-
Cisco IOS Security Command Reference: Commands S to Z, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
-
sa ipsec through sessions maximum
-
set aggressive-mode client-endpoint through show content-scan
-
show diameter peer through show object-group
-
show parameter-map type consent through show users
-
show vlan group through switchport port-security violation
-
tacacs-server administration through title-color
-
traffic-export through zone security
-
Index
-
Feedback
Contents
show parameter-map type consent through show users
show port-security
To display information about the port-security setting in EXEC command mode, use the show port-security command.
show port-security [ interface interface interface-number ]
show port-security [ interface interface interface-number ] { address | vlan }
Syntax Description
interface interface
(Optional) Specifies the interface type; possible valid values are ethernet, fastethernet, gigabitethernet, and longreachethernet.
interface-number
Interface number. Valid values are 1 to 6.
address
Displays all the secure MAC addresses that are configured on all the switch interfaces or on a specified interface with aging information for each address.
vlan
Virtual LAN.
Command History
Release
Modification
12.2(14)SX
Support for this command was introduced on the Supervisor Engine 720.
12.2(17d)SXB
Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.
12.2(18)SXE
The address keyword was added to display the maximum number of MAC addresses configured per VLAN on a trunk port on the Supervisor Engine 720 only.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
Usage Guidelines
The vlan keyword is supported on trunk ports only and displays per-Vlan maximums set on a trunk port.
The interface-number argument designates the module and port number. Valid values for interface-number depend on the specified interface type and the chassis and module that are used. For example, if you specify a Gigabit Ethernet interface and have a 48-port 10/100BASE-T Ethernet module that is installed in a 13-slot chassis, valid values for the module number are from 1 to 13 and valid values for the port number are from 1 to 48.
Examples
This example shows the output from the show port-security command when you do not enter any options:
Router# show port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) ---------------------------------------------------------------------------- Fa5/1 11 11 0 Shutdown Fa5/5 15 5 0 Restrict Fa5/11 5 4 0 Protect ---------------------------------------------------------------------------- Total Addresses in System: 21 Max Addresses limit in System: 128 Router#This example shows how to display port-security information for a specified interface:
Router# show port-security interface fastethernet 5/1 Port Security: Enabled Port status: SecureUp Violation mode: Shutdown Maximum MAC Addresses: 11 Total MAC Addresses: 11 Configured MAC Addresses: 3 Aging time: 20 mins Aging type: Inactivity SecureStatic address aging: Enabled Security Violation count: 0 Router#This example show how to display all the secure MAC addresses that are configured on all the switch interfaces or on a specified interface with aging information for each address:
Router# show port-security address Default maximum: 10 VLAN Maximum Current 1 5 3 2 4 4 3 6 4 Router#show privilege
Command History
Release
Modification
10.3
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
show radius statistics
To display the RADIUS statistics for accounting and authentication packets, use the show radius statistics command in user EXEC or privileged EXEC mode.
Command History
Release
Modification
12.1(3)T
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
15.1(1)S
This command was integrated into Cisco IOS Release 15.1(1)S. Support for the CISCO-RADIUS-EXT-MIB was added.
15.1(4)M
This command was modified. Support for the CISCO-RADIUS-EXT-MIB was added.
Examples
The following is sample output from the show radius statistics command:
Router# show radius statistics Auth. Acct. Both Maximum inQ length: NA NA 1 Maximum waitQ length: NA NA 2 Maximum doneQ length: NA NA 1 Total responses seen: 33 67 100 Packets with responses: 33 67 100 Packets without responses: 0 0 0 Access Rejects : 0 Average response delay(ms) : 1331 124 523 Maximum response delay(ms): 5720 4800 5720 Number of Radius timeouts: 8 2 10 Duplicate ID detects: 0 0 0 Buffer Allocation Failures: 0 0 0 Maximum Buffer Size (bytes): 156 327 327 Malformed Responses : 0 0 0 Bad Authenticators : 0 0 0 Source Port Range: (2 ports only) 1645 - 1646 Last used Source Port/Identifier: 1645/33 1646/69The table below describes significant fields shown in the display.
Table 1 show radius statistics Field Descriptions Field
Description
Auth.
Statistics for authentication packets.
Acct.
Statistics for accounting packets.
Both
Combined statistics for authentication and accounting packets.
Maximum inQ length
Maximum number of entries allowed in the queue that holds the RADIUS messages not yet sent.
Maximum waitQ length
Maximum number of entries allowed in the queue that holds the RADIUS messages that have been sent and are waiting for a response.
Maximum doneQ length
Maximum number of entries allowed in the queue that holds the messages that have received a response and will be forwarded to the code that is waiting for the messages.
Total responses seen
Number of RADIUS responses seen from the server. In addition to the expected packets, the number includes repeated packets and packets that do not have a matching message in the waitQ.
Packets with responses
Number of packets that received a response from the RADIUS server.
Packets without responses
Number of packets that never received a response from any RADIUS server.
Access Rejects
Number of times access requests have been rejected by a RADIUS server.
Average response delay
Average time, in milliseconds (ms), from when the packet was first transmitted to when it received a response. If the response timed out and the packet was sent again, this value includes the timeout. If the packet never received a response, this value is not included in the average.
Maximum response delay
Maximum delay, in ms, observed while gathering the average response delay information.
Number of RADIUS timeouts
Number of times a server did not respond and the RADIUS server re-sent the packet.
Duplicate ID detects
RADIUS has a maximum of 255 unique IDs. In some instances, there can be more than 255 outstanding packets. When a packet is received, the doneQ is searched from the oldest entry to the youngest. If the IDs are the same, further techniques are used to see if this response matches this entry. If this response does not match, the duplicate ID detect counter is increased.
