Show Commands

This command displays SNMP access group information.

Description

Parameters

group-name

This command displays information for the specified access group.

Output

Security Access Group Output

The following table describes security access group output fields..

Table 9: Show System Security Access Group Output Fields
Label	Description
Group name	The access group name.
Security model	The security model required to access the views configured in this node.
Security level	Specifies the required authentication and privacy levels to access the views configured in this node.
Read view	Specifies the variable of the view to read the MIB objects.
Write view	Specifies the variable of the view to configure the contents of the agent.
Notify view	Specifies the variable of the view to send a trap about MIB objects.

A:ALA-4# show system security access-group

===============================================================================

Access Groups

===============================================================================

group name        security  security  read          write         notify

                  model     level     view          view          view

-------------------------------------------------------------------------------

snmp-ro           snmpv1    none      no-security                 no-security

snmp-ro           snmpv2c   none      no-security                 no-security

snmp-rw           snmpv1    none      no-security   no-security   no-security

snmp-rw           snmpv2c   none      no-security   no-security   no-security

snmp-rwa          snmpv1    none      iso           iso           iso

snmp-rwa          snmpv2c   none      iso           iso           iso

snmp-trap         snmpv1    none                                  iso

snmp-trap         snmpv2c   none                                  iso

===============================================================================

A:ALA-7#

authentication

Syntax

authentication [statistics]

Context

This command displays system login authentication configuration and statistics.

Description

Parameters

Appends login and accounting statistics to the display.

Output

Authentication Output

The following table describes system security authentication output fields.

Table 10: Show System Security Authentication Output Fields
Label	Description
Sequence	The sequence in which authentication is processed.
Server address	The IP address of the RADIUS server.
Status	Current status of the RADIUS server.
Type	The authentication type.
Timeout (secs)	The number of seconds the router waits for a response from a RADIUS server.
Single connection	Enabled Specifies a single connection to the TACACS+ server and validates everything via that connection.
Single connection	Disabled The TACACS+ protocol operation is disabled.
Retry count	Displays the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.
Connection errors	Displays the number of times a user has attempted to login irrespective of whether the login succeeded or failed.
Accepted logins	The number of times the user has successfully logged in.
Rejected logins	The number of unsuccessful login attempts.
Sent packets	The number of packets sent.
Rejected packets	The number of packets rejected.

A:ALA-4# show system security authentication

===============================================================================

Authentication                  sequence : radius tacplus local

===============================================================================

server address   status  type    timeout(secs)  single connection  retry count

-------------------------------------------------------------------------------

10.10.10.103     up      radius  5              n/a                5

10.10.0.1        up      radius  5              n/a                5

10.10.0.2        up      radius  5              n/a                5

10.10.0.3        up      radius  5              n/a                5

-------------------------------------------------------------------------------

radius admin status  : down

tacplus admin status : up

health check         : enabled

-------------------------------------------------------------------------------

No. of Servers: 4

===============================================================================

A:ALA-4#

A:ALA-7>show>system>security# authentication statistics

===============================================================================

Authentication                  sequence : radius tacplus local

===============================================================================

server address   status  type    timeout(secs)  single connection  retry count

-------------------------------------------------------------------------------

10.10.10.103     up      radius  5              n/a                5

10.10.0.1        up      radius  5              n/a                5

10.10.0.2        up      radius  5              n/a                5

10.10.0.3        up      radius  5              n/a                5

-------------------------------------------------------------------------------

radius admin status  : down

tacplus admin status : up

health check         : enabled

-------------------------------------------------------------------------------

No. of Servers: 4

===============================================================================

Login Statistics

===============================================================================

server address      connection errors   accepted logins     rejected logins

-------------------------------------------------------------------------------

10.10.10.103        0                   0                   0

10.10.0.1           0                   0                   0

10.10.0.2           0                   0                   0

10.10.0.3           0                   0                   0

local               n/a                 1                   0

===============================================================================

Authorization Statistics (TACACS+)

===============================================================================

server address      connection errors   sent packets        rejected packets

-------------------------------------------------------------------------------

===============================================================================

Accounting Statistics

===============================================================================

server address      connection errors   sent packets        rejected packets

-------------------------------------------------------------------------------

10.10.10.103        0                   0                   0

10.10.0.1           0                   0                   0

10.10.0.2           0                   0                   0

10.10.0.3           0                   0                   0

===============================================================================

A:ALA-7#

*A:Dut-C# show system security authentication statistics

==============================================================================

Authentication                  sequence : radius tacplus local

==============================================================================

type                               status  timeout     single      retry

   server address                          (secs)      conn        count

------------------------------------------------------------------------------

------------------------------------------------------------------------------

health check         : enabled (interval 30)

===============================================================================

Login Statistics

===============================================================================

server address                                       conn   accepted  rejected

                                                     errors logins    logins

-------------------------------------------------------------------------------

local                                                n/a    4         0

===============================================================================

Authorization Statistics (TACACS+)

===============================================================================

server address                                       conn   sent      rejected

                                                     errors pkts      pkts

-------------------------------------------------------------------------------

===============================================================================

Accounting Statistics

===============================================================================

server address                                       conn   sent      rejected

                                                     errors pkts      pkts

-------------------------------------------------------------------------------

==============================================================================

communities

Syntax

communities

Context

This command displays SNMP communities.

Description

Output

Communities Output

The following table describes community output fields.

Table 11: Show Communities Output Fields
Label	Description
Community	The community string name for SNMPv1 and SNMPv2c access only.
Access	r The community string allows read-only access.
	rw The community string allows read-write access.
	rwa The community string allows read-write access.
	mgmt The unique SNMP community string assigned to the management router.
View	The view name.
Version	The SNMP version.
Group Name	The access group name.
No of Communities	The total number of configured community strings.

A:ALA-48# show system security communities

=============================================================================

Communities

=============================================================================

community           access  view                version   group name

-----------------------------------------------------------------------------

cli-readonly        r       iso                 v2c       cli-readonly

cli-readwrite       rw      iso                 v2c       cli-readwrite

public              r       no-security         v1 v2c    snmp-ro

-----------------------------------------------------------------------------

No. of Communities: 3

=============================================================================

A:ALA-48#

cpm-filter

Syntax

cpm-filter

Context

This command displays CPM filters.

