{
	"id": "eb9c8e61-474b-439f-a2af-0ab8cb289ed1",
	"created_at": "2026-04-06T00:08:52.323566Z",
	"updated_at": "2026-04-10T03:38:06.458147Z",
	"deleted_at": null,
	"sha1_hash": "624780872aea55bfa6282883afcacfae37862160",
	"title": "Cisco IOS Security Command Reference: Commands S to Z - show parameter-map type consent through show users [Support]",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1026102,
	"plain_text": "Cisco IOS Security Command Reference: Commands S to Z - show\r\nparameter-map type consent through show users [Support]\r\nPublished: 2026-02-17 · Archived: 2026-04-05 15:43:52 UTC\r\nshow parameter-map type consent through show users\r\nshow parameter-map type consent\r\nTo display consent parameter map information, use the show parameter-map type consent command in privileged EXEC\r\nmode.\r\nshow parameter-map type consent [parameter-map-name | default]\r\nSyntax Description\r\nparameter-map-name (Optional) Name of the parameter map.\r\ndefault (Optional) Specifies default consent parameter map information.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(15)T This command was introduced.\r\n12.4(20)T The command was modified. The parameter-map-name argument was added.\r\nExamples\r\nThe following is sample output from the show parameter-map type consent command. The fields are self-explanatory.\r\nRouter# show parameter-map type consent\r\nparameter-map type consent map1\r\n Syslog : Enabled\r\n File download time(in minutes) : 456\r\n Number of Accepted Users : 0\r\n Number of Denied Users : 0\r\nshow parameter-map type inspect\r\nTo display user-configured or default inspect-type parameter maps, use the show parameter-map type inspect command in\r\nprivileged EXEC mode.\r\nshow parameter-map type inspect [parameter-map-name | default | global]\r\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s5.html\r\nPage 1 of 208\n\nSyntax Description\r\nparameter-map-name (Optional) Name of the parameter map.\r\ndefault\r\n(Optional) Displays the default inspect-type parameter-map values.\r\nNote\r\n \r\nUse this keyword when no parameter map is attached to the inspect action.\r\nglobal (Optional) Displays the global inspect type parameter map values.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was 
introduced.\r\n15.1(1)T This command was modified. The global keyword was added.\r\nCisco IOS XE\r\nRelease 3.4S\r\nThis command was modified. Support for General Packet Radio Service (GPRS) Tunneling\r\nProtocol (GTP) was added.\r\nCisco IOS XE\r\nRelease 3.9S\r\nThis command was modified. The parameter-map-name argument was added.\r\nCisco IOS XE\r\nRelease 3.11S\r\nThis command was modified. The command output was modified to display the number of\r\nsimultaneous packets per flow.\r\nCisco IOS XE\r\nRelease 3.13S\r\nThis command was modified. The command output was modified to display the Locator/ID\r\nSeparation Protocol (LISP) inner-packet inspection information.\r\nCisco IOS XE\r\nRelease 3.14S\r\nThis command was modified. The command output was modified to display the Network-Based\r\nApplication Recognition (NBAR) information.\r\nUsage Guidelines\r\nWhen the nbar-classify command is configured, the output of show parameter-map type inspect global displays this\r\ninformation.\r\nExamples\r\nThe following is sample output from the show parameter-map type inspect command. The fields in the output are self-explanatory.\r\nDevice# show parameter-map type inspect\r\n audit-trail off\r\n alert on\r\n max-incomplete low 2147483647\r\n max-incomplete high 2147483647\r\n one-minute low 2147483647\r\n one-minute high 2147483647\r\n udp idle-time 30\r\n icmp idle-time 10\r\n dns-timeout 5\r\n tcp idle-time 3600\r\n tcp finwait-time 5\r\n tcp synwait-time 30\r\n tcp max-incomplete host 4294967295 block-time 0\r\n tcp window scaling enforcement loose off\r\n sessions maximum 2147483647\r\n sessions packet default\r\nThe following is sample output from the show parameter-map type inspect parameter-map-name command. 
The fields in\r\nthe output are self-explanatory.\r\nDevice# show parameter-map type inspect pmap1\r\nparameter-map type inspect pmap1\r\n log dropped-packet off\r\n audit-trail on\r\n alert on\r\n max-incomplete low unlimited\r\n max-incomplete high unlimited\r\n one-minute low unlimited\r\n one-minute high unlimited\r\n sessions rate low unlimited\r\n sessions rate high unlimited\r\n sessions packet default\r\n udp idle-time 30 ageout-time 30\r\n udp halfopen idle-time 30000 ms ageout-time 30000 ms\r\n icmp idle-time 50 ageout-time 50\r\n dns-timeout 5\r\n tcp window scaling enforcement loose off\r\n tcp idle-time 3600 ageout-time 3600\r\n tcp finwait-time 1 ageout-time 1\r\n tcp synwait-time 30 ageout-time 30\r\n tcp half-open on, half-close on, idle on\r\n tcp max-incomplete host unlimited block-time 0\r\n sessions maximum 3000\r\n gtp permit error off\r\n gtp request-queue 40000\r\n gtp tunnel-limit 40000\r\n gtp gsn timeout 30\r\n gtp pdp-context timeout 300\r\n gtp request-queue timeout 60\r\n gtp signaling timeout 30\r\n gtp tunnel timeout 60\r\nThe following is sample output from the show parameter-map type inspect default command. 
The fields in the output are\r\nself-explanatory.\r\nDevice# show parameter-map type inspect default\r\nparameter-map type inspect default values\r\n log dropped-packet off\r\n audit-trail off\r\n alert on\r\n max-incomplete low unlimited\r\n max-incomplete high unlimited\r\n one-minute low unlimited\r\n one-minute high unlimited\r\n sessions rate low unlimited\r\n sessions rate high unlimited\r\n sessions packet default\r\n udp idle-time 30 ageout-time 30\r\n udp halfopen idle-time 30000 ms ageout-time 30000 ms\r\n icmp idle-time 10 ageout-time 10\r\n dns-timeout 5\r\n tcp idle-time 3600 ageout-time 3600\r\n tcp finwait-time 1 ageout-time 1\r\n tcp synwait-time 30 ageout-time 30\r\n tcp max-incomplete host unlimited block-time 0\r\n tcp window scaling enforcement loose off\r\n sessions maximum unlimited\r\n gtp permit error off\r\n gtp request-queue 40000\r\n gtp tunnel-limit 40000\r\n gtp gsn timeout 30\r\n gtp pdp-context timeout 30\r\n gtp request-queue timeout 60\r\n gtp signaling timeout 30\r\n gtp tunnel timeout 60\r\nThe following is sample output from the show parameter-map type inspect global command. 
The fields in the output are\r\nself-explanatory.\r\nDevice# show parameter-map type inspect global\r\nalert on\r\n sessions maximum 2147483647\r\n waas disabled\r\n l2-transparent dhcp-passthrough disabled\r\n log dropped-packets disabled\r\n log summary disabled\r\n max-incomplete low 2147483647\r\n max-incomplete high 2147483647\r\n one-minute low 2147483647\r\n one-minute high 2147483647\r\n vrf vrf2 inspect vrf-default\r\n lisp inner-packet-inspection\r\n exporter not-configured\r\n nbar-classify\r\nRelated Commands\r\nCommand Description\r\nparameter-map type\r\ninspect\r\nConfigures an inspect-type parameter map for connecting thresholds, timeouts, and other\r\nparameters pertaining to the inspect action.\r\nlisp inner-packet-inspection\r\nEnables LISP inner-packet inspection.\r\nshow parameter-map type inspect-global\r\nTo display global inspect-type parameter map information, use the show parameter-map type inspect-global command in\r\nuser EXEC or privileged EXEC mode.\r\nshow parameter-map type inspect-global [gtp]\r\nSyntax Description\r\ngtp (Optional) Displays information about the General Packet Radio Service (GPRS) tunneling protocol (GTP).\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE\r\nRelease 3.5S\r\nThis command was introduced.\r\nCisco IOS XE\r\nRelease 3.7S\r\nThis command was modified. The gtp keyword was added.\r\nCisco IOS XE\r\nRelease 3.9S\r\nThis command was modified. The output was enhanced to display GTP and GTPv2\r\nconfiguration.\r\nCisco IOS XE\r\nRelease 3.13S\r\nThis command was modified. 
The output was enhanced to display Locator ID Separation\r\nProtocol (LISP) inner packet inspection information.\r\nUsage Guidelines\r\nThe command output displays all configured parameters and their values and all unconfigured parameters with their box-level default values. (Box refers to the entire firewall session table.)\r\nExamples\r\nThe following is sample output from the show parameter-map type inspect-global command:\r\nDevice# show parameter-map type inspect-global\r\nparameter-map type inspect-global\r\n log dropped-packet off\r\nalert on\r\n aggressive aging disabled\r\n lisp inner-packet-inspection\r\n syn_flood_limit unlimited\r\n tcp window scaling enforcement loose off\r\n max incomplete unlimited aggressive aging disabled\r\n max_incomplete TCP unlimited\r\n max_incomplete UDP unlimited\r\n max_incomplete ICMP unlimited\r\n application-inspect all\r\n vrf default inspect vrf-default\r\n vrf vrf2 inspect vrf-default\r\n vrf vrf3 inspect vrf-defautl\r\n \r\n \r\nThe following table describes the fields shown in the display.\r\nTable 1. show parameter-map type inspect-global Field Descriptions\r\nField Description\r\nlog dropped-packet\r\nDebugging message log of dropped packets is not enabled. If you configure the log command\r\nin parameter-map type inspect configuration mode, a log of dropped packets is displayed.\r\nalert Stateful packet inspection of alert messages is on. Valid values are on and off.\r\naggressive aging\r\nAggressive aging of half-opened firewall sessions. A half-opened session is a session that has\r\nnot reached the established state.\r\nlisp inner-packet-inspection\r\nLISP inner-packet inspection is enabled.\r\nsyn_flood_limit\r\nTCP synchronization (SYN) flood rate limit. 
When the configured maximum limit is reached,\r\nthe TCP SYN cookie protection is triggered.\r\nmax_incomplete Maximum half-opened session limit.\r\nmax_incomplete TCP Maximum half-opened TCP connection limit.\r\nmax_incomplete\r\nUDP Maximum half-opened UDP connection limit.\r\nmax_incomplete\r\nICMP Maximum half-opened Internet Control Message Protocol (ICMP) connection limit.\r\nvrf default Default VRF is bound to the inspect-VRF parameter map.\r\nThe following is sample output from the show parameter-map type inspect-global gtp command:\r\nDevice# show parameter-map type inspect-global gtp\r\n \r\nparameter-map type inspect global-gtp\r\n gtp request-queue 40000 (default)\r\n gtp tunnel-limit 40000 (default)\r\n gtp pdp-context timeout 351\r\n gtp request-queue timeout 2167\r\n permit-error Disable (default)\r\n gtp-in-gtp blocking Disable (default)\r\n gtpv2 request-queue 40000 (default)\r\n gtpv2 tunnel-limit 40000 (default)\r\n gtpv2 echo-rate-limit 10 (default)\r\nThe following table describes the fields shown in the display.\r\nTable 2. show parameter-map type inspect-global gtp Field Descriptions\r\nField Description\r\ngtp request-queue Displays the number of GTP requests that are queued to wait for a response.\r\ngtp tunnel-limit Displays the number of GTP tunnels that can be configured.\r\ngtp pdp-context timeout Displays the timeout, in minutes, for inactive Packet Data Protocol (PDP) contexts.\r\ngtp request-queue\r\ntimeout\r\nDisplays the timeout, in seconds, for inactive request queues.\r\npermit-error Displays the permissible errors. 
By default, the permit-error is disabled.\r\ngtpv2 request-queue\r\nDisplays the number of GTP requests for GTPv2 protocol that are queued to wait for a\r\nresponse.\r\ngtpv2 tunnel-limit Displays the number of GTP tunnels that can be configured for gtpv2 protocol.\r\nRelated Commands\r\nCommand Description\r\nparameter-map type inspect-global Configures a global parameter map.\r\nlisp inner-packet-inspection Enables LISP inner-packet inspection.\r\nshow parameter-map type inspect-vrf\r\nTo display information about the configured inspect VPN Routing and Forwarding (VRF) type parameter map, use the show\r\nparameter-map type inspect-vrf command in user EXEC or privileged EXEC mode.\r\nshow parameter-map type inspect-vrf [name | default]\r\nSyntax Description\r\nname (Optional) Name of the inspect VRF type parameter map.\r\ndefault (Optional) Specifies the default inspect VRF type parameter map.\r\nCommand Default\r\nThis command has no default settings.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.3S This command was introduced.\r\nExamples\r\nThe following is sample output from the show parameter-map type inspect-vrf command:\r\nRouter# show parameter-map type inspect-vrf vpmap01\r\n VRF: vrf001, Parameter-Map: vpmap01\r\n total_session_cnt: 3500\r\n exceed_cnt: 40\r\n tcp_half_open_cnt: 3520\r\n syn_exceed_cnt: 40\r\nThe table below describes the significant fields shown in the display.\r\nTable 3. show parameter-map type inspect-vrf Field Descriptions\r\nField Description\r\ntotal_session_cnt Total session count.\r\nexceed_cnt Number of sessions that exceeded the configured session count.\r\ntcp_half_open_cnt\r\nTCP half-open sessions configured for each VRF. 
When the configured session limit is reached,\r\nthe TCP synchronization (SYN) cookie verifies the source of the half-open TCP sessions before\r\ncreating more sessions. A TCP half-open session is a session that has not reached the established\r\nstate.\r\nsyn_exceed_count Number of SYN packets that exceeded the configured SYN flood rate limit.\r\nRelated Commands\r\nCommand Description\r\nparameter-map type inspect-vrf Configures an inspect VRF type parameter map.\r\nshow parameter-map type inspect-zone\r\nTo display information about the configured inspect zone-type parameter map, use the show parameter-map type inspect-zone command in user EXEC or privileged EXEC mode.\r\nshow parameter-map type inspect-zone [name | default]\r\nSyntax Description\r\nname (Optional) Name of the inspect zone-type parameter map.\r\ndefault (Optional) Specifies the default inspect zone-type parameter map.\r\nCommand Default\r\nThis command has no default settings.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.3S This command was introduced.\r\nExamples\r\nThe following is sample output from the show parameter-map type inspect-zone command:\r\nRouter# show parameter-map type inspect-zone zone-pmap\r\n \r\nparameter-map type inspect-zone zone-pmap\r\n tcp syn-flood-rate 400\r\n max-destination 10000\r\nThe table below describes the fields shown in the display.\r\nTable 4. show parameter-map type inspect-zone Field Descriptions\r\nField Description\r\nparameter-map type\r\ninspect-zone\r\nName of the inspect zone-type parameter map.\r\ntcp syn-flood-rate\r\nTCP synchronization (SYN) flood rate limit. 
When the configured maximum packet rate is\r\nreached, the TCP SYN cookie protection is triggered.\r\nmax-destination Maximum number of destinations that a firewall can track.\r\nRelated Commands\r\nCommand Description\r\nparameter-map type inspect-zone Configures an inspect zone-type parameter map.\r\nshow parameter-map type ooo global\r\nTo display Out-of-Order (OoO) global parameter-map information, use the show parameter-map type ooo global command\r\nin privileged EXEC mode.\r\nshow parameter-map type ooo global\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n15.0(1)M This command was introduced.\r\nUsage Guidelines\r\nThe output of the show parameter-map type ooo global command displays configurations related to OoO packet processing.\r\nIf you do not configure the parameter-map type ooo global command, the output of the show parameter-map type ooo global\r\ncommand displays default values of the OoO packet-processing parameters.\r\nExamples\r\nThe following is sample output from the show parameter-map type ooo global command:\r\nDevice# show parameter-map type ooo global\r\n parameter-map type ooo global\r\n tcp reassembly timeout 5\r\n tcp reassembly queue length 16\r\ntcp reassembly memory limit 1024\r\n tcp reassembly alarm off\r\nThe following table describes the fields shown in the display.\r\nTable 5. show parameter-map type ooo global Field Descriptions\r\nField Description\r\ntcp reassembly timeout Timeout, in seconds, for OoO-TCP queues.\r\ntcp reassembly queue length Length of the OoO queues.\r\ntcp reassembly memory limit Limit of the OoO buffer size.\r\ntcp reassembly alarm Indicates if alert messages for TCP sessions are enabled. 
Valid values are on and off.\r\nRelated Commands\r\nparameter-map type ooo global Configures an OoO global parameter map for all firewall policies.\r\ntcp reassembly Changes the default parameters for OoO queue processing of TCP sessions.\r\ntcp reassembly memory limit Specifies the limit of the OoO queue size for TCP sessions.\r\nshow parameter-map type protocol-info\r\nTo display protocol parameter map information, use the show parameter-map type protocol-info command in privileged\r\nEXEC mode.\r\nshow parameter-map type protocol-info [parameter-map-name [dns-cache] | dns-cache | msrpc | zone-pair zone-pair-name | stun-ice [parameter-map-name] ]\r\nSyntax Description\r\nparameter-map-name\r\n(Optional) Name of the parameter map.\r\ndns-cache (Optional) Displays the protocol information about the Domain Name System (DNS) cache.\r\nmsrpc\r\n(Optional) Displays the protocol information about the Microsoft Remote Procedure Call (MSRPC)\r\nparameter map.\r\nzone-pair\r\nzone-pair-name (Optional) Specifies the name of the zone pair.\r\nstun-ice\r\n(Optional) Displays the protocol information of Session Traversal Utilities for Network Address\r\nTranslation (NAT) and Interactive Connectivity Establishment (STUN-ICE). STUN is an Internet\r\nstandards-track suite of methods, including a network protocol, used in NAT traversal for applications\r\nof real-time voice, video, messaging, and other interactive IP communications. ICE is a technique used\r\nin computer networking involving NATs in Internet applications of VoIP, peer-to-peer communications,\r\nvideo, instant messaging, and other interactive media. 
In such applications, NAT traversal is an\r\nimportant component to facilitate communications involving hosts on private network installations,\r\nwhich often are located behind firewalls.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(11)T This command was introduced.\r\n12.4(22)T The command was modified. The stun-ice keyword was added.\r\n15.1(4)M This command was modified. The msrpc keyword was added.\r\nExamples\r\nThe following is sample output from the show parameter-map type protocol-info command. The fields are self-explanatory.\r\nRouter# show parameter-map type protocol-info\r\nparameter-map type protocol-info map2\r\n server ip 192.168.1.1\r\nRelated Commands\r\nCommand Description\r\nparameter-map type\r\nprotocol-info\r\nCreates or modifies a protocol-specific parameter map and enters parameter-map type\r\nconfiguration mode.\r\nshow parameter-map type regex\r\nTo display regular expression parameter-map information, use the show parameter-map type regex command in privileged\r\nEXEC mode.\r\nshow parameter-map type regex [parameter-map-name]\r\nSyntax Description\r\nparameter-map-name (Optional) Name of the parameter map.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(11)T This command was introduced.\r\nCisco IOS XE Release 3.2S This command was integrated into Cisco IOS XE Release 3.2S.\r\nExamples\r\nThe following is sample output from the show parameter-map type regex command. 
The output fields are self-explanatory.\r\nRouter# show parameter-map type regex\r\nparameter-map type regex map3\r\n pattern x*y\r\nRelated Commands\r\nCommand Description\r\nparameter-map type regex Configures a parameter-map type to match a specific traffic pattern.\r\nshow parameter-map type trend-global\r\nTo display the parameter map for the global parameters for a Trend Micro URL filtering policy, use the show parameter-map\r\ntype trend-global command in privileged EXEC mode.\r\nshow parameter-map type trend-global [parameter-map-name] [default]\r\nSyntax Description\r\nparameter-map-name\r\n(Optional) The name of the parameter map for which to display parameters.\r\ndefault\r\n(Optional) Specifies that the default values for the global Trend Micro filtering parameters be\r\ndisplayed.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(15)XZ This command was introduced.\r\n12.4(20)T This command was integrated into Cisco IOS Release 12.4(20)T.\r\nUsage Guidelines\r\nUse the show parameter-map type trend-global command to display the global parameters for Trend Micro URL filtering\r\npolicies.\r\nExamples\r\nThe following is sample output from the show parameter-map type trend-global default command:\r\nRouter# show parameter-map type trend-global\r\n default\r\nparameter-map type trend-global default values\r\n server trps.trendmicro.com http-port 80 https-port 443 retrans 3 timeout 60\r\n alert on\r\n cache-size 256 KB\r\n cache-lifetime 24\r\nThe following is sample output from the show parameter-map type trend-global command when the server name and\r\nmaximum cache size have been specified in the parameter map Global-Parameters:\r\nRouter# show parameter-map type trend-global\r\n Global-Parameters\r\n \r\nparameter-map type trend-global Global-Parameters\r\n server trps1.example.com http-port 80 
https-port 443 retrans 3 timeout 60\r\n alert on\r\n cache-size 300 KB\r\n cache-lifetime 24\r\nRelated Commands\r\nCommand Description\r\nshow parameter-map type urlfpolicy Displays the parameters for a URL filtering policy.\r\nshow parameter-map type urlf-glob\r\nTo display the parameter maps for local URL filtering, use the show parameter-map type urlf-glob command in privileged\r\nEXEC mode.\r\nshow parameter-map type urlf-glob [parameter-map-name]\r\nSyntax Description\r\nparameter-map-name (Optional) Name of the URL filtering parameter map to display.\r\nCommand Default\r\nThe parameter maps for all local URL filtering policies are displayed.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(15)XZ This command was introduced.\r\n12.4(20)T This command was integrated into Cisco IOS Release 12.4(20)T.\r\nUsage Guidelines\r\nUse the show parameter-map type urlf-glob command to display the parameter maps for local URL filtering policies.\r\nExamples\r\nThe following is sample output from the show parameter-map type urlf-glob command when two parameter maps for local\r\nURL filtering have been configured:\r\nRouter# show parameter-map type urlf-glob\r\n \r\nparameter-map type urlf-glob trusted-domain-param\r\n pattern www.example.com\r\n pattern *.example1.com\r\nparameter-map type urlf-glob untrusted-domain-param\r\n pattern www.example3.com\r\n pattern *.example4.com\r\nRelated Commands\r\nCommand Description\r\nshow parameter-map type trend-global Displays the global parameters for a Trend Micro URL filtering policy.\r\nshow parameter-map type urlfpolicy Displays the parameters for a URL filtering policy.\r\nshow parameter-map type urlfilter\r\nNote\r\nEffective with Cisco IOS Release 12.4(15)XZ, 
the show parameter-map type urlfilter command is not available\r\nin Cisco IOS software.\r\nTo display user-configured or default URL filter type parameter maps, use the show parameter-map type urlfilter command\r\nin privileged EXEC mode.\r\nshow parameter-map type urlfilter [default]\r\nSyntax Description\r\ndefault\r\n(Optional) Displays the default urlfilter parameter map values.\r\nNote\r\n \r\nIf this keyword is not issued, user-configured parameter maps will be displayed.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\n12.4(15)XZ This command was removed.\r\nExamples\r\nThe following example shows sample output from the show parameter-map type urlfilter command:\r\nRouter# show parameter-map type urlfilter\r\n parameter-map type urlfilter default values\r\n urlf-server-log off\r\n audit-trail off\r\n alert on\r\n max-request 1000\r\n max-resp-pak 200\r\n source-interface default\r\n allow-mode off\r\n cache 5000\r\nThe following example shows sample output from the show parameter-map type urlfilter default command:\r\nRouter# show parameter-map type urlfilter default\r\nparameter-map type urlfilter default values\r\n urlf-server-log off\r\n audit-trail off\r\n alert on\r\nmax-request 1000\r\n max-resp-pak 200\r\n source-interface default\r\n allow-mode off\r\ncache 5000\r\nshow parameter-map type urlfpolicy\r\nTo display the parameter maps associated with a URL filtering policy, use the show parameter-map type urlfilter command\r\nin privileged EXEC mode.\r\nshow parameter-map type urlfpolicy {local | trend | n2h2 | websense} [param-map-name] [default]\r\nSyntax Description\r\nlocal Specifies that the parameters for local URL filtering policies be displayed.\r\ntrend Specifies that the parameters for Trend Micro URL filtering policies be displayed.\r\nn2h2 Specifies 
that the parameters for SmartFilter URL filtering policies be displayed.\r\nwebsense Specifies that the parameters for Websense URL filtering policies be displayed.\r\nparam-map-name (Optional) The name of the parameter map for a URL filtering policy to be displayed.\r\ndefault\r\n(Optional) Displays the default values for the URL filtering policy.\r\nNote\r\n \r\nIf this keyword is not issued, user-configured values will be displayed.\r\nCommand Default\r\nThe parameter maps for all URL filtering policies of the type specified (local, trend, n2h2, or websense) are displayed.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(15)XZ This command was introduced.\r\nExamples\r\nThe following example shows the default values for a Websense URL filtering policy:\r\nRouter# show parameter-map type urlfpolicy websense default\r\n parameter-map type urlfilter websense default values\r\n urlf-server-log off\r\n audit-trail off\r\n alert on\r\n max-request 1000\r\n max-resp-pak 200\r\n source-interface default\r\n allow-mode off\r\n cache 5000\r\nshow parser view\r\nTo display command-line interface (CLI) view information, use the show parser view command in privileged EXEC mode.\r\nshow parser view [all]\r\nSyntax Description\r\nall (Optional) Displays information about all CLI views that are configured on the router.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.3(7)T This command was introduced.\r\n12.2(33)SRB This command was integrated into Cisco IOS Release 12.2(33)SRB.\r\nCisco IOS XE Release 2.1 This command was integrated into Cisco IOS XE Release 2.1.\r\n12.2(33)SXI This command was integrated into Cisco IOS Release 12.2(33)SXI.\r\nUsage Guidelines\r\nThe show parser view command will display information only about the view that the user is currently in. 
This command is\r\navailable for both root view users and lawful intercept view users--except for the all keyword, which is available only to root\r\nview users. However, the all keyword can be configured by a user in root view to be available for users in lawful intercept\r\nview.\r\nThe show parser view command cannot be excluded from any view.\r\nExamples\r\nThe following example shows how to display information from the root view and the CLI view \"first\":\r\nRouter# enable view\r\nRouter#\r\n01:08:16:%PARSER-6-VIEW_SWITCH:successfully set to view 'root'.\r\nRouter#\r\n! Enable the show parser view command from the root view\r\nRouter# show parser view\r\n \r\nCurrent view is 'root'\r\n! Enable the show parser view command from the root view to display all views\r\nRouter# show parser view all\r\n \r\nViews Present in System:\r\nView Name: first\r\nView Name: second\r\n! Switch to the CLI view \"first.\"\r\nRouter# enable view first\r\n \r\nRouter#\r\n01:08:09:%PARSER-6-VIEW_SWITCH:successfully set to view 'first'.\r\n! 
Enable the show parser view command from the CLI view \"first.\"\r\nRouter# show parser view\r\nCurrent view is 'first'\r\nRelated Commands\r\nCommand Description\r\nparser view Creates or changes a CLI view and enters view configuration mode.\r\nshow platform hardware qfp feature alg\r\nTo display application layer gateway (ALG)-specific information in the Cisco Quantum Flow Processor (QFP), use the show\r\nplatform hardware qfp feature alg command in privileged EXEC mode.\r\nshow platform hardware qfp {active | standby} feature alg {debugging | memory | statistics [protocol | clear]}\r\nSyntax Description\r\nactive Displays the active instance of the processor.\r\nstandby Displays the standby instance of the processor.\r\ndebugging Displays ALG debugging information.\r\nmemory Displays ALG memory usage information of the processor.\r\nstatistics Displays ALG common statistics information of the processor.\r\nprotocol (Optional) Protocol name. Use one of the following values for the protocol argument:\r\ndns —Displays Domain Name System (DNS) ALG information in the QFP datapath.\r\nexec —Displays exec ALG information in the QFP datapath.\r\nftp —Displays FTP ALG information in the QFP datapath.\r\ngtp —Displays General Packet Radio Service (GPRS) Tunneling Protocol (GTP) ALG information\r\nin the QFP datapath.\r\nh323 —Displays H.323 ALG information in the QFP datapath.\r\nhttp —Displays HTTP ALG information in the QFP datapath.\r\nimap —Displays Internet Message Access Protocol (IMAP) ALG information in the QFP datapath.\r\nldap —Displays Lightweight Directory Access Protocol (LDAP) ALG information in the QFP\r\ndatapath.\r\nlogin —Displays login ALG information in the QFP datapath.\r\nmsrpc —Displays Microsoft Remote Procedure Call (MSRPC) ALG information in the QFP\r\ndatapath.\r\nnetbios —Displays Network Basic Input Output System (NetBIOS) ALG 
information in the QFP\r\ndatapath.\r\npop3 —Displays Post Office Protocol 3 (POP3) ALG information in the QFP datapath.\r\npptp —Displays Point-to-Point Tunneling Protocol (PPTP) ALG information in the QFP datapath.\r\nrtsp —Displays Rapid Spanning Tree Protocol (RSTP) ALG information in the QFP datapath.\r\nshell —Displays shell ALG information in the QFP datapath.\r\nsip —Displays Session Initiation Protocol (SIP) ALG information in the QFP datapath.\r\nskinny —Displays Skinny Client Control Protocol (SCCP) ALG information in the QFP datapath.\r\nsmtp —Displays Simple Mail Transfer Protocol (SMTP) ALG information in the QFP datapath.\r\nsunrpc —Displays Sun RPC ALG information in the QFP datapath.\r\ntftp —Displays TFTP ALG information in the QFP datapath.\r\nclear (Optional) Clears common ALG counters after display.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 2.2 This command was introduced.\r\nCisco IOS XE Release 3.1S This command was modified. Support for the NetBIOS protocol was added.\r\nCisco IOS XE Release 3.2S This command was modified. The sip keyword was added.\r\nCisco IOS XE Release 3.9S This command was modified. The gtp and pptp keywords were added.\r\nUsage Guidelines\r\nThe show platform hardware qfp feature alg statistics netbios command displays the NetBIOS ALG memory usage and\r\nstatistics information of the processor.\r\nExamples\r\nThe following sample output from the show platform hardware qfp feature alg statistics netbios command displays the\r\nNetBIOS ALG statistics information of the processor:\r\nDevice# show platform hardware qfp active feature alg statistics netbios\r\nNetBIOS ALG Statistics:\r\n No. of allocated chunk elements in L7 data pool:0\r\n No. of times L7 data is allocated:0 No. 
of times L7 data is freed:0\r\n Datagram Service statistics\r\n Total packets :0\r\n Direct unique packets :0\r\n Direct group packets :0\r\n Broadcast packets :0\r\n DGM Error packets :0\r\n Query request packets :0\r\n Positive Qry response packets :0\r\n Negative Qry response packets:0\r\n Unknown packets :0\r\n Total error packets :0\r\n Name Service statistics\r\n Total packets :0\r\n Query request packets :0\r\n Query response packets :0\r\n Registration req packets :0\r\n Registration resp packets:0\r\n Release request packets :0\r\n Release response packets :0\r\n WACK packets :0\r\n Refresh packets :0\r\n Unknown packets :0\r\n Total error packets :0\r\n Session Service statistics\r\n Total packets :0\r\n Message packets :0\r\n Request packets :0\r\n Positive response packets:0\r\n Negative response packets:0\r\n Retarget response packets:0\r\n Keepalive packets :0\r\n Unknown packets :0\r\n Total error packets :0\r\nThe table below describes the significant fields shown in the display.\r\nTable 6. show platform hardware qfp feature alg statistics netbios Field Descriptions\r\nField Description\r\nNo. of allocated chunk elements in L7 data pool\r\nNumber of memory chunks allocated for processing NetBIOS\r\npackets.\r\nNo. of times L7 data is allocated:0 No. 
of times L7\r\ndata is freed\r\nNumber of times memory is allocated and freed for processing\r\nNetBIOS packets.\r\nDirect unique packets Number of direct unique NetBIOS packets processed.\r\nDirect group packets Number of direct group NetBIOS packets processed.\r\nBroadcast packets Number of broadcast NetBIOS packets processed.\r\nDGM Error packets Number of Datagram Error NetBIOS packets processed.\r\nQuery request packets Number of query request NetBIOS packets processed.\r\nPositive Qry response packets Number of positive query response NetBIOS packets processed.\r\nNegative Qry response packets Number of negative query response NetBIOS packets processed.\r\nUnknown packets Number of unknown packets.\r\nTotal error packets Counter tracking number of error packets.\r\nThe following sample output from the show platform hardware qfp feature alg statistics sip command displays SIP statistics\r\ninformation of the processor.\r\nDevice# show platform hardware qfp active feature alg statistics sip\r\nSIP info pool used chunk entries number: 6\r\nRECEIVE\r\nRegister: 0 -\u003e 200-OK: 0\r\nInvite: 6 -\u003e 200-OK: 6 Re-invite 0\r\nUpdate: 0 -\u003e 200-OK: 0\r\nBye: 0 -\u003e 200-OK: 0\r\nSubscribe: 0 -\u003e 200-OK: 0\r\nRefer: 0 -\u003e 200-OK: 0\r\nPrack: 0 -\u003e 200-OK: 0\r\nTrying: 0 Ringing: 6 Ack: 5\r\nInfo: 0 Cancel: 0 Sess Prog: 0\r\nMessage: 0 Notify: 0\r\nPublish: 0 Options: 0\r\n1xx: 0 2xx: 0\r\nOtherReq: 0 OtherOk: 0 3xx-6xx: 0\r\nEvents\r\nNull dport: 0 Media Port Zero: 0\r\nMalform Media: 0 No Content Length: 0\r\nCr Trunk Chnls: 6 Del Trunk Chnls: 0\r\nstart trunk timer: 6 restart trunk timer: 6\r\nstop trunk timer: 6 trunk timer timeout: 0\r\nMedia Addr Zero: 0 Need More Data: 0\r\nSIP PKT Alloc: 23 SIP PKT Free: 23\r\nSIP MSG Alloc: 0 SIP MSG Free: 
0\r\nErrors\r\nCreate Token Err: 0 Add portlist Err: 0\r\nInvalid Offset: 0 Invalid Pktlen: 0\r\nFree Magic: 0 Double Free: 0\r\nSess Retmem Failed: 0 Sess Malloc Failed 0\r\nPkt Retmem Failed: 0 Pkt Malloc Failed: 0\r\nMsg Retmem Failed: 0 Msg Malloc Failed: 0\r\nBad Format: 0 Invalid Proto: 0\r\nAdd ALG state Fail: 0 No Call-id: 0\r\nParse SIP Hdr Fail: 0 Parse SDP Fail: 0\r\nError New Chnl: 0 Huge Size: 0\r\nCreate Failed: 0 Not SIP Msg: 0\r\nWriteback Errors\r\nOffset Err: 0 PA Err: 0\r\nNo Info: 0\r\nThe table below describes the significant fields shown in the display.\r\nTable 7. show platform hardware qfp feature alg statistics sip Field Descriptions\r\nField Description\r\nRegister Registers the address listed in the To field of the SIP ALG header with a SIP server.\r\nInvite Indicates that a user or a service is invited to participate in a call session.\r\nBye Terminates a call. This message can be sent either by the caller or the called party.\r\nRefer Indicates that the user (recipient) should contact a third party for transferring a call.\r\nPRACK\r\nImproves the network reliability by adding an acknowledgment system to the provisional responses.\r\nPRACK is a Provisional Response Acknowledgment message.\r\nThe following sample output from the show platform hardware qfp feature alg statistics gtp command displays GTP\r\n(GTPv0, GTPv1, and GTPv2) ALG information. 
The field descriptions are self-explanatory.\r\nDevice# show platform hardware qfp active feature alg statistics gtp\r\nGlobal info:\r\n Total pkts passed inspection:0\r\n GTP V0: Request: 0, Response: 0, Data: 0, Unknown: 0\r\n GTP V1: Request: 0, Response: 0, Data: 0, Unknown: 0\r\n GTP V2: Request: 0, Response: 0, Data: 0, Unknown: 0\r\n VFRed packets: 0\r\nDrop counters:\r\n Total dropped: 0\r\n Fatal error:\r\n Internal SW error: 0\r\n Packets subject to policy inspection:\r\n Policy not-exist: 0\r\n Policy dirty-bit set: 0\r\n Policy-mismatch: 0\r\n GTP global Info:\r\n GTP message rejected: 0\r\n GTP Request wasn't found: 0\r\nGTP info element is missing: 0\r\n GTP info element is incorrect: 0\r\n GTP info element out of order: 0\r\n GTP Request retransmit: 0\r\n GTPv0 Info:\r\n Message rejected: 0\r\n Request wasn't found: 0\r\n Info element is missing: 0\r\n Info element is incorrect: 0\r\n Info element out of order: 0\r\n Request retransmit: 0\r\n GTPv1 Info:\r\n Message rejected: 0\r\n Request wasn't found: 0\r\n Info element is missing: 0\r\n Info element is incorrect: 0\r\n Info element out of order: 0\r\n Request retransmit: 0\r\n GTPv2 Info:\r\n Message rejected: 0\r\n Request wasn't found: 0\r\n Info element is missing: 0\r\n Info element is incorrect: 0\r\n Info element out of order: 0\r\n Request retransmit: 0\r\nMemory management:\r\n GTP ctxt - allocated: 0, freed: 0, failed: 0\r\n GTP Primary - allocated: 0, freed: 0, failed: 0\r\n GTP Secondary - allocated: 0, freed: 0, failed: 0\r\n GTP Tunnel DB - allocated: 0, freed: 0, failed: 0\r\n GTP Req/Res - allocated: 0, freed: 0, failed: 0\r\n GTP Req/Resp entry - allocated: 0, freed: 0, failed: 0\r\n GTPv2 Session - allocated: 0, freed: 0, failed: 0\r\n GTPv2 Bearer - allocated: 0, freed: 0, failed: 0\r\nRelated Commands\r\nCommand Description\r\ndebug platform hardware qfp feature 
Debugs feature-specific information in the Cisco QFP.\r\nshow platform hardware qfp act feature ipsec datapath memory\r\nTo display debugging information about the consumption of IPsec datapath memory, use the show platform hardware qfp act\r\nfeature ipsec datapath memory command in privileged EXEC or diagnostic mode.\r\nshow platform hardware qfp act feature ipsec datapath memory\r\nCommand Default\r\nNo default behavior or values\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nDiagnostic (diag)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 2.4.2 This command was introduced on the Cisco ASR 1000 Series Routers.\r\nUsage Guidelines\r\nThis command displays the consumption of dynamic random access memory (DRAM) on the IPSec Cisco QuantumFlow\r\nProcessor (QFP) datapath.\r\nshow platform hardware qfp act feature ipsec datapath memory\r\npstate chunk totalfree: 80000, allocated: 0\r\nRelated Commands\r\nCommand Description\r\nshow platform software ipsec f0 encryption-processor registers Displays debugging information about the crypto engine\r\nprocessor registers.\r\nshow platform hardware qfp active feature acl dp hsl configuration\r\nTo display the current high-speed logging (HSL) configuration for security group access control lists (SGACLs), use the\r\nshow platform hardware qfp active feature acl dp hsl configuration command in privileged EXEC mode.\r\nshow platform hardware qfp active feature acl dp hsl configuration\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nThis command has no default settings.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 17.15.1\r\nThis command was introduced on the following platforms:\r\nCisco ASR 1000 Series Aggregation Services Routers\r\nCisco Catalyst 8500 Series Edge Platforms\r\nUsage Guidelines\r\nThe show 
platform hardware qfp active feature acl dp hsl configuration command displays an overview of how SGACL\r\nlogging is set up, including parameters such as logging destinations, rates, and formats, specifically within the data plane's\r\nhardware component.\r\nExample\r\nThe following is a sample output from the show platform hardware qfp active feature acl dp hsl configuration command.\r\nSGACL HSL Config\r\n----------------\r\nHSL Config Initialized/Set: TRUE\r\nHSL Enabled: TRUE\r\nHSL Base Memory Address: 0p0xXXXX\r\nHSL Memory Size (bytes): 131072\r\nHSL Handle: 0x00001A\r\nHSL Version: 9\r\nHSL Maximum Records: 512\r\nHSL Record Threshold: 1024\r\nHSL Export Timeout (ms): 4\r\nSGACL_EXPORT_HSL_MTU_SIZE (bytes): 1450\r\nSGACL_EXPORT_HSL_BFR_THRHLD (bytes): 32000 /* (256 * 128) */\r\nSGACL_EXPORT_HSL_REC_THRHLD : 128 /* (512 / 4) */\r\nSGACL_EXPORT_HSL_TMP_RFSH_TMR: 0\r\nSGACL_EXPORT_HSL_TMP_RFSH_PKTS: 0\r\nSGACL_EXPORT_HSL_SRC_ID: 495\r\nSGACL_EXPORT_HSL_BFR_SIZE (bytes): 131072 /* (256 * 512) */\r\nSGACL_EXPORT_HSL_MAX_REC_SIZE(bytes): 256\r\nshow platform hardware qfp active feature ipsec\r\nTo display IPsec feature-specific information in the IPsec Cisco Quantum Flow Processor (QFP), use the show platform\r\nhardware qfp active feature ipsec command in the privileged EXEC mode.\r\nshow platform hardware qfp active feature ipsec {event-monitor| interface interface-name | spi | sp-obj number | spd |\r\ndatapath drops | | clear | {all | qfp-spd-number | [ace spd-class-group-id | [qfp-spd-class-id]]}}\r\nSyntax Description\r\nevent-monitor Displays IPsec monitored events and event-count thresholds.\r\ninterface\r\ninterface-name\r\nDisplays QFP information for the specified interface.\r\nspi Displays QFP IPsec security parameter index (SPI) information.\r\nsp-obj number Displays security policy information. 
The range is from 0 to 4294967295.\r\nspd Displays Security Policy Database (SPD) information.\r\ndatapath drops\r\nDisplays datapath drop counters, indicating the number of dropped packets, and a code number\r\nfor the error type. Error codes vary, depending on platform.\r\nclear Clears the datapath drop counters.\r\nstate Displays QFP IPsec state information.\r\nall Displays information about all SPDs.\r\nqfp-spd-number Specific handle in IPsec Cisco QFP.\r\nace (Optional) Displays information about QFP IPsec SPD Cisco Application Control Engine (ACE).\r\nspd-class-group-id\r\n(Optional) SPD class group ID in Cisco ACE.\r\nqfp-spd-class-id (Optional) QFP class ID.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release\r\n3.9S\r\nThis command was introduced on the Cisco ASR 1000 Series Aggregation Services\r\nRouters.\r\nCisco IOS 12.2 XN The event-monitor type keyword was added.\r\nCisco IOS XE Fuji 16.8.1 Updated the error codes in the output when using datapath drops.\r\nUsage Guidelines\r\nThis command displays information that can help you to troubleshoot issues about IPsec flows.\r\nExamples\r\nThe following is a sample output of the show platform hardware qfp active feature ipsec event-monitor command. 
