integrated into Cisco IOS Release 12.4(11)T.
Cisco IOS XE Release 2.1
This command was implemented on the Cisco ASR 1000 series routers.
Usage Guidelines
The output of show tunnel endpoints command displays the tunnel destination and transport address together with any overlay or virtual private network (VPN) address that resolves to it.
Examples
The following example shows that there are two tunnel endpoints in the database that are associated with tunnel 1 (192.0.2.0 and 192.0.2.1). Through these endpoints, VPN destination 192.0.2.3 is reachable by tunneling to endpoint 192.0.2.0 and VPN destination 192.0.2.2 is reachable by tunneling to endpoint 192.0.2.1.
Router# show tunnel endpoints Tunnel0 running in multi-GRE/IP mode Endpoint transport 20.20.20.20 Refcount 4 Base 0x55BCC5E8 Create Time 00:01:08 overlay ::FFFF:20.20.20.20 Refcount 2 Parent 0x55BCC5E8 Create Time 00:01:08 overlay 20.20.20.20 Refcount 2 Parent 0x55BCC5E8 Create Time 00:01:08The table below describes the significant fields shown in the display..
Table 52 show tunnel endpoints Field Descriptions Field
Description
Transport
Displays the transport address.
Refcount
Number of overlay addresses that are resolving through the destination address.
Base
Displays the base address.
Overlay
Displays the overlay address.
Parent
Reference to the tunnel endpoint.
show usb controllers
To display USB host controller information, use the show usb controllerscommand in privileged EXEC mode.
Syntax Description
controller-number
(Optional) Displays information only for the specified controller.
Command History
Release
Modification
12.3(14)T
This command was introduced.
12.4(11)T
This command was integrated into the Cisco 7200VXR NPE-G2 platform.
Usage Guidelines
Use the show usb controllerscommand to display content such as controller register specific information, current asynchronous buffer addresses, and period scheduling information. You can also use this command to verify that copy operations are occurring successfully onto a USB flash module.
Examples
The following example is sample output from the show usb controllers command:
Router# show usb controllers Name:1362HCD Controller ID:1 Controller Specific Information: Revision:0x11 Control:0x80 Command Status:0x0 Hardware Interrupt Status:0x24 Hardware Interrupt Enable:0x80000040 Hardware Interrupt Disable:0x80000040 Frame Interval:0x27782EDF Frame Remaining:0x13C1 Frame Number:0xDA4C LSThreshold:0x628 RhDescriptorA:0x19000202 RhDescriptorB:0x0 RhStatus:0x0 RhPort1Status:0x100103 RhPort2Status:0x100303 Hardware Configuration:0x3029 DMA Configuration:0x0 Transfer Counter:0x1 Interrupt:0x9 Interrupt Enable:0x196 Chip ID:0x3630 Buffer Status:0x0 Direct Address Length:0x80A00 ATL Buffer Size:0x600 ATL Buffer Port:0x0 ATL Block Size:0x100 ATL PTD Skip Map:0xFFFFFFFF ATL PTD Last:0x20 ATL Current Active PTD:0x0 ATL Threshold Count:0x1 ATL Threshold Timeout:0xFF Int Level:1 Transfer Completion Codes: Success :920 CRC :0 Bit Stuff :0 Stall :0 No Response :0 Overrun :0 Underrun :0 Other :0 Buffer Overrun :0 Buffer Underrun :0 Transfer Errors: Canceled Transfers :2 Control Timeout :0 Transfer Failures: Interrupt Transfer :0 Bulk Transfer :0 Isochronous Transfer :0 Control Transfer:0 Transfer Successes: Interrupt Transfer :0 Bulk Transfer :26 Isochronous Transfer :0 Control Transfer:894 USBD Failures: Enumeration Failures :0 No Class Driver Found:0 Power Budget Exceeded:0 USB MSCD SCSI Class Driver Counters: Good Status Failures :3 Command Fail :0 Good Status Timed out:0 Device not Found:0 Device Never Opened :0 Drive Init Fail :0 Illegal App Handle :0 Bad API Command :0 Invalid Unit Number :0 Invalid Argument:0 Application Overflow :0 Device in use :0 Control Pipe Stall :0 Malloc Error :0 Device Stalled :0 Bad Command Code:0 Device Detached :0 Unknown Error :0 Invalid Logic Unit Num:0 USB Aladdin Token Driver Counters: Token Inserted :1 Token Removed :0 Send Insert Msg Fail :0 Response Txns :434 Dev Entry Add Fail :0 Request Txns :434 Dev Entry Remove Fail:0 Request Txn Fail:0 Response Txn Fail :0 Command Txn Fail:0 Txn Invalid Dev Handle:0 USB Flash File System Counters: Flash Disconnected :0 Flash Connected :1 Flash Device Fail :0 Flash Ok :1 Flash startstop Fail :0 Flash FS Fail :0 USB Secure Token File System Counters: Token Inserted :1 Token Detached :0 Token FS success :1 Token FS Fail :0 Token Max Inserted :0 Create Talker Failures:0 Token Event :0 Destroy Talker Failures:0 Watched Boolean Create Failures:0show usb device
Usage Guidelines
Use the show usb device command to display information for either a USB flash drive or a USB eToken, as appropriate.