Description

ip-filter

Syntax

ip-filter [entry entry-id]

Context

show>system>security>cpm-filter

Description

This command displays CPM IP filters.

Parameters

entry entry-id

Identifies a CPM filter entry as configured on this system.

Values

The following table describes CPM IP filter output fields..

Output

CPM Filter Output

Table 12: Show CPM IP Filter Output Fields
Label	Description
Entry-Id	Displays information about the specified management access filter entry
Dropped	Displays the number of dropped events.
Forwarded	Displays the number of forwarded events.
Description	Displays the CPM filter description.
Log ID	Displays the log ID where matched packets will be logged.
Src IP	Displays the source IP address(/netmask or prefix-list)
Dest. IP	Displays the destination IP address(/netmask).
Src Port	Displays the source port number (range).
Dest. Port	Displays the destination port number (range).
Protocol	Displays the Protocol field in the IP header.
Dscp	Displays the DSCP field in the IP header.
Fragment	Displays the 3-bit fragment flags or 13-bit fragment offset field.
ICMP Type	Displays the ICMP type field in the ICMP header.
ICMP Code	Displays the ICMP code field in the ICMP header.
TCP-syn	Displays the SYN flag in the TCP header.
TCP-ack	Displays the ACK flag in the TCP header
Match action	When the criteria matches, displays drop or forward packet.
Next Hop	In case match action is forward, indicates destination of the matched packet.
Dropped pkts	Indicates number of matched dropped packets
Forwarded pkts	Indicates number of matched forwarded packets.

show>system>security>cpm-filter

A:ALA-35# show system security cpm-filter ip-filter

===============================================================================

CPM IP Filters

===============================================================================

Entry-Id  Dropped   Forwarded Description

-------------------------------------------------------------------------------

101       25880     0         CPM-Filter 10.4.101.2 #101

102       25880     0         CPM-Filter 10.4.102.2 #102

103       25880     0         CPM-Filter 10.4.103.2 #103

104       25882     0         CPM-Filter 10.4.104.2 #104

105       25926     0         CPM-Filter 10.4.105.2 #105

106       25926     0         CPM-Filter 10.4.106.2 #106

107       25944     0         CPM-Filter 10.4.107.2 #107

108       25950     0         CPM-Filter 10.4.108.2 #108

109       25968     0         CPM-Filter 10.4.109.2 #109

110       25984     0         CPM-Filter 10.4.110.2 #110

111       26000     0         CPM-Filter 10.4.111.2 #111

112       26018     0         CPM-Filter 10.4.112.2 #112

113       26034     0         CPM-Filter 10.4.113.2 #113

114       26050     0         CPM-Filter 10.4.114.2 #114

115       26066     0         CPM-Filter 10.4.115.2 #115

116       26084     0         CPM-Filter 10.4.116.2 #116

===============================================================================

A:ALA-35#

A:ALA-35# show system security cpm-filter ip-filter entry 101

===============================================================================

CPM IP Filter Entry

===============================================================================

Entry Id           : 101

Description : CPM-Filter 10.4.101.2 #101

-------------------------------------------------------------------------------

Filter Entry Match Criteria :

-------------------------------------------------------------------------------

Log Id             : n/a

Src. IP            : 10.4.101.2/32      Src. Port          : 0

Dest. IP           : 10.4.101.1/32      Dest. Port         : 0

Protocol           : 6                  Dscp               : ef

ICMP Type          : Undefined          ICMP Code          : Undefined

Fragment           : True               Option-present     : Off

IP-Option          : 130/255            Multiple Option    : True

TCP-syn            : Off                TCP-ack            : True

Match action       : Drop

===============================================================================

A:ALA-35#

ipv6-filter

Syntax

ip-filter [entry entry-id]

Context

Description

Displays CPM IPv6 filters.

Parameters

entry entry-id

Identifies a CPM IPv6 filter entry as configured on this system.

Values

The following table describes CPM IPv6 filter output fields..

Output

CPM Filter Output

Table 13: Show CPM IPv6 Filter Output Fields
Label	Description
Entry-Id	Displays information about the specified management access filter entry
Dropped	Displays the number of dropped events.
Forwarded	Displays the number of forwarded events.
Description	Displays the CPM filter description.
Log ID	Log Id where matched packets will be logged.
Src IP	Displays Source IP address(/netmask)
Dest. IP	Displays Destination IP address(/netmask).
Src Port	Displays Source Port Number (range).
Dest. Port	Displays Destination Port Number (range).
next-header	Displays next-header field in the IPv6 header.
Dscp	Displays Traffic Class field in the IPv6 header.
ICMP Type	Displays ICMP type field in the icmp header.
ICMP Code	Displays ICMP code field in the icmp header.
TCP-syn	Displays the SYN flag in the TCP header.
TCP-ack	Displays the ACK flag in the TCP header
Match action	When criteria matches, displays drop or forward packet.
Next Hop	In case match action is forward, indicates destination of the matched packet.
Dropped pkts	Indicating number of matched dropped packets
Forwarded pkts	Indicating number of matched forwarded packets.

A:ALA-35# show system security cpm-filter ipv6-filter

===============================================================================

CPM IPv6 Filters

===============================================================================

Entry-Id Dropped Forwarded Description

-------------------------------------------------------------------------------

101      25880   0         CPM-Filter 11::101:2 #101

102      25880   0         CPM-Filter 11::102:2 #102

103      25880   0         CPM-Filter 11::103:2 #103

104      25880   0         CPM-Filter 11::104:2 #104

105      25880   0         CPM-Filter 11::105:2 #105

106      25880   0         CPM-Filter 11::106:2 #106

107      25880   0         CPM-Filter 11::107:2 #107

108      25880   0         CPM-Filter 11::108:2 #108

109      25880   0         CPM-Filter 11::109:2 #109

===============================================================================

A:ALA-35#

A:ALA-35# show system security cpm-filter ipv6-filter entry 101

===============================================================================

CPM IPv6 Filter Entry

===============================================================================

Entry Id : 1

Description : CPM-Filter 11::101:2 #101

-------------------------------------------------------------------------------

Filter Entry Match Criteria :

-------------------------------------------------------------------------------

Log Id : n/a

Src. IP : 11::101:2       Src. Port : 0

Dest. IP : 11::101:1      Dest. Port : 0

next-header : none        Dscp : Undefined

ICMP Type : Undefined     ICMP Code : Undefined

TCP-syn : Off             TCP-ack : Off

Match action : Drop

Dropped pkts : 25880      Forwarded pkts : 0

===============================================================================

A:ALA-35#

cpm-queue

Syntax

cpm-queue queue-id

Context

Specifies an integer value that identifies a CPM queue.