(The\r\nfields in the output are self-explanatory.)\r\nDevice# show platform hardware qfp active feature ipsec event-monitor\r\n \r\nAntiReplay Threshold Setting: 1\r\nDecryption Threshold Setting: 1000\r\nEncryption Threshold Setting: 0\r\nThe following is a sample output from the show platform hardware qfp active feature ipsec interface command:\r\nDevice# show platform hardware qfp active feature ipsec interface gigabitEthernet 1/1/3\r\nQFP ipsec intf sub-block Information\r\nIngress subblock for interface : 10\r\n spd_id : 1\r\n flags: 8000 (INTF ENABLED)\r\n spi tbl ptr: 0x898e4c00\r\n num labels: 1\r\ncce_w0: 0x10004\r\n cce_w1: 0x1084441\r\n def_q: 0x0\r\n pri_q: 0x0\r\n Ingress Statistics:\r\n pkts decrypted: 1\r\n pkts sent to crypto: 1\r\n pkts recv from crypt: 1\r\n pkts failed decryption: 0\r\n pkts failed policy check: 0\r\nEgress subblock for interface : 10\r\n spd_id : 1\r\n flags: 8000 (INTF ENABLED)\r\n spi tbl ptr: 0x0\r\n num labels: 1\r\n cce_w0: 0x10004\r\n cce_w1: 0x1084441\r\n def_q: 0x0\r\n pri_q: 0x0\r\n Egress Statistics:\r\n pkts encrypted : 1\r\n pkts sent to crypto : 1\r\n pkts recv from crypt: 1\r\n pkts failed encryption: 0\r\n \r\nThe following table describes the significant fields shown in the display.\r\nTable 8. 
show platform hardware qfp active feature ipsec interface Field Descriptions\r\nField Description\r\nIngress subblock for interface Incoming block for the interface.\r\nspd_id SPD identifier.\r\nflags Flags set for the interface.\r\nspi tbl ptr SPI table pointer.\r\nnum labels Numerical labels.\r\ndef_q Deferral queue.\r\npri_q Priority queue.\r\nIngress Statistics Incoming statistics.\r\npkts decrypted Number of packets decrypted.\r\npkts sent to crypto Number of packets sent to the crypto engine.\r\npkts recv from crypt Number of packets received from the crypto engine.\r\npkts failed decryption Number of packets that failed decryption.\r\npkts failed policy check Number of packets that failed security policy check.\r\nEgress subblock for interface Outgoing block for the interface.\r\nEgress Statistics Outgoing statistics.\r\npkts encrypted Number of packets encrypted.\r\npkts failed encryption Number of packets that failed encryption.\r\nThe following is a sample output from the show platform hardware qfp active feature ipsec spi command:\r\nDevice# show platform hardware qfp active feature ipsec spi\r\nQFP IPSEC SPI TABLE:\r\n IDX SPI PPE_ADDR NXT_PPE PROTO VRF SPD SA ADDR\r\n ---------------------------------------------------------------------------------------------\r\n 0x992 0x95002492 0x89afb420 0x0 0x32 0 1 7 IPV4\r\n \r\nThe following table describes the significant fields shown in the display.\r\nTable 9. 
show platform hardware qfp active feature ipsec spi Field Descriptions\r\nField Description\r\nIDX Identifier.\r\nSPI SPI.\r\nPPE_ADDR Memory address where the SPI is stored in the QFP.\r\nNXT_PPE Address of the next SPI.\r\nPROTO IPSec protocol of the SA which is associated with the SPI.\r\nVRF Virtual routing and forwarding id of the SA.\r\nSPD QFP handle of the SPD that the SPI belongs to.\r\nSA QFP handle of the SA that the SPI belongs to.\r\nAddr Type of address.\r\nThe following is a sample output from the show platform hardware qfp active feature ipsec sp-obj command for SP ID 1:\r\nDevice# show platform hardware qfp active feature ipsec sp-obj 4\r\nQFP ipsec sp Information\r\n QFP sp id: 4\r\n pal sp id: 6\r\n QFP spd id: 1\r\n number of intfs: 0\r\n cgid.cid.fid.rid: 1.2.2.1\r\n \r\nThe following table describes the significant fields shown in the display.\r\nTable 10. show platform hardware qfp active feature ipsec sp-obj Field Descriptions\r\nField Description\r\nQFP sp id QFP SP identifier.\r\nQFP spd id QFP SPD identifier.\r\nnumber of intfs Number of interfaces.\r\nThe following is a sample output from the show platform hardware qfp active feature ipsec spd all command:\r\nDevice# show platform hardware qfp active feature ipsec spd all\r\nCurrent number CONTEXTs: 8\r\nCurrent number SPDs: 1\r\nCurrent number SPs: 5\r\nCurrent number SAs: 2\r\n Active IN SAs: 1 (pending: 0)\r\n Active OUT SAs: 1 (pending: 0)\r\n ---spd_id--------cg_id-----------num of intf---\r\n 1 1 1\r\n \r\nThe following table describes the significant fields shown in the display.\r\nTable 11. 
show platform hardware qfp active feature ipsec spd all Field Descriptions\r\nField Description\r\nCurrent number CONTEXTs Number of SPD contexts in the system.\r\nCurrent number SPDs Number of SPDs in the system.\r\nCurrent number SPs Number of SPs in the system.\r\nCurrent number SAs Number of SAs in the system.\r\nActive IN SAs Number of active SAs.\r\nspd_id SPD identifier.\r\ncg_id Class group identifier.\r\nnum of intf Number of interfaces.\r\nThe following is a sample output from the show platform hardware qfp active feature ipsec spd command for SPD ID 1:\r\nDevice# show platform hardware qfp active feature ipsec spd 1\r\n QFP id: 1\r\n pal id: 1\r\n num of aces: 6\r\n num of intfs: 1\r\n first intf name: GigabitEthernet1/1/3\r\n cgid: 1\r\n num of cm: 3\r\n cce_w0: 0x10004\r\n cce_w1: 0x1084441\r\n ---cgid.cid.fid----------num of aces---\r\n 1.1.1 2\r\n 1.2.2 2\r\n 1.3.3 2\r\n \r\nThe following table describes the significant fields shown in the display.\r\nTable 12. show platform hardware qfp active feature ipsec spd Field Descriptions\r\nField Description\r\nQFP id QFP identifier.\r\nnum of aces Number of Cisco Application Control Engines (ACEs).\r\nnum of intfs Number of interfaces.\r\nfirst intf name Name of the first interface.\r\nThe following is a sample output from the show platform hardware qfp active feature ipsec state command:\r\nDevice# show platform hardware qfp active feature ipsec state\r\nQFP IPSEC state:\r\nMessage counter:\r\n Type Request Reply (OK) Reply (Error)\r\n -----------------------------------------------------------------------\r\n Initialize 1 1 0\r\n SPD Create 1 1 0\r\n SPD Intf Bind 1 1 0\r\n SPD CM Bind 3 3 0\r\n SP Create 5 5 0\r\n In SA Add 1 1 0\r\n Intf Enable 1 1 0\r\n Bulk SA Stats 128 128 0\r\n CGM Begin Batch 4 4 0\r\n CGM End Batch 4 4 0\r\n Inv SPI Notify 0 2 0\r\n Out SA Add Bind 
1 1 0\r\nThe following table describes the significant fields shown in the display.\r\nTable 13. show platform hardware qfp active feature ipsec state Field Descriptions\r\nField Description\r\nMessage counter Number of messages.\r\nInitialize Number of messages exchanged to initialize a connection.\r\nSPD Create Number of messages exchanged to create an SPD.\r\nSPD Intf Bind Number of messages exchanged to bind the SPD interface.\r\nSPD CM Bind Number of messages exchanged to bind to the SPD crypto map.\r\nSP Create Number of messages exchanged to create an SP.\r\nIn SA Add Number of messages exchanged to create an inbound SA.\r\nIntf Enable Number of messages exchanged to enable an interface.\r\nBulk SA Stats SA statistics.\r\nCGM Begin Batch Number of messages exchanged to start Class Group Manager (CGM).\r\nCGM End Batch Number of messages exchanged to end CGM.\r\nInv SPI Notify Number of messages exchanged to notify an inverse SPI.\r\nOut SA Add Bind Number of messages exchanged to create an outbound SA.\r\nThe following is a sample output from the show platform hardware qfp active feature ipsec datapath drops command,\r\nshowing information about dropped packets. 
For dropped packets, the datapath drops output includes an error code number\r\nfor the type of packet drop, the name of the error, and the number of dropped packets.\r\nDevice#show platform hardware qfp active feature ipsec datapath drops\r\n------------------------------------------------------------------------\r\nDrop Type Name Packets\r\n------------------------------------------------------------------------\r\n30 IN_V4_POST_INPUT_POLICY_FAIL 25\r\nDevice#show platform hard qfp acti feat ipsec datapath drops clear\r\n------------------------------------------------------------------------\r\nDrop Type Name Packets\r\n------------------------------------------------------------------------\r\n \r\nThe following is a sample output from the show platform hardware qfp active feature ipsec datapath drops clear command,\r\nwhich clears the datapath drops counters.\r\nDevice#show platform hard qfp acti feat ipsec datapath drops clear\r\n------------------------------------------------------------------------\r\nDrop Type Name Packets\r\n------------------------------------------------------------------------\r\n \r\nRelated Commands\r\nCommand Description\r\nshow platform software ipsec fp active flow Displays information about active instances of IPsec flows in the ESP.\r\nshow platform software ipsec fp active spd-map Displays information about the active instances of IPsec SPD map\r\nobjects.\r\nshow platform hardware qfp active statistics drop history\r\nTo display the history of QFP drops for all interfaces in Packet Processor Engine (PPE), use the show platform hardware\r\nqfp active statistics drop history command.\r\nshow platform hardware qfp active statistics drop history\r\nSyntax Description\r\nThis command has no keywords or arguments.\r\nCommand Default\r\nNo default behaviour or values.\r\nCommand Modes\r\nPrivileged EXEC mode\r\nCommand 
History\r\nRelease Modification\r\nCisco IOS XE Dublin 17.13.1a Command introduced\r\nUsage Guidelines\r\nThe wrapper command show drops history qfp is the shorthand notation of the show platform hardware qfp active statistics\r\ndrop history command.\r\nExamples\r\nThe following example displays the history of QFP drops for all interfaces in Packet Processor Engine.\r\nRouter# show platform hardware qfp active statistics drop history\r\nLast clearing of QFP drops statistics : Mon Jun 26 07:29:14 2023 (21s ago)\r\n----------------------------------------------------\r\nGlobal Drop Stats 1-Min 5-Min 30-Min All\r\n----------------------------------------------------\r\nIpv4NoAdj 0 0 0 99818\r\nIpv4NoRoute 0 0 0 99853\r\nRelated Commands\r\nCommand Description\r\nshow platform hardware qfp active feature ipsec datapath drops Displays QFP IPSEC Datapath Drop Counters.\r\nshow platform hardware qfp active statistics drop thresholds\r\nTo display the warning thresholds for per drop cause and/or total QFP drop in packets per second, use the show platform\r\nhardware qfp active statistics drop thresholds command.\r\nshow platform hardware qfp active statistics drop thresholds\r\nSyntax Description\r\nThis command has no keywords or arguments.\r\nCommand Default\r\nNo default behaviour or values.\r\nCommand Modes\r\nPrivileged EXEC mode\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE 17.14.1a Command introduced\r\nUsage Guidelines\r\nThe wrapper command show drops thresholds is the shorthand notation of the show platform hardware qfp active statistics\r\ndrop thresholds command.\r\nNote\r\nThe wrapper command show drops thresholds is currently not available on Catalyst 8500L 
Edge Platform.\r\nExamples\r\nThe following example displays the warning thresholds for per drop cause and/or total QFP drop.\r\nRouter#show platform hardware qfp active statistics drop thresholds\r\n------------------------------------------------------\r\nDrop ID Drop Cause Name Threshold\r\n------------------------------------------------------\r\n10 BadIpChecksum 100\r\n206 PuntPerCausePolicerDrops 10\r\n20 QosPolicing 200\r\n Total 30\r\nRelated Commands\r\nCommand Description\r\nplatform qfp drops threshold Configures the warning thresholds for per drop cause and/or total QFP drop.\r\nshow platform hardware qfp feature alg statistics sip\r\nTo display Session Initiation Protocol (SIP) application layer gateway (ALG)-specific statistics information in the Cisco\r\nQuantum Flow Processor (QFP), use the show platform hardware qfp feature alg statistics sip command in privileged\r\nEXEC mode.\r\nshow platform hardware qfp feature alg statistics sip [clear | dbl [all | clear | entry entry-string [clear]] | dblcfg | l7data\r\n{callid call-id | clear} | processor | timer]\r\nSyntax Description\r\nclear (Optional) Clears ALG counters after display.\r\ndbl (Optional) Displays brief information about all SIP blocked list data.\r\nall (Optional) Displays all dynamic blocked list entries: blocked list and non blocked list entries.\r\nentry entry-string (Optional) Clears the specified blocked list entry.\r\ndblcfg (Optional) Displays all SIP blocked list settings.\r\nl7data (Optional) Displays brief information about all SIP Layer 7 data.\r\ncallid call-id (Optional) Displays information about the specified SIP call ID.\r\nprocessor (Optional) Displays SIP processor settings.\r\ntimer (Optional) Displays SIP timer settings.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.11S This command was 
introduced.\r\nUsage Guidelines\r\nThis command displays the following error details:\r\nSession write lock exceeded\r\nGlobal write lock exceeded\r\nBlocked list\r\nThis command also displays the following event details:\r\nBlocked list triggered\r\nBlocked list timeout\r\nA blocked list is a list of entities that are denied a particular privilege, service, or access.\r\nExamples\r\nThe following is sample output from the show platform hardware qfp active feature alg statistics sip command:\r\nDevice# show platform hardware qfp active feature alg statistics sip\r\nEvents\r\n...\r\nCr dbl entry: 10 Del dbl entry: 10\r\nCr dbl cfg entry: 8 Del dbl cfg entry: 4\r\nstart dbl trig tmr: 10 restart dbl trig tmr: 1014\r\nstop dbl trig tmr: 10 dbl trig timeout: 1014\r\nstart dbl blk tmr: 0 restart dbl blk tmr: 0\r\nstop dbl blk tmr: 0 dbl blk tmr timeout: 0\r\nstart dbl idle tmr: 10 restart dbl idle tmr: 361\r\nstop dbl idle tmr: 1 dbl idle tmr timeout: 9\r\nDoS Errors\r\nDbl Retmem Failed: 0 Dbl Malloc Failed: 0\r\nDblCfg Retm Failed: 0 DblCfg Malloc Failed: 0\r\nSession wlock ovflw: 0 Global wlock ovflw: 0\r\nBlacklisted: 561\r\n \r\nThe table below describes the significant fields shown in the display.\r\nTable 14. 
show platform hardware qfp active feature alg statistics sip Field Descriptions\r\nField Description\r\nCR dbl entry Number of dynamic blocked list entries.\r\nstart dbl blk tmr Number of events that have started the dynamic blocked list timer.\r\nstop dbl idle tmr Number of events that have stopped the dynamic blocked list idle timer.\r\nDel dbl entry Number of dynamic blocked list entries deleted.\r\nrestart dbl trig tmr Number of dynamic blocked list trigger timers restarted.\r\ndbl trig timeout Number of dynamic blocked list trigger timers timed out.\r\nrestart dbl blk tmr Number of dynamic blocked list timers to be restarted.\r\ndbl idle tmr timeout Number of dynamic blocked list idle timers timed out.\r\nDoS Errors Denial of service (DoS) related errors.\r\nDbl Retmem Failed Number of dynamic blocked list return memory failures.\r\nDblCfg Retm Failed Number of dynamic blocked list configuration return memory failures.\r\nSession wlock ovflw Number of packets that are dropped because the session-level write lock number is exceeded.\r\nBlocked list Number of packets dropped by dynamic blocked list.\r\nDbl Malloc Failed Number of dynamic blocked list memory allocation failures.\r\nDblCfg Malloc Failed Number of dynamic blocked list configuration memory allocation failures.\r\nGlobal wlock ovflw Number of packets dropped because the global-level write-lock number is exceeded.\r\nThe following is sample output from the show platform hardware qfp active feature alg statistics sip dbl entry\r\ncommand:\r\nDevice# show platform hardware qfp active feature alg statistics sip dbl entry a4a051e0a4a1ebd\r\nreq_src_addr: 10.74.30.189 req_dst_addr: 10.74.5.30\r\ntrigger_period: 1000(ms) block_timeout: 30(sec)\r\nidle_timeout: 60(sec) dbl_flags: 0x 1\r\ncfg_trig_cnt: 5 cur_trig_cnt: 0\r\nThe table below describes the significant fields shown 
in the display.\r\nTable 15. show platform hardware qfp active feature alg statistics sip Field Descriptions\r\nField Description\r\nreq_src_addr Source IP address of a SIP request message.\r\ntrigger_period Dynamic blocked list trigger period.\r\nidle_timeout Dynamic blocked list idle timeout entry.\r\ncfg_trig_cnt Configured trigger counter.\r\nreq_dst_addr Destination IP address of a SIP request message.\r\nblock_timeout Dynamic blocked list block timeout.\r\ndbl_flags Dynamic blocked list entry flags.\r\ncur_trig_cnt Current trigger counter.\r\nRelated Commands\r\nalg sip blacklist Configures a dynamic SIP ALG blocked list for destinations.\r\nalg sip processor Configures the maximum number of backlog messages that wait for shared resources.\r\nalg sip timer Configures a timer that SIP ALG uses to manage SIP calls.\r\nshow platform hardware qfp feature firewall\r\nTo display firewall feature-specific information in the Cisco Quantum Flow Processor (QFP), use the show platform\r\nhardware qfp feature firewall command in privileged EXEC mode.\r\nshow platform hardware qfp {active | standby} feature firewall {memory | runtime | client {l7 policy {zone-pair-id layer4-\r\nclass-id | all} | statistics} | sess-query-context | session {create | delete | more} session-context number-of-sessions\r\n[zonepair zonepair-id] | zonepair zonepair-id}\r\nSyntax Description\r\nactive Displays the active instance of the processor.\r\nstandby Displays the standby instance of the processor.\r\nmemory Displays information about the Cisco QFP firewall datapath memory.\r\nruntime Displays information about the Cisco QFP firewall datapath runtime.\r\nclient Displays information about the Cisco QFP firewall client.\r\nl7 policy zone-pair-id layer4-\r\nclass-id\r\nDisplays information about the Layer 7 policy that has the specified zone-pair ID\r\nand Layer 4 class ID.\r\nall 
Displays information about all Cisco QFP firewall client Layer 7 policies.\r\nstatistics Displays information about Cisco QFP firewall client statistics.\r\nsess-query-context Displays information about Cisco QFP firewall session query context.\r\nsession Displays information about the Cisco QFP firewall sessions.\r\ncreate Creates new show session contexts.\r\ndelete Deletes the specified session context.\r\nmore Reads all configured sessions that have the specified context.\r\nsession-context Session context. Valid values are 0 to 4294967295.\r\nnumber-of-sessions Number of sessions to read. Valid values are from 0 to 4294967295.\r\nzonepair zonepair-id\r\nDisplays information about Cisco QFP firewall zone pairs. Valid values are from 0 to\r\n4294967295.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release\r\n3.9S\r\nThis command was introduced.\r\nCisco IOS XE Release\r\n3.11S\r\nThis command was modified. 
The command output was modified to include the number of\r\nsimultaneous packets per flow.\r\nUsage Guidelines\r\nUse this command to troubleshoot firewall issues related to memory usage, runtime errors, and so on.\r\nExamples\r\nThe following is sample output from the show platform hardware qfp active feature firewall memory command:\r\nDevice# show platform hardware qfp active feature firewall memory\r\n ==FW memory info==\r\nChunk-Pool Allocated Total_Free Init-Num Low_Wat\r\n------------------------------------------------------------\r\nscb 0 16384 16384 4096\r\nhostdb 0 5120 5120 1024\r\nICMP Error 0 256 256 128\r\nteardown 0 160 160 80\r\nha retry 0 2048 2048 512\r\ndst pool 0 5120 5120 1024\r\n ------------Total History----------\r\nChunk-Pool Inuse |Allocated Freed Alloc_Fail|\r\n------------------------------------------------------------\r\nscb 0 0 0 0\r\nhostdb 0 0 0 0\r\nICMP Error 0 0 0 0\r\ndst pool 0 0 0 0\r\nTable-Name Address Size\r\n-----------------------------------------\r\n-----------------------------------------\r\nscb 0x8bc80000 65536\r\nhostdb 0x89941c00 1024\r\nzonepair 0x89950400 1024\r\ndchannel 0x8994cc00 2048\r\nFW persona timer tbl address 0x8c271020 entries: 131072 num_tbls 9 stagger 17,\r\nFW persona hostdb mtx (lock address): 0x89942c00\r\nFW persona ICMP Error pool address: 0x89956820\r\nFW persona un-created sessions due to max session limit: 0\r\nFW persona agg-age sess teardown halfopen: 0, non-halfopen: 0\r\nThe following is sample output from the show platform hardware qfp active feature firewall runtime command:\r\nDevice# show platform hardware qfp active feature firewall runtime\r\nFW internal: stop_traffic 0x0\r\nglobal 0xa2400021\r\n HA State Allow New Sess\r\n FW Configured (0x00000020)\r\n VRF Rsrc Chk (0x00400000)\r\n Syslog Deployed (0x02000000)\r\n VRF Enabled (0x20000000)\r\n B2B HA Enabled 
(0x80000000)\r\nglobal2 0x192c0012\r\n Global number of simultaneous packet per session allowed 44 \u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\r\n Default number of simultaneous packet per session allowed 25\r\ndebug 0x00008041\r\n.\r\n.\r\n.\r\nThe following is sample output from the show platform hardware qfp active feature firewall client statistics command:\r\nDevice# show platform hardware qfp active feature firewall client statistics\r\nZonepair table entry count: 1\r\nFiller block count: 0\r\nAction block count: 0\r\nL7 params block count: 0\r\nStatistics table count: 0\r\nStatistics block count: 0\r\nClass name table entry count: 0\r\nNumber of vrf interfaces with zone: 0\r\nNumber of zoned interfaces: 2\r\nNumber of zones: 2\r\nNumber of zone pairs with policy: 0\r\nInspect parameter map count: 3\r\nVRF related objects: VRF-ParameterMap count: 1, VRF-ParameterMap Binding count: 0\r\nZone related objects: Zone-ParameterMap count: 0, Zone-ParameterMap Binding count: 0\r\nSCB pool: number of entries: 16384, entry limit: 1048576, size: 4719008, number of additions: 0\r\nSynflood Hostdb pool: number of entries: 5120, entry limit: 0, size: 573856, number of additions: 0\r\nSession Teardown pool: number of entries: 160, entry limit: 0, size: 5536, number of additions: 0\r\nSyncookie Destination pool: number of entries: 5120, entry limit: 262144, size: 410016, number of additions: 0\r\nThe following is sample output from the show platform hardware qfp active feature firewall zonepair command:\r\nDevice# show platform hardware qfp active feature firewall zonepair 1\r\nZonepair name:zp-ge000-ge003 | id:1\r\n Source zone name:ge0-0-0 | id:2\r\nDestination zone name:ge0-0-3 | id:1\r\nClass group name:policy1 | id:14841376\r\nlookup data in sw: 0x00010003, 0x00084441\r\nlookup data in hw: 0x00010003, 0x00084441\r\nClass 
name:c-ftp-tcp | id:13549553\r\nNumber of Protocols: 4\r\nProtocols: 1, 2, 4, 18\r\nMaxever number of packet per flow: 25\r\nFiller block/Action block/Stats table addresses: 0x8967f400, 0x8d70f400, 0x898d7400\r\nStats blocks addresses: 0x8d716c00, 0x8d716c40, 0x8d716c80, 0x8d716cc0\r\nResult: 0x08000000, 0x8967f400\r\nFiller block in sw: 0x8d70f400898d7400\r\nFiller block in hw: 0x0000000c00000000\r\nAction block in hw:\r\nClass name:class-default | id:1593\r\nNumber of Protocols: 0\r\nMaxever number of packet per flow: 0\r\nFiller block/Action block/Stats table addresses: 0x8967f400, 0x8d70f400, 0x898d7400\r\nStats blocks addresses: 0x8d716c00, 0x8d716c40, 0x8d716c80, 0x8d716cc0\r\nResult: 0x08000000, 0x8967f400\r\nFiller block in sw: 0x8d70f400898d7400\r\nFiller block in hw: 0x0000000c00000000\r\nAction block in hw:\r\nClass name:class-default | id:1593\r\nNumber of Protocols: 0\r\nMaxever number of packet per flow: 0\r\nFiller block/Action block/Stats table addresses: 0x8967f408, 0x8d70f4f0, 0x898d7520\r\nResult: 0x81000000, 0x8967f408\r\nFiller block in sw: 0x8d70f4f0898d7520\r\nFiller block in hw: 000000000000000000\r\nAction block in hw:\r\nTable 16. 
show platform hardware qfp feature firewall Field Descriptions\r\nField Description\r\nscb Memory allocated for the session control block (SCB) pool.\r\ndst pool Memory allocated for the destination pool.\r\nHA state High availability status.\r\nHSL Enabled Number of sessions for which high-speed logging (HSL) is enabled.\r\nteardowns Number of queues that were torn down.\r\nNum of ACK\r\nexceeds limit\r\nNumber of acknowledgment (ACK) requests that exceeded the configured limit.\r\nNum of RST\r\nexceeds limit\r\nNumber of reset (RST) requests that exceeded the configured limit.\r\nVRF Global\r\nAction Block\r\nInformation about the global virtual routing and forwarding (VRF) instance.\r\nhalf-open Information about the half-opened firewall sessions.\r\naggr-age high\r\nwatermark low\r\nwatermark\r\nInformation about the aggressive-aging high and low watermarks. Firewall sessions are\r\naggressively aged to make room for new sessions, thereby protecting the firewall session database\r\nfrom filling. 
Aggressive aging period starts when the session table crosses the high watermark and\r\nends when it falls below the low watermark.\r\nRelated Commands\r\nshow platform hardware qfp feature firewall\r\ndatapath\r\nDisplays information about the firewall datapath in the Cisco QFP.\r\nshow platform hardware qfp feature firewall drop\r\nDisplays information about the firewall packet drops in the Cisco\r\nQFP.\r\nshow platform hardware qfp feature firewall datapath scb\r\nTo display information about the session control block of the Cisco Quantum Flow Processor (QFP), use the show platform\r\nhardware qfp feature firewall datapath scb command in privileged EXEC mode.\r\nshow platform hardware qfp {active | standby} feature firewall datapath scb [ipv4-address | ipv4-address/mask | any | ipv6\r\nsource-ipv6-address] [source-port | any] [destination-ipv4-address | destination-ipv6-address | ipv4-address/prefix | any]\r\n[destination-port | any] [layer4-protocol | any] [all | imprecise | session] [vrf-id | any] [detail]\r\nSyntax Description\r\nactive Displays the active instance of the processor.\r\nstandby Displays the standby instance of the processor.\r\nipv4-address mask (Optional) IPv4 address and prefix mask.\r\nany\r\n(Optional) Specifies any source port, destination port, Layer 4 protocol number, or virtual\r\nrouting and forwarding (VRF) ID.\r\nipv6 source-ipv6-\r\naddress\r\n(Optional) Specifies an IPv6 address.\r\nsource-port (Optional) Source port number. The range is from 0 to 65535.\r\ndestination-ipv4-\r\naddress\r\n(Optional) Destination IPv4 address.\r\ndestination-ipv6-\r\naddress\r\n(Optional) Destination IPv6 address.\r\ndestination-port (Optional) Destination port number. The range is from 0 to 65535.\r\nlayer4-protocol (Optional) Layer 4 protocol number. 
The range is from 0 to 255.\r\nall (Optional) Specifies all firewall databases.\r\nimprecise (Optional) Specifies the imprecise database.\r\nsession (Optional) Specifies the firewall session database.\r\nvrf-id (Optional) VRF ID. The range is from 0 to 65535.\r\ndetail (Optional) Provides detailed information about the firewall session and imprecise databases.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.11S The command was introduced.\r\nUsage Guidelines\r\nThis command provides detailed information about firewall sessions and databases. The show policy-firewall sessions\r\nplatform all command also performs the same action as show platform hardware qfp active feature firewall datapath scb any\r\nany any any any all any detail command.\r\nExamples\r\nThe following is sample output from the show platform hardware qfp active feature firewall datapath scb any any any any\r\nany all any detail command:\r\nDevice# show platform hardware qfp active feature firewall datapath scb any any any any any all any detail\r\n[s=session i=imprecise channel c=control channel d=data channel]\r\nSession ID:0x00000002 100.0.0.2 8 100.0.0.1 92 proto 1 (0:0) [sc]\r\n pscb : 0x8ba00400, bucket : 55587, fw_flags: 0x204 0x204154c1,\r\n192.168.2.2 1024 192.168.1.2 1024 proto 17 (0:0) [sd]\r\npscb : 0x8bd0ddc0, bucket : 34846, fw_flags: 0x4 0x20413481,\r\n scb state: active, scb debug: 0\r\n nxt_timeout: 360000, refcnt: 1, ha nak cnt: 0, rg: 0, sess id: 0\r\n hostdb: 0x0, L7: 0x0, stats: 0x8d8e3740, child: 0x0\r\n l4blk0: 29 l4blk1: 1ceabd0a l4blk2: 0 l4blk3: 805a46fd\r\n l4blk4: 0 l4blk5: 0 l4blk6: 0 l4blk7: 0\r\n l4blk8: 0 l4blk9: 2\r\n root scb: 0x0 act_blk: 0x8d8dbde0\r\n ingress/egress intf: TenGigabitEthernet1/3/0 (1011), TenGigabitEthernet0/3/0 (131057)\r\n current time 43491794128 create tstamp: 25627209695 
last access: 43491799244\r\n nat_out_local_addr:port: 10.1.1.4:9 nat_in_global_addr:port: 192.0.2.5:7\r\n syncookie fixup: 0x0\r\n halfopen linkage: 0x0 0x0\r\n tw timer: 0x0 0x0 0x37ed5 0xaf32111\r\n Number of simultaneous packet per session: 70\r\nTable 17. show platform hardware qfp feature firewall datapath scb Field Descriptions\r\nField Description\r\nscb state State for the SCB; either active or standby.\r\ningress/egress intf: Incoming and outgoing interface IP addresses.\r\nnat_out_local_addr:port: Network Address Translation (NAT) outside local IP address and port number.\r\nnat_in_global_addr:port: NAT inside global IP address and port number.\r\nRelated Commands\r\nCommand Description\r\nparameter-map type\r\ninspect\r\nConfigures an inspect-type parameter map for connecting thresholds, timeouts, and other\r\nparameters pertaining to the inspect action.\r\nparameter-map type\r\ninspect global\r\nDefines a global parameter map and enters parameter-map type inspect configuration\r\nmode.\r\nshow parameter-map type\r\ninspect\r\nDisplays user-configured or default inspect-type parameter maps.\r\nshow platform hardware qfp feature td\r\nTo display threat-defense-specific information in the Cisco QuantumFlow Processor (QFP), use the show platform hardware\r\nqfp feature td command in privileged EXEC mode.\r\nshow platform hardware qfp {active | standby} feature td {client | datapath} memory\r\nSyntax Description\r\nactive Displays the active instance of the processor.\r\nstandby Displays the standby instance of the processor.\r\nclient Displays information about the threat defense (TD) client.\r\ndatapath Displays TD information in the datapath.\r\nmemory Displays information about the TD memory usage.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.9S This command was 
introduced.\r\nUsage Guidelines\r\nUse this command to check the virtual TCP (vTCP) statistics that are triggered by TCP application layer gateway (ALG)\r\nsessions.\r\nExamples\r\nThe following is sample output from the show platform hardware qfp active feature td datapath memory command:\r\nDevice# show platform hardware qfp active feature td datapath memory\r\n==VTCP ucode info==\r\ninfo alloc 0, free 0, fail 0\r\npkt buf alloc 0, free 0, fail 0\r\nbuf size alloc 0, free 0\r\nrx drop 0, tx drop 0, tcp drop 0, alg csum 0\r\nsending: rx ack 0, rst 0, hold rst 0 tx payload: seg 0, rexmit 0\r\nvtcp_info_chunk 0x8d54fcb0, totalfree: 2048, allocated: 0\r\nvtcp_pkt_pool 0x8d5d80c0, total: 1048240, free: 1048240\r\nvtcp_timer_wheel 0x8d6d84d0, vtcp_init 1\r\ntd_internal debug 0x0\r\ntd_global td_init 0x2\r\nalg_debug_vtcp 0x0\r\nThe table below describes the significant fields shown in the display.\r\nTable 18. show platform hardware qfp feature td datapath memory Field Descriptions\r\nField Description\r\ninfo alloc vTCP allocated counts.\r\npkt buf alloc Allocated packet buffer size.\r\nbuf size alloc Allocated buffer size.\r\nrx drop Transmit buffer (Rx) drop. Rx is memory spaces allocated by a device to handle traffic bursts.\r\ntx drop Receive buffer (Tx) drop. 
Rx is memory spaces allocated by a device to handle traffic bursts.\r\nRelated Commands\r\nCommand Description\r\nshow platform hardware qfp feature alg Displays ALG-specific information in the Cisco QFP.\r\nshow tech-support alg Displays ALG-specific information to assist in troubleshooting.\r\nshow platform software cerm-information\r\nTo display Crypto Export Restrictions Manager (CERM) information, use the show platform software cerm-information\r\ncommand in privileged EXEC mode.\r\nshow platform software cerm-information\r\nSyntax Description\r\nThis command has no keywords or arguments.\r\nCommand Default\r\nCERM information is not displayed.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Fuji 16.9.1 This command was introduced.\r\nUsage Guidelines\r\nThis command displays Crypto Export Restrictions Manager (CERM) information of devices running on Cisco IOS XE\r\nsoftware.\r\nExamples\r\nThe following is a sample output of the show platform software cerm-information command:\r\nDevice# show platform software cerm-information\r\nCrypto Export Restrictions Manager(CERM) Information:\r\n CERM functionality: ENABLED\r\n ----------------------------------------------------------------\r\n Resource Maximum Limit Available\r\n ----------------------------------------------------------------\r\n Number of tunnels 1000 1000\r\n Number of TLS sessions 1000 1000\r\n Resource reservation information:\r\n D - Dynamic\r\n -----------------------------------------------------------------------\r\n Client Tunnels TLS Sessions\r\n -----------------------------------------------------------------------\r\n VOICE 0 0\r\n IPSEC 0 N/A\r\n SSLVPN 0 N/A\r\n Statistics information:\r\n Failed tunnels: 0\r\n Failed sessions: 0\r\n Failed encrypt pkts: 0\r\n Failed encrypt pkt bytes: 0\r\n Failed decrypt pkts: 0\r\n 
Failed decrypt pkt bytes: 0\r\nshow platform software firewall\r\nTo display the firewall configuration information, use the show platform software firewall command in privileged EXEC\r\nmode.\r\nshow platform software firewall {F0 | F1 } {bindings | pairs | parameter-maps | port-application-mapping | statistics | vrf-pmap-bindings | zones}\r\nshow platform software firewall {F0 | F1 } sessions zone-pair zone-pair-name [class-id class-id] [destination ip-address\r\n| ipv6 {destination ipv6-address | source ipv6-address [destination ipv6-address]} | source ip-address [destination ip-address]]\r\nshow platform software firewall {R0 | R1 } {bindings | pairs | parameter-maps | port-application-mapping | statistics | vrf-pmap-bindings | zones}\r\nshow platform software firewall {FP | RP} {active | standby} {bindings | pairs | parameter-maps | port-application-mapping\r\n| statistics | vrf-pmap-bindings | zones}\r\nSyntax Description\r\nF0 Displays information about the Embedded Service Processor (ESP) slot 0.\r\nF1 Displays information about the ESP slot 1.\r\nbindings Displays information about the configured security zone bindings.\r\npairs Displays information about configured security zone pairs.\r\nparameter-maps Displays information about configured parameter maps.\r\nport-application-mapping\r\nDisplays information about the configured Port-to-Application Mapping (PAM).\r\nsessions Displays information about existing firewall sessions.\r\nstatistics Displays firewall statistics.\r\nvrf-pmap-bindings\r\nDisplays information about the configured virtual routing and forwarding (VRF) instance\r\nand parameter map bindings.\r\nzones Displays information about configured security zones.\r\nzone-pair zone-pair Displays existing firewall sessions for a zone pair.\r\nclass-id class-id Displays sessions in a class.\r\ndestination ip-address Displays sessions 
with specified destination IP address.\r\nipv6 Displays sessions with specified IPv6 address.\r\nipv6 destination ipv6-\r\naddress\r\nDisplays destination IPv6 address.\r\nipv6 source ipv6-\r\naddress\r\nDisplays source IPv6 address.\r\nsource ip-address Displays sessions with specified source IP address.\r\nR0 Displays information about the Route Processor (RP) slot 0.\r\nR1 Displays information about the RP slot 1.\r\nFP Displays information about the ESP.\r\nRP Displays information about the RP.\r\nactive Displays information about the active instance of the processor.\r\nstandby Displays information about the standby instance of the processor.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release\r\n3.9S\r\nThis command was introduced.\r\nCisco IOS XE Release\r\n3.11S\r\nThis command was modified. The command output was modified to display the number of\r\nsimultaneous packets per flow.\r\nUsage Guidelines\r\nUse this command to view information about the configured firewall policies, parameter maps, security zones, and security\r\nzone-pairs.\r\nExamples\r\nThe following is sample output from the show platform software firewall FP active parameter-maps command:\r\nDevice# show platform software firewall FP active parameter-maps\r\nForwarding Manager Inspect Parameter-Maps\r\n Inspect Parameter Map: global, Index 1\r\n Parameter Map Type: Parameter-Map\r\n Global Parameter-Map\r\n Alerts: On, Audits: Off, Drop-Log: Off\r\n HSL Mode: V9, Host: 10.1.1.1:9000, Port: 54174, Template: 300 sec\r\n Session Rate High: 2147483647, Session Rate Low: 2147483647, Time Duration: 60 sec\r\n Half-Open:\r\n High: 2147483647, Low: 2147483647, Host: 4294967295, Host Block Time: 0\r\n Inactivity Times [sec]:\r\n DNS: 5, ICMP: 10, TCP: 3600, UDP: 30\r\n Inactivity Age-out Times [sec]:\r\n ICMP: 10, TCP: 3600, UDP: 
30\r\n TCP Timeouts [sec]:\r\n SYN wait time: 30, FIN wait time: 1\r\n TCP Ageout Timeouts [sec]:\r\n SYN wait time: 30, FIN wait time: 1\r\n TCP RST pkt control:\r\n half-open: On, half-close: On, idle: On\r\n UDP Timeout [msec]:\r\n UDP Half-open time: 30000\r\n UDP Ageout Timeout [msec]:\r\n UDP Half-open time: 30000\r\n Max Sessions: Unlimited\r\nNumber of Simultaneous Packet per Sessions: 0\r\n Syn Cookie and Resource Management:\r\n Global Syn Flood Limit: 4294967295\r\n Global Total Session : 4294967295\r\n Global Total Session Aggressive Aging Disabled\r\n Global alert : Off\r\n Global max incomplete : 4294967295\r\n Global max incomplete TCP: 4294967295\r\n Global max incomplete UDP: 4294967295\r\n Global max incomplete ICMP: 4294967295\r\nGlobal max incomplete Aggressive Aging Disabled\r\n Per Box Configuration\r\n syn flood limit : 4294967295\r\n Total Session Aggressive Aging Disabled\r\n max incomplete : 4294967295\r\n max incomplete TCP: 4294967295\r\n max incomplete UDP: 4294967295\r\n max incomplete ICMP: 4294967295\r\n max incomplete Aggressive Aging Disabled\r\n Inspect Parameter Map: vrf-default, Index 2\r\n Parameter Map Type: VRF-Parameter-Map\r\n VRF PMAP syn flood limit : 4294967295\r\n VRF PMAP total session : 4294967295\r\n VRF PMAP total session Aggressive Aging Disabled\r\n VRF PMAP alert : Off\r\n VRF PMAP max incomplete : 4294967295\r\n VRF PMAP max incomplete TCP: 4294967295\r\n VRF PMAP max incomplete UDP: 4294967295\r\n VRF PMAP max incomplete ICMP: 4294967295\r\n VRF PMAP max incomplete Aggressive Aging Disabled\r\n Inspect Parameter Map: pmap-hsl, Index 3\r\n Parameter Map Type: Parameter-Map\r\n Alerts: On, Audits: On, Drop-Log: Off\r\n Session Rate High: 2147483647, Session Rate Low: 2147483647, Time Duration: 60 sec\r\nTCP Window Scaling Loose: off\r\n session packet default\r\n Half-Open:\r\n High: 2147483647, Low: 
2147483647, Host: 4294967295, Host Block Time: 0\r\n Inactivity Times [sec]:\r\n DNS: 5, ICMP: 10, TCP: 3600, UDP: 30\r\n Inactivity Age-out Times [sec]:\r\n ICMP: 10, TCP: 3600, UDP: 30\r\n TCP Timeouts [sec]:\r\n SYN wait time: 30, FIN wait time: 1\r\n TCP Ageout Timeouts [sec]:\r\n SYN wait time: 30, FIN wait time: 1\r\n TCP RST pkt control:\r\n half-open: On, half-close: On, idle: On\r\n UDP Timeout [msec]:\r\n UDP Half-open time: 30000\r\n UDP Ageout Timeout [msec]:\r\n UDP Half-open time: 30000\r\n Max Sessions: Unlimited\r\nNumber of Simultaneous Packet per Sessions: 0\r\n Syn Cookie and Resource Management:\r\n Global Syn Flood Limit: 4294967295\r\n Global Total Session : 4294967295\r\n Inspect Parameter Map: pmap1, Index 4\r\n Parameter Map Type: Parameter-Map\r\n Alerts: On, Audits: On, Drop-Log: Off\r\n Session Rate High: 2147483647, Session Rate Low: 2147483647, Time Duration: 60 sec\r\n TCP Window Scaling Loose: off\r\n session packet default\r\nHalf-Open:\r\n High: 2147483647, Low: 2147483647, Host: 4294967295, Host Block Time: 0\r\n Inactivity Times [sec]:\r\n DNS: 5, ICMP: 10, TCP: 3600, UDP: 30\r\n Inactivity Age-out Times [sec]:\r\n ICMP: 10, TCP: 3600, UDP: 30\r\nTCP Timeouts [sec]:\r\n SYN wait time: 30, FIN wait time: 1\r\n TCP Ageout Timeouts [sec]:\r\n SYN wait time: 30, FIN wait time: 1\r\n TCP RST pkt control:\r\n half-open: On, half-close: On, idle: On\r\n UDP Timeout [msec]:\r\n UDP Half-open time: 30000\r\n UDP Ageout Timeout [msec]:\r\n UDP Half-open time: 30000\r\n Max Sessions: 3000\r\nNumber of Simultaneous Packet per Sessions: 0\r\n Syn Cookie and Resource Management:\r\n Global Syn Flood Limit: 4294967295\r\n Global Total Session : 4294967295\r\n Inspect Parameter Map: pmap1, Index 4\r\n Parameter Map Type: Parameter-Map\r\n Alerts: On, Audits: On, Drop-Log: Off\r\n Session Rate High: 2147483647, Session Rate Low: 
2147483647, Time Duration: 60 sec\r\n TCP Window Scaling Loose: off\r\n session packet default\r\nHalf-Open:\r\n High: 2147483647, Low: 2147483647, Host: 4294967295, Host Block Time: 0\r\n Inactivity Times [sec]:\r\n DNS: 5, ICMP: 10, TCP: 3600, UDP: 30\r\n Inactivity Age-out Times [sec]:\r\n ICMP: 10, TCP: 3600, UDP: 30\r\n TCP Timeouts [sec]:\r\n SYN wait time: 30, FIN wait time: 1\r\n TCP Ageout Timeouts [sec]:\r\n SYN wait time: 30, FIN wait time: 1\r\n TCP RST pkt control:\r\n half-open: On, half-close: On, idle: On\r\n UDP Timeout [msec]:\r\n UDP Half-open time: 30000\r\n UDP Ageout Timeout [msec]:\r\n UDP Half-open time: 30000\r\n Max Sessions: 3000\r\nNumber of Simultaneous Packet per Sessions: 0\r\n Syn Cookie and Resource Management:\r\n Global Syn Flood Limit: 4294967295\r\n Global Total Session : 4294967295\r\nThe table below describes the significant fields shown in the display.\r\nTable 19. show platform software firewall Field Descriptions\r\nField Description\r\nAlerts on Console display of stateful packet inspection alert messages. Valid values are On and Off.\r\nAudits off Audit trail messages. 
Valid values are On and Off.\r\nHSL mode High-speed logging (HSL) messages are logged.\r\nHost IP address of the host to which HSL messages are logged.\r\nSYN wait time\r\nTime period the software waits for a TCP session to reach the established state before dropping\r\nthe session.\r\nFIN wait time Time period a TCP session is managed after the firewall detects a finish (FIN) exchange.\r\nGlobal SYN Flood\r\nlimit\r\nConfigured TCP half-open session limit before triggering the synchronization (SYN) cookie\r\nprocessing for new SYN packets.\r\nThe following is sample output from the show platform software firewall F0 sessions zone-pair command:\r\nDevice# show platform software firewall F0 sessions zone-pair in-self\r\nEstablished Sessions\r\nSession ID 0x00000001 (100.0.0.2:8)=\u003e(100.0.0.1:91) icmp SIS_OPEN\r\n Created 00:00:02, Last heard 00:00:02\r\n Bytes sent (initiator:responder) [360:360]\r\nThe following is sample output from the show platform software firewall RP active statistics command:\r\nDevice# show platform software firewall RP active statistics\r\nForwarding Manager Firewall Statistics\r\nZones:\r\n 3 Adds (0 errors), 0 Mods (0 errors), 0 Deletes (0 errors)\r\n 6 Downloads (0 errors)\r\nZone-pairs:\r\n 1 Adds (0 errors), 0 Mods (0 errors), 0 Deletes (0 errors)\r\n 2 Downloads (0 errors)\r\nZone-bindings:\r\n 4 Adds (0 errors), 0 Mods (0 errors), 0 Deletes (0 errors)\r\n 8 Downloads (0 errors)\r\nInspect Parameter-Maps:\r\n 0 Adds (0 errors), 0 Mods (0 errors), 0 Deletes (0 errors)\r\n 0 Downloads (0 errors)\r\nPAMs(Port Application Mapping):\r\n 0 Adds (0 errors), 0 Mods (0 errors), 0 Deletes (0 errors)\r\n 0 Downloads (0 errors)\r\nVRF Bindings:\r\n 0 Adds (0 errors), 0 Mods (0 errors), 0 Deletes (0 errors)\r\n 0 Downloads (0 
errors)\r\nRelated Commands\r\nCommand Description\r\nparameter-map type\r\ninspect\r\nConfigures an inspect-type parameter map for connecting thresholds, timeouts, and other\r\nparameters pertaining to the inspect action.\r\nzone-pair security Creates a zone pair.\r\nshow platform software ipsec policy statistics\r\nTo display debugging information about the IP security policy statistics, use the show platform software ipsec policy\r\nstatistics command in Privileged EXEC mode.\r\nshow platform software ipsec policy statistics\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.8S This command was introduced.\r\nExamples\r\nThe following is sample output from the show platform software ipsec policy statistics command:\r\nRouter# show platform software ipsec policy statistics\r\nPAL CMD REQUEST REPLY OK REPLY ERR ABORT\r\nSADB_INIT_START 1 1 0 0\r\nSADB_INIT_COMPLETED 1 1 0 0\r\nSADB_DELETE 0 0 0 0\r\nSADB_ATTR_UPDATE 1 1 0 0\r\nSADB_INTF_ATTACH 1 1 0 0\r\nSADB_INTF_UPDATE 0 0 0 0\r\nSADB_INTF_DETACH 0 0 0 0\r\nACL_INSERT 1 1 0 0\r\nACL_MODIFY 0 0 0 0\r\nACL_DELETE 0 0 0 0\r\nPEER_INSERT 3 3 0 0\r\nPEER_DELETE 2 2 0 0\r\nSPI_INSERT 151 151 0 0\r\nSPI_DELETE 150 150 0 0\r\nCFLOW_INSERT 3 151 0 0\r\nCFLOW_MODIFY 148 148 0 0\r\nCFLOW_DELETE 2 2 0 0\r\nOUT_SA_DELETE 150 150 0 0\r\nTBAR_CREATE 0 0 0 0\r\nTBAR_UPDATE 0 0 0 0\r\nTBAR_REMOVE 0 0 0 0\r\nPAL NOTIFY RECEIVE COMPLETE PROC ERR IGNORE\r\nNOTIFY_RP 0 0 0 0\r\nSA_DEAD 2 2 0 0\r\nSA_SOFT_LIFE 80 80 0 0\r\nIDLE_TIMER 0 0 0 0\r\nDPD_TIMER 0 0 0 0\r\nINVALID_SPI 0 0 0 0\r\nThe following table describes the significant fields shown in the display:\r\nTable 20. 
show platform software ipsec policy statistics Field Descriptions\r\nField Description\r\nPAL CMD Name of a request sent from the IPsec control plane to the IPsec data plane.\r\nREQUEST Number of IPsec control plane requests sent.\r\nREPLY OK\r\nNumber of successful replies sent by the IPsec data plane for the requests sent by the IPsec control\r\nplane.\r\nREPLY ERR Number of failed replies sent by the IPsec data plane for the requests sent by the IPsec control plane.\r\nABORT Number of requests terminated because of a timeout.\r\nPAL\r\nNOTIFY\r\nName of a notification sent from the IPsec data plane to the IPsec control plane.\r\nRECEIVE Number of IPsec data plane notifications received.\r\nCOMPLETE Number of successful IPsec data plane notifications sent to the IPsec control plane.\r\nPROC ERR Number of IPsec data plane notifications that were not sent because of a process error.\r\nIGNORE Number of IPsec data plane notifications that can be safely ignored.\r\nTable 21. Related Commands\r\nCommand Description\r\nshow platform software ipsec f0 inventory Displays the IPsec object counts of a forwarding processor.\r\nshow platform software ipsec f0 encryption-processor registers\r\nTo display debugging information about the crypto engine processor registers, use the show platform software ipsec f0\r\nencryption-processor registers command in privileged EXEC or diagnostic mode.\r\nshow platform software ipsec f0 encryption-processor registers\r\nCommand Default\r\nNo default behavior or values\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nDiagnostic (diag)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 2.4.2 This command was introduced on the Cisco ASR 1000 Series Routers.\r\nUsage Guidelines\r\nThis command displays debugging information for crypto engine processor registers.\r\nshow platform software ipsec f0 encryption-processor 
registers\r\nForwarding Manager Encryption-processor Registers\r\n reg_addr : 00000000, reg_val : 0000ca5b\r\n reg_addr : 00000008, reg_val : 00000000\r\n reg_addr : 00000010, reg_val : 00000000\r\n reg_addr : 00000018, reg_val : 22f10038\r\n reg_addr : 00000020, reg_val : 00000800\r\n reg_addr : 00000028, reg_val : 00002040\r\n reg_addr : 00000030, reg_val : 00000000\r\n reg_addr : 00000038, reg_val : 23158838\r\nRelated Commands\r\nCommand Description\r\nshow platform hardware qfp act feature ipsec\r\ndatapath memory\r\nDisplays debugging information about the consumption of IPsec\r\ndatapath memory.\r\nshow platform software ipsec fp active flow\r\nTo display information about active instances of IPsec flows in the Embedded Service Processor (ESP), use the show\r\nplatform software ipsec fp active flow command in privileged EXEC mode.\r\nshow platform software ipsec fp active flow {all | identifier number}\r\nSyntax Description\r\nall Displays information about all active IPsec flows in the instance.\r\nidentifier\r\nnumber\r\nDisplays information about the specified IPsec flow in the instance. The range is from 0-\r\n4294967295.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release\r\n17.15.1a\r\nThe range of IPSec flow was increased to 0 to 4294967295. 
