-
Cisco IOS Security Command Reference: Commands S to Z, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
-
sa ipsec through sessions maximum
-
set aggressive-mode client-endpoint through show content-scan
-
show diameter peer through show object-group
-
show parameter-map type consent through show users
-
show vlan group through switchport port-security violation
-
tacacs-server administration through title-color
-
traffic-export through zone security
-
Index
-
Feedback
Contents
show diameter peer through show object-group
- show dot1x
- show ip access-lists
- show ip admission
- show ip interface
- show ip ssh
- show ipv6 access-list
- show mab
- show mac-address-table
show dot1x
To display details for an identity profile, use the show dot1x command in privileged EXEC mode.
NoteEffective with Cisco IOS Release 12.2(33)SXI, the show dot1x command is supplemented by the show authentication command. The show dot1x command is reserved for displaying output specific to the use of the 802.1X authentication method. The show authentication sessionscommand has a wider remit of displaying information for all authentication methods and authorization features. See the show authentication sessionscommand for more information.
Syntax Description
all
(Optional) Displays 802.1X status for all interfaces.
summary
(Optional) Displays summary of 802.1X status for all interfaces.
interface interface-name
(Optional) Specifies the interface name and number.
details
(Optional) Displays the interface configuration as well as the authenticator instances on the interface.
statistics
(Optional) Displays 802.1X statistics for all the interfaces.
Command History
Release
Modification
12.1(11)AX
This command was introduced.
12.1(14)EA1
The all keyword was added.
12.3(2)XA
This command was integrated into Cisco IOS Release 12.3(2)XA.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
12.2(25)SED
The output display was expanded to include auth-fail-vlan information in the authorization state machine state and port status fields.
12.2(25)SEE
The details and statistics keywords were added.
12.3(11)T
The PAE, HeldPeriod, StartPeriod, and MaxStart fields were added to the show dot1x command output.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
If you do not specify a port, global parameters and a summary appear. If you specify a port, details for that port appear in the output.
NoteIn some IOS versions, the show dot1x command may not display the AUTHORIZED or UNAUTHORIZED value in the Port Status command output field if authentication methods other than the 802.1X authentication method are used. If the Port Status field does not contain a value, then use the show authentication sessions command to display the Authz Success or Authz Failed port status authentication value.
Examples
The following is sample output from the show dot1x command using both the interface and details keywords. The clients are successfully authenticated in this example.
Router# show dot1x interface ethernet1/0 details Dot1x Info for Ethernet1/0 ----------------------------------- PAE = AUTHENTICATOR PortControl = AUTO ControlDirection = Both HostMode = MULTI_HOST QuietPeriod = 60 ServerTimeout = 0 SuppTimeout = 30 ReAuthMax = 2 MaxReq = 1 TxPeriod = 30 Dot1x Authenticator Client List ------------------------------- Supplicant = aabb.cc00.c901 Session ID = 0A34628000000000000009F8 Auth SM State = AUTHENTICATED Auth BEND SM State = IDLEThe following is sample output from the show dot1x command using both the interface and details keywords. The clients are unsuccessful at authenticating in this example.
Router# show dot1x interface ethernet1/0 details Dot1x Info for Ethernet1/0 ----------------------------------- PAE = AUTHENTICATOR PortControl = AUTO ControlDirection = Both HostMode = MULTI_HOST QuietPeriod = 60 ServerTimeout = 0 SuppTimeout = 30 ReAuthMax = 2 MaxReq = 1 TxPeriod = 30 Dot1x Authenticator Client List EmptyThe table below describes the significant fields shown in the displays.
Related Commands
Command
Description
clear dot1x
Clears 802.1X interface information.
debug dot1x
Displays 802.1X debugging information.
dot1x default
Resets the global 802.1X parameters to their default values.
identity profile
Creates an identity profile.
show authentication sessions
Displays information about current Authentication Manager sessions.
show ip access-lists
To display the contents of all current IP access lists, use the show ip access-lists command in user EXEC or privileged EXEC modes.
show ip access-lists [ access-list-number | access-list-number-expanded-range | access-list-name | dynamic [dynamic-access-list-name] | interface name number [ in | out ] ]
Syntax Description
access-list-number
(Optional) Number of the IP access list to display.
access-list-number-expanded-range
(Optional) Expanded range of the IP access list to display.
access-list-name
(Optional) Name of the IP access list to display.
dynamic dynamic-access-list-name
(Optional) Displays the specified dynamic IP access lists.
interface name number
(Optional) Displays the access list for the specified interface.
in
(Optional) Displays input interface statistics.
out
(Optional) Displays output interface statistics.
Command History
Release
Modification
10.3
This command was introduced.
12.3(7)T
The dynamic keyword was added.
12.4(6)T
The interface nameand number keyword and argument pair was added. The in and out keywords were added.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.4(11)T
This command was modified. Example output from the dynamic keyword was added.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.4(20)T
This command was modified. The output of this command was extended to display access lists that contain object groups.
Cisco IOS XE Release 2.5
This command was integrated into Cisco IOS XE Release 2.5.
Usage Guidelines
The show ip access-lists command provides output identical to the show access-lists command, except that it is IP-specific and allows you to specify a particular access list.
Examples
The following is sample output from the show ip access-lists command when all access lists are requested:
Router# show ip access-lists Extended IP access list 101 deny udp any any eq nntp permit tcp any any permit udp any any eq tftp permit icmp any any permit udp any any eq domainThe table below describes the significant fields shown in the display.
Table 2 show ip access-lists Field Descriptions Field
Description
Extended IP access list
Extended IP access-list number.
deny
Packets to reject.
udp
User Datagram Protocol.
any
Source host or destination host.
eq
Packets on a given port number.
nntp
Network News Transport Protocol.
permit
Packets to forward.
tcp
Transmission Control Protocol.
tftp
Trivial File Transfer Protocol.
icmp
Internet Control Message Protocol.
domain
Domain name service.
