New and Changed Commands Reference

cable-modem dhcp-proxy

clear crypto engine accelerator counter

crypto engine accelerator

debug cable-modem mac messages dynsrv

ip address docsis

ip http cable-monitor

show controllers cable-modem qos

show crypto engine accelerator ring

show crypto engine accelerator sa-database

show crypto engine accelerator statistic

show crypto engine brief

show crypto engine configuration

show crypto engine connections

Commands Reserved for DOCSIS Use

New and Changed Commands Reference

This appendix describes the cable-specific commands that have been added or changed for the Cisco uBR905 cable access router in the Cisco IOS 12.1 T software releases. These commands are in addition to the commands that are supported in Cisco IOS Release 12.1(1). For a description of the commands in these previous releases, see the command reference documentation for Cisco IOS Release 12.1, available on CCO and the Documentation CD-ROM.

Note To locate the documentation for the "related commands" mentioned in this chapter, use the Cisco IOS Release 12.1 command reference master index that is available on CCO and the Documentation CD-ROM.

The commands in this appendix are listed alphabetically:

cable-modem dhcp-proxy—Allows a DHCP server to assign an IP address to the router's Ethernet interface or to a NAT address pool.
clear crypto engine accelerator counter—Resets the statistical and error counters for the Cisco uBR905 router's onboard hardware accelerator for IPsec encryption to zero.
crypto engine accelerator—Enables or disables the Cisco uBR905 router's onboard hardware accelerator for IPsec encryption.
debug cable-modem mac messages dynsrv—Displays debug messages about the dynamic service MAC-layer messages that are sent and received when voice calls are made using the dynamic SID feature.
ip address docsis—Specifies that the cable interface obtains its IP address from a DHCP server during power-on provisioning.
ip http cable-monitor—Enables the Cable Monitor, a web-based diagnostic tool.
show controllers cable-modem qos—Displays the Quality of Service (QoS) configuration for the Cisco uBR905 cable access router.
show crypto engine accelerator ring—Displays the contents of the control, transmit, and receive packet rings used by the Cisco uBR905 cable access router's hardware accelerator.
show crypto engine accelerator sa-database—Displays the contents of the security associations (SA) database for the Cisco uBR905 cable access router's hardware accelerator.
show crypto engine accelerator statistic—Displays the current statistics and error counters for the Cisco uBR905 cable access router's hardware accelerator.
show crypto engine brief—Displays a summary of the version and run-time configuration for the Cisco uBR905 cable access router's hardware accelerator.
show crypto engine configuration—Displays the version, status, configuration, and run-time statistics for the Cisco uBR905 cable access router's hardware accelerator.
show crypto engine connections—Displays the status for all current connections maintained by the Cisco uBR905 cable access router's hardware accelerator.

In Cisco IOS Release 12.1(2)T and greater, certain commands used on other cable access routers were reserved for DOCSIS use and are no longer available in the CLI. See "Commands Reserved for DOCSIS Use" section.

Note This appendix does not describe new commands that are not specific to the Cisco uBR905 cable access router. For a description of these other commands, see the New Features in Cisco IOS Release 12.1 T section on CCO and the Documentation CD-ROM.

cable-modem dhcp-proxy

To configure the Cisco uBR905 cable access router so that it configures its Ethernet interface or Network Address Translation (NAT) address pool with an IP address supplied by the DHCP server, use the cable-modem dhcp-proxy cable interface configuration command. To disable this feature (so that you can then manually assign an IP address to the Ethernet interface or NAT address pool), use the no cable-modem dhcp-proxy cable interface configuration command.

cable-modem dhcp-proxy {interface ethernet number | nat pool-name}

no cable-modem dhcp-proxy {interface ethernet number | nat pool-name}

Note This command should be used only when the Cisco uBR905 router is configured for routing, not when it is configured for DOCSIS bridging.

Syntax Description

interface ethernet number

The Ethernet interface to be assigned the static IP address from the DHCP server. (Because the Cisco uBR905 router has only one Ethernet interface, the only allowable number is 0).

nat pool-name

The name of the NAT pool to be created using the IP address and subnet mask supplied by the DHCP server. (This is equivalent to giving the ip nat pool pool-name start-ip end-ip netmask subnet command, using the IP address and subnet mask supplied by the DHCP server.)

interface ethernet number	The Ethernet interface to be assigned the static IP address from the DHCP server. (Because the Cisco uBR905 router has only one Ethernet interface, the only allowable number is 0).
nat pool-name	The name of the NAT pool to be created using the IP address and subnet mask supplied by the DHCP server. (This is equivalent to giving the ip nat pool pool-name start-ip end-ip netmask subnet command, using the IP address and subnet mask supplied by the DHCP server.)