Description

Displays CPM queues.

Parameters

queue-id

Values

0, 33 — 2000

CPM queue Output

The following table describes CPM queue output fields..

Table 14: Show CPM IPv6 Filter Output Fields
Label	Description
PIR	Displays the administrative Peak Information Rate (PIR) for the queue.
CIR	Displays the amount of bandwidth committed to the queue.
CBS	Displays the amount of buffer drawn from the reserved buffer portion of the queue’s buffer pool.
MBS	Displays the maximum queue depth to which a queue can grow.

A:ALA-35# show system security cpm-queue 1001

===============================================================================

CPM Queue Entry

===============================================================================

Queue Id           : 1001

-------------------------------------------------------------------------------

Queue Parameters :

-------------------------------------------------------------------------------

PIR                : 10000000           CIR                : 1000000

CBS                : 4096               MBS                : 8192

===============================================================================

A:ALA-35#

Syntax

Context

This command enables the context to display CPU protection information.

Description

show system security cpu-protection eth-cfm-monitoring

===============================================================================

SAP's where the protection policy Eth-CFM rate limit is exceeded

===============================================================================

SAP-Id                                        Service-Id    Plcy

-------------------------------------------------------------------------------

1/1/1                                         3             100

-------------------------------------------------------------------------------

1 SAP('s) found

===============================================================================

===============================================================================

SDP's where the protection policy Eth-CFM rate limit is exceeded

===============================================================================

SDP-Id            Service-Id    Plcy

-------------------------------------------------------------------------------

1:3               3             100

-------------------------------------------------------------------------------

1 SDP('s) found

===============================================================================

show system security cpu-protection eth-cfm-monitoring service-id 3 sap-id 1/1/1

 ===============================================================================

Flows exceeding the Eth-CFM monitoring rate limit

===============================================================================

Service-Id : 3

SAP-Id     : 1/1/1

Plcy       : 100

-------------------------------------------------------------------------------

Limit  MAC-Address        Level  OpCode

  First-Time            Last-Time             Violation-Periods

-------------------------------------------------------------------------------

0      8c:8c:8c:8c:8c:8c  1      18

  03/21/2009 23:32:29   03/21/2009 23:34:39   4000000019

61234  8d:8d:8d:8d:8d:8d  2      19

  03/21/2009 23:32:39   03/21/2009 23:34:59   4000000020

61234  Aggregated         3      20

  03/21/2009 23:32:49   03/21/2009 23:35:19   4000000021

61234  8f:8f:8f:8f:8f:8f  4      21

  03/21/2009 23:32:59   03/21/2009 23:35:39   4000000022

61234  90:90:90:90:90:90  5      22

  03/21/2009 23:33:09   03/21/2009 23:35:59   4000000023

61234  91:91:91:91:91:91  6      23

  03/21/2009 23:33:19   03/21/2009 23:36:19   4000000024

61234  92:92:92:92:92:92  7      24

  03/21/2009 23:33:29   03/21/2009 23:36:39   4000000025

max    Aggregated         0      25

  03/21/2009 23:33:39   03/21/2009 23:36:59   4000000026

0      94:94:94:94:94:94  1      26

  03/21/2009 23:33:49   03/21/2009 23:37:19   4000000027

-------------------------------------------------------------------------------

9 flows(s) found

===============================================================================

show system security cpu-protection eth-cfm-monitoring service-id 3 sdp-id 1:3

===============================================================================

Flows exceeding the Eth-CFM monitoring rate limit

===============================================================================

Service-Id : 3

SDP-Id     : 1:3

Plcy       : 100

-------------------------------------------------------------------------------

Limit  MAC-Address        Level  OpCode

  First-Time            Last-Time             Violation-Periods

-------------------------------------------------------------------------------

0      8c:8c:8c:8c:8c:8c  1      18

  03/21/2009 23:32:29   03/21/2009 23:34:39   3000000019

61234  8d:8d:8d:8d:8d:8d  2      19

  03/21/2009 23:32:39   03/21/2009 23:34:59   3000000020

61234  Aggregated         3      20

  03/21/2009 23:32:49   03/21/2009 23:35:19   3000000021

61234  8f:8f:8f:8f:8f:8f  4      21

  03/21/2009 23:32:59   03/21/2009 23:35:39   3000000022

61234  90:90:90:90:90:90  5      22

  03/21/2009 23:33:09   03/21/2009 23:35:59   3000000023

61234  91:91:91:91:91:91  6      23

  03/21/2009 23:33:19   03/21/2009 23:36:19   3000000024

61234  92:92:92:92:92:92  7      24

  03/21/2009 23:33:29   03/21/2009 23:36:39   3000000025

max    Aggregated         0      25

  03/21/2009 23:33:39   03/21/2009 23:36:59   3000000026

0      94:94:94:94:94:94  1      26

  03/21/2009 23:33:49   03/21/2009 23:37:19   3000000027

-------------------------------------------------------------------------------

9 flow(s) found

===============================================================================

show system security cpu-protection excessive-sources service-id 3 sdp-id 1:3

===============================================================================

Sources exceeding the per-source rate limit

===============================================================================

Service-Id : 3

SDP-Id     : 1:3

Plcy       : 100

Limit      : 65534

-------------------------------------------------------------------------------

MAC-Address       First-Time          Last-Time           Violation-Periods

-------------------------------------------------------------------------------

00:00:00:00:00:01 03/22/2009 00:41:59 03/22/2009 01:53:39 3000000043

00:00:00:00:00:02 03/22/2009 00:43:39 03/22/2009 01:56:59 3000000044

00:00:00:00:00:03 03/22/2009 00:45:19 03/22/2009 02:00:19 3000000045

00:00:00:00:00:04 03/22/2009 00:46:59 03/22/2009 02:03:39 3000000046

00:00:00:00:00:05 03/22/2009 00:48:39 03/22/2009 02:06:59 3000000047

-------------------------------------------------------------------------------

5 source(s) found

