Cisco NX-OS Security Command Reference, Release 4.0
Show Commands

Table of Contents

Show Commands
show aaa accounting
show aaa authentication
show aaa groups
show aaa user default-role
show access-lists
show accounting log
show arp access-lists
show class-map type control-plane
show copp status
show cts
show cts credentials
show cts environment-data
show cts interface
show cts pacs
show cts role-based access-list
show cts role-based enable
show cts role-based policy
show cts role-based sgt-map
show cts sxp
show cts sxp connection
show dot1x
show dot1x all
show dot1x interface ethernet
show eou
show hardware rate-limit
show identity policy
show identity profile
show ip access-lists
show ip arp inspection
show ip arp inspection interface
show ip arp inspection log
show ip arp inspection statistics
show ip arp inspection vlan
show ip device tracking
show ip dhcp snooping
show ip dhcp snooping binding
show ip dhcp snooping statistics
show ip verify source
show key chain
show mac access-lists
show password strength-check
show policy-map type control-plane
show radius-server
show role
show role feature
show role feature-group
show running-config aaa
show running-config copp
show running-config cts
show running-config dhcp
show running-config dot1x
show running-config eou
show running-config port-security
show running-config radius
show running-config security
show running-config tacacs+
show ssh key
show ssh server
show startup-config aaa
show startup-config copp
show startup-config dhcp
show startup-config dot1x
show startup-config eou
show startup-config port-security
show startup-config radius
show startup-config security
show startup-config tacacs+
show tacacs-server
show telnet server
show user-account
show users
show vlan access-list
show vlan access-map
show vlan filter

Show Commands


This chapter describes the Cisco NX-OS security show commands.

show aaa accounting

To display AAA accounting configuration information, use the show aaa accounting command.

show aaa accounting

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
network-operator
vdc-admin
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the configuration of the accounting log:

switch# show aaa accounting
         default: local

show aaa authentication

To display AAA authentication configuration information, use the show aaa authentication command.

show aaa authentication [login error-enable | login mschap]

Syntax Description

login error-enable

(Optional) Displays the authentication login error message enable configuration.

login mschap

(Optional) Displays the authentication login MS-CHAP enable configuration.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
network-operator
vdc-admin
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the configured authentication parameters:

switch# show aaa authentication
         default: local
         console: local
         dot1x: not configured
         eou: not configured

This example shows how to display the authentication-login error-enable configuration:

switch# show aaa authentication login error-enable
disabled

This example shows how to display the authentication-login MSCHAP configuration:

switch# show aaa authentication login mschap
disabled

show aaa groups

To display AAA server group configuration, use the show aaa groups command.

show aaa groups

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
network-operator
vdc-admin
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display AAA group information:

switch# show aaa groups
radius
TacServer

show aaa user default-role

To display the AAA user default role configuration, use the show aaa user default-role command.

show aaa user default-role

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
network-operator
vdc-admin
vdc-operator

Command History

Release   Modification
4.0(3)    This command was introduced.

Usage Guidelines

Use the aaa user default-role command to configure the AAA user default role.

This command does not require a license.

Examples

This example shows how to display the AAA user default role configuration:

switch# show aaa user default-role
enabled

Related Commands

Command                  Description
aaa user default-role    Enables the AAA user default role.

show access-lists

To display all IPv4 and MAC access control lists (ACLs) or a specific ACL, use the show access-lists command.

show access-lists [access-list-name] [expanded | summary]

Syntax Description

access-list-name

(Optional) Name of an ACL, which can be up to 64 alphanumeric, case-sensitive characters.

expanded

(Optional) Displays the contents of the object groups used in the ACL rather than only the names of the object groups.

summary

(Optional) Specifies that the command displays information about the ACL. For more information, see the "Usage Guidelines" section.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
network-operator
vdc-admin
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

The device shows all ACLs unless you use the access-list-name argument to specify an ACL.

The expanded keyword allows you to display the details of object groups used in an ACL rather than only the name of the object groups. For more information about object groups, see the object-group ip address and object-group ip port commands.

The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following:

Whether per-entry statistics are configured for the ACL.

The number of rules in the ACL configuration. This number does not reflect how many entries the ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules.

The interfaces that the ACL is applied to.

The interfaces that the ACL is active on.

The show access-lists command displays statistics for each entry in an ACL if the following conditions are both true:

The ACL configuration contains the statistics per-entry command.

The ACL is applied to an interface that is administratively up.

This command does not require a license.

Examples

This example shows how to use the show access-lists command without specifying an ACL name, on a device that has one IP ACL and one MAC ACL configured:

switch# show access-lists

IP access list ip-v4-filter
        10 permit ip any any
MAC access list mac-filter
        10 permit 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff ip

This example shows how to use the show access-lists command to display an IPv4 ACL named ipv4-RandD-outbound-web, including per-entry statistics for the entries except for the MainLab object group:

switch# show access-lists ipv4-RandD-outbound-web

IP access list ipv4-RandD-outbound-web
        statistics per-entry
        1000 permit ahp any any [match=732]
        1005 permit tcp addrgroup MainLab any eq telnet
        1010 permit tcp any any eq www [match=820421]

This example shows how to use the show access-lists command to display an IPv4 ACL named ipv4-RandD-outbound-web. The expanded keyword causes the contents of the object group from the previous example to appear, including the per-entry statistics:

switch# show access-lists ipv4-RandD-outbound-web expanded

IP access list ipv4-RandD-outbound-web
        statistics per-entry
        1000 permit ahp any any [match=732]
        1005 permit tcp 10.52.34.4/32 any eq telnet [match=5032]
        1005 permit tcp 10.52.34.27/32 any eq telnet [match=433]
        1010 permit tcp any any eq www [match=820421]

This example shows how to use the show access-lists command with the summary keyword to display information about an IPv4 ACL named ipv4-RandD-outbound-web, such as which interfaces the ACL is applied to and active on:

switch# show access-lists ipv4-RandD-outbound-web summary
IPV4 ACL ipv4-RandD-outbound-web

        Statistics enabled
        Total ACEs Configured: 4
        Configured on interfaces:
                Ethernet2/4 - ingress (Router ACL)
        Active on interfaces:
                Ethernet2/4 - ingress (Router ACL)
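The usage guidelines above describe two views of an ACL: the rule listing with its per-entry match counters, and the summary with its configured-on and active-on interface lists. As an added example that is not part of the Cisco reference, the following Python parses both outputs and reports what an access-control review normally wants from them: whether counters are available at all, rules that have never matched, and interfaces where the ACL is configured but not active. The samples are built from the outputs shown above; the [match=0] counter and the Ethernet2/5 line are constructed so that the checks have something to report, and the findings themselves are this example's choice, not something the reference defines.

```python
import re
from typing import List, NamedTuple, Optional

class Ace(NamedTuple):
    seq: int
    action: str
    match: str              # rule text after permit/deny
    hits: Optional[int]     # None when per-entry statistics are not shown

class AclListing(NamedTuple):
    kind: str               # "IP" or "MAC", as printed in the listing header
    name: str
    statistics: bool        # "statistics per-entry" present in the ACL
    aces: List[Ace]

class AclSummary(NamedTuple):
    name: str
    statistics: bool
    total_aces: int
    configured_on: List[str]
    active_on: List[str]

LISTING_HEADER_RE = re.compile(r"^(IP|MAC) access list (\S+)$")
ACE_RE = re.compile(r"^(\d+) (permit|deny) (.*?)(?: \[match=(\d+)\])?$")
# The reference shows the "IPV4 ACL <name>" summary header; other address
# families are assumed here to print the same "<family> ACL <name>" layout.
SUMMARY_HEADER_RE = re.compile(r"^\S+ ACL (\S+)$")

def parse_access_lists(text: str) -> List[AclListing]:
    """Parse "show access-lists" (plain or expanded) output into ACL listings."""
    acls: List[AclListing] = []
    for raw in text.splitlines():
        line = raw.strip()
        header = LISTING_HEADER_RE.match(line)
        if header:
            acls.append(AclListing(header.group(1), header.group(2), False, []))
        elif not acls:
            continue                      # prompt or blank lines before the first ACL
        elif line == "statistics per-entry":
            acls[-1] = acls[-1]._replace(statistics=True)
        else:
            ace = ACE_RE.match(line)
            if ace:
                hits = int(ace.group(4)) if ace.group(4) is not None else None
                acls[-1].aces.append(Ace(int(ace.group(1)), ace.group(2), ace.group(3), hits))
    return acls

def parse_summary(text: str) -> AclSummary:
    """Parse "show access-lists <name> summary" output."""
    name, statistics, total = "", False, 0
    configured: List[str] = []
    active: List[str] = []
    target: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SUMMARY_HEADER_RE.match(line)
        if header:
            name = header.group(1)
        elif line == "Statistics enabled":
            statistics = True
        elif line.startswith("Total ACEs Configured:"):
            total = int(line.split(":", 1)[1])
        elif line == "Configured on interfaces:":
            target = configured
        elif line == "Active on interfaces:":
            target = active
        elif target is not None and " - " in line:
            target.append(line)           # e.g. "Ethernet2/4 - ingress (Router ACL)"
    return AclSummary(name, statistics, total, configured, active)

def review(listing: AclListing, summary: AclSummary) -> List[str]:
    """Findings for one ACL; the checks are this example's, not the reference's."""
    findings: List[str] = []
    if not listing.statistics:
        findings.append(f"{listing.name}: statistics per-entry not configured, hit counts unavailable")
    for ace in listing.aces:
        if ace.hits == 0:
            findings.append(f"{listing.name}: no matches yet for '{ace.seq} {ace.action} {ace.match}'")
    for iface in summary.configured_on:
        if iface not in summary.active_on:
            findings.append(f"{summary.name}: configured but not active on '{iface}'")
    return findings

# Constructed samples based on the reference's outputs; the [match=0] counter and
# the Ethernet2/5 line are invented so that the review checks fire.
LISTING_WITH_STATS = """\
switch# show access-lists ipv4-RandD-outbound-web expanded

IP access list ipv4-RandD-outbound-web
        statistics per-entry
        1000 permit ahp any any [match=732]
        1005 permit tcp 10.52.34.4/32 any eq telnet [match=5032]
        1005 permit tcp 10.52.34.27/32 any eq telnet [match=0]
        1010 permit tcp any any eq www [match=820421]
"""
LISTING_NO_STATS = """\
IP access list ip-v4-filter
        10 permit ip any any
MAC access list mac-filter
        10 permit 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff ip
"""
SUMMARY = """\
IPV4 ACL ipv4-RandD-outbound-web

        Statistics enabled
        Total ACEs Configured: 4
        Configured on interfaces:
                Ethernet2/4 - ingress (Router ACL)
                Ethernet2/5 - ingress (Router ACL)
        Active on interfaces:
                Ethernet2/4 - ingress (Router ACL)
"""

if __name__ == "__main__":
    acl = parse_access_lists(LISTING_WITH_STATS)[0]
    for finding in review(acl, parse_summary(SUMMARY)):
        print(finding)
```

Run against real output, the two parsers take the text of the two commands as captured from the device; an entry without a [match=...] suffix is reported as having no counters rather than as zero hits, because the reference states that counters only appear when statistics per-entry is configured and the ACL is applied to an interface that is administratively up.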

Related Commands

Command                  Description
ip access-list           Configures an IPv4 ACL.
mac access-list          Configures a MAC ACL.
show ip access-lists     Displays all IPv4 ACLs or a specific IPv4 ACL.
show mac access-lists    Displays all MAC ACLs or a specific MAC ACL.

show accounting log

To display the accounting log contents, use the show accounting log command.

show accounting log [size] [start-time year month day HH:MM:SS]

Syntax Description

size

(Optional) Size of the log to display in bytes. The range is from 0 to 250000.

start-time year month day HH:MM:SS

(Optional) Specifies a start time. The year argument is in yyyy format. The month argument is the three-letter English abbreviation of the month name. The day argument range is from 1 to 31. The HH:MM:SS argument is in the standard 24-hour format.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
network-operator
vdc-admin
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to display the entire accounting log:

switch# show accounting log 

Sat Feb 16 10:44:24 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 10:44:25 2008:update:/dev/pts/1_172.28.254.254:admin:show clock
Sat Feb 16 10:45:20 2008:update:/dev/pts/1_172.28.254.254:admin:show logging log
file start-time 2008 Feb 16 10:44:11
Sat Feb 16 10:45:23 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting
log start-time 2008 Feb 16 10:08:57
Sat Feb 16 10:45:24 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 10:45:25 2008:update:/dev/pts/1_172.28.254.254:admin:show clock
Sat Feb 16 10:46:20 2008:update:/dev/pts/1_172.28.254.254:admin:show logging log
file start-time 2008 Feb 16 10:45:11
Sat Feb 16 10:46:22 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting

This example shows how to display 400 bytes of the accounting log:

switch# show accounting log 400

Sat Feb 16 21:15:24 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting log 
start-time 2008 Feb 16 18:31:21
Sat Feb 16 21:15:25 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 21:15:26 2008:update:/dev/pts/1_172.28.254.254:admin:show clock

This example shows how to display the accounting log starting at 16:00:00 on February 16, 2008:

switch(config)# show accounting log start-time 2008 Feb 16 16:00:00

Sat Feb 16 16:00:18 2008:update:/dev/pts/1_172.28.254.254:admin:show logging log file 
start-time 2008 Feb 16 15:59:16
Sat Feb 16 16:00:26 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting log 
start-time 2008 Feb 16 12:05:16
Sat Feb 16 16:00:27 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 16:00:28 2008:update:/dev/pts/1_172.28.254.254:admin:show clock
Sat Feb 16 16:01:18 2008:update:/dev/pts/1_172.28.254.254:admin:show logging log file 
start-time 2008 Feb 16 16:00:16
Sat Feb 16 16:01:26 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting log 
start-time 2008 Feb 16 12:05:16
Sat Feb 16 16:01:27 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 16:01:29 2008:update:/dev/pts/1_172.28.254.254:admin:show clock
Sat Feb 16 16:02:18 2008:update:/dev/pts/1_172.28.254.254:admin:show logging log file 
start-time 2008 Feb 16 16:01:16
Sat Feb 16 16:02:26 2008:update:/dev/pts/1_172.28.254.254:admin:show accounting log 
start-time 2008 Feb 16 12:05:16
Sat Feb 16 16:02:28 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
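Every accounting log entry above has the same layout: a timestamp, the entry type, the terminal and the address it was opened from, the user, and the command that was run. As an added example that is not part of the Cisco reference, the following Python parses show accounting log output (including the wrapped lines that appear in the examples above), applies the same cut-off as the start-time keyword, and lists the entries that are not show commands, which is what a review of who changed what on the device usually looks for. The sample is constructed: the admin lines follow the reference's own output, while the operator1 user, its configuration change and the copy command are invented for the example.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# One entry as printed by "show accounting log":
#   <day> <mon> <dd> <HH:MM:SS> <yyyy>:<type>:<tty>[_<source-ip>]:<user>:<command>
# The source-ip suffix is made optional so that sessions without one still parse.
ENTRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}):"
    r"(?P<kind>[^:]+):(?P<tty>[^:]+?)(?:_(?P<src>[^:]+))?:(?P<user>[^:]+):(?P<cmd>.*)$"
)

class Entry(NamedTuple):
    when: datetime
    kind: str
    tty: str
    source: Optional[str]
    user: str
    command: str

def parse_accounting_log(text: str) -> List[Entry]:
    """Parse "show accounting log" output. A line that does not start with a
    timestamp is a wrapped continuation of the previous entry's command (the
    reference's own examples wrap long commands this way) and is joined to it."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            if entries:
                last = entries[-1]
                entries[-1] = last._replace(command=last.command + " " + line)
            continue  # no entry yet: the CLI prompt line or other preamble
        entries.append(Entry(
            when=datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            kind=m["kind"], tty=m["tty"], source=m["src"],
            user=m["user"], command=m["cmd"].strip()))
    return entries

def parse_start_time(arg: str) -> datetime:
    """Parse the value given to the start-time keyword, e.g. "2008 Feb 16 16:00:00"."""
    return datetime.strptime(arg, "%Y %b %d %H:%M:%S")

def since(entries: List[Entry], start: datetime) -> List[Entry]:
    """Same cut-off the start-time keyword applies: entries at or after start."""
    return [e for e in entries if e.when >= start]

def commands_per_user(entries: List[Entry]) -> Dict[str, int]:
    return dict(Counter(e.user for e in entries))

def non_show_commands(entries: List[Entry]) -> List[Entry]:
    """Entries whose command is not a read-only show command: the ones an audit
    of changes made on the device is interested in."""
    return [e for e in entries if not e.command.startswith("show ")]

# Constructed sample: the admin lines follow the reference's output; the operator1
# lines (a configuration change and a save) are invented for this example.
SAMPLE_LOG = """\
switch# show accounting log
Sat Feb 16 10:44:24 2008:update:/dev/pts/1_172.28.254.254:admin:show system uptime
Sat Feb 16 10:45:20 2008:update:/dev/pts/1_172.28.254.254:admin:show logging log
file start-time 2008 Feb 16 10:44:11
Sat Feb 16 16:00:27 2008:update:/dev/pts/1_172.28.254.254:admin:show clock
Sat Feb 16 16:02:10 2008:update:/dev/pts/2_10.0.0.7:operator1:configure terminal ; interface ethernet 2/4 ; no ip access-group ipv4-RandD-outbound-web in
Sat Feb 16 16:02:44 2008:update:/dev/pts/2_10.0.0.7:operator1:copy running-config startup-config
"""

if __name__ == "__main__":
    entries = parse_accounting_log(SAMPLE_LOG)
    for e in since(entries, parse_start_time("2008 Feb 16 16:00:00")):
        print(e.when, e.user, e.source, e.command)
    print("commands per user:", commands_per_user(entries))
    for e in non_show_commands(entries):
        print("CHANGE:", e.when, e.user, e.command)
```

The continuation handling matters when the output is captured from a terminal that wraps long commands, as the examples above do: without it, the wrapped tail of a command would be dropped and a multi-part configuration command could be misread.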

Related Commands

Command                  Description
clear accounting log     Clears the accounting log.

show arp access-lists

To display all ARP access control lists (ACLs) or a specific ARP ACL, use the show arp access-lists command.

show arp access-lists [access-list-name]

Syntax Description

access-list-name

(Optional) Name of an ARP ACL, which can be up to 64 alphanumeric, case-sensitive characters.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
network-operator
vdc-admin
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

The device shows all ARP ACLs, unless you use the access-list-name argument to specify an ACL.

This command does not require a license.

Examples

This example shows how to use the show arp access-lists command to display all ARP ACLs on a device that has two ARP ACLs:

switch# show arp access-lists

ARP access list arp-permit-all
10 permit ip any mac any
ARP access list arp-lab-subnet
10 permit request ip 10.32.143.0 255.255.255.0 mac any

This example shows how to use the show arp access-lists command to display an ARP ACL named arp-permit-all:

switch# show arp access-lists arp-permit-all

ARP access list arp-permit-all
10 permit ip any mac any

Related Commands

Command                     Description
arp access-list             Configures an ARP ACL.
ip arp inspection filter    Applies an ARP ACL to a VLAN.

show class-map type control-plane

To display control plane class map information, use the show class-map type control-plane command.

show class-map type control-plane [class-map-name]

Syntax Description

class-map-name

(Optional) Name of the control plane class map.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
network-operator
vdc-admin
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

You can use this command only in the default virtual device context (VDC).

This command does not require a license.

Examples

This example shows how to display control plane class map information:

switch# show class-map type control-plane

    class-map type control-plane match-any copp-system-class-critical
      match access-grp name copp-system-acl-arp
      match access-grp name copp-system-acl-msdp

    class-map type control-plane match-any copp-system-class-important
      match access-grp name copp-system-acl-gre
      match access-grp name copp-system-acl-tacas

    class-map type control-plane match-any copp-system-class-normal
      match access-grp name copp-system-acl-icmp
      match redirect dhcp-snoop
      match redirect arp-inspect
      match exception ip option
      match exception ip icmp redirect
      match exception ip icmp unreachable

show copp status

To display the control plane policing (CoPP) configuration status, use the show copp status command.

show copp status

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Supported User Roles

network-admin
vdc-admin
network-operator
vdc-operator

Command History

Release   Modification
4.0(2)    This command was introduced.

Usage Guidelines

You can use this command only in the default virtual device context (VDC).

This command does not require a license.

Examples

This example shows how to display the CoPP configuration status information:

switch# show copp status
Last Config Operation: service-policy input copp-system-policy
Last Config Operation Timestamp: 21:57:58 UTC Jun  4 2008
Last Config Operation Status: Success
Policy-map attached to the control-plane: new-copp-policy

show cts

To display the global Cisco TrustSec configuration, use the show cts command.

show cts

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Supported User Roles

network-admin
vdc-admin
network-operator
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec global configuration:

switch# show cts
CTS Global Configuration
==============================
  CTS support           : enabled
  CTS device identity   : Device1
  CTS caching support   : disabled

  Number of CTS interfaces in
    DOT1X mode : 0
    Manual mode : 0

Related Commands

Command        Description
feature cts    Enables the Cisco TrustSec feature.


show cts credentials

To display the Cisco TrustSec device credentials configuration, use the show cts credentials command.

show cts credentials

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Supported User Roles

network-admin
vdc-admin
network-operator
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec credentials configuration:

switch# show cts credentials
CTS password is defined in keystore, device-id = Device1

Related Commands

Command        Description
feature cts    Enables the Cisco TrustSec feature.


show cts environment-data

To display the global Cisco TrustSec environment data, use the show cts environment-data command.

show cts environment-data

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Supported User Roles

network-admin
vdc-admin
network-operator
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

The NX-OS device downloads the Cisco TrustSec environment data from the ACS after you have configured the Cisco TrustSec credentials for the device and configured authentication, authorization, and accounting (AAA).

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec environment data:

switch# show cts environment-data
CTS Environment Data
==============================
  Current State           : CTS_ENV_DNLD_ST_ENV_DOWNLOAD_DONE
  Last Status             : CTS_ENV_SUCCESS
  Local Device SGT        : 0x0002
  Transport Type          : CTS_ENV_TRANSPORT_DIRECT
  Data loaded from cache  : FALSE
  Env Data Lifetime       : 300 seconds after last update
  Last Update Time        : Sat Jan  5 16:29:52 2008

  Server List             : ACSServerList1
     AID:74656d706f72617279 IP:10.64.65.95 Port:1812

Related Commands

Command        Description
feature cts    Enables the Cisco TrustSec feature.


show cts interface

To display the Cisco TrustSec information for interfaces, use the show cts interface command.

show cts interface {all | ethernet slot/port}

Syntax Description

all

Displays Cisco TrustSec information for all interfaces.

ethernet slot/port

Displays Cisco TrustSec information for the specific interface.


Defaults

None

Command Modes

Any configuration mode

Supported User Roles

network-admin
vdc-admin
network-operator
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec configuration for all interfaces:

switch# show cts interface all
CTS Information for Interface Ethernet2/24:
    CTS is enabled, mode:   CTS_MODE_DOT1X
    IFC state:              CTS_IFC_ST_CTS_OPEN_STATE
    Authentication Status:  CTS_AUTHC_SUCCESS
      Peer Identity:        india1
      Peer is:              CTS Capable
      802.1X role:          CTS_ROLE_AUTH
      Last Re-Authentication:
    Authorization Status:   CTS_AUTHZ_SUCCESS
      PEER SGT:             2
      Peer SGT assignment:  Trusted
      Global policy fallback access list:
    SAP Status:             CTS_SAP_SUCCESS
      Configured pairwise ciphers: GCM_ENCRYPT
      Replay protection: Enabled
      Replay protection mode: Strict
      Selected cipher: GCM_ENCRYPT
      Current receive SPI: sci:1b54c1fbff0000 an:0
      Current transmit SPI: sci:1b54c1fc000000 an:0

CTS Information for Interface Ethernet2/25:
    CTS is enabled, mode:   CTS_MODE_DOT1X
    IFC state:              CTS_IFC_ST_CTS_OPEN_STATE
    Authentication Status:  CTS_AUTHC_SUCCESS
      Peer Identity:        india1
      Peer is:              CTS Capable
      802.1X role:          CTS_ROLE_SUP
      Last Re-Authentication:
    Authorization Status:   CTS_AUTHZ_SUCCESS
      PEER SGT:             2
      Peer SGT assignment:  Trusted
      Global policy fallback access list:
    SAP Status:             CTS_SAP_SUCCESS
      Configured pairwise ciphers: GCM_ENCRYPT
      Replay protection: Enabled
      Replay protection mode: Strict
      Selected cipher: GCM_ENCRYPT
      Current receive SPI: sci:1b54c1fc000000 an:0
      Current transmit SPI: sci:1b54c1fbff0000 an:0

This example shows how to display the Cisco TrustSec configuration for a specific interface:

switch# show cts interface ethernet 2/24
CTS Information for Interface Ethernet2/24:
    CTS is enabled, mode:   CTS_MODE_DOT1X
    IFC state:              CTS_IFC_ST_CTS_OPEN_STATE
    Authentication Status:  CTS_AUTHC_SUCCESS
      Peer Identity:        india1
      Peer is:              CTS Capable
      802.1X role:          CTS_ROLE_AUTH
      Last Re-Authentication:
    Authorization Status:   CTS_AUTHZ_SUCCESS
      PEER SGT:             2
      Peer SGT assignment:  Trusted
      Global policy fallback access list:
    SAP Status:             CTS_SAP_SUCCESS
      Configured pairwise ciphers: GCM_ENCRYPT
      Replay protection: Enabled
      Replay protection mode: Strict
      Selected cipher: GCM_ENCRYPT
      Current receive SPI: sci:1b54c1fbff0000 an:0
      Current transmit SPI: sci:1b54c1fc000000 an:0

Table 1 provides information about the values displayed in the show cts interface command output.

Table 1 show cts interface Command Output Values Descriptions

Value                        Description

Authentication Status Field
CTS_AUTHC_INIT               The authentication engine is in the initial state.
CTS_AUTHC_SUCCESS            The authentication is successful.
CTS_AUTHC_NO_RESPONSE        The Cisco Access Control Server (ACS) cannot be reached. No response was received from the Cisco ACS.
CTS_AUTHC_UNAUTHORIZED       The authentication is in progress.
CTS_AUTHC_SKIPPED_CONFIG     The Cisco TrustSec configuration indicates that the device should skip the authentication process.
CTS_AUTHC_REJECT             The Cisco ACS rejected the authentication request.

Authorization Status Field
CTS_AUTHZ_INIT               The authorization engine is in the initial state.
CTS_AUTHZ_SUCCESS            The authorization was successful.
CTS_AUTHZ_REJECT             The ACS rejected the authorization request.
CTS_AUTHZ_SKIPPED_CONFIG     The Cisco TrustSec configuration indicates that the device should skip the authorization process.
CTS_AUTHZ_POL_ACQ_FAILURE    The authorization policy acquisition failed.
CTS_AUTHZ_HW_FAILURE         The hardware authorization programming failed.
CTS_AUTHZ_RBACL_FAILURE      The security group access control lists (SGACLs) failed to download and install.
CTS_AUTHZ_INCOMPLETE         The authorization is in progress.

SAP Status Field
CTS_SAP_INIT                 The Security Association Protocol (SAP) negotiation is in the initial state.
CTS_SAP_SUCCESS              The SAP negotiation succeeded.
CTS_SAP_FAILURE              The SAP negotiation failed.
CTS_SAP_SKIPPED_CONFIG       The Cisco TrustSec configuration indicates that the device should skip the SAP negotiation.
CTS_SAP_REKEY                The SAP rekey is in progress.
CTS_SAP_INCOMPLETE           The SAP negotiation is in progress.
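Table 1 is what an operator needs in order to read a show cts interface all listing with more than a handful of links. As an added example that is not part of the Cisco reference, the following Python parses that output, checks every interface's Authentication, Authorization and SAP status against the documented values, and sorts each non-success value into failed, pending or skipped-by-configuration so that the interfaces needing attention stand out. The grouping of the values, the replay-protection check and the Ethernet2/26 block (a constructed peer that never answered the Cisco ACS) are this example's assumptions; Ethernet2/24 is the reference's own output.

```python
import re
from typing import Dict, List

# Status values from Table 1, grouped by how an operator should treat them.
# The values are the documented ones; the grouping is this example's.
SUCCESS = {"CTS_AUTHC_SUCCESS", "CTS_AUTHZ_SUCCESS", "CTS_SAP_SUCCESS"}
FAILED = {"CTS_AUTHC_NO_RESPONSE", "CTS_AUTHC_REJECT", "CTS_AUTHZ_REJECT",
          "CTS_AUTHZ_POL_ACQ_FAILURE", "CTS_AUTHZ_HW_FAILURE",
          "CTS_AUTHZ_RBACL_FAILURE", "CTS_SAP_FAILURE"}
PENDING = {"CTS_AUTHC_INIT", "CTS_AUTHC_UNAUTHORIZED", "CTS_AUTHZ_INIT",
           "CTS_AUTHZ_INCOMPLETE", "CTS_SAP_INIT", "CTS_SAP_REKEY", "CTS_SAP_INCOMPLETE"}
SKIPPED = {"CTS_AUTHC_SKIPPED_CONFIG", "CTS_AUTHZ_SKIPPED_CONFIG", "CTS_SAP_SKIPPED_CONFIG"}

INTERFACE_RE = re.compile(r"^CTS Information for Interface (\S+):$")
FIELD_RE = re.compile(r"^([^:]+?):\s*(.*)$")   # "Label:   value"; the value may be empty

def parse_cts_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Map interface name -> {field label: value} from "show cts interface" output."""
    interfaces: Dict[str, Dict[str, str]] = {}
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        head = INTERFACE_RE.match(line)
        if head:
            fields = interfaces.setdefault(head.group(1), {})
        elif fields is None or not line:
            continue                                  # prompt or blank line
        elif line.startswith("CTS is enabled, mode:"):
            fields["mode"] = line.split(":", 1)[1].strip()
        else:
            field = FIELD_RE.match(line)
            if field:
                fields[field.group(1).strip()] = field.group(2).strip()
    return interfaces

def classify(status: str) -> str:
    if status in SUCCESS:
        return "ok"
    if status in FAILED:
        return "failed"
    if status in PENDING:
        return "pending"
    if status in SKIPPED:
        return "skipped"
    return "unknown"

def triage(interfaces: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Per interface, the list of problems; empty when the link is fully established."""
    report: Dict[str, List[str]] = {}
    for name, fields in interfaces.items():
        problems: List[str] = []
        for label in ("Authentication Status", "Authorization Status", "SAP Status"):
            status = fields.get(label, "")
            verdict = classify(status)
            if verdict != "ok":
                problems.append(f"{label} {status or '<missing>'} ({verdict})")
        # Assumption of this example: an established SAP link should have replay protection on.
        if fields.get("SAP Status") in SUCCESS and fields.get("Replay protection") != "Enabled":
            problems.append("Replay protection not enabled")
        report[name] = problems
    return report

# Constructed sample: Ethernet2/24 is the reference's own output; Ethernet2/26 is
# invented to show a peer that never answered the Cisco ACS.
SAMPLE = """\
switch# show cts interface all
CTS Information for Interface Ethernet2/24:
    CTS is enabled, mode:   CTS_MODE_DOT1X
    IFC state:              CTS_IFC_ST_CTS_OPEN_STATE
    Authentication Status:  CTS_AUTHC_SUCCESS
      Peer Identity:        india1
      Peer is:              CTS Capable
      802.1X role:          CTS_ROLE_AUTH
      Last Re-Authentication:
    Authorization Status:   CTS_AUTHZ_SUCCESS
      PEER SGT:             2
      Peer SGT assignment:  Trusted
      Global policy fallback access list:
    SAP Status:             CTS_SAP_SUCCESS
      Configured pairwise ciphers: GCM_ENCRYPT
      Replay protection: Enabled
      Replay protection mode: Strict
      Selected cipher: GCM_ENCRYPT
      Current receive SPI: sci:1b54c1fbff0000 an:0
      Current transmit SPI: sci:1b54c1fc000000 an:0

CTS Information for Interface Ethernet2/26:
    CTS is enabled, mode:   CTS_MODE_DOT1X
    Authentication Status:  CTS_AUTHC_NO_RESPONSE
      Peer Identity:
      Last Re-Authentication:
    Authorization Status:   CTS_AUTHZ_INIT
    SAP Status:             CTS_SAP_INIT
"""

if __name__ == "__main__":
    for name, problems in triage(parse_cts_interfaces(SAMPLE)).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

A value the table does not list is reported as unknown rather than silently accepted, so a newer software release that adds states will show up in the report instead of being treated as healthy.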


Related Commands

Command        Description
feature cts    Enables the Cisco TrustSec feature.


show cts pacs

To display the Cisco TrustSec protected access credentials (PACs) provisioned by EAP-FAST, use the show cts pacs command.

show cts pacs

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Supported User Roles

network-admin
vdc-admin
network-operator
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec PAC information:

switch# show cts pacs
PAC Info :
==============================
  PAC Type            : unknown
  AID                 : 74656d706f72617279
  I-ID                : india1
  AID Info            : ACS Info
  Credential Lifetime : Thu Apr  3 00:36:04 2008

  PAC Opaque          : 0002008300020004000974656d706f7261727900060070000101001d
6321a2a55fa81e05cd705c714bea116907503aab89490b07fcbb2bd455b8d873f21b5b6b403eb1d8
125897d93b94669745cfe1abb0baf01a00b77aacf0bda9fbaf7dcd54528b782d8206a7751afdde42
1ff4a3db6a349c652fea81809fba4f30b1fffb7bfffaf9a6608

Related Commands

Command        Description
feature cts    Enables the Cisco TrustSec feature.


show cts role-based access-list

To display the global Cisco TrustSec security group access control list (SGACL) configuration, use the show cts role-based access-list command.

show cts role-based access-list

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Supported User Roles

network-admin
vdc-admin
network-operator
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec SGACL configuration:

switch# show cts role-based access-list
rbacl:test-3
        deny ip
rbacl:test-1
        deny ip
        deny icmp
        deny tcp src eq 1000 dest eq 2000
        deny udp src range 1000 2000
rbacl:test-2
        permit icmp
        permit igmp
        permit tcp src lt 2000
        permit udp dest gt 4000

Related Commands

Command        Description
feature cts    Enables the Cisco TrustSec feature.


show cts role-based enable

To display the Cisco TrustSec security group access control list (SGACL) enable status for VLANs and Virtual Routing and Forwarding instances (VRFs), use the show cts role-based enable command.

show cts role-based enable

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Supported User Roles

network-admin
vdc-admin
network-operator
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec SGACL enforcement status:

switch# show cts role-based enable

vlan:1
vrf:1
vrf:3

Related Commands

Command        Description
feature cts    Enables the Cisco TrustSec feature.


show cts role-based policy

To display the global Cisco TrustSec security group access control list (SGACL) policies, use the show cts role-based policy command.

show cts role-based policy

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Supported User Roles

network-admin
vdc-admin
network-operator
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec SGACL policies:

switch# show cts role-based policy

sgt:unknown
dgt:unknown     rbacl:test-2
        permit icmp
        permit igmp
        permit tcp src lt 2000
        permit udp dest gt 4000

sgt:1000
dgt:2000        rbacl:test-1
        deny ip
        deny icmp
        deny tcp src eq 1000 dest eq 2000
        deny udp src range 1000 2000

sgt:any
dgt:any rbacl:test-3
        deny ip

Related Commands

Command        Description
feature cts    Enables the Cisco TrustSec feature.


show cts role-based sgt-map

To display the global Cisco TrustSec Security Group Tag (SGT) mapping configuration, use the show cts role-based sgt-map command.

show cts role-based sgt-map

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Supported User Roles

network-admin
vdc-admin
network-operator
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec SGT mapping configuration:

switch# show cts role-based sgt-map
IP ADDRESS              SGT             VRF/VLAN        SGT CONFIGURATION
5.5.5.5                 5               vlan:10         CLI Configured
5.5.5.6                 6               vlan:10         CLI Configured
5.5.5.7                 7               vlan:10         CLI Configured
5.5.5.8                 8               vlan:10         CLI Configured
10.10.10.10             10              vrf:3           CLI Configured
10.10.10.20             20              vrf:3           CLI Configured
10.10.10.30             30              vrf:3           CLI Configured

Related Commands

Command        Description
feature cts    Enables the Cisco TrustSec feature.


show cts sxp

To display the Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP) configuration, use the show cts sxp command.

show cts sxp

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Supported User Roles

network-admin
vdc-admin
network-operator
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to display the Cisco TrustSec SXP configuration:

switch# show cts sxp
CTS SXP Configuration:
SXP enabled
SXP retry timeout:60
SXP reconcile timeout:120

Related Commands

Command        Description
feature cts    Enables the Cisco TrustSec feature.


show cts sxp connection

To display the Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP) connections information, use the show cts sxp connection command.

show cts sxp connection

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Supported User Roles

network-admin
vdc-admin
network-operator
vdc-operator

Command History

Release   Modification
4.0(1)    This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco Trus