The following is sample output from the show ip access-lists command when the name of a specific access list is requested:
Router# show ip access-lists Internetfilter Extended IP access list Internetfilter permit tcp any 192.0.2.0 255.255.255.255 eq telnet deny tcp any any deny udp any 192.0.2.0 255.255.255.255 lt 1024 deny ip any any logThe following is sample output from the show ip access-lists command when the name of a specific access list that contains an object group is requested:
Router# show ip access-lists my-ogacl-policy Extended IP access list my-ogacl-policy 10 permit object-group eng-service any anyThe following sample output from the show ip access-lists command shows input statistics for Fast Ethernet interface 0/0:
Router# show ip access-lists interface FastEthernet0/0 in Extended IP access list 150 in 10 permit ip host 10.1.1.1 any 30 permit ip host 10.2.2.2 any (15 matches)The following is sample output from the show ip access-lists command using the dynamic keyword:
Router# show ip access-lists dynamic CM_SF#1 Extended IP access list CM_SF#1 10 permit udp any any eq 5060 (650 matches) 20 permit tcp any any eq 5060 30 permit udp any any dscp ef (806184 matches)To check your configuration, use the show run interfaces cable command:
Router# show run interfaces cable 0/1/0 Building configuration... Current configuration : 144 bytes ! interface cable-modem0/1/0 ip address dhcp load-interval 30 no keepalive service-flow primary upstream service-policy output llq endRelated Commands
Command
Description
deny
Sets conditions in a named IP access list or OGACL that will deny packets.
ip access-group
Applies an ACL or OGACL to an interface or a service policy map.
ip access-list
Defines an IP access list or OGACL by name or number.
object-group network
Defines network object groups for use in OGACLs.
object-group service
Defines service object groups for use in OGACLs.
permit
Sets conditions in a named IP access list or OGACL that will permit packets.
show object-group
Displays information about object groups that are configured.
show run interfaces cable
Displays statistics on the cable modem.
show ip admission
To display the network admission cache entries and information about web authentication sessions, use the show ip admission command in user EXEC or privileged EXEC mode.
Cisco IOS XE Release 3SE and Later Releases
show ip admission { cache | statistics [ brief | details | httpd | input-feature ] | status [ banners | custom-pages | httpd | parameter-map [parameter-map-name] ] | watch-list }
All Other Releases
show ip admission { cache [ consent | eapoudp | ip-addr ip-address | username username ] | configuration | httpd | statistics | [ brief | details | httpd ] | status [httpd] | watch-list }
Syntax Description
cache
Displays the current list of network admission entries.
statistics
Displays statistics for web authentication.
brief
(Optional) Displays a statistics summary for web authentication.
details
(Optional) Displays detailed statistics for web authentication.
httpd
(Optional) Displays information about web authentication HTTP processes
input-feature
Displays statistics about web authentication packets.
status
Displays status information about configured web authentication features including banners, custom pages, HTTP processes, and parameter maps.
banners
Displays information about configured banners for web authentication.
custom-pages
Displays information about custom pages configured for web authentication.
Custom files are read into a local cache and served from the cache. A background process periodically checks if the files need to be re-cached.
parameter-map parameter-map-name
Displays information about configured banners and custom pages for all parameter maps or only for the specified parameter map.
watch-list
Displays the list of IP addresses in the watch list.
consent
(Optional) Displays the consent web page cache entries.
eapoudp
(Optional) Displays the Extensible Authentication Protocol over UDP (EAPoUDP) network admission cache entries. Includes the host IP addresses, session timeout, and posture state.
ip-addr ip-address
(Optional) Displays information for a client IP address.
username username
(Optional) Display information for a client username.
configuration
(Optional) Displays the NAC configuration.
Note This keyword is not supported in Cisco IOS XE Release 3.2SE and later releases. Use the show running-config all command to see the running web authentication configuration and the commands configured with default parameters.
Command History
Release
Modification
12.3(8)T
This command was introduced.
12.4(11)T
This command was modified. The output of this command was enhanced to display whether the AAA timeout policy is configured.
12.4(15)T
This command was modified. The consent keyword was added.
12.2(33)SXI
This command was integrated into Cisco IOS Release 12.2(33)SXI.
15.3(1)T
This command was modified. The statistics, brief, details, httpd, and status keywords were added.
Cisco IOS XE Release 3.2SE
This command was modified. The input-feature, banners, custom-pages, and parameter-map keywords were added. The configuration keyword was removed.
Usage Guidelines
Use the show ip admission command to display information about network admission entries and information about web authentication sessions.
Examples
The following is sample output from the show ip admission cache command:
Device# show ip admission cache Authentication Proxy Cache Total Sessions: 1 Init Sessions: 1 Client MAC 5cf3.fc25.7e3d Client IP 1.150.128.2 IPv6 :: Port 0, State INIT, Method WebauthThe following is sample output from the show ip admission statistics command:
Device# show ip admission statistics Webauth input-feature statistics: IPv4 IPv6 Total packets received 46 0 Delivered to TCP 46 0 Forwarded 0 0 Dropped 0 0 TCP new connection limit reached 0 0 Webauth HTTPd statistics: HTTPd process 1 Intercepted HTTP requests: 8 IO Read events: 9 Received HTTP messages: 7 IO write events: 11 Sent HTTP replies: 7 IO AAA messages: 4 SSL OK: 0 SSL Read would block: 0 SSL Write would block: 0 HTTPd process scheduled count: 23The following is sample output from the show ip admission status command:
Device# show ip admission status IP admission status: Enabled interfaces 1 Total sessions 1 Init sessions 1 Max init sessions allowed 100 Limit reached 0 Hi watermark 1 TCP half-open connections 0 Hi watermark 0 TCP new connections 0 Hi watermark 0 TCP half-open + new 0 Hi watermark 0 HTTPD1 Contexts 0 Hi watermark 1 Parameter Map: Global Custom Pages Custom pages not configured Banner Banner not configured Parameter Map: PMAP_WEBAUTH Custom Pages Custom pages not configured Banner Type: text Banner " <H2>Login Page Banner</H2> " Html " <H2>Login Page Banner</H2> " Length 48 Parameter Map: PMAP_CONSENT Custom Pages Custom pages not configured Banner Banner not configured Parameter Map: PMAP_WEBCONSENT Custom Pages Custom pages not configured Banner Banner not configured Parameter Map: PMAP_WEBAUTH_CUSTOM_FLASH Custom Pages Type: "login" File flash:webauth_login.html File status Ok - File cached File mod time 2012-07-20T02:29:36.000Z File needs re-cached No Cache 0x3AEE1E1C Cache len 246582 Cache time 2012-09-18T13:56:57.000Z Cache access 0 reads, 1 write Type: "success" File flash:webauth_success.html File status Ok - File cached File mod time 2012-02-21T06:57:28.000Z File needs re-cached No Cache 0x3A529B3C Cache len 70 Cache time 2012-09-18T13:56:57.000Z Cache access 0 reads, 1 write Type: "failure" File flash:webauth_fail.html File status Ok - File cached File mod time 2012-02-21T06:55:49.000Z File needs re-cached No Cache 0x3A5BEBC4 Cache len 67 Cache time 2012-09-18T13:56:57.000Z Cache access 0 reads, 1 write Type: "login expired" File flash:webauth_expire.html File status Ok - File cached File mod time 2012-02-21T06:55:25.000Z File needs re-cached No Cache 0x3AA20090 Cache len 69 Cache time 2012-09-18T13:56:57.000Z Cache access 0 reads, 1 write Banner Banner not configured Parameter Map: PMAP_WEBAUTH_CUSTOM_EXTERNAL Custom Pages Custom pages not configured Banner Banner not configuredThe following is sample output from the show ip admission status banners command for a banner configured with the banner text command:
Device# show ip admission status banners IP admission status: Parameter Map: Global Banner not configured Parameter Map: PMAP_WEBAUTH Type: text Banner " <H2>Login Page Banner</H2> " Html " <H2>Login Page Banner</H2> " Length 48The following is sample output from the show ip admission status banners command for a banner configured with the banner file command:
Device# show ip admission status banners IP admission status: Parameter Map: Global Banner not configured Parameter Map: PMAP_WEBAUTH Type: file Banner <h2>Cisco Systems</h2> <h3>Webauth Banner from file</h3> Length 60 File flash:webauth_banner1.html File status Ok - File cached File mod time 2012-07-24T07:07:09.000Z File needs re-cached No Cache 0x3AF6CEE4 Cache len 60 Cache time 2012-09-19T10:13:59.000Z Cache access 0 reads, 1 writeThe following is sample output from the show ip admission status custom pages command:
Device# show ip admission status custom pages IP admission status: Parameter Map: Global Custom pages not configured Parameter Map: PMAP_WEBAUTH Type: "login" File flash:webauth_login.html File status Ok - File cached File mod time 2012-07-20T02:29:36.000Z File needs re-cached No Cache 0x3B0DCEB4 Cache len 246582 Cache time 2012-09-18T16:26:13.000Z Cache access 0 reads, 1 write Type: "success" File flash:webauth_success.html File status Ok - File cached File mod time 2012-02-21T06:57:28.000Z File needs re-cached No Cache 0x3A2E9090 Cache len 70 Cache time 2012-09-18T16:26:13.000Z Cache access 0 reads, 1 write Type: "failure" File flash:webauth_fail.html File status Ok - File cached File mod time 2012-02-21T06:55:49.000Z File needs re-cached No Cache 0x3AF6D1A4 Cache len 67 Cache time 2012-09-18T16:26:13.000Z Cache access 0 reads, 1 write Type: "login expired" File flash:webauth_expire.html File status Ok - File cached File mod time 2012-02-21T06:55:25.000Z File needs re-cached No Cache 0x3A2E8284 Cache len 69 Cache time 2012-09-18T16:26:13.000Z Cache access 0 reads, 1 write Parameter Map: PMAP_CONSENT Custom pages not configuredThe following table describes the significant fields shown in the above display.
Table 3 show ip admission Field Descriptions File mod time
Time stamp when the file was changed on the file system.
Cache time
Time stamp when the file was last read into cache.
The following output displays all the IP admission control rules that are configured on a router:
Device# show ip admission configuration Authentication Proxy Banner not configured Consent Banner is not configured Authentication Proxy webpage Login page : flash:test1.htm Success page : flash:test1.htm Fail page : flash:test1.htm Login Expire page : flash:test1.htm Authentication global cache time is 60 minutes Authentication global absolute time is 0 minutes Authentication global init state time is 5 minutes Authentication Proxy Watch-list is disabled Authentication Proxy Max HTTP process is 7 Authentication Proxy Auditing is disabled Max Login attempts per user is 5The following output displays the host IP addresses, the session timeout, and the posture states. If the posture statue is POSTURE ESTAB, the host validation was successful.
Device# show ip admission cache eapoudp Posture Validation Proxy Cache Total Sessions: 3 Init Sessions: 1 Client IP 10.0.0.112, timeout 60, posture state POSTURE ESTAB Client IP 10.0.0.142, timeout 60, posture state POSTURE INIT Client IP 10.0.0.205, timeout 60, posture state POSTURE ESTABThe fields in the displays are self-explanatory.
Related Commands
Command
Description
banner (parameter-map webauth)
Displays a banner on the web-authentication login web page.
clear ip admission cache
Clears IP admission cache entries from the router.
custom-page
Displays custom web pages during web authentication login.
ip admission name
Creates a Layer 3 network admission control rule.
show ip interface
To display the usability status of interfaces configured for IP, use the show ip interface command in privileged EXEC mode.
Command History
Release
Modification
10.0
This command was introduced.
12.0(3)T
The command output was modified to show the status of the ip wccp redirect out and ip wccp redirect exclude add in commands.
12.2(14)S
The command output was modified to display the status of NetFlow on a subinterface.
12.2(15)T
The command output was modified to display the status of NetFlow on a subinterface.
12.3(6)
The command output was modified to identify the downstream VPN routing and forwarding (VRF) instance in the output.
12.3(14)YM2
The command output was modified to show the usability status of interfaces configured for Multiprocessor Forwarding (MPF) and implemented on the Cisco 7301 and Cisco 7206VXR routers.
12.2(14)SX
This command was implemented on the Supervisor Engine 720.
12.2(17d)SXB
This command was integrated into Cisco IOS 12.2(17d)SXB on the Supervisor Engine 2, and the command output was changed to include NDE for hardware flow status.
12.4(4)T
This command was integrated into Cisco IOS Release 12.4(4)T.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(31)SB2
The command output was modified to display information about the Unicast Reverse Path Forwarding (RPF) notification feature.
12.4(20)T
The command output was modified to display information about the Unicast RPF notification feature.
12.2(33)SXI2
This command was modified. The command output was modified to display information about the Unicast RPF notification feature.
Cisco IOS XE Release 2.5
This command was modified. This command was implemented on the Cisco ASR 1000 Series Aggregation Services Routers.
Usage Guidelines
The Cisco IOS software automatically enters a directly connected route in the routing table if the interface is usable (which means that it can send and receive packets). If an interface is not usable, the directly connected routing entry is removed from the routing table. Removing the entry lets the software use dynamic routing protocols to determine backup routes to the network, if any.
If the interface can provide two-way communication, the line protocol is marked "up." If the interface hardware is usable, the interface is marked "up."