===============================================================================

show system security cpu-protection violators sdp

===============================================================================

SDP's where the protection policy overall rate limit is violated

===============================================================================

SDP-Id           Service-Id

  Plcy Limit First-Time          Last-Time           Violation-Periods

-------------------------------------------------------------------------------

1:1              3

  100  61234 05/01/2010 01:43:53 06/27/2010 22:37:20 3000000007

1:2              3

  255  max   05/01/2010 01:43:55 06/27/2010 22:37:23 3000000008

1:3              3

  100  61234 05/01/2010 01:43:57 06/27/2010 22:37:26 3000000009

1:4              3

  255  max   05/01/2010 01:43:59 06/27/2010 22:37:29 3000000010

1:5              3

  100  61234 05/01/2010 01:44:01 06/27/2010 22:37:32 3000000011

-------------------------------------------------------------------------------

5 SDP('s) found

===============================================================================

show system security cpu-protection excessive-sources

===============================================================================

SAP's where the protection policy per-source rate limit is exceeded

===============================================================================

SAP-Id                                       Service-Id

  Plcy Limit

-------------------------------------------------------------------------------

1/1/1                                        3

  100  65534

-------------------------------------------------------------------------------

1 SAP('s) found

===============================================================================

SDP's where the protection policy per-source rate limit is exceeded

===============================================================================

SDP-Id            Service-Id    Plcy    Limit

-------------------------------------------------------------------------------

1:3               3             100     65534

1:4               3             255     max

1:5               3             100     65534

-------------------------------------------------------------------------------

3 SDP('s) found

===============================================================================

show system security cpu-protection policy association

===============================================================================

Associations for CPU Protection policy 100

===============================================================================

Description : (Not Specified)

SAP associations

-------------------------------------------------------------------------------

Service Id  : 3                         Type   : VPLS

  SAP 1/1/1                                         mac-monitoring

  SAP 1/1/2                                         eth-cfm-monitoring aggr car

  SAP 1/1/3                                         eth-cfm-monitoring

  SAP 1/1/4

-------------------------------------------------------------------------------

Number of SAP's : 4

SDP associations

-------------------------------------------------------------------------------

Service Id  : 3                         Type   : VPLS

  SDP 1:1                eth-cfm-monitoring aggr car

  SDP 1:3                eth-cfm-monitoring aggr

  SDP 1:5                mac-monitoring

  SDP 17407:4123456789   eth-cfm-monitoring car

-------------------------------------------------------------------------------

Number of SDP's : 4

Interface associations

-------------------------------------------------------------------------------

  None

Managed SAP associations

-------------------------------------------------------------------------------

  None

Video-Interface associations

-------------------------------------------------------------------------------

  None

===============================================================================

Associations for CPU Protection policy 254

===============================================================================

Description : Default (Modifiable) CPU-Protection Policy assigned to Access

              Interfaces

SAP associations

-------------------------------------------------------------------------------

  None

SDP associations

-------------------------------------------------------------------------------

  None

Interface associations

-------------------------------------------------------------------------------

Router-Name : Base

  ies6If

Router-Name : vprn7

  vprn7If

-------------------------------------------------------------------------------

Number of interfaces : 2

Managed SAP associations

-------------------------------------------------------------------------------

  None

Video-Interface associations

-------------------------------------------------------------------------------

  None

===============================================================================

Associations for CPU Protection policy 255

===============================================================================

Description : Default (Modifiable) CPU-Protection Policy assigned to Network

              Interfaces

SAP associations

-------------------------------------------------------------------------------

  None

SDP associations

-------------------------------------------------------------------------------

Service Id  : 3                         Type   : VPLS

  SDP 1:2

  SDP 1:4                eth-cfm-monitoring

Service Id  : 6                         Type   : IES

  SDP 1:6

Service Id  : 7                         Type   : VPRN

  SDP 1:7

Service Id  : 9                         Type   : Epipe

  SDP 1:9

Service Id  : 300                       Type   : VPLS

  SDP 1:300

-------------------------------------------------------------------------------

Number of SDP's : 6

Interface associations

-------------------------------------------------------------------------------

Router-Name : Base

  system

-------------------------------------------------------------------------------

Number of interfaces : 1

Managed SAP associations

-------------------------------------------------------------------------------

  None

Video-Interface associations

-------------------------------------------------------------------------------

  None

===============================================================================

show system security cpu-protection policy 100 association

===============================================================================

Associations for CPU Protection policy 100

===============================================================================

Description : (Not Specified)