The initial range was from 0 to 32767.\r\nCisco IOS XE Release 3.9S This command was introduced on Cisco ASR 1000 Series Routers.\r\nUsage Guidelines\r\nThis command displays information that can help you to troubleshoot issues about IPsec flows.\r\nExamples\r\nThe following is sample output from the show platform software ipsec fp active flow all command:\r\nDevice# show platform software ipsec fp active flow all\r\n=========== Flow id: 1\r\n mode: tunnel\r\n direction: inbound\r\n protocol: esp\r\n SPI: 0x95002492\r\n local IP addr: 100.0.0.1\r\n remote IP addr: 100.0.0.2\r\n crypto map id: 3\r\n SPD id: 1\r\n ACE line number: 1\r\n QFP SA handle: 7\r\n crypto device id: 0\r\nIOS XE interface id: 11\r\n interface name: GigabitEthernet1/1/3\r\n object state: active\r\n=========== Flow id: 2\r\n mode: tunnel\r\n direction: outbound\r\n protocol: esp\r\n SPI: 0xfd2fa486\r\n local IP addr: 100.0.0.1\r\n remote IP addr: 100.0.0.2\r\n crypto map id: 3\r\n SPD id: 1\r\n ACE line number: 1\r\n QFP SA handle: 8\r\n crypto device id: 0\r\nIOS XE interface id: 11\r\n interface name: GigabitEthernet1/1/3\r\n object state: active\r\nThe following table describes the significant fields shown in the display.\r\nTable 22. show platform software ipsec fp active flow all Field Descriptions\r\nField Description\r\nFlow id Flow identifier.\r\nmode Operation mode. In this case, it is tunnel mode.\r\ndirection Flow direction—inbound or outbound. In this case, it is outbound.\r\nprotocol Protocol used. 
In this case, it is Encapsulating Security Payload (ESP).\r\nSPI Security Parameters Index (SPI) that is used to identify the security association (SA).\r\nlocal IP addr IP address of the local host.\r\nremote IP addr IP address of the remote host.\r\ncrypto map id Crypto map identifier.\r\nSPD id SPI identifier.\r\nACE line number Cisco Application Control Engine (ACE) number.\r\nQFP SA handle Quantum Flow Processor (QFP) SA identifier.\r\ncrypto device id Crypto device identifier.\r\nIOS XE interface id Interface ID in Cisco IOS XE software.\r\ninterface name Interface name.\r\nuse path MTU Maximum transmission unit (MTU) size.\r\nobject state Object state.\r\nobject bind state State of the object bound.\r\nThe following is sample output from the show platform software ipsec fp active flow command for flow ID 1:\r\nDevice# show platform software ipsec fp active flow identifier 1\r\n=========== Flow id: 1\r\n mode: tunnel\r\n direction: inbound\r\n protocol: esp\r\n SPI: 0x95002492\r\n local IP addr: 100.0.0.1\r\n remote IP addr: 100.0.0.2\r\n crypto device id: 0\r\n crypto map id: 3\r\n SPD id: 1\r\n ACE line number: 1\r\n QFP SA handle: 7\r\nIOS XE interface id: 11\r\n interface name: GigabitEthernet1/1/3\r\n Crypto SA ctx id: 0x000000002dc3bfde\r\n cipher: 3DES\r\n auth: SHA1\r\n initial seq.number: 0\r\n timeout, mins: 0\r\n flags: exp time;exp traffic;DPD;\r\n Peer Flow handle: 0x0000000080000014\r\nTime limits\r\n soft limit: 3537\r\n hard limit: 3597\r\nTraffic limits\r\n soft limit: 3686400\r\n hard limit: 4608000\r\n--------------- DPD\r\n mode: periodic\r\n rearm countdown: 0\r\n next notify: *EXPIRED*\r\n last in packet: 0\r\n inline_tagging: DISABLED\r\n anti-replay window: 64\r\nSPI Selector:\r\n remote addr low: 0.0.0.0\r\n remote addr high: 0.0.0.0\r\n local addr low: 100.0.0.1\r\n local addr high: 100.0.0.1\r\nClassifier: range\r\n src 
IP addr low: 1.0.0.0\r\n src IP addr high: 1.0.0.255\r\n dst IP addr low: 2.0.0.0\r\n dst IP addr high: 2.0.0.255\r\n src port low: 0\r\n src port high: 65535\r\n dst port low: 0\r\n dst port high: 65535\r\n protocol low: 0\r\n protocol high: 255\r\n------- Statistics\r\n octets: 100\r\n total octets: 4718591900\r\n packets: 1\r\n dropped packets: 0\r\n replay drops: 0\r\n auth packets: 1\r\n auth fails: 0\r\n encrypted packets: 1\r\n encrypt fails: 0\r\n---- End statistics\r\n object state: active\r\n--------------- AOM\r\n cpp aom id: 145\r\n cgm aom id: 0\r\n n2 aom id: 142\r\n if aom id: 0\r\nThe following table describes the significant fields shown in the display.\r\nTable 23. show platform software ipsec fp active flow identifier Field Descriptions\r\nField Description\r\nFlow id Flow identifier.\r\nmode Operation mode. In this case, it is tunnel mode.\r\ndirection Flow direction—inbound or outbound. In this case, it is outbound.\r\nprotocol Protocol used. 
In this case, it is Encapsulating Security Payload (ESP).\r\nSPI Security Parameters Index (SPI) that is used to identify the security association (SA).\r\nlocal IP addr IP address of the local host.\r\nremote IP addr IP address of the remote host.\r\ncrypto map id Crypto map identifier.\r\nSPD id SPI identifier.\r\nACE line number Cisco Application Control Engine (ACE) number.\r\nQFP SA handle Quantum Flow Processor (QFP) SA identifier.\r\ncrypto device id Crypto device identifier.\r\nIOS XE interface id Interface ID in Cisco IOS XE software.\r\ninterface name Interface name.\r\nCrypto SA ctx id Context identifier of the crypto SA.\r\ncipher Type of encryption algorithm.\r\nauth Type of authentication algorithm.\r\ninitial seq.number Initial sequence number.\r\ntimeout, mins Timeout, in minutes.\r\nflags Flags set for the packet flow.\r\nPeer Flow handle Peer flow identifier.\r\nTime limits soft limit Minimum permissible time limit.\r\nTime limits hard limit Maximum permissible time limit.\r\nTraffic limits soft limit Minimum permissible traffic limit.\r\nTraffic limits hard limit Maximum permissible traffic limit.\r\nDPD Dead peer detection (DPD).\r\nmode DPD mode. 
In this case, it is periodic.\r\nrearm countdown Rearm for DPD.\r\nnext notify Status of next notification.\r\nlast in packet Status of the last packet.\r\ninline_tagging Status of inline tagging.\r\nanti-replay window Status of anti-replay window.\r\nSPI Selector Information about SPI selection.\r\nremote addr low Starting range address of the remote host.\r\nremote addr high Highest range address of the remote host.\r\nlocal addr low Starting range address of the local host.\r\nlocal addr high Highest range address of the local host.\r\nClassifier Type of classification.\r\nsrc IP addr low Starting range of the source IP address.\r\nsrc IP addr high Highest range of the source IP address.\r\ndst IP addr low Starting range of the destination IP address.\r\ndst IP addr high Highest range of the destination IP address.\r\nsrc port low Starting range of the source port.\r\nsrc port high Highest range of the source port.\r\ndst port low Starting range of the destination port.\r\ndst port high Highest range of the destination port.\r\nprotocol low Starting range of the protocol.\r\nprotocol high Highest range of the protocol.\r\noctets Number of octets in the packet.\r\ntotal octets Total number of octets.\r\npackets Number of packets.\r\ndropped packets Number of packets dropped.\r\nreplay drops Number of packets that were dropped again.\r\nauth packets Number of packets authenticated.\r\nauth fails Number of packets for which authentication failed.\r\nencrypted packets Number of encrypted packets.\r\nencrypt fails Number of packets for which encryption failed.\r\nobject state Object state. 
In this case, it is active.\r\ncpp aom id Cisco Packet Processor Asynchronous Object Manager (AOM) identifier.\r\ncgm aom id Class Group Manager AOM identifier.\r\nn2 aom id Cavium NITROX II cryptographic coprocessor AOM identifier.\r\nif aom id Interface AOM identifier.\r\nRelated Commands\r\nCommand Description\r\nshow platform hardware qfp active feature ipsec Displays IPsec feature-specific information in IPsec Cisco QFP.\r\nshow platform software ipsec fp active spd-map Displays information about the active instances of IPsec SPD map objects.\r\nshow platform software ipsec fp active spd-map\r\nTo display information about the active instances of IPsec Security Policy Database (SPD) map objects in the Embedded\r\nService Processor (ESP), use the show platform software ipsec fp active spd-map command in privileged EXEC mode.\r\nshow platform software ipsec fp active spd-map {all | identifier number}\r\nSyntax Description\r\nall Displays information about all active IPsec flows in the instance.\r\nidentifier number Displays information about the specified IPsec flow in the instance. The range is from 0 to 4294967295.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.9S This command was introduced on Cisco ASR 1000 Series Routers.\r\nUsage Guidelines\r\nThe SPD is an ordered list of policies applied to traffic. A policy decides whether a packet requires IPsec processing, should be\r\nallowed in clear text, or should be dropped. The IPsec SPDs are derived from user configuration of crypto maps. 
The Internet Key Exchange (IKE) SPD is configured by the user.\r\nExamples\r\nThe following is sample output from the show platform software ipsec fp active spd-map all command:\r\nDevice# show platform software ipsec fp active spd-map all\r\n======== SPD map id: 11\r\n SPD id: 1\r\n interface id: 11\r\n interface name: GigabitEthernet1/1/3\r\n inbound ACL id: 65535\r\n local address: 0\r\n object state: active\r\n bind state: active\r\n enable state: active\r\nThe following table describes the significant fields shown in the display.\r\nTable 24. show platform software ipsec fp active spd-map all Field Descriptions\r\nField Description\r\nSPD map id SPD map identifier.\r\nSPD id SPD identifier.\r\ninterface id Interface identifier.\r\ninterface name Interface name.\r\ninbound ACL id Inbound access control list (ACL) identifier.\r\nlocal address IP address of the local host.\r\nobject state Object status.\r\nbind state Bind status.\r\nenable state Enable status.\r\nThe following is sample output from the show platform software ipsec fp active spd-map identifier command for ID 11:\r\nDevice# show platform software ipsec fp active spd-map identifier 11\r\n======== SPD map id: 11\r\n SPD id: 1\r\n interface id: 11\r\n interface name: GigabitEthernet1/1/3\r\n inbound ACL id: 65535\r\n local address: 0\r\n object state: active\r\n tunnel state: new\r\n bind state: active\r\n enable state: active\r\n aom id: 101\r\nThe following table describes the significant fields shown in the display.\r\nTable 25. 
show platform software ipsec fp active spd-map identifier Field Descriptions\r\nField Description\r\nSPD map id SPD map identifier.\r\nSPD id SPD identifier.\r\ninterface id Interface identifier.\r\ninterface name Interface name.\r\ninbound ACL id Inbound access control list (ACL) identifier.\r\nlocal address IP address of the local host.\r\nobject state Object status.\r\ntunnel state Tunnel status.\r\nbind state Bind status.\r\nenable state Enable status.\r\naom id Asynchronous Object Manager (AOM) identifier.\r\nRelated Commands\r\nCommand Description\r\nshow platform hardware qfp active feature ipsec Displays IPsec feature-specific information in IPsec Cisco QFP.\r\nshow platform software ipsec fp active flow Displays information about active instances of IPsec flows in the ESP.\r\nshow platform software ipsec modexp-throttle0-stats\r\nTo display modexp throttle statistics for IPsec on a device, use the show platform software ipsec modexp-throttle0-stats\r\ncommand in privileged EXEC mode.\r\nshow platform software ipsec modexp-throttle0-stats\r\nSyntax Description\r\nThis command has no keywords or arguments.\r\nCommand Default\r\nModexp throttle statistics for IPsec are not displayed.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Fuji 16.9.1 This command was introduced.\r\nUsage Guidelines\r\nThis command displays modexp throttle statistics information on devices running on Cisco IOS XE software.\r\nExamples\r\nThe following is a sample output of the show platform software ipsec modexp-throttle0-stats command:\r\nDevice# show platform software ipsec modexp-throttle0-stats\r\n========= MODEXP Message Statistic Information =======\r\nWindow size: 16 Queue 
max size: 1024\r\nTransmit request total: 59 sent: 59 failed: 0\r\nTransmit send total: 59 without delay: 59 with delay: 0\r\nQueue request total: 0, sent: 0 timeout: 0\r\nTransmit request error: 0\r\nCallback count: 59 pending: 0\r\nQueue max depth: 0 current depth: 0\r\nTransmit request rate (packet per second): 0 average rate: 0 max rate: 0\r\nCallback receive rate (packet per second): 0 average rate: 0 max rate: 0\r\nshow platform software urpf qfp active configuration\r\nTo confirm and display the Unicast Reverse Path Forwarding (uRPF) configuration on a forwarding processor of the Cisco\r\nASR 1000 Series Aggregation Services Routers, use the show platform software urpf qfp active configuration command in\r\nprivileged EXEC mode.\r\nshow platform software urpf qfp active configuration ip-version interface-name\r\nSyntax Description\r\nip-version Version of the IP. Valid values are IPv4 and IPv6.\r\ninterface-name Name of the interface.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 2.0S This command was introduced on the Cisco ASR 1000 Series Aggregation Services Routers.\r\nUsage Guidelines\r\nThe uRPF configuration on an IPv4 or IPv6 interface is downloaded from the route processor to a forwarding processor and\r\nthe configuration is reflected on the forwarding processor. 
Use the show platform software urpf qfp active configuration\r\ncommand to display the uRPF configuration on a forwarding processor.\r\nExamples\r\nThe following is a sample output of the show platform software urpf qfp active configuration command:\r\nRouter# show platform software urpf qfp active configuration ipv6 gigabitethernet 0/0/0.777\r\nForwarding Manager uRPF IPv6 Configuration on Interface\r\nInterface Index FLAGS\r\n-------------------------------------------------------------------------------\r\nGigabitEthernet0/0/0.777 13\r\nACL: 1\r\nACL Binding AOM id: 152\r\n \r\nThe following table describes the significant fields shown in the display.\r\nTable 26. show platform software urpf qfp active configuration\r\nField Description\r\nInterface Interface number.\r\nIndex Interface ID of the QFP.\r\nACL Access Control List (ACL) name on uRPF.\r\nACL Binding Asynchronous Object Manager (AOM) ID created to enable uRPF ACL support.\r\nshow policy-firewall config\r\nTo display the firewall configuration on the router, use the show policy-firewall config command in privileged EXEC mode.\r\nCommand Syntax for Cisco IOS XE Release 3.14S and later\r\nshow policy-firewall config {all | class-map [class-map-name | protocol-name] | parameter-map [parameter-map-name |\r\ndefault | global | protocol-info | regex [protocol-info-name] ] | policy-map [policy-map-name | protocol-name] | zone [self]\r\n| zone-pair}\r\nshow policy-firewall config [zone-pair zone-pair-name | platform [standby]]\r\nSyntax Description\r\nall Displays the entire firewall configuration on the router.\r\nclass-map class-map-name Displays the class-maps configured on the router.\r\nprotocol-name Displays the protocols configured for the class-map.\r\nparameter-map Displays the parameter-maps configured in the router.\r\nparameter-map-name Displays configuration information about a specific 
parameter map.\r\ndefault Displays configuration information about the default inspect parameter map.\r\nglobal Displays configuration information about the global inspect parameter map.\r\nprotocol-info Displays configuration information about the protocol-specific inspect parameter map.\r\nregex Displays configuration information about the regex inspect parameter map.\r\nprotocol-info-name Displays configuration information about a specific protocol.\r\npolicy-map policy-map-name Displays the policy maps configured on the router.\r\nprotocol-name Displays the protocols configured for the policy map.\r\nzone Displays configuration information about the zones configured on the router.\r\nself (Optional) Displays configuration information about the system-defined zone.\r\nzone-pair Displays configuration information about each zone-pair.\r\nzone-pair-name Security zone-pair name.\r\nplatform Displays firewall platform information.\r\nstandby Displays platform standby information.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n15.1(1)T This command was introduced.\r\nCisco IOS XE Release 3.14S This command was modified. The zone-pair-name argument was added.\r\nUsage Guidelines\r\nUse this command to display a summary of the firewall configuration on the device.\r\nExamples\r\nThe following is the sample output from the show policy-firewall config all command. 
The field descriptions are self-explanatory.\r\nDevice# show policy-firewall config all\r\nZone: self\r\n Description: System defined zone\r\nParameter-map Config:\r\n Global:\r\n alert on\r\n sessions maximum 2147483647\r\n waas disabled\r\n l2-transparent dhcp-passthrough disabled\r\n dropped-packets disabled\r\n log summary disabled\r\n max-incomplete low 2147483647\r\n max-incomplete high 2147483647\r\n one-minute low 2147483647\r\n one-minute high 2147483647\r\n Default:\r\n audit-trail off\r\n alert on\r\n max-incomplete low 2147483647\r\n max-incomplete high 2147483647\r\n one-minute low 2147483647\r\n one-minute high 2147483647\r\n udp idle-time 30\r\n icmp idle-time 10\r\n dns-timeout 5\r\n tcp idle-time 3600\r\n tcp finwait-time 5\r\n tcp synwait-time 30\r\n tcp max-incomplete host 4294967295 block-time 0\r\n sessions maximum 2147483647\r\nThe following is the sample output from the show policy-firewall config all command when a zone-pair is configured. 
The field descriptions are self-explanatory.\r\nDevice# show policy-firewall config all\r\nZone-pair : z1-z2\r\nSource Zone : z1\r\n Member Interfaces:\r\n GigabitEthernet0/0/0\r\nDestination Zone : z2\r\n Member Interfaces:\r\n GigabitEthernet0/0/1\r\nService-policy inspect : pmap\r\n Class-map : cmap (match-all)\r\n Match protocol tcp\r\n Action : inspect\r\n Parameter-map : Default\r\n Class-map : class-default (match-any)\r\n Match any\r\n Action : drop log\r\n Parameter-map : Default\r\n---------------------------\r\nParameter-map Configuration:\r\n Parameter-map type inspect: pmap\r\n --------------------------\r\n alert messages : on\r\n all application inspection : on\r\n audit trailing : off\r\n logging dropped-packets : off\r\n icmp session idle-time : 10 sec, ageout-time: 10 sec\r\n dns session idle-time : 5 sec\r\n tcp session half-open : on, half-close: on, idle: on\r\n tcp session idle-time : 3600 sec, ageout-time: 3600 sec\r\n tcp session FIN wait-time : 1 sec, FIN ageout-time: 1 sec\r\n tcp session SYN wait-time : 30 sec, SYN ageout-time: 30 sec\r\n tcp loose window scaling enforcement: off\r\n tcp max-half-open connections/host : unlimited block-time: 0 min\r\n udp half-open session idle-time: 30000 ms, ageout-time: 30000 ms\r\n udp session idle-time : 30 sec, ageout-time: 30 sec\r\n sessions, connections/min threshold (low) : unlimited\r\n sessions, connections/min threshold (high): unlimited\r\n sessions, connection rate threshold (low) : unlimited\r\n sessions, connection rate threshold (high): unlimited\r\n sessions, max-incomplete threshold (low) : unlimited\r\n sessions, max-incomplete threshold (high) : unlimited\r\n sessions, maximum no. 
of inspect sessions : unlimited\r\n total number of packets per flow : default\r\n zone mismatch drop option : off\r\nThe following is the sample output from the show policy-firewall config zone-pair zone-pair-name command. The field descriptions are self-explanatory.\r\nDevice# show policy-firewall config zone-pair z1-z2\r\nZone-pair : z1-z2\r\nSource Zone : z1\r\n Member Interfaces:\r\n GigabitEthernet0/0/0\r\nDestination Zone : z2\r\n Member Interfaces:\r\n GigabitEthernet0/0/1\r\nService-policy inspect : pmap\r\n Class-map : cmap (match-all)\r\n Match protocol tcp\r\n Action : inspect\r\n Parameter-map : Default\r\n Class-map : class-default (match-any)\r\n Match any\r\n Action : drop log\r\n Parameter-map : Default\r\nThe following example is a sample output from the show policy-firewall config class-map command:\r\nDevice# show policy-firewall config class-map c1\r\nClass Map type inspect match-all c1 (id 1)\r\n Match access-group 101\r\n Match protocol http\r\nThe following example shows output related to a user-defined parameter map:\r\nDevice# show policy-firewall config parameter-map params1\r\nparameter-map type inspect params1\r\n audit-trail off\r\n alert on\r\n max-incomplete low 2147483647\r\n max-incomplete high 2147483647\r\n one-minute low 2147483647\r\n one-minute high 2147483647\r\n udp idle-time 30\r\n icmp idle-time 10\r\n dns-timeout 5\r\n tcp idle-time 3600\r\n tcp finwait-time 5\r\n tcp synwait-time 30\r\n tcp max-incomplete host 4294967295 block-time 0\r\n sessions maximum 2147483647\r\nThe following example shows output related to the default parameter map:\r\nDevice# show policy-firewall config parameter-map default\r\n \r\n audit-trail off\r\n alert on\r\n max-incomplete low 2147483647\r\n max-incomplete high 2147483647\r\n one-minute low 2147483647\r\n one-minute high 2147483647\r\n udp idle-time 30\r\n icmp idle-time 10\r\n 
dns-timeout 5\r\n tcp idle-time 3600\r\n tcp finwait-time 5\r\n tcp synwait-time 30\r\n tcp max-incomplete host 4294967295 block-time 0\r\n sessions maximum 2147483647\r\nThe following example shows output related to the global parameter map:\r\nDevice# show policy-firewall config parameter-map global\r\n \r\n alert on\r\n sessions maximum 2147483647\r\n waas disabled\r\n l2-transparent dhcp-passthrough disabled\r\n log dropped-packets disabled\r\n log summary disabled\r\n max-incomplete low 2147483647\r\n max-incomplete high 2147483647\r\n one-minute low 2147483647\r\n one-minute high 2147483647\r\nshow policy-firewall mib\r\nTo display connection statistics of the firewall policy on the router, use the show policy-firewall mib command in privileged\r\nEXEC mode.\r\nshow policy-firewall mib connection-statistics {global | policy policy-name zone-pair name | L4-Protocol | L7-Protocol}\r\n{name | all}\r\nSyntax Description\r\nconnection-statistics Displays the statistics for one of the following selected options.\r\nglobal Displays the global connection statistics.\r\npolicy policy-name Displays statistics for a specific firewall policy.\r\nzone-pair name Displays statistics for a zone pair in a specific firewall policy.\r\nL4-Protocol name Displays statistics for a specific Layer 4 protocol.\r\nL7-Protocol name Displays statistics for a specific Layer 7 protocol.\r\nall Displays statistics for all Layer 4 or Layer 7 protocols.\r\nCommand Default\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n15.1(1)T This command was introduced.\r\nUsage Guidelines\r\nUse this command to display the global connection statistics and the statistics per protocol in Layer 4 or Layer 7 for each\r\npolicy or zone pair. 
Use the debug policy-firewall mib command to toggle on or off the support for MIBs in zone-based\r\npolicy firewalls.\r\nExamples\r\nThe following is sample output from five versions of the show policy-firewall mib command:\r\nRouter# show policy-firewall mib connection-statistics global\r\n--------------------------------------------------\r\nConnections Attempted 26\r\nConnections Setup Aborted 0\r\nConnections Policy Declined 0\r\nConnections Resource Declined 0\r\nConnections Half Open 0\r\nConnections Active 0\r\nConnections Expired 25\r\nConnections Aborted 0\r\nConnections Embryonic 0\r\nConnections 1-min Setup Count 0\r\nConnections 5-min Setup Count 0\r\nRouter# show policy-firewall mib connection-statistics L4-Protocol all\r\n--------------------------------------------------\r\nProtocol udp\r\nConnections Attempted 1\r\nConnections Setup Aborted 0\r\nConnections Policy Declined 0\r\nConnections Resource Declined 0\r\nConnections Half Open 0\r\nConnections Active 0\r\nConnections Aborted 0\r\nConnections Embryonic 0\r\nConnections 1-min Setup Count 0\r\nConnections 5-min Setup Count 0\r\n--------------------------------------------------\r\nProtocol tcp\r\nConnections Attempted 25\r\nConnections Setup Aborted 0\r\nConnections Policy Declined 0\r\nConnections Resource Declined 0\r\nConnections Half Open 0\r\nConnections Active 0\r\nConnections Aborted 0\r\nConnections Embryonic 0\r\nConnections 1-min Setup Count 0\r\nConnections 5-min Setup Count 0\r\nRouter# show policy-firewall mib connection-statistics L7-Protocol all\r\n--------------------------------------------------\r\nProtocol http\r\nConnections Attempted 14\r\nConnections Setup Aborted 0\r\nConnections Policy Declined 0\r\nConnections Resource Declined 0\r\nConnections Half Open 0\r\nConnections Active 0\r\nConnections Aborted 0\r\nConnections Embryonic 0\r\nConnections 1-min Setup 
Count 0\r\nConnections 5-min Setup Count 0\r\n--------------------------------------------------\r\nProtocol tacacs\r\nConnections Attempted 12\r\nConnections Setup Aborted 0\r\nConnections Policy Declined 0\r\nConnections Resource Declined 0\r\nConnections Half Open 0\r\nConnections Active 0\r\nConnections Aborted 0\r\nConnections Embryonic 0\r\nConnections 1-min Setup Count 0\r\nConnections 5-min Setup Count 0\r\nRouter# show policy-firewall mib connection-statistics policy inout-policy zone-pair inout L4-Protocol all\r\n--------------------------------------------------\r\nPolicy inout-policy\r\nZone-pair inout\r\n--------------------------------------------------\r\nProtocol udp\r\nConnections Attempted 1\r\nConnections Setup Aborted 0\r\nConnections Policy Declined 0\r\nConnections Resource Declined 0\r\nConnections Half Open 0\r\nConnections Active 0\r\nConnections Aborted 0\r\n--------------------------------------------------\r\nProtocol tcp\r\nConnections Attempted 11\r\nConnections Setup Aborted 0\r\nConnections Policy Declined 0\r\nConnections Resource Declined 0\r\nConnections Half Open 0\r\nConnections Active 0\r\nConnections Aborted 0\r\nRouter# show policy-firewall mib connection-statistics policy inout-policy zone-pair inout L7-Protocol all\r\n--------------------------------------------------\r\nPolicy inout-policy\r\nZone-pair inout\r\n--------------------------------------------------\r\nProtocol tacacs\r\nConnections Attempted 12\r\nConnections Setup Aborted 0\r\nConnections Policy Declined 0\r\nConnections Resource Declined 0\r\nConnections Half Open 0\r\nConnections Active 0\r\nConnections Aborted 0\r\nThe table below describes the significant fields shown in the displays.\r\nTable 27. 
show policy-firewall mib Field Descriptions\r\nField Description\r\nConnections Attempted The total number of connection attempts sent to the firewall. This is a cumulative value.\r\nConnections Policy Declined The number of connection attempts that were declined due to a firewall security policy. This is a cumulative value.\r\nConnections Resource Declined The number of connection attempts that were declined due to firewall resource constraints. This is a cumulative value.\r\nConnections Half Open The number of connections that are being established with the firewall. This is a reflection of the current state of the system.\r\nConnections Active The number of connections that are currently active. This is a reflection of the current state of the system.\r\nConnections Expired The number of connections that were active and terminated. This is a cumulative value.\r\nConnections Aborted The number of connections that were abnormally terminated after a successful connection. This is a cumulative value.\r\nConnections Embryonic The number of embryonic application layer connections. This is a reflection of the current state of the system.\r\nConnections 1-min Setup Count The number of connections that the firewall attempts to establish per second, averaged over the last 60 seconds. This is a reflection of the current state of the system.\r\nConnections 5-min Setup Count The number of connections that the firewall attempts to establish per second, averaged over the last 300 seconds. 
This is a reflection of the current state of the system.\r\nRelated Commands\r\nCommand Description\r\ndebug policy-firewall mib Toggles on or off the MIB support.\r\nshow policy-firewall session\r\nTo display the session details of a firewall policy, use the show policy-firewall session command in privileged EXEC mode.\r\nshow policy-firewall session [msrpc | ha | zone-pair [ha]]\r\nSyntax Description\r\nmsrpc (Optional) Displays the Microsoft Remote Procedure Call (MSRPC) sessions.\r\nha (Optional) Displays high availability (HA) sessions pertaining to zone pairs.\r\nzone-pair (Optional) Displays the sessions pertaining to zone pairs.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n15.1(1)T This command was introduced.\r\n15.1(4)M This command was modified. The msrpc keyword was added.\r\n15.2(3)T This command was modified. The ha keyword was added.\r\nUsage Guidelines\r\nUse the show policy-firewall session command to display session details. Session details can be either global, zone pair-specific, or MSRPC-specific. 
Global session details incorporate information about all sessions created by the firewall, and\r\nzone pair-specific details that pertain to each zone pair.\r\nExamples\r\nThe following is sample output from the show policy-firewall session command:\r\nRouter# show policy-firewall session zone-pair\r\nZone-pair: zone-pair-source2destination\r\n Service-policy inspect : policy-test\r\n Class-map: class-test (match-any)\r\n Inspect\r\n Number of Established Sessions = 100\r\n Established Sessions\r\n Session 3F4DF38 (10.0.0.148:13686)=\u003e(10.0.0.33:80) http:tcp SIS_OPEN\r\n Created 00:00:02, Last heard 00:00:01\r\n Bytes sent (initiator:responder) [257:10494]\r\n Session 43F0F58 (10.0.0.149:13687)=\u003e(10.0.0.33:80) http:tcp SIS_OPEN\r\n Created 00:00:02, Last heard 00:00:01\r\n Bytes sent (initiator:responder) [274:10494]\r\n Session 3F3BD98 (10.0.0.98:13770)=\u003e(10.0.0.33:80) http:tcp SIS_OPEN\r\n Created 00:00:02, Last heard 00:00:02\r\n Bytes sent (initiator:responder) [251:0]\r\n Session 3F2E498 (10.0.0.104:13774)=\u003e(10.0.0.33:80) http:tcp SIS_OPEN\r\n Created 00:00:02, Last heard 00:00:01\r\n Bytes sent (initiator:responder) [277:10220]\r\n Session 3F3B008 (10.0.0.105:13775)=\u003e(10.0.0.33:80) http:tcp SIS_OPEN\r\n Created 00:00:02, Last heard 00:00:01\r\n Bytes sent (initiator:responder) [264:10220]\r\n Session 3F31AD8 (10.0.0.108:13776)=\u003e(10.0.0.33:80) http:tcp SIS_OPEN\r\n Created 00:00:02, Last heard 00:00:01\r\n Bytes sent (initiator:responder) [265:10220]\r\n Session 2F91030 (10.0.0.113:13780)=\u003e(10.0.0.33:80) http:tcp SIS_OPEN\r\n Created 00:00:02, Last heard 00:00:01\r\n Bytes sent (initiator:responder) [257:10220]\r\n Session 3F35308 (10.0.0.229:13966)=\u003e(10.0.0.33:80) http:tcp SIS_OPEN\r\n Created 00:00:00, Last heard 00:00:00\r\n Bytes sent (initiator:responder) [278:10494]\r\n Session 3F30B58 
(10.0.0.231:13968)=\u003e(10.0.0.33:80) http:tcp SIS_OPEN\r\n Created 00:00:00, Last heard 00:00:00\r\n Bytes sent (initiator:responder) [257:10494]\r\n Session 3F30588 (10.0.0.234:13969)=\u003e(10.0.0.33:80) http:tcp SIS_OPEN\r\n Created 00:00:00, Last heard 00:00:00\r\n Bytes sent (initiator:responder) [259:10494]\r\n Number of Half-open Sessions = 8\r\n Half-open Sessions\r\n Session 3F32298 (10.0.0.99:13068)=\u003e(10.0.0.33:80) http:tcp SIS_OPENING\r\n Created 00:00:06, Last heard 00:00:06\r\n Bytes sent (initiator:responder) [0:0]\r\n Session 2F8F510 (10.0.0.123:13428)=\u003e(10.0.0.33:80) http:tcp SIS_OPENING\r\n Created 00:00:04, Last heard 00:00:04\r\n Bytes sent (initiator:responder) [0:0]\r\n Session 3F4E128 (10.0.0.125:13430)=\u003e(10.0.0.33:80) http:tcp SIS_OPENING\r\n Created 00:00:04, Last heard 00:00:04\r\n Bytes sent (initiator:responder) [0:0]\r\n Session 3F4E318 (10.0.0.126:13431)=\u003e(10.0.0.33:80) http:tcp SIS_OPENING\r\n Created 00:00:04, Last heard 00:00:04\r\n Bytes sent (initiator:responder) [0:0]\r\n Session 3F4E6F8 (10.0.0.127:13432)=\u003e(10.0.0.33:80) http:tcp SIS_OPENING\r\n Created 00:00:04, Last heard 00:00:04\r\n Bytes sent (initiator:responder) [0:0]\r\n Session 43ECF68 (10.0.0.138:13561)=\u003e(10.0.0.33:80) http:tcp SIS_OPENING\r\n Created 00:00:03, Last heard 00:00:03\r\n Bytes sent (initiator:responder) [0:0]\r\n Session 3F4D968 (10.0.0.130:13674)=\u003e(10.0.0.33:80) http:tcp SIS_OPENING\r\n Created 00:00:02, Last heard 00:00:02\r\n Bytes sent (initiator:responder) [0:0]\r\n Session 3F4DB58 (10.0.0.147:13685)=\u003e(10.0.0.33:80) http:tcp SIS_OPENING\r\n Created 00:00:02, Last heard 00:00:02\r\n Bytes sent (initiator:responder) [0:0]\r\n Number of Terminating Sessions = 3\r\n Terminating Sessions\r\n Session 2F9DD90 (10.0.0.203:13603)=\u003e(10.0.0.33:80) http:tcp SIS_CLOSING\r\n Created 00:00:03, Last heard 00:00:02\r\n Bytes sent (initiator:responder) 
[268:10494]\r\n Session 3F3AA38 (10.0.0.209:13844)=\u003e(10.0.0.33:80) http:tcp SIS_CLOSING\r\n Created 00:00:01, Last heard 00:00:01\r\n Bytes sent (initiator:responder) [251:2301]\r\n Session 43F20C8 (10.0.0.224:14070)=\u003e(10.0.0.33:80) http:tcp SIS_CLOSING\r\n Created 00:00:00, Last heard 00:00:00\r\n Bytes sent (initiator:responder) [264:2301]\r\nZone-pair: zone-pair-destination2source\r\n Service-policy inspect : policy-test\r\n Class-map: class-test (match-any)\r\n Inspect\r\nThe table below describes the significant fields shown in the display.\r\nTable 28. show policy-firewall session Field Descriptions\r\nField Description\r\nNumber of Established Sessions Number of established sessions. A session is established when traffic flows between the sessions.\r\nNumber of Half-open Sessions Number of half-opened sessions. A TCP session that has not yet reached the established state is called a half-opened session.\r\nNumber of Terminating Sessions A link or session between a pair of devices that gets closed. The terminating side waits for a timeout and closes the connection between the devices. 
After the connection is closed, the local port of the terminating side will not be available for new connections.\r\nThe following is sample output from the show policy-firewall session zone-pair ha command:\r\nRouter# show policy-firewall session zone-pair ha\r\nSession 3FAF888 (192.168.1.2:14401)=\u003e(10.99.75.1:80) http:tcp SIS_OPEN/TCP_ESTAB\r\nCreated 00:00:00, Last heard 00:00:00\r\nBytes sent (initiator:responder) [252:2301]\r\nHA State: ACTIVE, RG: rg_foo id 1\r\nSession 3FAF888 (192.168.1.3:14401)=\u003e(10.99.175.1:80) http:tcp SIS_OPEN/TCP_ESTAB\r\nCreated 00:00:00, Last heard 00:00:00\r\nBytes sent (initiator:responder) [252:2301]\r\nHA State: STANDBY, RG: rg_fzooid 2\r\nshow policy-firewall stats\r\nTo display the statistics of the firewall activity on the router, use the show policy-firewall stats command in privileged\r\nEXEC mode.\r\nshow policy-firewall stats [all | drop-counters | zone-pair [name]]\r\nSyntax Description\r\nall (Optional) Displays all firewall statistics on the router.\r\ndrop-counters (Optional) Displays the number of packets dropped for each error code.\r\nzone-pair name (Optional) Displays statistics pertaining to zone-pair.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n15.1(1)T This command was introduced.\r\nUsage Guidelines\r\nThis command provides the statistics of all the firewall activity on the router. The command displays the box-wide statistics\r\nor the statistics for each zone pair. To get all statistics, use the all keyword. Use the drop-counters keyword to display the\r\npackets dropped and grouped by their error codes. The output displays only the error codes for which the drop counter is\r\ngreater than zero. 
If the number of packets dropped is similar for multiple error codes, the error codes are sorted in\r\nalphabetical order.\r\nExamples\r\nThe following is sample output from the show policy-firewall stats command. The field descriptions are self-explanatory.\r\nRouter# show policy-firewall stats drop-counters\r\nREASON PACKET\r\n Invalid Header length\r\n policy match failure\r\n Police rate limiting\r\n Session limiting\r\n Bidirectional traffic disabled\r\n SYN with data or with PSH/URG flags\r\n Segment matching no TCP connection\r\n Invalid Segment\r\n Invalid Seq#\r\n Invalid Ack (or no Ack)\r\n Invalid Flags\r\n Invalid Checksum\r\n SYN inside current window\r\n RST inside current window\r\n Out-Of-Order Segment\r\n Retransmitted Segment\r\n Retransmitted Segment with Invalid Flags\r\n Stray Segment\r\n Internal Error\r\n Invalid Window scale option\r\n Invalid TCP options\r\n No zone-pair between zones\r\n One of the interfaces not being configured for zoning 17\r\n Policy not present on zone-pair\r\n DROP action found in policy-map\r\nshow policy-firewall stats vrf\r\nTo display VPN routing and forwarding (VRF)-level policy firewall statistics, use the show policy-firewall stats vrf\r\ncommand in user EXEC or privileged EXEC mode.\r\nshow policy-firewall stats vrf [vrf-pmap-name]\r\nSyntax Description\r\nvrf-pmap-name (Optional) VRF name.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.3S This command was introduced.\r\nCisco IOS XE Release 3.4S This command was modified. 
The command output was modified to display UDP and Internet Control Message Protocol (ICMP) half-opened session counts.\r\nExamples\r\nThe following is sample output from the show policy-firewall stats vrf command:\r\nRouter# show policy-firewall stats vrf vrf-default\r\n \r\n VRF: default, Parameter-Map: vrf-default\r\n Interface reference count: 1\r\n Total Session Count(estab + half-open): 0, Exceed: 0\r\n Total Session Aggressive Aging Period Off, Event Count: 0\r\n Half Open\r\n Protocol Session Cnt Exceed\r\n -------- ----------- ------\r\n All 0 0\r\n UDP 0 0\r\n ICMP 0 0\r\n TCP 0 0\r\n TCP Syn Flood Half Open Count: 0, Exceed: 0\r\n Half Open Aggressive Aging Period Off, Event Count: 0\r\nThe table below describes the significant fields shown in the display.\r\nTable 29. show policy-firewall stats vrf Field Descriptions\r\nField Description\r\nTotal Session Count Total session count.\r\nExceed Number of sessions that exceeded the configured session count.\r\nTotal Session Aggressive Aging Period Off Indicates whether aggressive aging is enabled (On) or disabled (Off).\r\nEvent Count The number of times the event has been enabled in the past.\r\nTCP Syn Flood Half Open Count Number of half-open synchronization (SYN) packets that exceeded the configured SYN flood rate limit.\r\nHalf Open Aggressive Aging Period Off Aggressive aging of half-opened sessions is not configured.\r\nRelated Commands\r\nCommand Description\r\nclear policy-firewall stats vrf Clears the policy firewall statistics counter at a VRF level.\r\nshow policy-firewall stats vrf global\r\nTo display global VPN Routing and Forwarding (VRF) firewall policy statistics, use the show policy-firewall stats vrf global\r\ncommand in user EXEC or privileged EXEC mode.\r\nshow policy-firewall stats vrf global\r\nSyntax Description\r\nThis command has 
no arguments or keywords.\r\nCommand Default\r\nThis command has no default settings.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.3S This command was introduced.\r\nExamples\r\nThe following is sample output from the show policy-firewall stats vrf global command:\r\nRouter# show policy-firewall stats vrf global\r\n \r\nGlobal table statistics\r\n total_session_cnt: 0\r\n exceed_cnt: 0\r\n tcp_half_open_cnt: 0\r\n syn_exceed_cnt: 0\r\nThe table below describes the fields shown in the display.\r\nTable 30. show policy-firewall stats vrf global Field Descriptions\r\nField Description\r\ntotal_session_cnt Total session count.\r\nexceed_cnt Number of sessions that exceeded the configured session count.\r\ntcp_half_open_cnt TCP half-open sessions configured at a global VRF level. When the configured session limit is reached, the TCP synchronization (SYN) cookie verifies the source of the half-open TCP sessions before creating more sessions. 
A TCP half-open session is a session that has not reached the established state.\r\nsyn_exceed_cnt Number of SYN packets that exceeded the configured SYN flood rate limit.\r\nRelated Commands\r\nCommand Description\r\nclear policy-firewall stats vrf global Clears the global VRF policy firewall statistics.\r\nshow policy-firewall stats zone\r\nTo display policy firewall statistics at a zone level, use the show policy-firewall stats zone command in user EXEC or\r\nprivileged EXEC mode.\r\nshow policy-firewall stats zone [zone-name]\r\nSyntax Description\r\nzone-name (Optional) Zone name.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.3S This command was introduced.\r\nCisco IOS XE Release 3.4S This command was modified. The command output was modified to display threat detection statistics.\r\nExamples\r\nThe following is sample output from the show policy-firewall stats zone command:\r\nRouter# show policy-firewall stats zone zone02\r\nZone: zone02\r\nParameter-map: zonepmap\r\nTCP SYN packet conform limit: 0\r\nTCP SYN packet exceed limit: 0\r\nThreat Detection Statistics:\r\n Average(eps) Current(eps) Threat Total events\r\n 10-min Basic FW Drop: 0 0 0 20\r\n 10-min Inspection Drop: 0 0 0 70\r\n 10-min Syn Attack: 0 0 0 0\r\nThe table below describes the significant fields shown in the display.\r\nTable 31. 
show policy-firewall stats zone Field Descriptions\r\nField Description\r\nZone Name of the zone.\r\nParameter-map Name of the configured zone-type parameter map.\r\nTCP SYN packet conform limit Number of TCP synchronization (SYN) packets that are within the configured limit.\r\nTCP SYN packet exceed limit Number of TCP SYN packets that exceeded the configured SYN packet rate limit.\r\nBasic FW Drop Threat detection rate for firewall drop events.\r\nInspection Drop Threat detection rate for firewall inspection-based drop events.\r\nSyn Attack Threat detection rate for SYN cookie attack events.\r\nRelated Commands\r\nCommand Description\r\nclear policy-firewall stats zone Clears the policy firewall statistics counter at a zone level.\r\ntcp syn-flood limit Configures a limit to the number of TCP half-open sessions before triggering SYN cookie processing for new SYN packets.\r\nthreat-detection Configures basic threat detection.\r\nshow policy-firewall summary-log\r\nTo display summary logs, use the show policy-firewall summary-log command in privileged EXEC mode.\r\nshow policy-firewall summary-log\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Default\r\nSummary logs are not displayed.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n15.1(1)T This command was introduced.\r\nUsage Guidelines\r\nUse this command to display the summary logs captured as follows:\r\nConfigured flow\r\nConfigured flow value\r\nNumber of flows\r\nNote\r\nWhen the number of flows for the log summary reaches the configured flow value, some flows are not\r\nsummarized.\r\nExamples\r\nThe following is sample output from the show policy-firewall summary-log command. 