Examples
The following example is sample output from the show usb device command:
Router# show usb device Host Controller:1 Address:0x1 Device Configured:YES Device Supported:YES Description:DiskOnKey Manufacturer:M-Sys Version:2.0 Serial Number:0750D84030316868 Device Handle:0x1000000 USB Version Compliance:2.0 Class Code:0x0 Subclass Code:0x0 Protocol:0x0 Vendor ID:0x8EC Product ID:0x15 Max. Packet Size of Endpoint Zero:64 Number of Configurations:1 Speed:Full Selected Configuration:1 Selected Interface:0 Configuration: Number:1 Number of Interfaces:1 Description: Attributes:None Max Power:140 mA Interface: Number:0 Description: Class Code:8 Subclass:6 Protocol:80 Number of Endpoints:2 Endpoint: Number:1 Transfer Type:BULK Transfer Direction:Device to Host Max Packet:64 Interval:0 Endpoint: Number:2 Transfer Type:BULK Transfer Direction:Host to Device Max Packet:64 Interval:0 Host Controller:1 Address:0x11 Device Configured:YES Device Supported:YES Description:eToken Pro 4254 Manufacturer:AKS Version:1.0 Serial Number: Device Handle:0x1010000 USB Version Compliance:1.0 Class Code:0xFF Subclass Code:0x0 Protocol:0x0 Vendor ID:0x529 Product ID:0x514 Max. Packet Size of Endpoint Zero:8 Number of Configurations:1 Speed:Low Selected Configuration:1 Selected Interface:0 Configuration: Number:1 Number of Interfaces:1 Description: Attributes:None Max Power:60 mA Interface: Number:0 Description: Class Code:255 Subclass:0 Protocol:0 Number of Endpoints:0The following table describes the significant fields shown in the display.
Table 53 show usb device Field Descriptions Field
Description
Device handle
Internal memory handle allocated to the device.
Device Class code
The class code supported by the device.
This number is allocated by the USB-IF. If this field is reset to 0, each interface within a configuration specifies its own class information, and the various interfaces operate independently. If this field is set to a value between 1 and FEH, the device supports different class specifications on different interfaces, and the interfaces may not operate independently. This value identifies the class definition used for the aggregate interfaces. If this field is set to FFH, the device class is vendor-specific.
Device Subclass code
The subclass code supported by the device. This number is allocated by the USB-IF.
Device Protocol
The protocol supported by the device. If this field is set to 0, the device does not use class-specific protocols on a device basis. If this field is set to 0xFF, the device uses a vendor-specific protocol on a device basis.
Interface Class code
The class code supported by the interface. If the value is set to 0xFF, the interface class is vendor specific. All other values are allocated by the USB-IF.
Interface Subclass code
The subclass code supported by the interface. All values are allocated by the USB-IF.
Interface Protocol
The protocol code supported by the interface. If this field is set to 0, the device does not use a class-specific protocol on this interface. If this field is set to 0xFF, the device uses a vendor-specific protocol for this interface.
