firewall

Displays wireless firewall information, such as Dynamic Host Configuration Protocol (DHCP) snoop table entries, denial of service statistics, active session summaries, etc.
Note

This command is not available in the USER EXEC mode.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

show firewall [dhcp|flows|neighbors]
show firewall dhcp snoop-table {on <DEVICE-NAME>}
show firewall flows {filter|management|on|stats|wireless-client}
show firewall flows {filter} {(dir|dst port <1-65535>|ether|flow-type|icmp|
icmpv6|igmp|ip|ipv6|max-idle|min-bytes|min-idle|min-pkts|not|port|src|tcp|udp)}
show firewall flows {management {on <DEVICE-NAME>}|stats {on <DEVICE-NAME>}|
wireless-client <MAC>|on <DEVICE-NAME>}
show firewall neighbors snoop-table {on <DEVICE-NAME>}

Parameters

show firewall dhcp snoop-table {on <DEVICE-NAME>}
firewall dhcp snoop-table {on <DEVICE-NAME>} Displays DHCP snoop table entries
  • snoop-table – Displays DHCP snoop table entries

DHCP snooping acts as a firewall between non-trusted hosts and the DHCP server. Snoop table entries contain the MAC address, IP address, lease time, binding type, and interface information of non-trusted interfaces.

on <DEVICE-NAME> The following keyword is common to the ‘DHCP snoop table’ and ‘DoS stats’ parameters:
  • on <DEVICE-NAME> – Optional. Displays snoop table entries or DoS stats on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
show firewall flows {filter} {(dir|dst port <1-65535>|ether|flow-type|icmp|icmpv6|igmp|ip|
ipv6|max-idle|min-bytes|min-idle|min-pkts|not|port|src|tcp|udp)}
firewall flows Displays established firewall sessions (flows)
filter Optional. Defines additional firewall flow filter parameters
dir [wired-wired|wired-wireless|wireless-wired|wireless-wireless] Optional. Matches the packet flow direction
  • wired-wired – Wired to wired flows
  • wired-wireless – Wired to wireless flows
  • wireless-wired – Wireless to wired flows
  • wireless-wireless – Wireless to wireless flows
dst port <1-65535> Optional. Matches the destination port with the specified port
  • port <1-65535> – Specifies the destination port number from 1 - 65535
ether [dst <MAC>|host <MAC>|src <MAC>|vlan <1-4094>] Optional. Displays Ethernet filter options
  • dst <MAC> – Matches only the destination MAC address
  • host <MAC> – Matches flows containing the specified MAC address
  • src <MAC> – Matches only the source MAC address
  • vlan <1-4094> – Matches the VLAN number of the traffic with the specified value. Specify a value from 1 - 4094.
flow-type [bridged|natted|routed|wired|wireless] Optional. Matches the traffic flow type
  • bridged – Bridged flows
  • natted – Natted flows
  • routed – Routed flows
  • wired – Flows belonging to wired hosts
  • wireless – Flows containing a mobile unit
icmp {code|type} Optional. Matches flows with the specified Internet Control Message Protocol (ICMP) version 4 code and type
  • code – Matches flows with the specified ICMPv4 code
  • type – Matches flows with the specified ICMPv4 type
icmpv6 {code|type} Optional. Matches flows with the specified ICMP version 6 code and type
  • code – Optional. Matches flows with the specified ICMPv6 code
  • type – Optional. Matches flows with the specified ICMPv6 type
igmp Optional. Matches Internet Group Management Protocol (IGMP) flows
ip [dst <IP>|host <IP>|proto <0-254>|src <IP>] Optional. Filters firewall flows based on the IPv4 parameters passed
  • dst <IP> – Matches destination IP address
  • host <IP> – Matches flows containing IPv4 address
  • proto <0-254> – Matches the IPv4 protocol number with the specified number
  • src <IP> – Matches source IP address
ipv6 [dst <IPv6>|host <IPv6>|proto <0-254>|src <IPv6>] Optional. Filters firewall flows based on the IPv6 parameters passed
  • dst <IPv6> – Matches destination IPv6 address
  • host <IPv6> – Matches flows containing IPv6 address
  • proto <0-254> – Matches the IPv6 protocol number with the specified number
  • src <IPv6> – Matches source IPv6 address
max-idle <1-4294967295> Optional. Filters firewall flows idle for at most the specified duration. Specify a max-idle value from 1 - 4294967295.
min-bytes <1-4294967295> Optional. Filters firewall flows with at least the specified number of bytes. Specify a min-bytes value from 1 - 4294967295 bytes.
min-idle <1-4294967295> Optional. Filters firewall flows idle for at least the specified duration. Specify a min-idle value from 1 - 4294967295.
min-pkts <1-4294967295> Optional. Filters firewall flows with at least the specified number of packets. Specify a min-pkts value from 1 - 4294967295 packets.
not Optional. Negates the filter expression selected
port <1-65535> Optional. Matches either the source or destination port. Specify a port from 1 - 65535.
src <1-65535> Optional. Matches only the source port with the specified port. Specify a port from 1 - 65535.
tcp Optional. Matches TCP flows
udp Optional. Matches UDP flows
show firewall flows {management {on <DEVICE-NAME>}|stats {on <DEVICE-NAME>}|
wireless-client <MAC>|on <DEVICE-NAME>}
firewall flows Notifies a session has been established
management {on <DEVICE-NAME>} Optional. Displays management traffic firewall flows
  • on <DEVICE-NAME> – Optional. Displays firewall flows on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
stats {on <DEVICE-NAME>} Optional. Displays active session summary
  • on <DEVICE-NAME> – Optional. Displays active session summary on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
wireless-client <MAC> Optional. Displays wireless clients firewall flows
  • <MAC> – Specify the MAC address of the wireless client.
on <DEVICE-NAME> Optional. Displays all firewall flows on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
show firewall neighbors snoop-table {on <DEVICE-NAME>}
firewall neighbors snoop-table Displays IPv6 neighbors snoop table entries
on <DEVICE-NAME> Optional. Displays IPv6 neighbors snoop table entries on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Examples

nx9500-6C8809(config)#show fi
file-sync  firewall   file
nx9500-6C8809(config)#show firewall dhcp snoop-table
Snoop Binding <192.168.13.24, 00-15-70-81-74-2D, Vlan 1>
Type switch-SVI, Touched 427779 seconds ago
-------------------------------------------------------------------------------
nx9500-6C8809(config)#
nx9500-6C8809(config)#show firewall dos stats
--------------------------------------------------------------------------------
            ATTACK TYPE                 COUNT             LAST OCCURENCE
--------------------------------------------------------------------------------
  udp-short-hdr                      0             Never
  multicast-icmpv6                   0             Never
  icmp-router-solicit                0             Never
  tcp-xmas-scan                      0             Never
  ascend                             0             Never
  twinge                             0             Never
  tcp-post-syn                       0             Never
  land                               0             Never
  broadcast-multicast-icmp           0             Never
  ftp-bounce                         0             Never
  spoof                              0             Never
  source-route                       0             Never
  tcp-null-scan                      0             Never
  tcp-fin-scan                       0             Never
  ipv6-hop-limit-zero                0             Never
  tcp-bad-sequence                   97            0 days 02:24:32 ago
  fraggle                            0             Never
  router-advt                        0             Never
  snork                              0             Never
  raguard                            0             Never
--More--
nx9500-6C8809(config)#
nx9500-6C8809(config)#show firewall flows management
========== Flow# 1 Summary ==========
Forward:
IPv4 Vlan 1, TCP 192.168.13.10 port 1646 > 192.168.13.24 port 22
 00-02-B3-28-D1-55 > 00-15-70-81-74-2D, ingress port up1
 Egress port: <local>, Egress interface: vlan1, Next hop: <local> (00-15-70-81-74-2D)
 1170 packets, 99960 bytes, last packet 0 seconds ago
Reverse:
IPv4 Vlan 1, TCP 192.168.13.24 port 22 > 192.168.13.10 port 1646
 00-15-70-81-74-2D > 00-02-B3-28-D1-55, ingress port local
 Egress port: up1, Egress interface: vlan1, Next hop: 192.168.13.10 (00-02-B3-28-D1-55)
 873 packets, 98797 bytes, last packet 0 seconds ago
TCP state: Established
Flow times out in 1 hour 30 minutes

nx9500-6C8809(config)#
nx9500-6C8809(config)#show firewall flows stats
Active Flows       2
TCP/IPv4 flows     2
UDP/IPv4 flows     0
DHCP/IPv4 flows    0
ICMP/IPv4 flows    0
IPsec/IPv4 flows   0
TCP/IPv6 flows     0
UDP/IPv6 flows     0
DHCP/IPv6 flows    0
ICMP/IPv6 flows    0
IPsec/IPv6 flows   0
L3/Unknown flows   0
nx9500-6C8809(config)#
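The `show firewall dos stats` and `show firewall flows stats` output above is easy to collect from a scripted CLI session, and the useful monitoring step is to flag any DoS counter that is no longer zero (in the sample, tcp-bad-sequence has fired 97 times). The parser below is an added example, not part of the WiNG documentation; the sample text is an excerpt copied from the output shown on this page.

```python
"""Parse WiNG `show firewall dos stats` / `show firewall flows stats` output
and report DoS counters that are non-zero (added example, not WiNG code)."""
import re

# Constructed sample: excerpt of the page's `show firewall dos stats` output.
DOS_STATS = """\
--------------------------------------------------------------------------------
            ATTACK TYPE                 COUNT             LAST OCCURENCE
--------------------------------------------------------------------------------
  udp-short-hdr                      0             Never
  tcp-xmas-scan                      0             Never
  tcp-bad-sequence                   97            0 days 02:24:32 ago
  fraggle                            0             Never
--More--
"""

# Constructed sample: excerpt of the page's `show firewall flows stats` output.
FLOW_STATS = """\
Active Flows       2
TCP/IPv4 flows     2
UDP/IPv4 flows     0
L3/Unknown flows   0
"""

DOS_ROW = re.compile(r"^\s*([a-z0-9-]+)\s+(\d+)\s+(.+?)\s*$")


def parse_dos_stats(text):
    """Return {attack_type: (count, last_occurrence)}, skipping the header,
    the dashed rule lines and the `--More--` pager marker."""
    stats = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("-") or "ATTACK TYPE" in line:
            continue
        m = DOS_ROW.match(line)
        if m:
            stats[m.group(1)] = (int(m.group(2)), m.group(3))
    return stats


def triggered_dos_checks(text):
    """Attack types whose counter is non-zero, highest count first: the rows
    an operator should review against the DoS protection configuration."""
    hits = [(n, c, last) for n, (c, last) in parse_dos_stats(text).items() if c > 0]
    return sorted(hits, key=lambda h: h[1], reverse=True)


def parse_flow_stats(text):
    """Return {counter_name: value} from the active session summary."""
    rows = (re.match(r"^(.+?)\s{2,}(\d+)\s*$", ln) for ln in text.splitlines())
    return {m.group(1): int(m.group(2)) for m in rows if m}
```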