firewall

Displays wireless firewall information, such as Dynamic Host Configuration Protocol (DHCP) snoop table entries, denial of service statistics, active session summaries, etc.

Note

This command is not available in the USER EXEC mode.

Supported on the following devices:

Access Points: AP5010, AP310i/e, AP410i/e, AP505i, AP510i, AP510e, AP560i, AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP763, AP7662, AP8163, AP8543, AP8533.
Service Platforms: NX5500, NX7500, NX9500, NX9600
Virtual Platforms: CX9000, VX9000

Syntax

show firewall [dhcp|flows|neighbors]

show firewall dhcp snoop-table {on <DEVICE-NAME>}

show firewall flows {filter|management|on|stats|wireless-client}

show firewall flows {filter} {(dir|dst port <1-65535>|ether|flow-type|icmp|
icmpv6|igmp|ip|ipv6|max-idle|min-bytes|min-idle|min-pkts|not|port|src|tcp|udp)}

show firewall flows {management {on <DEVICE-NAME>}|stats {on <DEVICE-NAME>}|
wireless-client <MAC>|on <DEVICE-NAME>}

show firewall neighbors snoop-table {on <DEVICE-NAME>}

Parameters

show firewall dhcp snoop-table {on <DEVICE-NAME>}


firewall dhcp snoop-table {on <DEVICE-NAME>}	Displays DHCP snoop table entries snoop-table – Displays DHCP snoop table entries DHCP snooping acts as a firewall between non-trusted hosts and the DHCP server. Snoop table entries contain MAC address, IP address, lease time, binding type, and interface information of non-trusted interfaces.
on <DEVICE-NAME>	The following keyword is common to the ‘DHCP snoop table‘ and ‘DoS stats‘ parameters: on <DEVICE-NAME> – Optional. Displays snoop table entries, or DoS stats on a specified device <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

show firewall flows {filter} {(dir|dst|ether|flow-type|icmp|icmpv6|igmp|ip|
ipv6|max-idle|min-bytes|min-idle|min-pkts|not|port|src|tcp|udp)}


firewall flows	Notifies a session has been established
filter	Optional. Defines additional firewall flow filter parameters
dir [wired-wired\| wired-wireless\| wireless-wired\| wireless-wireless]	Optional. Matches the packet flow direction wired-wired – Wired to wired flows wired-wireless – Wired to wireless flows wireless-wired – Wireless to wired flows wireless-wireless – Wireless to wireless flows
dst port <1-65535>	Optional. Matches the destination port with the specified port port <1-65535> – Specifies the destination port number from 1 - 65535
ether [dst <MAC>\| host <MAC>\| src <MAC>\| vlan <1-4094>]	Optional. Displays Ethernet filter options dst <MAC> – Matches only the destination MAC address host <MAC> – Matches flows containing the specified MAC address src <MAC> – Matches only the source MAC address vlan <1-4094> – Matches the VLAN number of the traffic with the specified value. Specify a value from 1- 4094.
flow-type [bridged\|natted\|routed\| wired\|wireless]	Optional. Matches the traffic flow type bridged – Bridged flows natted – Natted flows routed – Routed flows wired – Flows belonging to wired hosts wireless – Flows containing a mobile unit
icmp {code\|type}	Optional. Matches flows with the specified Internet Control Message Protocol (ICMP) version 4 code and type code – Matches flows with the specified ICMPv4 code type – Matches flows with the specified ICMPv4 type
icmpv6 {code\|type}	Optional. Matches flows with the specified ICMP version 6 code and type code – Optional. Matches flows with the specified ICMPv6 code type – Optional. Matches flows with the specified ICMPv6 type
igmp	Optional. Matches Internet Group Management Protocol (IGMP) flows
ip [dst <IP>\| host <IP>\| proto <0-254>\| src <IP>]	Optional. Filters firewall flows based on the IPv4 parameters passed dst <IP> – Matches destination IP address host <IP> – Matches flows containing IPv4 address proto <0-254> – Matches the IPv4 protocol number with the specified number src <IPv4> – Matches source IP address
ipv6 [dst <IPv6>\| host <IPv6>\| proto <0-254>\| src <IPv6>]	Optional. Filters firewall flows based on the IPv6 parameters passed dst <IPv6> – Matches destination IPv6 address host <IPv6> – Matches flows containing IPv6 address proto <0-254> – Matches the IPv6 protocol number with the specified number src <IPv6> – Matches source IPv6 address
max-idle <1-4294967295>	Optional. Filters firewall flows idle for at least the specified duration. Specify a max-idle value from 1 - 4294967295 bytes.
min-bytes <1-4294967295>	Optional. Filters firewall flows with at least the specified number of bytes. Specify a min-bytes value from 1 - 4294967295 bytes.
min-idle <1-4294967295>	Optional. Filters firewall flows idle for at least the specified duration. Specify a min-idle value from 1 - 4294967295 bytes.
min-pkts <1-4294967295>	Optional. Filters firewall flows with at least the given number of packets. Specify a min-bytes value from 1 - 4294967295 bytes.
not	Optional. Negates the filter expression selected
port <1-65535>	Optional. Matches either the source or destination port. Specify a port from 1 - 65535.
src <1-65535>	Optional. Matches only the source port with the specified port. Specify a port from 1 - 65535.
tcp	Optional. Matches TCP flows
udp	Optional. Matches UDP flows