The field descriptions are self-explanatory.\r\nRouter# show policy-firewall summary-log\r\n*Apr 1 12:38:29.103: %FW-6-LOG_SUMMARY: 10 http packets were dropped from\r\n10.0.0.1:1024 =\u003e 20.0.0.1:23 (target: class)-(z1toz2:C1)\r\nRelated Commands\r\nCommand Description\r\nclear policy-firewall Clears the information collected by the firewall.\r\nshow policy-map type inspect\r\nTo display a specified policy map, use the show policy-map type inspect command in privileged EXEC mode.\r\nshow policy-map type inspect [policy-map-name] [class class-map-name]\r\nSyntax Description\r\npolicy-map-name (Optional) Name of the policy map.\r\nclass class-map-name (Optional) Name of the class map.\r\nCommand Default\r\nIf a policy-map name is not specified, all Level 7 policy maps are displayed.\r\nCommand Modes\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\nExamples\r\nThe following example displays the policy map for policy map p1:\r\nRouter # show policy-map type inspect p1\r\n \r\n Policy Map type inspect p1\r\n Class c1\r\n Inspect\r\nThe following example shows sample command output:\r\nRouter# show policy-map type inspect p_inside\r\n Policy Map type inspect p_inside\r\n Description: Policy map with inspect action\r\n Class c_permit\r\n Pass\r\n Class c_test\r\n Class class-default\r\nThe table below describes the significant fields shown in the display.\r\nTable 32. 
show policy-map type inspect Field Descriptions\r\nField Description\r\np_inside Name of the policy map.\r\nDescription Description of the policy map.\r\nClass Name of the class map.\r\nPass Allows packets to be sent to the router without being inspected.\r\nshow policy-map type inspect urlfilter\r\nTo display the details of a URL filtering policy map, use the show policy-map type inspect urlfilter command in privileged\r\nEXEC mode.\r\nshow policy-map type inspect urlfilter [policy-map-name]\r\nSyntax Description\r\npolicy-map-name (Optional) Name of the policy map for which details are displayed.\r\nCommand Default\r\nThe details of all URL filtering policy maps are displayed.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(15)XZ This command was introduced.\r\n12.4(20)T This command was integrated into Cisco IOS Release 12.4(20)T.\r\nUsage Guidelines\r\nUse the show policy-map type inspect urlfilter command to display the details of all URL filtering policy maps. 
To display\r\nthe details of a particular URL filtering policy map, specify the name of the policy map.\r\nThe output of the show ip urlfilter cache command displays the pages cached by a device.\r\nExamples\r\nThe following is sample output from the show policy-map type inspect urlfilter command for a policy map named\r\nwebsense-policy:\r\nRouter# show policy-map type inspect urlfilter websense-policy\r\npolicy-map type inspect urlfilter url-websense-policy\r\n parameter-map urlfpolicy websense websense-parameter-map\r\n class type urlfilter trusted-domain-lists\r\n allow\r\n class type urlfilter untrusted-domain-lists\r\n reset\r\n class type urlfilter block-url-keyword-lists\r\n reset\r\n class type urlfilter websense websense-map\r\n server-specified-action\r\nshow policy-map type inspect zone-pair\r\nTo display runtime inspect type policy map statistics and other information such as sessions existing on a specified zone\r\npair, use the show policy-map type inspect zone-pair command in privileged EXEC mode.\r\nshow policy-map type inspect zone-pair [zone-pair-name [sessions]] [sessions] ipv6 | {destination destination-ip [source source-ip] | source source-ip [destination destination-ip]} destination destination-ip [source source-ip] source source-ip [destination destination-ip]\r\nSyntax Description\r\nzone-pair-name (Optional) Zone pair for which the system displays the runtime inspect type policy-map statistics.\r\nsessions (Optional) Displays stateful packet inspection sessions created because a policy map is applied on the specified zone pair.\r\nipv6 (Optional) Displays information about the IPv6 session.\r\ndestination destination-ip (Optional) Displays information about the destination IPv4 or IPv6 address of the session.\r\nsource source-ip (Optional) Displays information about the source IPv4 or IPv6 address of the session.\r\nCommand Default\r\nInformation about policy maps for all zone pairs is displayed.\r\nCommand 
Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\n12.4(9)T This command was modified. The output was enhanced to display the police action configuration.\r\n12.4(15)XZ This command was integrated into Cisco IOS Release 12.4(15)XZ and implemented on the following platforms: Cisco 881 and Cisco 888.\r\nCisco IOS XE Release 3.1S This command was integrated into Cisco IOS XE Release 3.1S.\r\nCisco IOS XE Release 3.4S This command was modified. The output was enhanced to display the General Packet Radio Service (GPRS) Tunneling Protocol (GTP) configuration.\r\nCisco IOS XE Release 3.6S This command was modified. The output was enhanced to display both IPv4 and IPv6 firewall sessions.\r\nCisco IOS XE Release 3.9S This command was modified. The destination, ipv6, and source keywords and the destination-ip and source-ip arguments were added.\r\nUsage Guidelines\r\nIf you do not specify a zone-pair name, policy maps on all zone pairs are displayed.\r\nWhen packets are matched to an access group (match access-group), a protocol (match protocol), or a class map (match\r\nclass-map), a traffic rate is generated for these packets. In a zone-based firewall policy, only the first packet that creates a\r\nsession matches the policy. Subsequent packets in this flow do not match the filters in the configured policy, but instead\r\nmatch the session directly. The statistics related to subsequent packets are shown as part of the “inspect” action and are\r\ndisplayed using the show policy-map type inspect zone-pair sessions command.\r\nCommand Limitations\r\nThe cumulative counters in the show policy-map type inspect zone-pair command output do not increment for match\r\nstatements in a nested class map configuration in Cisco IOS Releases 12.4(15)T and 12.4(20)T. 
The problem with the\r\ncounters exists regardless of whether the top-level class map uses the match-any or match-all keyword.\r\nThe following configuration example shows the match counter problem:\r\nclass-map type inspect match-any y\r\n match protocol tcp\r\n match protocol icmp\r\nclass-map type inspect match-all x\r\n match class y\r\nThe following sample output from the show policy-map type inspect zone-pair command displays cumulative counters for\r\nthe above configuration (if the class map matches any class map):\r\nDevice# show policy-map type inspect zone-pair sessions\r\npolicy exists on zp\r\n Zone-pair: zp\r\n Service-policy inspect : fw\r\n Class-map: x (match-any)\r\n Match: class-map match-any y\r\n 2 packets, 48 bytes \u003c======== Cumulative class map counters are incrementing.\r\n 30 second rate 0 bps\r\n Match: protocol tcp\r\n 0 packets, 0 bytes \u003c===== The match for the protocol is not incrementing.\r\n 30 second rate 0 bps\r\n Match: protocol icmp\r\n 0 packets, 0 bytes\r\n 30 second rate 0 bps\r\n Inspect\r\n Number of Established Sessions = 1\r\n Established Sessions\r\n Session 53105C0 (10.1.1.2:19180)=\u003e(10.2.1.2:23) tacacs:tcp SIS_OPEN\r\n Created 00:00:02, Last heard 00:00:02\r\n Bytes sent (initiator:responder) [30:69]\r\n Class-map: class-default (match-any)\r\n Match: any\r\n Drop\r\n 0 packets, 0 bytes\r\nExamples\r\nThe following sample output from the show policy-map type inspect zone-pair command shows information about zone\r\npairs zp and trusted-untrusted:\r\nDevice# show policy-map type inspect zone-pair zp\r\n \r\n Zone-pair: zp\r\n Service-policy : p1\r\n Class-map: c1 (match-all)\r\n Match: protocol tcp\r\n Inspect\r\n Session creations since subsystem startup or last reset 0\r\n Current session counts (estab/half-open/terminating) [0:0:0]\r\n Maxever session counts (estab/half-open/terminating) 
[0:0:0]\r\n Last session created never\r\n Last statistic reset never\r\n Last session creation rate 0\r\n half-open session total 0\r\n Class-map: c2 (match-all)\r\n Match: protocol udp\r\n Pass\r\n 0 packets, 0 bytes\r\n Class-map: class-default (match-any)\r\n Match: any\r\n Drop\r\n 0 packets, 0 bytes\r\nDevice# show policy-map type inspect zone-pair trusted-untrusted\r\n Zone-pair: trusted-untrusted\r\n Service-policy inspect : firewall-policy\r\nClass-map: class_4 (match-any)\r\n Match: protocol dbcontrol-agent\r\n Match: protocol ddns-v3\r\n Match: protocol dhcp-failover\r\n Match: protocol discard\r\n Match: protocol dns\r\n Match: protocol dnsix\r\n Match: protocol echo\r\n Match: protocol entrust-svc-handler\r\n Inspect\r\n Packet inspection statistics [process switch:fast switch]\r\n dns packets: [0:28949015]\r\n Session creations since subsystem startup or last reset 4\r\n Current session counts (estab/half-open/terminating) [0:0:0]\r\n Maxever session counts (estab/half-open/terminating) [1:0:0]\r\n Last session created 00:06:16\r\n Last statistic reset never\r\n Last session creation rate 0\r\n Last half-open session total 0\r\nNote\r\nOnly some protocols that undergo Layer 7 inspections have dedicated statistics; others are grouped into either\r\nTCP statistics or UDP statistics.\r\nThe following is sample output from the show policy-map type inspect zone-pair command for a GTP configuration:\r\nDevice# show policy-map type inspect zone-pair zp\r\nZone-pair: zp\r\n Service-policy inspect : L4-Policy\r\n Class-map: L4-Class (match-all)\r\n Match: protocol gtpv0\r\n Inspect\r\n Session creations since subsystem startup or last reset 0\r\n Current session counts (estab/half-open/terminating) [0:0:0]\r\n Maxever session counts (estab/half-open/terminating) [0:0:0]\r\n Last session created never\r\n Last statistic reset never\r\n Last session 
creation rate 0\r\n Last half-open session total 0\r\n Service-policy inspect gtpv0 : L7-Policy\r\n Class-map: L7-Class (match-any)\r\n 0 packets, 0 bytes\r\n 30 second offered rate 0000 bps, drop rate 0000 bps\r\n Match: match mcc 772 mnc 331\r\n Class-map: class-default (match-any)\r\n 0 packets, 0 bytes\r\n 30 second offered rate 0000 bps, drop rate 0000 bps\r\n Match: any\r\n Class-map: class-default (match-any)\r\n Match: any\r\n Drop (default action)\r\n 0 packets, 0 bytes\r\nThe following is sample output from the show policy-map type inspect zone-pair sessions command:\r\nDevice# show policy-map type inspect zone-pair sessions\r\n \r\nZone-pair: hi2int\r\n Service-policy inspect : pg1\r\n Class-map: c1 (match-any)\r\n Match: protocol ftp\r\n Match: protocol telnet\r\n Match: protocol smtp\r\n Match: protocol http\r\n Match: protocol tacacs\r\n Match: protocol dns\r\n Match: protocol sql-net\r\n Match: protocol https\r\n Match: protocol tftp\r\n Match: protocol gopher\r\n Match: protocol finger\r\n Match: protocol kerberos\r\n Match: protocol pop3\r\n Match: protocol sunrpc\r\n Match: protocol msrpc\r\n Match: protocol icmp\r\n Inspect\r\n Established Sessions\r\n Session 10E28550 (10.1.1.1:50536)=\u003e(172.16.1.1:111) sunrpc SIS_OPEN\r\n Created 00:09:44, Last heard 00:09:18\r\n Bytes sent (initiator:responder) [108:0]\r\n Session 10E28550 (10.1.1.1:39377)=\u003e(172.16.1.1:150) sql-net SIS_CLOSED\r\n Created 00:03:01, Last heard 00:03:01\r\n Bytes sent (initiator:responder) [0:0]\r\n Session 10E2859C (10.1.1.1:39377)=\u003e(172.16.1.1:110) pop3 SIS_CLOSED\r\n Created 00:02:59, Last heard 00:02:59\r\n Bytes sent (initiator:responder) [0:0]\r\n Session 10E285E8 (10.1.1.1:39377)=\u003e(172.16.1.1:443) https SIS_CLOSED\r\n Created 00:03:33, Last heard 00:03:33\r\n Bytes sent (initiator:responder) [0:0]\r\n Class-map: class-default (match-any)\r\n 
Match: any\r\n Drop (default action)\r\n 147127 packets, 8485742 bytes\r\nNote\r\nIn the preceding sample output, the information displayed below the Class-map field is the traffic rate (bits-per-second) of the traffic belonging to only the connection-initiating traffic. Unless the connection setup rate is\r\nsignificantly high and sustained for multiple intervals over which the rate is computed, no significant data is\r\nshown for the connection.\r\nThe following sample output from the show policy-map type inspect zone-pair sessions command displays IPv6 firewall\r\nsessions:\r\nDevice# show policy-map type inspect zone-pair sessions\r\nZone-pair: hi2int\r\n Service-policy inspect : pg1\r\n Class-map: c1 (match-any)\r\n Match: protocol ftp\r\n Match: protocol telnet\r\n Match: protocol icmp\r\n Inspect\r\n Established Sessions\r\n Session 10E28550 ([2001:DB8::1]:50536)=\u003e( [2001:DB8:2::1]:111) sunrpc SIS_OPEN\r\n Created 00:09:44, Last heard 00:09:18\r\n Bytes sent (initiator:responder) [108:0]\r\n Session 10E28550 ([2001:DB8::1]:39377)=\u003e([2001:DB8:2::1]:150) sql-net IS_CLOSED\r\n Created 00:03:01, Last heard 00:03:01\r\n Bytes sent (initiator:responder) [0:0]\r\n Class-map: class-default (match-any)\r\n Match: any\r\n Drop (default action)\r\n 147127 packets, 8485742 bytes\r\nThe following sample output from the show policy-map type inspect zone-pair command displays the police action\r\nconfiguration:\r\nDevice# show policy-map type inspect zone-pair\r\n \r\nZone-pair: zp\r\nService-policy inspect : test-udp\r\n Class-map: check-udp (match-all)\r\n Match: protocol udp\r\n Inspect\r\n Packet inspection statistics [process switch:fast switch]\r\n udp packets: [3:4454]\r\n Session creations since subsystem startup or last reset 92\r\n Current session counts (estab/half-open/terminating) [5:33:0]\r\n Maxever session counts 
(estab/half-open/terminating) [5:59:0]\r\n Last session created 00:00:06\r\n Last statistic reset never\r\n Last session creation rate 61\r\n Last half-open session total 33\r\n Class-map: class-default (match-any)\r\n Match: any\r\n Drop (default action)\r\n 0 packets, 0 bytes\r\nThe table below describes the significant fields shown in the display:\r\nTable 33. show parameter-map type inspect zone-pair Field Descriptions\r\nField Description\r\nZone-pair Name of the configured security zone pair.\r\nService-policy inspect Name of the service policy that was inspected.\r\nClass-map Name of the configured class map and the configured match criterion.\r\nMatch Protocols that were configured as match criteria.\r\nInspect Session details such as packets received, current session count, and total session count.\r\nRelated Commands\r\nCommand Description\r\nmatch access-group Configures the match criteria for a class map on the basis of the specified ACL.\r\nmatch class-map Uses a traffic class as a classification policy.\r\nmatch protocol Configures the match criterion for a class map on the basis of a specified protocol.\r\npolicy-map type inspect Creates a Layer 3 and Layer 4 or a Layer 7 (protocol-specific) inspect-type policy map.\r\nshow policy-map type inspect zone-pair urlfilter\r\nTo display the details of a URL filtering policy map--URL filter state, URL filter statistics, and URL filter server details--use\r\nthe show policy-map type inspect zone-pair urlfilter command in privileged EXEC mode.\r\nshow policy-map type inspect zone-pair [zone-pair-name] urlfilter cache [detail]\r\nSyntax Description\r\nzone-pair-name (Optional) Zone pair for which the system will display the runtime inspect type policy-map statistics. Default: The requested information is shown for all zone pairs.\r\ncache Displays information about the URL filter 
cache.\r\ndetail (Optional) Displays each entry in the cache. Because cache entries can be long, only the first few bytes are displayed.\r\nCommand Default\r\nThe URL filter information for all zone pairs is displayed. Details about the URL filtering cache are not displayed.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(6)T This command was introduced.\r\n12.4(15)XZ This command was implemented on the following platforms: Cisco 881 and Cisco 888. The detail keyword was added to show more information about the URL filtering cache.\r\n12.4(20)T This command was integrated into Cisco IOS Release 12.4(20)T. The detail keyword was added to show more information about the URL filtering cache.\r\nExamples\r\nThe following example shows sample output for a Websense URL filtering server:\r\nRouter# show policy-map type inspect zone-pair urlfilter cache\r\n \r\nZone-pair: zp\r\n Urlfilter\r\n Websense URL Filtering is ENABLED\r\n \r\n Websense Primary server: 10.3.3.3(port : 15868)\r\n recount: 0\r\n Current packet buffer count(in use): 0\r\n Current cache entry count: 0\r\n Maxever request count: 0\r\n Maxever packet buffer count: 0\r\n Maxever cache entry count: 0\r\n Total requests sent to URL Filter Server :0\r\n Total responses received from URL Filter Server :0\r\n Total requests allowed: 0\r\n Total requests blocked: 0\r\nDrop (default action)\r\n packets, 0 bytes\r\n Service-policy inspect : test\r\n Class-map: test (match-all)\r\n Match: protocol http\r\n Class-map: class-default (match-any)\r\n Match: any\r\nThe following example shows sample output for a Trend Micro URL filtering server, including the cache details:\r\nRouter# show policy-map type inspect zone-pair urlfilter cache detail\r\n \r\npolicy exists on zp zp_in\r\n Zone-pair: zp_in\r\n Service-policy inspect : 
trend-global-policy\r\n Class-map: http-class (match-all)\r\n Match: protocol http\r\n Match: access-group 101\r\n Inspect\r\n Packet inspection statistics [process switch:fast switch]\r\n tcp packets: [3353:0]\r\n Session creations since subsystem startup or last reset 21\r\n Current session counts (estab/half-open/terminating) [3:0:0]\r\n Maxever session counts (estab/half-open/terminating) [4:1:1]\r\n Last session created 00:00:22\r\n Last statistic reset never\r\n Last session creation rate 7\r\n Maxever session creation rate 14\r\n Last half-open session total 0\r\n Maximum number of bytes in cache: 131072000\r\n Time to live for eache cache entry (in hrs): 1\r\n Total number of bytes used by cache: 442\r\n Number of bytes used by domain type cache: 442\r\n Number of bytes used by directory type cache: 0\r\n ------------------------------------------------------------\r\n URL Age Access #/ Cat::Rep\r\n (Directory cache end with /) (day:h:m:s) Idle Time\r\n ------------------------------------------------------------\r\n example.com 0:00:00:23 28 58::100\r\n example1.com 0:00:00:25 1 56::100\r\nexample.example2.com 0:00:00:34 1 56::100\r\n Class-map: class-default (match-any)\r\n Match: any\r\n Drop\r\n 0 packets, 0 bytes\r\n \r\npolicy exists on zp zp_out\r\n Zone-pair: zp_out\r\n \r\n Service-policy inspect : icmp_permit\r\n \r\n Class-map: icmp_permit (match-all)\r\n Match: access-group 110\r\n Pass\r\n 0 packets, 0 bytes\r\n \r\n Class-map: class-default (match-any)\r\n Match: any\r\n Drop\r\n 0 packets, 0 bytes\r\nshow port-security\r\nTo display information about the port-security setting in EXEC command mode, use the show port-security command.\r\nshow port-security [interface interface interface-number]\r\nshow port-security [interface interface interface-number] {address | vlan}\r\nSyntax Description\r\ninterface\r\ninterface\r\n(Optional) 
Specifies the interface type; possible valid values are ethernet, fastethernet,\r\ngigabitethernet, and longreachethernet.\r\ninterface-number\r\nInterface number. Valid values are 1 to 6.\r\naddress\r\nDisplays all the secure MAC addresses that are configured on all the switch interfaces or on a\r\nspecified interface with aging information for each address.\r\nvlan Virtual LAN.\r\nCommand Default\r\nThis command has no default settings.\r\nCommand Modes\r\nEXEC\r\nCommand History\r\nRelease Modification\r\n12.2(14)SX Support for this command was introduced on the Supervisor Engine 720.\r\n12.2(17d)SXB Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.\r\n12.2(18)SXE\r\nThe address keyword was added to display the maximum number of MAC addresses configured per\r\nVLAN on a trunk port on the Supervisor Engine 720 only.\r\n12.2(33)SRA This command was integrated into Cisco IOS release 12.2(33)SRA.\r\nUsage Guidelines\r\nThe vlan keyword is supported on trunk ports only and displays per-VLAN maximums set on a trunk port.\r\nThe interface-number argument designates the module and port number. Valid values for interface-number depend on the\r\nspecified interface type and the chassis and module that are used. 
For example, if you specify a Gigabit Ethernet interface\r\nand have a 48-port 10/100BASE-T Ethernet module that is installed in a 13-slot chassis, valid values for the module number\r\nare from 1 to 13 and valid values for the port number are from 1 to 48.\r\nExamples\r\nThis example shows the output from the show port-security command when you do not enter any options:\r\nRouter# show port-security\r\nSecure Port MaxSecureAddr CurrentAddr SecurityViolation Security\r\nAction\r\n (Count) (Count) (Count)\r\n----------------------------------------------------------------------------\r\n \r\n Fa5/1 11 11 0 Shutdown\r\n Fa5/5 15 5 0 Restrict\r\n Fa5/11 5 4 0 Protect\r\n----------------------------------------------------------------------------\r\n \r\nTotal Addresses in System: 21\r\nMax Addresses limit in System: 128\r\nRouter#\r\nThis example shows how to display port-security information for a specified interface:\r\nRouter# show port-security interface fastethernet 5/1\r\nPort Security: Enabled\r\nPort status: SecureUp\r\nViolation mode: Shutdown\r\nMaximum MAC Addresses: 11\r\nTotal MAC Addresses: 11\r\nConfigured MAC Addresses: 3\r\nAging time: 20 mins\r\nAging type: Inactivity\r\nSecureStatic address aging: Enabled\r\nSecurity Violation count: 0\r\nRouter#\r\nThis example shows how to display all the secure MAC addresses that are configured on all the switch interfaces or on a\r\nspecified interface with aging information for each address:\r\nRouter# show port-security address\r\nDefault maximum: 10\r\nVLAN Maximum Current\r\n1 5 3\r\n2 4 4\r\n3 6 4\r\nRouter#\r\nRelated Commands\r\nCommand Description\r\nclear port-security Deletes configured secure MAC addresses and sticky MAC addresses from the MAC address\r\ntable.\r\nshow ppp queues\r\nTo monitor the number of requests processed by each authentication, authorization, and accounting (AAA) 
background\r\nprocess, use the show ppp queues command in privileged EXEC mode.\r\nshow ppp queues\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n11.3(2)AA This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX\r\nrelease of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nUse the show ppp queues command to display the number of requests handled by each AAA background process, the\r\naverage amount of time it takes to complete each request, and the requests still pending in the work queue. This information\r\ncan help you balance the data load between the network access server and the AAA server.\r\nThis command displays information about the background processes configured by the aaa processes global configuration\r\ncommand. Each line in the display contains information about one of the background processes. If there are AAA requests in\r\nthe queue when you enter this command, the requests will be printed as well as the background process data.\r\nExamples\r\nThe following example shows output from the show ppp queues command:\r\nRouter# show ppp queues\r\nProc #0 pid=73 authens=59 avg. rtt=118s. authors=160 avg. rtt=94s.\r\nProc #1 pid=74 authens=52 avg. rtt=119s. authors=127 avg. rtt=115s.\r\nProc #2 pid=75 authens=69 avg. rtt=130s. authors=80 avg. rtt=122s.\r\nProc #3 pid=76 authens=44 avg. rtt=114s. authors=55 avg. rtt=106s.\r\nProc #4 pid=77 authens=70 avg. rtt=141s. authors=76 avg. rtt=118s.\r\nProc #5 pid=78 authens=64 avg. rtt=131s. authors=97 avg. rtt=113s.\r\nProc #6 pid=79 authens=56 avg. rtt=121s. authors=57 avg. 
rtt=117s.\r\nProc #7 pid=80 authens=43 avg. rtt=126s. authors=54 avg. rtt=105s.\r\nProc #8 pid=81 authens=139 avg. rtt=141s. authors=120 avg. rtt=122s.\r\nProc #9 pid=82 authens=63 avg. rtt=128s. authors=199 avg. rtt=80s.\r\nqueue len=0 max len=499\r\nThe table below describes the fields shown in the example.\r\nTable 34. show ppp queues Field Descriptions\r\nField Description\r\nProc #\r\nIdentifies the background process allocated by the aaa processes command to handle AAA requests for\r\nPPP. All of the data in this row relates to this process.\r\npid= Identification number of the background process.\r\nauthens= Number of authentication requests the process has performed.\r\navg. rtt= Average delay (in seconds) until the authentication request was completed.\r\nauthors= Number of authorization requests the process has performed.\r\navg. rtt= Average delay (in seconds) until the authorization request was completed.\r\nqueue\r\nlen=\r\nCurrent queue length.\r\nmax len= Maximum length the queue ever reached.\r\nRelated Commands\r\nCommand Description\r\naaa\r\nprocesses\r\nAllocates a specific number of background processes to be used to process AAA authentication and\r\nauthorization requests for PPP.\r\nshow pppoe session\r\nTo display information about currently active PPP over Ethernet (PPPoE) sessions, use the show pppoe session command in privileged\r\nEXEC mode.\r\nshow pppoe session [all | interface type number | packets [all | interface type number | ipv6 ]]\r\nSyntax Description\r\nall (Optional) Displays detailed information about the PPPoE session.\r\ninterface type number (Optional) Displays information about the interface on which the PPPoE session is active.\r\npackets (Optional) Displays packet statistics for the PPPoE session.\r\nipv6 (Optional) Displays PPPoE session packet statistics for IPv6 traffic.\r\nCommand 
Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.2(4)YG This command was introduced on the Cisco SOHO 76, 77, and 77H routers.\r\n12.3(4)T\r\nThis command was integrated into Cisco IOS Release 12.3(4)T and was enhanced to display\r\ninformation about relayed PPPoE Active Discovery (PAD) messages.\r\n12.2(28)SB\r\nThis command was integrated into Cisco IOS Release 12.2(28)SB and support was added for the\r\nCisco 7200, 7301, 7600, and 10000 series platforms.\r\n12.2(31)SB2\r\nThis command was integrated into Cisco IOS Release 12.2(31)SB2 and the output following the\r\nuse of the all keyword was modified to indicate if a session is Interworking Functionality (IWF)-\r\nspecific or if the ppp-max-payload tag is in the discovery frame and accepted.\r\n12.4(15)XF\r\nThe output was modified to display Virtual Multipoint Interface (VMI) and PPPoE process-level\r\nvalues.\r\n12.4(15)T\r\nThis command was integrated into Cisco IOS Release 12.4(15)T to support VMIs in Mobile Ad\r\nHoc Router-to-Radio Networks (MANETs).\r\n12.2(33)SRC This command was integrated into Cisco IOS Release 12.2(33)SRC.\r\nCisco IOS XE\r\nRelease 2.5\r\nThis command was implemented on Cisco ASR 1000 series routers.\r\nCisco IOS XE\r\nRelease 3.5S\r\nThis command was modified. 
The ipv6 keyword was added.\r\nExamples\r\nThe following is sample output from the show pppoe session command:\r\nRouter# show pppoe session\r\n 1 session in FORWARDED (FWDED) State\r\n 1 session total\r\nUniq ID PPPoE SID RemMAC Port VT VA State LocMAC VA-st\r\n26 19 0001.96da.a2c0 Et0/0.1 5 N/A RELFWD 000c.8670.1006 VLAN:3\r\nExamples\r\nThe following is sample output from the show pppoe session command when there is an IWF session and the ppp-max-payload tag is accepted in the discovery frame (available in Cisco IOS Release 12.2(31)SB2):\r\nRouter# show pppoe session\r\n \r\n 1 session in LOCALLY_TERMINATED (PTA) State\r\n 1 session total. 1 session of it is IWF type\r\nUniq ID PPPoE SID RemMAC Port VT VA State LocMAC VA-st\r\n26 21 0001.c9f2.a81e Et1/2 1 Vi2.1 PTA 0006.52a4.901e UP\r\nThe table below describes the significant fields shown in the displays.\r\nTable 35. show pppoe session Field Descriptions\r\nField Description\r\nUniq ID Unique identifier for the PPPoE session.\r\nPPPoE\r\nSID\r\nPPPoE session identifier.\r\nRemMAC Remote MAC address.\r\nPort Port type and number.\r\nVT Virtual-template interface.\r\nVA Virtual access interface.\r\nState\r\nDisplays the state of the session, which will be one of the following:\r\nFORWARDED\r\nFORWARDING\r\nLCP_NEGOTIATION\r\nLOCALLY_TERMINATED\r\nPPP_START\r\nPTA\r\nRELFWD (a PPPoE session was forwarded for which the Active discovery messages were\r\nrelayed)\r\nSHUTTING_DOWN\r\nVACCESS_REQUESTED\r\nLocMAC Local MAC address.\r\nExamples\r\nThe following example shows information per session for the show pppoe session all command.\r\nRouter# show pppoe session all\r\nTotal PPPoE sessions 1\r\nsession id: 21\r\nlocal MAC address: 0006.52a4.901e, remote MAC address: 0001.c9f2.a81e\r\nvirtual access interface: Vi2.1, outgoing interface: Et1/2, IWF\r\nPPP-Max-Payload tag: 
1500\r\n15942 packets sent, 15924 received\r\n 224561 bytes sent, 222948 received\r\nExamples\r\nThe following example shows the output from the show pppoe session all command. This version of the display includes\r\nPPPoE credit flow statistics for the session.\r\nRouter# show pppoe session all\r\nTotal PPPoE sessions 1\r\nsession id: 1\r\nlocal MAC address: aabb.cc00.0100, remote MAC address: aabb.cc00.0200\r\nvirtual access interface: Vi2, outgoing interface: Et0/0\r\n17 packets sent, 24 received\r\n1459 bytes sent, 2561 received\r\nPPPoE Flow Control Stats\r\nLocal Credits: 65504 Peer Credits: 65478\r\nCredit Grant Threshold: 28000 Max Credits per grant: 65534\r\nPADG Seq Num: 7 PADG Timer index: 0\r\nPADG last rcvd Seq Num: 7\r\nPADG last nonzero Seq Num: 0\r\nPADG last nonzero rcvd amount: 0\r\nPADG Timers: [0]-1000 [1]-2000 [2]-3000 [3]-4000\r\nPADG xmit: 7 rcvd: 7\r\nPADC xmit: 7 rcvd: 7\r\nPADQ xmit: 0 rcvd: 0\r\nExamples\r\nThe following is sample output from the show pppoe session packet ipv6 command. 
The output field descriptions are self-explanatory.\r\nDevice# show pppoe session packet ipv6\r\nSID Pkts -In Pkts-Out Bytes-In Bytes-Out\r\n1 2800 9 2721600 770\r\nRelated Commands\r\nCommand Description\r\nclear pppoe relay context Clears PPPoE relay contexts created for relaying PAD messages.\r\nshow pppoe relay context all Displays PPPoE relay contexts created for relaying PAD messages.\r\nshow private-hosts access-lists\r\nTo display the access lists for your Private Hosts configuration, use the show private-hosts access-lists command in\r\nprivileged EXEC mode.\r\nshow private-hosts access-lists\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.2(33)SRB This command was introduced.\r\n12.2(33)SXH This command was integrated into Cisco IOS Release 12.2(33)SXH.\r\nExamples\r\nThe following example shows how to display the Private Hosts access lists for your configuration:\r\nRouter# show private-hosts access-lists\r\n \r\nPromiscuous ACLs\r\nAction Permit Sequence # 010\r\n Source:0000.1111.4001 0000.0000.0000 Destination:0000.0000.0000 ffff.ffff.ffff\r\nAction Deny Sequence # 020\r\n Source:0000.0000.0000 ffff.ffff.ffff Destination:0000.0000.0000 ffff.ffff.ffff\r\nIsolated ACLs\r\nAction Deny Sequence # 010\r\n Source:0000.1111.4001 0000.0000.0000 Destination:0000.0000.0000 ffff.ffff.ffff\r\nAction Permit Sequence # 020\r\n Source:0000.0000.0000 ffff.ffff.ffff Destination:0000.1111.4001 0000.0000.0000 Action Redirect Sequence # 030 Redirect\r\n Source:0000.0000.0000 ffff.ffff.ffff Destination:ffff.ffff.ffff 0000.0000.0000\r\nAction Permit Sequence # 040\r\n Source:0000.0000.0000 ffff.ffff.ffff Destination:0100.5e00.0000 0000.007f.ffff\r\n Source:0000.0000.0000 ffff.ffff.ffff Destination:3333.0000.0000 0000.ffff.ffff\r\nAction Deny Sequence 
# 050\r\n Source:0000.0000.0000 ffff.ffff.ffff Destination:0000.0000.0000 ffff.ffff.ffff\r\nMixed ACLs\r\nAction Permit Sequence # 010\r\n Source:0000.1111.4001 0000.0000.0000 Destination:ffff.ffff.ffff 0000.0000.0000 Action Redirect Sequence # 020 Redirect\r\n Source:0000.0000.0000 ffff.ffff.ffff Destination:ffff.ffff.ffff 0000.0000.0000\r\nAction Permit Sequence # 030\r\n Source:0000.1111.4001 0000.0000.0000 Destination:0000.0000.0000 ffff.ffff.ffff\r\nAction Permit Sequence # 040\r\n Source:0000.0000.0000 ffff.ffff.ffff Destination:0000.1111.4001 0000.0000.0000\r\nAction Deny Sequence # 050\r\n Source:0000.0000.0000 ffff.ffff.ffff Destination:0000.0000.0000 ffff.ffff.ffff\r\nRelated Commands\r\nCommand Description\r\nshow fm private-hosts Displays information about the Private Hosts feature manager.\r\nshow private-hosts configuration\r\nDisplays Private Hosts configuration information for the networking\r\ndevice.\r\nshow private-hosts interface\r\nconfiguration\r\nDisplays Private Hosts configuration information for individual interfaces.\r\nshow private-hosts configuration\r\nTo display information about the Private Hosts configuration on the router, use the show private-hosts configuration\r\ncommand in privileged EXEC mode.\r\nshow private-hosts configuration\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n12.2(33)SRB This command was introduced.\r\n12.2(33)SXH This command was integrated into Cisco IOS Release 12.2(33)SXH.\r\nExamples\r\nThe following example shows sample command output:\r\nRouter# show private-hosts configuration\r\n \r\nPrivate hosts enabled. 
BR INDEX 6 State 0000000F\r\nPrivated hosts vlans lists:\r\n200\r\nPrivated promiscuous MAC configuration:\r\nA '*' mark behind the mac list indicates non-existent mac-list\r\n--------------------------------------------------------------------------------\r\nMAC-list VLAN list\r\n--------------------------------------------------------------------------------\r\nbras-list *** Uses the isolated vlans (if any) ***\r\nThe following example shows sample command output:\r\nRouter# show private-hosts configuration\r\nPrivate-hosts enabled\r\nIsolated vlan-list 10,12,15,200-300\r\nPromiscuous MAC configuration:\r\n------------------------------------------------------------------------------------\r\nMAC-List VLAN List\r\n-----------------------------------------------------------------------------------\r\nBras_list 10,12,15,200-300\r\nMcast_server_list 10,12,15\r\nRouter#\r\nRelated Commands\r\nCommand Description\r\nprivate-hosts Enables or configures the Private Hosts feature.\r\nprivate-hosts mode Sets the switchport mode.\r\nshow fm private-hosts interface\r\nconfiguration\r\nDisplays the FM-related Private Hosts information.\r\nshow private-hosts interface configuration\r\nDisplays Private Hosts configuration information for individual\r\ninterfaces.\r\nshow private-hosts interface configuration\r\nTo display information about the Private Hosts configuration on individual interfaces (ports), use the show private-hosts\r\ninterface configuration command in privileged EXEC mode.\r\nshow private-hosts interface configuration\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.2(33)SRB This command was introduced.\r\n12.2(33)SXH This command was integrated in Cisco IOS Release 12.2(33)SXH.\r\nExamples\r\nThe following example shows sample command 
output:\r\nRouter# show private-hosts interface configuration\r\n \r\nPrivate hosts enabled\r\nDebug Events: 0 Acl: 0 API: 0\r\nPromiscuous interface list\r\n--------------------------\r\nGigabitEthernet1/1 promiscuous connected Facing BRAS Jupiter\r\nIsolated interface list\r\n-------------------------\r\nFastEthernet3/1-14 isolated connected Facing DSLAM AB-125-1\r\nMixed mode interface list\r\n--------------------------\r\nGigabitEthernet1/4-5 mixed connected Facing Server Mars\r\nRouter#\r\nRelated Commands\r\nCommand Description\r\nprivate-hosts Enables or configures the Private Hosts feature.\r\nprivate-hosts mode Sets the switchport mode.\r\nshow fm private-hosts Displays the FM-related Private Hosts information.\r\nshow private-hosts configuration Displays Private Hosts configuration information for the router.\r\nshow private-hosts mac-list\r\nTo display the contents of the MAC address lists defined for Private Hosts, use the show private-hosts mac-list command in\r\nprivileged EXEC mode.\r\nshow private-hosts mac-list [list-name]\r\nSyntax Description\r\nlist-name (Optional) The name of the MAC address list whose contents you want to display.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.2(33)SRB This command was introduced.\r\n12.2(33)SXH This command was integrated into Cisco IOS Release 12.2(33)SXH.\r\nExamples\r\nThe following example shows sample command output:\r\nRouter# show private-hosts mac-list\r\n \r\nMAC-List: bras-list\r\n------------------------------------------------------------------\r\nMAC address Description\r\n------------------------------------------------------------------\r\n0000.1111.1111 BRAS-SERVER\r\nRelated Commands\r\nCommand 
Description\r\nprivate-hosts mac-list Creates a MAC address list that identifies a content server that is being used to provide\r\nbroadband services to isolated hosts.\r\nshow privilege\r\nTo display your current level of privilege, use the show privilege command in EXEC mode.\r\nshow privilege\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nEXEC\r\nCommand History\r\nRelease Modification\r\n10.3 This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX\r\nrelease of this train depends on your feature set, platform, and platform hardware.\r\nExamples\r\nThe following example shows sample output from the show privilege command. The current privilege level is 15.\r\nRouter# show privilege\r\nCurrent privilege level is 15\r\nRelated Commands\r\nCommand Description\r\nenable password Sets a local password to control access to various privilege levels.\r\nenable secret Specifies an additional layer of security over the enable password command.\r\nshow radius local-server statistics\r\nTo display the statistics for the local authentication server, use the show radius local-server statistics command in privileged\r\nEXEC mode.\r\nshow radius local-server statistics\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n12.2(11)JA\r\nThis command was introduced on the Cisco Aironet Access Point 1100 and the Cisco Aironet Access\r\nPoint 1200.\r\n12.3(11)T\r\nThis command was integrated into Cisco IOS Release 12.3(11)T and implemented on the following\r\nplatforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800\r\nseries 
routers.\r\nExamples\r\nThe following output displays statistics for the local authentication server.\r\nRouter# show radius local-server statistics\r\nSuccesses : 11262 Unknown usernames : 0\r\nClient blocks : 0 Invalid passwords : 8\r\nUnknown NAS : 0 Invalid packet from NAS: 0\r\nNAS : 10.0.0.1\r\nSuccesses : 11262 Unknown usernames : 0\r\nClient blocks : 0 Invalid passwords : 8\r\nCorrupted packet : 0 Unknown RADIUS message : 0\r\nNo username attribute : 0 Missing auth attribute : 0\r\nShared key mismatch : 0 Invalid state attribute: 0\r\nUnknown EAP message : 0 Unknown EAP auth type : 0\r\nPAC refresh : 0 Invalid PAC received : 0\r\nMaximum number of configurable users: 50, current user count: 11\r\nUsername Successes Failures Blocks\r\nvayu-ap-1 2235 0 0\r\nvayu-ap-2 2235 0 0\r\nvayu-ap-3 2246 0 0\r\nvayu-ap-4 2247 0 0\r\nvayu-ap-5 2247 0 0\r\nvayu-11 3 0 0\r\nvayu-12 5 0 0\r\nvayu-13 5 0 0\r\nvayu-14 30 0 0\r\nvayu-15 3 0 0\r\nscm-test 1 8 0\r\nThe first section of statistics lists cumulative statistics from the local authenticator.\r\nThe second section lists statistics for each access point (NAS) authorized to use the local authenticator. The EAP-FAST\r\nstatistics in this section include the following:\r\nAuto provision success--the number of PACs generated automatically\r\nAuto provision failure--the number of PACs not generated because of an invalid handshake packet or invalid\r\nusername or password\r\nPAC refresh--the number of PACs renewed by clients\r\nInvalid PAC received--the number of PACs received that were expired, that the authenticator could not decrypt, or\r\nthat were assigned to a client username not in the authenticator’s database\r\nThe third section lists stats for individual users. If a user is blocked and the lockout time is set to infinite, blocked appears at\r\nthe end of the stat line for that user. 
If the lockout time is not infinite, Unblocked in x seconds appears at the end of the stat\r\nline for that user.\r\nUse the clear radius local-server statistics command in privileged EXEC mode to reset local authenticator statistics to zero.\r\nRelated Commands\r\nCommand Description\r\nblock count\r\nConfigures the parameters for locking out members of a group to help protect against\r\nunauthorized attacks.\r\nclear radius local-server\r\nClears the statistics display or unblocks a user.\r\ndebug radius local-server\r\nDisplays the debug information for the local server.\r\ngroup Enters user group configuration mode and configures shared setting for a user group.\r\nnas Adds an access point or router to the list of devices that use the local authentication server.\r\nradius-server host Specifies the remote RADIUS server host.\r\nradius-server local\r\nEnables the access point or router to be a local authentication server and enters into\r\nconfiguration mode for the authenticator.\r\nreauthentication time\r\nSpecifies the time (in seconds) after which access points or wireless-aware routers must\r\nreauthenticate the members of a group.\r\nssid Specifies up to 20 SSIDs to be used by a user group.\r\nuser Authorizes a user to authenticate using the local authentication server.\r\nvlan Specifies a VLAN to be used by members of a user group.\r\nshow radius server-group\r\nTo display properties for the RADIUS server group, use the show radius server-group command in user EXEC or privileged\r\nEXEC mode.\r\nshow radius server-group {server-group-name | all | 123}\r\nSyntax Description\r\nserver-group-name Displays properties for the server group named. 
The character string used to name the group of servers\r\nmust be defined using the aaa group server radius command.\r\nall Displays properties for all the server groups.\r\nserver Displays properties for a specific server or servers in the group.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.2(2)T This command was introduced.\r\n12.2(33)SRA The server argument was introduced.\r\nUsage Guidelines\r\nUse the show radius server-group command to display the server groups that you defined by using the aaa group server\r\nradius command.\r\nExamples\r\nThe following show radius server-group command output displays properties for the server group \"rad_sg\":\r\nRouter# show radius server-group rad_sg\r\nserver group rad-sg\r\n Sharecount = 1 sg_unconfigured = FALSE\r\n Type = standard Memlocks = 1\r\nThe following show radius server-group command output displays the properties for two server groups, 123 and 456,\r\nrespectively. Using the aaa group server radius command, the configuration of each server group is also shown.\r\nRouter(config)# aaa new-model\r\n!\r\n!\r\nRouter(config)# aaa group server radius 123\r\n server 10.9.8.1 auth-port 1645 acct-port 1646\r\n!\r\nRouter(config)# aaa group server radius 456\r\n server 10.9.8.2 auth-port 1645 acct-port 1646\r\nRouter(config)# exit\r\nRouter# show radius server-group all\r\nServer group 123\r\n Sharecount = 1 sg_unconfigured = FALSE\r\n Type = standard\r\nServer group 456\r\n Sharecount = 1 sg_unconfigured = FALSE\r\n Type = standard\r\nRouter# show radius server-group 123\r\nServer group 123\r\n Sharecount = 1 sg_unconfigured = FALSE\r\n Type = standard\r\nThe table below describes the significant fields shown in the display.\r\nTable 36. 
show radius server-group command Field Descriptions\r\nField Description\r\nServer group Name of the server group.\r\nSharecount\r\nNumber of method lists that are sharing this server group. For example, if one method list uses a\r\nparticular server group, the sharecount would be 1. If two method lists use the same server group,\r\nthe sharecount would be 2.\r\nsg_unconfigured Server group has been unconfigured.\r\nType\r\nThe type can be either \"standard\" or \"nonstandard\". The type indicates whether the servers in the\r\ngroup accept nonstandard attributes. If all servers within the group are configured with the\r\nnonstandard option, the type will be shown as \"nonstandard\".\r\nMemlocks\r\nAn internal reference count for the server-group structure that is in memory. The number represents\r\nhow many internal data structure packets or transactions are holding references to this server group.\r\nMemlocks is used internally for memory management purposes.\r\nRelated Commands\r\nCommand Description\r\naaa group server radius Groups different RADIUS server hosts into distinct lists and distinct methods.\r\nshow aaa servers Displays information about the number of packets sent to and received from AAA servers.\r\nshow radius statistics Displays the RADIUS statistics for accounting and authentication packets.\r\nshow radius statistics\r\nTo display the RADIUS statistics for accounting and authentication packets, use the show radius statistics command in user\r\nEXEC or privileged EXEC mode.\r\nshow radius statistics\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.1(3)T This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is 
supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX\r\nrelease of this train depends on your feature set, platform, and platform hardware.\r\n15.1(1)S\r\nThis command was integrated into Cisco IOS Release 15.1(1)S. Support for the CISCO-RADIUS-EXT-MIB was added.\r\n15.1(4)M This command was modified. Support for the CISCO-RADIUS-EXT-MIB was added.\r\nUsage Guidelines\r\nThe values in the queue-related fields (Maximum inQ length:, Maximum waitQ length:, and Maximum doneQ length:) of the\r\nshow radius statistics command are shown as NA in vEWLC, because this queue-related information is applicable only in IOS.\r\nExamples\r\nThe following is sample output from the show radius statistics command:\r\nRouter# show radius statistics\r\n Auth. Acct. Both\r\nMaximum inQ length: NA NA 1\r\nMaximum waitQ length: NA NA 2\r\nMaximum doneQ length: NA NA 1\r\nTotal responses seen: 33 67 100\r\nPackets with responses: 33 67 100\r\nPackets without responses: 0 0 0\r\nAccess Rejects : 0\r\nAverage response delay(ms) : 1331 124 523\r\nMaximum response delay(ms): 5720 4800 5720\r\nNumber of Radius timeouts: 8 2 10\r\nDuplicate ID detects: 0 0 0\r\nBuffer Allocation Failures: 0 0 0\r\nMaximum Buffer Size (bytes): 156 327 327\r\nMalformed Responses : 0 0 0\r\nBad Authenticators : 0 0 0\r\nSource Port Range: (2 ports only)\r\n1645 - 1646\r\nLast used Source Port/Identifier:\r\n1645/33\r\n1646/69\r\nThe table below describes significant fields shown in the display.\r\nTable 37. show radius statistics Field Descriptions\r\nField Description\r\nAuth. Statistics for authentication packets.\r\nAcct. 
