This guide describes how to configure a number of services on ESR service routers to provide communication between offices. This section covers the commands for viewing operational information that are useful when monitoring and debugging the resulting network layout.
The "show cellular status modem" command displays the status of connected modems. The "show cellular status modem 1" command displays detailed information about the status of the configured modem "1":
esr# show cellular status modem
Number USB port Manufacturer Model      Current state Inteface        Link
       device                                                         state
------ -------- ------------ ---------- ------------- --------------- -----
1      3-1      huawei       E8372      connected     modem1          Up
esr#
esr# show cellular status modem 1
Device '1' status information:
USB device: 3-1
Inteface: modem1
Link state: Up
Mode: stick
Manufacturer: huawei
Model: E8372
Revision: 21.329.63.00.778
IMEI: 866649043430427
Status SIM lock: --
Status unlock retries: sim-pin (3) sim-pin2 (3) sim-puk (10) sim-puk2 (10)
Current state: connected
Access tech: UMTS
Signal level: 54
Support modes:
allowed 2G; preferred none;
allowed 3G; preferred none;
allowed 4G; preferred none;
allowed 2G 3G 4G; preferred none;
Allowed modes: 2G 3G 4G
Preferred modes: none
Type IP: IPv4
Operator name: MegaFon
Registration: home
--------------------------------------------------------------------------------
esr#
The "show security ike proposal" command displays the sets of configured encryption algorithms used in constructing IKE protocol sessions. Specifying the name of the set will display more detailed information about its contents:
RT-HUB-1# show security ike proposal
Name         Enc. alg.        DH Auth. alg.
------------ ---------------- -- ----------
DMVPN_IKE_PR aes256           19 sha2-256
OP_1
RT-HUB-1#
RT-HUB-1# show security ike proposal DMVPN_IKE_PROP_1
Description: DMVPN | IKE proposal #1
Encryption algorithm: aes256
Diffie-Hellman group: 19
Authentication algorithm: sha2-256
RT-HUB-1#
The "show security ike policy" command displays the IKE policies configured. Specifying the policy name will display more detailed information about its contents:
RT-HUB-1# show security ike policy
Name                 Description         Mode       Auth.   Proposal
                                                    method
-------------------- ------------------- ---------- ------- -----------------------------------
DMVPN_IKE_POL        DMVPN | IKE policy  main       keyring DMVPN_IKE_PROP_1
RT-HUB-1#
RT-HUB-1# show security ike policy DMVPN_IKE_POL
Description: DMVPN | IKE policy
Mode: main
Authentication method: keyring
Lifetime seconds: 86400s
Proposal:
DMVPN_IKE_PROP_1
RT-HUB-1#
The "show security ike gateway" command displays the configured IKE security gateways. Specifying the name of a security gateway will display more detailed information about its settings:
RT-HUB-1# show security ike gateway
Name             Description                    IKE Policy
---------------- ------------------------------ -----------------------------------
DMVPN_IKE_GW     DMVPN | IKE gateway            DMVPN_IKE_POL
RT-HUB-1#
RT-HUB-1# show security ike gateway DMVPN_IKE_GW
Description: DMVPN | IKE gateway
IKE Policy: DMVPN_IKE_POL
IKE Version: v2-only
Mode: policy-based
Binding interface: --
IKE Dead Peer Detection:
Action: clear
Interval: 40
Timeout: 160
RT-HUB-1#
The "show security ipsec proposal" command displays the sets of configured encryption algorithms used when constructing AH or ESP protocol sessions. Specifying the name of the set will display more detailed information about its contents:
RT-HUB-1# show security ipsec proposal
Name                  Prot Enc. alg.        Auth. alg. PFS dh-group
--------------------- ---- ---------------- ---------- ------------
DMVPN_IPSEC_PROP_1    esp  aes256           sha2-256   19
RT-HUB-1#
RT-HUB-1# show security ipsec proposal DMVPN_IPSEC_PROP_1
Description: DMVPN | IPsec proposal #1
Protocol: esp
Encryption algorithm: aes256
Authentication algorithm: sha2-256
PFS dh-group: 19
RT-HUB-1#
The "show security ipsec policy" command displays the policies configured for the AH or ESP protocol session. Specifying the policy name will display more detailed information about its contents:
RT-HUB-1# show security ipsec policy
Name                 Description         Proposal
-------------------- ------------------- -----------------------------------
DMVPN_IPSEC_POL      DMVPN | IPsec       DMVPN_IPSEC_PROP_1
                     policy
RT-HUB-1#
RT-HUB-1# show security ipsec policy DMVPN_IPSEC_POL
Description: DMVPN | IPsec policy
Lifetime seconds: 28800s
Lifetime packets: --
Lifetime kilobytes: 4608000
Proposal:
DMVPN_IPSEC_PROP_1
RT-HUB-1#
The "show security ipsec vpn configuration" command displays the configured VPN profiles. Specifying the name of a VPN profile will display more detailed information about its settings:
RT-HUB-1# show security ipsec vpn configuration
Name             Description                    State
---------------- ------------------------------ --------
DMVPN_IPSEC_VPN  DMVPN | IPsec VPN profile      Enabled
RT-HUB-1#
RT-HUB-1# show security ipsec vpn configuration DMVPN_IPSEC_VPN
VRF: ISP_1
Description: DMVPN | IPsec VPN profile
State: Enabled
IKE:
Establish tunnel: route
IPsec policy: DMVPN_IPSEC_POL
IKE gateway: DMVPN_IKE_GW
IKE DSCP: 63
IKE idle-time: 0s
IKE rekeying: Enabled
Margin time: 3600s
Margin kilobytes: 86400
Margin packets: 0
Randomization: 100%
RT-HUB-1#
The "show security ipsec vpn status" command displays the active IPsec tunnels. Specifying the name of a VPN profile will display detailed information about the IPsec tunnels created from that profile. To display the active tunnels of a VRF, add the "vrf" modifier:
RT-HUB-1# show security ipsec vpn status vrf ISP_1
Name                            Local host      Remote host     Initiator spi      Responder spi      State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
DMVPN_IPSEC_VPN                 10.0.0.2        203.0.115.2     0x060c25afd64b4af9 0xe098c56c4fbcc90d Established
DMVPN_IPSEC_VPN                 10.0.0.2        203.0.114.2     0x7be4dd13b45a79de 0x7cc308ff27b8bb02 Established
DMVPN_IPSEC_VPN                 10.0.0.2        203.0.114.130   0x933d1a3ef9ecdd68 0xa23c893323d42ee1 Established
RT-HUB-1#
RT-HUB-1# show security ipsec vpn status vrf ISP_1 DMVPN_IPSEC_VPN
Currently active IKE SA:
Name: DMVPN_IPSEC_VPN
State: Established
Version: v2-only
Unique ID: 60
Local host: 10.0.0.2
Remote host: 203.0.115.2
Role: Responder
Initiator spi: 0x060c25afd64b4af9
Responder spi: 0xe098c56c4fbcc90d
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Diffie-Hellman group: 19
Established (d,h:m:s): 00,02:58:39 ago
Rekey time (d,h:m:s): 00,00:00:00
Reauthentication time (d,h:m:s): 00,19:33:51
Child IPsec SAs:
Name: DMVPN_IPSEC_VPN-161
State: Installed
Protocol: esp
Mode: Transport
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Rekey time (d,h:m:s): 00,03:20:28
Life time (d,h:m:s): 00,05:01:21
Established (d,h:m:s): 00,02:58:39 ago
Traffic statistics:
Input bytes: 819517
Output bytes: 822697
Input packets: 13507
Output packets: 13509
-------------------------------------------------------------
Currently active IKE SA:
Name: DMVPN_IPSEC_VPN
State: Established
Version: v2-only
Unique ID: 62
Local host: 10.0.0.2
Remote host: 203.0.114.2
Role: Responder
Initiator spi: 0x7be4dd13b45a79de
Responder spi: 0x7cc308ff27b8bb02
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Diffie-Hellman group: 19
Established (d,h:m:s): 00,02:55:31 ago
Rekey time (d,h:m:s): 00,00:00:00
Reauthentication time (d,h:m:s): 00,19:52:09
Child IPsec SAs:
Name: DMVPN_IPSEC_VPN-163
State: Installed
Protocol: esp
Mode: Transport
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Rekey time (d,h:m:s): 00,03:27:35
Life time (d,h:m:s): 00,05:04:29
Established (d,h:m:s): 00,02:55:31 ago
Traffic statistics:
Input bytes: 809459
Output bytes: 810061
Input packets: 13312
Output packets: 13281
-------------------------------------------------------------
Currently active IKE SA:
Name: DMVPN_IPSEC_VPN
State: Established
Version: v2-only
Unique ID: 63
Local host: 10.0.0.2
Remote host: 203.0.114.130
Role: Responder
Initiator spi: 0x933d1a3ef9ecdd68
Responder spi: 0xa23c893323d42ee1
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Diffie-Hellman group: 19
Established (d,h:m:s): 00,01:09:08 ago
Rekey time (d,h:m:s): 00,00:00:00
Reauthentication time (d,h:m:s): 00,21:39:03
Child IPsec SAs:
Name: DMVPN_IPSEC_VPN-164
State: Installed
Protocol: esp
Mode: Transport
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Rekey time (d,h:m:s): 00,04:56:06
Life time (d,h:m:s): 00,06:50:52
Established (d,h:m:s): 00,01:09:08 ago
Traffic statistics:
Input bytes: 315018
Output bytes: 315097
Input packets: 5206
Output packets: 5200
-------------------------------------------------------------
RT-HUB-1#
The "show security ipsec vpn authentication" command displays the authentication method and state of every peer of a VPN profile:
RT-HUB-1# show security ipsec vpn authentication vrf ISP_1 DMVPN_IPSEC_VPN
Local host      Remote host     Local subnet        Remote subnet       Authentication                            State
--------------- --------------- ------------------- ------------------- ----------------------------------------- -----------
10.0.0.2        203.0.115.2     10.0.0.2/32         203.0.115.2/32      Pre-shared key                            Established
10.0.0.2        203.0.114.2     10.0.0.2/32         203.0.114.2/32      Pre-shared key                            Established
10.0.0.2        203.0.114.130   10.0.0.2/32         203.0.114.130/32    Pre-shared key                            Established
RT-HUB-1#
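As an added example (not part of the original guide and not Eltex's own tooling), the following Python script parses the per-profile output of "show security ipsec vpn status" shown above and checks every IKE SA and child SA against the suite configured in DMVPN_IKE_PROP_1 and DMVPN_IPSEC_PROP_1, reporting any peer whose negotiated algorithms, SA state or rekey schedule deviate from it. The sample text is constructed from the first SA block above plus one block edited by hand to trigger findings; the expected-suite dictionaries and the function names are the example's own.

```python
"""Audit 'show security ipsec vpn status <profile>' output against the configured suite."""
import re

EXPECTED_IKE = {"Encryption algorithm": "aes256", "Authentication algorithm": "sha2-256",
                "Diffie-Hellman group": "19"}             # from DMVPN_IKE_PROP_1 above
EXPECTED_CHILD = {"Protocol": "esp", "Encryption algorithm": "aes256",
                  "Authentication algorithm": "sha2-256"}  # from DMVPN_IPSEC_PROP_1 above

# Constructed sample: the first SA block from the page (trimmed), plus a second block
# edited by hand to use a weaker IKE suite and to have no child SA, so the audit fires.
SAMPLE = """\
Currently active IKE SA:
Name: DMVPN_IPSEC_VPN
State: Established
Remote host: 203.0.115.2
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Diffie-Hellman group: 19
Child IPsec SAs:
Name: DMVPN_IPSEC_VPN-161
State: Installed
Protocol: esp
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Rekey time (d,h:m:s): 00,03:20:28
Life time (d,h:m:s): 00,05:01:21
-------------------------------------------------------------
Name: DMVPN_IPSEC_VPN
State: Established
Remote host: 203.0.114.2
Encryption algorithm: aes128
Authentication algorithm: sha1
Diffie-Hellman group: 2
Child IPsec SAs:
-------------------------------------------------------------
"""

def parse_duration(text):
    """'00,03:20:28' or '00,02:58:39 ago' (d,h:m:s) -> seconds."""
    days, hms = text.split()[0].split(",")
    h, m, s = (int(x) for x in hms.split(":"))
    return int(days) * 86400 + h * 3600 + m * 60 + s

def parse_status(output):
    """Return one {'ike': {...}, 'children': [{...}, ...]} dict per dash-separated SA block."""
    sas = []
    for block in re.split(r"^-{5,}\s*$", output, flags=re.M):
        ike, children, in_child = {}, [], False
        for line in block.splitlines():
            key, sep, val = line.strip().partition(": ")
            if line.strip() == "Child IPsec SAs:":
                in_child = True          # every following Name line opens a child SA
            elif not sep:
                continue                 # headings and the CLI prompt carry no value
            elif not in_child:
                ike[key] = val
            else:
                if key == "Name" or not children:
                    children.append({})
                children[-1][key] = val
        if ike:
            sas.append({"ike": ike, "children": children})
    return sas

def audit(output, expected_ike=EXPECTED_IKE, expected_child=EXPECTED_CHILD):
    """Return findings as strings; an empty list means every SA matches policy."""
    findings = []
    for sa in parse_status(output):
        ike = sa["ike"]
        peer = ike.get("Remote host", "?")
        checks = [(f"{peer} IKE", ike, "Established", expected_ike)]
        checks += [(f"{peer} {c.get('Name')}", c, "Installed", expected_child)
                   for c in sa["children"]]
        for label, fields, state, expected in checks:
            if fields.get("State") != state:
                findings.append(f"{label}: state {fields.get('State')}, expected {state}")
            for key, want in expected.items():
                if fields.get(key) != want:
                    findings.append(f"{label}: {key} is {fields.get(key)}, expected {want}")
        if not sa["children"]:           # IKE is up but nothing protects traffic
            findings.append(f"{peer}: no child SA installed")
        for child in sa["children"]:     # the child must rekey before its lifetime ends
            rekey = parse_duration(child["Rekey time (d,h:m:s)"])
            life = parse_duration(child["Life time (d,h:m:s)"])
            if rekey >= life:
                findings.append(f"{peer} {child['Name']}: rekey at {rekey}s, lifetime {life}s")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE) or ["all SAs match policy"]))
```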
The "show tunnels status" command with the "gre" modifier displays the status of configured GRE tunnels. Specifying a GRE tunnel number will display more detailed information about it:
RT-OFFICE-1# show tunnels status gre
Tunnel           Admin Link  MTU    Local IP         Remote IP        Last change
                 state state                                          (d,h:m:s)
---------------- ----- ----- ------ ---------------- ---------------- -------------
gre 11           Up    Up    1400   203.0.114.2      --               00,03:21:16
gre 12           Up    Up    1400   203.0.114.2      --               00,03:21:16
RT-OFFICE-1#
RT-OFFICE-1# show tunnels status gre 11
Tunnel 'gre 11' status information:
Description: DMVPN | Cloud 1
Administrative state: Up
Operational state: Up
Supports broadcast: No
Supports multicast: Yes
MTU: 1400
Last change (d,h:m:s): 00,03:23:41
RT-OFFICE-1#
The "show tunnels configuration" command with the "gre" modifier displays the parameters of the configured GRE tunnels. Specifying the GRE tunnel number will display more detailed information about it:
RT-OFFICE-1# show tunnels configuration gre
Tunnel           State    Description
---------------- -------- ------------------------------
gre 11           Enabled  DMVPN | Cloud 1
gre 12           Enabled  DMVPN | Cloud 2
RT-OFFICE-1#
RT-OFFICE-1# show tunnels configuration gre 11
State: Enabled
Description: DMVPN | Cloud 1
Mode: ip
Bridge group: --
VRF: --
Local interface: gigabitethernet 1/0/1
Remote address: --
Calculates checksums for outgoing GRE packets: No
Requires that all input GRE packets were checksum: No
key: 1000
TTL: 64
DSCP: Inherit
MTU: 1400
Path MTU discovery: Enabled
Don't fragment bit suppression: Disabled
Security zone: DMVPN_NET
Multipoint mode: Enabled
Keepalive:
State: Disabled
Timeout: 10
Retries: 6
Destination address: --
RT-OFFICE-1#
The "show tunnels counters" command with the "gre" modifier displays counters of the configured GRE tunnels. Specifying the GRE tunnel number will display more detailed statistics about the tunnel:
RT-OFFICE-1# show tunnels counters gre
Tunnel           Packets recv   Bytes recv     Errors recv    MC recv
---------------- -------------- -------------- -------------- --------------
gre 11           16906          935037         0              0
gre 12           15604          820817         0              0

Tunnel           Packets sent   Bytes sent     Errors sent
---------------- -------------- -------------- --------------
gre 11           16964          935255         0
gre 12           15638          821396         0
RT-OFFICE-1#
RT-OFFICE-1# show tunnels counters gre 11
Tunnel 'gre 11' counters:
Packets received: 16906
Bytes received: 935037
Dropped on receive: 0
Receive errors: 0
Multicasts received: 0
Receive length errors: 0
Receive buffer overflow errors: 0
Receive CRC errors: 0
Receive frame errors: 0
Receive FIFO errors: 0
Receive missed errors: 0
Receive compressed: 0
Packets transmitted: 16964
Bytes transmitted: 935255
Dropped on transmit: 0
Transmit errors: 0
Transmit aborted errors: 0
Transmit carrier errors: 0
Transmit FIFO errors: 0
Transmit heartbeat errors: 0
Transmit window errors: 0
Transmit comressed: 0
Collisions: 0
RT-OFFICE-1#
The "show ip nhrp peers" command displays information about known NHRP neighbors. Specifying the "detailed" modifier will display more detailed information about NHRP neighbors:
RT-OFFICE-1# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
       C - connected, G - group, Q - qos, N - nat
       P - protected, I - Redirect-ignored, X - undefined
Tunnel address       NBMA address     Tunnel    Expire    Created        Type            Flags
                                                (h:m:s)   (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
172.16.1.1           203.0.113.4      gre 11    --        00,00:00:50    static          RULCN
172.16.2.1           203.0.113.132    gre 12    --        00,00:00:50    static          RULCN
RT-OFFICE-1#
RT-OFFICE-1# show ip nhrp peers detailed
Tunnel: gre 11
Type: static
Tunnel address: 172.16.1.1
NBMA address: 203.0.113.4
NAT-OA address: 10.0.0.2
Flags: nhs, used, lower-up, connected, nat
Created (d,h:m:s): 00,00:00:52
Expire (h:m:s): --
Re-registration in (h:m:s): 00:02:28
IPsec protection: Disabled
Group: --
QoS policy output: --

Tunnel: gre 12
Type: static
Tunnel address: 172.16.2.1
NBMA address: 203.0.113.132
NAT-OA address: 10.0.0.10
Flags: nhs, used, lower-up, connected, nat
Created (d,h:m:s): 00,00:00:52
Expire (h:m:s): --
Re-registration in (h:m:s): 00:02:28
IPsec protection: Disabled
Group: --
QoS policy output: --
RT-OFFICE-1#
The "show ip nhrp shortcut-routes" command displays the temporary routes created to local networks behind a remote NHRP neighbor. These routes can appear in DMVPN Phase 3, when Spoke-to-Spoke tunnels are built:
RT-OFFICE-1# show ip nhrp shortcut-routes
Network              Nexthop          Tunnel    Expire    Created
                                                (h:m:s)   (d,h:m:s)
-------------------- ---------------- --------- --------- --------------
192.168.12.0/24      172.16.1.12      gre 11    00:09:39  00,00:00:20
192.168.13.0/24      172.16.1.13      gre 11    00:09:52  00,00:00:07
RT-OFFICE-1#
The "show ip route" command with the "nhrp" modifier displays all routes added as a result of the NHRP protocol operation:
RT-OFFICE-1# show ip route nhrp
H * 172.16.1.1/32 [20/0] dev gre 11 [nhrp 06:34:49]
H * 172.16.2.1/32 [20/0] dev gre 12 [nhrp 06:34:49]
H * 172.16.1.13/32 [20/0] dev gre 11 [nhrp 10:16:43]
H * 192.168.12.0/24 [20/0] via 172.16.1.12 on gre 11 [nhrp 10:16:29]
H * 192.168.13.0/24 [20/0] via 172.16.1.13 on gre 11 [nhrp 10:16:43]
H * 172.16.1.12/32 [20/0] dev gre 11 [nhrp 10:16:29]
RT-OFFICE-1#
The "show bgp summary" command displays brief information about established BGP neighbors, as well as the amount of advertised and received routing information:
RT-HUB-1# show bgp summary
2025-06-10 10:35:44
BGP router identifier 10.0.0.19, local AS number 65001
BGP activity 5/12 prefixes
Neighbor               AS            MsgRcvd    MsgSent    Up/Down     St/PfxRcd
                                                           (d,h:m:s)
---------------------- ------------- ---------- ---------- ----------- ------------
10.0.0.18              65500         2137       2179       01,06:56:47 1
10.0.0.17              65500         2114       2154       01,06:44:22 1
172.16.1.13            65000         285        283        00,04:04:03 1
172.16.1.12            65000         281        282        00,04:03:52 1
172.16.1.11            65000         276        276        00,04:00:43 1
RT-HUB-1#
The "show bgp neighbors" command displays detailed information about BGP neighbors:
RT-HUB-1# show bgp neighbors
BGP neighbor is 10.0.0.17
Description: DMZ | RT-GW-1
BGP state: Established
Type: Static neighbor
Neighbor address: 10.0.0.17
Neighbor AS: 65500
Neighbor ID: 10.0.0.1
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: external AS4
Source address: 10.0.0.19
Weight: 0
Hold timer: 111/180
Keepalive timer: 12/60
Peer group: DMVPN_LAN
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Outgoing route-map: DMVPN_LAN_OUT
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 01,06:44:34
BFD address: 10.0.0.17
BFD state: Up
BFD interval: 1.000 s
BFD timeout: 8.000 s
BGP neighbor is 10.0.0.18
Description: DMZ | RT-GW-2
BGP state: Established
Type: Static neighbor
Neighbor address: 10.0.0.18
Neighbor AS: 65500
Neighbor ID: 10.0.0.9
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: external AS4
Source address: 10.0.0.19
Weight: 0
Hold timer: 100/180
Keepalive timer: 52/60
Peer group: DMVPN_LAN
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Outgoing route-map: DMVPN_LAN_OUT
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 01,06:56:59
BFD address: 10.0.0.18
BFD state: Up
BFD interval: 1.000 s
BFD timeout: 8.000 s
BGP neighbor is 172.16.1.13
BGP state: Established
Type: Dynamic neighbor
Listen range prefix: 172.16.1.0/24
Neighbor address: 172.16.1.13
Neighbor AS: 65000
Neighbor ID: 172.16.1.13
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: external AS4
Source address: 172.16.1.1
Weight: 0
Hold timer: 157/180
Keepalive timer: 19/60
Peer group: DMVPN_NET_1
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: Yes
Default information originate: No
Outgoing route-map: DMVPN_NET_1_OUT
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 00,04:04:15
BFD address: 172.16.1.13
BFD state: Up
BFD interval: 1.000 s
BFD timeout: 8.000 s
BGP neighbor is 172.16.1.12
BGP state: Established
Type: Dynamic neighbor
Listen range prefix: 172.16.1.0/24
Neighbor address: 172.16.1.12
Neighbor AS: 65000
Neighbor ID: 172.16.1.12
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: external AS4
Source address: 172.16.1.1
Weight: 0
Hold timer: 94/180
Keepalive timer: 4/60
Peer group: DMVPN_NET_1
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: Yes
Default information originate: No
Outgoing route-map: DMVPN_NET_1_OUT
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 00,04:04:04
BFD address: 172.16.1.12
BFD state: Up
BFD interval: 1.000 s
BFD timeout: 8.000 s
BGP neighbor is 172.16.1.11
BGP state: Established
Type: Dynamic neighbor
Listen range prefix: 172.16.1.0/24
Neighbor address: 172.16.1.11
Neighbor AS: 65000
Neighbor ID: 172.16.1.11
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: external AS4
Source address: 172.16.1.1
Weight: 0
Hold timer: 123/180
Keepalive timer: 32/60
Peer group: DMVPN_NET_1
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: Yes
Default information originate: No
Outgoing route-map: DMVPN_NET_1_OUT
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 00,04:00:55
BFD address: 172.16.1.11
BFD state: Up
BFD interval: 1.000 s
BFD timeout: 8.000 s
RT-HUB-1#
The "show bgp ipv4 unicast" command displays the BGP RIB for the IPv4 unicast address family:
RT-HUB-1# show bgp ipv4 unicast
Status codes: u - unicast, b - broadcast, m - multicast, a - anycast
              * - valid, > - best
Origin codes: i - IGP, e - EGP, ? - incomplete
     Network              Next Hop         Metric  LocPrf  Weight  Path
*> u 0.0.0.0/0            10.0.0.17        100     100     0       65500 i
*  u 0.0.0.0/0            10.0.0.18        200     100     0       65500 i
*> u 192.168.11.0/24      172.16.1.11      --      100     0       65000 i
*> u 192.168.12.0/24      172.16.1.12      --      100     0       65000 i
*> u 192.168.13.0/24      172.16.1.13      --      100     0       65000 i
RT-HUB-1#
The command "show bgp ipv4 unicast neighbor <IP-ADDRESS> routes" displays the routes received from the BGP neighbor:
RT-HUB-1# show bgp ipv4 unicast neighbor 172.16.1.11 routes
Status codes: u - unicast, b - broadcast, m - multicast, a - anycast
              * - valid, > - best
Origin codes: i - IGP, e - EGP, ? - incomplete
     Network              Next Hop         Metric  LocPrf  Weight  Path
*> u 192.168.11.0/24      172.16.1.11      --      100     0       65000 i
RT-HUB-1#
The command "show bgp ipv4 unicast neighbor <IP-ADDRESS> advertise-routes" displays the routes advertised to the BGP neighbor:
RT-HUB-1# show bgp ipv4 unicast neighbor 172.16.1.11 advertise-routes
Status codes: u - unicast, b - broadcast, m - multicast, a - anycast
              * - valid, > - best
Origin codes: i - IGP, e - EGP, ? - incomplete
     Network              Next Hop         Metric  LocPrf  Weight  Path
*> u 0.0.0.0/0            172.16.1.1       100     --      --      65001 i
RT-HUB-1#
The "show ip route" command with the "bgp" modifier displays all routes added as a result of the BGP protocol operation:
RT-HUB-1# show ip route bgp
B * 0.0.0.0/0 [170] via 10.0.0.17 on po1.300 [bgp65001 2025-06-09] (AS65500i)
B   0.0.0.0/0 [170] via 10.0.0.18 on po1.300 [bgp65001 2025-06-09] (AS65500i)
B * 192.168.11.0/24 [170] via 172.16.1.11 on gre 10 [bgp65001 06:35:01] (AS65000i)
B * 192.168.12.0/24 [170] via 172.16.1.12 on gre 10 [bgp65001 06:31:52] (AS65000i)
B * 192.168.13.0/24 [170] via 172.16.1.13 on gre 10 [bgp65001 06:31:41] (AS65000i)
RT-HUB-1#
The "show bfd neighbors" command displays the BFD sessions and their state. Specifying a neighbor address will display more detailed information about that session:
RT-HUB-1# show bfd neighbors
Neighbor                                Discriminator State     Interface
--------------------------------------- ------------- --------- ----------------
10.0.0.18                               1981074375    Up        po1.300
172.16.1.13                             1317697778    Up        gre 10
172.16.1.12                             2842746174    Up        gre 10
172.16.1.11                             4248109158    Up        gre 10
10.0.0.17                               4277650140    Up        po1.300
RT-HUB-1#
RT-HUB-1# show bfd neighbors 172.16.1.11
Neighbor address: 172.16.1.11
Local address: 172.16.1.1
Interface: gre 10
Remote discriminator: 4248109158
Local discriminator: 2527420142
State: Up
Session type: Control
Session mode: Single-hop
Local diagnostic code: No Diagnostic
Remote diagnostic code: No Diagnostic
Minimal Tx Interval: 1000 ms
Minimal Rx Interval: 1000 ms
Multiplier: 8
Actual Tx Interval: 1000 ms
Actual Detection Interval: 8000 ms
Number of transmitted packets: 17983
Number of received packets: 17971
Uptime (d,h:m:s): 00,04:07:20
Client: BGP
Last received packet:
Desired Min Tx Interval: 1000 ms
Required Min Rx Interval: 1000 ms
Multiplier: 8
RT-HUB-1#
The "show security zone" command displays a list of configured security zones:
RT-GW-1# show security zone
Zone name     Interfaces
------------- ------------------------------------------
UNTRUSTED     gi1/0/1
MGMT          po1.250
CUSTOMER      po1.100
DMVPN_ISP_1   po1.210
DMVPN_LAN     po1.300
RT-GW-1#
The "show security zone-pair" command displays a list of configured security zone pairs:
RT-GW-1# show security zone-pair
From zone     To zone       VRF                              Description
------------- ------------- -------------------------------- -------------------------------------------
MGMT          self          --                               --
CUSTOMER      self          --                               --
CUSTOMER      UNTRUSTED     --                               --
DMVPN_ISP_1   self          --                               --
UNTRUSTED     DMVPN_ISP_1   --                               --
DMVPN_ISP_1   UNTRUSTED     --                               --
DMVPN_LAN     self          --                               --
DMVPN_LAN     CUSTOMER      --                               --
CUSTOMER      DMVPN_LAN     --                               --
DMVPN_LAN     UNTRUSTED     --                               --
RT-GW-1#
The command "show security zone-pair configuration <LEFT> <RIGHT>" displays a list of firewall rules for the specified pair of security zones:
RT-GW-1# show security zone-pair configuration DMVPN_LAN self
Order: 10
Description: Permit | ICMP | From ANY | To ANY
Matching pattern:
Protocol: ICMP(1)
Fragment: --
IP options: --
Source MAC: any
Destination MAC: any
ICMP type: any
ICMP code: any
Source address: any
Destination address: any
Destination NAT: --
Application: --
Action: Permit
Status: Enabled
--------------------------------------------------------------------------------
Order: 20
Description: Permit | BGP | From ANY | To ANY
Matching pattern:
Protocol: TCP(6)
Fragment: --
IP options: --
Source MAC: any
Destination MAC: any
Source address: any
Source port: any
Destination address: any
Destination port: 179
Destination NAT: --
Application: --
Action: Permit
Status: Enabled
--------------------------------------------------------------------------------
Order: 30
Description: Permit | BFD | From ANY | To ANY
Matching pattern:
Protocol: UDP(17)
Fragment: --
IP options: --
Source MAC: any
Destination MAC: any
Source address: any
Source port: any
Destination address: any
Destination port: 3784
Destination NAT: --
Application: --
Action: Permit
Status: Enabled
--------------------------------------------------------------------------------
RT-GW-1#
The "show ip firewall counters" command displays statistics on firewall rule activations:
RT-GW-1# show ip firewall counters
Zone-pair                      Rule       Action          Pkts       Bytes      Description
------------------------------ ---------- --------------- ---------- ---------- --------------------
CUSTOMER/UNTRUSTED             10         permit          1          92         Permit | ANY | From
                                                                                CUSTOMER | To ISP-1
CUSTOMER/self                  10         permit          0          0          Permit | ICMP |
                                                                                From ANY | To ANY
CUSTOMER/self                  20         permit          1          40         Permit | VRRP |
                                                                                From ANY | To ANY
DMVPN_ISP_1/UNTRUSTED          10         permit          0          0          Permit | ICMP |
                                                                                From ANY | To ANY
DMVPN_ISP_1/UNTRUSTED          20         permit          58         27086      Permit | IKE/IPsec
                                                                                | From RT-HUB-1 |
                                                                                To ISP-1
DMVPN_ISP_1/self               10         permit          0          0          Permit | ICMP |
                                                                                From ANY | To ANY
DMVPN_LAN/self                 10         permit          0          0          Permit | ICMP |
                                                                                From ANY | To ANY
DMVPN_LAN/self                 20         permit          151        9060       Permit | BGP | From
                                                                                ANY | To ANY
DMVPN_LAN/self                 30         permit          271569     14121588   Permit | BFD | From
                                                                                ANY | To ANY
MGMT/self                      10         permit          0          0          Permit | ICMP |
                                                                                From ANY | To ANY
UNTRUSTED/DMVPN_ISP_1          10         permit          0          0          Permit | ICMP |
                                                                                From ANY | To ANY
UNTRUSTED/DMVPN_ISP_1          20         permit          59         13788      Permit | IKE/IPsec
                                                                                | From ISP-1 | To
                                                                                RT-HUB-1
any/any                        default    deny            3          252        --
CUSTOMER/DMVPN_LAN             10         permit          28         2576       Permit | ANY | From
                                                                                CUSTOMER | To DMVPN
                                                                                Cloud
DMVPN_LAN/CUSTOMER             10         permit          18         1656       Permit | ANY | From
                                                                                DMVPN Cloud | To
                                                                                CUSTOMER
DMVPN_LAN/UNTRUSTED            10         permit          14         1288       Permit | ANY | From
                                                                                DMVPN Cloud | To
                                                                                ISP-1
RT-GW-1#
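As an added example (not from the guide and not part of the ESR software), this Python script parses the wrapped table produced by "show ip firewall counters" above, joins each continuation line back onto its rule, and reports how many packets fell through to the implicit deny together with the permit rules that have never matched, a quick hygiene check when reviewing zone-pair policy. The sample rows are a constructed subset of the RT-GW-1 output; the function names are the example's own.

```python
"""Parse the wrapped 'show ip firewall counters' table and summarise what it says about policy."""
import re

# Constructed sample: a subset of the RT-GW-1 output above. Long descriptions wrap onto
# continuation lines that carry no zone-pair, rule or counter columns.
SAMPLE = """\
RT-GW-1# show ip firewall counters
Zone-pair                      Rule       Action          Pkts       Bytes      Description
------------------------------ ---------- --------------- ---------- ---------- --------------------
CUSTOMER/UNTRUSTED             10         permit          1          92         Permit | ANY | From
                                                                                CUSTOMER | To ISP-1
CUSTOMER/self                  10         permit          0          0          Permit | ICMP |
                                                                                From ANY | To ANY
DMVPN_ISP_1/UNTRUSTED          20         permit          58         27086      Permit | IKE/IPsec
                                                                                | From RT-HUB-1 |
                                                                                To ISP-1
DMVPN_LAN/self                 30         permit          271569     14121588   Permit | BFD | From
                                                                                ANY | To ANY
MGMT/self                      10         permit          0          0          Permit | ICMP |
                                                                                From ANY | To ANY
any/any                        default    deny            3          252        --
RT-GW-1#
"""

# A data row: zone-pair, rule order (or 'default'), action, packet and byte counters, description.
ROW = re.compile(r"^(\S+)\s+(\d+|default)\s+(\w+)\s+(\d+)\s+(\d+)\s*(.*)$")

def parse_counters(output):
    """Return one dict per rule, with wrapped description lines joined back together."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            zone_pair, rule, action, pkts, nbytes, desc = m.groups()
            rows.append({"zone_pair": zone_pair, "rule": rule, "action": action,
                         "pkts": int(pkts), "bytes": int(nbytes), "desc": desc.strip()})
        elif rows and line.startswith(" ") and line.strip():
            rows[-1]["desc"] += " " + line.strip()      # continuation of the previous row
    return rows

def summarise(output):
    """Packets that hit the implicit deny, and permit rules that have never matched."""
    rows = parse_counters(output)
    denied = sum(r["pkts"] for r in rows if r["action"] == "deny")
    unused = [f"{r['zone_pair']} {r['rule']}" for r in rows
              if r["action"] == "permit" and r["pkts"] == 0]
    return {"rules": len(rows), "denied_pkts": denied, "unused_permits": unused}

if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```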
The "show ip firewall sessions" command displays the list of network sessions tracked by the firewall:
RT-GW-1# show ip firewall sessions
Codes: E - expected, U - unreplied,
       A - assured, C - confirmed
Prot  Aging      Inside source         Inside destination    Outside source        Outside destination   Pkts       Bytes      Status
----- ---------- --------------------- --------------------- --------------------- --------------------- ---------- ---------- ------
tcp   99         10.0.0.19:54300       10.0.0.17:179         10.0.0.19:54300       10.0.0.17:179         --         --         AC
udp   179        203.0.114.130:4500    10.0.0.2:4500         203.0.114.130:4500    203.0.113.4:4500      --         --         AC
tcp   113        10.0.0.20:52247       10.0.0.17:179         10.0.0.20:52247       10.0.0.17:179         --         --         AC
udp   179        203.0.115.2:5064      10.0.0.2:4500         203.0.115.2:5064      203.0.113.4:4500      --         --         AC
icmp  22         203.0.113.2           8.8.4.4               203.0.113.2           8.8.4.4               --         --         C
udp   29         10.0.0.19:49171       10.0.0.17:3784        10.0.0.19:49171       10.0.0.17:3784        --         --         UC
udp   28         10.0.0.17:49152       10.0.0.20:3784        10.0.0.17:49152       10.0.0.20:3784        --         --         UC
udp   29         10.0.0.17:49152       10.0.0.19:3784        10.0.0.17:49152       10.0.0.19:3784        --         --         UC
vrrp  59         10.100.0.253          224.0.0.18            10.100.0.253          224.0.0.18            --         --         UC
udp   29         10.0.0.20:49163       10.0.0.17:3784        10.0.0.20:49163       10.0.0.17:3784        --         --         UC
udp   179        203.0.114.2:4500      10.0.0.2:4500         203.0.114.2:4500      203.0.113.4:4500      --         --         AC
icmp  24         203.0.113.2           77.88.44.242          203.0.113.2           77.88.44.242          --         --         C
RT-GW-1#
The "show ip nat proxy-arp" command displays a list of interfaces on which the ARP proxy function is enabled and the IP addresses for which it will be triggered:
RT-GW-1# show ip nat proxy-arp
Interface   IP address range
----------- ---------------------------------------------
gi1/0/1     203.0.113.3, 203.0.113.4
RT-GW-1#
The "show ip nat source pools" command displays a list of configured pools of IP addresses and ports used in Source NAT rules:
RT-GW-1# show ip nat source pools
Name                  IP address        Port    Description Persi
                      range                                 stent
--------------------- ----------------- ------- ----------- -----
CUSTOMER_PUBLIC_IP    203.0.113.3       -       --          No
RT-GW-1#
The "show ip nat source rulesets" command displays a list of configured Source NAT rulesets. Specifying a ruleset name will display a list of Source NAT rules it contains:
RT-GW-1# show ip nat source rulesets
Name                             To                 Description
-------------------------------- ------------------ -----------------
SNAT                             zone 'UNTRUSTED'   --
RT-GW-1#
RT-GW-1# show ip nat source rulesets SNAT
Description: --
VRF: --
To: zone 'UNTRUSTED'
Rules:
------
Order: 10
Description: Source | CUSTOMER
Matching pattern:
Protocol: any
Source address: 10.100.0.0/24
Destination address: any
Action: pool CUSTOMER_PUBLIC_IP
Status: Enabled
--------------------------------------------------------------------------------
Order: 20
Description: Static | RT-HUB-1
Matching pattern:
Protocol: any
Source address: 10.0.0.2/32
Destination address: any
Action: netmap 203.0.113.4/32
Status: Enabled
--------------------------------------------------------------------------------
Order: 30
Description: Source | DMVPN Cloud
Matching pattern:
Protocol: any
Source address: 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24
Destination address: any
Action: pool CUSTOMER_PUBLIC_IP
Status: Enabled
--------------------------------------------------------------------------------
RT-GW-1#
The "show ip nat translations" command displays a list of currently tracked NAT sessions:
RT-GW-1# show ip nat translations
Prot Inside source         Inside destination    Outside source        Outside destination   Pkts       Bytes
---- --------------------- --------------------- --------------------- --------------------- ---------- ----------
udp  203.0.114.130:4500    10.0.0.2:4500         203.0.114.130:4500    203.0.113.4:4500      --         --
udp  203.0.115.2:5064      10.0.0.2:4500         203.0.115.2:5064      203.0.113.4:4500      --         --
udp  203.0.114.2:4500      10.0.0.2:4500         203.0.114.2:4500      203.0.113.4:4500      --         --
RT-GW-1#