Max Packet
Maximum data packet size, in bytes.
show usb driver
To display information about registered USB class drivers and vendor-specific drivers, use the show usb drivercommand in privileged EXEC mode.
Examples
The following example is sample output for the show usb driver command:
Router# show usb driver Index:0 Owner Mask:0x6 Class Code:0x0 Subclass Code:0x0 Protocol:0x0 Interface Class Code:0x8 Interface Subclass Code:0x6 Interface Protocol Code:0x50 Product ID:0x655BD598 Vendor ID:0x64E90000 Attached Devices: Controller ID:1, Device Address:1 Index:1 Owner Mask:0x1 Class Code:0x0 Subclass Code:0x0 Protocol:0x0 Interface Class Code:0x0 Interface Subclass Code:0x0 Interface Protocol Code:0x0 Product ID:0x514 Vendor ID:0x529 Attached Devices: Controller ID:1, Device Address:17 Index:2 Owner Mask:0x5 Class Code:0x9 Subclass Code:0x6249BD58 Protocol:0x2 Interface Class Code:0x5DC0 Interface Subclass Code:0x5 Interface Protocol Code:0xFFFFFFFF Product ID:0x2 Vendor ID:0x1 Attached Devices: None Index:3 Owner Mask:0x10 Class Code:0x0 Subclass Code:0x0 Protocol:0x0 Interface Class Code:0x0 Interface Subclass Code:0x0 Interface Protocol Code:0x0 Product ID:0x0 Vendor ID:0x0 Attached Devices: NoneThe following table describes the significant field shown in the display.
show usb port
show usb-devices summary
To display USB device summary information for all USB devices attached to the router, use the show usb-devices summarycommand in privileged EXEC mode.
Usage Guidelines
Use the show usb-devices summary command to display information for either a USB flash drive or a USB eToken, as appropriate.
Examples
The following example is sample output from the show usb-devices summary command, which shows that a USB token device is supported by Cisco (see the text in bold).:
Router# show usb-devices summary USB Device: OHCI Host Controller Bus: 03 Port: 00 Cnt: 00 Speed: 12 Vendor: 1d6b ProdID: 0001 Rev: 2.06 Serial Number: 0001:01:11.1 USB Device: OHCI Host Controller Bus: 02 Port: 00 Cnt: 00 Speed: 12 Vendor: 1d6b ProdID: 0001 Rev: 2.06 Serial Number: 0001:01:11.0 USB Device: Token 4.28.1.1 2.7.195 Bus: 02 Port: 00 Cnt: 01 Speed: 12 Vendor: 0529 ProdID: 0600 Rev: 1.00 Serial Number: USB Device: EHCI Host Controller Bus: 01 Port: 00 Cnt: 00 Speed: 480 Vendor: 1d6b ProdID: 0002 Rev: 2.06 Serial Number: 0001:01:11.2 USB Device: eUSB Bus: 01 Port: 03 Cnt: 01 Speed: 480 Vendor: 0e39 ProdID: 2b00 Rev: b9.00 Serial Number: 1E884812183636210510show usb tree
To display information about the port state and all attached devices, use the show usb treecommand in privileged EXEC mode.
Examples
The following example is sample output from the show usb tree command. This output shows that both a USB flash module and a USB eToken are currently enabled.
Router# show usb tree [Host Id:1, Host Type:1362HCD, Number of RH-Port:2] <Root Port0:Power=ON Current State=Enabled> Port0:(DiskOnKey) Addr:0x1 VID:0x08EC PID:0x0015 Configured (0x1000000) <Root Port1:Power=ON Current State=Enabled> Port1:(eToken Pro 4254) Addr:0x11 VID:0x0529 PID:0x0514 Configured (0x1010000)show usbtoken
To display information about the USB eToken (such as the eToken ID), use the show usbtokencommand in privileged EXEC mode.
Usage Guidelines
Use the show usbtoken command to verify whether a USB eToken is inserted in the router.