Defaults

No default behavior or values.

Command Modes

Interface configuration (cable interface only)

Command History

Release Modification

12.1(1)T

This command was introduced for the Cisco uBR924 router.

12.1(3)XL

This command was introduced for the Cisco uBR905 router.

Release	Modification
12.1(1)T	This command was introduced for the Cisco uBR924 router.
12.1(3)XL	This command was introduced for the Cisco uBR905 router.

Usage Guidelines

This command is useful in two situations:

When the Cisco uBR905 cable access router is configured for routing mode, an IP address must be assigned to its Ethernet interface. Without the cable-modem dhcp-proxy command, this IP address must be a static IP address assigned either by using a Cisco IOS configuration file, or by manually entering the necessary interface configuration CLI commands. The cable-modem dhcp-proxy command allows a DHCP server to assign an IP address to the Ethernet interface.
When NAT is used, an inside global address pool must be created on the Ethernet interface. Without the cable-modem dhcp-proxy command, this must be done by specifying a static IP address in the ip nat pool pool-name start-ip end-ip netmask subnet command. The cable-modem dhcp-proxy command allows a DHCP server to assign an IP address that automatically creates the NAT address pool.

When using this option, you must also use the following NAT configuration commands:

Use the ip nat inside interface command to configure the Ethernet interface as the "inside" interface.
Use the ip nat outside interface command to configure the cable interface as the "outside" interface.
Specify the overload option with the ip nat global configuration command because the NAT pool created by the cable-modem dhcp-proxy command contains only one IP address.

After configuring the Cisco uBR905 cable access router with the cable-modem dhcp-proxy command, reboot the router. During the DOCSIS provisioning process, the router sends a DHCP client request to obtain an IP address for the cable interface.

The router then sends a proxy DHCP request to the DHCP server using the Ethernet interface's MAC address. The DHCP server replies with a second IP address that the router assigns to either the Ethernet interface or to the NAT pool, depending on which option was used in the cable-modem dhcp-proxy command.

Note When replying to the proxy request for the Ethernet interface, the DHCP server should assign an IP address on the same network as the CPE devices that are attached to the router's Ethernet interface.

Examples

The following example configures the Cisco uBR905 cable access router so that it makes a proxy DHCP request to obtain an IP address for its Ethernet interface:

uBR905(config)# int c0 
uBR905(config-if)# cable-modem dhcp-proxy interface Ethernet 0

The following example creates a NAT address pool with the IP address assigned by the DHCP server; this IP address must be in the network attached to the Ethernet address (which in this case is 192.168.100.0).

uBR905(config)# ip nat inside source list 1 pool net-208 overload 
uBR905(config)# interface cable0 
uBR905(config-if)# ip nat outside 
uBR905(config-if)# no cable compliant bridge 
uBR905(config-if)# cable-modem dhcp-proxy nat net-208 
uBR905(config-if)# exit 
uBR905(config)# interface ethernet0 
uBR905(config-if)# ip address 192.168.100.94 255.255.255.0 
uBR905(config-if)# ip nat inside 
uBR905(config-if)# exit 
uBR905(config)# access-list 1 permit 192.168.100.0 0.0.0.255 
uBR905(config)#

Related Commands

None.

clear crypto engine accelerator counter

To reset the Cisco uBR905 router's hardware accelerator's statistical and error counters, use the clear crypto engine accelerator counter privileged EXEC command.

clear crypto engine accelerator counter

Syntax Description

This command has no keywords or arguments.

Defaults

No default behavior or values.

Command Modes

Privileged EXEC.

Command History

Release Modification

12.1(3)XL

This command was introduced for the Cisco uBR905 router.

Release	Modification
12.1(3)XL	This command was introduced for the Cisco uBR905 router.

Usage Guidelines

This command resets the statistical and error counters for the Cisco uBR905 router's hardware accelerator to zero.