SAP associations

-------------------------------------------------------------------------------

Service Id  : 3                         Type   : VPLS

  SAP 1/1/1                                         mac-monitoring

  SAP 1/1/2                                         eth-cfm-monitoring aggr car

  SAP 1/1/3                                         eth-cfm-monitoring

  SAP 1/1/4

-------------------------------------------------------------------------------

Number of SAP's : 4

SDP associations

-------------------------------------------------------------------------------

Service Id  : 3                         Type   : VPLS

  SDP 1:1                eth-cfm-monitoring aggr car

  SDP 1:3                eth-cfm-monitoring aggr

  SDP 1:5                mac-monitoring

  SDP 17407:4123456789   eth-cfm-monitoring car

-------------------------------------------------------------------------------

Number of SDP's : 4

Interface associations

-------------------------------------------------------------------------------

  None

Managed SAP associations

-------------------------------------------------------------------------------

  None

Video-Interface associations

-------------------------------------------------------------------------------

  None

===============================================================================

A:bksim130#

show system security cpu-protection violators

 ==============================================================================

Ports where a rate limit is violated

===============================================================================

Port-Id

  Type Limit First-Time          Last-Time           Violation-Periods

-------------------------------------------------------------------------------

No ports found

===============================================================================

===============================================================================

Interfaces where the protection policy overall rate limit is violated

===============================================================================

Interface-Name                               Router-Name

  Plcy Limit First-Time          Last-Time           Violation-Periods

-------------------------------------------------------------------------------

No interfaces found

===============================================================================

===============================================================================

SAP's where the protection policy overall rate limit is violated

===============================================================================

SAP-Id                                       Service-Id

  Plcy Limit First-Time          Last-Time           Violation-Periods

-------------------------------------------------------------------------------

1/1/1                                        3

  100  61234 05/01/2010 01:43:41 06/27/2010 22:37:02 3000000001

-------------------------------------------------------------------------------

1 SAP('s) found

===============================================================================

===============================================================================

SDP's where the protection policy overall rate limit is violated

===============================================================================

SDP-Id           Service-Id

  Plcy Limit First-Time          Last-Time           Violation-Periods

-------------------------------------------------------------------------------

1:1              3

  100  61234 05/01/2010 01:43:41 06/27/2010 22:37:02 3000000001

1:2              3

  255  max   05/01/2010 01:43:43 06/27/2010 22:37:05 3000000002

1:3              3

  100  61234 05/01/2010 01:43:45 06/27/2010 22:37:08 3000000003

1:4              3

  255  max   05/01/2010 01:43:47 06/27/2010 22:37:11 3000000004

1:5              3

  100  61234 05/01/2010 01:43:49 06/27/2010 22:37:14 3000000005

-------------------------------------------------------------------------------

5 SDP('s) found

===============================================================================

===============================================================================

Video clients where the protection policy per-source rate limit is violated

===============================================================================

Client IP Address  Video-Interface                 Service-Id

  Plcy Limit First-Time          Last-Time           Violation-Periods

-------------------------------------------------------------------------------

No clients found

===============================================================================

eth-cfm-monitoring

Syntax

eth-cfm-monitoring [{service-id service-id sap-id sap-id} | {service-id service-id sdp-id sdp-id:vc-id}]

Context

This command displays sources exceeding their eth-cfm-monitoring rate limit.

Description

dist-cpu-protection

Syntax

dist-cpu-protection

Context

This command enables the context to display distributed CPU protection information.

Description

excessive-sources

Syntax

excessive-sources [service-id service-id sap-id sap-id]

Context

This command displays sources exceeding their per-source rate limit.

Description

Parameters

service-id service-id

Displays information for services exceeding their per-source rate limit.

sap-id sap-id

Displays information for SAPs exceeding their per-source rate limit.

policy

Syntax

policy [policy-id] association

Context

show>system>security>dist-cpu-protection

Description

This command displays CPU protection policy information.

Parameters

policy-id

Displays CPU protection policy information for the specified policy ID>

association

This keyword displays policy-id associations.

Syntax

Context

This command display all interfaces with non-zero drop counters.

Description

violators

Syntax

violators [port] [interface] [sap] [video] [sdp]

Context

This command displays all interfaces, ports or SAPs with CPU protection policy violators.

Description

Parameters

port

Displays violators associated with the port.

interface

Displays violators associated with the interface.

sap

Displays violators associated with the SAP.

video

Displays violators associated with the video entity.

sdp

Displays violators associated with the SDP.

show>system>security>cpm-filter

*A:SecuritySR7>config>sys>security>cpu-protection>policy# show system security cpu-protection violators

===============================================================================

Ports where a rate limit is violated

===============================================================================

Port-Id

  Type Limit First-Time          Last-Time           Violation-Periods

-------------------------------------------------------------------------------

No ports found

===============================================================================

===============================================================================

Interfaces where the protection policy overall rate limit is violated

===============================================================================

Interface-Name                               Router-Name

  Plcy Limit First-Time          Last-Time           Violation-Periods

-------------------------------------------------------------------------------

toIxia                                       Base

  255  1000  10/02/2012 18:38:23 10/02/2012 18:39:31 70

-------------------------------------------------------------------------------

1 interface(s) found

===============================================================================

===============================================================================

SAP's where the protection policy overall rate limit is violated

===============================================================================

SAP-Id                                       Service-Id

  Plcy Limit First-Time          Last-Time           Violation-Periods

-------------------------------------------------------------------------------

No SAP's found

===============================================================================

===============================================================================

SDP's where the protection policy overall rate limit is violated

===============================================================================

SDP-Id           Service-Id

  Plcy Limit First-Time          Last-Time           Violation-Periods

-------------------------------------------------------------------------------

No SDP's found

===============================================================================

===============================================================================

Video clients where the protection policy per-source rate limit is violated

===============================================================================

Client IP Address  Video-Interface                 Service-Id

  Plcy Limit First-Time          Last-Time           Violation-Periods

-------------------------------------------------------------------------------

No clients found

===============================================================================

mac-filter

Syntax

mac-filter [entry entry-id]

Context

Description

This command displays CPM MAC filters.

Parameters

entry entry-id

Displays information about the specified entry.

Values

show>system>security>management-access-filter

*B:bksim67# show system security cpm-filter mac-filter

===============================================================================

CPM Mac Filter (applied)

===============================================================================

Entry-Id  Dropped   Forwarded Description

-------------------------------------------------------------------------------

1         23002     47094

-------------------------------------------------------------------------------

Num CPM Mac filter entries: 1

===============================================================================

*B:bksim67#

mac-filter

Syntax

mac-filter [entry entry-id]

Context

Description

This command displays management access MAC filters.

Parameters

entry entry-id

Displays information about the specified entry.

Values

1 — 9999

*B:bksim67# show system security management-access-filter mac-filter

=============================================================================

Mac Management Access Filter

=============================================================================

filter type   : mac

Def. Action   : permit

Admin Status  : enabled (no shutdown)

-------------------------------------------------------------------------------

Entry              : 1                  Action             : deny

FrameType          : ethernet_II        Svc-Id             : Undefined

Src Mac            : Undefined

Dest Mac           : Undefined

Dot1p              : Undefined          Ethertype          : Disabled

DSAP               : Undefined          SSAP               : Undefined

Snap-pid           : Undefined          ESnap-oui-zero     : Undefined

cfm-opcode         : Undefined

Log                : disabled           Matches            : 0

=============================================================================

*B:bksim67#

keychain

Syntax

keychain [key-chain] [detail]

Context

This command displays keychain information.

Description

Parameters

key-chain

Specifies the keychain name to display.

Displays detailed keychain information.