Examples
The following example is sample output from the show usbtoken command:
Router# show usbtoken0 Token ID :43353334 Token device name : token0 Vendor name : Vendor34 Product Name :Etoken Pro Serial number : 22273a334353 Firmware version : 4.1.3.2 Total memory size : 32 KB Free memory size : 16 KB FIPS version : Yes/No Token state : “Active” | “User locked” | “Admin locked” | “System Error” | “Uknown” ATR (Answer To Reset) :"3B F2 98 0 FF C1 10 31 FE 55 C8 3"The following table describes the significant fields shown in the display.
show user-group
Examples
The following is sample output from the show user-group command when the auth_proxy_ug user group is specified.
Router# show user-group auth_proxy_ug ! Usergroup: auth_proxy_ug ---------------------------------------------------------------- User Name Type Interface Learn Age (min) ---------------------------------------------------------------- 192.168.101.131 IPv4 Vlan333 Dynamic 0!
The following is sample output from the show user-group command when the count keyword is used.
Router# show user-group count ! Total Usergroup: 2 -------------------------- User Group Members -------------------------- auth_proxy_ug 1 eng_group_ug 1 !The table below describes the significant fields shown in the displays.
show users
To displa y information about the active lines on the router, use the show userscommand in user EXEC or privileged EXEC mode.
Syntax Description
all
(Optional) Specifies that all lines be displayed, regardless of whether anyone is using them.
wide
(Optional) Specifies that the wide format be used.
slot
(Optional) Displays information about remote logins to other processes in the chassis.
slot-number
(Optional) The slot number.
summary
(Optional) Displays a summary of user sessions.
lawful-intercept
(Optional) Displays lawful-intercept users.
Command History
Release
Modification
10.0
This command was introduced.
12.3(2)T
The summary keyword was introduced.
12.3(7)T
The lawful-intercept keyword was introduced.
12.2(33)SRB
This command was integrated into Cisco IOS Release 12.2(33)SRB.
12.2(33)SXI
This command was modified in a release earlier than Cisco IOS Release 12.2(33)SXI. The slot keyword and slot-number argument were added.
Cisco IOS XE Release 2.1
This command was implemented on the Cisco ASR 1000 Series Aggregation Sevices Routers.
Usage Guidelines
This command displays the line number, connection name, idle time, hosts (including virtual access interfaces), and terminal location. An asterisk (*) indicates the current terminal session.
If the lawful-intercept keyword is issued, the names of all users who have access to a configured lawful intercept view will be displayed. To access the show users lawful-intercept command, you must be an authorized lawful-intercept-view user.
When an idle timeout is configured on a full virtual access interface and a subvirtual access interface, the show users command displays the idle time for both the interfaces. However, if the idle timeout is not configured on both the interfaces, then the show users command will display the idle time for the full virtual access interface only.
Examples
The following is sample output from the show users command:
Router# show users Line User Host(s) Idle Location 0 con 0 idle * 2 vty 0 user1 idle 0 SERVICE1.CISCO.COMThe following is sample output identifying an active virtual access interface:
Router# show users Line User Host(s) Idle Location * 0 con 0 idle 01:58 10 vty 0 Virtual-Access2 0 1212321The following is sample output from the show users all command:
Router# show users all Line User Host(s) Idle Location * 0 vty 0 user1 idle 0 SERVICE1.CISCO.COM 1 vty 1 2 con 0 3 aux 0 4 vty 2The table below describes the significant fields shown in the displays.
Table 57 show users Field Descriptions Field
Description
Line
Contains three subfields:
- The first subfield (0 in the sample output) is the absolute line number.
- The second subfield (vty in the sample output) indicates the type of line. Possible values follow:
aux--auxiliary port
con--console
tty--asynchronous terminal port
vty--virtual terminal
User
User using the line. If no user is listed in this field, no one is using the line.
Host(s)
Host to which the user is connected (outgoing connection). A value of idle means that there is no outgoing connection to a host.
Idle
Interval (in minutes) since the user has entered something.
Location
Either the hard-wired location for the line or, if there is an incoming connection, the host from which the incoming connection came.
The following sample output from the show users lawful interceptcommand shows three LI-View users on the system--li_admin, li-user1, and li-user2:
Router# show users lawful-intercept li_admin li-user1 li-user2 Router#