If you specify an optional interface type, information for that specific interface is displayed. If you specify no optional arguments, information on all the interfaces is displayed.
When an asynchronous interface is encapsulated with PPP or Serial Line Internet Protocol (SLIP), IP fast switching is enabled. A show ip interface command on an asynchronous interface encapsulated with PPP or SLIP displays a message indicating that IP fast switching is enabled.
You can use the show ip interface brief command to display a summary of the router interfaces. This command displays the IP address, the interface status, and other information.
The show ip interface brief command does not display any information related to Unicast RPF.
Examples
The following example shows configuration information for interface Gigabit Ethernet 0/3. In this example, the IP flow egress feature is configured on the output side (where packets go out of the interface), and the policy route map named PBRNAME is configured on the input side (where packets come into the interface).
Router# show running-config interface gigabitethernet 0/3 interface GigabitEthernet0/3 ip address 10.1.1.1 255.255.0.0 ip flow egress ip policy route-map PBRNAME duplex auto speed auto media-type gbic negotiation auto endThe following example shows interface information on Gigabit Ethernet interface 0/3. In this example, MPF is enabled, and both Policy Based Routing (PBR) and NetFlow features are not supported by MPF and are ignored.
Router# show ip interface gigabitethernet 0/3 GigabitEthernet0/3 is up, line protocol is up Internet address is 10.1.1.1/16 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Proxy ARP is enabled Local Proxy ARP is disabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Flow switching is disabled IP CEF switching is enabled IP Feature Fast switching turbo vector IP VPN Flow CEF switching turbo vector IP multicast fast switching is enabled IP multicast distributed fast switching is disabled IP route-cache flags are Fast, CEF Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled RTP/IP header compression is disabled Policy routing is enabled, using route map PBR Network address translation is disabled BGP Policy Mapping is disabled IP Multi-Processor Forwarding is enabled IP Input features, "PBR", are not supported by MPF and are IGNORED IP Output features, "NetFlow", are not supported by MPF and are IGNOREDThe following example identifies a downstream VRF instance. In the example, "Downstream VPN Routing/Forwarding "D"" identifies the downstream VRF instance.
Router# show ip interface virtual-access 3 Virtual-Access3 is up, line protocol is up Interface is unnumbered. Using address of Loopback2 (10.0.0.8) Broadcast address is 255.255.255.255 Peer address is 10.8.1.1 MTU is 1492 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Proxy ARP is enabled Local Proxy ARP is disabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is enabled IP Flow switching is disabled IP CEF switching is enabled IP Feature Fast switching turbo vector IP VPN CEF switching turbo vector VPN Routing/Forwarding "U" Downstream VPN Routing/Forwarding "D" IP multicast fast switching is disabled IP multicast distributed fast switching is disabled IP route-cache flags are Fast, CEF Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled RTP/IP header compression is disabled Policy routing is disabled Network address translation is disabled WCCP Redirect outbound is disabled WCCP Redirect inbound is disabled WCCP Redirect exclude is disabled BGP Policy Mapping is disabledThe following example shows the information displayed when Unicast RPF drop-rate notification is configured:
Router# show ip interface ethernet 2/3 Ethernet2/3 is up, line protocol is up Internet address is 10.0.0.4/16 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Proxy ARP is enabled Local Proxy ARP is disabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is disabled IP Flow switching is disabled IP CEF switching is disabled IP Null turbo vector IP Null turbo vector IP multicast fast switching is disabled IP multicast distributed fast switching is disabled IP route-cache flags are No CEF Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled RTP/IP header compression is disabled Probe proxy name replies are disabled Policy routing is disabled Network address translation is disabled WCCP Redirect outbound is disabled WCCP Redirect inbound is disabled WCCP Redirect exclude is disabled BGP Policy Mapping is disabledExamples
Unicast RPF Information
Input features: uRPF IP verify source reachable-via RX, allow default 0 verification drops 0 suppressed verification drops 0 verification drop-rate Router#The following example shows how to display the usability status for a specific VLAN:
Router# show ip interface vlan 1 Vlan1 is up, line protocol is up Internet address is 10.0.0.4/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Proxy ARP is enabled Local Proxy ARP is disabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Flow switching is disabled IP CEF switching is enabled IP Fast switching turbo vector IP Normal CEF switching turbo vector IP multicast fast switching is enabled IP multicast distributed fast switching is disabled IP route-cache flags are Fast, CEF Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled RTP/IP header compression is disabled Probe proxy name replies are disabled Policy routing is disabled Network address translation is disabled WCCP Redirect outbound is disabled WCCP Redirect inbound is disabled WCCP Redirect exclude is disabled BGP Policy Mapping is disabled Sampled Netflow is disabled IP multicast multilayer switching is disabled Netflow Data Export (hardware) is enabledThe table below describes the significant fields shown in the display.
Table 4 show ip interface Field Descriptions Field
Description
Virtual-Access3 is up
Shows whether the interface hardware is usable (up). For an interface to be usable, both the interface hardware and line protocol must be up.
Broadcast address is
Broadcast address.
Peer address is
Peer address.
MTU is
MTU value set on the interface, in bytes.
Helper address
Helper address, if one is set.
Directed broadcast forwarding
Shows whether directed broadcast forwarding is enabled.
Outgoing access list
Shows whether the interface has an outgoing access list set.
Inbound access list
Shows whether the interface has an incoming access list set.
Proxy ARP
Shows whether Proxy Address Resolution Protocol (ARP) is enabled for the interface.
Security level
IP Security Option (IPSO) security level set for this interface.
Split horizon
Shows whether split horizon is enabled.
ICMP redirects
Shows whether redirect messages will be sent on this interface.
ICMP unreachables
Shows whether unreachable messages will be sent on this interface.
ICMP mask replies
Shows whether mask replies will be sent on this interface.
IP fast switching
Shows whether fast switching is enabled for this interface. It is generally enabled on serial interfaces, such as this one.
IP Flow switching
Shows whether Flow switching is enabled for this interface.
IP CEF switching
Shows whether Cisco Express Forwarding switching is enabled for the interface.
Downstream VPN Routing/Forwarding "D"
Shows the VRF instance where the PPP peer routes and AAA per-user routes are being installed.
IP multicast fast switching
Shows whether multicast fast switching is enabled for the interface.
IP route-cache flags are Fast
Shows whether NetFlow is enabled on an interface. Displays "Flow init" to specify that NetFlow is enabled on the interface. Displays "Ingress Flow" to specify that NetFlow is enabled on a subinterface using the ip flow ingresscommand. Shows "Flow" to specify that NetFlow is enabled on a main interface using the ip route-cache flow command.