show firewall flows {management {on <DEVICE-NAME>}|stats {on <DEVICE-NAME>}|
wireless-client <MAC>|on <DEVICE-NAME>}


firewall flows	Notifies a session has been established
management {on <DEVICE-NAME>}	Optional. Displays management traffic firewall flows on <DEVICE-NAME> – Optional. Displays firewall flows on a specified device <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
stats {on <DEVICE-NAME>}	Optional. Displays active session summary on <DEVICE-NAME> – Optional. Displays active session summary on a specified device <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
wireless-client <MAC>	Optional. Displays wireless clients firewall flows <MAC> – Specify the MAC address of the wireless client.
on <DEVICE-NAME>	Optional. Displays all firewall flows on a specified device <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

show firewall neighbors snoop-table {on <DEVICE-NAME>}


firewall neighbors snoop-table	Displays IPv6 neighbors snoop table entries
on <DEVICE-NAME>	Optional. Displays IPv6 neighbors snoop table entries on a specified device <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Examples

nx9500-6C8809(config)#show fi
file-sync  firewall   file
nx9500-6C8809(config)#show firewall dhcp snoop-table
Snoop Binding <192.168.13.24, 00-15-70-81-74-2D, Vlan 1>
Type switch-SVI, Touched 427779 seconds ago
-------------------------------------------------------------------------------
nx9500-6C8809(config)#

nx9500-6C8809(config)#show firewall dos stats
--------------------------------------------------------------------------------
            ATTACK TYPE                 COUNT             LAST OCCURENCE
--------------------------------------------------------------------------------
  udp-short-hdr                      0             Never
  multicast-icmpv6                   0             Never
  icmp-router-solicit                0             Never
  tcp-xmas-scan                      0             Never
  ascend                             0             Never
  twinge                             0             Never
  tcp-post-syn                       0             Never
  land                               0             Never
  broadcast-multicast-icmp           0             Never
  ftp-bounce                         0             Never
  spoof                              0             Never
  source-route                       0             Never
  tcp-null-scan                      0             Never
  tcp-fin-scan                       0             Never
  ipv6-hop-limit-zero                0             Never
  tcp-bad-sequence                   97            0 days 02:24:32 ago
  fraggle                            0             Never
  router-advt                        0             Never
  snork                              0             Never
  raguard                            0             Never
--More--
nx9500-6C8809(config)#

nx9500-6C8809(config)#show firewall flows management
========== Flow# 1 Summary ==========
Forward:
IPv4 Vlan 1, TCP 192.168.13.10 port 1646 > 192.168.13.24 port 22
 00-02-B3-28-D1-55 > 00-15-70-81-74-2D, ingress port up1
 Egress port: <local>, Egress interface: vlan1, Next hop: <local> (00-15-70-81-74-2D)
 1170 packets, 99960 bytes, last packet 0 seconds ago
Reverse:
IPv4 Vlan 1, TCP 192.168.13.24 port 22 > 192.168.13.10 port 1646
 00-15-70-81-74-2D > 00-02-B3-28-D1-55, ingress port local
 Egress port: up1, Egress interface: vlan1, Next hop: 192.168.13.10 (00-02-B3-28-D1-55)
 873 packets, 98797 bytes, last packet 0 seconds ago
TCP state: Established
Flow times out in 1 hour 30 minutes

nx9500-6C8809(config)#

nx9500-6C8809(config)#show firewall flows stats
Active Flows       2
TCP/IPv4 flows     2
UDP/IPv4 flows     0
DHCP/IPv4 flows    0
ICMP/IPv4 flows    0
IPsec/IPv4 flows   0
TCP/IPv6 flows     0
UDP/IPv6 flows     0
DHCP/IPv6 flows    0
ICMP/IPv6 flows    0
IPsec/IPv6 flows   0
L3/Unknown flows   0
nx9500-6C8809(config)#