*A:ALA-A# show system security keychain test

===============================================================================

Key chain:test

===============================================================================

TCP-Option number send     : 254                    Admin state   : Up

TCP-Option number receive  : 254                    Oper state    : Up

===============================================================================

*A:ALA-A#

*A:ALA-A#  show system security keychain test detail

===============================================================================

Key chain:test

===============================================================================

TCP-Option number send     : 254                    Admin state   : Up

TCP-Option number receive  : 254                    Oper state    : Up

===============================================================================

Key entries for key chain: test

===============================================================================

Id               : 0

Direction        : send-receive         Algorithm        : hmac-sha-1-96

Admin State      : Up                   Valid            : Yes

Active           : Yes                  Tolerance        : 300

Begin Time       : 2007/02/15 18:28:37  Begin Time (UTC) : 2007/02/15 17:28:37

End Time         : N/A                  End Time (UTC)   : N/A

===============================================================================

Id               : 1

Direction        : send-receive         Algorithm        : aes-128-cmac-96

Admin State      : Up                   Valid            : Yes

Active           : No                   Tolerance        : 300

Begin Time       : 2007/02/15 18:27:57  Begin Time (UTC) : 2007/02/15 17:27:57

End Time         : 2007/02/15 18:28:13  End Time (UTC)   : 2007/02/15 17:28:13

===============================================================================

Id               : 2

Direction        : send-receive         Algorithm        : aes-128-cmac-96

Admin State      : Up                   Valid            : Yes

Active           : No                   Tolerance        : 500

Begin Time       : 2007/02/15 18:28:13  Begin Time (UTC) : 2007/02/15 17:28:13

End Time         : 2007/02/15 18:28:37  End Time (UTC)   : 2007/02/15 17:28:37

===============================================================================

*A:ALA-A#

management-access-filter

Syntax

management-access-filter

Context

This commend displays management access filter information for IP and MAC filters.

Description

ip-filter

Syntax

ip-filter [entry entry-id]

Context

show>system>security>mgmt-access-filter

Description

This command displays management-access IP filters.

Parameters

entry-id

Displays information for the specified entry.

Values

1 — 9999

Output

Management Access Filter Output

The following table describes management access filter output fields.

Table 15: Show Management Access Filter Output Fields
Label	Description
Def. action	Permit Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted.
	Deny Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and that a ICMP host unreachable message will be issued.
	Deny-host-unreachble Specifies that packets not matching the configured selection criteria in the filter entries are denied.
Entry	The entry ID in a policy or filter table.
Description	A text string describing the filter.
Src IP	The source IP address used for management access filter match criteria.
Src interface	The interface name for the nexthop to which the packet should be forwarded if it hits this filter entry.
Dest port	The destination port.
Matches	The number of times a management packet has matched this filter entry.
Protocol	The IP protocol to match.
Action	The action to take for packets that match this filter entry.

*A:Dut-F# show system security management-access-filter ip-filter

=============================================================================

IPv4 Management Access Filter

=============================================================================

filter type:  : ip

Def. Action   : permit

Admin Status  : enabled (no shutdown)

-----------------------------------------------------------------------------

Entry         : 1

Src IP        : 192.168.0.0/16

Src interface : undefined

Dest port     : undefined

Protocol      : undefined

Router        : undefined

Action        : none

Log           : disabled

Matches       : 0

=============================================================================

*A:Dut-F#

ipv6-filter

Syntax

ipv6-filter [entry entry-id]

Context

show>system>security>mgmt-access-filter

Description

This command displays management-access IPv6 filters.

Parameters

entry-id

Specifies the IPv6 filter entry ID to display.

Values

1 — 9999

Output

*A:Dut-C# show system security management-access-filter ipv6-filter entry 1

=============================================================================

IPv6 Management Access Filter

=============================================================================

filter type   : ipv6

Def. Action   : permit

Admin Status  : enabled (no shutdown)

-----------------------------------------------------------------------------

Entry         : 1

Src IP        : 2001::1/128

Flow label    : undefined

Src interface : undefined

Dest port     : undefined

Next-header   : undefined

Router        : undefined

Action        : permit

Log           : enabled

Matches       : 0

=============================================================================

*A:Dut-C# s

password-options

Syntax

password-options

Context

This command displays configured password options.

Description

Output

Password Options Output

The following table describes password options output fields.

Table 16: Show Management Access Filter Output Fields
Label	Description
Password aging in days	Displays the number of days a user password is valid before the user must change their password.
Number of invalid attempts permitted per login	Displays the number of unsuccessful login attempts allowed for the specified time.
Time in minutes per login attempt	Displays the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out.
Lockout period (when threshold breached)	Displays the lockout period in minutes where the user is not allowed to login.
Authentication order	Displays the sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords.
Configured complexity options	Displays the complexity requirements of locally administered passwords, HMAC-MD5-96, HMAC-SHA-96 and DES-keys configured in the authentication section.
Minimum password length	Displays the minimum number of characters required for locally administered passwords, HMAC-MD5-96, HMAC-SHA-96, and DES-keys configured in the system security section.

A:ALA-7# show system security password-options

===============================================================================

Password Options

===============================================================================

Password aging in days                           : none

Number of invalid attempts permitted per login   : 3

Time in minutes per login attempt                : 5

Lockout period (when threshold breached)         : 10

Authentication order                             : radius tacplus local

Configured complexity options                    :

Minimum password length                          : 6

===============================================================================

A:ALA-7#

per-peer-queuing

Syntax

per-peer-queuing

Context

This command enables or disables CPMCFM hardware queuing per peer. TTL security only operates when per-peer-queuing is enabled.

Description

Output

Per-Peer-Queuing Output

The following table describes per-peer-queuing output fields.

Table 17: Show Per-Peer-Queuing Output Fields


Label	Description
Per Peer Queuing	Displays the status (enabled or disabled) of CPM hardware queuing per peer.
Total Num of Queues	Displays the total number of hardware queues.
Num of Queues In Use	Displays the total number of hardware queues in use.

A:ALA-48# show system security per-peer-queuing

=================================================

CPM Hardware Queuing

=================================================

Per Peer Queuing        : Enabled

Total Num of Queues     : 8192

Num of Queues In Use    : 2

=================================================

A:ALA-48# configure

profile

Syntax

profile [user-profile-name]

Context

This command displays user profile information.

Description

If the profile-name is not specified, then information for all profiles are displayed.

Parameters

user-profile-name

Displays information for the specified user profile.

Output

User Profile Output

The following table describes user profile output fields.

Table 18: Show User Profile Output Fields
Label	Description
User Profile	Displays the profile name used to deny or permit user console access to a hierarchical branch or to specific commands.
Def. action	Permit all Permits access to all commands.
	Deny Denies access to all commands.
	None No action is taken.
Entry	The entry ID in a policy or filter table.
Description	Displays the text string describing the entry.
Match Command	Displays the command or subtree commands in subordinate command levels.
Action	Permit all Commands matching the entry command match criteria are permitted.
	Deny Commands not matching the entry command match criteria are not permitted.
No. of profiles	The total number of profiles listed.