Router Discovery
Shows whether the discovery process is enabled for this interface. It is generally disabled on serial interfaces.
IP output packet accounting
Shows whether IP accounting is enabled for this interface and what the threshold (maximum number of entries) is.
TCP/IP header compression
Shows whether compression is enabled.
WCCP Redirect outbound is disabled
Shows the status of whether packets received on an interface are redirected to a cache engine. Displays "enabled" or "disabled."
WCCP Redirect exclude is disabled
Shows the status of whether packets targeted for an interface will be excluded from being redirected to a cache engine. Displays "enabled" or "disabled."
Netflow Data Export (hardware) is enabled
NetFlow Data Expert (NDE) hardware flow status on the interface.
The following example shows how to display a summary of the usability status information for each interface:
Router# show ip interface brief Interface IP-Address OK? Method Status Protocol Ethernet0 10.108.00.5 YES NVRAM up up Ethernet1 unassigned YES unset administratively down down Loopback0 10.108.200.5 YES NVRAM up up Serial0 10.108.100.5 YES NVRAM up up Serial1 10.108.40.5 YES NVRAM up up Serial2 10.108.100.5 YES manual up up Serial3 unassigned YES unset administratively down downThe table below describes the significant fields shown in the display.
Related Commands
Command
Description
ip address
Sets a primary or secondary IP address for an interface.
ip vrf autoclassify
Enables VRF autoclassify on a source interface.
match ip source
Specifies a source IP address to match to required route maps that have been set up based on VRF connected routes.
route-map
Defines the conditions for redistributing routes from one routing protocol into another or to enable policy routing.
set vrf
Enables VPN VRF selection within a route map for policy-based routing VRF selection.
show ip arp
Displays the ARP cache, in which SLIP addresses appear as permanent ARP table entries.
show route-map
Displays static and dynamic route maps.
show ip ssh
To display the version and configuration data for Secure Shell (SSH), use the show ip ssh command in privileged EXEC mode.
Command History
Release
Modification
12.0(5)S
This command was introduced.
12.1(1)T
This command was integrated into Cisco IOS Release 12.1 T.
12.1(5)T
This command was modified to display the SSH status--enabled or disabled.
12.2(17a)SX
This command was integrated into Cisco IOS Release 12.2(17a)SX.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
Usage Guidelines
Use the show ip ssh command to view the status of configured options such as retries and timeouts. This command allows you to see if SSH is enabled or disabled.
Examples
The following is sample output from the show ip ssh command when SSH has been enabled:
Router# show ip ssh SSH Enabled - version 1.5 Authentication timeout: 120 secs; Authentication retries: 3 The following is sample output from the show ip ssh command when SSH has been disabled: Router# show ip ssh %SSH has not been enabledshow ipv6 access-list
To display the contents of all current IPv6 access lists, use the show ipv6 access-listcommand in user EXEC or privileged EXEC mode.
Command History
Release
Modification
12.2(2)T
This command was introduced.
12.0(21)ST
This command was integrated into Cisco IOS Release 12.0(21)ST.
12.0(22)S
This command was integrated into Cisco IOS Release 12.0(22)S.
12.0(23)S
The priority field was changed to sequence and Layer 4 protocol information (extended IPv6 access list functionality) was added to the display output.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.2(50)SY
This command was modified. Information about IPv4 and IPv6 hardware statistics is displayed.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
The show ipv6 access-list command provides output similar to the show ip access-list command, except that it is IPv6-specific.
Examples
The following output from the show ipv6 access-listcommand shows IPv6 access lists named inbound, tcptraffic, and outbound:
Router# show ipv6 access-list IPv6 access list inbound permit tcp any any eq bgp reflect tcptraffic (8 matches) sequence 10 permit tcp any any eq telnet reflect tcptraffic (15 matches) sequence 20 permit udp any any reflect udptraffic sequence 30 IPv6 access list tcptraffic (reflexive) (per-user) permit tcp host 2001:0DB8:1::1 eq bgp host 2001:0DB8:1::2 eq 11000 timeout 300 (time left 243) sequence 1 permit tcp host 2001:0DB8:1::1 eq telnet host 2001:0DB8:1::2 eq 11001 timeout 300 (time left 296) sequence 2 IPv6 access list outbound evaluate udptraffic evaluate tcptrafficThe following sample output shows IPv6 access list information for use with IPSec:
Router# show ipv6 access-list IPv6 access list Tunnel0-head-0-ACL (crypto) permit ipv6 any any (34 matches) sequence 1 IPv6 access list Ethernet2/0-ipsecv6-ACL (crypto) permit 89 FE80::/10 any (85 matches) sequence 1The table below describes the significant fields shown in the display.
Table 6 show ipv6 access-list Field Descriptions Field
Description
ipv6 access list inbound
Name of the IPv6 access list, for example, inbound.
permit
Permits any packet that matches the specified protocol type.
tcp
Transmission Control Protocol. The higher-level (Layer 4) protocol type that the packet must match.
any
Equal to ::/0.
eq
An equal operand that compares the source or destination ports of TCP or UDP packets.
bgp
Border Gateway Protocol. The lower-level (Layer 3) protocol type that the packet must be equal to.
reflect
Indicates a reflexive IPv6 access list.
tcptraffic (8 matches)
The name of the reflexive IPv6 access list and the number of matches for the access list. The clear ipv6 access-list privileged EXEC command resets the IPv6 access list match counters.
sequence 10
Sequence in which an incoming packet is compared to lines in an access list. Lines in an access list are ordered from first priority (lowest number, for example, 10) to last priority (highest number, for example, 80).
host 2001:0DB8:1::1
The source IPv6 host address that the source address of the packet must match.
host 2001:0DB8:1::2
The destination IPv6 host address that the destination address of the packet must match.
11000
The ephemeral source port number for the outgoing connection.
timeout 300
The total interval of idle time (in seconds) after which the temporary IPv6 reflexive access list named tcptraffic will time out for the indicated session.
(time left 243)
The amount of idle time (in seconds) remaining before the temporary IPv6 reflexive access list named tcptraffic is deleted for the indicated session. Additional received traffic that matches the indicated session resets this value to 300 seconds.
evaluate udptraffic
Indicates the IPv6 reflexive access list named udptraffic is nested in the IPv6 access list named outbound.