Buffer Allocation Failures
Number of times the buffer failed to get allocated.
Maximum Buffer Size (bytes)
Displays the maximum size of the buffer.
Malformed Responses
Number of corrupted responses, mostly due to bad authenticators.
Bad Authenticators
Number of authentication failures due to shared secret mismatches.
Source Port Range: (2 ports only)
Displays the port numbers.
Last used Source Port/Identifier
Ports that were last used by the RADIUS server for authentication.
The fields in the output are mapped to Simple Network Management Protocol (SNMP) objects in the CISCO-RADIUS-EXT-MIB and are used in SNMP reporting. The first line of the report is mapped to the CISCO-RADIUS-EXT-MIB as follows:
- Maximum inQ length maps to creClientTotalMaxInQLength
- Maximum waitQ length maps to creClientTotalMaxWaitQLength
- Maximum doneQ length maps to creClientTotalMaxDoneQLength
The field "Both" in the output can be derived from the authentication and accounting MIB objects. The calculation formula for each field, as displayed in the output, is given in the table below.
Table 2 Calculation Formula for the Both field in show radius statistics Command Output show radius statistics Command Output Data
Calculation Formula for the Both Field
Maximum inQ length
creClientTotalMaxInQLength
Maximum waitQ length
creClientTotalWaitQLength
Maximum doneQ length
creClientDoneQLength
Total responses seen
creAuthClientTotalResponses + creAcctClientTotalResponses
Packets with responses
creAuthClientTotalPacketsWithResponses + creAcctClientTotalPacketsWithResponses
Packets without responses
creAuthClientTotalPacketsWithoutResponses + creAcctClientTotalPacketsWithoutResponses
Access Rejects
creClientTotalAccessRejects
Average response delay
creClientAverageResponseDelay
Maximum response delay
MAX(creAuthClientMaxResponseDelay, creAcctClientMaxResponseDelay)
Number of RADIUS timeouts
creAuthClientTimeouts + creAcctClientTimeouts
Duplicate ID detects
creAuthClientDupIDs + creAcctClientDupIDs
Buffer Allocation Failures
creAuthClientBufferAllocFailures + creAcctClientBufferAllocFailures
Maximum Buffer Size (bytes)
MAX(creAuthClientMaxBufferSize, creAcctClientMaxBufferSize)
Malformed Responses
creAuthClientMalformedResponses + creAcctClientMalformedResponses
Bad Authenticators
creAuthClientBadAuthenticators + creAcctClientBadAuthenticators
Mapping the following set of objects listed in the CISCO-RADIUS-EXT-MIB map to fields displayed by the show radius statisticscommand is straightforward. For example, the creClientLastUsedSourcePort field corresponds to the Last used Source Port/Identifier portion of the report, creAuthClientBufferAllocFailures corresponds to the Buffer Allocation Failures for authentication packets, creAcctClientBufferAllocFailure corresponds to the Buffer Allocation Failures for accounting packets, and so on.
- creClientTotalMaxInQLength
- creClientTotalMaxWaitQLength
- creClientTotalMaxDoneQLength
- creClientTotalAccessRejects
- creClientTotalAverageResponseDelay
- creClientSourcePortRangeStart
- creClientSourcePortRangeEnd
- creClientLastUsedSourcePort
- creClientLastUsedSourceId
- creAuthClientBadAuthenticators
- creAuthClientUnknownResponses
- creAuthClientTotalPacketsWithResponses
- creAuthClientBufferAllocFailures
- creAuthClientTotalResponses
- creAuthClientTotalPacketsWithoutResponses
- creAuthClientAverageResponseDelay
- creAuthClientMaxResponseDelay
- creAuthClientMaxBufferSize
- creAuthClientTimeouts
- creAuthClientDupIDs
- creAuthClientMalformedResponses
- creAuthClientLastUsedSourceId
- creAcctClientBadAuthenticators
- creAcctClientUnknownResponses
- creAcctClientTotalPacketsWithResponses
- creAcctClientBufferAllocFailures
- creAcctClientTotalResponses
- creAcctClientTotalPacketsWithoutResponses
- creAcctClientAverageResponseDelay
- creAcctClientMaxResponseDelay
- creAcctClientMaxBufferSize
- creAcctClientTimeouts
- creAcctClientDupIDs
- creAcctClientMalformedResponses
- creAcctClientLastUsedSourceId
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs .
show ssh
To display the status of Secure Shell (SSH) server connections on the router, use the show ssh command in user EXEC or privileged EXEC mode.
Command History
Release
Modification
12.1(15)T
This command was introduced.
12.2(33)SRA
This command was modified. It was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXI
This command was modified. It was integrated into Cisco IOS Release 12.2(33)SXI.
Cisco IOS XE Release 2.1
This command was modified. It was integrated into Cisco IOS XE Release 2.1.
Usage Guidelines
Use the show ssh command to display the status of the SSH connections on your router. This command does not display any SSH configuration data. Use the show ip ssh command for SSH configuration information such as timeouts and retries.
Examples
The following is sample output from the show ssh command with SSH enabled:
Router# show ssh Connection Version Encryption State Username 0 1.5 3DES Session Started guestThe table below describes the significant fields shown in the display.
Table 3 show ssh Field Descriptions Field
Description
Connection
Number of SSH connections on the router.
Version
Version number of the SSH terminal.
Encryption
Type of transport encryption.
State
The status of SSH connection to indicate if the session has started or stopped.
Username
Uesrname to log in to the SSH.