Examples

The following example clears the Cisco uBR905 router's statistical and error counters to zero:

uBR905# clear crypto engine accelerator counter 
uBR905#

Related Commands

Command Description

show crypto engine accelerator sa-database

Prints the active (in-use) entries in the crypto engine security association (SA) database.

show crypto engine accelerator statistic

Print out the current run-time statistics and error counters for the crypto engine.

show crypto engine configuration

Print out the version and configuration information for the crypto engine.

show crypto engine brief

Print out a summary of the configuration information for the crypto engine.

show crypto engine connections

Print out a list of the current connections maintained by the crypto engine.

Command	Description
show crypto engine accelerator sa-database	Prints the active (in-use) entries in the crypto engine security association (SA) database.
show crypto engine accelerator statistic	Print out the current run-time statistics and error counters for the crypto engine.
show crypto engine configuration	Print out the version and configuration information for the crypto engine.
show crypto engine brief	Print out a summary of the configuration information for the crypto engine.
show crypto engine connections	Print out a list of the current connections maintained by the crypto engine.

crypto engine accelerator

To enable the use of the Cisco uBR905 router's onboard hardware accelerator for IPsec encryption, use the crypto engine accelerator global configuration command. To disable the use of the onboard hardware IPsec accelerator (and thereby perform IPsec encryption/decryption in software), use the no crypto engine accelerator global configuration command.

crypto engine accelerator

no crypto engine accelerator

Syntax Description

This command has no keywords or arguments.

Defaults

The hardware accelerator for IPsec encryption is enabled by default.

Command Modes

Global configuration.

Command History

Release Modification

12.1(3)T

This command was introduced for the Cisco 1700 series router and other Cisco routers that support hardware accelerators for IPsec encryption.

12.1(3)XL

This command was introduced for the Cisco uBR905 router.

Release	Modification
12.1(3)T	This command was introduced for the Cisco 1700 series router and other Cisco routers that support hardware accelerators for IPsec encryption.
12.1(3)XL	This command was introduced for the Cisco uBR905 router.

Usage Guidelines

This command is not normally needed for typical operations because the Cisco uBR905 router's onboard hardware accelerator for IPsec encryption is enabled by default. The hardware accelerator should not be disabled except on instruction from Cisco TAC personnel.

Examples

The following example enables the Cisco uBR905 router's onboard hardware accelerator for IPsec encryption. This is normally needed only after the accelerator has been disabled for testing or debugging purposes.

uBR905# crypto engine accelerator 
uBR905#

The following example disables the Cisco uBR905 router's onboard hardware accelerator. If IPsec encryption is configured, all current connections are brought down. Future encryption will be performed by the Cisco IOS software, which has the same functionality as the hardware accelerator, but performance is significantly slower.

uBR905# no crypto engine accelerator 
 Warning! all current connections will be torn down.
 Do you want to continue? [yes/no]: y 
 ...Crypto accelerator in slot 0 disabled
 ...switching to SW IPsec crypto engine
uBR905#

Related Commands

Command Description

clear crypto engine accelerator counter

Resets the statistical and error counters for the hardware accelerator crypto engine to zero.

crypto ipsec

Defines the IPsec security associations and transformation sets.

crypto isakmp

Enables and defines the IKE protocol and its parameters.

crypto key

Generates and exchanges keys for a cryptographic session.

crypto map

Creates and modifies a crypto map for a session.

debug crypto engine accelerator control

Prints each control command as it is given to the crypto engine.

debug crypto engine accelerator packet

Prints information about each packet sent for encryption and decryption.

show crypto engine accelerator ring control

Prints the contents of command ring, which queues the control commands that are being sent to the crypto engine.

show crypto engine accelerator ring packet

Prints the contents of the transmit packet ring, which contains the packets being sent to the crypto engine for encryption and decryption.

show crypto engine accelerator sa-database

Prints the active (in-use) entries in the crypto engine security association (SA) database.

show crypto engine accelerator statistic

Print out the current run-time statistics and error counters for the crypto engine.

show crypto engine configuration

Print out the version and configuration information for the crypto engine.

show crypto engine brief

Print out a summary of the configuration information for the crypto engine.

show crypto engine connections

Print out a list of the current connections maintained by the crypto engine.