Related Commands
Command
Description
clear ipv6 access-list
Resets the IPv6 access list match counters.
hardware statistics
Enables the collection of hardware statistics.
show ip access-list
Displays the contents of all current IP access lists.
show ip prefix-list
Displays information about a prefix list or prefix list entries.
show ipv6 prefix-list
Displays information about an IPv6 prefix list or IPv6 prefix list entries.
show mab
To display MAC Authentication Bypass (MAB) information, use the show mab command in privileged EXEC mode.
Command History
Release
Modification
12.2(33)SXI
This command was introduced.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T.
15.2(3)T
This command was modified. The authorization status of the authentication result is displayed as SUCCESS or FAIL instead of AUTHORIZED or UNAUTHORIZED in the command output.
Examples
The following is sample output from the show mab interface detail command where a MAB session has been authorized:
Switch# show mab interface FastEthernet1/0/1 detail MAB details for FastEthernet1/0/1 ------------------------------------- Mac-Auth-Bypass = Enabled Inactivity Timeout = None MAB Client List --------------- Client MAC = 000f.23c4.a401 MAB SM state = TERMINATE Auth Status = SUCCESSThe table below describes the significant fields shown in the display.
Related Commands
Command
Description
show authentication interface
Displays information about the Auth Manager for a given interface.
show authentication registrations
Displays information about authentication methods registered with the Auth Manager.
show authentication sessions
Displays information about Auth Manager sessions.
show mac-address-table
Cisco 2600, 3600, and 3700 Series Routers
show mac-address-table [ secure | self | count ] [ addressmacaddress ] [ interfacetype/number ] { fa | gislot/port } [ atmslot/port ] [ atmslot/port ] [ vlanvlan-id ]
Catalyst 4500 Series Switches
show mac-address-table { assigned | ip | ipx | other }
Catalyst 6000/6500 Series Switches and 7600 Series Routers
show mac-address-table [ address mac-addr [ all | interface type/number | module number | vlan vlan-id ] | aging-time [ vlan vlan-id ] | count [ module number | vlan vlan-id ] | interface type/number | limit [ vlan vlan-id | module number | interface type ] | module number | multicast [ count ] [ igmp-snooping | mld-snooping | user ] [ vlan vlan-id ] | notification { mac-move [ counter [ vlan ] ] | threshold | change } [ interface [ number ] ] | synchronize statistics | unicast-flood | vlan vlan-id [ all | module number ] ]
Syntax Description
secure
(Optional) Displays only the secure addresses.
self
(Optional) Displays only addresses added by the switch itself.
count
(Optional) Displays the number of entries that are currently in the MAC address table.
address mac-addr
(Optional) Displays information about the MAC address table for a specific MAC address. See the �Usage Guidelines� section for formatting information.
interface type / number
(Optional) Displays addresses for a specific interface. For the Catalyst 6500 and 6000 series switches, valid values are atm, fastethernet, gigabitethernet, and port-channel. For the Cisco 7600 series, valid values are atm,ethernet, fastethernet, ge-wan, gigabitethernet, tengigabitethernet, and pos.
fa
(Optional) Specifies the Fast Ethernet interface.
gi
(Optional) Specifies the Gigabit Ethernet interface.
slot / port
(Optional) Adds dynamic addresses to the module in slot 1 or 2. The slash mark is required.
atm slot /port
(Optional) Adds dynamic addresses to ATM module slot /port . Use 1 or 2 for the slot number. Use 0 as the port number. The slash mark is required.
vlan vlan -id
(Optional) Displays addresses for a specific VLAN. For the Cisco 2600, 3600, and 3700 series, valid values are from 1 to 1005; do not enter leading zeroes. Beginning with Cisco IOS Release 12.4(15)T, the valid VLAN ID range is from 1 to 4094.
For the Catalyst 6500 and 6000 series switches and 7600 series, valid values are from 1 to 4094.
assigned
Specifies the assigned protocol entries.
ip
Specifies the IP protocol entries.
ipx
Specifies the IPX protocol entries.
other
Specifies the other protocol entries.
all
(Optional) Displays every instance of the specified MAC address in the forwarding table.
type / number
(Optional) Module and interface number.
module number
(Optional) Displays information about the MAC address table for a specific Distributed Forwarding Card (DFC) module.
aging-time
(Optional) Displays the aging time for the VLANs.
limit
Displays MAC-usage information.
multicast
Displays information about the multicast MAC address table entries only.
igmp-snooping
Displays the addresses learned by Internet Group Management Protocol (IGMP) snooping.
mld-snooping
Displays the addresses learned by Multicast Listener Discover version 2 (MLDv2) snooping.
user
Displays the manually entered (static) addresses.
notification mac-move
Displays the MAC-move notification status.
notification mac-move counter
(Optional) Displays the number of times a MAC has moved and the number of these instances that have occurred in the system.
vlan
(Optional) Specifies a VLAN to display. For the Catalyst 6500 and 6000 series switches and 7600 series, valid values are from 1 to 4094.
notification threshold
Displays the Counter-Addressable Memory (CAM) table utilization notification status.
notification change
Displays the MAC notification parameters and history table.
synchronize statistics
Displays information about the statistics collected on the switch processor or DFC.
unicast-flood
Displays unicast-flood information.
Command History
Usage Guidelines
Cisco 2600, 3600, and 3700 Series Routers
The show mac-address-table command displays the MAC address table for the switch. Specific views can be defined by using the optional keywords and arguments. If more than one optional keyword is used, then all the conditions must be true for that entry to be displayed.
Catalyst 4500 Series Switches
For the MAC address table entries that are used by the routed ports, the routed port name, rather than the internal VLAN number, is displayed in the �vlan� column.
Catalyst 6000 and 6500 Series Switches and Cisco 7600 Series Routers
If you do not specify a module number, the output of the show mac-address-table command displays information about the supervisor engine. To display information about the MAC address table of the DFCs, you must enter the module number or the all keyword.
The mac-addrvalue is a 48-bit MAC address. The valid format is H.H.H.
The interface number argument designates the module and port number. Valid values depend on the specified interface type and the chassis and module that are used. For example, if you specify a Gigabit Ethernet interface and have a 48-port 10/100BASE-T Ethernet module that is installed in a 13-slot chassis, valid values for the module number are from 1 to 13 and valid values for the port number are from 1 to 48.
The optional module number keyword-argument pair is supported only on DFC modules. The module numberkeyword-argument pair designate the module number.
Valid values for the mac-group-address argument are from 1 to 9.
