This chapter describes the Cisco NX-OS security show commands.
To display authentication, authorization, and accounting (AAA) accounting configuration, use the show aaa accounting command.
show aaa accounting
This command has no arguments or keywords.
None
EXEC mode
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
This example shows how to display the configuration of the accounting log:
switch# show aaa accounting
default: local
switch#
Command | Description |
---|---|
aaa accounting default | Configures AAA methods for accounting. |
To display authentication, authorization, and accounting (AAA) authentication configuration information, use the show aaa authentication command.
show aaa authentication login [error-enable | mschap]
None
EXEC mode
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
This example shows how to display the configured authentication parameters:
switch# show aaa authentication
default: group t1
console: group t1
switch#
This example shows how to display the authentication login error enable configuration:
switch# show aaa authentication login error-enable
disabled
switch#
This example shows how to display the authentication login MS-CHAP configuration:
switch# show aaa authentication login mschap
MSCHAP is disabled
switch#
Command | Description |
---|---|
aaa authentication | Configures AAA authentication methods. |
To display AAA authorization configuration information, use the show aaa authorization command.
show aaa authorization [all]
all | (Optional) Displays configured and default values. |
None
EXEC mode
Release | Modification |
---|---|
4.2(1)N1(1) | This command was introduced. |
This example shows how to display the configured authorization methods:
switch# show aaa authorization
AAA command authorization:
default authorization for config-commands: none
switch#
To display authentication, authorization, and accounting (AAA) server group configuration, use the show aaa groups command.
show aaa groups
This command has no arguments or keywords.
None
EXEC mode
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
This example shows how to display AAA group information:
switch# show aaa groups
radius
t1
tacacs
rad1
switch#
Command | Description |
---|---|
aaa group server radius | Creates a RADIUS server group. |
To display the status of the default role assigned by the authentication, authorization, and accounting (AAA) server administrator for remote authentication, use the show aaa user command.
show aaa user default-role
default-role | Displays the status of the default AAA role. |
None
EXEC mode.
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
This example shows how to display the status of the default role assigned by the AAA server administrator for remote authentication:
switch# show aaa user default-role
enabled
switch#
Command | Description |
---|---|
aaa user default-role | Configures the default user for remote authentication. |
show aaa authentication | Displays AAA authentication information. |
To display all IPv4 and MAC access control lists (ACLs) or a specific ACL, use the show access-lists command.
show access-lists [access-list-name]
access-list-name | (Optional) Name of an ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
The switch shows all ACLs unless you use the access-list-name argument to specify an ACL.
EXEC mode
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
This example shows how to display all IPv4 and MAC ACLs on the switch:
switch# show access-lists
In Cisco NX-OS Release 5.0(2)N1(1), the following output is displayed:
switch# show access-lists
IP access list BulkData
10 deny ip any any
IP access list CriticalData
10 deny ip any any
IP access list Scavenger
10 deny ip any any
MAC access list acl-mac
10 permit any any
IP access list denyv4
20 deny ip 10.10.10.0/24 10.20.10.0/24 fragments
30 permit udp 10.10.10.0/24 10.20.10.0/24 lt 400
40 permit icmp any any router-advertisement
60 deny tcp 10.10.10.0/24 10.20.10.0/24 syn
70 permit igmp any any host-report
80 deny tcp any any rst
90 deny tcp any any ack
100 permit tcp any any fin
110 permit tcp any gt 300 any lt 400
130 deny tcp any range 200 300 any lt 600
140 deny tcp any range 200 300 any lt 600
IP access list dot
statistics per-entry
10 permit ip 20.1.1.1 255.255.255.0 20.10.1.1 255.255.255.0 precedence f
lash-override
20 deny ip 20.1.1.1/24 20.10.1.1/24 fragments
30 permit tcp any any fragments
40 deny tcp any eq 400 any eq 500
IP access list ipPacl
statistics per-entry
10 deny tcp any eq 400 any eq 500
IP access list ipv4
10 permit ip 10.10.10.1 225.255.255.0 any fragments
20 permit ip any any dscp ef
IP access list ipv4Acl
10 permit ip 10.10.10.1/32 10.10.10.2/32
MAC access list test
statistics per-entry
10 deny 0000.1111.2222 0000.0000.0000 0000.1111.3333 ffff.0000.0000
IP access list voice
10 remark - avaya rtp range
20 permit udp any range 49072 50175 any range 49072 50175 dscp ef
30 permit udp any range 49072 50175 any range 50176 50353 dscp ef
40 permit udp any range 50176 50353 any range 49072 50175 dscp ef
50 permit udp any range 50176 50353 any range 50176 50353 dscp ef
60 permit udp any range 2048 2815 any range 2048 2815 dscp ef
70 permit udp any range 2048 2815 any range 2816 3028 dscp ef
80 permit udp any range 2816 3028 any range 2816 3028 dscp ef
90 permit udp any range 2816 3028 any range 2048 2815 dscp ef
100 remark -- cisco rtp range
switch#
To display the accounting log contents, use the show accounting log command.
show accounting log [size] [start-time year month day HH:MM:SS] [end-time year month day HH:MM:SS]
None
EXEC mode
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
This example shows how to display the entire accounting log:
switch# show accounting log
In Cisco NX-OS Release, this command displays the following output:
switch# show accounting log
Mon Aug 16 09:37:43 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; interface vfc3 ; bind interface Ethernet1/12 (SUCCESS)
Mon Aug 16 09:38:20 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; interface vfc3 ; no shutdown (REDIRECT)
Mon Aug 16 09:38:20 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=Inte
rface vfc3 state updated to up
Mon Aug 16 09:38:20 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; interface vfc3 ; no shutdown (SUCCESS)
Mon Aug 16 09:38:20 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; interface vfc3 ; no shutdown (SUCCESS)
Mon Aug 16 09:48:05 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; interface Ethernet2/1 (SUCCESS)
Mon Aug 16 09:55:27 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; vtp mode client (FAILURE)
Mon Aug 16 09:55:35 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; vtp mode server (FAILURE)
Mon Aug 16 10:03:46 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; no vtp mode (FAILURE)
Mon Aug 16 10:04:11 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; vtp mode transparent (SUCCESS)
Mon Aug 16 10:04:20 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; vtp domain MyDomain (SUCCESS)
Mon Aug 16 10:04:39 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; vtp password MyPass (SUCCESS)
Mon Aug 16 10:05:17 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; no vtp password (SUCCESS)
Mon Aug 16 10:06:46 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; vtp pruning (SUCCESS)
Mon Aug 16 10:09:11 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; interface Ethernet1/12 (SUCCESS)
Mon Aug 16 10:32:33 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=clea
r vtp counters (SUCCESS)
Mon Aug 16 10:35:20 2010:type=stop:id=72.163.177.184@pts/0:user=admin:cmd=shell
terminated because of telnet closed
--More--
switch#
This example shows how to display 400 bytes of the accounting log:
switch# show accounting log 400
This example shows how to display the accounting log starting at 16:00:00 on February 16, 2008:
switch# show accounting log start-time 2008 Feb 16 16:00:00
This example shows how to display the accounting log starting at 15:59:59 on February 1, 2008 and ending at 16:00:00 on February 29, 2008:
switch# show accounting log start-time 2008 Feb 1 15:59:59 end-time 2008 Feb 29 16:00:00
Command | Description |
---|---|
clear accounting log | Clears the accounting log. |
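The accounting log format shown in the example output above, parsed for review; this is an added example and not Cisco code. It rejoins records that the terminal wrapped at 80 columns and flags failed commands, Telnet sessions and commands that left a password in the log. The `review` rules, the `<redacted>` marker and all function names are assumptions made for illustration.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

# Constructed sample: four records taken from the example output above, still
# hard-wrapped at the 80-column terminal width, with prompt and pager lines.
SAMPLE = """\
switch# show accounting log
Mon Aug 16 09:55:27 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; vtp mode client (FAILURE)
Mon Aug 16 10:04:39 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; vtp password MyPass (SUCCESS)
Mon Aug 16 10:05:17 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
igure terminal ; no vtp password (SUCCESS)
Mon Aug 16 10:35:20 2010:type=stop:id=72.163.177.184@pts/0:user=admin:cmd=shell
terminated because of telnet closed
--More--
switch#
"""

TS = r"\S+ \S+ +\d{1,2} [\d:]{8} \d{4}"
RECORD = re.compile(
    rf"^(?P<ts>{TS}):type=(?P<type>\w+):id=(?P<id>.*?):user=(?P<user>.*?):cmd=(?P<cmd>.*)$"
)
STATUS = re.compile(r"\s*\((SUCCESS|FAILURE|REDIRECT)\)$")
NOISE = re.compile(r"^(\S+#(\s|$)|--More--)")  # CLI prompt or pager line
# Heuristic (assumption): the token after "password" is a secret, except for
# the "password strength-check" toggle; an optional type digit is kept.
SECRET = re.compile(r"(\bpassword\s+(?:\d\s+)?)(?!strength-check\b)(\S+)")


class Record(NamedTuple):
    when: datetime
    type: str
    source: str            # the id= field, "address@tty" in the sample
    user: str
    cmd: str
    status: Optional[str]  # None when the record has no (STATUS) suffix


def unwrap(text: str, width: int = 80) -> list:
    """Rejoin records that the terminal split across lines."""
    records, prev_len = [], 0
    for line in text.splitlines():
        line = line.rstrip()
        if not line or NOISE.match(line):
            continue
        if RECORD.match(line):
            records.append(line)
        elif records:
            # A full-width line was cut mid-token; a shorter one ended at a
            # space that was lost when the output was captured.
            records[-1] += ("" if prev_len >= width else " ") + line
        prev_len = len(line)
    return records


def parse(text: str, width: int = 80) -> list:
    """Turn raw 'show accounting log' output into Record tuples."""
    records = []
    for raw in unwrap(text, width):
        m = RECORD.match(raw)
        cmd, status = m["cmd"], None
        s = STATUS.search(cmd)
        if s:
            cmd, status = cmd[: s.start()], s.group(1)
        when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        records.append(Record(when, m["type"], m["id"], m["user"], cmd, status))
    return records


def review(records) -> list:
    """Return (kind, user, redacted command) for entries worth a second look."""
    findings = []
    for r in records:
        shown = SECRET.sub(r"\1<redacted>", r.cmd)
        if shown != r.cmd:
            findings.append(("secret-in-log", r.user, shown))
        if r.status == "FAILURE":
            findings.append(("failed-command", r.user, shown))
        if r.type == "stop" and "telnet" in r.cmd:
            findings.append(("telnet-session", r.user, shown))
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE)):
        print(*finding, sep=" | ")
```

Redacting before the findings leave the switch matters because the log keeps the command text as typed, including the `vtp password` value in the sample.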
To display all ARP access control lists (ACLs) or a specific ARP ACL, use the show arp access-lists command.
show arp access-lists [access-list-name]
access-list-name | (Optional) Name of an ARP ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
None
Any command mode
Release | Modification |
---|---|
5.1(3)N1(1) | This command was introduced. |
Note: As of Cisco NX-OS Release 5.1(3)N1(1), an ARP access list is supported only for Control Plane Policing (CoPP).
The device shows all ARP ACLs, unless you use the access-list-name argument to specify an ACL.
This command does not require a license.
This example shows how to display all ARP ACLs on a switch:
switch# show arp access-lists
This example shows how to display an ARP ACL named arp-permit-all:
switch# show arp access-lists arp-permit-all
Command | Description |
---|---|
arp access-list | Configures an ARP ACL. |
To display the configuration at the time a checkpoint was implemented, use the show checkpoint command.
show checkpoint [checkpoint-name] [all [system | user]]
None
EXEC mode
Release | Modification |
---|---|
5.0(2)N1(1) | This command was introduced. |
The command output displays a history of the most recent (up to ten) checkpoint IDs. The checkpoint IDs represent the rollback points that allow the user to restore the system to a checkpoint configuration.
This example shows how to display the rollback checkpoints configured in the local switch:
switch# show checkpoint
--------------------------------------------------------------------------------
Name: chkpnt-1
!Command: Checkpoint cmd vdc 1
!Time: Mon Sep 6 09:40:47 2010
version 5.0(2)N1(1)
feature telnet
feature tacacs+
cfs eth distribute
feature private-vlan
feature udld
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature fex
username adminbackup password 5 ! role network-operator
username admin password 5 $1$KIPRDtFF$7eUMjCAd7Nkhktzebsg5/0 role network-admin
no password strength-check
ip domain-lookup
ip domain-lookup
hostname switch
ip access-list ip1
class-map type qos class-fcoe
match cos 4
class-map type qos match-all cq1
match cos 4
match precedence 7
class-map type qos match-all cq2
match cos 5
match dscp 10
class-map type qos match-any cq3
match precedence 7
<--output truncated-->
switch#
This example shows how to display information about a specific checkpoint:
switch# show checkpoint chkpnt-1
--------------------------------------------------------------------------------
Name: chkpnt-1
!Command: Checkpoint cmd vdc 1
!Time: Mon Sep 6 09:40:47 2010
version 5.0(2)N1(1)
feature telnet
feature tacacs+
cfs eth distribute
feature private-vlan
feature udld
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature fex
username adminbackup password 5 ! role network-operator
username admin password 5 $1$KIPRDtFF$7eUMjCAd7Nkhktzebsg5/0 role network-admin
no password strength-check
ip domain-lookup
ip domain-lookup
hostname switch
ip access-list ip1
class-map type qos class-fcoe
match cos 4
class-map type qos match-all cq1
match cos 4
match precedence 7
--More--
switch#
This example shows how to display all configured rollback checkpoints:
switch# show checkpoint all
To display a summary of the configured checkpoints, use the show checkpoint summary command.
show checkpoint summary [system | user]
system | (Optional) Displays a summary of the system-configured checkpoints. |
user | (Optional) Displays a summary of the user-configured checkpoints. |
None
EXEC mode
Release | Modification |
---|---|
5.0(2)N1(1) | This command was introduced. |
This example shows how to display the configuration rollback checkpoints summary:
switch# show checkpoint summary
User Checkpoint Summary
User Checkpoint Summary
--------------------------------------------------------------------------------
1) chkpnt-1:
Created by admin
Created at Tue, 08:10:23 14 Sep 2010
Size is 21,508 bytes
Description: Checkpoint to save current configuration, Sep 9 10:02 A.M.
2) chkpnt-2:
Created by admin
Created at Tue, 08:11:46 14 Sep 2010
Size is 21,536 bytes
Description: None
3) user-checkpoint-4:
Created by admin
Created at Tue, 08:16:48 14 Sep 2010
Size is 21,526 bytes
Description: None
switch#
This example shows how to display the summary of the system-configured rollback checkpoints:
switch# show checkpoint summary system
This example shows how to display the summary of the user-configured rollback checkpoints:
switch# show checkpoint summary user
--------------------------------------------------------------------------------
1) chkpnt-1:
Created by admin
Created at Tue, 08:10:23 14 Sep 2010
Size is 21,508 bytes
Description: Checkpoint to save current configuration, Sep 9 10:02 A.M.
2) chkpnt-2:
Created by admin
Created at Tue, 08:11:46 14 Sep 2010
Size is 21,536 bytes
Description: None
3) user-checkpoint-4:
Created by admin
Created at Tue, 08:16:48 14 Sep 2010
Size is 21,526 bytes
Description: None
switch#
To display only the system-configured checkpoints, use the show checkpoint system command.
show checkpoint system
This command has no arguments or keywords.
None
EXEC mode
Release | Modification |
---|---|
5.0(2)N1(1) | This command was introduced. |
This example shows how to display the rollback checkpoints defined by the system:
switch# show checkpoint system
To display only the user-configured checkpoints, use the show checkpoint user command.
show checkpoint user
This command has no arguments or keywords.
None
EXEC mode
Release | Modification |
---|---|
5.0(2)N1(1) | This command was introduced. |
This example shows how to display the rollback checkpoints configured by the current user:
switch# show checkpoint user
--------------------------------------------------------------------------------
Name: myChkpoint
!Command: Checkpoint cmd vdc 1
!Time: Mon Sep 6 09:40:47 2010
version 5.0(2)N1(1)
feature telnet
feature tacacs+
cfs eth distribute
feature private-vlan
feature udld
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature fex
username adminbackup password 5 ! role network-operator
username admin password 5 $1$KIPRDtFF$7eUMjCAd7Nkhktzebsg5/0 role network-admin
no password strength-check
ip domain-lookup
ip domain-lookup
hostname switch
ip access-list ip1
class-map type qos class-fcoe
match cos 4
class-map type qos match-all cq1
match cos 4
match precedence 7
<--output truncated-->
switch#
To display the configuration differences between two checkpoints, use the show diff rollback-patch checkpoint command.
show diff rollback-patch checkpoint src-checkpoint-name checkpoint dest-checkpoint-name
src-checkpoint-name | Source checkpoint name. The name can be a maximum of 32 characters. |
dest-checkpoint-name | Destination checkpoint name. The name can be a maximum of 32 characters. |
None
EXEC mode
Release | Modification |
---|---|
5.0(2)N1(1) | This command was introduced. |
Use this command to view the differences between the source and destination checkpoints that reference current or saved configurations. The configuration differences based on the current running configuration and checkpointed configuration are applied to the system to restore the running state of the system.
This example shows how to view the changes between two checkpoints, chkpnt-1 and chkpnt-2:
switch# checkpoint chkpnt-1
<-- modify configuration in running configuration--->
switch# checkpoint chkpnt-2
<-- modify configuration in running configuration--->
switch# checkpoint
...
user-checkpoint-4 created Successfully
Done
switch#
<-- modify configuration in running configuration--->
switch# show diff rollback-patch checkpoint user-checkpoint-4 checkpoint chkpnt-1
#Generating Rollback Patch
!!
interface Ethernet1/2
no untagged cos
no description Sample config
exit
!
interface Ethernet1/2
channel-group 1
!
line vty
switch# rollback chkpnt-1
switch#
To display the differences between the two checkpoint configuration files, use the show diff rollback-patch file command.
show diff rollback-patch file {bootflash: | volatile:}[//server][directory/][src-filename] {checkpoint dest-checkpoint-name | file {bootflash: | volatile:}[//server][directory/][dest-filename] | running-config | startup-config}
Note: There can be no spaces in the filesystem://server/directory/filename string. Individual elements of this string are separated by colons (:) and slashes (/).
None
EXEC mode
Release | Modification |
---|---|
5.0(2)N1(1) | This command was introduced. |
Use this command to view the differences between the source and destination checkpoint configuration files that reference current or saved configurations. The configuration differences based on the current running configuration and checkpointed configuration are applied to the system to restore the running state of the system.
This example shows how to view the changes between two checkpoint configurations stored in files in the bootflash storage system:
switch# checkpoint chkpnt-1
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-1.txt
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-2.txt
<-- modify configuration in running configuration--->
switch# checkpoint chkpnt-2
switch# show diff rollback-patch file bootflash:///chkpnt_configSep9-2.txt file bootflash:///chkpnt_configSep9-1.txt
switch# rollback file bootflash:///chkpnt_configSep9-1.txt
switch#
To display the differences between the current running configuration and the saved (checkpointed) configuration, use the show diff rollback-patch running-config command.
show diff rollback-patch running-config {checkpoint checkpoint-name | file {bootflash: | volatile:}[//server][directory/][filename] | running-config | startup-config}
Note: There can be no spaces in the filesystem://server/directory/filename string. Individual elements of this string are separated by colons (:) and slashes (/).
None
EXEC mode
Release | Modification |
---|---|
5.0(2)N1(1) | This command was introduced. |
Use this command to view the differences between the current running configuration and destination checkpoints that reference a saved configuration. The configuration differences based on the current running configuration and checkpointed configuration are applied to the system to restore the running state of the system.
This example shows how to view the configuration changes between the current running configuration and a checkpoint named chkpnt-1:
switch# checkpoint chkpnt-1
<-- modify configuration in running configuration--->
switch# checkpoint chkpnt-2
<-- modify configuration in running configuration--->
switch# show diff rollback-patch running-config checkpoint chkpnt-1
Collecting Running-Config
#Generating Rollback Patch
!!
interface Ethernet1/2
no description Sample config
exit
switch#
This example shows how to view the configuration changes between the current running configuration and a saved configuration in the bootflash storage system:
switch# checkpoint chkpnt-1
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-1.txt
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-2.txt
<-- modify configuration in running configuration--->
switch# show diff rollback-patch running-config file chkpnt_configSep9-1.txt
This example shows how to view the configuration changes between the current running configuration and a checkpointed running configuration:
switch# checkpoint chkpnt-1
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-1.txt
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-2.txt
<-- modify configuration in running configuration--->
switch# show diff rollback-patch running-config running-config
This example shows how to view the configuration changes between the current running configuration and a saved startup configuration:
switch# checkpoint chkpnt-1
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-1.txt
<-- modify configuration in running configuration--->
switch# copy running-config startup-config
switch# checkpoint file bootflash:///chkpnt_configSep9-2.txt
<-- modify configuration in running configuration--->
switch# checkpoint chkpnt-2
switch# show diff rollback-patch running-config startup-config
Collecting Running-Config
Collecting Startup-Config
#Generating Rollback Patch
!!
interface Ethernet1/2
no untagged cos
no description Sample config
exit
password strength-check
no username admin
no username adminbackup
!
interface Ethernet1/2
channel-group 1
no feature ssh
no feature telnet
switch#
To display the differences between the current startup configuration and the saved (checkpointed) configuration, use the show diff rollback-patch startup-config command.
show diff rollback-patch startup-config {checkpoint checkpoint-name | file {bootflash: | volatile:}[//server][directory/][filename] | running-config | startup-config}
Note: There can be no spaces in the filesystem://server/directory/filename string. Individual elements of this string are separated by colons (:) and slashes (/).
None
EXEC mode
Release | Modification |
---|---|
5.0(2)N1(1) | This command was introduced. |
Use this command to view the differences between the current startup configuration and destination checkpoints that reference a saved configuration. The configuration differences based on the current running configuration and checkpointed configuration are applied to the system to restore the running state of the system.
This example shows how to view the configuration changes between the current startup configuration and a checkpoint named chkpnt-1:
switch# checkpoint chkpnt-1
<-- modify configuration in running configuration--->
switch# checkpoint chkpnt-2
<-- modify configuration in running configuration--->
switch# copy running-config startup-config
switch# show diff rollback-patch startup-config checkpoint chkpnt-1
Collecting Startup-Config
#Generating Rollback Patch
!!
!
feature telnet
feature ssh
username adminbackup password 5 ! role network-operator
username admin password 5 $1$KIPRDtFF$7eUMjCAd7Nkhktzebsg5/0 role network-admin
no password strength-check
switch#
This example shows how to view the configuration changes between the current startup configuration and a saved configuration in the bootflash storage system:
switch# checkpoint chkpnt-1
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-1.txt
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-2.txt
<-- modify configuration in running configuration--->
switch# copy running-config startup-config
switch# show diff rollback-patch startup-config file chkpnt_configSep9-1.txt
switch#
This example shows how to view the configuration changes between the current startup configuration and a checkpointed running configuration:
switch# checkpoint chkpnt-1
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-1.txt
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-2.txt
<-- modify configuration in running configuration--->
switch# copy running-config startup-config
<-- modify configuration in running configuration--->
switch# show diff rollback-patch startup-config running-config
Collecting Running-Config
Collecting Startup-Config
#Generating Rollback Patch
!!
!
feature telnet
feature ssh
username adminbackup password 5 ! role network-operator
username admin password 5 $1$KIPRDtFF$7eUMjCAd7Nkhktzebsg5/0 role network-admin
no password strength-check
switch#
This example shows how to view the configuration changes between the current startup configuration and a saved startup configuration:
switch# checkpoint chkpnt-1
<-- modify configuration in running configuration--->
switch# checkpoint file bootflash:///chkpnt_configSep9-1.txt
<-- modify configuration in running configuration--->
switch# copy running-config startup-config
switch# checkpoint file bootflash:///chkpnt_configSep9-2.txt
<-- modify configuration in running configuration--->
switch# show diff rollback-patch startup-config startup-config
Collecting Startup-Config
#Generating Rollback Patch
Rollback Patch is Empty
switch#
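A rollback patch can change who can log in and how, as the example patches above show (`no feature ssh`, `no username admin`, `no password strength-check`). The following added example, which is not Cisco code, flags those lines so they can be reviewed before the `rollback` command is run. The rule table, the effect labels and the function names are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Constructed inputs: two rollback patches from the examples above, with the
# admin password hash replaced by a placeholder.
PATCH_RUNNING_VS_STARTUP = """\
Collecting Running-Config
Collecting Startup-Config
#Generating Rollback Patch
!!
interface Ethernet1/2
no untagged cos
no description Sample config
exit
password strength-check
no username admin
no username adminbackup
!
interface Ethernet1/2
channel-group 1
no feature ssh
no feature telnet
"""

PATCH_STARTUP_VS_CHECKPOINT = """\
Collecting Startup-Config
#Generating Rollback Patch
!!
!
feature telnet
feature ssh
username adminbackup password 5 ! role network-operator
username admin password 5 <hash-placeholder> role network-admin
no password strength-check
"""

# (pattern matched against the whole line, effect label, note template)
RULES = [
    (r"feature telnet", "weakens", "enables Telnet (cleartext management)"),
    (r"no feature telnet", "hardens", "disables Telnet"),
    (r"feature ssh", "hardens", "enables SSH"),
    (r"no feature ssh", "access", "disables SSH"),
    (r"no password strength-check", "weakens", "disables password strength checking"),
    (r"password strength-check", "hardens", "enables password strength checking"),
    (r"username (?P<user>\S+) password .* role (?P<role>\S+)", "access",
     "sets local user {user} with role {role}"),
    (r"no username (?P<user>\S+)", "access", "removes local user {user}"),
]


class Finding(NamedTuple):
    line_no: int
    line: str
    effect: str   # "weakens", "hardens" or "access"
    note: str


def review_patch(patch: str):
    """Return (findings, warnings) for one rollback patch."""
    findings = []
    for n, raw in enumerate(patch.splitlines(), 1):
        line = raw.strip()
        for pattern, effect, note in RULES:
            m = re.fullmatch(pattern, line)
            if m:
                findings.append(Finding(n, line, effect, note.format(**m.groupdict())))
                break

    # Cross-line checks: combinations that can lock administrators out.
    lines = {f.line for f in findings}
    warnings = []
    if {"no feature ssh", "no feature telnet"} <= lines:
        warnings.append("both SSH and Telnet are disabled: check console access first")
    removed = [f.line.split()[2] for f in findings if f.line.startswith("no username ")]
    added = [f for f in findings if f.line.startswith("username ")]
    if removed and not added:
        warnings.append("local users removed and none added: " + ", ".join(removed))
    return findings, warnings


if __name__ == "__main__":
    for patch in (PATCH_RUNNING_VS_STARTUP, PATCH_STARTUP_VS_CHECKPOINT):
        found, warned = review_patch(patch)
        for f in found:
            print(f"{f.line_no:>3} {f.effect:<8} {f.line}  ({f.note})")
        for w in warned:
            print("    WARNING:", w)
```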
To display information about the HTTP or HTTPS configuration, use the show http-server command.
show http-server
This command has no arguments or keywords.
None
EXEC mode
Release | Modification |
---|---|
5.0(2)N1(1) | This command was introduced. |
In releases earlier than Cisco NX-OS Release 5.0(2)N1(1), HTTP or HTTPS is enabled on the switch by default.
This example shows how to display the status of the HTTP server:
switch# show http-server
http-server enabled
switch#
Command | Description |
---|---|
feature http-server | Enables or disables the HTTP or HTTPS server on the switch. |
To display all IPv4 access control lists (ACLs) or a specific IPv4 ACL, use the show ip access-lists command.
show ip access-lists [access-list-name]
access-list-name | (Optional) Name of an IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
The switch shows all IPv4 ACLs unless you use the access-list-name argument to specify an ACL.
EXEC mode
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
By default, this command displays the IPv4 ACLs configured on the switch. The command displays the statistics information for an IPv4 ACL only if the IPv4 ACL is applied to the management (mgmt0) interface. If the ACL is applied to an SVI interface or in a QoS class map, then the command does not display any statistics information.
This example shows how to display all IPv4 ACLs on the switch:
switch# show ip access-lists
In Cisco NX-OS release 5.0(2)N1(1), this example shows how to display all IPv4 ACLs on the switch:
switch# show ip access-lists
IP access list BulkData
10 deny ip any any
IP access list CriticalData
10 deny ip any any
IP access list Scavenger
10 deny ip any any
IP access list denyv4
20 deny ip 10.10.10.0/24 10.20.10.0/24 fragments
30 permit udp 10.10.10.0/24 10.20.10.0/24 lt 400
40 permit icmp any any router-advertisement
60 deny tcp 10.10.10.0/24 10.20.10.0/24 syn
70 permit igmp any any host-report
80 deny tcp any any rst
90 deny tcp any any ack
100 permit tcp any any fin
110 permit tcp any gt 300 any lt 400
130 deny tcp any range 200 300 any lt 600
140 deny tcp any range 200 300 any lt 600
IP access list dot
statistics per-entry
10 permit ip 20.1.1.1 255.255.255.0 20.10.1.1 255.255.255.0 precedence f
lash-override
20 deny ip 20.1.1.1/24 20.10.1.1/24 fragments
30 permit tcp any any fragments
40 deny tcp any eq 400 any eq 500
IP access list ipPacl
statistics per-entry
10 deny tcp any eq 400 any eq 500
IP access list ipv4
10 permit ip 10.10.10.1 225.255.255.0 any fragments
20 permit ip any any dscp ef
IP access list ipv4Acl
10 permit ip 10.10.10.1/32 10.10.10.2/32
IP access list voice
--More--
switch#
Command | Description |
---|---|
ip access-list | Configures an IPv4 ACL. |
show access-lists | Displays all ACLs or a specific ACL. |
show mac access-lists | Displays all MAC ACLs or a specific MAC ACL. |
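ACL entries are evaluated in sequence order and the first match wins, so a repeated entry such as sequence 140 of `denyv4` in the output above can never match. The following added example, which is not Cisco code, parses `show access-lists` or `show ip access-lists` output and reports such entries. The ACL named `constructed-example` is made up here, and the function names are assumptions.

```python
import re

# Constructed sample: entries from the example output above (including the one
# the terminal wrapped), plus one ACL made up here to show a catch-all entry.
SAMPLE = """\
switch# show ip access-lists
IP access list denyv4
20 deny ip 10.10.10.0/24 10.20.10.0/24 fragments
110 permit tcp any gt 300 any lt 400
130 deny tcp any range 200 300 any lt 600
140 deny tcp any range 200 300 any lt 600
IP access list dot
statistics per-entry
10 permit ip 20.1.1.1 255.255.255.0 20.10.1.1 255.255.255.0 precedence f
lash-override
40 deny tcp any eq 400 any eq 500
IP access list voice
10 remark - avaya rtp range
20 permit udp any range 49072 50175 any range 49072 50175 dscp ef
IP access list constructed-example
10 deny ip any any
20 permit tcp any any fin
--More--
switch#
"""

HEADER = re.compile(r"^(IP|MAC) access list (\S+)$")
ENTRY = re.compile(r"^(\d+) (permit|deny|remark)\b\s*(.*)$")
SKIP = re.compile(r"^(statistics per-entry$|--More--|\S+#(\s|$))")
CATCH_ALL = {"ip any any", "any any"}   # IPv4 and MAC forms seen on the page


def parse_acls(text: str) -> dict:
    """Map ACL name -> list of [sequence, action, match text]."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or SKIP.match(line):
            continue
        header = HEADER.match(line)
        entry = ENTRY.match(line)
        if header:
            current = acls.setdefault(header.group(2), [])
        elif entry and current is not None:
            current.append([int(entry.group(1)), entry.group(2), entry.group(3)])
        elif current:
            # Assumption: any other line continues an entry that the terminal
            # cut at its right margin, so it is joined without a separator.
            current[-1][2] += line
    return acls


def unreachable_entries(acls: dict) -> list:
    """Entries that can never match because an earlier entry matches first."""
    findings = []
    for name, entries in acls.items():
        first_seen, catch_all = {}, None
        for seq, action, match in entries:
            if action == "remark":
                continue
            match = " ".join(match.split())
            if catch_all is not None:
                findings.append((name, seq, f"follows catch-all entry {catch_all}"))
            elif match in first_seen:
                prev_seq, prev_action = first_seen[match]
                kind = "duplicates" if prev_action == action else "contradicts"
                findings.append((name, seq, f"{kind} entry {prev_seq}"))
            else:
                first_seen[match] = (seq, action)
                if match in CATCH_ALL:
                    catch_all = seq
    return findings


if __name__ == "__main__":
    for name, seq, reason in unreachable_entries(parse_acls(SAMPLE)):
        print(f"{name}: entry {seq} {reason}")
```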
To display the Address Resolution Protocol (ARP) table statistics, use the show ip arp command.
show ip arp [client | [statistics | summary] [ethernet slot/port | loopback intf-num | mgmt mgmt-intf-num | port-channel channel-num | vlan vlan-id] [fhrp-non-active-learn] [static] [detail] [vrf {vrf-name | all | default | management}]]
None
EXEC mode
You must use the feature interface-vlan command before you can display the ARP information for VLAN interfaces.
This example shows how to display the ARP table:
switch# show ip arp
IP ARP Table for context default
Total number of entries: 1
Address Age MAC Address Interface
90.10.10.2 00:03:11 000d.ece7.df7c Vlan900
switch#
This example shows how to display the detailed ARP table:
switch# show ip arp detail
IP ARP Table for context default
Total number of entries: 1
Address Age MAC Address Interface Physical Interface
90.10.10.2 00:02:55 000d.ece7.df7c Vlan900 Ethernet1/12
switch#
This example shows how to display the ARP table for VLAN 10 and all VRFs:
switch# show ip arp vlan 10 vrf all
Table 1 describes the fields shown in the above displays.
Command | Description |
---|---|
clear ip arp | Clears the ARP cache and table. |
feature interface-vlan | Enables the creation of VLAN interfaces. |
show running-config arp | Displays the running ARP configuration. |
To display the Dynamic ARP Inspection (DAI) configuration status, use the show ip arp inspection command.
show ip arp inspection
This command has no arguments or keywords.
None
Any command mode
Release | Modification |
---|---|
5.0(3)N1(1) | This command was introduced. |
This example shows how to display the status of the DAI configuration:
switch# show ip arp inspection
To display the trust state for the specified interface, use the show ip arp inspection interfaces command.
show ip arp inspection interfaces {ethernet slot/port | port-channel channel-number}
None
Any command mode
Release | Modification |
---|---|
5.0(3)N1(1) | This command was introduced. |
This example shows how to display the trust state for a trusted interface:
switch# show ip arp inspection interfaces ethernet 2/1
To display the Dynamic ARP Inspection (DAI) log configuration, use the show ip arp inspection log command.
show ip arp inspection log
This command has no arguments or keywords.
None
Any command mode
Release | Modification |
---|---|
5.0(3)N1(1) | This command was introduced. |
This example shows how to display the DAI log configuration:
switch# show ip arp inspection log
Syslog Buffer Size : 12
Syslog Rate : 5 entries per 1 seconds
switch#
To display the Dynamic ARP Inspection (DAI) statistics, use the show ip arp inspection statistics command.
show ip arp inspection statistics [vlan vlan-list]
vlan vlan-list | (Optional) Specifies the list of VLANs for which to display DAI statistics. Valid VLAN IDs are from 1 to 4094. You can specify a VLAN or range of VLANs. |
None
Any command mode
Release | Modification |
---|---|
5.0(3)N1(1) | This command was introduced. |
This example shows how to display the DAI statistics for VLAN 1:
switch# show ip arp inspection statistics vlan 1
To display the Dynamic ARP Inspection (DAI) status for the specified list of VLANs, use the show ip arp inspection vlan command.
show ip arp inspection vlan vlan-list
None
Any command mode
Release | Modification |
---|---|
5.0(3)N1(1) | This command was introduced. |
This example shows how to display the DAI status for VLAN 1:
switch# show ip arp inspection vlan 1
Source Mac Validation : Enabled
Destination Mac Validation : Enabled
IP Address Validation : Enabled
Vlan : 1
-----------
Configuration : Disabled
Operation State : Inactive
switch#
To display the Address Resolution Protocol (ARP) table information after an ARP table synchronization, use the show ip arp sync-entries command.
show ip arp sync-entries [detail | vrf {vrf-name | all | default | management}]
None
EXEC mode
Release | Modification |
---|---|
5.1(3)N1(1) | This command was introduced. |
This command does not require a license.
This example shows how to display the global ARP statistics on virtual port channels (vPCs):
switch# show ip arp sync-entries
|
|
---|---|
ip arp synchronize |
Enables ARP synchronization on a vPC domain. |
show running-config arp |
Displays the running configuration information for ARP tables. |
To display general status information for Dynamic Host Configuration Protocol (DHCP) snooping, use the show ip dhcp snooping command.
show ip dhcp snooping
This command has no arguments or keywords.
None
Any command mode
|
|
5.0(2)N2(1) |
This command was introduced. |
This example shows how to display general status information about DHCP snooping:
switch# show ip dhcp snooping
DHCP snooping service is enabled
Switch DHCP snooping is enabled
DHCP snooping is configured on the following VLANs:
1,13
DHCP snooping is operational on the following VLANs:
1
Insertion of Option 82 is disabled
Verification of MAC address is enabled
DHCP snooping trust is configured on the following interfaces:
Interface Trusted
------------ -------
Ethernet2/3 Yes
switch#
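The output above lists VLAN 13 as configured for DHCP snooping but not operational. The Python below is an added example (not part of the Cisco documentation) that parses this output and reports such gaps; the function names are hypothetical.

```python
import re

# Output copied from the `show ip dhcp snooping` example above.
SAMPLE_OUTPUT = """\
DHCP snooping service is enabled
Switch DHCP snooping is enabled
DHCP snooping is configured on the following VLANs:
1,13
DHCP snooping is operational on the following VLANs:
1
Insertion of Option 82 is disabled
Verification of MAC address is enabled
DHCP snooping trust is configured on the following interfaces:
Interface Trusted
------------ -------
Ethernet2/3 Yes
"""

VLAN_PART = re.compile(r"^(\d+)(?:-(\d+))?$")

# Line prefix -> key in the parsed status; value is True for "enabled".
FLAG_PREFIXES = {
    "DHCP snooping service is": "service_enabled",
    "Switch DHCP snooping is": "switch_enabled",
    "Insertion of Option 82 is": "option82_insertion",
    "Verification of MAC address is": "mac_verification",
}


def expand_vlans(text):
    """Expand '1,13,20-22' into {1, 13, 20, 21, 22}; ignore anything else."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        m = VLAN_PART.match(part)
        if m:
            low = int(m.group(1))
            high = int(m.group(2) or low)
            vlans.update(range(low, high + 1))
    return vlans


def parse_snooping_status(output):
    """Parse `show ip dhcp snooping` output into a dict."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    status = {key: None for key in FLAG_PREFIXES.values()}
    status.update(configured_vlans=set(), operational_vlans=set(),
                  trusted_interfaces=[])
    for idx, line in enumerate(lines):
        # The VLAN list sits on the line after its heading; if the list is
        # empty the next line is another heading and expands to an empty set.
        following = lines[idx + 1] if idx + 1 < len(lines) else ""
        for prefix, key in FLAG_PREFIXES.items():
            if line.startswith(prefix):
                status[key] = line.endswith("enabled")
        if line.startswith("DHCP snooping is configured on the following"):
            status["configured_vlans"] = expand_vlans(following)
        elif line.startswith("DHCP snooping is operational on the following"):
            status["operational_vlans"] = expand_vlans(following)
        row = re.match(r"^(\S+)\s+(Yes|No)$", line)
        if row and row.group(2) == "Yes":
            status["trusted_interfaces"].append(row.group(1))
    return status


def review(status):
    """Return human-readable findings for a parsed status."""
    findings = []
    if status["service_enabled"] is False or status["switch_enabled"] is False:
        findings.append("DHCP snooping is not enabled on the switch")
    inactive = sorted(status["configured_vlans"] - status["operational_vlans"])
    if inactive:
        findings.append("snooping configured but not operational on VLANs: "
                        + ",".join(str(v) for v in inactive))
    if status["mac_verification"] is False:
        findings.append("MAC address verification is disabled")
    if status["trusted_interfaces"]:
        findings.append("confirm trusted ports face DHCP servers or uplinks: "
                        + ", ".join(status["trusted_interfaces"]))
    return findings


if __name__ == "__main__":
    for finding in review(parse_snooping_status(SAMPLE_OUTPUT)):
        print(finding)
```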
To display IP-to-MAC address bindings for all interfaces or a specific interface, use the show ip dhcp snooping binding command.
show ip dhcp snooping binding [IP-address] [MAC-address] [interface ethernet slot/port] [vlan vlan-id]
show ip dhcp snooping binding [dynamic]
show ip dhcp snooping binding [static]
None
Any command mode
|
|
5.0(2)N2(1) |
This command was introduced. |
The binding interface includes static IP source entries. Static entries appear with the term "static" in the Type column.
This example shows how to show all bindings:
switch# show ip dhcp snooping binding
MacAddress IpAddress LeaseSec Type VLAN Interface
----------------- --------------- -------- ---------- ---- -------------
0f:00:60:b3:23:33 10.3.2.2 infinite static 13 Ethernet2/46
0f:00:60:b3:23:35 10.2.2.2 infinite static 100 Ethernet2/10
switch#
To display Dynamic Host Configuration Protocol (DHCP) snooping statistics, use the show ip dhcp snooping statistics command.
show ip dhcp snooping statistics
This command has no arguments or keywords.
None
Any command mode
|
|
5.0(2)N2(1) |
This command was introduced. |
This example shows how to display DHCP snooping statistics:
switch# show ip dhcp snooping statistics
Packets processed 61343
Packets received through cfsoe 0
Packets forwarded 0
Packets forwarded on cfsoe 0
Total packets dropped 61343
Packets dropped from untrusted ports 0
Packets dropped due to MAC address check failure 0
Packets dropped due to Option 82 insertion failure 0
Packets dropped due to o/p intf unknown 0
Packets dropped which were unknown 0
Packets dropped due to dhcp relay not enabled 0
Packets dropped due to no binding entry 0
Packets dropped due to interface error/no interface 61343
Packets dropped due to max hops exceeded 0
switch#
To display all IPv6 access control lists (ACLs) or a specific IPv6 ACL, use the show ipv6 access-lists command.
show ipv6 access-lists [access-list-name] [expanded | summary]
None
EXEC mode
|
|
4.0(0)N1(1a) |
This command was introduced. |
The device shows all IPv6 ACLs, unless you use the access-list-name argument to specify an ACL.
The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following:
• Whether per-entry statistics is configured for the ACL.
• The number of rules in the ACL configuration. This number does not reflect how many entries the ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules.
• The interfaces that the ACL is applied to.
• The interfaces that the ACL is active on.
The show ipv6 access-lists command displays statistics for each entry in an ACL if the following conditions are both true:
• The ACL configuration contains the statistics per-entry command.
• The ACL is applied to an interface that is administratively up.
This example shows how to display all IPv6 ACLs on a switch:
switch# show ipv6 access-lists
|
|
---|---|
ipv6 access-list |
Configures an IPv6 ACL. |
To display the IP Source Guard-enabled interfaces and the IP-to-MAC address bindings, use the show ip verify source command.
show ip verify source [interface {ethernet slot/port | port-channel channel-number}]
None
Any command mode
|
|
5.0(3)N1(1) |
This command was introduced. |
This example shows how to display the IP Source Guard-enabled interfaces and the IP-to-MAC address bindings on the switch:
switch# show ip verify source
IP source guard is enabled on the following interfaces:
------------------------------------------------------
Ethernet1/2
Ethernet1/5
IP source guard operational entries:
-----------------------------------
Interface Filter-mode IP-address Mac-address Vlan
------------ ----------- ---------- -------------- ----
Ethernet1/2 inactive-no-snoop-vlan
Ethernet1/5 inactive-no-snoop-vlan
switch#
To display all Media Access Control (MAC) access control lists (ACLs) or a specific MAC ACL, use the show mac access-lists command.
show mac access-lists [access-list-name]
access-list-name |
(Optional) Name of a MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
The switch shows all MAC ACLs unless you use the access-list-name argument to specify an ACL.
EXEC mode
|
|
4.0(0)N1(1a) |
This command was introduced. |
This example shows how to display all MAC ACLs on the switch:
switch# show mac access-lists
MAC access list acl-mac
10 permit any any
MAC access list test
statistics per-entry
10 deny 0000.1111.2222 0000.0000.0000 0000.1111.3333 ffff.0000.0000
switch#
|
|
---|---|
mac access-list |
Configures a MAC ACL. |
show access-lists |
Displays all ACLs or a specific ACL. |
show ip access-lists |
Displays all IPv4 ACLs or a specific IPv4 ACL. |
To show the current privilege level, username, and status of cumulative privilege support, use the show privilege command.
show privilege
This command has no arguments or keywords.
None
EXEC mode
|
|
---|---|
5.0(2)N1(1) |
This command was introduced. |
When the feature privilege command is enabled, privilege roles inherit the permissions of lower level privilege roles.
This example shows how to view the current privilege level, username, and status of cumulative privilege support:
switch# show privilege
User name: admin
Current privilege level: -1
Feature privilege: Enabled
switch#
To display RADIUS server information, use the show radius-server command.
show radius-server [hostname | ipv4-address | ipv6-address] [directed-request | groups [group-name] | sorted | statistics hostname | ipv4-address | ipv6-address]
Displays the global RADIUS server configuration.
EXEC mode
|
|
4.0(0)N1(1a) |
This command was introduced. |
RADIUS preshared keys are not visible in the show radius-server command output. Use the show running-config radius command to display the RADIUS preshared keys.
This example shows how to display information for all RADIUS servers:
switch# show radius-server
retransmission count:1
timeout value:5
deadtime value:0
source interface:any available
total number of servers:1
following RADIUS servers are configured:
192.168.1.1:
available for authentication on port:1812
available for accounting on port:1813
RADIUS shared secret:********
switch#
This example shows how to display information for a specified RADIUS server:
switch# show radius-server 192.168.1.1
192.168.1.1:
available for authentication on port:1812
available for accounting on port:1813
RADIUS shared secret:********
idle time:0
test user:test
test password:********
switch#
This example shows how to display the RADIUS directed request configuration:
switch# show radius-server directed-request
disabled
switch#
This example shows how to display information for RADIUS server groups:
switch# show radius-server groups
total number of groups:2
following RADIUS server groups are configured:
group radius:
server: all configured radius servers
deadtime is 0
group RadServer:
server: 192.168.1.1 on auth-port 1812, acct-port 1813
deadtime is 0
switch#
This example shows how to display information for a specified RADIUS server group:
switch# show radius-server groups RadServer
group RadServer:
server: 10.193.128.5 on auth-port 1812, acct-port 1813
deadtime is 0
switch#
This example shows how to display sorted information for all RADIUS servers:
switch# show radius-server sorted
timeout value:5
retransmission count:1
deadtime value:0
source interface:any available
total number of servers:1
following RADIUS servers are configured:
192.168.1.1:
available for authentication on port:1812
available for accounting on port:1813
RADIUS shared secret:********
switch#
This example shows how to display statistics for a specified RADIUS server:
switch# show radius-server statistics 192.168.1.1
Server is not monitored
Authentication Statistics
failed transactions: 0
sucessfull transactions: 0
requests sent: 0
requests timed out: 0
responses with no matching requests: 0
responses not processed: 0
responses containing errors: 0
Accounting Statistics
failed transactions: 0
sucessfull transactions: 0
requests sent: 0
requests timed out: 0
responses with no matching requests: 0
responses not processed: 0
responses containing errors: 0
switch#
|
|
---|---|
show running-config radius |
Displays the RADIUS information in the running configuration file. |
To display the user role configuration, use the show role command.
show role [name role-name]
name role-name |
(Optional) Displays information for a specific user role name. |
Displays information for all user roles.
EXEC mode
|
|
4.0(0)N1(1a) |
This command was introduced. |
This example shows how to display information for a specific user role:
switch# show role name MyRole
Role: MyRole
Description: new role
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 deny command pwd
switch#
This example shows how to display information for all user roles:
switch# show role
In Cisco NX-OS Release 5.0(2)N1(1), the following output is displayed:
switch# show role
Role: network-admin
Description: Predefined network admin role has access to all commands
on the switch
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write
Role: network-operator
Description: Predefined network operator role has access to all read
commands on the switch
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read
Role: vdc-admin
Description: Predefined vdc admin role has access to all commands within
a VDC instance
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write
Role: vdc-operator
Description: Predefined vdc operator role has access to all read commands
within a VDC instance
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read
Role: priv-14
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write
Role: priv-13
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-12
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-11
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-10
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-9
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-8
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-7
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-6
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-5
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-4
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-3
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-2
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-1
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
Role: priv-0
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
10 permit command traceroute6 *
9 permit command traceroute *
8 permit command telnet6 *
7 permit command telnet *
6 permit command ping6 *
5 permit command ping *
4 permit command ssh6 *
3 permit command ssh *
2 permit command enable *
Role: default-role
Description: This is a system defined role and applies to all users.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
5 permit command feature environment
4 permit command feature hardware
3 permit command feature module
2 permit command feature snmp
1 permit command feature system
Role: priv-15
Description: This is a system defined privilege role.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit read-write
Role: MyRole
Description: new role
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 deny command pwd
switch#
|
|
---|---|
role name |
Configures user roles. |
To display the user role features, use the show role feature command.
show role feature [detail | name feature-name]
Displays a list of user role feature names.
EXEC mode
|
|
4.0(0)N1(1a) |
This command was introduced. |
This example shows how to display the user role features:
switch# show role feature
In Cisco NX-OS Release 5.0(2)N1(1), the following output is displayed:
aaa (AAA service related commands)
arp (ARP protocol related commands)
cdp (Cisco Discovery Protocol related commands)
l3vm (Layer 3 virtualization related commands)
ping (Network reachability test commands)
snmp (SNMP related commands)
radius (Radius configuration and show commands)
syslog (Syslog related commands)
tacacs (TACACS configuration and show commands)
install (Software install related commands)
license (License related commands)
callhome (Callhome configuration and show commands)
platform (Platform configuration and show commands)
access-list (IP access list related commands)
svi (Interface VLAN related commands)
vlan (Virtual LAN related commands)
eth-span (Ethernet SPAN related commands)
ethanalyzer (Ethernet Analyzer)
spanning-tree (Spanning Tree protocol related commands)
acl (FC ACL related commands)
sfm (ISCSI flow related commands)
fcns (Fibre Channel Name Server related commands)
fcsp (Fibre Channel Security Protocol related commands)
fdmi (FDMI related commands)
fspf (Fabric Shortest Path First protocol related commands)
rlir (Registered Link Incident Report related commands)
rscn (Registered State Change Notification related commands)
span (SPAN session relate commands)
vsan (VSAN configuration and show commands)
wwnm (WorldWide Name related commands)
zone (Zone related commands)
fcanalyzer (FC analyzer related commands)
switch#
This example shows how to display detailed information about all the user role features:
switch# show role feature detail
In Cisco NX-OS Release 5.0(2)N1(1), the following output is displayed:
aaa (AAA service related commands)
show aaa *
config t ; aaa *
aaa *
clear aaa *
debug aaa *
show accounting *
config t ; accounting *
accounting *
clear accounting *
debug accounting *
arp (ARP protocol related commands)
show ip arp *
config t; ip arp *
clear ip arp *
debug ip arp *
debug-filter ip arp *
cdp (Cisco Discovery Protocol related commands)
show cdp *
config t ; cdp *
cdp *
clear cdp *
debug cdp *
l3vm (Layer 3 virtualization related commands)
show vrf *
config t ; vrf *
routing-context vrf *
ping (Network reachability test commands)
show ping *
config t ; ping *
ping *
clear ping *
debug ping *
show ping6 *
config t ; ping6 *
ping6 *
clear ping6 *
debug ping6 *
show traceroute *
config t ; traceroute *
--More--
switch#
This example shows how to display detailed information for a specific user role feature named arp:
switch# show role feature name arp
In Cisco NX-OS Release 5.0(2)N1(1), this command displays the following output:
arp (ARP protocol related commands)
show ip arp *
config t; ip arp *
clear ip arp *
debug ip arp *
debug-filter ip arp *
switch#
|
|
---|---|
role feature-group |
Configures feature groups for user roles. |
rule |
Configures rules for user roles. |
To display the user role feature groups, use the show role feature-group command.
show role feature-group [detail | name group-name]
detail |
(Optional) Displays detailed information for all feature groups. |
name group-name |
(Optional) Displays detailed information for a specific feature group. |
Displays a list of user role feature groups.
EXEC mode
|
|
4.0(0)N1(1a) |
This command was introduced. |
This example shows how to display the user role feature groups:
switch# show role feature-group
This example shows how to display detailed information about all the user role feature groups:
switch# show role feature-group detail
This example shows how to display information for a specific user role feature group:
switch# show role feature-group name SecGroup
|
|
---|---|
role feature-group |
Configures feature groups for user roles. |
rule |
Configures rules for user roles. |
To display the log of configuration rollbacks on the switch, use the show rollback log command.
show rollback log {exec | verify}
exec |
Displays the rollback execution log. |
verify |
Displays the rollback verify log. |
None
EXEC mode
|
|
---|---|
5.0(2)N1(1) |
This command was introduced. |
If the rollback log is empty, the following message appears:
ERROR: Log Not Available
This example shows how to display the rollback execution log:
switch# show rollback log exec
--------------------------------------------------------------------------------
time: Mon, 06:16:02 06 Sep 2010
Status: success
--------------------------------------------------------------------------------
time: Mon, 07:58:36 06 Sep 2010
Status: success
--------------------------------------------------------------------------------
time: Mon, 09:48:58 06 Sep 2010
Status: success
switch#
This example shows how to display the rollback verification log:
switch# show rollback log verify
--------------------------------------------------------------------------------
time: Mon, 09:48:56 06 Sep 2010
Status: success
--------------------------------------------------------------------------------
time: Mon, 09:48:58 06 Sep 2010
Status: success
switch#
|
|
---|---|
rollback |
Restores the active configuration to the checkpoint state. |
To display authentication, authorization, and accounting (AAA) configuration information in the running configuration, use the show running-config aaa command.
show running-config aaa [all]
all |
(Optional) Displays configured and default information. |
None
EXEC mode
|
|
4.0(0)N1(1a) |
This command was introduced. |
This example shows how to display the configured AAA information in the running configuration:
switch# show running-config aaa
To display the access control list (ACL) configuration in the running configuration, use the show running-config aclmgr command.
show running-config aclmgr [all]
all |
(Optional) Displays configured and default information. |
None
Any command mode
|
|
---|---|
5.0(2)N1(1) |
This command was introduced. |
This example shows how to display the ACL running configuration:
switch# show running-config aclmgr
!Command: show running-config aclmgr
!Time: Tue Aug 31 05:01:56 2010
version 5.0(2)N1(1)
ip access-list BulkData
10 deny ip any any
ip access-list CriticalData
10 deny ip any any
ip access-list Scavenger
10 deny ip any any
mac access-list acl-mac
10 permit any any
ip access-list denyv4
20 deny ip 10.10.10.0/24 10.20.10.0/24 fragments
30 permit udp 10.10.10.0/24 10.20.10.0/24 lt 400
40 permit icmp any any router-advertisement
60 deny tcp 10.10.10.0/24 10.20.10.0/24 syn
70 permit igmp any any host-report
80 deny tcp any any rst
90 deny tcp any any ack
100 permit tcp any any fin
110 permit tcp any gt 300 any lt 400
130 deny tcp any range 200 300 any lt 600
140 deny tcp any range 200 300 any lt 600
ip access-list dot
statistics per-entry
10 permit ip 20.1.1.1 255.255.255.0 20.10.1.1 255.255.255.0 precedence flash-override
:
<snip>
:
vlan access-map vacl-mac
match mac address acl-mac
action forward
statistics per-entry
vlan filter vacl-mac vlan-list 300
interface Ethernet1/1
ipv6 port traffic-filter denv6 in
interface Ethernet1/2
ip port access-group voice in
interface Ethernet1/9
ipv6 port traffic-filter denv6 in
interface Ethernet1/10
ipv6 port traffic-filter denv6 in
line vty
access-class myACList in
access-class myACList out
ipv6 access-class myI6List out
switch#
This example shows how to display only the VTY running configuration:
switch# show running-config aclmgr | begin vty
line vty
access-class myACList in
access-class myACList out
ipv6 access-class myI6List out
switch#
To display the Address Resolution Protocol (ARP) configuration in the running configuration, use the show running-config arp command.
show running-config arp [all]
all |
(Optional) Displays configured and default information. |
None
Any command mode
|
|
---|---|
5.0(2)N1(1) |
This command was introduced. |
This example shows how to display the ARP configuration:
switch# show running-config arp
!Command: show running-config arp
!Time: Mon Aug 23 07:33:15 2010
version 5.0(2)N1(1)
ip arp timeout 2100
ip arp event-history errors size medium
interface Vlan10
ip arp 10.193.131.37 00C0.4F00.0000
switch#
This example shows how to display the ARP configuration with the default information:
switch# show running-config arp all
!Command: show running-config arp all
!Time: Mon Aug 23 07:33:52 2010
version 5.0(2)N1(1)
ip arp timeout 1500
ip arp event-history cli size small
ip arp event-history snmp size small
ip arp event-history client-errors size small
ip arp event-history client-event size small
ip arp event-history lcache-errors size small
ip arp event-history lcache size small
ip arp event-history errors size small
ip arp event-history ha size small
ip arp event-history event size small
ip arp event-history packet size small
interface Vlan10
ip arp 10.193.131.37 00C0.4F00.0000
ip arp gratuitous update
ip arp gratuitous request
switch#
To display the Dynamic Host Configuration Protocol (DHCP) snooping configuration in the running configuration, use the show running-config dhcp command.
show running-config dhcp [all]
all |
(Optional) Displays configured and default information. |
None
Any command mode
|
|
---|---|
5.0(2)N2(1) |
This command was introduced. |
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
This example shows how to display the DHCP snooping configuration:
switch# show running-config dhcp
!Command: show running-config dhcp
!Time: Mon Aug 23 09:09:11 2010
version 5.0(2)N1(1)
feature dhcp
ip dhcp snooping
ip dhcp snooping information option
service dhcp
ip dhcp relay
ip dhcp relay information option
ip arp inspection filter arp-acl-01 vlan 15,37-48
switch#
This example shows how to display the DHCP snooping configuration with the default information:
switch# show running-config dhcp all
!Command: show running-config dhcp all
!Time: Mon Aug 23 09:10:11 2010
version 5.0(2)N1(1)
feature dhcp
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping verify mac-address
service dhcp
ip dhcp relay
ip dhcp relay information option
no ip dhcp relay sub-option type cisco
no ip dhcp relay information option vpn
no ip arp inspection validate src-mac dst-mac ip
ip arp inspection log-buffer entries 32
no ip dhcp packet strict-validation
interface port-channel23
no ip dhcp snooping trust
no ip arp inspection trust
no ip verify source dhcp-snooping-vlan
interface port-channel67
no ip dhcp snooping trust
no ip arp inspection trust
no ip verify source dhcp-snooping-vlan
interface port-channel150
no ip dhcp snooping trust
no ip arp inspection trust
no ip verify source dhcp-snooping-vlan
interface port-channel400
no ip dhcp snooping trust
no ip arp inspection trust
no ip verify source dhcp-snooping-vlan
<--output truncated-->
switch#
This example shows how to display the DHCP snooping configuration and the IP Source Guard information on a switch that runs Cisco NX-OS Release 5.0(3)N1(1):
switch# show running-config dhcp
!Command: show running-config dhcp
!Time: Sat Apr 19 06:18:33 2008
version 5.0(3)N1(1)
feature dhcp
ip dhcp snooping
ip dhcp snooping information option
interface Ethernet1/2
ip dhcp snooping trust
ip verify source dhcp-snooping-vlan
interface Ethernet1/5
ip verify source dhcp-snooping-vlan
ip source binding 10.0.0.7 002f.23bd.0014 vlan 5 interface Ethernet1/2
ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface Ethernet1/5
switch#
To display RADIUS server information in the running configuration, use the show running-config radius command.
show running-config radius [all]
all |
(Optional) Displays default RADIUS configuration information. |
None
EXEC mode
|
|
4.0(0)N1(1a) |
This command was introduced. |
This example shows how to display information for RADIUS in the running configuration:
switch# show running-config radius
In Cisco NX-OS Release 5.0(2)N1(1), the following output is displayed:
!Command: show running-config radius
!Time: Wed Aug 25 10:25:41 2010
version 5.0(2)N1(1)
radius-server host 192.168.1.1 key 7 "KkwyCet" authentication accounting
aaa group server radius r1
server 192.168.1.1
switch#
|
|
---|---|
show radius-server |
Displays RADIUS information. |
To display user account, Secure Shell (SSH) server, and Telnet server information in the running configuration, use the show running-config security command.
show running-config security [all]
all |
(Optional) Displays default user account, SSH server, and Telnet server configuration information. |
None
EXEC mode
|
|
4.0(0)N1(1a) |
This command was introduced. |
This example shows how to display user account, SSH server, and Telnet server information in the running configuration:
switch# show running-config security
In Cisco NX-OS Release 5.0(2)N1(1), the following output is displayed:
!Command: show running-config security
!Time: Wed Aug 25 10:27:20 2010
version 5.0(2)N1(1)
feature telnet
username admin password 5 $1$eKzwPRms$5QB0PxpkXdp6ZKkME/vSS1 role network-admin
username praveena password 5 $1$9w6ZnM/R$Pg5OfsV/vkOaAGW.f.RyP. role network-operator
username install password 5 ! role network-admin
username user1 password 5 ! role priv-5
no password strength-check
switch#
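The show running-config radius and show running-config security outputs above expose several settings worth checking in a configuration review: the Telnet feature, disabled password strength checking, `$1$` (MD5-crypt) password hashes, and a type 7 RADIUS key, which is a reversible encoding rather than a hash. The Python below is an added example (not part of the Cisco documentation) that flags these lines without echoing any secret; the sample configuration and all names in the code are constructed for illustration.

```python
import re

# Constructed sample in the format shown above. Hash and key values are
# placeholders, not real credentials; 192.0.2.10 is a documentation address.
SAMPLE_CONFIG = """\
!Command: show running-config security
version 5.0(2)N1(1)
feature telnet
username admin password 5 $1$CONSTRUC$TEDplaceholderhash0001 role network-admin
username oper1 password 5 $1$CONSTRUC$TEDplaceholderhash0002 role network-operator
username install password 5 ! role network-admin
no password strength-check
radius-server host 192.0.2.10 key 7 "CONSTRUCTEDKEY" authentication accounting
"""

USER_RE = re.compile(
    r"^username\s+(?P<user>\S+)\s+password\s+(?P<ptype>\d+)\s+(?P<secret>\S+)"
    r"(?:\s+role\s+(?P<role>\S+))?")
RADIUS_RE = re.compile(
    r"^radius-server\s+host\s+(?P<host>\S+)\s+key\s+(?P<ktype>\d+)\s+\S+")

# Roles that the `show role` output on this page lists with a blanket
# "permit read-write" rule.
READ_WRITE_ROLES = {"network-admin", "vdc-admin", "priv-15", "priv-14"}


def audit_config(text):
    """Return findings as dicts; secret values are never copied into them."""
    findings = []

    def add(rule, line_no, detail):
        findings.append({"rule": rule, "line": line_no, "detail": detail})

    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or a '!Command:' / '!Time:' header
        if line == "feature telnet":
            add("telnet-enabled", line_no,
                "Telnet server is enabled; sessions are unencrypted")
        elif line == "no password strength-check":
            add("strength-check-off", line_no,
                "password strength checking is disabled")

        user = USER_RE.match(line)
        if user:
            name = user["user"]
            if user["secret"] == "!":
                add("placeholder-hash", line_no,
                    f"{name}: '!' stored instead of a hash; "
                    "confirm how this account authenticates")
            elif user["secret"].startswith("$1$"):
                add("md5-crypt-hash", line_no,
                    f"{name}: password stored as MD5-crypt ($1$)")
            if user["role"] in READ_WRITE_ROLES:
                add("read-write-role", line_no,
                    f"{name}: holds read-write role {user['role']}")

        radius = RADIUS_RE.match(line)
        if radius and radius["ktype"] == "7":
            add("radius-key-type7", line_no,
                f"shared secret for {radius['host']} is type 7 "
                "(reversible encoding); protect config exports")
        elif radius and radius["ktype"] == "0":
            add("radius-key-cleartext", line_no,
                f"shared secret for {radius['host']} is in cleartext")
    return findings


if __name__ == "__main__":
    for item in audit_config(SAMPLE_CONFIG):
        print(f"line {item['line']}: [{item['rule']}] {item['detail']}")
```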
To display the Secure Shell (SSH) server key, use the show ssh key command.
show ssh key
This command has no arguments or keywords.
None
EXEC mode
|
|
4.0(0)N1(1a) |
This command was introduced. |
This command is available only when SSH is enabled using the ssh server enable command.
This example shows how to display the SSH server key:
switch# show ssh key
In Cisco NX-OS Release 5.0(2)N1(1), the following output is displayed:
**************************************
rsa Keys generated:Mon Aug 2 22:49:27 2010
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0iACA1fHAeIaY6PD5fSBLqGX3MIn+k72qhdvLNib7dL7
8CRQVS1AlQiDDTrvyIfRZ5yHMDQndvcmRfkJzluSCW2FP8vokZ66aXFk8TBTFc5Bn3NUiUyPZyhPtFD2
LaHBCkxl0MxEP+nmPJ6Qf6mBzZVAIdLw8Nd64ZwqVHHjeFc=
bitcount:1024
fingerprint:
bb:bf:a4:c0:22:3b:70:15:e4:2b:2b:bb:08:41:82:d4
**************************************
could not retrieve dsa key information
**************************************
switch#
|
|
---|---|
ssh server key |
Configures the SSH server key. |
To display the Secure Shell (SSH) server status, use the show ssh server command.
show ssh server
This command has no arguments or keywords.
None
EXEC mode
|
|
4.0(0)N1(1a) |
This command was introduced. |
This example shows how to display the SSH server status:
switch# show ssh server
ssh version 2 is enabled
switch#
|
|
---|---|
ssh server enable |
Enables the SSH server. |
To display authentication, authorization, and accounting (AAA) configuration information in the startup configuration, use the show startup-config aaa command.
show startup-config aaa
This command has no arguments or keywords.
None
EXEC mode
|
|
4.0(0)N1(1a) |
This command was introduced. |
This example shows how to display the AAA information in the startup configuration:
switch# show startup-config aaa
|
|
---|---|
show running-config aaa |
Displays AAA configuration information in the running configuration. |
To display the access control list (ACL) configuration in the startup configuration, use the show startup-config aclmgr command.
show startup-config aclmgr [all]
all |
(Optional) Displays configured and default information. |
None
Any command mode
|
|
---|---|
5.0(2)N1(1) |
This command was introduced. |
This example shows how to display the ACL startup configuration:
switch# show startup-config aclmgr
!Command: show startup-config aclmgr
!Time: Tue Aug 31 05:01:58 2010
version 5.0(2)N1(1)
ip access-list BulkData
10 deny ip any any
ip access-list CriticalData
10 deny ip any any
ip access-list Scavenger
10 deny ip any any
mac access-list acl-mac
10 permit any any
ip access-list denyv4
20 deny ip 10.10.10.0/24 10.20.10.0/24 fragments
30 permit udp 10.10.10.0/24 10.20.10.0/24 lt 400
40 permit icmp any any router-advertisement
60 deny tcp 10.10.10.0/24 10.20.10.0/24 syn
70 permit igmp any any host-report
80 deny tcp any any rst
90 deny tcp any any ack
100 permit tcp any any fin
110 permit tcp any gt 300 any lt 400
130 deny tcp any range 200 300 any lt 600
140 deny tcp any range 200 300 any lt 600
:
<snip>
:
vlan access-map vacl-mac
match mac address acl-mac
action forward
statistics per-entry
vlan filter vacl-mac vlan-list 300
interface Ethernet1/1
ipv6 port traffic-filter denv6 in
interface Ethernet1/2
ip port access-group voice in
interface Ethernet1/9
ipv6 port traffic-filter denv6 in
interface Ethernet1/10
ipv6 port traffic-filter denv6 in
line vty
access-class myACList in
access-class myACList out
ipv6 access-class myI6List out
switch#
This example shows how to display only the VTY startup configuration:
switch# show startup-config aclmgr | begin vty
line vty
access-class myACList in
access-class myACList out
ipv6 access-class myI6List out
switch#
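In the ACL listing above, entries 130 and 140 of denyv4 have identical match criteria, so entry 140 can never be the first match. The following Python script is an added example, not Cisco code: it parses `show startup-config aclmgr` output and reports entries that an earlier entry in the same ACL always pre-empts. The audit-demo ACL in the sample is constructed, and the parser assumes the entry syntax shown on this page.

```python
import re

# Sample input: entries 110-140 of denyv4 from the output above, acl-mac from
# the same output, and a constructed ACL (audit-demo) with a catch-all first.
SAMPLE = """\
ip access-list denyv4
  110 permit tcp any gt 300 any lt 400
  130 deny tcp any range 200 300 any lt 600
  140 deny tcp any range 200 300 any lt 600
ip access-list audit-demo
  10 deny ip any any
  20 permit tcp 10.10.10.0/24 any eq 22
mac access-list acl-mac
  10 permit any any
"""

HEADER = re.compile(r"^(ip|ipv6|mac) access-list (\S+)$")
ENTRY = re.compile(r"^(\d+) (permit|deny) (.+)$")
# Match criteria that cover every packet an ACL of that type can see.
CATCH_ALL = {"ip any any", "ipv6 any any", "any any"}

def parse_acls(text):
    """Return {acl_name: [(seq, action, match), ...]} in configuration order."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())  # indentation is not significant here
        if m := HEADER.match(line):
            current = acls.setdefault(m.group(2), [])
        elif (m := ENTRY.match(line)) and current is not None:
            current.append((int(m.group(1)), m.group(2), m.group(3)))
    return acls

def audit_acls(acls):
    """Return (acl, seq, reason) for entries that can never be the first match."""
    findings = []
    for name, entries in acls.items():
        seen, catch_all = {}, None
        for seq, action, match in sorted(entries):  # evaluated in sequence order
            if catch_all is not None:
                findings.append((name, seq, f"unreachable after catch-all entry {catch_all}"))
            elif match in seen:
                findings.append((name, seq, f"same match as entry {seen[match]}"))
            else:
                seen[match] = seq
            if catch_all is None and match in CATCH_ALL:
                catch_all = seq
    return findings
```

The check compares match criteria as text, so it only catches exact duplicates and literal catch-all entries, not partial overlaps between address ranges or port ranges.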
To display the Address Resolution Protocol (ARP) configuration in the startup configuration, use the show startup-config arp command.
show startup-config arp [all]
all | (Optional) Displays configured and default information. |
None
Any command mode
Release | Modification |
---|---|
5.0(2)N1(1) | This command was introduced. |
This example shows how to display the ARP startup configuration:
switch# show startup-config arp
!Command: show running-config arp
!Time: Mon Aug 23 07:33:15 2010
version 5.0(2)N1(1)
ip arp timeout 2100
ip arp event-history errors size medium
interface Vlan10
ip arp 10.193.131.37 00C0.4F00.0000
switch#
To display the Dynamic Host Configuration Protocol (DHCP) snooping configuration in the startup configuration, use the show startup-config dhcp command.
show startup-config dhcp [all]
all | (Optional) Displays configured and default information. |
None
Any command mode
Release | Modification |
---|---|
5.0(2)N2(1) | This command was introduced. |
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
This example shows how to display the DHCP snooping configuration in the startup configuration file:
switch# show startup-config dhcp
!Command: show startup-config dhcp
!Time: Mon Aug 23 09:09:14 2010
version 5.0(2)N1(1)
feature dhcp
ip dhcp snooping
ip dhcp snooping information option
service dhcp
ip dhcp relay
ip dhcp relay information option
ip arp inspection filter arp-acl-01 vlan 15,37-48
switch#
To display RADIUS configuration information in the startup configuration, use the show startup-config radius command.
show startup-config radius
This command has no arguments or keywords.
None
EXEC mode
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
This example shows how to display the RADIUS information in the startup configuration:
switch# show startup-config radius
Command | Description |
---|---|
show running-config radius | Displays RADIUS server information in the running configuration. |
To display user account, Secure Shell (SSH) server, and Telnet server configuration information in the startup configuration, use the show startup-config security command.
show startup-config security
This command has no arguments or keywords.
None
EXEC mode
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
This example shows how to display the user account, SSH server, and Telnet server information in the startup configuration:
switch# show startup-config security
Command | Description |
---|---|
show running-config security | Displays user account, Secure Shell (SSH) server, and Telnet server information in the running configuration. |
To display TACACS+ server information, use the show tacacs-server command.
show tacacs-server [hostname | ip4-address | ip6-address] [directed-request | groups | sorted | statistics]
Displays the global TACACS+ server configuration.
EXEC mode
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
TACACS+ preshared keys are not visible in the show tacacs-server command output. Use the show running-config tacacs+ command to display the TACACS+ preshared keys.
You must use the feature tacacs+ command before you can display TACACS+ information.
This example shows how to display information for all TACACS+ servers:
switch# show tacacs-server
This example shows how to display information for a specified TACACS+ server:
switch# show tacacs-server 192.168.2.2
This example shows how to display the TACACS+ directed request configuration:
switch# show tacacs-server directed-request
This example shows how to display information for TACACS+ server groups:
switch# show tacacs-server groups
This example shows how to display information for a specified TACACS+ server group:
switch# show tacacs-server groups TacServer
This example shows how to display sorted information for all TACACS+ servers:
switch# show tacacs-server sorted
This example shows how to display statistics for a specified TACACS+ server:
switch# show tacacs-server statistics 192.168.2.2
Command | Description |
---|---|
show running-config tacacs+ | Displays the TACACS+ information in the running configuration file. |
To display the Telnet server status, use the show telnet server command.
show telnet server
This command has no arguments or keywords.
None
EXEC mode
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
This example shows how to display the Telnet server status:
switch# show telnet server
Command | Description |
---|---|
telnet server enable | Enables the Telnet server. |
To display information about the user accounts on the switch, use the show user-account command.
show user-account [name]
name | (Optional) Information about the specified user account only. |
Displays information about all the user accounts defined on the switch.
EXEC mode
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
This example shows how to display information about all the user accounts defined on the switch:
switch# show user-account
user:admin
this user account has no expiry date
roles:network-admin
user:mable
this user account has no expiry date
roles:network-operator
user:install
this user account has no expiry date
roles:network-admin
no password set. Local login not allowed
Remote login through RADIUS/TACACS+ is possible
user:user1
this user account has no expiry date
roles:priv-5
no password set. Local login not allowed
Remote login through RADIUS/TACACS+ is possible
switch#
This example shows how to display information about a specific user account:
switch# show user-account admin
user:admin
this user account has no expiry date
roles:network-admin
switch#
Command | Description |
---|---|
username | Configures a user account. |
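The `show user-account` output above is regular enough to audit mechanically. The following Python script is an added example, not part of the Cisco documentation: it parses that output into records and lists privileged accounts that can still log in with a local password, and accounts that depend entirely on RADIUS/TACACS+. Treating only network-admin as privileged and splitting multiple roles on whitespace are assumptions.

```python
# Sample input: the `show user-account` output shown above on this page.
SAMPLE = """\
user:admin
this user account has no expiry date
roles:network-admin
user:mable
this user account has no expiry date
roles:network-operator
user:install
this user account has no expiry date
roles:network-admin
no password set. Local login not allowed
Remote login through RADIUS/TACACS+ is possible
user:user1
this user account has no expiry date
roles:priv-5
no password set. Local login not allowed
Remote login through RADIUS/TACACS+ is possible
"""

# Assumption for this audit: roles that grant full control of the switch.
PRIVILEGED_ROLES = {"network-admin"}

def parse_user_accounts(text):
    """Return {user: {"roles": [...], "expires": bool, "local_login": bool}}."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("user:"):
            current = {"roles": [], "expires": True, "local_login": True}
            accounts[line[5:].strip()] = current
        elif current is None:
            continue  # command echo or prompt before the first account
        elif line.startswith("roles:"):
            # Assumption: multiple roles are separated by whitespace.
            current["roles"] = line[6:].split()
        elif "has no expiry date" in line:
            current["expires"] = False
        elif line.startswith("no password set"):
            current["local_login"] = False
    return accounts

def local_privileged(accounts):
    """Privileged accounts that can still log in with a local password."""
    return sorted(u for u, a in accounts.items()
                  if a["local_login"] and PRIVILEGED_ROLES & set(a["roles"]))

def remote_only(accounts):
    """Accounts that exist locally but authenticate only through AAA servers."""
    return sorted(u for u, a in accounts.items() if not a["local_login"])
```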
To display the users currently logged on to the switch, use the show users command.
show users
This command has no arguments or keywords.
None
EXEC mode
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
This example shows how to display all the users currently logged on to the switch:
switch# show users
NAME LINE TIME IDLE PID COMMENT
admin ttyS0 Aug 24 22:19 10:41 4681
admin pts/0 Aug 25 03:39 . 8890 (72.163.177.191) *
switch#
Command | Description |
---|---|
clear user | Logs out a specific user. |
username | Creates and configures a user account. |
To display the contents of the IPv4 access control list (ACL) or MAC ACL associated with a specific VLAN access map, use the show vlan access-list command.
show vlan access-list map-name
map-name | VLAN access list to show. |
None
EXEC mode
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
For the specified VLAN access map, the switch displays the access map name and the contents of the ACL associated with the map.
This example shows how to display the contents of the ACL associated with the specified VLAN access map:
switch# show vlan access-list vlan1map
To display all VLAN access maps or a VLAN access map, use the show vlan access-map command.
show vlan access-map [map-name]
map-name | (Optional) VLAN access map to show. |
The switch shows all VLAN access maps, unless you use the map-name argument to select a specific access map.
EXEC mode
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
For each VLAN access map displayed, the switch shows the access map name, the ACL specified by the match command, and the action specified by the action command.
Use the show vlan filter command to see which VLANs have a VLAN access map applied to them.
This example shows how to display a specific VLAN access map:
switch# show vlan access-map vlan1map
This example shows how to display all VLAN access maps:
switch# show vlan access-map
Vlan access-map vacl-mac
match mac: acl-mac
action: forward
statistics per-entry
switch#
To display information about instances of the vlan filter command, including the VLAN access map and the VLAN IDs affected by the command, use the show vlan filter command.
show vlan filter [access-map map-name | vlan vlan-id]
All instances of VLAN access maps applied to a VLAN are displayed, unless you use the access-map keyword and specify an access map or you use the vlan keyword and specify a VLAN ID.
EXEC mode
Release | Modification |
---|---|
4.0(0)N1(1a) | This command was introduced. |
This example shows how to display all VLAN access map information on the switch:
switch# show vlan filter
vlan map vacl-mac:
Configured on VLANs: 300
switch#