Statistics for accounting packets.\r\nBoth Combined statistics for authentication and accounting packets.\r\nMaximum inQ length\r\nMaximum number of entries allowed in the queue that holds the RADIUS messages not yet sent.\r\nMaximum waitQ length\r\nMaximum number of entries allowed in the queue that holds the RADIUS messages that have\r\nbeen sent and are waiting for a response.\r\nMaximum doneQ length\r\nMaximum number of entries allowed in the queue that holds the messages that have received a\r\nresponse and will be forwarded to the code that is waiting for the messages.\r\nTotal responses seen\r\nNumber of RADIUS responses seen from the server. In addition to the expected packets, the\r\nnumber includes repeated packets and packets that do not have a matching message in the waitQ.\r\nPackets with responses\r\nNumber of packets that received a response from the RADIUS server.\r\nPackets without responses\r\nNumber of packets that never received a response from any RADIUS server.\r\nAccess Rejects Number of times access requests have been rejected by a RADIUS server.\r\nAverage response delay\r\nAverage time, in milliseconds (ms), from when the packet was first transmitted to when it\r\nreceived a response. If the response timed out and the packet was sent again, this value includes\r\nthe timeout. If the packet never received a response, this value is not included in the average.\r\nMaximum response delay\r\nMaximum delay, in ms, observed while gathering the average response delay information.\r\nNumber of RADIUS timeouts\r\nNumber of times a server did not respond and the RADIUS server re-sent the packet.\r\nDuplicate ID detects\r\nRADIUS has a maximum of 255 unique IDs. In some instances, there can be more than 255\r\noutstanding packets. 
When a packet is received, the doneQ is searched from the oldest entry to\r\nthe youngest. If the IDs are the same, further techniques are used to see if this response matches\r\nthis entry. If this response does not match, the duplicate ID detect counter is increased.\r\nBuffer Allocation Failures\r\nNumber of times the buffer failed to get allocated.\r\nMaximum Buffer Size (bytes)\r\nDisplays the maximum size of the buffer.\r\nMalformed Responses\r\nNumber of corrupted responses, mostly due to bad authenticators.\r\nBad Authenticators\r\nNumber of authentication failures due to shared secret mismatches.\r\nSource Port Range: (2 ports only)\r\nDisplays the port numbers.\r\nLast used Source Port/Identifier\r\nPorts that were last used by the RADIUS server for authentication.\r\nThe fields in the output are mapped to Simple Network Management Protocol (SNMP) objects in the CISCO-RADIUS-EXT-MIB and are used in SNMP reporting. The first line of the report is mapped to the CISCO-RADIUS-EXT-MIB as\r\nfollows:\r\nMaximum inQ length maps to creClientTotalMaxInQLength\r\nMaximum waitQ length maps to creClientTotalMaxWaitQLength\r\nMaximum doneQ length maps to creClientTotalMaxDoneQLength\r\nThe field \"Both\" in the output can be derived from the authentication and accounting MIB objects. The calculation formula\r\nfor each field, as displayed in the output, is given in the table below.\r\nTable 38. 
Calculation Formula for the Both field in show radius statistics Command Output\r\nshow radius statistics Command Output Data\r\nCalculation Formula for the Both Field\r\nMaximum inQ length creClientTotalMaxInQLength\r\nMaximum waitQ length creClientTotalWaitQLength\r\nMaximum doneQ length creClientDoneQLength\r\nTotal responses seen creAuthClientTotalResponses + creAcctClientTotalResponses\r\nPackets with responses creAuthClientTotalPacketsWithResponses + creAcctClientTotalPacketsWithResponses\r\nPackets without responses creAuthClientTotalPacketsWithoutResponses + creAcctClientTotalPacketsWithoutResponses\r\nAccess Rejects creClientTotalAccessRejects\r\nAverage response delay creClientAverageResponseDelay\r\nMaximum response delay MAX(creAuthClientMaxResponseDelay, creAcctClientMaxResponseDelay)\r\nNumber of RADIUS timeouts creAuthClientTimeouts + creAcctClientTimeouts\r\nDuplicate ID detects creAuthClientDupIDs + creAcctClientDupIDs\r\nBuffer Allocation Failures creAuthClientBufferAllocFailures + creAcctClientBufferAllocFailures\r\nMaximum Buffer Size (bytes) MAX(creAuthClientMaxBufferSize, creAcctClientMaxBufferSize)\r\nMalformed Responses creAuthClientMalformedResponses + creAcctClientMalformedResponses\r\nBad Authenticators creAuthClientBadAuthenticators + creAcctClientBadAuthenticators\r\nMapping the following set of objects listed in the CISCO-RADIUS-EXT-MIB to the fields displayed by the show radius\r\nstatistics command is straightforward. 
For example, the creClientLastUsedSourcePort field corresponds to the Last used\r\nSource Port/Identifier portion of the report, creAuthClientBufferAllocFailures corresponds to the Buffer Allocation Failures\r\nfor authentication packets, creAcctClientBufferAllocFailures corresponds to the Buffer Allocation Failures for accounting\r\npackets, and so on.\r\ncreClientTotalMaxInQLength\r\ncreClientTotalMaxWaitQLength\r\ncreClientTotalMaxDoneQLength\r\ncreClientTotalAccessRejects\r\ncreClientTotalAverageResponseDelay\r\ncreClientSourcePortRangeStart\r\ncreClientSourcePortRangeEnd\r\ncreClientLastUsedSourcePort\r\ncreClientLastUsedSourceId\r\ncreAuthClientBadAuthenticators\r\ncreAuthClientUnknownResponses\r\ncreAuthClientTotalPacketsWithResponses\r\ncreAuthClientBufferAllocFailures\r\ncreAuthClientTotalResponses\r\ncreAuthClientTotalPacketsWithoutResponses\r\ncreAuthClientAverageResponseDelay\r\ncreAuthClientMaxResponseDelay\r\ncreAuthClientMaxBufferSize\r\ncreAuthClientTimeouts\r\ncreAuthClientDupIDs\r\ncreAuthClientMalformedResponses\r\ncreAuthClientLastUsedSourceId\r\ncreAcctClientBadAuthenticators\r\ncreAcctClientUnknownResponses\r\ncreAcctClientTotalPacketsWithResponses\r\ncreAcctClientBufferAllocFailures\r\ncreAcctClientTotalResponses\r\ncreAcctClientTotalPacketsWithoutResponses\r\ncreAcctClientAverageResponseDelay\r\ncreAcctClientMaxResponseDelay\r\ncreAcctClientMaxBufferSize\r\ncreAcctClientTimeouts\r\ncreAcctClientDupIDs\r\ncreAcctClientMalformedResponses\r\ncreAcctClientLastUsedSourceId\r\nTo locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at\r\nthe following URL: http://www.cisco.com/go/mibs .\r\nRelated Commands\r\nCommand Description\r\nradius-server host Specifies a RADIUS server host.\r\nradius-server retransmit\r\nSpecifies how many times the Cisco IOS software searches the 
list of RADIUS server hosts\r\nbefore giving up.\r\nradius-server timeout Sets the interval for which a router waits for a server host to reply.\r\nshow radius table attributes\r\nTo display a list of all attributes supported by the RADIUS subsystem, use the show radius table attributes command in user\r\nEXEC or privileged EXEC mode.\r\nshow radius table attributes\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.2(33)SRA This command was introduced.\r\nUsage Guidelines\r\nThis command enables you to verify that a required RADIUS attribute is supported in a specific release.\r\nExamples\r\nThe following example displays the complete table attribute list from the show radius table attributes command.\r\nRouter# show radius table attributes\r\n \r\nIETF ATTRIBUTE LIST:\r\n Name User-Name Format String\r\n Name User-Password Format Binary\r\n Name CHAP-Password Format Binary\r\n Name NAS-IP-Address Format IPv4 Address\r\n Name NAS-Port Format Ulong\r\n Name Service-Type Format Enum\r\n Name Framed-Protocol Format Enum\r\n Name Framed-IP-Address Format IPv4 Address\r\n Name Framed-IP-Netmask Format IPv4 Address\r\n Name Framed-Routing Format Ulong\r\n Name Filter-Id Format Binary\r\n Name Framed-MTU Format Ulong\r\n Name Framed-Compression Format Enum\r\n Name login-ip-addr-host Format IPv4 Address\r\n Name Login-Service Format Enum\r\n Name login-tcp-port Format Ulong\r\n Name Reply-Message Format Binary\r\n Name Callback-Number Format String\r\n Name Framed-Route Format String\r\n Name Framed-IPX-Network Format IPv4 Address\r\n Name State Format Binary\r\n Name Class Format Binary\r\n Name Vendor-Specific Format Binary\r\n Name Session-Timeout Format Ulong\r\n Name Idle-Timeout Format Ulong\r\n Name Termination-Action Format 
Boolean\r\n Name Called-Station-Id Format String\r\n Name Calling-Station-Id Format String\r\n Name Nas-Identifier Format String\r\n Name Acct-Status-Type Format Enum\r\n Name Acct-Delay-Time Format Ulong\r\n Name Acct-Input-Octets Format Ulong\r\n Name Acct-Output-Octets Format Ulong\r\n Name Acct-Session-Id Format String\r\n Name Acct-Authentic Format Enum\r\n Name Acct-Session-Time Format Ulong\r\n Name Acct-Input-Packets Format Ulong\r\n Name Acct-Output-Packets Format Ulong\r\n Name Acct-Terminate-Cause Format Enum\r\n Name Multilink-Session-ID Format String\r\n Name Acct-Link-Count Format Ulong\r\n Name Acct-Input-Giga-Words Format Ulong\r\n Name Acct-Output-Giga-Words Format Ulong\r\n Name Event-Timestamp Format Ulong\r\n Name CHAP-Challenge Format Binary\r\n Name NAS-Port-Type Format Enum\r\n Name Port-Limit Format Ulong\r\n Name Tunnel-Type Format Enum\r\n Name Tunnel-Medium-Type Format Enum\r\n Name Tunnel-Client-Endpoint Format String\r\n Name Tunnel-Server-Endpoint Format String\r\n Name Acct-Tunnel-Connection Format String\r\n Name Tunnel-Password Format Binary\r\n Name Prompt Format Enum\r\n Name Connect-Info Format String\r\n Name EAP-Message Format Binary\r\n Name Message-Authenticator Format Binary\r\n Name Tunnel-Private-Group-Id Format String\r\n Name Tunnel-Assignment-Id Format String\r\n Name Tunnel-Preference Format Ulong\r\n Name Acct-Interim-Interval Format Ulong\r\n Name Tunnel-Packets-Lost Format Ulong\r\n Name NAS-Port-Id Format String\r\n Name Tunnel-Client-Auth-ID Format String\r\n Name Tunnel-Server-Auth-ID Format String\r\n Name Framed-Interface-Id Format Binary\r\n Name Framed-IPv6-Prefix Format Binary\r\n Name login-ip-addr-host Format Binary\r\n Name Framed-IPv6-Route Format String\r\n Name Framed-IPv6-Pool Format String\r\n Name Dynamic-Author-Error-Cause Format Enum\r\nNon Standard ATTRIBUTE LIST:\r\n Name Old-Password 
Format Binary\r\n Name Ascend-Filter-Required Format Enum\r\n Name Ascend-Cache-Refresh Format Enum\r\n Name Ascend-Cache-Time Format Ulong\r\n Name Ascend-Auth-Type Format Ulong\r\n Name Ascend-Redirect-Number Format String\r\n Name Ascend-Private-Route Format String\r\n Name Ascend-Shared-Profile-Enable Format Boolean\r\n Name Ascend-Client-Primary-DNS Format IPv4 Address\r\n Name Ascend-Client-Secondary-DNS Format IPv4 Address\r\n Name Ascend-Client-Assign-DNS Format Ulong\r\n Name Ascend-Session-Svr-Key Format String\r\n Name Ascend-Multicast-Rate-Limit Format Ulong\r\n Name Ascend-Multicast-Client Format Ulong\r\n Name Ascend-Multilink-Session-ID Format Ulong\r\n Name Ascend-Num-In-Multilink Format Ulong\r\n Name Ascend-Presession-Octets-In Format Ulong\r\n Name Ascend-Presession-Octets-Out Format Ulong\r\n Name Ascend-Presession-Packets-In Format Ulong\r\n Name Ascend-Presession-Packets-Out Format Ulong\r\n Name Ascend-Max-Time Format Ulong\r\n Name Ascend-Disconnect-Cause Format Enum\r\n Name Ascend-Connection-Progress Format Enum\r\n Name Ascend-Data-Rate Format Ulong\r\n Name Ascend-Presession-Time Format Ulong\r\n Name Ascend-Require-Auth Format Ulong\r\n Name Ascend-PW-Liftime Format Ulong\r\n Name Ascend-IP-Direct Format IPv4 Address\r\n Name Ascend-PPP-VJ-Slot-Comp Format Boolean\r\n Name Ascend-Asyncmap Format Ulong\r\n Name Ascend-Send-Secret Format Binary\r\n Name ascend_pool_definition Format String\r\n Name Ascend-IP-Pool Format Ulong\r\n Name Ascend-Dial-Number Format String\r\n Name Ascend-Route-IP Format Boolean\r\n Name Ascend-Send-Auth Format Enum\r\n Name Ascend-Link-Compression Format Enum\r\n Name Ascend-Target-Util Format Ulong\r\n Name Ascend-Max-Channels Format Ulong\r\n Name Ascend-Data-Filter Format Binary\r\n Name Ascend-Call-Filter Format Binary\r\n Name Ascend-Idle-Limit Format Ulong\r\n Name Ascend-Data-Service Format 
Ulong\r\n Name Ascend-Force-56 Format Ulong\r\n Name Ascend-Xmit-Rate Format Ulong\r\nCisco VSA ATTRIBUTE LIST:\r\n Name Cisco AVpair Format String\r\n Name cisco-nas-port Format String\r\n Name fax_account_id_origin Format String\r\n Name fax_msg_id Format String\r\n Name fax_pages Format String\r\n Name fax_modem_time Format String\r\n Name fax_connect_speed Format String\r\n Name fax_mdn_address Format String\r\n Name fax_mdn_flag Format String\r\n Name fax_auth_status Format String\r\n Name email_server_address Format String\r\n Name email_server_ack_flag Format String\r\n Name gateway_id Format String\r\n Name call_type Format String\r\n Name port_used Format String\r\n Name abort_cause Format String\r\n Name h323-remote-address Format String\r\n Name Conf-Id Format String\r\n Name h323-setup-time Format String\r\n Name h323-call-origin Format String\r\n Name h323-call-type Format String\r\n Name h323-connect-time Format String\r\n Name h323-disconnect-time Format String\r\n Name h323-disconnect-cause Format String\r\n Name h323-voice-quality Format String\r\n Name h323-gw-id Format String\r\n Name Cisco AVpair Format Binary\r\n Name Cisco encrypted string vsa Format String\r\n Name Sub_Policy_In Format String\r\n Name Sub_Policy_Out Format String\r\n Name h323-credit-amount Format String\r\n Name h323-credit-time Format String\r\n Name h323-return-code Format String\r\n Name h323-prompt-id Format String\r\n Name h323-time-and-day Format String\r\n Name h323-redirect-number Format String\r\n Name h323-preferred-lang Format String\r\n Name h323-redirect-ip-address Format String\r\n Name h323-billing-model Format String\r\n Name h323-currency Format String\r\n Name ssg-account-info Format String\r\n Name ssg-service-info Format String\r\n Name ssg-command-code Format Binary\r\n Name ssg-control-info Format String\r\nMicrosoft VSA ATTRIBUTE LIST:\r\n 
Name MS-CHAP-Response Format Binary\r\n Name MS-CHAP-ERROR Format Binary\r\n Name MS-CHAP-CPW-1 Format Binary\r\n Name MS-CHAP-CPW-2 Format Binary\r\n Name MS-CHAP-LM-Enc-PW Format Binary\r\n Name MS-CHAP-NT-Enc-PW Format Binary\r\n Name MS-MPPE-Enc-Policy Format Binary\r\n Name MS-MPPE-Enc-Type Format Binary\r\n Name MS-RAS-Vendor Format String\r\n Name MS-CHAP-DOMAIN Format String\r\n Name MSCHAP_Challenge Format Binary\r\n Name MS-CHAP-MPPE-Keys Format Binary\r\n Name MS-BAP-Usage Format Binary\r\n Name MS-Link-Util-Thresh Format Binary\r\n Name MS-Link-Drop-Time-Limit Format Binary\r\n Name MS-MPPE-Send-Key Format Binary\r\n Name MS-MPPE-Recv-Key Format Binary\r\n Name MS-RAS-Version Format String\r\n Name MS-Old-ARAP-Password Format Binary\r\n Name New-ARAP-Password Format Binary\r\n Name MS-ARAP-PW-Change-Reason Format Binary\r\n Name MS-Filter Format Binary\r\n Name MS-Acct-Auth-Type Format Binary\r\n Name MS-MPPE-EAP-Type Format Binary\r\n Name MS-CHAP-V2-Response Format Binary\r\n Name MS-CHAP-V2-Success Format String\r\n Name MS-CHAP-CPW-2 Format Binary\r\n Name MS-Primary-DNS Format IPv4 Address\r\n Name MS-Secondary-DNS Format IPv4 Address\r\n Name MS-1st-NBNS-Server Format IPv4 Address\r\n Name MS-2nd-NBNS-Server Format IPv4 Address\r\n Name MS-ARAP-Challenge Format Binary\r\n3GPP VSA ATTRIBUTE LIST:\r\n Name Charging-ID Format Ulong\r\n Name PDP Type Format Enum\r\n Name Charging-Gateway-Address Format IPv4 Address\r\n Name GPRS-QoS-Profile Format String\r\n Name SGSN-Address Format IPv4 Address\r\n Name GGSN-Address Format IPv4 Address\r\n Name IMSI-MCC-MNC Format String\r\n Name GGSN-MCC-MNC Format String\r\n Name NSAPI Format String\r\n Name Session-Stop-Ind Format Binary\r\n Name Selection-Mode Format String\r\n Name Charging-Characteristics Format String\r\n3GPP2 VSA ATTRIBUTE LIST:\r\n Name cdma-reverse-tnl-spec Format Ulong\r\n Name cdma-diff-svc-class-opt Format Ulong\r\n Name cdma-container Format String\r\n Name cdma-ha-ip-addr Format IPv4 
Address\r\n Name cdma-pcf-ip-addr Format IPv4 Address\r\n Name cdma-bs-msc-addr Format String\r\n Name cdma-user-id Format Ulong\r\n Name cdma-forward-mux Format Ulong\r\n Name cdma-reverse-mux Format Ulong\r\n Name cdma-forward-rate Format Ulong\r\n Name cdma-reverse-rate Format Ulong\r\n Name cdma-service-option Format Ulong\r\n Name cdma-forward-type Format Ulong\r\n Name cdma-reverse-type Format Ulong\r\n Name cdma-frame-size Format Ulong\r\n Name cdma-forward-rc Format Ulong\r\n Name cdma-reverse-rc Format Ulong\r\n Name cdma-ip-tech Format Ulong\r\n Name cdma-comp-flag Format Enum\r\n Name cdma-reason-ind Format Enum\r\n Name cdma-bad-frame-count Format Ulong\r\n Name cdma-num-active Format Ulong\r\n Name cdma-sdb-input-octets Format Ulong\r\n Name cdma-sdb-output-octets Format Ulong\r\n Name cdma-numsdb-input Format Ulong\r\n Name cdma-numsdb-output Format Ulong\r\n Name cdma-ip-qos Format Ulong\r\n Name cdma-airlink-qos Format Ulong\r\n Name cdma-rp-session-id Format Ulong\r\n Name cdma-hdlc-layer-bytes-in Format Ulong\r\n Name cdma-correlation-id Format String\r\n Name cdma-moip-inbound Format Ulong\r\n Name cdma-moip-outbound Format Ulong\r\n Name cdma-session-continue Format Ulong\r\n Name cdma-active-time Format Ulong\r\n Name cdma-frame-size Format Ulong\r\n Name cdma-esn Format String\r\n Name cdma-mn-ha-spi Format Ulong\r\n Name cdma-mn-ha-shared-key Format Binary\r\n Name cdma-sess-term-capability Format Ulong\r\n Name cdma-disconnect-reason Format Ulong\r\nVerizon VSA ATTRIBUTE LIST:\r\n Name mip-key-data Format Binary\r\n Name aaa-authenticator Format Binary\r\n Name public-key-invalid Format Binary\r\nThe table below describes the significant fields shown in the display.\r\nTable 39. show radius table attributes Field Descriptions\r\nField Description\r\nUser-Name The name of the user on the system. 
The format is String.\r\nUser-Password The password of the user on the system. The format is Binary.\r\nCHAP-Password Challenge Handshake Authentication Protocol (CHAP) password. The format is Binary.\r\nNAS-IP-Address Network-Attached Storage (NAS) IP address. The format is IPv4 Address.\r\nNAS-Port\r\nThe RADIUS Attribute 5 (NAS-Port) format specified on a per-server group level. The\r\nformat is Ulong.\r\nService-Type Sets the service type. The format is Enum.\r\nFramed-Protocol\r\nIndicates the framing to be used for framed access. It may be used in both Access-Request\r\nand Access-Accept packets. The format is Enum.\r\nFramed-IP-Address\r\nIndicates the address to be configured for the user. It may be used in Access-Accept\r\npackets. The format is IPv4 Address.\r\nFramed-IP-Netmask\r\nIndicates the IP netmask to be configured for the user when the user is a router to a\r\nnetwork. The format is IPv4 Address.\r\nFramed-Routing\r\nIndicates the routing method for the user when the user is a router to a network. The format\r\nis Ulong.\r\nFilter-Id To disable, enable, get, or set a filter, the filter ID must be valid. The format is Binary.\r\nFramed-MTU\r\nIndicates the maximum transmission unit to be configured for the user, when it is not\r\nnegotiated by some other means (such as PPP). The format is Ulong.\r\nFramed-Compression Indicates a compression protocol to be used for the link. The format is Enum.\r\nlogin-ip-addr-host\r\nIndicates the host to which the user will connect when the Login-Service attribute is\r\nincluded. The format is IPv4 Address.\r\nLogin-Service\r\nThe Login-IP-Host AVP (AVP Code 14) is of type Address and contains the system with\r\nwhich to connect the user, when the Login-Service AVP is included. 
The format is Enum.\r\nlogin-tcp-port\r\nThe Login-TCP-Port AVP (AVP Code 16) is of type Integer32 and contains the TCP port\r\nwith which the user is to be connected, when the Login-Service AVP is also present. The\r\nformat is Ulong.\r\nReply-Message Indicates text that may be displayed to the user. The format is Binary.\r\nCallback-Number Indicates a dialing string to be used for callback. The format is String.\r\nFramed-Route\r\nProvides routing information to be configured for the user on the NAS. The format is\r\nString.\r\nFramed-IPX-Network\r\nThe Framed-IPX-Network AVP (AVP Code 23) is of type Unsigned32, and contains the\r\nIPX Network number to be configured for the user. The format is IPv4 Address.\r\nState\r\nIs available to be sent by the server to the client in an Access-Challenge and must be sent\r\nunmodified from the client to the server in the new Access-Request reply to that challenge,\r\nif any. The format is Binary.\r\nClass Is available to be sent by the server to the client in an Access-Accept and should be sent\r\nunmodified by the client to the accounting server as part of the Accounting-Request packet\r\nif accounting is supported. The format is Binary.\r\nVendor-Specific\r\nIs available to allow vendors to support their own extended attributes not suitable for\r\ngeneral usage. The format is Binary.\r\nSession-Timeout\r\nSets the maximum number of seconds of service to be provided to the user before\r\ntermination of the session or prompt. The format is Ulong.\r\nIdle-Timeout\r\nSets the maximum number of consecutive seconds of idle connection allowed to the user\r\nbefore termination of the session or prompt. The format is Ulong.\r\nTermination-Action\r\nIndicates what action the NAS should take when the specified service is completed. 
The\r\nformat is Boolean.\r\nCalled-Station-Id\r\nThe Called-Station-Id AVP (AVP Code 30) is of type String and allows the NAS to send in\r\nthe request the phone number that the user called, using Dialed Number Identification\r\n(DNIS) or a similar technology. The format is String.\r\nCalling-Station-Id\r\nThe Calling-Station-Id AVP (AVP Code 31) is of type String and allows the NAS to send in\r\nthe request the phone number that the call came from, using Automatic Number\r\nIdentification (ANI) or a similar technology. The format is String.\r\nNas-Identifier Contains a string identifying the NAS originating the access request. The format is String.\r\nAcct-Status-Type\r\nIndicates whether this Accounting-Request marks the beginning of the user service (Start)\r\nor the end (Stop). The format is Enum.\r\nAcct-Delay-Time\r\nIndicates how many seconds the client has been trying to send this record for, and can be\r\nsubtracted from the time of arrival on the server to find the approximate time of the event\r\ngenerating this Accounting-Request. (Network transit time is ignored.) The format is\r\nUlong.\r\nAcct-Input-Octets\r\nIndicates how many octets have been received from the port over the course of this service\r\nbeing provided, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.\r\nAcct-Output-Octets\r\nIndicates how many octets have been sent to the port in the course of delivering this\r\nservice, and can only be present in Accounting-Request records where Acct-Status-Type is\r\nset to Stop. The format is Ulong.\r\nAcct-Session-Id\r\nIs a unique accounting ID to make it easy to match start and stop records in a log file. 
The\r\nformat is String.\r\nAcct-Authentic\r\nIndicates how the user was authenticated, whether by RADIUS, the NAS itself, or another\r\nremote authentication protocol. It may be included in an Accounting-Request. The format is\r\nEnum.\r\nAcct-Session-Time\r\nIndicates how many seconds the user has received service for, and can only be present in\r\nAccounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.\r\nAcct-Input-Packets\r\nIndicates how many packets have been received from the port over the course of this\r\nservice being provided to a framed user, and can only be present in Accounting-Request\r\nrecords where Acct-Status-Type is set to Stop. The format is Ulong.\r\nAcct-Output-Packets\r\nIndicates how many packets have been sent to the port in the course of delivering this\r\nservice to a framed user, and can only be present in Accounting-Request records where\r\nAcct-Status-Type is set to Stop. The format is Ulong.\r\nAcct-Terminate-Cause\r\nIndicates how the session was terminated, and can only be present in Accounting-Request\r\nrecords where Acct-Status-Type is set to Stop. The format is Enum.\r\nMultilink-Session-ID\r\nIndicates the service to use to connect the user to the login host. It is only used in Access-Accept packets. The format is String.\r\nAcct-Link-Count\r\nGives the count of links which are known to have been in a given multilink session at the\r\ntime the accounting record is generated. The format is Ulong.\r\nAcct-Input-Giga-Words\r\nIndicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the\r\ncourse of this service being provided, and can only be present in Accounting-Request\r\nrecords where the Acct-Status-Type is set to Stop or Interim-Update. 
The format is Ulong.\r\nAcct-Output-Giga-Words\r\nIndicates how many times the Acct-Output-Octets counter has wrapped around 2^32 in the\r\ncourse of delivering this service, and can only be present in Accounting-Request records\r\nwhere the Acct-Status-Type is set to Stop or Interim-Update. The format is Ulong.\r\nEvent-Timestamp\r\nUsed to include the Event-Timestamp attribute in Acct-Start or Acct-Stop messages. The\r\nformat is Ulong.\r\nCHAP-Challenge\r\nThe CHAP is used to verify periodically the identity of the peer using a 3-way handshake.\r\nThe format is Binary.\r\nNAS-Port-Type\r\nIndicates the physical port number of the NAS which is authenticating the user. The format\r\nis Enum.\r\nPort-Limit\r\nSets the maximum number of ports to be provided to the user by the NAS. The format is\r\nUlong.\r\nTunnel-Type\r\nIndicates the tunneling protocol(s) to be used (in the case of a tunnel initiator) or the\r\ntunneling protocol in use (in the case of a tunnel terminator). The format is Enum.\r\nTunnel-Medium-Type\r\nIndicates which transport medium to use when creating a tunnel for those protocols (such as\r\nL2TP) that can operate over multiple transports. The format is Enum.\r\nTunnel-Client-Endpoint Contains the address of the initiator end of the tunnel. The format is String.\r\nTunnel-Server-Endpoint Indicates the address of the server end of the tunnel. The format is String.\r\nAcct-Tunnel-Connection Indicates the identifier assigned to the tunnel session. The format is String.\r\nTunnel-Password Can contain a password to be used to authenticate to a remote server. The format is Binary.\r\nPrompt\r\nUsed only in Access-Challenge packets, and indicates to the NAS whether it should echo\r\nthe user's response as it is entered, or not echo it. 
The format is Enum.\r\nConnect-Info Is sent from the NAS to indicate the nature of the user's connection. The format is String.\r\nEAP-Message\r\nEncapsulates Extensible Authentication Protocol packets so as to allow the NAS to\r\nauthenticate dial-in users via EAP without having to understand the protocol. The format is\r\nBinary.\r\nMessage-Authenticator\r\nCan be used to authenticate and integrity-protect Access-Requests in order to prevent\r\nspoofing. The format is Binary.\r\nTunnel-Private-Group-Id Indicates the group ID for a particular tunneled session. The format is String.\r\nTunnel-Assignment-Id\r\nUsed to indicate to the tunnel initiator the particular tunnel to which a session is to be\r\nassigned. The format is String.\r\nTunnel-Preference\r\nShould be included in each set to indicate the relative preference assigned to each tunnel if\r\nmore than one set of tunneling attributes is returned by the RADIUS server to the tunnel\r\ninitiator. The format is Ulong.\r\nAcct-Interim-Interval\r\nIndicates the number of seconds between each interim update for this specific\r\nsession. The format is Ulong.\r\nTunnel-Packets-Lost Indicates the number of packets lost on a given link. The format is Ulong.\r\nNAS-Port-Id\r\nUsed to identify the IEEE 802.1X Authenticator port which authenticates the Supplicant.\r\nThe format is String.\r\nTunnel-Client-Auth-ID\r\nSpecifies the name used by the tunnel initiator during the authentication phase of tunnel\r\nestablishment. The format is String.\r\nTunnel-Server-Auth-ID\r\nSpecifies the name used by the tunnel terminator during the authentication phase of tunnel\r\nestablishment. The format is String.\r\nFramed-Interface-Id Indicates the IPv6 interface identifier to be configured for the user. 
The format is Binary.\r\nFramed-IPv6-Prefix\r\nIndicates an IPv6 prefix (and corresponding route) to be configured for the user. The format\r\nis Binary.\r\nFramed-IPv6-Route\r\nProvides routing information to be configured for the user on the NAS. The format is\r\nString.\r\nFramed-IPv6-Pool\r\nContains the name of an assigned pool that should be used to assign an IPv6 prefix for the\r\nuser. The format is String.\r\nDynamic-Author-Error-Cause\r\nSpecifies the error causes associated with dynamic authorization. The format is Enum.\r\nOld-Password\r\nIs 16 octets in length. It contains the encrypted LAN Manager hash of the old password. The\r\nformat is Binary.\r\nAscend-Filter-Required\r\nSpecifies whether the call should be permitted if the specified filter is not found. If present,\r\nthis attribute will be applied after any authentication, authorization, and accounting (AAA)\r\nfilter method-list. The format is Enum.\r\nAscend-Cache-Refresh\r\nSpecifies whether cache entries should be refreshed each time an entry is referenced by a\r\nnew session. This attribute corresponds to the cache refresh command. The format is Enum.\r\nAscend-Cache-Time\r\nSpecifies the idle time out, in minutes, for cache entries. This attribute corresponds to the\r\ncache clear age command. The format is Ulong.\r\nAscend-Auth-Type Indicates the type of name and password (PPP) authorization to use. The format is Ulong.\r\nAscend-Redirect-Number\r\nIndicates the original number in the information sent to the authentication server when the\r\nnumber dialed by a device is redirected to another number for authentication. The format is\r\nString.\r\nAscend-Private-Route Specifies whether IP routing is allowed for the user profile. 
The format is String.\r\nAscend-Shared-Profile-Enable Specifies whether multiple incoming callers can share a single RADIUS user profile. The\r\nformat is Boolean.\r\nAscend-Client-Primary-DNS Specifies a primary DNS server address to send to any client connecting to the MAX TNT.\r\nThe format is IPv4 Address.\r\nAscend-Client-Secondary-DNS Specifies a secondary DNS server address to send to any client connecting to the MAX\r\nTNT. The format is IPv4 Address.\r\nAscend-Client-Assign-DNS Specifies whether or not the MAX TNT sends the Ascend-Client-Primary-DNS and\r\nAscend-Client-Secondary-DNS values during connection negotiation. The format is Ulong.\r\nAscend-Session-Svr-Key Specifies the session key that identifies the user session. You can specify up to 16\r\ncharacters. The default value is null. The format is String.\r\nAscend-Multicast-Rate-Limit Specifies how many seconds the MAX waits before accepting another packet from the\r\nmulticast client. The format is Ulong.\r\nAscend-Multicast-Client Specifies whether the user is a multicast client of the MAX. The format is Ulong.\r\nAscend-Multilink-Session-ID Specifies the ID number of the Multilink bundle when the session closes. A Multilink\r\nbundle is a multichannel MP or MP+ call. The format is Ulong.\r\nAscend-Num-In-Multilink Indicates the number of sessions remaining in a Multilink bundle when the session closes.\r\nA Multilink bundle is a multichannel MP or MP+ call. The format is Ulong.\r\nAscend-Presession-Octets-In\r\nReports the number of octets received before authentication. The value reflects only the\r\ndata delivered by PPP or other encapsulation. It does not include the header or other\r\nprotocol-dependent components of the packet. The format is Ulong.\r\nAscend-Presession-Octets-Out\r\nReports the number of octets transmitted before authentication. The value reflects only the\r\ndata delivered by PPP or other encapsulation. 
It does not include the header or other\r\nprotocol-dependent components of the packet. The format is Ulong.\r\nAscend-Presession-Packets-In\r\nReports the number of packets received before authentication. The packets are counted\r\nbefore the encapsulation is removed. The attribute's value does not include maintenance\r\npackets, such as keepalive or management packets. The format is Ulong.\r\nAscend-Presession-Packets-Out\r\nReports the number of packets transmitted before authentication. The packets are counted\r\nbefore the encapsulation is removed. The attribute's value does not include maintenance\r\npackets, such as keepalive or management packets. The format is Ulong.\r\nAscend-Max-Time\r\nSpecifies the maximum length of time in seconds that any session can remain online. Once\r\na session reaches the time limit, its connection goes offline. The format is Ulong.\r\nAscend-Disconnect-Cause\r\nIndicates the reason a connection went offline. The format is Enum.\r\nAscend-Connection-Progress\r\nIndicates the state of the connection before it disconnects. The format is Enum.\r\nAscend-Data-Rate\r\nSpecifies the rate of data received on the connection in bits per second. The format is\r\nUlong.\r\nAscend-Presession-Time\r\nReports the length of time in seconds from when a call connected to when it completes\r\nauthentication. The format is Ulong.\r\nAscend-Require-Auth\r\nSpecifies whether the MAX TNT requires additional authentication after Calling-Line ID\r\n(CLID) or called-number authentication. The format is Ulong.\r\nAscend-PW-Liftime Specifies the number of days that a password is valid. The format is Ulong.\r\nAscend-IP-Direct\r\nSpecifies the IP address to which the MAX TNT redirects packets from the user. 
When you\r\ninclude this attribute in a user profile, the MAX TNT bypasses all internal routing tables,\r\nand simply sends all packets it receives on the connection's WAN interface to the specified\r\nIP address. The format is IPv4 Address.\r\nAscend-PPP-VJ-Slot-Comp Instructs the MAX TNT to not use slot compression when sending VJ-compressed packets.\r\nThe format is Boolean.\r\nAscend-Asyncmap The format is Ulong.\r\nAscend-Send-Secret\r\nSpecifies the password that the RADIUS server sends to the remote end of a connection on\r\nan outgoing call. It is encrypted when passed between the RADIUS server and the MAX\r\nTNT. The format is Binary.\r\nAscend_pool_definition Specifies all the addresses in the pool. The format is String.\r\nAscend-IP-Pool\r\nSpecifies the first address in an IP address pool, as well as the number of addresses in the\r\npool. The format is Ulong.\r\nAscend-Dial-Number\r\nSpecifies the phone number the MAX TNT dials to reach the router or node at the remote\r\nend of the link. The format is String.\r\nAscend-Route-IP Specifies whether IP routing is allowed for the user profile. The format is Boolean.\r\nAscend-Send-Auth\r\nSpecifies the authentication protocol that the MAX TNT requests when initiating a PPP or\r\nMP+ connection. The answering side of the connection determines which authentication\r\nprotocol, if any, the connection uses. The format is Enum.\r\nAscend-Link-Compression\r\nTurns data compression on or off for a PPP link. The format is Enum.\r\nAscend-Target-Util\r\nSpecifies the percentage of bandwidth use at which the MAX TNT adds or subtracts\r\nbandwidth. The format is Ulong.\r\nAscend-Max-Channels Specifies the maximum number of channels allowed on an MP+ call. The format is Ulong.\r\nAscend-Data-Filter\r\nSpecifies the characteristics of a data filter in a RADIUS user profile. 
The MAX TNT uses\r\nthe filter only when it places or receives a call associated with the profile that includes the\r\nfilter definition. The format is Binary.\r\nAscend-Call-Filter\r\nSpecifies the characteristics of a call filter in a RADIUS user profile. The MAX TNT uses\r\nthe filter only when it places a call or receives a call associated with the profile that\r\nincludes the filter definition. The format is Binary.\r\nAscend-Idle-Limit\r\nSpecifies the number of seconds the MAX TNT waits before clearing a call when a session\r\nis inactive. The format is Ulong.\r\nAscend-Data-Service Specifies the type of data service the link uses for outgoing calls. The format is Ulong.\r\nAscend-Force-56\r\nIndicates whether the MAX uses only the 56-kbps portion of a channel, even when all 64-kbps\r\nappear to be available. The format is Ulong.\r\nAscend-Xmit-Rate\r\nSpecifies the rate of data transmitted on the connection in bits per second. For ISDN calls,\r\nAscend-Xmit-Rate indicates the transmit data rate. For analog calls, it indicates the modem\r\nbaud rate at the time of the initial connection. The format is Ulong.\r\nCisco AVpair\r\nThe Cisco RADIUS implementation supports one vendor-specific option using the format\r\nrecommended in the specification. Cisco's vendor-ID is 9, and the supported option has\r\nvendor-type 1, which is named \"cisco-avpair\". The format is String.\r\ncisco-nas-port Enables the display of physical interface information and parent interface details as part of\r\nthe cisco-nas-port vendor-specific attribute (VSA) for login calls. The format is\r\nString.\r\nfax_account_id_origin\r\nIndicates the account ID origin as defined by system administrator for the mmoip aaa\r\nreceive-id or the mmoip aaa send-id command. 
The format is String.\r\nfax_msg_id\r\nIndicates a unique fax message identification number assigned by Store and Forward Fax.\r\nThe format is String.\r\nfax_pages\r\nIndicates the number of pages transmitted or received during this fax session. This page\r\ncount includes cover pages. The format is String.\r\nfax_modem_time\r\nIndicates the amount of time in seconds the modem sent fax data (x) and the amount of time\r\nin seconds of the total fax session (y), which includes both fax-mail and PSTN time, in the\r\nform x/y. For example, 10/15 means that the transfer time took 10 seconds, and the total fax\r\nsession took 15 seconds. The format is String.\r\nfax_connect_speed\r\nIndicates the modem speed at which this fax-mail was initially transmitted or received.\r\nPossible values are 1200, 4800, 9600, and 14400. The format is String.\r\nfax_mdn_address\r\nIndicates the address to which message delivery notifications (MDNs) will be sent. The\r\nformat is String.\r\nfax_mdn_flag\r\nIndicates whether or not MDNs have been enabled. True indicates that MDN had been\r\nenabled; false means that MDN had not been enabled. The format is String.\r\nfax_auth_status\r\nIndicates whether or not authentication for this fax session was successful. Possible values\r\nfor this field are success, failed, bypassed, or unknown. The format is String.\r\nemail_server_address\r\nIndicates the IP address of the e-mail server handling the on-ramp fax-mail message. The\r\nformat is String.\r\nemail_server_ack_flag\r\nIndicates that the on-ramp gateway has received a positive acknowledgment from the e-mail server accepting the fax-mail message. The format is String.\r\ngateway_id\r\nIndicates the name of the gateway that processed the fax session. The name appears in the\r\nfollowing format: hostname.domain-name. The format is String.\r\ncall_type Describes the type of fax activity: fax receive or fax send. 
The format is String.\r\nport_used\r\nIndicates the slot/port number of the Cisco AS5300 used to either transmit or receive this\r\nfax-mail. The format is String.\r\nabort_cause\r\nIf the fax session terminates, it indicates the system component that signaled the\r\ntermination. Examples of system components that could trigger a termination are FAP (Fax\r\nApplication Process), TIFF (the TIFF reader or the TIFF writer), fax-mail client, fax-mail\r\nserver, ESMTP client, or ESMTP server. The format is String.\r\nh323-remote-address Indicates the IP address of the remote gateway. The format is String.\r\nConf-Id\r\nIndicates a unique call identifier generated by the gateway. Used to identify the separate\r\nbillable events (calls) within a single calling session. The format is String.\r\nh323-setup-time\r\nIndicates the setup time in NTP format: hour, minutes, seconds, microseconds, time_zone,\r\nday, month, day_of_month, year. The format is String.\r\nh323-call-origin\r\nIndicates the gateway's behavior in relation to the connection that is active for this leg. The\r\nformat is String.\r\nh323-call-type Indicates the protocol type or family used on this leg of the call. The format is String.\r\nh323-connect-time\r\nIndicates the connect time in Network Time Protocol (NTP) format: hour, minutes, seconds,\r\nmicroseconds, time_zone, day, month, day_of_month, and year. The format is String.\r\nh323-disconnect-time\r\nIndicates the disconnect time in NTP format: hour, minutes, seconds, microseconds,\r\ntime_zone, day, month, day_of_month, year. The format is String.\r\nh323-disconnect-cause\r\nIndicates the Q.931 disconnect cause code retrieved from CCAPI. The source of the code is\r\nthe disconnect location such as a PSTN, terminating gateway, or SIP. The format is String.\r\nh323-voice-quality Indicates the ICPIF of the voice quality. 
The format is String.\r\nh323-gw-id Indicates the name of the tenor. The format is String.\r\nCisco AVpair\r\nThe Cisco RADIUS implementation supports one vendor-specific option using the format\r\nrecommended in the specification. Cisco's vendor-ID is 9, and the supported option has\r\nvendor-type 1, which is named \"cisco-avpair\". The format is String.\r\nCisco encrypted string vsa\r\nCisco allows several forms of sub-attribute encryption. The only method supported is the\r\nCisco Encrypted String VSA Format also supported by an IETF draft for Salt-Encryption of\r\nRADIUS attributes. The format is String.\r\nSub_Policy_In Defines the service policy input. The format is String.\r\nSub_Policy_Out Defines the service policy output. The format is String.\r\nh323-credit-amount Indicates the amount of credit (in currency) that the account contains. The format is String.\r\nh323-credit-time Indicates the number of seconds for which the call is authorized. The format is String.\r\nh323-return-code\r\nReturn codes are instructions from the RADIUS server to the voice gateway. The format is\r\nString.\r\nh323-prompt-id Indexes into an array that selects prompt files used at the gateway. The format is String.\r\nh323-time-and-day\r\nIndicates the time of day at the dialed number or at the remote gateway in the format: hour,\r\nminutes, seconds. The format is String.\r\nh323-redirect-number\r\nIndicates the phone number to which the call is redirected; for example, to a toll-free\r\nnumber or a customer service number. The format is String.\r\nh323-preferred-lang\r\nIndicates the language to use when playing the audio prompt specified by the h323-prompt-id. The format is String.\r\nh323-redirect-ip-address Indicates the IP address for an alternate or redirected call. 
