指定された ACL の情報の表示
switch# show ip access-list acl10
ip access-list acl10 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255 (0 matches)
上記の例では、表示出力一致に、この条件を満たすインターフェイス(暗号マップではない)だけが表示されます。
switch# show crypto transform-set domain ipsec
Transform set: 1/1 {esp-3des esp-sha256-hmac}
will negotiate {tunnel}
Transform set: ipsec_default_transform_set {esp-aes 128 esp-sha1-hmac}
will negotiate {tunnel}
switch# show crypto map domain ipsec
Crypto Map “cm10” 1 ipsec
Peer = Auto Peer
IP ACL = acl10
permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
Transform-sets: 3des-md5, des-md5,
Security Association Lifetime: 4500 megabytes/3600 seconds
PFS (Y/N): N
Interface using crypto map set cm10:
GigabitEthernet4/1
Crypto Map “cm100” 1 ipsec
Peer = Auto Peer
IP ACL = acl100
permit ip 10.10.100.0 255.255.255.0 10.10.100.0 255.255.255.0
Transform-sets: 3des-md5, des-md5,
Security Association Lifetime: 4500 megabytes/3600 seconds
PFS (Y/N): N
Interface using crypto map set cm100:
GigabitEthernet4/2
switch# show crypto map domain ipsec interface gigabitethernet 4/1
Crypto Map “cm10” 1 ipsec
Peer = Auto Peer
IP ACL = acl10
permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
Transform-sets: 3des-md5, des-md5,
Security Association Lifetime: 4500 megabytes/3600 seconds
PFS (Y/N): N
Interface using crypto map set cm10:
GigabitEthernet4/1
switch# show crypto map domain ipsec tag cm100
Crypto Map “cm100” 1 ipsec
Peer = Auto Peer
IP ACL = acl100
permit ip 10.10.100.0 255.255.255.0 10.10.100.0 255.255.255.0
Transform-sets: 3des-md5, des-md5,
Security Association Lifetime: 4500 megabytes/3600 seconds
PFS (Y/N): N
Interface using crypto map set cm100:
GigabitEthernet4/2
switch# show crypto sad domain ipsec interface gigabitethernet 4/1
interface: GigabitEthernet4/1
Crypto map tag: cm10, local addr. 10.10.10.1
protected network:
local ident (addr/mask): (10.10.10.0/255.255.255.0)
remote ident (addr/mask): (10.10.10.4/255.255.255.255)
current_peer: 10.10.10.4
local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.4
mode: tunnel, crypto algo: esp-3des, auth algo: esp-md5-hmac
current outbound spi: 0x30e000f (51249167), index: 0
lifetimes in seconds:: 3600
lifetimes in bytes:: 423624704
current inbound spi: 0x30e0000 (51249152), index: 0
lifetimes in seconds:: 3600
lifetimes in bytes:: 423624704
switch# show crypto sad domain ipsec
interface: GigabitEthernet4/1
Crypto map tag: cm10, local addr. 10.10.10.1
protected network:
local ident (addr/mask): (10.10.10.0/255.255.255.0)
remote ident (addr/mask): (10.10.10.4/255.255.255.255)
current_peer: 10.10.10.4
local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.4
mode: tunnel, crypto algo: esp-3des, auth algo: esp-md5-hmac
current outbound spi: 0x30e000f (51249167), index: 0
lifetimes in seconds:: 3600
lifetimes in bytes:: 423624704
current inbound spi: 0x30e0000 (51249152), index: 0
lifetimes in seconds:: 3600
lifetimes in bytes:: 423624704
switch# show crypto spd domain ipsec
Policy Database for interface: GigabitEthernet4/1, direction: Both
# 0: deny udp any port eq 500 any
# 1: deny udp any any port eq 500
# 2: permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
# 63: deny ip any any
Policy Database for interface: GigabitEthernet4/2, direction: Both
# 0: deny udp any port eq 500 any <-----------------------UDP default entry
# 1: deny udp any any port eq 500 <---------------------- UDP default entry
# 3: permit ip 10.10.100.0 255.255.255.0 10.10.100.0 255.255.255.0
# 63: deny ip any any <---------------------------------------- Clear text default entry
switch# show crypto spd domain ipsec interface gigabitethernet 4/2
Policy Database for interface: GigabitEthernet3/1, direction: Both