The optional count keyword displays the number of multicast entries.
The optional multicast keyword displays the multicast MAC addresses (groups) in a VLAN or displays all statically installed or IGMP snooping-learned entries in the Layer 2 table.
The information that is displayed in the show mac-address-table unicast-flood command output is as follows:
- Up to 50 flood entries, shared across all the VLANs that are not configured to use the filter mode, can be recorded.
NoteThe information displayed on the destination MAC addresses is deleted as soon as the floods stop after the port shuts down.
- Information is updated each time that you install the filter. The information lasts until you remove the filter.
The dynamic entries that are displayed in the Learn field are always set to Yes.
The show mac-address-table limit command output displays the following information:
- The current number of MAC addresses.
- The maximum number of MAC entries that are allowed.
- The percentage of usage.
The show mac-address-table synchronize statistics command output displays the following information:
Examples
Cisco 2600, 3600, and 3700 Series Routers
The following is sample output from theshow mac-address-table command:
Switch# show mac-address-table Dynamic Addresses Count: 9 Secure Addresses (User-defined) Count: 0 Static Addresses (User-defined) Count: 0 System Self Addresses Count: 41 Total MAC addresses: 50 Non-static Address Table: Destination Address Address Type VLAN Destination Port ------------------- ------------ ---- -------------------- 0010.0de0.e289 Dynamic 1 FastEthernet0/1 0010.7b00.1540 Dynamic 2 FastEthernet0/5 0010.7b00.1545 Dynamic 2 FastEthernet0/5 0060.5cf4.0076 Dynamic 1 FastEthernet0/1 0060.5cf4.0077 Dynamic 1 FastEthernet0/1 0060.5cf4.1315 Dynamic 1 FastEthernet0/1 0060.70cb.f301 Dynamic 1 FastEthernet0/1 00e0.1e42.9978 Dynamic 1 FastEthernet0/1 00e0.1e9f.3900 Dynamic 1 FastEthernet0/1Examples
Catalyst 4500 Series Switches
The following example shows how to display the MAC address table entries that have a specific protocol type (in this case, "assigned"):
Switch# show mac-address-table protocol assigned vlan mac address type protocol qos ports -----+---------------+--------+---------+---+-------------------------------- 200 0050.3e8d.6400 static assigned -- Switch 100 0050.3e8d.6400 static assigned -- Switch 5 0050.3e8d.6400 static assigned -- Switch 4092 0000.0000.0000 dynamic assigned -- Switch 1 0050.3e8d.6400 static assigned -- Switch 4 0050.3e8d.6400 static assigned -- Switch 4092 0050.f0ac.3058 static assigned -- Switch 4092 0050.f0ac.3059 dynamic assigned -- Switch 1 0010.7b3b.0978 dynamic assigned -- Fa5/9The following example shows the "other" output for the previous example:
Switch# show mac-address-table protocol other Unicast Entries vlan mac address type protocols port -------+---------------+--------+---------------------+-------------------- 1 0000.0000.0201 dynamic other FastEthernet6/15 1 0000.0000.0202 dynamic other FastEthernet6/15 1 0000.0000.0203 dynamic other FastEthernet6/15 1 0000.0000.0204 dynamic other FastEthernet6/15 1 0030.94fc.0dff static ip,ipx,assigned,other Switch 2 0000.0000.0101 dynamic other FastEthernet6/16 2 0000.0000.0102 dynamic other FastEthernet6/16 2 0000.0000.0103 dynamic other FastEthernet6/16 2 0000.0000.0104 dynamic other FastEthernet6/16 Fa6/1 0030.94fc.0dff static ip,ipx,assigned,other Switch Fa6/2 0030.94fc.0dff static ip,ipx,assigned,other Switch Multicast Entries vlan mac address type ports -------+---------------+-------+------------------------------------------- 1 ffff.ffff.ffff system Switch,Fa6/15 2 ffff.ffff.ffff system Fa6/16 1002 ffff.ffff.ffff system 1003 ffff.ffff.ffff system 1004 ffff.ffff.ffff system 1005 ffff.ffff.ffff system Fa6/1 ffff.ffff.ffff system Switch,Fa6/1 Fa6/2 ffff.ffff.ffff system Switch,Fa6/2Examples
Catalyst 6000 and 6500 Series Switches and Cisco 7600 Series Routers
The following is sample output from theshow mac-address-tablecommand:
Switch# show mac-address-table Dynamic Addresses Count: 9 Secure Addresses (User-defined) Count: 0 Static Addresses (User-defined) Count: 0 System Self Addresses Count: 41 Total MAC addresses: 50 Non-static Address Table: Destination Address Address Type VLAN Destination Port ------------------- ------------ ---- -------------------- 0010.0de0.e289 Dynamic 1 FastEthernet0/1 0010.7b00.1540 Dynamic 2 FastEthernet0/5 0010.7b00.1545 Dynamic 2 FastEthernet0/5 0060.5cf4.0076 Dynamic 1 FastEthernet0/1 0060.5cf4.0077 Dynamic 1 FastEthernet0/1 0060.5cf4.1315 Dynamic 1 FastEthernet0/1 0060.70cb.f301 Dynamic 1 FastEthernet0/1 00e0.1e42.9978 Dynamic 1 FastEthernet0/1 00e0.1e9f.3900 Dynamic 1 FastEthernet0/1
NoteIn a distributed Encoded Address Recognition Logic (EARL) switch, the asterisk (*) indicates a MAC address that is learned on a port that is associated with this EARL.
The following example shows how to display the information about the MAC address table for a specific MAC address with a Supervisor Engine 720:
Switch# show mac-address-table address 001.6441.60ca Codes: * - primary entry vlan mac address type learn qos ports ------+----------------+--------+-----+---+-------------------------- Supervisor: * --- 0001.6441.60ca static No -- RouterThe following example shows how to display MAC address table information for a specific MAC address with a Supervisor Engine 720:
Router# show mac-address-table address 0100.5e00.0128 Legend: * - primary entry age - seconds since last seen n/a - not available vlan mac address type learn age ports ------+----------------+--------+-----+----------+-------------------------- Supervisor: * 44 0100.5e00.0128 static Yes - Fa6/44,Router * 1 0100.5e00.0128 static Yes - Router Module 9: * 44 0100.5e00.0128 static Yes - Fa6/44,Router * 1 0100.5e00.0128 static Yes - RouterThe following example shows how to display the currently configured aging time for all VLANs:
Switch# show mac-address-table aging-time Vlan Aging Time ---- ---------- *100 300 200 1000The following example shows how to display the entry count for a specific slot:
Switch# show mac-address-table count module 1 MAC Entries on slot 1 : Dynamic Address Count: 4 Static Address (User-defined) Count: 25 Total MAC Addresses In Use: 29 Total MAC Addresses Available: 131072The following example shows how to display the information about the MAC address table for a specific interface with a Supervisor Engine 720:
Switch# show mac-address-table interface fastethernet 6/45 Legend: * - primary entry age - seconds since last seen n/a - not available vlan mac address type learn age ports ------+----------------+--------+-----+----------+-------------------------- * 45 00e0.f74c.842d dynamic Yes 5 Fa6/45
NoteA leading asterisk (*) indicates entries from a MAC address that was learned from a packet coming from an outside device to a specific module.