The format is String.\r\nh323-billing-model Indicates the type of billing service for a specific call. The format is String.\r\nh323-currency Indicates the currency to use with h323-credit-amount. The format is String.\r\nssg-account-info\r\nSubscribes the subscriber to the specified service and indicates that the subscriber should be\r\nautomatically connected to this service after successful logon. The format is String.\r\nssg-service-info\r\nSSG redirects the user's HTTP traffic to a server in the specified server group. All the\r\nservice features (such as quality of service (QoS) and prepaid billing) are applied to the\r\nHTTP traffic. The format is String.\r\nssg-command-code\r\nSpecifies account logon and logoff, session query, and service activate and deactivate\r\ninformation. The format is Binary.\r\nssg-control-info Indicates the control-info code for prepaid quota. The format is String.\r\nMS-CHAP-Response\r\nThis attribute contains the response value provided by a PPP Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) user in response to the challenge. The\r\nformat is Binary.\r\nMS-CHAP-ERROR Contains error data related to the preceding MS-CHAP exchange. The format is Binary.\r\nMS-CHAP-CPW-1 Allows the user to change their password if it has expired. The format is Binary.\r\nMS-CHAP-CPW-2 Allows the user to change their password if it has expired. The format is Binary.\r\nMS-CHAP-LM-Enc-PW\r\nContains the new Windows NT password encrypted with the old LAN Manager password\r\nhash. The format is Binary.\r\nMS-CHAP-NT-Enc-PW\r\nContains the new Windows NT password encrypted with the old Windows NT password\r\nhash. The format is Binary.\r\nMS-MPPE-Enc-Policy\r\nThe MS-MPPE-Encryption-Policy attribute may be used to signify whether the use of\r\nencryption is allowed or required. 
The format is Binary.\r\nMS-MPPE-Enc-Type\r\nThe MS-MPPE-Encryption-Types attribute is used to signify the types of encryption\r\navailable for use with Microsoft Point-to-Point Encryption (MPPE). The format is Binary.\r\nMS-RAS-Vendor Used to indicate the manufacturer of the RADIUS client machine. The format is Binary.\r\nMS-CHAP-DOMAIN\r\nIndicates the Windows NT domain in which the user was authenticated. The format is\r\nBinary.\r\nMSCHAP_Challenge Contains the challenge sent by a NAS to an MS-CHAP user. The format is Binary.\r\nMS-CHAP-MPPE-Keys Contains two session keys for use by the MPPE. The format is Binary.\r\nMS-BAP-Usage\r\nDescribes whether the use of Bandwidth Allocation Protocol (BAP) is allowed, disallowed\r\nor required on new multilink calls. The format is Binary.\r\nMS-Link-Util-Thresh\r\nRepresents the percentage of available bandwidth utilization below which the link must fall\r\nbefore the link is eligible for termination. The format is Binary.\r\nMS-Link-Drop-Time-Limit Indicates the length of time (in seconds) that a link must be underutilized before it is\r\ndropped. The format is Binary.\r\nMS-MPPE-Send-Key Contains a session key for use by the MPPE. The format is Binary.\r\nMS-MPPE-Recv-Key Contains a session key for use by the MPPE. The format is Binary.\r\nMS-RAS-Version Used to indicate the version of the RADIUS client software. The format is Binary.\r\nMS-Old-ARAP-Password Used to transmit the old Apple Remote Access Protocol (ARAP) password during an ARAP\r\npassword change operation. The format is Binary.\r\nNew-ARAP-Password\r\nUsed to transmit the new ARAP password during an ARAP password change operation.\r\nThe format is Binary.\r\nMS-ARAP-PW-Change-Reason\r\nUsed to indicate the reason for a server-initiated password change. The format is Binary.\r\nMS-Filter Used to transmit traffic filters. 
The format is Binary.\r\nMS-Acct-Auth-Type Used to represent the method used to authenticate the dial-up user. The format is Binary.\r\nMS-MPPE-EAP-Type Used to represent the EAP type used to authenticate the dial-up user. The format is Binary.\r\nMS-CHAP-V2-Response\r\nThis attribute is identical in format to the standard CHAP Response packet. The format is\r\nBinary.\r\nMS-CHAP-V2-Success\r\nContains a 42-octet authenticator response string and must be included in the Message field\r\npacket sent from the NAS to the peer. The format is Binary.\r\nMS-CHAP-CPW-2 Allows the user to change their password if it has expired. The format is Binary.\r\nMS-Primary-DNS\r\nUsed to indicate the address of the primary DNS server to be used by the PPP peer. The\r\nformat is IPv4 Address.\r\nMS-Secondary-DNS\r\nUsed to indicate the address of the secondary DNS server to be used by the PPP peer. The\r\nformat is IPv4 Address.\r\nMS-1st-NBNS-Server\r\nUsed to indicate the address of the primary NetBIOS Name Server (NBNS) server to be\r\nused by the PPP peer. The format is IPv4 Address.\r\nMS-2nd-NBNS-Server\r\nUsed to indicate the address of the secondary NBNS server to be used by the PPP peer. The\r\nformat is IPv4 Address.\r\nMS-ARAP-Challenge\r\nOnly present in an Access-Request packet containing a Framed-Protocol Attribute with the\r\nvalue 3 (ARAP). The format is Binary.\r\nCharging-ID\r\nGenerated for each activated context. It is a unique four-octet value generated by the GGSN\r\nwhen a PDP Context is activated. 
The format is Ulong.\r\nPDP Type\r\nIndicates the Packet Data Protocol (PDP) to be used by the mobile for a certain service.\r\nThe format is Enum.\r\nCharging-Gateway-Address\r\nThe IP address of the recommended Charging Gateway Functionality to which the SGSN\r\nshould transfer the Charging Detail Records (CDR) for this PDP Context. The format is\r\nIPv4 Address.\r\nGPRS-QoS-Profile Controls the QoS negotiated values. The format is String.\r\nSGSN-Address\r\nThis is the IP address of the SGSN that is used by the GTP control plane for handling\r\ncontrol messages. The format is IPv4 Address.\r\nGGSN-Address\r\nIP address of the GGSN that is used by the GTP control plane for the context establishment.\r\nThis address is the same as the GGSN IP address used in G-CDRs. The format is IPv4\r\nAddress.\r\nIMSI-MCC-MNC\r\nThe MCC and MNC extracted from the user's IMSI number (the first 5 or 6 digits\r\ndepending on the IMSI). The format is String.\r\nGGSN-MCC-MNC The MCC and MNC of the network to which the GGSN belongs. The format is String.\r\nNSAPI\r\nIdentifies a particular PDP context for the associated PDN and MSISDN/IMSI from\r\ncreation to deletion. The format is String.\r\nSession-Stop-Ind\r\nIndicates to the AAA server that the last PDP context of a session is released and that the\r\nPDP session has been terminated. The format is Binary.\r\nSelection-Mode\r\nContains the selection mode for this PDP Context received in the Create PDP Context\r\nRequest Message. The format is String.\r\nCharging-Characteristics\r\nContains the charging characteristics for this PDP Context received in the Create PDP\r\nContext Request Message (only available in R99 and later releases). The format is String.\r\ncdma-reverse-tnl-spec\r\nIndicates the style of reverse tunneling that is required, and optionally appears in a\r\nRADIUS Access-Accept message. 
The format is Ulong.\r\ncdma-diff-svc-class-opt\r\nThis attribute is deprecated and is replaced by the Allowed Differentiated Services Marking\r\nattribute. The Home RADIUS server authorizes differentiated services via the\r\nDifferentiated Services Class Options attribute, and optionally appears in a RADIUS\r\nAccess-Accept message. The format is Ulong.\r\ncdma-container\r\nContains embedded 3GPP2 VSAs and/or RADIUS accounting attributes. The format is\r\nString.\r\ncdma-ha-ip-addr\r\nA Home Agent (HA) IP address used during a MIP session by the user as defined in IETF\r\nRFC 2002. The format is IPv4 Address.\r\ncdma-pcf-ip-addr\r\nThe IP address of the serving PCF (the PCF in the serving RN). The format is IPv4\r\nAddress.\r\ncdma-bs-msc-addr The Base Station (BS) Mobile Switching Center (MSC) address. The format is String.\r\ncdma-user-id The name of the user on the system. The format is Ulong.\r\ncdma-forward-mux Forwards FCH multiplex option. The format is Ulong.\r\ncdma-reverse-mux Reverses FCH multiplex option. The format is Ulong.\r\ncdma-forward-rate\r\nThe format and structure of the radio channel in the forward Dedicated Control Channel. A\r\nset of forward transmission formats that are characterized by data rates, modulation\r\ncharacterized, and spreading rates. The format is Ulong.\r\ncdma-reverse-rate\r\nThe format and structure of the radio channel in the reverse Dedicated Control Channel. A\r\nset of reverse transmission formats that are characterized by data rates, modulation\r\ncharacterized, and spreading rates. The format is Ulong.\r\ncdma-service-option\r\nCode Division Multiple Access (CDMA) service option as received from the RN. The\r\nformat is Ulong.\r\ncdma-forward-type Forward direction traffic type. It is either Primary or Secondary. 
The format is Ulong.\r\ncdma-reverse-type Reverse direction traffic type. It is either Primary or Secondary. The format is Ulong.\r\ncdma-frame-size Specifies the Fundamental Channel (FCH) frame size. The format is Ulong.\r\ncdma-forward-rc\r\nThe format and structure of the radio channel in the forward FCH. A set of forward\r\ntransmission formats that are characterized by data rates, modulation characterized, and\r\nspreading rates. The format is Ulong.\r\ncdma-reverse-rc\r\nThe format and structure of the radio channel in the reverse FCH. A set of reverse\r\ntransmission formats that are characterized by data rates, modulation characterized, and\r\nspreading rates. The format is Ulong.\r\ncdma-ip-tech Identifies the IP technology to use for the call: Simple IP or Mobile IP. The format is Ulong.\r\ncdma-comp-flag Indicates the type of compulsory tunnel. The format is Ulong.\r\ncdma-reason-ind Indicates the reasons for a stop record. The format is Ulong.\r\ncdma-bad-frame-count\r\nThe total number of PPP frames from the MS dropped by the Packet Data Serving Node\r\n(PDSN) due to uncorrectable errors. The format is Ulong.\r\ncdma-num-active The number of active transitions. The format is Ulong.\r\ncdma-sdb-input-octets\r\nThis is the Short Data Burst (SDB) octet count reported by the RN in the SDB Airlink\r\nRecord. The format is Ulong.\r\ncdma-sdb-output-octets The SDB octet count reported by the RN in the SDB Airlink Record. The format is Ulong.\r\ncdma-numsdb-input The number of terminating SDBs. The format is Ulong.\r\ncdma-numsdb-output The number of originating SDBs. The format is Ulong.\r\ncdma-ip-qos Indicates the IP Quality of Service (QoS). The format is Ulong.\r\ncdma-airlink-qos\r\nIdentifies Airlink Priority associated with the user. This is the user's priority associated with\r\nthe packet data service. 
The format is Ulong.\r\ncdma-rp-session-id Identifies the resource reservation protocol type session identifier. The format is Ulong.\r\ncdma-hdlc-layer-bytes-in The count of all octets received in the reverse direction by the High-Level Data Link\r\nControl (HDLC) layer in the PDSN. The format is Ulong.\r\ncdma-correlation-id\r\nIndicates a unique accounting ID created by the Serving PDSN for each packet data session\r\nthat allows multiple accounting events for each associated R-P connection or P-P\r\nconnection to be correlated. The format is String.\r\ncdma-moip-inbound\r\nThis is the total number of octets in registration requests and solicitations sent by the MS.\r\nThe format is Ulong.\r\ncdma-moip-outbound\r\nThis is the total number of octets in registration replies and agent advertisements, sent to\r\nthe MS. The format is Ulong.\r\ncdma-session-continue\r\nThis attribute when set to \"true\" means it is not the end of a Session and an Accounting\r\nStop is immediately followed by an Account Start Record. \"False\" means end of a session.\r\nThe format is Ulong.\r\ncdma-active-time The total active connection time on traffic channel in seconds. The format is Ulong.\r\ncdma-frame-size Specifies the FSH frame size. The format is Ulong.\r\ncdma-esn Indicates the Electronic Serial Number (ESN). The format is String.\r\ncdma-mn-ha-spi\r\nThe SPI for the MN-HA shared key that optionally appears in a RADIUS Access-Request\r\nmessage. It is used to request an MN-HA shared key. The format is Ulong.\r\ncdma-mn-ha-shared-key\r\nA shared key for MN-HA that may appear in a RADIUS Access-Accept message. The MN-HA shared key is encrypted using a method based on the RSA Message Digest Algorithm\r\nMD5 [RFC 1321] as described in Section 3.5 of RFC 2868. 
The format is Binary.\r\ncdma-sess-term-capability\r\nThe value shall be bitmap encoded rather than a raw integer. This attribute shall be included\r\nin a RADIUS Access-Request message to the Home RADIUS server and shall contain the\r\nvalue 3 to indicate that the PDSN and HA support both Dynamic authorization with\r\nRADIUS and Registration Revocation for Mobile IPv4. The attribute shall also be included\r\nin the RADIUS Access-Accept message and shall contain the preferred resource\r\nmanagement mechanism by the home network, which shall be used for the session and may\r\ninclude values 1 to 3. The format is Ulong.\r\ncdma-disconnect-reason\r\nIndicates the reason for disconnecting the user. This attribute may be included in a\r\nRADIUS Disconnect-Request message from Home RADIUS server to the PDSN. The\r\nformat is Ulong.\r\nmip-key-data\r\nThis is the key data payload containing the encrypted MN_AAA key, MN_HA key, CHAP\r\nkey, MN_Authenticator, and AAA_Authenticator. The format is Binary.\r\naaa-authenticator\r\nThis is the 64-bit AAA_Authenticator value decrypted by the Home RADIUS AAA Server.\r\nThe format is Binary.\r\npublic-key-invalid\r\nThe home RADIUS AAA Server includes this attribute to indicate that the Public key used\r\nby the MN is not valid. 
The format is Binary.\r\nRelated Commands\r\nCommand Description\r\nshow radius Displays information about the RADIUS servers that are configured in the system.\r\nshow redundancy application asymmetric-routing\r\nTo display asymmetric routing information for a redundancy group, use the show redundancy application asymmetric-routing command in user EXEC or privileged EXEC mode.\r\nshow redundancy application asymmetric-routing {interface | tunnel} group id\r\nSyntax Description\r\ninterface Displays asymmetric routing interface information.\r\ntunnel Displays asymmetric routing tunnel information.\r\ngroup id Displays information about the redundancy group.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n15.2(3)T This command was introduced.\r\nExamples\r\nThe following is sample output from the show redundancy application asymmetric-routing interface group command:\r\nDevice# show redundancy application asymmetric-routing interface group 1\r\nAR Group ID:1 interface Ethernet1/1\r\nneighbor 10.3.3.2,\r\ntransport context:\r\n my ip 10.9.9.1, my port 53000\r\npeer ip 10.9.9.2, peer port 53000\r\nThe following is sample output from the show redundancy application asymmetric-routing tunnel group command:\r\nDevice# show redundancy application asymmetric-routing tunnel group 1\r\nGroup ID:1\r\n rii 1000, idb Ethernet1/2\r\n packet sent: 0, packet received: 0\r\n byte sent: 0, byte recv: 0\r\n encap: length 32\r\n IP :45 00 00 00 00 00 00 00 FF 11 00 00 09 09 09 01 09 09 09 02\r\n UDP:CF 08 CF 08 00 00 00 00\r\n AR :00 01 03 E8\r\nThe following table describes the significant fields shown in the displays.\r\nTable 40. 
show redundancy application asymmetric-routing Field Descriptions\r\nField Description\r\nAR Group ID The identifier for the asymmetric routing redundancy group.\r\ninterface The interface type and number.\r\nneighbor The IP address of the peer redundancy group's control interface.\r\ntransport context:\r\nThe IP address of the asymmetric routing interface and the IP address of the peer asymmetric routing\r\ninterface are displayed under the transport context.\r\nGroup ID The identifier for the asymmetric routing redundancy group.\r\nrii The redundancy interface identifier.\r\nRelated Commands\r\nCommand Description\r\nredundancy application asymmetric-routing Associates a redundancy group with an interface that is used for asymmetric\r\nrouting.\r\nshow redundancy application control-interface group\r\nTo display control interface information for a redundancy group, use the show redundancy application control-interface\r\ngroup command in privileged EXEC mode.\r\nshow redundancy application control-interface group [group-id]\r\nSyntax Description\r\ngroup-id (Optional) Redundancy group ID. 
Valid values are 1 and 2.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.1S This command was introduced.\r\nUsage Guidelines\r\nThe show redundancy application control-interface command shows information for the redundancy group control\r\ninterfaces.\r\nExamples\r\nThe following is sample output from the show redundancy application control-interface command:\r\nRouter# show redundancy application control-interface group 2\r\nThe control interface for rg[2] is GigabitEthernet0/1/0\r\nInterface is Control interface associated with the following protocols: 2 1\r\nBFD Enabled\r\nInterface Neighbors:\r\nRelated Commands\r\nCommand Description\r\nshow redundancy application faults Displays fault-specific information for a redundancy group.\r\nshow redundancy application group Displays redundancy group information.\r\nshow redundancy application if-mgr Displays if-mgr information for a redundancy group.\r\nshow redundancy application protocol Displays protocol-specific information for a redundancy group.\r\nshow redundancy application data-interface\r\nTo display data interface-specific information, use the show redundancy application data-interface command in privileged\r\nEXEC mode.\r\nshow redundancy application data-interface group [group-id]\r\nSyntax Description\r\ngroup Specifies the redundancy group.\r\ngroup-id (Optional) Redundancy group ID. 
Valid values are 1 and 2.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.1S This command was introduced.\r\nUsage Guidelines\r\nThe show redundancy application data-interface command displays information about the redundancy group data interfaces.\r\nExamples\r\nThe following is sample output from the show redundancy application data-interface command:\r\nRouter# show redundancy application data-interface group 1\r\nThe data interface for rg[1] is GigabitEthernet0/1/1\r\nRelated Commands\r\nCommand Description\r\nshow redundancy application control-interface Displays control interface information for a redundancy group.\r\nshow redundancy application faults Displays fault-specific information for a redundancy group.\r\nshow redundancy application group Displays redundancy group information.\r\nshow redundancy application if-mgr Displays if-mgr information for a redundancy group.\r\nshow redundancy application protocol Displays protocol-specific information for a redundancy group.\r\nshow redundancy application faults group\r\nTo display fault-specific information for a redundancy group, use the show redundancy application faults group command in\r\nprivileged EXEC mode.\r\nshow redundancy application faults group [group-id]\r\nSyntax Description\r\ngroup-id (Optional) Redundancy group ID. 
Valid values are 1 and 2.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.1S This command was introduced.\r\nUsage Guidelines\r\nThe show redundancy application faults command shows information returned by redundancy group faults.\r\nExamples\r\nThe following is sample output from the show redundancy application faults command:\r\nRouter# show redundancy application faults group 2\r\nFaults states Group 2 info:\r\n Runtime priority: [150]\r\n RG Faults RG State: Up.\r\n Total # of switchovers due to faults: 2\r\n Total # of down/up state changes due to faults: 2\r\nRelated Commands\r\nCommand Description\r\nshow redundancy application control-interface Displays control interface information for a redundancy group.\r\nshow redundancy application group Displays redundancy group information.\r\nshow redundancy application if-mgr Displays if-mgr information for a redundancy group.\r\nshow redundancy application protocol Displays protocol-specific information for a redundancy group.\r\nshow redundancy application group\r\nTo display the redundancy group information, use the show redundancy application group command in privileged EXEC\r\nmode.\r\nshow redundancy application group [group-id | all]\r\nSyntax Description\r\ngroup-id (Optional) Redundancy group ID. 
Valid values are 1 and 2.\r\nall (Optional) Display information about all redundancy groups.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.1S This command was introduced.\r\n15.3(2)T This command was integrated into Cisco IOS Release 15.3(2)T.\r\nUsage Guidelines\r\nUse the show redundancy application group command to display the current state of each interbox redundancy group on the\r\ndevice and the peer device.\r\nExamples\r\nThe following is sample output from the show redundancy application group all command:\r\nDevice# show redundancy application group all\r\n \r\nFaults states Group 1 info:\r\n Runtime priority: [200]\r\n RG Faults RG State: Up.\r\n Total # of switchovers due to faults: 3\r\n Total # of down/up state changes due to faults: 2\r\nGroup ID:1\r\nGroup Name:grp2\r\nAdministrative State: No Shutdown\r\nAggregate operational state : Up\r\nMy Role: ACTIVE\r\nPeer Role: UNKNOWN\r\nPeer Presence: No\r\nPeer Comm: No\r\nPeer Progression Started: No\r\nRF Domain: btob-one\r\n RF state: ACTIVE\r\n Peer RF state: DISABLED\r\nRG Protocol RG 1\r\n------------------\r\n Role: Active\r\n Negotiation: Enabled\r\n Priority: 200\r\n Protocol state: Active\r\n Ctrl Intf(s) state: Down\r\n Active Peer: Local\r\n Standby Peer: Not exist\r\n Log counters:\r\n role change to active: 2\r\n role change to standby: 0\r\n disable events: rg down state 1, rg shut 0\r\n ctrl intf events: up 0, down 2, admin_down 1\r\n reload events: local request 3, peer request 0\r\nRG Media Context for RG 1\r\n--------------------------\r\n Ctx State: Active\r\n Protocol ID: 1\r\n Media type: Default\r\n Control Interface: GigabitEthernet0/1/0\r\n Hello timer: 5000\r\n Effective Hello timer: 5000, Effective Hold timer: 15000\r\n LAPT values: 0, 0\r\n Stats:\r\n Pkts 0, Bytes 0, HA Seq 0, Seq Number 0, Pkt Loss 
0\r\n Authentication not configured\r\n Authentication Failure: 0\r\n Reload Peer: TX 0, RX 0\r\n Resign: TX 1, RX 0\r\n Standby Peer: Not Present.\r\nFaults states Group 2 info:\r\n Runtime priority: [150]\r\n RG Faults RG State: Up.\r\n Total # of switchovers due to faults: 2\r\n Total # of down/up state changes due to faults: 2\r\nGroup ID:2\r\nGroup Name:name1\r\nAdministrative State: No Shutdown\r\nAggregate operational state : Up\r\nMy Role: ACTIVE\r\nPeer Role: UNKNOWN\r\nPeer Presence: No\r\nPeer Comm: No\r\nPeer Progression Started: No\r\nRF Domain: btob-two\r\n RF state: ACTIVE\r\n Peer RF state: DISABLED\r\nRG Protocol RG 2\r\n------------------\r\n Role: Active\r\n Negotiation: Enabled\r\n Priority: 150\r\n Protocol state: Active\r\n Ctrl Intf(s) state: Down\r\n Active Peer: Local\r\n Standby Peer: Not exist\r\n Log counters:\r\n role change to active: 1\r\n role change to standby: 0\r\n disable events: rg down state 1, rg shut 0\r\n ctrl intf events: up 0, down 2, admin_down 1\r\n reload events: local request 2, peer request 0\r\nRG Media Context for RG 2\r\n--------------------------\r\n Ctx State: Active\r\n Protocol ID: 2\r\n Media type: Default\r\n Control Interface: GigabitEthernet0/1/0\r\n Hello timer: 5000\r\n Effective Hello timer: 5000, Effective Hold timer: 15000\r\n LAPT values: 0, 0\r\n Stats:\r\n Pkts 0, Bytes 0, HA Seq 0, Seq Number 0, Pkt Loss 0\r\n Authentication not configured\r\n Authentication Failure: 0\r\n Reload Peer: TX 0, RX 0\r\n Resign: TX 0, RX 0\r\n Standby Peer: Not Present.\r\nThe table below describes the significant fields shown in the display.\r\nTable 41. 
show redundancy application group all Field Descriptions\r\nField Description\r\nFaults states Group 1 info Redundancy group faults information for Group 1.\r\nRuntime priority Current priority of the redundancy group.\r\nRG Faults RG State Redundancy group state returned by redundancy group faults.\r\nTotal # of switchovers due to faults Number of switchovers triggered by redundancy group fault events.\r\nTotal # of down/up state changes due to faults Number of down and up state changes triggered by redundancy group fault events.\r\nGroup ID Redundancy group ID.\r\nGroup Name Redundancy group name.\r\nAdministrative State Redundancy group state configured by users.\r\nAggregate operational state Current redundancy group state.\r\nMy Role Current role of the device.\r\nPeer Role Current role of the peer device.\r\nPeer Presence Indicates if the peer device is detected or not.\r\nPeer Comm Indicates the communication state with the peer device.\r\nPeer Progression Started Indicates if the peer device has started Redundancy Framework (RF) progression.\r\nRF Domain Name of the RF domain for the redundancy group.\r\nRelated Commands\r\nCommand Description\r\nshow redundancy application control-interface Displays control interface information for a redundancy group.\r\nshow redundancy application faults Displays fault-specific information for a redundancy group.\r\nshow redundancy application if-mgr Displays if-mgr information for a redundancy group.\r\nshow redundancy application protocol Displays protocol-specific information for a redundancy group.\r\nshow redundancy application if-mgr\r\nTo display interface manager information for a redundancy group, use the show redundancy application if-mgr command in\r\nprivileged EXEC mode.\r\nshow redundancy application if-mgr group [group-id]\r\nSyntax Description\r\ngroup Specifies the redundancy 
group.\r\ngroup-id (Optional) Redundancy group ID. Valid values are 1 to 2.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.1S This command was introduced.\r\nUsage Guidelines\r\nThe show redundancy application if-mgr command shows information about traffic interfaces protected by redundancy groups.\r\nWhen a traffic interface is functioning with the redundancy group, the state is no shut on the active device, and shut on the\r\nstandby device. On the other hand, it is always shut on the standby device.\r\nExamples\r\nThe following is sample output from the show redundancy application if-mgr command:\r\nRouter# show redundancy application if-mgr group 2\r\nRG ID: 2\r\n Interface VIP VMAC Shut Decrement\r\n ==========================================================\r\n GigabitEthernet0/1/7 10.1.1.3 0007.b422.0016 no shut 50\r\n GigabitEthernet0/3/1 11.1.1.3 0007.b422.0017 no shut 50\r\nThe table below describes the significant fields shown in the display.\r\nTable 42. show redundancy application if-mgr Field Descriptions\r\nField Description\r\nRG ID Redundancy group ID.\r\nInterface Interface name.\r\nVIP Virtual IP address for this traffic interface.\r\nVMAC Virtual MAC address for this traffic interface.\r\nShut The state of this interface. Note: It is always “shut” on the standby box.\r\nDecrement The decrement value for this interface. 
When this interface goes down, the runtime priority of its redundancy group decreases.\r\nRelated Commands\r\nCommand Description\r\nshow redundancy application control-interface Displays control interface information for a redundancy group.\r\nshow redundancy application faults Displays fault-specific information for a redundancy group.\r\nshow redundancy application group Displays redundancy group information.\r\nshow redundancy application protocol Displays protocol-specific information for a redundancy group.\r\nshow redundancy application protocol\r\nTo display protocol-specific information for a redundancy group, use the show redundancy application protocol command in\r\nprivileged EXEC mode.\r\nshow redundancy application protocol {protocol-id | group [group-id] }\r\nSyntax Description\r\nprotocol-id Protocol ID. The range is from 1 to 8.\r\ngroup Specifies the redundancy group.\r\ngroup-id (Optional) Redundancy group ID. Valid values are 1 and 2.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.1S This command was introduced.\r\nUsage Guidelines\r\nThe show redundancy application protocol command shows information returned by redundancy group protocol.\r\nExamples\r\nThe following is sample output from the show redundancy application protocol command:\r\nRouter# show redundancy application protocol 3\r\n \r\nProtocol id: 3, name:\r\n BFD: ENABLE\r\n Hello timer in msecs: 0\r\n Hold timer in msecs: 0\r\nThe table below describes the significant fields shown in the display.\r\nTable 43. 
show redundancy application protocol Field Descriptions\r\nField Description\r\nProtocol id Redundancy group protocol ID.\r\nBFD Indicates whether the BFD protocol is enabled for the redundancy group protocol.\r\nHello timer in msecs Redundancy group hello timer, in milliseconds, for the redundancy group protocol. The default is 3000 msecs.\r\nHold timer in msecs Redundancy group hold timer, in milliseconds, for the redundancy group protocol. The default is 10000 msecs.\r\nRelated Commands\r\nCommand Description\r\nshow redundancy application group Displays redundancy group information.\r\nshow redundancy application control-interface Displays control interface information for a redundancy group.\r\nshow redundancy application faults Displays fault-specific information for a redundancy group.\r\nshow redundancy application if-mgr Displays if-mgr information for a redundancy group.\r\nshow redundancy application transport\r\nTo display transport-specific information for a redundancy group, use the show redundancy application transport command\r\nin privileged EXEC mode.\r\nshow redundancy application transport {client | group [group-id] }\r\nSyntax Description\r\nclient Displays transport client-specific information.\r\ngroup Displays the redundancy group name.\r\ngroup-id (Optional) Redundancy group ID. 
Valid values are 1 and 2.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.1S This command was introduced.\r\nUsage Guidelines\r\nThe show redundancy application transport command shows information for redundancy group transport.\r\nExamples\r\nThe following is sample output from the show redundancy application transport group command:\r\nRouter# show redundancy application transport group 1\r\nTransport Information for RG (1)\r\nRelated Commands\r\nCommand Description\r\nshow redundancy application control-interface Displays control interface information for a redundancy group.\r\nshow redundancy application faults Displays fault-specific information for a redundancy group.\r\nshow redundancy application group Displays redundancy group information.\r\nshow redundancy application if-mgr Displays if-mgr information for a redundancy group.\r\nshow redundancy application protocol Displays protocol-specific information for a redundancy group.\r\nshow redundancy linecard-group\r\nTo display the components of a Blade Failure Group, use the show redundancy linecard-group command in privileged\r\nEXEC mode.\r\nshow redundancy linecard-group group-id\r\nSyntax Description\r\nCommand Default\r\nNo default behavior or values.\r\nCommand Modes\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n12.2(18)SXE2 This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\nExamples\r\nThe following example shows the components of a Blade Failure Group:\r\nRouter# show redundancy linecard-group 1\r\nLine Card Redundancy Group:1 Mode:feature-card\r\nClass:load-sharing\r\nCards:\r\nSlot:3 Subslot:0\r\nSlot:5 Subslot:0\r\nRelated 
Commands\r\nCommand Description\r\nlinecard-group feature card Assigns a group ID to a Blade Failure Group.\r\nshow running-config\r\nTo display the contents of the current running configuration file or the configuration for a specific module, Layer 2 VLAN,\r\nclass map, interface, map class, policy map, or virtual circuit (VC) class, use the show running-config command in\r\nprivileged EXEC mode.\r\nshow running-config [options]\r\nSyntax Description\r\noptions\r\n(Optional) Keywords used to customize output. You can enter more than one keyword.\r\nall -- Expands the output to include the commands that are configured with default parameters. If the all keyword is not used, the output does not display commands configured with default parameters.\r\nbrief -- Displays the configuration without certification data and encrypted filter details. The brief keyword can be used with the linenum keyword.\r\nclass-map [name] [linenum] -- Displays class map information. The linenum keyword can be used with the class-map name option.\r\ncontrol-plane [cef-exception | host | transit] -- Displays control-plane information. The cef-exception, host, and transit keywords can be used with the control-plane option.\r\nflow {exporter | monitor | record} -- Displays global flow configuration commands. The exporter, monitor, and record keywords can be used with the flow option.\r\nfull -- Displays the full configuration.\r\ninterface type number -- Displays interface-specific configuration information. If you use the interface keyword, you must specify the interface type and the interface number (for example, interface ethernet 0). Keywords for common interfaces include async, ethernet, fastEthernet, group-async, loopback, null, serial, and virtual-template. Use the show run interface ? command to determine the interfaces available on your system.\r\nlinenum -- Displays line numbers in the output. 
The brief or full keyword can be used with the linenum keyword. The linenum keyword can be used with the class-map, interface, map-class, policy-map, and vc-class keywords.\r\nmap-class [atm | dialer | frame-relay] [name] [linenum] -- Displays map class information. This option is described separately; see the show running-config map-class command page.\r\npartition types -- Displays the configuration corresponding to a partition. The types keyword can be used with the partition option.\r\npolicy-map [name] [linenum] -- Displays policy map information. The linenum keyword can be used with the policy-map name option.\r\nvc-class [name] [linenum] -- Displays VC-class information (the display is available only on certain devices such as the Cisco 7500 series devices). The linenum keyword can be used with the vc-class name option.\r\nview full -- Enables the display of a full running configuration. This is for view-based users who typically can only view the configuration commands that they are entitled to access for that particular view.\r\nvrf name -- Displays the Virtual routing and forwarding (VRF)-aware configuration module number.\r\nvlan [vlan-id] -- Displays the specific VLAN information; valid values are from 1 to 4094.\r\nCommand Default\r\nThe default syntax, show running-config, displays the contents of the running configuration file, except commands\r\nconfigured using the default parameters.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n11.0 This command was introduced.\r\n12.0 This command was replaced by the more system:running-config command.\r\n12.0(1)T This command was integrated into Cisco IOS Release 12.0(1)T, and the output modifier (|) was added.\r\n12.2(4)T This command was modified. The linenum keyword was added.\r\n12.3(8)T This command was modified. 
The view full option was added.\r\n12.2(14)SX This command was integrated into Cisco IOS Release 12.2(14)SX. The module number and vlan vlan-id keywords and arguments were added for the Supervisor Engine 720.\r\n12.2(17d)SXB This command was integrated into Release 12.2(17d)SXB and implemented on the Supervisor Engine 2.\r\n12.2(33)SXH This command was modified. The all keyword was added.\r\n12.2(31)SB2 This command was integrated into Cisco IOS Release 12.2(31)SB2. This command was enhanced to display the configuration information for traffic shaping overhead accounting for ATM and was implemented on the Cisco 10000 series device for the PRE3.\r\n12.2(33)SRC This command was integrated into Cisco IOS Release 12.2(33)SRC.\r\n12.2(33)SB This command was modified. Support for the Cisco 7300 series device was added.\r\n12.4(24)T This command was modified in a release earlier than Cisco IOS Release 12.4(24)T. The partition and vrf keywords were added. The module and vlan keywords were removed.\r\n15.0(1)M This command was modified. The output was modified to include encrypted filter information.\r\n12.2(33)SXI This command was modified. The output was modified to display Access Control List (ACL) information.\r\nUsage Guidelines\r\nThe show running-config command is technically a command alias (substitute or replacement syntax) of the more\r\nsystem:running-config command. 
Although the use of more commands is recommended (because of their uniform structure\r\nacross platforms and their expandable syntax), the show running-config command remains enabled to accommodate its\r\nwidespread use, and to allow typing shortcuts such as show run.\r\nThe show running-config interface command is useful when there are multiple interfaces and you want to look at the\r\nconfiguration of a specific interface.\r\nThe linenum keyword causes line numbers to be displayed in the output. This option is useful for identifying a particular\r\nportion of a very large configuration.\r\nYou can enter additional output modifiers in the command syntax by including a pipe character (|) after the optional\r\nkeyword. For example, show running-config interface serial 2/1 linenum | begin 3. To display the output modifiers that are\r\navailable for a keyword, enter | ? after the keyword. Depending on the platform you are using, the keywords and the\r\narguments for the options argument may vary.\r\nPrior to Cisco IOS Release 12.2(33)SXH, the show running-config command output omitted configuration commands set\r\nwith default values. Effective with Cisco IOS Release 12.2(33)SXH, the show running-config all command displays\r\ncomplete configuration information, including the default settings and values. For example, if the Cisco Discovery Protocol\r\n(abbreviated as CDP in the output) hold-time value is set to its default of 180:\r\nThe show running-config command does not display this value.\r\nThe show running-config all displays the following output: cdp holdtime 180.\r\nIf the Cisco Discovery Protocol holdtime is changed to a nondefault value (for example, 100), the output of the show\r\nrunning-config and show running-config all commands is the same; that is, the configured parameter is displayed.\r\nNote\r\nIn Cisco IOS Release 12.2(33)SXH, the all keyword expands the output to include some of the commands that\r\nare configured with default values. 
In subsequent Cisco IOS releases, additional configuration commands that\r\nare configured with default values will be added to the output of the show running-config all command.\r\nEffective with Cisco IOS Release 12.2(33)SXI, the show running-config command displays ACL information. To exclude\r\nACL information from the output, use the show running | section exclude ip access | access list command.\r\nCisco 7600 Series Device\r\nIn some cases, you might see a difference in the duplex mode that is displayed between the show interfaces command and\r\nthe show running-config command. The duplex mode that is displayed in the show interfaces command is the actual duplex\r\nmode that the interface is running. The show interfaces command displays the operating mode of an interface, and the show\r\nrunning-config command displays the configured mode of the interface.\r\nThe show running-config command output for an interface might display the duplex mode but no configuration for the\r\nspeed. This output indicates that the interface speed is configured as auto and that the duplex mode that is displayed\r\nbecomes the operational setting once the speed is configured to something other than auto. With this configuration, it is\r\npossible that the operating duplex mode for that interface does not match the duplex mode that is displayed with the show\r\nrunning-config command.\r\nExamples\r\nThe following example shows the configuration for serial interface 1. The fields are self-explanatory.\r\nDevice# show running-config interface serial 1\r\nBuilding configuration...\r\nCurrent configuration:\r\n!\r\ninterface Serial1\r\n no ip address\r\n no ip directed-broadcast\r\n no ip route-cache\r\n no ip mroute-cache\r\n shutdown\r\nend\r\nThe following example shows the configuration for Ethernet interface 0/0. Line numbers are displayed in the output. 
The\r\nfields are self-explanatory.\r\nDevice# show running-config interface ethernet 0/0 linenum\r\nBuilding configuration...\r\nCurrent configuration : 104 bytes\r\n 1 : !\r\n 2 : interface Ethernet0/0\r\n 3 : ip address 10.4.2.63 255.255.255.0\r\n 4 : no ip route-cache\r\n 5 : no ip mroute-cache\r\n 6 : end\r\nThe following example shows how to set line numbers in the command output and then use the output modifier to start the\r\ndisplay at line 10. The fields are self-explanatory.\r\nDevice# show running-config linenum | begin 10\r\n 10 : boot-start-marker\r\n 11 : boot-end-marker\r\n 12 : !\r\n 13 : no logging buffered\r\n 14 : enable password #####\r\n 15 : !\r\n 16 : spe 1/0 1/7\r\n 17 : firmware location bootflash:mica-modem-pw.172.16.0.0.bin\r\n 18 : !\r\n 19 : !\r\n 20 : resource-pool disable\r\n 21 : !\r\n 22 : no aaa new-model\r\n 23 : ip subnet-zero\r\n 24 : ip domain name cisco.com\r\n 25 : ip name-server 172.16.11.48\r\n 26 : ip name-server 172.16.2.133\r\n 27 : !\r\n 28 : !\r\n 29 : isdn switch-type primary-5ess\r\n 30 : !\r\n .\r\n .\r\n .\r\n 126 : end\r\nThe following example shows how to display the module and status configuration for all modules on a Cisco 7600 series\r\ndevice. 
The fields are self-explanatory.\r\nDevice# show running-config\r\nBuilding configuration...\r\nCurrent configuration:\r\n!\r\nversion 12.0\r\nservice timestamps debug datetime localtime\r\nservice timestamps log datetime localtime\r\nno service password-encryption\r\n!\r\nhostname device\r\n!\r\nboot buffersize 126968\r\nboot system flash slot0:7600r\r\nboot bootldr bootflash:c6msfc-boot-mz.120-6.5T.XE1.0.83.bin\r\nenable password lab\r\n!\r\nclock timezone Pacific -8\r\nclock summer-time Daylight recurring\r\nredundancy\r\n main-cpu\r\n auto-sync standard\r\n!\r\nip subnet-zero\r\n!\r\nip multicast-routing\r\nip dvmrp route-limit 20000\r\nip cef\r\nmls flow ip destination\r\nmls flow ipx destination\r\ncns event-service server\r\n!\r\nspanning-tree portfast bpdu-guard\r\nspanning-tree uplinkfast\r\nspanning-tree vlan 200 forward-time 21\r\nport-channel load-balance sdip\r\n!\r\n!\r\n!\r\n shutdown\r\n!\r\n!\r\n.\r\n.\r\n.\r\nIn the following sample output from the show running-config command, the shape average command indicates that the\r\ntraffic shaping overhead accounting for ATM is enabled. The BRAS-DSLAM encapsulation type is qinq and the subscriber\r\nline encapsulation type is snap-rbe based on the ATM adaptation layer 5 (AAL5) service. The fields are self-explanatory.\r\nDevice# show running-config\r\n.\r\n.\r\n.\r\nsubscriber policy recording rules limit 64\r\nno mpls traffic-eng auto-bw timers frequency 0\r\ncall rsvp-sync\r\n!\r\ncontroller T1 2/0\r\nframing sf\r\nlinecode ami\r\n!\r\ncontroller T1 2/1\r\nframing sf\r\nlinecode ami\r\n!\r\n!\r\npolicy-map unit-test\r\nclass class-default\r\nshape average percent 10 account qinq aal5 snap-rbe\r\n!\r\nThe following is sample output from the show running-config class-map command. 
The fields in the display are self-explanatory.\r\nDevice# show running-config class-map\r\nBuilding configuration...\r\nCurrent configuration : 2910 bytes\r\n!\r\nclass-map type stack match-all ip_tcp_stack\r\n match field IP protocol eq 0x6 next TCP\r\nclass-map type access-control match-all my\r\n match field UDP dest-port eq 1111\r\n match encrypted\r\n filter-version 0.1, Dummy Filter 2\r\n filter-id 123\r\n filter-hash DE0EB7D3C4AFDD990038174A472E4789\r\n algorithm aes256cbc\r\n cipherkey realm-cisco.sym\r\n ciphervalue #\r\noeahb4L6JK+XuC0q8k9AqXvBeQWzVfdg8WV67WEXbiWdXGQs6BEXqQeb4Pfow570zM4eDw0gxlp/Er8w\r\n/lXsmolSgYpYuxFMYb1KX/H2iCXvA76VX7w5TElb/+6ekgbfP/d5ms6DEzKa8DlOpl+Q95lP194PsIlU\r\nwCyfVCwLS+T8p3RDLi8dKBgQMcDW4Dha1ObBJTpV4zpwhEdMvJDu5PATtEQhFjhN/UYeyQiPRthjbkJn\r\nLzT8hQFxwYwVW8PCjkyqEwYrr+R+mFG/C7tFRiooaW9MU9PCpFd95FARvlU=#\r\n exit\r\nclass-map type stack match-all ip_udp_stack\r\n match field IP protocol eq 0x11 next UDP\r\nclass-map type access-control match-all psirt1\r\n match encrypted\r\n filter-version 0.0_DummyVersion_20090101_1830\r\n filter-id cisco-sa-20090101-dummy_ddts_001\r\n filter-hash FC50BED10521002B8A170F29AF059C53\r\n algorithm aes256cbc\r\n cipherkey realm-cisco.sym\r\n ciphervalue #\r\nDkGbVq0FPAsVJKguU15lQPDfZyTcHUXWsj8+tD+dCSYW9cjkRU9jyST4vO4u69/L62QlbyQuKdyQmb10\r\n6sAeY5vDsDfDV05k4o5eD+j8cMt78iZT0Qg7uGiBSYBbak3kKn/5w2gDd1vnivyQ7g4Ltd9+XM+GP6XL\r\n27RrXeP5A5iGbzC7KI9t6riZXk0gmR/vFw1a5wck0D/iQHIlFa/yRPoKMSFlqfIlLTe5NM7JArSTKET2\r\npu7wZammTz4FF6rY#\r\n exit\r\n match start TCP payload-start offset 0 size 10 regex \"abc.*def\"\r\n match field TCP source-port eq 1234\r\nclass-map type access-control match-all psirt2\r\n match encrypted\r\n filter-version 0.0_DummyVersion_20090711_1830\r\n filter-id cisco-sa-20090711-dummy_ddts_002\r\n filter-hash DE0EB7D3C4AFDD990038174A472E4789\r\n algorithm aes256cbc\r\n cipherkey 
realm-cisco.sym\r\nThe following example shows that the teletype (tty) line 2 is reserved for communicating with the 2nd core:\r\nDevice# show running\r\nBuilding configuration...\r\nCurrent configuration:\r\n!\r\nversion 12.0\r\nservice timestamps debug uptime\r\nservice timestamps log uptime\r\nno service password-encryption\r\n!\r\nhostname device\r\n!\r\nenable password lab\r\n!\r\nno ip subnet-zero\r\n!\r\n!\r\n!\r\ninterface Ethernet0\r\n ip address 172.25.213.150 255.255.255.128\r\n no ip directed-broadcast\r\n no logging event link-status\r\n!\r\ninterface Serial0\r\n no ip address\r\n no ip directed-broadcast\r\n no ip mroute-cache\r\n shutdown\r\n no fair-queue\r\n!\r\ninterface Serial1\r\n no ip address\r\n no ip directed-broadcast\r\n shutdown\r\n!\r\nip default-gateway 172.25.213.129\r\nip classless\r\nip route 0.0.0.0 0.0.0.0 172.25.213.129\r\n!\r\n!\r\nline con 0\r\n transport input none\r\nline 1 6\r\n no exec\r\n transport input all\r\nline 7\r\n no exec\r\n exec-timeout 300 0\r\n transport input all\r\nline 8 9\r\n no exec\r\n transport input all\r\nline 10\r\n no exec\r\n transport input all\r\n stopbits 1\r\nline 11 12\r\n no exec\r\n transport input all\r\nline 13\r\n no exec\r\n transport input all\r\n speed 115200\r\nline 14 16\r\n no exec\r\n transport input all\r\nline aux 0\r\nline vty 0 4\r\n password cisco\r\n login\r\n!\r\nend\r\nRelated Commands\r\nCommand Description\r\nbandwidth Specifies or modifies the bandwidth allocated for a class belonging to a policy map, and enables ATM overhead accounting.\r\nboot config Specifies the device and filename of the configuration file from which the device configures itself during initialization (startup).\r\nconfigure terminal Enters global configuration mode.\r\ncopy running-config startup-config Copies the running configuration to the startup configuration. 