A:ALA-7# show system security profile administrative

===============================================================================

User Profile

===============================================================================

User Profile : administrative

Def. Action  : permit-all

-------------------------------------------------------------------------------

Entry        : 10

Description  :

Match Command: configure system security

Action       : permit

-------------------------------------------------------------------------------

Entry        : 20

Description  :

Match Command: show system security

Action       : permit

-------------------------------------------------------------------------------

No. of profiles:

===============================================================================

A:ALA-7#

source-address

Syntax

source-address

Context

This command displays source-address configured for applications.

Description

Output

Source Address Output

The following table describes source address output fields.

Table 19: Show Source Address Output Fields
Label	Description
Application	Displays the source-address application.
IP address Interface Name	Displays the source address IP address or interface name.
Oper status	Up The source address is operationally up.
Oper status	Down The source address is operationally down.

A:SR-7# show system security source-address

===============================================================================

Source-Address applications

===============================================================================

Application         IP address/Interface Name                    Oper status

-------------------------------------------------------------------------------

telnet              10.20.1.7                                    Up

radius              loopback1                                    Up

===============================================================================

A:SR-7#

ssh

Syntax

ssh

Context

This command displays all the SSH sessions as well as the SSH status and fingerprint.

Description

Output

SSH Options Output

The following table describes SSH output fields .


Label	Description
SSH status	SSH is enabled Displays that SSH server is enabled. SSH is disabled Displays that SSH server is disabled.
SSH Preserve Key	Enabled Displays that preserve-key is enabled. Disabled Displays that preserve-key is disabled.
SSH protocol version 1	Enabled Displays that SSH1 is enabled. Disabled Displays that SSH1 is disabled.
SSH protocol version 2	Enabled Displays that SSH2 is enabled. Disabled Displays that SSH2 is disabled.
Key fingerprint	The key fingerprint is the server’s identity. Clients trying to connect to the server verify the server's fingerprint. If the server fingerprint is not known, the client may not continue with the SSH session since the server might be spoofed.
Connection	The IP address of the connected router(s) (remote client).
Encryption	des — Data encryption using a private (secret) key. 3des — An encryption method that allows proprietary information to be transmitted over untrusted networks.
Username	The name of the user.
Number of SSH sessions	The total number of SSH sessions.

Sample output

ALA-7# show system security ssh

SSH is enabled

SSH preserve key: Enabled

SSH protocol version 1: Enabled

RSA host key finger print:c6:a9:57:cb:ee:ec:df:33:1a:cd:d2:ef:3f:b5:46:34

SSH protocol version 2: Enabled

DSA host key finger print:ab:ed:43:6a:75:90:d3:fc:42:59:17:8a:80:10:41:79

=======================================================
Connection 			Encryption 			Username
=======================================================
192.168.5.218 				3des 		admin
-------------------------------------------------------
Number of SSH sessions : 1
=======================================================

ALA-7#

A:ALA-49>config>system>security# show system security ssh

SSH is disabled

A:ALA-49>config>system>security#

user

Syntax

user [user-id] [detail]

user [user-id] lockout

Context

This command displays user registration information.

Description

If no command line options are specified, summary information for all users displays.

Parameters

user-id

Displays information for the specified user.

Default

All users

Displays detailed user information to the summary output.

lockout

Displays information about any users who are currently locked out.

Output

User Output

The following table describes user output fields.


Label	Description
User ID	The name of a system user.
Need new pwd	Y The user must change his password at the next login.
	N The user is not forced to change his password at the next login.
Cannot change pw	Y The user has the ability to change the login password.
	N The user does not have the ability to change the login password.
User permissions	Console Y - The user is authorized for console access. N- The user is not authorized for console access.
	FTP Y - The user is authorized for FTP access. N - The user is not authorized for FTP access.
	SNMP Y - The user is authorized for SNMP access. N - The user is not authorized for SNMP access.
Password expires	The number of days in which the user must change his login password.
Attempted logins	The number of times the user has attempted to login irrespective of whether the login succeeded or failed.
Failed logins	The number of unsuccessful login attempts.
Local conf	Y Password authentication is based on the local password database.
	N Password authentication is not based on the local password database.
Home directory	Specifies the local home directory for the user for both console and FTP access.
Restricted to home	Yes The user is not allowed to navigate to a directory higher in the directory tree on the home directory device.
	No The user is allowed to navigate to a directory higher in the directory tree on the home directory device.
Login exec file	Displays the user’s login exec file which executes whenever the user successfully logs in to a console session.
	profile - the security profile(s) associated with the user
	locked-out - no / yes (time remaining). Indicates the the user is currently locked-out. After the time expires, or the lockout is manually cleared, the user will be able to attempt to log into the node again.
	Remaining Login attempts - number of login attempts remaining until the user will be locked-out
	Remaining Lockout Time - The time until the lockout is automatically cleared and the user can attempt to log into the node again.

*A:Dut-C# show system security user detail

===============================================================================

Users

===============================================================================

User ID           New  User Permissions     Password    Login     Failed  Local

                  Pwd  console ftp li snmp  Expires     Attempts  Logins  Conf

-------------------------------------------------------------------------------

admin             n    y       n   n  n     never       4         0       y

-------------------------------------------------------------------------------

Number of users : 1

===============================================================================

*A:Dut-C# show system security user detail

===============================================================================

User Configuration Detail

===============================================================================

===============================================================================

user id            : admin

-------------------------------------------------------------------------------

console parameters

-------------------------------------------------------------------------------

new pw required    : no                 cannot change pw   : no

home directory     :

restricted to home : no

login exec file    :

profile            : administrative

locked-out         : yes (9:23 remaining)

-------------------------------------------------------------------------------

snmp parameters

-------------------------------------------------------------------------------

===============================================================================

*A:Node234# show system security user lockout

===============================================================================

Currently Failed Login Attempts

===============================================================================

User ID Remaining Login attempts Remaining Lockout Time (min:sec)

-------------------------------------------------------------------------------

jason123 N/A 9:56

-------------------------------------------------------------------------------

Number of users : 1

===============================================================================

view

Syntax

view [view-name] [detail]

Context

This command displays the SNMP MIB views.