# 0: deny udp any port eq 500 any
# 1: deny udp any any port eq 500
# 2: permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
# 127: deny ip any any
switch# show iscsi session detail
Initiator iqn.1987-05.com.cisco:01.9f39f09c7468 (ips-host16.cisco.com)
Initiator ip addr (s): 10.10.10.5
Session #1 (index 24)
Discovery session, ISID 00023d000001, Status active
Session #2 (index 25)
Target ibm1
VSAN 1, ISID 00023d000001, TSIH 0, Status active, no reservation
Type Normal, ExpCmdSN 42, MaxCmdSN 57, Barrier 0
MaxBurstSize 0, MaxConn 1, DataPDUInOrder Yes
DataSeqInOrder Yes, InitialR2T Yes, ImmediateData No
Registered LUN 0, Mapped LUN 0
Stats:
PDU: Command: 41, Response: 41
Bytes: TX: 21388, RX: 0
Number of connection: 1
Connection #1
iSCSI session is protected by IPSec -----------The iSCSI session protection status
Local IP address: 10.10.10.4, Peer IP address: 10.10.10.5
CID 0, State: Full-Feature
StatSN 43, ExpStatSN 0
MaxRecvDSLength 131072, our_MaxRecvDSLength 262144
CSG 3, NSG 3, min_pdu_size 48 (w/ data 48)
AuthMethod none, HeaderDigest None (len 0), DataDigest None (len 0)
Version Min: 0, Max: 0
FC target: Up, Reorder PDU: No, Marker send: No (int 0)
Received MaxRecvDSLen key: Yes
switch# show interface fcip 1
fcip1 is trunking
Hardware is GigabitEthernet
Port WWN is 20:50:00:0d:ec:08:6c:c0
Peer port WWN is 20:10:00:05:30:00:a7:9e
Admin port mode is auto, trunk mode is on
Port mode is TE
Port vsan is 1
Speed is 1 Gbps
Trunk vsans (admin allowed and active) (1)
Trunk vsans (up) (1)
Trunk vsans (isolated) ()
Trunk vsans (initializing) ()
Using Profile id 1 (interface GigabitEthernet2/1)
Peer Information
Peer Internet address is 10.10.11.1 and port is 3225
FCIP tunnel is protected by IPSec -----------The FCIP tunnel protection status
Write acceleration mode is off
Tape acceleration mode is off
Tape Accelerator flow control buffer size is 256 KBytes
IP Compression is disabled
Special Frame is disabled
Maximum number of TCP connections is 2
Time Stamp is disabled
QOS control code point is 0
QOS data code point is 0
B-port mode disabled
TCP Connection Information
2 Active TCP connections
Control connection: Local 10.10.11.2:3225, Remote 10.10.11.1:65520
Data connection: Local 10.10.11.2:3225, Remote 10.10.11.1:65522
2 Attempts for active connections, 0 close of connections
TCP Parameters
Path MTU 1400 bytes
Current retransmission timeout is 200 ms
Round trip time: Smoothed 2 ms, Variance: 1
Advertized window: Current: 124 KB, Maximum: 124 KB, Scale: 6
Peer receive window: Current: 123 KB, Maximum: 123 KB, Scale: 6
Congestion window: Current: 53 KB, Slow start threshold: 48 KB
Current Send Buffer Size: 124 KB, Requested Send Buffer Size: 0 KB
CWM Burst Size: 50 KB
5 minutes input rate 128138888 bits/sec, 16017361 bytes/sec, 7937 frames/sec
5 minutes output rate 179275536 bits/sec, 22409442 bytes/sec, 46481 frames/sec
10457037 frames input, 21095415496 bytes
308 Class F frames input, 32920 bytes
10456729 Class 2/3 frames input, 21095382576 bytes
9907495 Reass frames
0 Error frames timestamp error 0
63792101 frames output, 30250403864 bytes
472 Class F frames output, 46816 bytes
63791629 Class 2/3 frames output, 30250357048 bytes
0 Error frames
switch# show crypto global domain ipsec
IPSec global statistics:
Number of crypto map sets: 3
IKE transaction stats: 0 num, 256 max
Inbound SA stats: 0 num
Outbound SA stats: 0 num
switch# show crypto global domain ipsec interface gigabitethernet 3/1
IPSec interface statistics:
IKE transaction stats: 0 num
Inbound SA stats: 0 num, 512 max
Outbound SA stats: 0 num, 512 max
switch# show crypto global domain ipsec security-association lifetime
Security Association Lifetime: 450 gigabytes/3600 seconds