(Command alias for the copy\r\nsystem:running-config nvram:startup-config command.)\r\nshape\r\nShapes traffic to the indicated bit rate according to the algorithm specified, and enables ATM\r\noverhead accounting.\r\nshow interfaces Displays statistics for all interfaces configured on the device or access server.\r\nshow policy-map\r\nDisplays the configuration of all classes for a specified service policy map or all classes for all\r\nexisting policy maps, and displays ATM overhead accounting information, if configured.\r\nshow startup-config\r\nDisplays the contents of NVRAM (if present and valid) or displays the configuration file\r\npointed to by the CONFIG_FILE environment variable. (Command alias for the more:nvram\r\nstartup-config command.)\r\nshow running-config vrf\r\nTo display the subset of the running configuration of a router that is linked to a specific VPN routing and forwarding (VRF)\r\ninstance or linked to all VRFs configured on the router, use the show running-config vrf command in privileged EXEC\r\nmode.\r\nshow running-config vrf [vrf-name]\r\nSyntax Description\r\nvrf-name (Optional) Name of the VRF configuration that you want to display.\r\nCommand Default\r\nIf you do not specify the name of a VRF configuration, the running configurations of all VRFs on the router are displayed.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.2(28)SB This command was introduced.\r\n12.2(33)SRB This command was integrated into Cisco IOS Release 12.2(33)SRB.\r\n12.2(33)SXH This command was integrated into Cisco IOS Release 12.2(33)SXH.\r\n12.4(20)T This command was integrated into Cisco IOS Release 12.4(20)T.\r\nCisco IOS XE Release\r\n2.1\r\nThis command was integrated into Cisco IOS XE Release 2.1.\r\nCisco IOS XE Release\r\n3.5S\r\nThis command was modified.
The output of the command was modified to display the\r\nNetwork Address Translation (NAT) configuration.\r\nUsage Guidelines\r\nUse the show running-config vrf command to display a specific VRF configuration or to display all VRF configurations on\r\nthe router. To display the configuration of a specific VRF, specify the name of the VRF.\r\nThis command displays the following elements of the VRF configuration:\r\nThe VRF submode configuration.\r\nThe routing protocol and static routing configurations associated with the VRF.\r\nThe configuration of interfaces in the VRF, which includes the configuration of any owning controller and physical\r\ninterface for a subinterface.\r\nExamples\r\nThe following is sample output from the show running-config vrf command. It includes a base VRF configuration for VRF\r\nvpn3 and Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF) configurations associated with VRF vpn3.\r\nRouter# show running-config vrf vpn3\r\nBuilding configuration...\r\nCurrent configuration : 720 bytes\r\nip vrf vpn3\r\n rd 100:1\r\n route-target export 100:1\r\n route-target import 100:1\r\n!\r\n!\r\ninterface GigabitEthernet0/0/1\r\n description connected to nat44-1ru-ce1 g0/0/0\r\n ip vrf forwarding vpn3\r\n ip address 172.17.0.1 255.0.0.0\r\n ip nat inside\r\n shutdown\r\n negotiation auto\r\n!\r\ninterface GigabitEthernet0/0/3\r\n no ip address\r\n negotiation auto\r\n!\r\ninterface GigabitEthernet0/0/3.2\r\n encapsulation dot1Q 2\r\n ip vrf forwarding vpn3\r\n ip address 10.0.0.1 255.255.255.0\r\n ip nat inside\r\n!\r\nrouter bgp 100\r\n !\r\n address-family ipv4 vrf vpn3\r\n redistribute connected\r\n redistribute static\r\n exit-address-family\r\nip nat inside source route-map rm-vpn3 pool shared-pool vrf vpn3 match-in-vrf overload\r\nip nat pool shared-pool 10.0.0.2 10.0.0.254 prefix-length 24\r\n!\r\nrouter ospf 101 vrf
vpn3\r\n log-adjacency-changes\r\n area 1 sham-link 10.43.43.43 10.23.23.23 cost 10\r\n network 172.17.0.0 0.255.255.255 area 1\r\n.\r\n.\r\n.\r\nend\r\nThe table below describes the significant fields shown in the display.\r\nTable 44. show running-config vrf Field Descriptions\r\nField Description\r\nCurrent configuration: 720 bytes Indicates the number of bytes (720) in the VRF vpn3 configuration.\r\nip vrf vpn3 Indicates the name of the VRF (vpn3) for which the configuration is displayed.\r\nrd 100:1 Identifies the route distinguisher (100:1) for VRF vpn3.\r\nroute-target export 100:1\r\nroute-target import 100:1\r\nSpecifies the route-target extended community for VRF vpn3.\r\nRoutes tagged with route-target export 100:1 are exported from VRF\r\nvpn3.\r\nRoutes tagged with the route-target import 100:1 are imported into VRF\r\nvpn3.\r\ninterface GigabitEthernet0/0/1 Specifies the interface associated with VRF vpn3.\r\nip vrf forwarding vpn3 Associates VRF vpn3 with the named interface.\r\nip address 172.17.0.1 255.0.0.0 Configures the IP address of the Gigabit Ethernet interface.\r\nip nat inside Enables NAT of inside addresses.\r\nrouter bgp 100\r\nSets up a BGP routing process for the router with the autonomous system\r\nnumber as 100.\r\naddress-family ipv4 vrf vpn3\r\nSets up a routing session for VRF vpn3 using the standard IPv4 address\r\nprefixes.\r\nredistribute connected\r\nRedistributes routes that are automatically established by the IP on an interface\r\ninto the BGP routing domain.\r\nip nat pool Defines a pool of IP addresses for NAT.\r\nrouter ospf 101 vrf vpn3\r\nSets up an OSPF routing process and associates VRF vpn3 with OSPF VRF\r\nprocesses.\r\narea 1 sham-link 10.43.43.43\r\n10.23.23.23 cost 10\r\nConfigures a sham-link interface on a provider edge (PE) router in a\r\nMultiprotocol Label Switching (MPLS)
VPN backbone.\r\n1 is the ID number of the OSPF area assigned to the sham-link.\r\n10.43.43.43 is the IP address of the source PE router.\r\n10.23.23.23 is the IP address of the destination PE router.\r\n10 is the OSPF cost to send IP packets over the sham-link interface.\r\nnetwork 172.17.0.0 0.255.255.255\r\narea 1\r\nDefines the interfaces on which OSPF runs and defines the area ID for those\r\ninterfaces.\r\nRelated Commands\r\nCommand Description\r\nip vrf Configures a VRF routing table.\r\nshow ip interface Displays the usability status of interfaces configured for IP.\r\nshow ip vrf Displays the set of defined VRFs and associated interfaces.\r\nshow running-config interface Displays the configuration for a specific interface.\r\nshow sasl\r\nTo display Simple Authentication and Security Layer (SASL) information, use the show sasl command in user EXEC or\r\nprivileged EXEC mode.\r\nshow sasl {all | context | mechanisms | profile {profile-name | all}}\r\nSyntax Description\r\nall Displays detailed information for all SASL profiles.\r\ncontext Displays context information for SASL profiles.\r\nmechanisms Displays the mechanisms applied for all SASL profiles.\r\nprofile profile-name Displays detailed information for the specified SASL profile.\r\nprofile all Displays all configured profiles.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.3(1) This command was introduced.\r\n12.2(33)SRC This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SRC.\r\n12.2(33)SXI This command was integrated into a release earlier than Cisco IOS Release 12.2(33)SXI.\r\nCisco IOS XE Release 2.1 This command was integrated into Cisco IOS XE Release
2.1.\r\nExamples\r\nThe following is sample output from the show sasl profile all command:\r\nRouter# show sasl profile all\r\nSASL profile 'sgw_sasl' Refs:0 Mechs:0x2\r\n client: \u003cNONE\u003e/\u003cNONE\u003e\r\n servers: ravi/ravi\r\n \r\nSASL profile 'sgw_1' Refs:0 Mechs:0x1\r\n client: us1/pw1\r\n servers: server1/user\r\nThe table below describes the significant fields shown in the display.\r\nTable 45. show sasl profile all Field Descriptions\r\nField Description\r\nSASL profile Indicates the name of the SASL profile.\r\nRefs Indicates the number of active sessions.\r\nMechs Indicates the profile mechanisms configured.\r\nclient Indicates the SASL client configured for the specified profile.\r\nservers Indicates the SASL server configured for the specified profile.\r\nRelated Commands\r\nCommand Description\r\nsasl Configures SASL.\r\nshow secure bootset\r\nTo display the status of Cisco IOS image and configuration resilience, use the show secure bootset command in privileged EXEC\r\nmode.\r\nshow secure bootset\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.3(8)T This command was introduced.\r\nUsage Guidelines\r\nUse the show secure bootset command, instead of the Cisco IOS directory listing dir command, to verify the existence of an\r\nimage archive. This command also displays output that specifies whether the image or configuration archive is ready for an\r\nupgrade.\r\nExamples\r\nThe following is sample output from the show secure bootset command.
The field descriptions are self-explanatory:\r\nRouter# show secure bootset\r\n%IOS image and configuration resilience is not active\r\nRouter# show secure bootset\r\nIOS resilience router id JMX0704L5GH\r\nIOS image resilience version 12.3 activated at 08:16:51 UTC Sun Jun 16 2002\r\nSecure archive slot0:c3745-js2-mz type is image (elf) []\r\n file size is 25469248 bytes, run size is 25634900 bytes\r\n Runnable image, entry point 0x80008000, run from ram\r\nIOS configuration resilience version 12.3 activated at 08:17:02 UTC Sun Jun 16 2002\r\nSecure archive slot0:.runcfg-20020616-081702.ar type is config\r\nconfiguration archive size 1059 bytes\r\nRelated Commands\r\nCommand Description\r\ndir Displays a list of files on a file system.\r\nsecure boot-config Saves a secure copy of the router running configuration in persistent storage.\r\nsecure boot-image Enables Cisco IOS image resilience.\r\nshow smm\r\nTo display string matching module (SMM) information, use the show smm command in privileged EXEC mode.\r\nshow smm {counters | timing | tree [tree-index | details]}\r\nSyntax Description\r\ncounters Displays information about SMM counters.\r\ntiming Displays timing information about the SMM.\r\ntree Displays the AVL tree containing the string information.\r\ntree-index (Optional) Specifies the tree index.\r\ndetails (Optional) Displays detailed information about the AVL tree.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n15.0(1)\r\nThis command was introduced in a release earlier than Cisco IOS Release 15.0(1) on Cisco 3845 series\r\nrouters.\r\nExamples\r\nThe following is sample output from the show smm counters command.
Fields in the output are self-explanatory.\r\nRouter# show smm counters\r\n \r\nNumber of non-matching packets processed - 0\r\nNumber of cache hits - 0\r\nNumber of cache misses - 0\r\nCache full instances - 0\r\nNumber of matching packets processed - 0\r\nNumber of matches for Stage0 - 0\r\nNumber of matches for Stage1 - 0\r\nNumber of matches for Stage2 - 0\r\nNumber of matches for Stage3 - 0\r\nNumber of signatures in signature database - 0\r\nThe following is sample output from the show smm timing command:\r\nRouter# show smm timing\r\nPacket processing stats (in microseconds) :\r\n--------------------------------------------\r\nMinimum processing time per packet - 0\r\nMaximum processing time per packet - 0\r\nAverage processing time for non-matching packets - 0\r\nAverage processing time for matching packets - 0\r\nRelated Commands\r\nCommand Description\r\naction string\r\nmatch\r\nReturns 1 to the $_string_result, if the string matches the pattern when an EEM applet is\r\ntriggered.\r\nshow snmp mib nhrp status\r\nTo display status information about the Next Hop Resolution Protocol (NHRP) MIB, use the show snmp mib nhrp status\r\ncommand in privileged EXEC mode.\r\nshow snmp mib nhrp status\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(20)T This command was introduced.\r\nUsage Guidelines\r\nThis command is used to display the status of the MIB for NHRP and whether the NHRP MIB is enabled or disabled.\r\nExamples\r\nThe following output is from the show snmp mib nhrp status command:\r\nSpoke_103# show snmp mib nhrp status\r\nNHRP-SNMP Agent Feature: Enabled\r\nNHRP-SNMP Tree State: Good\r\nListEnqueue Count = 0 Node Malloc Counts = 1\r\nSpoke_103#\r\nThe table below describes the significant fields shown in the display.\r\nTable 46.
show snmp mib nhrp status Field Descriptions\r\nField Description\r\nNHRP-SNMP Agent\r\nFeature:\r\nShows the status of the NHRP MIB. \"Enabled\" indicates that the NHRP MIB is enabled. If the\r\nNHRP MIB was disabled, it would display \"Disabled\".\r\nListEnqueue Count Indicates how many nodes have been queued for freeing.\r\nNode Malloc Counts Indicates how many nodes are allocated.\r\nRelated Commands\r\nCommand Description\r\nshow snmp mib Displays a list of the MIB OIDs registered on the system.\r\nshow ssh\r\nTo display the status of Secure Shell (SSH) server connections on the router, use the show ssh command in user EXEC or\r\nprivileged EXEC mode.\r\nshow ssh vty [ssh-number]\r\nSyntax Description\r\nvty Displays virtual terminal line (VTY) connection details.\r\nssh-number (Optional) The number of SSH server connections on the router. Range is from 0 to 1510. The default\r\nvalue is 0.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.1(15)T This command was introduced.\r\n12.2(33)SRA This command was modified. It was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2(33)SXI This command was modified. It was integrated into Cisco IOS Release 12.2(33)SXI.\r\nCisco IOS XE Release 2.1 This command was modified. It was integrated into Cisco IOS XE Release 2.1.\r\nUsage Guidelines\r\nUse the show ssh command to display the status of the SSH connections on your router. This command does not display any\r\nSSH configuration data.
Use the show ip ssh command for SSH configuration information such as timeouts and retries.\r\nExamples\r\nThe following is sample output from the show ssh command with SSH enabled:\r\nRouter# show ssh\r\nConnection Version Encryption State Username\r\n0 1.5 3DES Session Started guest\r\nThe table below describes the significant fields shown in the display.\r\nTable 47. show ssh Field Descriptions\r\nField Description\r\nConnection Number of SSH connections on the router.\r\nVersion Version number of the SSH terminal.\r\nEncryption Type of transport encryption.\r\nState Status of the SSH connection, indicating whether the session has started or stopped.\r\nUsername Username to log in to the SSH.\r\nRelated Commands\r\nCommand Description\r\nshow ip ssh Displays version and configuration data for SSH.\r\nshow ssl-proxy module state\r\nTo display the spanning-tree state for the specified VLAN, enter the show ssl-proxy module state command in user EXEC\r\nmode.\r\nshow ssl-proxy module mod state\r\nSyntax Description\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nCommand History\r\nRelease Modification\r\n12.2(18)SXD Support for this command was introduced on the Supervisor Engine 720.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\nUsage Guidelines\r\nThis command is supported on Cisco 7600 series routers that are configured with a Secure Sockets Layer (SSL) Services\r\nModule only.\r\nExamples\r\nThis example shows how to verify that the VLAN information displayed matches the VLAN configuration.
The fields\r\nshown in the display are self-explanatory.\r\nRouter# show ssl-proxy module 6 state\r\nSSL-services module 6 data-port:\r\n Switchport:Enabled\r\nAdministrative Mode:trunk\r\nOperational Mode:trunk\r\nAdministrative Trunking Encapsulation:dot1q\r\nOperational Trunking Encapsulation:dot1q\r\nNegotiation of Trunking:Off\r\nAccess Mode VLAN:1 (default)\r\nTrunking Native Mode VLAN:1 (default)\r\nTrunking VLANs Enabled:100\r\nPruning VLANs Enabled:2-1001\r\nVlans allowed on trunk:100\r\nVlans allowed and active in management domain:100\r\nVlans in spanning tree forwarding state and not pruned:\r\n100\r\nAllowed-vlan :100\r\nRouter#\r\nRelated Commands\r\nCommand Description\r\nssl-proxy module allowed-vlan Adds the VLANs allowed over the trunk to the SSL Services Module.\r\nshow tacacs\r\nTo display statistics for a TACACS+ server, use the show tacacs command in privileged EXEC mode.\r\nshow tacacs [private | public]\r\nSyntax Description\r\nprivate (Optional) Displays private TACACS+ server statistics.\r\npublic (Optional) Displays public TACACS+ server statistics.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n11.2 This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX\r\nrelease of this train depends on your feature set, platform, and platform hardware.\r\nCisco IOS XE\r\nRelease 2.3\r\nThis command was integrated into Cisco IOS XE Release 2.3.
The private and public keywords\r\nwere added.\r\nExamples\r\nThe following example is sample output for the show tacacs command:\r\nRouter# show tacacs\r\n \r\nTacacs+ Server : 172.19.192.80/49\r\n Socket opens: 3\r\n Socket closes: 3\r\n Socket aborts: 0\r\n Socket errors: 0\r\n Socket Timeouts: 0\r\n Failed Connect Attempts: 0\r\n Total Packets Sent: 7\r\n Total Packets Recv: 7\r\n Expected Replies: 0\r\n No current connection\r\nThe following is sample output from the show tacacs command for the private IP address 192.168.0.0:\r\nRouter# show tacacs private 192.168.0.0\r\nTacacs+ Server - private : 192.168.0.0\r\n Socket opens: 0\r\n Socket closes: 0\r\n Socket aborts: 0\r\n Socket errors: 0\r\n Socket Timeouts: 0\r\n Failed Connect Attempts: 0\r\n Total Packets Sent: 0\r\n Total Packets Recv: 0\r\nThe following is sample output from the show tacacs command for the public IP address 209.165.200.224:\r\nRouter# show tacacs public 209.165.200.224\r\nTacacs+ Server - public : 209.165.200.224\r\n Socket opens: 0\r\n Socket closes: 0\r\n Socket aborts: 0\r\n Socket errors: 0\r\n Socket Timeouts: 0\r\n Failed Connect Attempts: 0\r\n Total Packets Sent: 0\r\n Total Packets Recv: 0\r\nThe table below describes the significant fields shown in the display.\r\nTable 48.
show tacacs Field Descriptions\r\nField Description\r\nTacacs+ Server IP address of the TACACS+ server.\r\nSocket opens Number of successful TCP socket connections to the TACACS+ server.\r\nSocket closes Number of successfully closed TCP socket attempts.\r\nSocket aborts\r\nNumber of premature TCP socket closures to the TACACS+ server; that is, the peer did not wait\r\nfor a reply from the server after the peer sent its request.\r\nSocket errors Any other socket read or write errors, such as incorrect packet format and length.\r\nFailed Connect\r\nAttempts\r\nNumber of failed TCP socket connections to the TACACS+ server.\r\nTotal Packets Sent Number of packets sent to the TACACS+ server.\r\nTotal Packets\r\nRecv\r\nNumber of packets received from the TACACS+ server.\r\nRelated Commands\r\nCommand Description\r\ntacacs-server host Specifies a TACACS+ host.\r\nshow tcp intercept connections\r\nTo display TCP incomplete and established connections, use the show tcp intercept connections command in EXEC mode.\r\nshow tcp intercept connections\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nEXEC\r\nCommand History\r\nRelease Modification\r\n11.2 F This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train.
Support in a specific 12.2SX\r\nrelease of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nUse the show tcp intercept connections command to display TCP incomplete and established connections.\r\nExamples\r\nThe following is sample output from the show tcp intercept connections command:\r\nRouter# show tcp intercept connections\r\n \r\nIncomplete:\r\nClient Server State Create Timeout Mode\r\n172.19.160.17:58190 10.1.1.30:23 SYNRCVD 00:00:09 00:00:05 I\r\n172.19.160.17:57934 10.1.1.30:23 SYNRCVD 00:00:09 00:00:05 I\r\n \r\nEstablished:\r\nClient Server State Create Timeout Mode\r\n172.16.232.23:1045 10.1.1.30:23 ESTAB 00:00:08 23:59:54 I\r\nThe table below describes significant fields shown in the display.\r\nTable 49. show tcp intercept connections Field Descriptions\r\nField Description\r\nIncomplete: Rows of information under \"Incomplete\" indicate connections that are not yet established.\r\nClient IP address and port of the client.\r\nServer IP address and port of the server being protected by TCP intercept.\r\nState\r\nSYNRCVD--establishing with client.\r\nSYNSENT--establishing with server.\r\nESTAB--established with both, passing data.\r\nCreate Hours:minutes:seconds since the connection was created.\r\nTimeout Hours:minutes:seconds until the retransmission timeout.\r\nMode\r\nI--intercept mode.\r\nW--watch mode.\r\nEstablished:\r\nRows of information under \"Established\" indicate connections that are established.
The fields are the\r\nsame as those under \"Incomplete\" except for the Timeout field described below.\r\nTimeout\r\nHours:minutes:seconds until the connection will timeout, unless the software sees a FIN exchange, in\r\nwhich case this indicates the hours:minutes:seconds until the FIN or RESET timeout.\r\nRelated Commands\r\nCommand Description\r\nip tcp intercept connection-timeout\r\nChanges how long a TCP connection will be managed by the TCP intercept after no\r\nactivity.\r\nip tcp intercept finrst-timeout\r\nChanges how long after receipt of a reset or FIN-exchange the software ceases to\r\nmanage the connection.\r\nip tcp intercept list Enables TCP intercept.\r\nshow tcp intercept statistics Displays TCP intercept statistics.\r\nshow tcp intercept statistics\r\nTo display TCP intercept statistics, use the show tcp intercept statistics command in EXEC mode.\r\nshow tcp intercept statistics\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nEXEC\r\nCommand History\r\nRelease Modification\r\n11.2 F This command was introduced.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.2SX\r\nThis command is supported in the Cisco IOS Release 12.2SX train.
Support in a specific 12.2SX\r\nrelease of this train depends on your feature set, platform, and platform hardware.\r\nUsage Guidelines\r\nUse the show tcp intercept statistics command to display TCP intercept statistics.\r\nExamples\r\nThe following is sample output from the show tcp intercept statistics command:\r\nRouter# show tcp intercept statistics\r\nintercepting new connections using access-list 101\r\n2 incomplete, 1 established connections (total 3)\r\n1 minute connection request rate 2 requests/sec\r\nRelated Commands\r\nCommand Description\r\nip tcp intercept connection-timeout\r\nChanges how long a TCP connection will be managed by the TCP intercept after no\r\nactivity.\r\nip tcp intercept finrst-timeout\r\nChanges how long after receipt of a reset or FIN-exchange the software ceases to\r\nmanage the connection.\r\nip tcp intercept list Enables TCP intercept.\r\nshow tcp intercept\r\nconnections\r\nDisplays TCP incomplete and established connections.\r\nshow tech-support alg\r\nTo display application layer gateway (ALG)-specific information to assist in troubleshooting, use the show tech-support alg\r\ncommand in privileged EXEC mode.\r\nshow tech-support alg platform\r\nSyntax Description\r\nplatform Displays platform-specific ALG information.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.9S This command was introduced.\r\nUsage Guidelines\r\nThe show tech-support alg command is useful for collecting a large amount of information about ALGs for troubleshooting\r\npurposes. The output of this command can be provided to technical support representatives when reporting a problem. The\r\ncommand output displays the output of a number of show commands at once.
The output from this command varies\r\ndepending on your platform and configuration.\r\nExamples\r\nThe following is sample output from the show tech-support alg platform command:\r\nDevice# show tech-support alg platform\r\nshow platform hardware qfp active feature alg memory\r\nPool information:\r\nPool-Name Num-Entries Entry-Limit Size(bytes) Num-Additions\r\n-----------------------------------------------------------------------------\r\nFTP pool 640 0 41376 0\r\nSCCP pool 160 0 8096 0\r\nSIP pool 640 0 348576 0\r\nSIP pkt pool 160 0 18336 0\r\nSIP msg pool 320 0 26016 0\r\nRTSP pool 160 0 10656 0\r\nH323 info pool 100 5000 61216 0\r\nH323 fs olc pool 100 5000 3616 0\r\nH323 pkt sb pool 100 5000 3616 0\r\nH323 indus pool 1000 2000 4112416 0\r\nH323 tl olc pool 100 5000 3616 0\r\nH323 msg info pool 100 5000 8416 0\r\nDNS pool 1024 0 82336 0\r\nLDAP pool 128 5000 4512 0\r\nLDAP pkt info pool 32 160 670624 0\r\nRCMD pool 160 5000 5536 0\r\nHTTP info pool 2400 1048576 192416 0\r\nHTTP req ctxt pool 6400 2097152 1638816 0\r\nHTTP resp ctxt pool 6400 2097152 1331616 0\r\nHTTP hdr fld pool 6400 2097152 307616 0\r\nHTTP MIME ctxt pool 6400 2097152 819616 0\r\nNetBIOS L7 data pool 1024 5000 33184 0\r\nAct token pool 640 0 143776 0\r\nExt state pool 160 0 5536 0\r\nALG HA ntuple hdr pool 10000 0 640416 0\r\nSun RPC info pool 1024 7168 33184 0\r\nMS RPC info pool 1024 7168 49568 0\r\nMS RPC extended toke... 1024 7168 82336 0\r\nSMTP l7 info pool 2400 524288 1075616 0\r\nSMTP command pool 6400 1048576 307616 0\r\nSMTP log filter pool 6400 1048576 307616 0\r\nSMTP mask pool 6400 1048576 307616 0\r\nIMAP info pool 2400 524288 154016 0\r\nPOP3 info pool 2400 524288 154016 0\r\nGTP AIC ctxt pool 2400 1048576 154016 0\r\nGTP request response...
2400 524288 154016 0\r\nGTP hash info pool 2400 2097152 192416 0\r\nGTP master pdp pool 2400 524288 1421216 0\r\nGTP secondary pdp pool 2400 524288 269216 0\r\nGTP req_resp hash en... 2400 1048576 192416 0\r\nTable information:\r\nHa hash table: Num-Entries: 10000, Size(bytes): 40000\r\nshow platform hardware qfp active feature td datapath memory\r\n==VTCP ucode info==\r\ninfo alloc 0, free 0, fail 0\r\npkt buf alloc 0, free 0, fail 0\r\nbuf size alloc 0, free 0\r\nrx drop 0, tx drop 0, tcp drop 0, alg csum 0\r\nsending: rx ack 0, rst 0, hold rst 0 tx payload: seg 0, rexmit 0\r\nvtcp_info_chunk 0x8d54fcb0, totalfree: 2048, allocated: 0\r\nvtcp_pkt_pool 0x8d5d80c0, total: 1048240, free: 1048240\r\nvtcp_timer_wheel 0x8d6d84d0, vtcp_init 1\r\ntd_internal debug 0x0\r\ntd_global td_init 0x2\r\nalg_debug_vtcp 0x0\r\nshow platform hardware qfp active feature alg statistics\r\nALG counters:\r\nALG Cntrl-Pkt Parser-Err\u0026Drop Parser-No-Act\r\nFTP 0 0 0\r\nSIP 0 0 0\r\nSKINNY 0 0 0\r\nH225 0 0 0\r\nH245 0 0 0\r\nH225ras 0 0 0\r\nRTSP 0 0 0\r\nDNS 0 0 0\r\nLDAP 0 0 0\r\nTFTP 0 0 0\r\nHTTP 0 0 0\r\nSHELL 0 0 0\r\nLOGIN 0 0 0\r\nNETBIOS-NS 0 0 0\r\nNETBIOS-SSN 0 0 0\r\nALG chunk pool:\r\nPool-Name Used-Entries Free-Entries\r\nFTP pool 0 640\r\nSCCP pool 0 160\r\nSIP pool 0 640\r\nSIP pkt pool 0 160\r\nSIP msg pool 0 320\r\nRTSP pool 0 160\r\nH323 info pool 0 100\r\nH323 fs olc pool 0 100\r\nH323 pkt sb pool 0 100\r\nH323 indus pool 50 950\r\nH323 tl olc pool 0 100\r\nH323 msg info pool 0 100\r\nDNS pool 0 1024\r\nLDAP pool 0 128\r\nLDAP pkt info pool 0 32\r\nHTTP info pool 0 0\r\nHTTP req ctxt pool 0 0\r\nHTTP resp ctxt pool 0 0\r\nHTTP hdr fld pool 0 0\r\nHTTP MIME ctxt pool 0 0\r\nNetBIOS L7 data pool 0 1024\r\n \r\nCommon ALG chunk pool:\r\nPool-Name Used-Entries Free-Entries\r\nAct Token Pool 0 640\r\nExt State Pool 0 160\r\nHA ntuple hdr Pool 0 10000\r\nSun
RPC info pool 0 1024\r\nMS RPC info pool 0 1024\r\nSMTP l7 info pool 0 0\r\nSMTP command pool 0 0\r\nSMTP log filter pool 0 0\r\nSMTP mask pool 0 0\r\nIMAP info pool 0 0\r\nPOP3 info pool 0 0\r\nGTP AIC ctxt pool 0 0\r\nGTP Req/Res pool 0 0\r\nGTP hash info pool 0 0\r\nGTP master pdp pool 0 0\r\nGTP secondary pdp pool 0 0\r\nGTP req_res hash entry pool 0 0\r\n.\r\n.\r\n.\r\nThe table below describes the significant fields shown in the display.\r\nTable 50. show tech-support alg platform Field Descriptions\r\nField Description\r\nPool information Detailed information about ALG pools.\r\nPool-Name Name of the ALG pool.\r\nNum-Entries Number of pool entries.\r\nEntry-Limit Configured limit for the number of packets that can access the pool.\r\ninfo alloc Virtual TCP (vTCP) allocated counts.\r\npkt buf alloc Allocated packet buffer.\r\nbuf size alloc Allocated buffer size.\r\nRelated Commands\r\nCommand Description\r\nshow platform hardware qfp feature alg Displays ALG-specific information in the QFP.\r\nshow tech-support ipsec\r\nTo display IPsec information to assist in troubleshooting, use the show tech-support ipsec command in privileged EXEC\r\nmode.\r\nshow tech-support ipsec [peer ipv4-address | vrf vrf-name | platform]\r\nSyntax Description\r\npeer ipv4-address (Optional) Displays information about the specified IPv4 peer.\r\nvrf vrf-name (Optional) Displays information about the specified VPN routing and forwarding (VRF) instance.\r\nplatform (Optional) Displays platform specific information about the IPsec flow.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(20)T This command was introduced.\r\nCisco IOS XE\r\nRelease 2.4\r\nThis command was implemented on the Cisco ASR 1000 Series Aggregation Service Routers.\r\nCisco IOS XE\r\nRelease 3.7S\r\nThis command was modified. The platform keyword was added.
The output was enhanced to\r\ndisplay platform specific information about the IPsec flow.\r\nUsage Guidelines\r\nThe show tech-support ipsec command simplifies the collection of IPsec-related information if you are troubleshooting a\r\nproblem.\r\nThe show tech-support ipsec command without any keywords displays the output from the following show commands, as\r\nlisted in the order below:\r\nshow version\r\nshow running-config\r\nshow crypto isakmp sa count\r\nshow crypto ipsec sa count\r\nshow crypto session summary\r\nshow crypto session detail\r\nshow crypto isakmp sa detail\r\nshow crypto ipsec sa detail\r\nshow crypto isakmp peers\r\nshow crypto ruleset detail\r\nshow processes memory | include Crypto IKMP\r\nshow processes cpu | include Crypto IKMP\r\nshow crypto eli\r\nshow crypto engine accelerator statistic\r\nThe show tech-support ipsec command with the peer keyword and the ipv4-address argument displays the output from the\r\nfollowing show commands, as listed in the order below:\r\nshow version\r\nshow running-config\r\nshow crypto session remote ipv4address detail\r\nshow crypto isakmp sa peer ipv4address detail\r\nshow crypto ipsec sa peer ipv4address detail\r\nshow crypto isakmp peers ipv4address\r\nshow crypto ruleset detail\r\nshow processes memory | include Crypto IKMP\r\nshow processes cpu | include Crypto IKMP\r\nshow crypto eli\r\nshow crypto engine accelerator statistic\r\nThe show tech-support ipsec command with the vrf vrf-name keyword and argument displays the output from the following\r\nshow commands as listed in the order below:\r\nshow version\r\nshow running-config\r\nshow crypto isakmp sa count vrf vrf-name\r\nshow crypto ipsec sa count vrf vrf-name\r\nshow crypto session ivrf ivrf-name detail\r\nshow crypto session fvrf fvrf-name detail\r\nshow crypto isakmp sa vrf vrf-name detail\r\nshow crypto ipsec sa vrf vrf-name 
detail\r\nshow crypto ruleset detail\r\nshow processes memory | include Crypto IKMP\r\nshow processes cpu | include Crypto IKMP\r\nshow crypto eli\r\nshow crypto engine accelerator statistic\r\nThe show tech-support ipsec platform command displays the output from the following show commands, as listed in the\r\norder below:\r\nshow clock\r\nshow version\r\nshow running-config\r\nshow crypto tech-support\r\nshow crypto isakmp sa count\r\nshow crypto ipsec sa count\r\nshow crypto isakmp sa detail\r\nshow crypto ipsec sa detail\r\nshow crypto session summary\r\nshow crypto session detail\r\nshow crypto isakmp peers\r\nshow crypto ruleset detail\r\nshow processes memory\r\nshow processes cpu\r\nshow crypto eli\r\nshow crypto engine accelerator statistic\r\nshow crypto isakmp diagnose error\r\nshow crypto isakmp diagnose error count\r\nshow crypto call admission statistics\r\nRelated Commands\r\nCommand Description\r\nshow tech-support Displays information about the device when the device reports a problem.\r\nshow tech-support pki\r\nTo display public key infrastructure (PKI)-specific information to assist in troubleshooting, use the show tech-support pki\r\ncommand in privileged EXEC mode.\r\nshow tech-support pki\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Fuji 16.8.1 This command was introduced.\r\nCisco IOS XE Fuji 16.9.1 This command was modified to display the clock, version and other configuration details.\r\nUsage Guidelines\r\nThe show tech-support pki command is useful for collecting the complete set of PKI-related information for troubleshooting\r\npurposes. 
The output of this command can be provided to technical support representatives when reporting a problem.\r\nExamples\r\nThe following is sample output from the show tech-support pki command:\r\nDevice# show tech-support pki\r\n------------------ show clock ------------------\r\n07:07:35.291 IST Sun Jun 3 2018\r\n------------------ show version ------------------\r\nCisco IOS XE Software, Version 2018-05-31_14.33_sudsirig\r\nCisco IOS Software [Fuji], IOS-XE Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Experimental Version 16.10.201805\r\nCopyright (c) 1986-2018 by Cisco Systems, Inc.\r\nCompiled Thu 31-May-18 14:26 by sudsirig\r\nCisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.\r\nAll rights reserved. Certain components of Cisco IOS-XE software are\r\nlicensed under the GNU General Public License (\"GPL\") Version 2.0. The\r\nsoftware code licensed under GPL Version 2.0 is free software that comes\r\nwith ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such\r\nGPL code under the terms of GPL Version 2.0. For more details, see the\r\ndocumentation or \"License Notice\" file accompanying the IOS-XE software,\r\nor the applicable URL provided on the flyer accompanying the IOS-XE\r\nsoftware.\r\nROM: IOS-XE ROMMON\r\npki_a uptime is 6 hours, 53 minutes\r\nUptime for this control processor is 6 hours, 54 minutes\r\nSystem returned to ROM by reload\r\nSystem restarted at 00:14:18 IST Sun Jun 3 2018\r\nSystem image file is \"cdrom0:packages.conf\"\r\nLast reload reason: reload\r\nThis product contains cryptographic features and is subject to United\r\nStates and local country laws governing import, export, transfer and\r\nuse. 
Delivery of Cisco cryptographic products does not imply\r\nthird-party authority to import, export, distribute or use encryption.\r\nImporters, exporters, distributors and users are responsible for\r\ncompliance with U.S. and local country laws. By using this product you\r\nagree to comply with applicable laws and regulations. If you are unable\r\nto comply with U.S. and local laws, return this product immediately.\r\nA summary of U.S. laws governing Cisco cryptographic products may be found at:\r\nhttp://www.cisco.com/wwl/export/crypto/tool/stqrg.html\r\nIf you require further assistance please contact us by sending email to\r\nexport@cisco.com.\r\nLicense Level: ax\r\nLicense Type: Default. No valid license found.\r\nNext reload license Level: ax\r\ncisco CSR1000V (VXE) processor (revision VXE) with 2372442K/3075K bytes of memory.\r\nProcessor board ID 9VJK6T4IQMT\r\n4 Gigabit Ethernet interfaces\r\n32768K bytes of non-volatile configuration memory.\r\n8113356K bytes of physical memory.\r\n16162815K bytes of virtual hard disk at bootflash:.\r\n0K bytes of WebUI ODM Files at webui:.\r\nConfiguration register is 0x2102\r\n------------------ show running-config ------------------\r\nBuilding configuration...\r\nCurrent configuration : 6003 bytes\r\n!\r\n! 
Last configuration change at 07:07:18 IST Sun Jun 3 2018\r\n!\r\nversion 16.10\r\nservice timestamps debug datetime msec localtime show-timezone\r\nservice timestamps log datetime msec localtime show-timezone\r\nplatform qfp utilization monitor load 80\r\nno platform punt-keepalive disable-kernel-core\r\nplatform console serial\r\n!\r\nhostname pki_a\r\n!\r\nboot-start-marker\r\nboot-end-marker\r\n!\r\n!\r\nlogging buffered 1000000\r\nno logging console\r\n!\r\nno aaa new-model\r\nclock timezone IST 5 30\r\nclock calendar-valid\r\n!\r\n!\r\nip admission watch-list expiry-time 0\r\n!\r\nsubscriber templating\r\n!\r\nmultilink bundle-name authenticated\r\n!\r\ncrypto pki server rootca\r\nno database archive\r\nissuer-name CN=RCA1 C=pki\r\ngrant auto\r\nhash sha512\r\nlifetime certificate 364\r\nlifetime ca-certificate 364\r\n!\r\ncrypto pki trustpoint TP-self-signed-777972883\r\nenrollment selfsigned\r\nsubject-name cn=IOS-Self-Signed-Certificate-777972883\r\nrevocation-check none\r\nrsakeypair TP-self-signed-777972883\r\n!\r\ncrypto pki trustpoint rootca\r\nrevocation-check none\r\nrsakeypair rootca 1024\r\nhash sha512\r\n!\r\ncrypto pki trustpoint test\r\nenrollment url http://9.45.3.241:80\r\nusage ike\r\nsubject-name CN=R1 C=pki\r\nrevocation-check crl\r\nrsakeypair test 1024\r\nauto-enroll 3\r\nhash sha512\r\n!\r\n!\r\ncrypto pki certificate chain TP-self-signed-777972883\r\ncrypto pki certificate chain rootca\r\ncertificate ca 02\r\n 30820203 3082016C A0030201 02020102 300D0609 2A864886 F70D0101 0D050030\r\n 15311330 11060355 0403130A 52434131 20433D70 6B69301E 170D3138 30363033\r\n 30313334 35365A17 0D313930 36303230 31333435 365A3015 31133011 06035504\r\n 03130A52 43413120 433D706B 6930819F 300D0609 2A864886 F70D0101 01050003\r\n 818D0030 81890281 8100AD12 BD3E2CA7 3B3F1C19 A18CD53B DF618277 00512357\r\n A95C141E 4DE7B147 EF4FC9DC C0EB8B7D 
A81D20E3 25A4B53C 87D19F61 F63AE52A\r\n 82724182 F3DE33AE A59ABB7B 9C6F4D9D F944B0AB 789F635C 740CC101 73CE3043\r\n 7EA692F4 DCFAB15B 99782B0C 0143EFA4 BA4242CD E20F77DD B968C0C8 B5EF2A3F\r\n D3313C6F 49D93E12 D98D0203 010001A3 63306130 0F060355 1D130101 FF040530\r\n 030101FF 300E0603 551D0F01 01FF0404 03020186 301F0603 551D2304 18301680\r\n 1446E428 7A45971E 1904AB57 D78E8249 54FF9C1F 90301D06 03551D0E 04160414\r\n 46E4287A 45971E19 04AB57D7 8E824954 FF9C1F90 300D0609 2A864886 F70D0101\r\n 0D050003 8181005A CC810010 60BB1DD5 6847F3CE AAE871C9 6E214C60 FD5C56C1\r\n 05A15C67 99CB7464 B518897E 2FE96C87 5FF54631 1224BCE2 AEF599DB 61CB0576\r\n A70757E6 183A3238 863E54FB 959333C8 562150DE F6FA68D8 DE2526D6 8F41BE72\r\n 26C30292 042D16D3 ADA81A98 CC1D94CD ED06A9EA 6B2BE946 82760C7F A7146306\r\n D95D07A6 F1ADF6\r\n quit\r\ncrypto pki certificate chain test\r\ncertificate 04\r\n 30820203 3082016C A0030201 02020104 300D0609 2A864886 F70D0101 0D050030\r\n 15311330 11060355 0403130A 52434131 20433D70 6B69301E 170D3138 30363033\r\n 30313336 31395A17 0D313930 36303230 31333435 365A3029 3111300F 06035504\r\n 03130852 3120433D 706B6931 14301206 092A8648 86F70D01 09021605 706B695F\r\n 6130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100CDB7\r\n 98AF2475 DF4A4DD5 26C602CD C27358F2 D90A4BE7 FA58F5AB 2E5495C7 EEB55513\r\n A357339C 319392CD FD28F607 BDBDBB77 21261F94 A623B694 A966F9F6 0327582B\r\n 6A6CA0EE C0E8AD8E 7715FFB5 01BCBE7D 2DE0ECD2 D985A524 BFDEAA21 47D7D45A\r\n 19820585 B314EAA7 E939AC85 2A2385AF F9DE5871 3C9A41DF 683BAFD5 D2D30203\r\n 010001A3 4F304D30 0B060355 1D0F0404 030205A0 301F0603 551D2304 18301680\r\n 1446E428 7A45971E 1904AB57 D78E8249 54FF9C1F 90301D06 03551D0E 04160414\r\n EFBBABD1 EECCC80E 3CAE59B0 C6AC6333 91070AC1 300D0609 2A864886 F70D0101\r\n 0D050003 81810086 59F8185A 5B769128 C37F1C7B 1A32D024 438BC872 1AC6AD50\r\n F1E9E96F C8DC9413 9ACDFA82 4858F4FA 829F7BAC 09A040AF 5A5A53AB AC6EA5E6\r\n EADC2BFC BFB33036 C4295B18 C5CC141D A3BCE791 
6E25123F 4ABC5746 E569F072\r\n51AC1E71 0E872A09 8012E547 820E229E F73D8C0E 8818BB5C 8F9E49D6 22EE9BF3\r\n 028A40BB D0EAE0\r\n quit\r\ncertificate ca 02\r\n 30820203 3082016C A0030201 02020102 300D0609 2A864886 F70D0101 0D050030\r\n 15311330 11060355 0403130A 52434131 20433D70 6B69301E 170D3138 30363033\r\n 30313334 35365A17 0D313930 36303230 31333435 365A3015 31133011 06035504\r\n 03130A52 43413120 433D706B 6930819F 300D0609 2A864886 F70D0101 01050003\r\n 818D0030 81890281 8100AD12 BD3E2CA7 3B3F1C19 A18CD53B DF618277 00512357\r\n A95C141E 4DE7B147 EF4FC9DC C0EB8B7D A81D20E3 25A4B53C 87D19F61 F63AE52A\r\n 82724182 F3DE33AE A59ABB7B 9C6F4D9D F944B0AB 789F635C 740CC101 73CE3043\r\n 7EA692F4 DCFAB15B 99782B0C 0143EFA4 BA4242CD E20F77DD B968C0C8 B5EF2A3F\r\n D3313C6F 49D93E12 D98D0203 010001A3 63306130 0F060355 1D130101 FF040530\r\n 030101FF 300E0603 551D0F01 01FF0404 03020186 301F0603 551D2304 18301680\r\n 1446E428 7A45971E 1904AB57 D78E8249 54FF9C1F 90301D06 03551D0E 04160414\r\n 46E4287A 45971E19 04AB57D7 8E824954 FF9C1F90 300D0609 2A864886 F70D0101\r\n 0D050003 8181005A CC810010 60BB1DD5 6847F3CE AAE871C9 6E214C60 FD5C56C1\r\n 05A15C67 99CB7464 B518897E 2FE96C87 5FF54631 1224BCE2 AEF599DB 61CB0576\r\n A70757E6 183A3238 863E54FB 959333C8 562150DE F6FA68D8 DE2526D6 8F41BE72\r\n 26C30292 042D16D3 ADA81A98 CC1D94CD ED06A9EA 6B2BE946 82760C7F A7146306\r\n D95D07A6 F1ADF6\r\n quit\r\n!\r\nlicense udi pid CSR1000V sn 9VJK6T4IQMT\r\nno license smart enable\r\ndiagnostic bootup level minimal\r\n!\r\nspanning-tree extend system-id\r\n!\r\nredundancy\r\n!\r\ninterface GigabitEthernet1\r\nno ip address\r\nshutdown\r\nnegotiation auto\r\nno mop enabled\r\nno mop sysid\r\n!\r\ninterface GigabitEthernet2\r\nip address 9.45.3.241 255.255.0.0\r\nnegotiation auto\r\nno mop enabled\r\nno mop sysid\r\n!\r\ninterface GigabitEthernet3\r\nno ip 
address\r\nshutdown\r\nnegotiation auto\r\nno mop enabled\r\nno mop sysid\r\n!\r\ninterface GigabitEthernet4\r\nip address 33.33.33.1 255.255.0.0\r\nnegotiation auto\r\nno mop enabled\r\nno mop sysid\r\n!\r\nip forward-protocol nd\r\nip http server\r\nip http secure-server\r\nip tftp source-interface GigabitEthernet2\r\nip route 202.153.0.0 255.255.0.0 9.45.0.1\r\n!\r\ncontrol-plane\r\n!\r\nline con 0\r\nexec-timeout 0 0\r\nstopbits 1\r\nline vty 0 4\r\nlogin\r\n!\r\nend\r\n------------------ show crypto pki certificate verbose ------------------\r\nCertificate\r\n Status: Available\r\n Version: 3\r\n Certificate Serial Number (hex): 04\r\n Certificate Usage: General Purpose\r\n Issuer:\r\n cn=RCA1 C=pki\r\n Subject:\r\n Name: pki_a\r\n hostname=pki_a\r\n cn=R1 C=pki\r\n Validity Date:\r\n start date: 07:06:19 IST Jun 3 2018\r\n end date: 07:04:56 IST Jun 2 2019\r\n Subject Key Info:\r\n Public Key Algorithm: rsaEncryption\r\n RSA Public Key: (1024 bit)\r\n Signature Algorithm: SHA512 with RSA Encryption\r\n Fingerprint MD5: 11BC5664 377EEEDC 665FD807 FC9FB976\r\n Fingerprint SHA1: 5DE8E5B9 EDD3F73B 37A0FF8B E4F6397E 19B6B124\r\n X509v3 extensions:\r\n X509v3 Key Usage: A0000000\r\n Digital Signature\r\n Key Encipherment\r\n X509v3 Subject Key ID: EFBBABD1 EECCC80E 3CAE59B0 C6AC6333 91070AC1\r\n X509v3 Authority Key ID: 46E4287A 45971E19 04AB57D7 8E824954 FF9C1F90\r\n Authority Info Access:\r\n Associated Trustpoints: test\r\n Key Label: test\r\nCA Certificate\r\n Status: Available\r\n Version: 3\r\n Certificate Serial Number (hex): 02\r\n Certificate Usage: Signature\r\n Issuer:\r\n cn=RCA1 C=pki\r\n Subject:\r\n cn=RCA1 C=pki\r\n Validity Date:\r\n start date: 07:04:56 IST Jun 3 2018\r\n end date: 07:04:56 IST Jun 2 2019\r\n Subject Key Info:\r\n Public Key Algorithm: rsaEncryption\r\n RSA Public Key: (1024 bit)\r\n Signature Algorithm: SHA512 with 
RSA Encryption\r\n Fingerprint MD5: 0C61C633 C72CE9EC 45E86045 03611E16\r\n Fingerprint SHA1: 3737DC2B 576D41F5 86ABCD44 F8D05B95 FC2661DF\r\n X509v3 extensions:\r\n X509v3 Key Usage: 86000000\r\n Digital Signature\r\n Key Cert Sign\r\nCRL Signature\r\n X509v3 Subject Key ID: 46E4287A 45971E19 04AB57D7 8E824954 FF9C1F90\r\n X509v3 Basic Constraints:\r\n CA: TRUE\r\n X509v3 Authority Key ID: 46E4287A 45971E19 04AB57D7 8E824954 FF9C1F90\r\n Authority Info Access:\r\n Associated Trustpoints: test rootca\r\n------------------ show clock detail ------------------\r\n07:07:35.514 IST Sun Jun 3 2018\r\nTime source is user configuration\r\n------------------ show crypto pki timers detail ------------------\r\nPKI Timers\r\n| 1:44.647 (2018-06-03T07:09:19Z)\r\n | 1:44.647 (2018-06-03T07:09:19Z) SHADOW test\r\n | 11:11.420 (2018-06-03T07:18:46Z) SESSION CLEANUP\r\nExpiry Alert Timers\r\n|303d23:57:20.646 (2019-04-03T07:04:55Z)\r\n |303d23:57:20.646 (2019-04-03T07:04:55Z) ID(test)\r\n |303d23:57:21.325 (2019-04-03T07:04:56Z) CS(test)\r\nTrustpool Timers\r\n|3693d22:22:24.339 (2028-07-14T05:29:59Z)\r\n |3693d22:22:24.339 (2028-07-14T05:29:59Z) TRUSTPOOL\r\nCS Timers\r\n| 5:57:21.277 (2018-06-03T13:04:56Z)\r\n | 5:57:21.277 (2018-06-03T13:04:56Z) CS CRL UPDATE\r\n |363d23:57:20.995 (2019-06-02T07:04:55Z) CS CERT EXPIRE\r\n------------------ show crypto pki trustpoint ------------------\r\nTrustpoint TP-self-signed-777972883:\r\n Subject Name:\r\n cn=IOS-Self-Signed-Certificate-777972883\r\n Serial Number (hex): 01\r\n Persistent self-signed certificate trust point\r\n Using key label TP-self-signed-777972883\r\nTrustpoint rootca:\r\n Subject Name:\r\n cn=RCA1 C=pki\r\n Serial Number (hex): 02\r\n Certificate configured.\r\nTrustpoint test:\r\n Subject Name:\r\n cn=RCA1 C=pki\r\n Serial Number (hex): 02\r\n Certificate configured.\r\n SCEP URL: 
http://9.45.3.241:80/cgi-bin\r\n------------------ show crypto pki counters ------------------\r\nPKI Sessions Started: 9\r\nPKI Sessions Ended: 9\r\nPKI Sessions Active: 0\r\nSuccessful Validations: 1\r\nFailed Validations: 0\r\nBypassed Validations: 0\r\nPending Validations: 0\r\nCRLs checked: 0\r\nCRL - fetch attempts: 0\r\nCRL - failed attempts: 0\r\nCRL - rejected busy fetching: 0\r\nAAA authorizations: 0\r\n------------------ show crypto pki crls ------------------\r\n------------------ show crypto pki sessions ------------------\r\n------------------ show crypto key mypubkey all ------------------\r\n% Key pair was generated at: 03:41:10 IST Jun 3 2018\r\nKey name: rootca#\r\nKey type: RSA KEYS\r\nStorage Device: not specified\r\nUsage: General Purpose Key\r\nKey is not exportable.\r\nKey Data:\r\n 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B2A2CB\r\n 981220AC 5148C520 B3758EF2 FD00534D E8ECFAA1 C22F9680 C184C785 7FAB0DA1\r\n 505FFB68 E66BD1B6 2560849E 071A3AA8 77B2CA36 00DB9F0A 6DEF0067 C7F95031\r\n 41825E0F C0000417 28A31029 0E0AEF25 BF3C3425 DB03E4D0 7C338411 41873EC7\r\n 044A9EF0 FEB11A07 484F0B26 6BF83C80 21D89FB2 85B2CFD4 3C571D2C D7020301\r\n 0001\r\n% Key pair was generated at: 07:04:56 IST Jun 3 2018\r\nKey name: rootca\r\nKey type: RSA KEYS\r\nStorage Device: not specified\r\nUsage: General Purpose Key\r\nKey is not exportable. 