Description

Parameters

view-name

Specify the name of the view to display output. If no view name is specified, the complete list of views displays.

Displays detailed view information.

Output

View Output

The following table describes show view output fields.

Table 20: Show View Output Fields


Label	Description
view name	The name of the view. Views control the accessibility of a MIB object within the configured MIB view and subtree.
oid tree	The object identifier of the ASN.1 subtree.
mask	The bit mask that defines a family of view subtrees.
permission	Indicates whether each view is included or excluded
No. of Views	Displays the total number of views.

This command displays certificate information.

A:ALA-48# show system security view

===============================================================================

Views

===============================================================================

view name         oid tree                        mask              permission

-------------------------------------------------------------------------------

iso               1                                                 included

read1             1.1.1.1                         11111111          included

write1            2.2.2.2                         11111111          included

testview          1                               11111111          included

testview          1.3.6.1.2                       11111111          excluded

mgmt-view         1.3.6.1.2.1.2                                     included

mgmt-view         1.3.6.1.2.1.4                                     included

mgmt-view         1.3.6.1.2.1.5                                     included

mgmt-view         1.3.6.1.2.1.6                                     included

mgmt-view         1.3.6.1.2.1.7                                     included

mgmt-view         1.3.6.1.2.1.31                                    included

mgmt-view         1.3.6.1.2.1.77                                    included

mgmt-view         1.3.6.1.4.1.6527.3.1.2.3.7                        included

mgmt-view         1.3.6.1.4.1.6527.3.1.2.3.11                       included

vprn-view         1.3.6.1.2.1.2                                     included

vprn-view         1.3.6.1.2.1.4                                     included

vprn-view         1.3.6.1.2.1.5                                     included

vprn-view         1.3.6.1.2.1.6                                     included

vprn-view         1.3.6.1.2.1.7                                     included

vprn-view         1.3.6.1.2.1.15                                    included

vprn-view         1.3.6.1.2.1.23                                    included

vprn-view         1.3.6.1.2.1.31                                    included

vprn-view         1.3.6.1.2.1.68                                    included

vprn-view         1.3.6.1.2.1.77                                    included

vprn-view         1.3.6.1.4.1.6527.3.1.2.3.7                        included

vprn-view         1.3.6.1.4.1.6527.3.1.2.3.11                       included

vprn-view         1.3.6.1.4.1.6527.3.1.2.20.1                       included

no-security       1                                                 included

no-security       1.3.6.1.6.3                                       excluded

no-security       1.3.6.1.6.3.10.2.1                                included

no-security       1.3.6.1.6.3.11.2.1                                included

no-security       1.3.6.1.6.3.15.1.1                                included

on-security       2                               00000000          included

-------------------------------------------------------------------------------

No. of Views: 33

===============================================================================

A:ALA-48#

certificate

Syntax

certificate

Context

show

Description

ca-profile

Syntax

ca-profile

ca-profile name [association]

Context

show>certificate

Description

This command shows certificate-authority profile information.

Parameters

name

Specifies the name of the Certificate Authority (CA) profile.

association

ocsp-cache

Syntax

ocsp-cache [entry-id]

Context

show>certificate

Description

This command displays the current cached OCSP results. The output includes the following information:

•

Certificate issuer

•

Certificate serial number

•

OCSP result

•

Cache entry expire time

Parameters

entry-id

Specifies the local cache entry identifier of the certificate that was validated by the OCSP responder.

Syntax

This command shows certificate related statistics.

Context

show>certificate

Description

users

Syntax

users

Context

show

Description

Displays console user login and connection information.

Output

Users Output

The following table describes show users output fields.

Table 21: Show Users Output Fields
Label	Description
User	The user name.
Type	The user is authorized this access type.
From	The originating IP address.
Login time	The time the user logged in.
Idle time	The amount of idle time for a specific login.
Number of users	Displays the total number of users logged in.

Sample Console Users Output

A:ALA-7# show users

===============================================================================

User              Type    From              Login time          Idle time

===============================================================================

testuser          Console     --            21FEB2007 04:58:55  0d 00:00:00  A

-------------------------------------------------------------------------------

Number of users : 1

'A' indicates user is in admin mode

===============================================================================

A:ALA-7#

Clear Commands

clear>router>authentication

Syntax

statistics [interface ip-int-name | ip-address]

Context

Description

This command clears authentication statistics.

Parameters

ip-int-name

Clears the authentication statistics for the specified interface name. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes

ip-address

Clears the authentication statistics for the specified IP address.

ip-filter

Syntax

ip-filter [entry entry-id]

Context

clear>cpm-filter

Description

This command clears IP filter statistics.

Parameters

entry entry-id

Specifies a particular CPM IP filter entry.

Values

This command clears MAC filter statistics.

mac-filter

Syntax

mac-filter [entry entry-id]

Context

clear>cpm-filter

Description

Parameters

entry entry-id

Specifies a particular CPM MAC filter entry.

Values

This command clears IPv6 filter information.

ipv6-filter

Syntax

ipv6-filter [entry entry-id]

Context

clear>cpm-filter

Description

Parameters

entry entry-id

Specifies a particular CPM IPv6 filter entry.

Values

CPU Protection Commands

Syntax

This command enables the context to clear CPU protection data.

Context

clear

Description

excessive-sources

Syntax

excessive-sources

Context

clear>cpu-protection

Description

This command clears the records of sources exceeding their per-source rate limit.

Syntax

This command clears the interface counts of packets dropped by protocol protection.

Context

clear>cpu-protection

Description

violators

Syntax

violators [port][interface][sap]

Context

clear>cpu-protection

Description

This command clears the rate limit violator record.

Parameters

port

Clears entries for ports.

interface

Clears entries for interfaces.

sap

Clears entries for SAPs.

cpm-queue

Syntax

cpm-queue queue-id

Context

clear

Description

This command clears CPM queue information.

Parameters

queue-id

Specifies the CPM queue ID.

Values

33 — 2000

radius-proxy-server

Syntax

radius-proxy-server server-name statistics

Context

clear>router

Description

This command clears RADIUS proxy server data.

Parameters

server-name

Specifies the proxy server name.

Clears statistics for the specified server.

Debug Commands

radius

Syntax

radius [detail] [hex]

no radius

Context

debug

Description

This command enables debugging for RADIUS connections.

The no form of the command disables the debugging.

Parameters