The following example shows how to display the limit information for a specific slot:
Switch# show mac-address-table limit vlan 1 module 1 vlan switch module action maximum Total entries flooding -------+--------+---------+-----------+--------+--------------+------------ 1 1 7 warning 500 0 enabled 1 1 11 warning 500 0 enabled 1 1 12 warning 500 0 enabled Router#show mac-address-table limit vlan 1 module 2 vlan switch module action maximum Total entries flooding -------+--------+---------+-----------+--------+--------------+------------ 1 2 7 warning 500 0 enabled 1 2 9 warning 500 0 enabledThe following example shows how to display the MAC-move notification status:
Switch# show mac-address-table notification mac-move MAC Move Notification: EnabledThe following example shows how to display the MAC move statistics:
Router# show mac-address-table notification mac-move counter ----------------------------------------------------------------------------------- Vlan Mac Address From Mod/Port To Mod/Port Count ---- ----------------- ----------------------- ----------------------- ------------ 1 00-01-02-03-04-01 2/3 3/1 10 20 00-01-05-03-02-01 5/3 5/1 20The following example shows how to display the CAM-table utilization-notification status:
Router# show mac-address-table notification threshold Status limit Interval -------------+-----------+------------- enabled 1 120The following example shows how to display the MAC notification parameters and history table:
Switch# show mac-address-table notification change MAC Notification Feature is Disabled on the switch MAC Notification Flags For All Ethernet Interfaces : ---------------------------------------------------- Interface MAC Added Trap MAC Removed Trap -------------------- -------------- ----------------The following example shows how to display the MAC notification parameters and history table for a specific interface:
Switch# show mac-address-table notification change interface gigabitethernet5/2 MAC Notification Feature is Disabled on the switch Interface MAC Added Trap MAC Removed Trap -------------------- -------------- ---------------- GigabitEthernet5/2 Disabled DisabledThe following example shows how to display unicast-flood information:
Switch# show mac-address-table unicast-flood > > Unicast Flood Protection status: enabled > > > > Configuration: > > vlan Kfps action timeout > > ------+----------+-----------------+---------- > > 2 2 alert none > > > > Mac filters: > > No. vlan source mac addr. installed > > on time left (mm:ss) > > > >-----+------+-----------------+------------------------------+------------------ > > > > Flood details: > > Vlan source mac addr. destination mac addr. > > > >------+----------------+------------------------------------------------- > > 2 0000.0000.cafe 0000.0000.bad0, 0000.0000.babe, > > 0000.0000.bac0 > > 0000.0000.bac2, 0000.0000.bac4, > > 0000.0000.bac6 > > 0000.0000.bac8 > > 2 0000.0000.caff 0000.0000.bad1, 0000.0000.babf, > > 0000.0000.bac1 > > 0000.0000.bac3, 0000.0000.bac5, > > 0000.0000.bac7 > > 0000.0000.bac9The following example shows how to display the information about the MAC-address table for a specific VLAN:
Switch#show mac-address-table vlan 100 vlan mac address type protocol qos ports -----+---------------+--------+---------+---+-------------------------------- 100 0050.3e8d.6400 static assigned -- Router 100 0050.7312.0cff dynamic ip -- Fa5/9 100 0080.1c93.8040 dynamic ip -- Fa5/9 100 0050.3e8d.6400 static ipx -- Router 100 0050.3e8d.6400 static other -- Router 100 0100.0cdd.dddd static other -- Fa5/9,Router,Switch 100 00d0.5870.a4ff dynamic ip -- Fa5/9 100 00e0.4fac.b400 dynamic ip -- Fa5/9 100 0100.5e00.0001 static ip -- Fa5/9,Switch 100 0050.3e8d.6400 static ip -- RouterThe following example shows how to display the information about the MAC address table for MLDv2 snooping:
Switch# show mac-address-table multicast mld-snooping vlan mac address type learn qos ports -----+---------------+--------+-----+---+-------------------------------- --- 3333.0000.0001 static Yes - Switch,Stby-Switch --- 3333.0000.000d static Yes - Fa2/1,Fa4/1,Router,Switch --- 3333.0000.0016 static Yes - Switch,Stby-SwitchThe table below describes the significant fields shown in the displays.
Table 8 show mac-address-table Field Descriptions Field
Description
Dynamic Addresses Count
Total number of dynamic addresses in the MAC address table.
Secure Addresses (User-defined) Count
Total number of secure addresses in the MAC address table.
Static Addresses (User-defined) Count
Total number of static addresses in the MAC address table.
System Self Addresses Count
Total number of addresses in the MAC address table.
Total MAC addresses
Total MAC addresses in the MAC address table.
Destination Address
Destination addresses present in the MAC address table.
Address Type
Address type: static or dynamic.
VLAN
VLAN number.
Destination Port
Destination port information present in the MAC address table.
mac address
The MAC address of the entry.
protocol
Protocol present in the MAC address table.
qos
Quality of service associated with the MAC address table.
ports
Port type.
age
The time in seconds since last occurrence of the interface.
Aging Time
Aging time for entries.
module
Module number.
action
Type of action.
flooding
Status of the flooding.
Related Commands
Command
Description
clear mac-address-table
Deletes entries from the MAC address table.
mac-address-table aging-time
Configures the aging time for entries in the Layer 2 table.
mac-address-table limit
Enables MAC limiting.
mac-address-table notification mac-move
Enables MAC-move notification.
mac-address-table static
Adds static entries to the MAC address table or configures a static MAC address with IGMP snooping disabled for that address.
mac-address-table synchronize
Synchronizes the Layer 2 MAC address table entries across the PFC and all the DFCs.
show mac-address-table static
Displays only static MAC address table entries.