Redundancy enabled.\r\nKey Data:\r\n 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00AD12BD\r\n 3E2CA73B 3F1C19A1 8CD53BDF 61827700 512357A9 5C141E4D E7B147EF 4FC9DCC0\r\n EB8B7DA8 1D20E325 A4B53C87 D19F61F6 3AE52A82 724182F3 DE33AEA5 9ABB7B9C\r\n 6F4D9DF9 44B0AB78 9F635C74 0CC10173 CE30437E A692F4DC FAB15B99 782B0C01\r\n 43EFA4BA 4242CDE2 0F77DDB9 68C0C8B5 EF2A3FD3 313C6F49 D93E12D9 8D020301\r\n 0001\r\n% Key pair was generated at: 07:04:56 IST Jun 3 2018\r\nKey name: rootca.server\r\nKey type: RSA KEYS\r\nTemporary key\r\nUsage: Encryption Key\r\nKey is not exportable.\r\nKey Data:\r\n 307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00DB008C C1220131\r\n 2ABB976F 1210B31D 0F84E5AE 24840A01 7A459228 7BB785C4 98DABB13 A8FCE70D\r\n 13A38E40 0FFAC835 A294348C FAC36445 5D128775 8526BE2F D68539C6 91584899\r\n 915BDB10 E963CB56 2FBCFAF1 76CA6C42 C004D778 81A5C614 AD020301 0001\r\n% Key pair was generated at: 07:06:03 IST Jun 3 2018\r\nKey name: client\r\nKey type: RSA KEYS\r\nStorage Device: not specified\r\nUsage: General Purpose Key\r\nKey is not exportable. Redundancy enabled.\r\nKey Data:\r\n 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 009E6F1C\r\n B3748AFA 5679B076 A7D3F692 C9F560BB BD61BE66 4DD01B53 9EB5B633 96BC6E63\r\n A5485193 B9651CA6 09CF2E07 F4841313 E5191B54 011C10DC A639093E 55A015CA\r\n 15B73B31 829D6E55 A69A93E6 9BF321AB 06A2A3C8 547A7F25 DFDF0421 0F9F53B5\r\n 7AFB72BB D65CB226 50515468 23E0D057 7F9675EA 30845D72 F1BB2BB0 85020301\r\n 0001\r\n% Key pair was generated at: 07:06:19 IST Jun 3 2018\r\nKey name: test\r\nKey type: RSA KEYS\r\nStorage Device: not specified\r\nUsage: General Purpose Key\r\nKey is not exportable. 
Redundancy enabled.\r\nKey Data:\r\n 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00CDB798\r\n AF2475DF 4A4DD526 C602CDC2 7358F2D9 0A4BE7FA 58F5AB2E 5495C7EE B55513A3\r\n 57339C31 9392CDFD 28F607BD BDBB7721 261F94A6 23B694A9 66F9F603 27582B6A\r\n 6CA0EEC0 E8AD8E77 15FFB501 BCBE7D2D E0ECD2D9 85A524BF DEAA2147 D7D45A19\r\n 820585B3 14EAA7E9 39AC852A 2385AFF9 DE58713C 9A41DF68 3BAFD5D2 D3020301\r\n 0001\r\n------------------ show crypto pki certificate storage ------------------\r\nTrustpool - certificates will be stored in nvram:\r\nTP-self-signed-777972883 - certificates will be stored in nvram:\r\nrootca - certificates will be stored in nvram:\r\ntest - certificates will be stored in nvram:\r\n------------------ show crypto pki certificate pem ------------------\r\n------Trustpoint: TP-self-signed-777972883------\r\n% The specified trustpoint is not enrolled (TP-self-signed-777972883).\r\n% Only export the CA certificate in PEM format.\r\n% Error: failed to get CA cert.\r\n------Trustpoint: rootca------\r\n% The specified trustpoint is not enrolled (rootca).\r\n% Only export the CA certificate in PEM format.\r\n% CA certificate:\r\n-----BEGIN CERTIFICATE-----\r\nMIICAzCCAWygAwIBAgIBAjANBgkqhkiG9w0BAQ0FADAVMRMwEQYDVQQDEwpSQ0Ex\r\nIEM9cGtpMB4XDTE4MDYwMzAxMzQ1NloXDTE5MDYwMjAxMzQ1NlowFTETMBEGA1UE\r\nAxMKUkNBMSBDPXBraTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArRK9Piyn\r\nOz8cGaGM1TvfYYJ3AFEjV6lcFB5N57FH70/J3MDri32oHSDjJaS1PIfRn2H2OuUq\r\ngnJBgvPeM66lmrt7nG9NnflEsKt4n2NcdAzBAXPOMEN+ppL03PqxW5l4KwwBQ++k\r\nukJCzeIPd925aMDIte8qP9MxPG9J2T4S2Y0CAwEAAaNjMGEwDwYDVR0TAQH/BAUw\r\nAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHwYDVR0jBBgwFoAURuQoekWXHhkEq1fXjoJJ\r\nVP+cH5AwHQYDVR0OBBYEFEbkKHpFlx4ZBKtX146CSVT/nB+QMA0GCSqGSIb3DQEB\r\nDQUAA4GBAFrMgQAQYLsd1WhH886q6HHJbiFMYP1cVsEFoVxnmct0ZLUYiX4v6WyH\r\nX/VGMRIkvOKu9ZnbYcsFdqcHV+YYOjI4hj5U+5WTM8hWIVDe9vpo2N4lJtaPQb5y\r\nJsMCkgQtFtOtqBqYzB2Uze0GqeprK+lGgnYMf6cUYwbZXQem8a32\r\n-----END CERTIFICATE-----\r\n------Trustpoint: test------\r\n% 
CA certificate:\r\n-----BEGIN CERTIFICATE-----\r\nMIICAzCCAWygAwIBAgIBAjANBgkqhkiG9w0BAQ0FADAVMRMwEQYDVQQDEwpSQ0Ex\r\nIEM9cGtpMB4XDTE4MDYwMzAxMzQ1NloXDTE5MDYwMjAxMzQ1NlowFTETMBEGA1UE\r\nAxMKUkNBMSBDPXBraTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArRK9Piyn\r\nOz8cGaGM1TvfYYJ3AFEjV6lcFB5N57FH70/J3MDri32oHSDjJaS1PIfRn2H2OuUq\r\ngnJBgvPeM66lmrt7nG9NnflEsKt4n2NcdAzBAXPOMEN+ppL03PqxW5l4KwwBQ++k\r\nukJCzeIPd925aMDIte8qP9MxPG9J2T4S2Y0CAwEAAaNjMGEwDwYDVR0TAQH/BAUw\r\nAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHwYDVR0jBBgwFoAURuQoekWXHhkEq1fXjoJJ\r\nVP+cH5AwHQYDVR0OBBYEFEbkKHpFlx4ZBKtX146CSVT/nB+QMA0GCSqGSIb3DQEB\r\nDQUAA4GBAFrMgQAQYLsd1WhH886q6HHJbiFMYP1cVsEFoVxnmct0ZLUYiX4v6WyH\r\nX/VGMRIkvOKu9ZnbYcsFdqcHV+YYOjI4hj5U+5WTM8hWIVDe9vpo2N4lJtaPQb5y\r\nJsMCkgQtFtOtqBqYzB2Uze0GqeprK+lGgnYMf6cUYwbZXQem8a32\r\n-----END CERTIFICATE-----\r\n% General Purpose Certificate:\r\n-----BEGIN CERTIFICATE-----\r\nMIICAzCCAWygAwIBAgIBBDANBgkqhkiG9w0BAQ0FADAVMRMwEQYDVQQDEwpSQ0Ex\r\nIEM9cGtpMB4XDTE4MDYwMzAxMzYxOVoXDTE5MDYwMjAxMzQ1NlowKTERMA8GA1UE\r\nAxMIUjEgQz1wa2kxFDASBgkqhkiG9w0BCQIWBXBraV9hMIGfMA0GCSqGSIb3DQEB\r\nAQUAA4GNADCBiQKBgQDNt5ivJHXfSk3VJsYCzcJzWPLZCkvn+lj1qy5UlcfutVUT\r\no1cznDGTks39KPYHvb27dyEmH5SmI7aUqWb59gMnWCtqbKDuwOitjncV/7UBvL59\r\nLeDs0tmFpSS/3qohR9fUWhmCBYWzFOqn6TmshSojha/53lhxPJpB32g7r9XS0wID\r\nAQABo08wTTALBgNVHQ8EBAMCBaAwHwYDVR0jBBgwFoAURuQoekWXHhkEq1fXjoJJ\r\nVP+cH5AwHQYDVR0OBBYEFO+7q9HuzMgOPK5ZsMasYzORBwrBMA0GCSqGSIb3DQEB\r\nDQUAA4GBAIZZ+BhaW3aRKMN/HHsaMtAkQ4vIchrGrVDx6elvyNyUE5rN+oJIWPT6\r\ngp97rAmgQK9aWlOrrG6l5urcK/y/szA2xClbGMXMFB2jvOeRbiUSP0q8V0blafBy\r\nUawecQ6HKgmAEuVHgg4invc9jA6IGLtcj55J1iLum/MCikC70Org\r\n-----END CERTIFICATE-----\r\n------------------ show crypto pki server ------------------\r\nCertificate Server rootca:\r\n Status: enabled\r\n State: enabled\r\n Server's configuration is locked (enter \"shut\" to unlock it)\r\n Issuer name: CN=RCA1 C=pki\r\n CA cert 
fingerprint: 0C61C633 C72CE9EC 45E86045 03611E16\r\n Granting mode is: auto\r\n Last certificate issued serial number (hex): 4\r\n CA certificate expiration timer: 07:04:56 IST Jun 2 2019\r\n CRL NextUpdate timer: 13:04:56 IST Jun 3 2018\r\n Current primary storage dir: nvram:\r\n Database Level: Minimum - no cert data written to storage\r\n------------------ show crypto pki server rootca certificates ------------------\r\nSerial Issued date Expire date Subject Name\r\n1 \u003ccert file not accessible\u003e\r\n2 \u003ccert file not accessible\u003e\r\n3 \u003ccert file not accessible\u003e\r\n4 \u003ccert file not accessible\u003e\r\n------------------ show crypto pki server rootca crl ------------------\r\nCertificate Revocation List:\r\n Issuer: cn=RCA1 C=pki\r\n This Update: 07:04:56 IST Jun 3 2018\r\n Next Update: 13:04:56 IST Jun 3 2018\r\n Number of CRL entries: 0\r\n CRL size: 220 bytes\r\n------------------ show crypto pki server rootca requests ------------------\r\nThe Enrollment Request Database is empty.\r\nRelated Commands\r\nCommand Description\r\nshow tech-support Displays information about the device when the device reports a problem.\r\nshow tunnel endpoints\r\nTo display the contents of the tunnel endpoint database that is used for tunnel endpoint address resolution, when running a\r\ntunnel in multipoint generic routing encapsulation (mGRE) mode, use the show tunnel endpoints command in privileged\r\nEXEC mode.\r\nshow tunnel endpoints [tunnel tunnel-number]\r\nSyntax Description\r\ntunnel\r\n(Optional) Specifies the tunnel interface. If a tunnel is specified, only the endpoint database for that\r\ntunnel is displayed. If a tunnel is not specified, endpoint databases for all tunnels are displayed.\r\ntunnel-number\r\n(Optional) Tunnel interface number. 
The range is from 0 to 2147483647.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.0(27)S This command was introduced.\r\n12.2(18)SXE This command was integrated into Cisco IOS Release 12.2(18)SXE.\r\n12.2(33)SRA This command was integrated into Cisco IOS Release 12.2(33)SRA.\r\n12.4(11)T This command was integrated into Cisco IOS Release 12.4(11)T.\r\nCisco IOS XE Release 2.1 This command was implemented on the Cisco ASR 1000 series routers.\r\nUsage Guidelines\r\nThe output of the show tunnel endpoints command displays the tunnel destination and transport address together with any\r\noverlay or virtual private network (VPN) address that resolves to it.\r\nExamples\r\nThe following example shows that there are two tunnel endpoints in the database that are associated with tunnel 1 (192.0.2.0\r\nand 192.0.2.1). Through these endpoints, VPN destination 192.0.2.3 is reachable by tunneling to endpoint 192.0.2.0 and\r\nVPN destination 192.0.2.2 is reachable by tunneling to endpoint 192.0.2.1.\r\nRouter# show tunnel endpoints\r\nTunnel0 running in multi-GRE/IP mode\r\n \r\n Endpoint transport 20.20.20.20 Refcount 4 Base 0x55BCC5E8 Create Time 00:01:08\r\n overlay ::FFFF:20.20.20.20 Refcount 2 Parent 0x55BCC5E8 Create Time 00:01:08\r\n overlay 20.20.20.20 Refcount 2 Parent 0x55BCC5E8 Create Time 00:01:08\r\nThe table below describes the significant fields shown in the display.\r\nTable 51. 
show tunnel endpoints Field Descriptions\r\nField Description\r\nTransport Displays the transport address.\r\nRefcount Number of overlay addresses that are resolving through the destination address.\r\nBase Displays the base address.\r\nOverlay Displays the overlay address.\r\nParent Reference to the tunnel endpoint.\r\nRelated Commands\r\nCommand Description\r\ntunnel mode Sets the encapsulation mode for the tunnel interface.\r\ntunnel protection Associates a tunnel interface with an IPSec profile.\r\nshow usb controllers\r\nTo display USB host controller information, use the show usb controllers command in privileged EXEC mode.\r\nshow usb controllers [controller-number]\r\nSyntax Description\r\ncontroller-number (Optional) Displays information only for the specified controller.\r\nCommand Default\r\nInformation about all controllers on the system is displayed.\r\nCommand Modes\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n12.3(14)T This command was introduced.\r\n12.4(11)T This command was integrated into the Cisco 7200VXR NPE-G2 platform.\r\nUsage Guidelines\r\nUse the show usb controllers command to display content such as controller register specific information, current\r\nasynchronous buffer addresses, and period scheduling information. 
You can also use this command to verify that copy\r\noperations are occurring successfully onto a USB flash module.\r\nExamples\r\nThe following example is sample output from the show usb controllers command:\r\nRouter# show usb controllers\r\nName:1362HCD\r\nController ID:1\r\nController Specific Information:\r\n Revision:0x11\r\n Control:0x80\r\n Command Status:0x0\r\n Hardware Interrupt Status:0x24\r\n Hardware Interrupt Enable:0x80000040\r\n Hardware Interrupt Disable:0x80000040\r\n Frame Interval:0x27782EDF\r\n Frame Remaining:0x13C1\r\n Frame Number:0xDA4C\r\n LSThreshold:0x628\r\n RhDescriptorA:0x19000202\r\n RhDescriptorB:0x0\r\n RhStatus:0x0\r\n RhPort1Status:0x100103\r\n RhPort2Status:0x100303\r\n Hardware Configuration:0x3029\r\n DMA Configuration:0x0\r\n Transfer Counter:0x1\r\n Interrupt:0x9\r\n Interrupt Enable:0x196\r\n Chip ID:0x3630\r\n Buffer Status:0x0\r\n Direct Address Length:0x80A00\r\n ATL Buffer Size:0x600\r\n ATL Buffer Port:0x0\r\n ATL Block Size:0x100\r\n ATL PTD Skip Map:0xFFFFFFFF\r\n ATL PTD Last:0x20\r\n ATL Current Active PTD:0x0\r\n ATL Threshold Count:0x1\r\n ATL Threshold Timeout:0xFF\r\nInt Level:1\r\nTransfer Completion Codes:\r\n Success :920 CRC :0\r\n Bit Stuff :0 Stall :0\r\n No Response :0 Overrun :0\r\n Underrun :0 Other :0\r\n Buffer Overrun :0 Buffer Underrun :0\r\nTransfer Errors:\r\n Canceled Transfers :2 Control Timeout :0\r\nTransfer Failures:\r\n Interrupt Transfer :0 Bulk Transfer :0\r\n Isochronous Transfer :0 Control Transfer:0\r\nTransfer Successes:\r\n Interrupt Transfer :0 Bulk Transfer :26\r\n Isochronous Transfer :0 Control Transfer:894\r\nUSBD Failures:\r\n Enumeration Failures :0 No Class Driver Found:0\r\n Power Budget Exceeded:0\r\nUSB MSCD SCSI Class Driver Counters:\r\n Good Status Failures :3 Command Fail :0\r\n Good Status Timed out:0 Device not Found:0\r\n Device Never Opened :0 Drive 
Init Fail :0\r\n Illegal App Handle :0 Bad API Command :0\r\n Invalid Unit Number :0 Invalid Argument:0\r\n Application Overflow :0 Device in use :0\r\n Control Pipe Stall :0 Malloc Error :0\r\n Device Stalled :0 Bad Command Code:0\r\n Device Detached :0 Unknown Error :0\r\n Invalid Logic Unit Num:0\r\nUSB Aladdin Token Driver Counters:\r\n Token Inserted :1 Token Removed :0\r\n Send Insert Msg Fail :0 Response Txns :434\r\n Dev Entry Add Fail :0 Request Txns :434\r\n Dev Entry Remove Fail:0 Request Txn Fail:0\r\n Response Txn Fail :0 Command Txn Fail:0\r\n Txn Invalid Dev Handle:0\r\nUSB Flash File System Counters:\r\n Flash Disconnected :0 Flash Connected :1\r\n Flash Device Fail :0 Flash Ok :1\r\n Flash startstop Fail :0 Flash FS Fail :0\r\nUSB Secure Token File System Counters:\r\n Token Inserted :1 Token Detached :0\r\n Token FS success :1 Token FS Fail :0\r\n Token Max Inserted :0 Create Talker Failures:0\r\n Token Event :0 Destroy Talker Failures:0\r\n Watched Boolean Create Failures:0\r\nshow usb device\r\nTo display USB device information, use the show usb device command in privileged EXEC mode.\r\nshow usb device [controller-ID [device-address] ]\r\nSyntax Description\r\ncontroller-ID (Optional) Displays information only for the devices under the specified controller.\r\ndevice-address (Optional) Displays information only for the device with the specified address.\r\nCommand Default\r\nInformation for all devices attached to the system is displayed.\r\nCommand Modes\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n12.3(14)T This command was introduced.\r\n12.4(11)T This command was integrated into the Cisco 7200VXR NPE-G2 platform.\r\nUsage Guidelines\r\nUse the show usb device command to display information for either a USB flash drive or a USB eToken, as appropriate.\r\nExamples\r\nThe following example is sample output from 
the show usb device command:\r\nRouter# show usb device\r\n \r\nHost Controller:1\r\nAddress:0x1\r\nDevice Configured:YES\r\nDevice Supported:YES\r\nDescription:DiskOnKey\r\nManufacturer:M-Sys\r\nVersion:2.0\r\nSerial Number:0750D84030316868\r\nDevice Handle:0x1000000\r\nUSB Version Compliance:2.0\r\nClass Code:0x0\r\nSubclass Code:0x0\r\nProtocol:0x0\r\nVendor ID:0x8EC\r\nProduct ID:0x15\r\nMax. Packet Size of Endpoint Zero:64\r\nNumber of Configurations:1\r\nSpeed:Full\r\nSelected Configuration:1\r\nSelected Interface:0\r\nConfiguration:\r\n Number:1\r\n Number of Interfaces:1\r\n Description:\r\n Attributes:None\r\n Max Power:140 mA\r\n Interface:\r\n Number:0\r\n Description:\r\n Class Code:8\r\n Subclass:6\r\n Protocol:80\r\n Number of Endpoints:2\r\n Endpoint:\r\n Number:1\r\n Transfer Type:BULK\r\n Transfer Direction:Device to Host\r\n Max Packet:64\r\n Interval:0\r\n Endpoint:\r\n Number:2\r\n Transfer Type:BULK\r\n Transfer Direction:Host to Device\r\n Max Packet:64\r\n Interval:0\r\nHost Controller:1\r\nAddress:0x11\r\nDevice Configured:YES\r\nDevice Supported:YES\r\nDescription:eToken Pro 4254\r\nManufacturer:AKS\r\nVersion:1.0\r\nSerial Number:\r\nDevice Handle:0x1010000\r\nUSB Version Compliance:1.0\r\nClass Code:0xFF\r\nSubclass Code:0x0\r\nProtocol:0x0\r\nVendor ID:0x529\r\nProduct ID:0x514\r\nMax. Packet Size of Endpoint Zero:8\r\nNumber of Configurations:1\r\nSpeed:Low\r\nSelected Configuration:1\r\nSelected Interface:0\r\nConfiguration:\r\n Number:1\r\n Number of Interfaces:1\r\n Description:\r\n Attributes:None\r\n Max Power:60 mA\r\n Interface:\r\n Number:0\r\n Description:\r\n Class Code:255\r\n Subclass:0\r\n Protocol:0\r\n Number of Endpoints:0\r\nThe following table describes the significant fields shown in the display.\r\nTable 52. 
show usb device Field Descriptions\r\nField Description\r\nDevice handle Internal memory handle allocated to the device.\r\nDevice Class code The class code supported by the device.\r\nThis number is allocated by the USB-IF. If this field is reset to 0, each interface within a configuration\r\nspecifies its own class information, and the various interfaces operate independently. If this field is set to\r\na value between 1 and FEH, the device supports different class specifications on different interfaces, and\r\nthe interfaces may not operate independently. This value identifies the class definition used for the\r\naggregate interfaces. If this field is set to FFH, the device class is vendor-specific.\r\nDevice Subclass code The subclass code supported by the device. This number is allocated by the USB-IF.\r\nDevice Protocol The protocol supported by the device. If this field is set to 0, the device does not use class-specific\r\nprotocols on a device basis. If this field is set to 0xFF, the device uses a vendor-specific protocol on a\r\ndevice basis.\r\nInterface Class code The class code supported by the interface. If the value is set to 0xFF, the interface class is vendor\r\nspecific. All other values are allocated by the USB-IF.\r\nInterface Subclass code The subclass code supported by the interface. All values are allocated by the USB-IF.\r\nInterface Protocol The protocol code supported by the interface. If this field is set to 0, the device does not use a class-specific protocol on this interface. 
If this field is set to 0xFF, the device uses a vendor-specific protocol\r\nfor this interface.\r\nMax Packet Maximum data packet size, in bytes.\r\nshow usb driver\r\nTo display information about registered USB class drivers and vendor-specific drivers, use the show usb driver command in\r\nprivileged EXEC mode.\r\nshow usb driver [index]\r\nSyntax Description\r\nindex (Optional) Displays information only for drivers on the specified index.\r\nCommand Default\r\nInformation about all drivers is displayed.\r\nCommand Modes\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n12.3(14)T This command was introduced.\r\n12.4(11)T This command was integrated into the Cisco 7200VXR NPE-G2 platform.\r\nCisco IOS XE Release 3.6 This command was integrated into Cisco IOS XE Release 3.6.\r\nExamples\r\nThe following example is sample output for the show usb driver command:\r\nRouter# show usb driver\r\n \r\nIndex:0\r\nOwner Mask:0x6\r\nClass Code:0x0\r\nSubclass Code:0x0\r\nProtocol:0x0\r\nInterface Class Code:0x8\r\nInterface Subclass Code:0x6\r\nInterface Protocol Code:0x50\r\nProduct ID:0x655BD598\r\nVendor ID:0x64E90000\r\nAttached Devices:\r\n Controller ID:1, Device Address:1\r\nIndex:1\r\nOwner Mask:0x1\r\nClass Code:0x0\r\nSubclass Code:0x0\r\nProtocol:0x0\r\nInterface Class Code:0x0\r\nInterface Subclass Code:0x0\r\nInterface Protocol Code:0x0\r\nProduct ID:0x514\r\nVendor ID:0x529\r\nAttached Devices:\r\n Controller ID:1, Device Address:17\r\nIndex:2\r\nOwner Mask:0x5\r\nClass Code:0x9\r\nSubclass Code:0x6249BD58\r\nProtocol:0x2\r\nInterface Class Code:0x5DC0\r\nInterface Subclass Code:0x5\r\nInterface Protocol Code:0xFFFFFFFF\r\nProduct ID:0x2\r\nVendor ID:0x1\r\nAttached Devices:\r\n None\r\nIndex:3\r\nOwner Mask:0x10\r\nClass Code:0x0\r\nSubclass Code:0x0\r\nProtocol:0x0\r\nInterface Class Code:0x0\r\nInterface 
Subclass Code:0x0\r\nInterface Protocol Code:0x0\r\nProduct ID:0x0\r\nVendor ID:0x0\r\nAttached Devices:\r\n None\r\nThe following table describes the significant field shown in the display.\r\nTable 53. show usb driver Field Descriptions\r\nField Description\r\nOwner Mask Indicates the fields that are used in enumeration comparison. The driver can own different devices on the\r\nbasis of their product or vendor IDs and device or interface class, subclass, and protocol codes.\r\nshow usb port\r\nTo display USB root hub port information, use the show usb port command in privileged EXEC mode.\r\nshow usb port [port-number]\r\nSyntax Description\r\nport-number (Optional) Displays information only for a specified port. If the port-number is not issued, information for all\r\nroot ports will be displayed.\r\nCommand Modes\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n12.3(14)T This command was introduced.\r\nExamples\r\nThe following sample from the show usb port command shows the status of port 1 on the router:\r\nRouter# show usb port\r\nPort Number:0\r\nStatus:Enabled\r\nConnection State:Connected\r\nSpeed:Full\r\nPower State:ON\r\nPort Number:1\r\nStatus:Enabled\r\nConnection State:Connected\r\nSpeed:Low\r\nPower State:ON\r\nshow usb-devices summary\r\nTo display USB device summary information for all USB devices attached to the router, use the show usb-devices summary\r\ncommand in privileged EXEC mode.\r\nshow usb-devices summary\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\nCisco IOS XE Release 3.6 This command was integrated into Cisco IOS XE Release 3.6.\r\nUsage Guidelines\r\nUse the show usb-devices summary command to display information for either a USB flash drive or a 
USB eToken, as\r\nappropriate.\r\nExamples\r\nThe following example is sample output from the show usb-devices summary command, which shows that a USB token\r\ndevice is supported by Cisco (see the text in bold):\r\nRouter# show usb-devices summary\r\nUSB Device: OHCI Host Controller\r\nBus: 03 Port: 00 Cnt: 00 Speed: 12\r\nVendor: 1d6b ProdID: 0001 Rev: 2.06\r\nSerial Number: 0001:01:11.1\r\nUSB Device: OHCI Host Controller\r\nBus: 02 Port: 00 Cnt: 00 Speed: 12\r\nVendor: 1d6b ProdID: 0001 Rev: 2.06\r\nSerial Number: 0001:01:11.0\r\nUSB Device: Token 4.28.1.1 2.7.195\r\nBus: 02 Port: 00 Cnt: 01 Speed: 12\r\nVendor: 0529 ProdID: 0600 Rev: 1.00\r\nSerial Number:\r\nUSB Device: EHCI Host Controller\r\nBus: 01 Port: 00 Cnt: 00 Speed: 480\r\nVendor: 1d6b ProdID: 0002 Rev: 2.06\r\nSerial Number: 0001:01:11.2\r\nUSB Device: eUSB\r\nBus: 01 Port: 03 Cnt: 01 Speed: 480\r\nVendor: 0e39 ProdID: 2b00 Rev: b9.00\r\nSerial Number: 1E884812183636210510\r\nshow usb tree\r\nTo display information about the port state and all attached devices, use the show usb tree command in privileged EXEC\r\nmode.\r\nshow usb tree\r\nSyntax Description\r\nThis command has no arguments or keywords.\r\nCommand Modes\r\nEXEC\r\nCommand History\r\nRelease Modification\r\n12.3(14)T This command was introduced.\r\nExamples\r\nThe following example is sample output from the show usb tree command. 
This output shows that both a USB flash module\r\nand a USB eToken are currently enabled.\r\nRouter# show usb tree\r\n \r\n[Host Id:1, Host Type:1362HCD, Number of RH-Port:2]\r\n\u003cRoot Port0:Power=ON Current State=Enabled\u003e\r\n Port0:(DiskOnKey) Addr:0x1 VID:0x08EC PID:0x0015 Configured (0x1000000)\r\n\u003cRoot Port1:Power=ON Current State=Enabled\u003e\r\n Port1:(eToken Pro 4254) Addr:0x11 VID:0x0529 PID:0x0514 Configured (0x1010000)\r\nshow usbtoken\r\nTo display information about the USB eToken (such as the eToken ID), use the show usbtoken command in privileged\r\nEXEC mode.\r\nshow usbtoken [0-9]: {all | filesystem}\r\nSyntax Description\r\n0-9 (Optional) One of the ten available flash drives you can choose from; valid values: 0-9. If you do not\r\nspecify a number, 0 is used by default.\r\nall (Optional) All configuration files stored on the eToken.\r\nfilesystem (Optional) Name of a configuration file.\r\nCommand Modes\r\nPrivileged EXEC\r\nCommand History\r\nRelease Modification\r\n12.3(14)T This command was introduced.\r\n12.4(11)T This command was integrated into the Cisco 7200VXR NPE-G2 platform.\r\nCisco IOS XE Release 3.6 This command was integrated into Cisco IOS XE Release 3.6.\r\nUsage Guidelines\r\nUse the show usbtoken command to verify whether a USB eToken is inserted in the router.\r\nExamples\r\nThe following example is sample output from the show usbtoken command:\r\nRouter# show usbtoken0\r\nToken ID :43353334\r\nToken device name : token0\r\nVendor name : Vendor34\r\nProduct Name :Etoken Pro\r\nSerial number : 22273a334353\r\nFirmware version : 4.1.3.2\r\nTotal memory size : 32 KB\r\nFree memory size : 16 KB\r\nFIPS version : Yes/No\r\nToken state : “Active” | “User locked” | “Admin locked” | “System Error” | “Uknown”\r\nATR (Answer To Reset) :\"3B F2 98 0 FF C1 10 31 FE 55 C8 3\"\r\nThe 
following table describes the significant fields shown in the display.\r\nTable 54. show usbtoken Field Descriptions\r\nField Description\r\nToken ID Token identifier.\r\nToken device name A unique name derived by the token driver.\r\nATR (Answer to Reset) Information returned by smart cards when a reset command is issued.\r\nshow user-group\r\nTo display information about user groups, use the show user-group command in privileged EXEC mode.\r\nshow user-group [group-name | count]\r\nSyntax Description\r\ngroup-name (Optional) Name of the user-group.\r\ncount (Optional) Displays the total number of user groups, the names of the user groups, and the number of\r\nmembers in each.\r\nCommand Modes\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n12.4(20)T This command was introduced.\r\nExamples\r\nThe following is sample output from the show user-group command when the auth_proxy_ug user group is specified.\r\nRouter# show user-group auth_proxy_ug\r\n!\r\nUsergroup: auth_proxy_ug\r\n----------------------------------------------------------------\r\nUser Name Type Interface Learn\r\n----------------------------------------------------------------\r\n192.168.101.131 IPv4 Vlan333 Dynamic\r\n!\r\nThe following is sample output from the show user-group command when the count keyword is used.\r\nRouter# show user-group count\r\n!\r\nTotal Usergroup: 2\r\n--------------------------\r\nUser Group Members\r\n--------------------------\r\nauth_proxy_ug 1\r\neng_group_ug 1\r\n!\r\nThe table below describes the significant fields shown in the displays.\r\nTable 55. 
show user-group Field Descriptions\r\nField Description\r\nUser Name IP address of the user-group.\r\nLearn Describes how the mapping of source IP addresses to user groups is learned.\r\nRelated Commands\r\nCommand Description\r\nclass-map Creates a class map to be used for matching packets to a specified class.\r\nuser-group Defines the user-group associated with the identity policy.\r\nshow users\r\nTo display information about the active lines on the router, use the show users command in user EXEC or privileged EXEC\r\nmode.\r\nshow users [ [all] [wide] | slot {slot-number | all} | summary] [lawful-intercept]\r\nSyntax Description\r\nall (Optional) Specifies that all lines be displayed, regardless of whether anyone is using them.\r\nwide (Optional) Specifies that the wide format be used.\r\nslot (Optional) Displays information about remote logins to other processes in the chassis.\r\nslot-number (Optional) The slot number.\r\nsummary (Optional) Displays a summary of user sessions.\r\nlawful-intercept (Optional) Displays lawful-intercept users.\r\nCommand Modes\r\nUser EXEC (\u003e)\r\nPrivileged EXEC (#)\r\nCommand History\r\nRelease Modification\r\n10.0 This command was introduced.\r\n12.3(2)T The summary keyword was introduced.\r\n12.3(7)T The lawful-intercept keyword was introduced.\r\n12.2(33)SRB This command was integrated into Cisco IOS Release 12.2(33)SRB.\r\n12.2(33)SXI This command was modified in a release earlier than Cisco IOS Release 12.2(33)SXI. 
The slot\r\nkeyword and slot-number argument were added.\r\nCisco IOS XE Release 2.1 This command was implemented on the Cisco ASR 1000 Series Aggregation Services Routers.\r\nUsage Guidelines\r\nThis command displays the line number, connection name, idle time, hosts (including virtual access interfaces), and terminal\r\nlocation. An asterisk (*) indicates the current terminal session.\r\nIf the lawful-intercept keyword is issued, the names of all users who have access to a configured lawful intercept view will\r\nbe displayed. To access the show users lawful-intercept command, you must be an authorized lawful-intercept-view user.\r\nWhen an idle timeout is configured on a full virtual access interface and a subvirtual access interface, the show users\r\ncommand displays the idle time for both the interfaces. However, if the idle timeout is not configured on both the interfaces,\r\nthen the show users command will display the idle time for the full virtual access interface only.\r\nExamples\r\nThe following is sample output from the show users command:\r\nRouter# show users\r\n Line User Host(s) Idle Location\r\n 0 con 0 idle\r\n* 2 vty 0 user1 idle 0 SERVICE1.CISCO.COM\r\nThe following is sample output identifying an active virtual access interface:\r\nRouter# show users\r\nLine User Host(s) Idle Location\r\n* 0 con 0 idle 01:58\r\n 10 vty 0 Virtual-Access2 0 1212321\r\nThe following is sample output from the show users all command:\r\nRouter# show users all\r\n Line User Host(s) Idle Location\r\n* 0 vty 0 user1 idle 0 SERVICE1.CISCO.COM\r\n 1 vty 1\r\n 2 con 0\r\n 3 aux 0\r\n 4 vty 2\r\nThe table below describes the significant fields shown in the displays.\r\nTable 56. 
show users Field Descriptions\r\nField Description\r\nLine Contains three subfields:\r\nThe first subfield (0 in the sample output) is the absolute line number.\r\nThe second subfield (vty in the sample output) indicates the type of line. Possible values follow:\r\naux--auxiliary port\r\ncon--console\r\ntty--asynchronous terminal port\r\nvty--virtual terminal\r\nThe third subfield (0 in the * sample output) indicates the relative line number within the type.\r\nUser User using the line. If no user is listed in this field, no one is using the line.\r\nHost(s) Host to which the user is connected (outgoing connection). A value of idle means that there is no outgoing\r\nconnection to a host.\r\nIdle Interval (in minutes) since the user has entered something.\r\nLocation Either the hard-wired location for the line or, if there is an incoming connection, the host from which the\r\nincoming connection came.\r\nThe following sample output from the show users lawful-intercept command shows three LI-View users on the system--\r\nli_admin, li-user1, and li-user2:\r\nRouter# show users lawful-intercept\r\n \r\nli_admin\r\nli-user1\r\nli-user2\r\nRouter#\r\nRelated Commands\r\nCommand Description\r\nline Identifies a specific line for configuration and starts the line configuration command collection mode.\r\nli-view Initializes a lawful intercept view.\r\nshow line Displays the parameters of a terminal line.\r\nusername Establishes a username-based authentication system.\r\nSource: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s5.html\n\nField Description\nSPI Selector Information about SPI selection.\nremote addr low Starting range address of the remote host.\nremote addr high Highest range address of the remote host.\nlocal addr low Starting range address of the local host.\nlocal addr high Highest range address of the local host.\nClassifier Type of classification.\nsrc IP addr low Starting range of the source IP address.\nsrc IP addr high Highest range of the source IP address.\ndst IP addr low Starting range of the destination IP address.\ndst IP addr high Highest range of the destination IP address.\nsrc port low Starting range of the source port.\nsrc port high Highest range of the source port.\ndst port low Starting range of the destination port.\ndst port high Highest range of the destination port.\nprotocol low Starting range of the protocol.\nprotocol high Highest range of the protocol.\noctets Number of octets in the packet.\ntotal octets Total number of octets.\npackets Number of packets.
\n\n------------------------------------------------------------ example.com 0:00:00:23 28 58::100\nexample1.com 0:00:00:25 1 56::100\n\nInterface ========================================================== VIP VMAC Shut Decrement\nGigabitEthernet0/1/7 10.1.1.3 0007.b422.0016 no shut 50\nGigabitEthernet0/3/1 11.1.1.3 0007.b422.0017 no shut 50\n\nPool-Name ----------------------------------------------------------------------------- Num-Entries Entry-Limit Size(bytes) Num-Additions\nFTP pool 640 0 41376 0\nSCCP pool 160 0 8096 0\nSIP pool 640 0 348576 0\nSIP pkt pool 160 0 18336 0\nSIP msg pool 320 0 26016 0\nRTSP pool 160 0 10656 0\nH323 info pool 100 5000 61216 0\nH323 fs olc pool 100 5000 3616 0\nH323 pkt sb pool 100 5000 3616 0\nH323 indus pool 1000 2000 4112416 0\nH323 tl olc pool 100 5000 3616 0\nH323 msg info pool 100 5000 8416 0\nDNS pool 1024 0 82336 0\nLDAP pool 128 5000 4512 0\nLDAP pkt info pool 32 160 670624 0\nRCMD pool 160 5000 5536 0\nHTTP info pool 2400 1048576 192416 0\nHTTP req ctxt pool 6400 2097152 1638816 0\nHTTP resp ctxt pool 6400 2097152 1331616 0\nHTTP hdr fld pool 6400 2097152 307616 0\nHTTP MIME ctxt pool 6400 2097152 819616 0\nNetBIOS L7 data pool 1024 5000 33184 0\nAct token pool 640 0 143776 0\nExt state pool 160 0 5536 0\nALG HA ntuple hdr pool 10000 0 640416 0\n\ncertificate ca 02\n quit\n!\nlicense udi pid CSR1000V sn 9VJK6T4IQMT\nno license smart enable\ndiagnostic bootup level minimal\n!\nspanning-tree extend system-id\n!\nredundancy\n!\ninterface GigabitEthernet1\nno ip address\nshutdown\nnegotiation auto\nno mop enabled\nno mop sysid\n!\ninterface GigabitEthernet2\nip address 9.45.3.241 255.255.0.0\nnegotiation auto\nno mop enabled\nno mop sysid\n!\ninterface GigabitEthernet3\nno ip address\nshutdown\nnegotiation auto\nno mop enabled\nno mop sysid\n!\ninterface GigabitEthernet4\nip address 33.33.33.1 255.255.0.0\nnegotiation auto\nno mop enabled\nno mop sysid\n!\nip forward-protocol nd\nip http server\nip http secure-server\nip tftp source-interface GigabitEthernet2\nip route 202.153.0.0 255.255.0.0 9.45.0.1\n!\ncontrol-plane",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s5.html"
	],
	"report_names": [
		"sec-cr-s5.html"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "47a8f6c7-5b29-4892-8f47-1d46be71714f",
			"created_at": "2025-08-07T02:03:24.599925Z",
			"updated_at": "2026-04-10T02:00:03.720795Z",
			"deleted_at": null,
			"main_name": "BRONZE FLEETWOOD",
			"aliases": [
				"APT5 ",
				"DPD ",
				"Keyhole Panda ",
				"Mulberry Typhoon ",
				"Poisoned Flight ",
				"TG-2754 "
			],
			"source_name": "Secureworks:BRONZE FLEETWOOD",
			"tools": [
				"Binanen",
				"Comfoo",
				"Gh0st RAT",
				"Isastart",
				"Leouncia",
				"Marade",
				"OrcaRAT",
				"PCShare",
				"Protux",
				"Skeleton Key",
				"SlyPidgin",
				"VinSelf"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434132,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/624780872aea55bfa6282883afcacfae37862160.pdf",
		"text": "https://archive.orkl.eu/624780872aea55bfa6282883afcacfae37862160.txt",
		"img": "https://archive.orkl.eu/624780872aea55bfa6282883afcacfae37862160.jpg"
	}
}