Command	Description
clear crypto engine accelerator counter	Resets the statistical and error counters for the hardware accelerator crypto engine to zero.
crypto ipsec	Defines the IPsec security associations and transformation sets.
crypto isakmp	Enables and defines the IKE protocol and its parameters.
crypto key	Generates and exchanges keys for a cryptographic session.
crypto map	Creates and modifies a crypto map for a session.
debug crypto engine accelerator control	Prints each control command as it is given to the crypto engine.
debug crypto engine accelerator packet	Prints information about each packet sent for encryption and decryption.
show crypto engine accelerator ring control	Prints the contents of command ring, which queues the control commands that are being sent to the crypto engine.
show crypto engine accelerator ring packet	Prints the contents of the transmit packet ring, which contains the packets being sent to the crypto engine for encryption and decryption.
show crypto engine accelerator sa-database	Prints the active (in-use) entries in the crypto engine security association (SA) database.
show crypto engine accelerator statistic	Print out the current run-time statistics and error counters for the crypto engine.
show crypto engine configuration	Print out the version and configuration information for the crypto engine.
show crypto engine brief	Print out a summary of the configuration information for the crypto engine.
show crypto engine connections	Print out a list of the current connections maintained by the crypto engine.

debug cable-modem mac messages dynsrv

To display debug messages for the dynamic service MAC-layer messages that are generated when voice calls are made using the dynamic SID feature, use the debug cable-modem mac messages dynsrv Privileged EXEC command. To turn off debug messages related to the dynamic service MAC-layer messages, use the no debug cable-modem mac messages dynsrv Privileged EXEC command.

debug cable-modem mac messages dynsrv

no debug cable-modem mac messages dynsrv

Syntax Description

This command has no keywords or arguments.

Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release Modification

12.0(7)XR and 12.1(1)T

This command was introduced for the Cisco uBR924 router.

12.1(3)T

This command was introduced for the Cisco uBR910 DSU.

12.1(3)XL

This command was introduced for the Cisco uBR905 router.

Release	Modification
12.0(7)XR and 12.1(1)T	This command was introduced for the Cisco uBR924 router.
12.1(3)T	This command was introduced for the Cisco uBR910 DSU.
12.1(3)XL	This command was introduced for the Cisco uBR905 router.

Usage Guidelines

This command begins the display of debug messages that show the dynamic service MAC messages that are generated when a voice call is made using the dynamic SID feature. Dynamic SIDs use the following DOCSIS MAC-layer messages to create a new SID when a voice call is made, and to delete it when the call is over:

DSA-REQ—Dynamic Service Addition Request, sent to establish a new service flow.
DSA-RSP—Dynamic Service Addition Response, sent in reply to DSA-REQ to confirm or deny the new service flow.
DSA-ACK—Dynamic Service Addition Acknowledge, sent in reply to DSA-RSP to acknowledge the creation of the service flow.
DSD-REQ—Dynamic Service Deletion Request, sent to delete an existing service flow when it is no longer needed (for example, when a voice call has ended).
DSD-RSP—Dynamic Service Deletion Response, sent in response to DSD-REQ to delete an existing service flow.

Note Dynamic Services are described in the DOCSIS 1.1 specification (SP-RFIv1.1-I03-991105 or later revision).

Examples

The following example enables the display of debug messages related to dynamic service operations:

uBR905# debug cable-modem mac messages dynsrv 
uBR905#

The following example turns off the display of debug messages related to dynamic service operations:

uBR905# no debug cable-modem mac messages dynsrv 
uBR905#

The following are examples of the types of debug messages that are displayed when a voice call is made. This example shows that dynamic SID 52 is created for this particular call.

DSA-REQ TLV's: 
--------------
US Flow Scheduler(24):
 Unsolicited Grant Size               - 19:2:89
 Nominal Grant Interval               - 20:4:20000
Created New Dynamic Service State, Transaction_id = 3
 
DSA-REQ MESSAGE TLVS
--------------------
C2000026 00010010  07DF6854 00507366
23270014 00000301  0F000003 180A1302
00591404 00004E20  
 
   597.721 CMAC_LOG_DSA_REQ_MESSAGE_EVENT 
 
DSA-REQ MESSAGE
---------------
  FRAME HEADER
    FC                        - 0xC2 == MAC Management
    MAC_PARM                  - 0x00
    LEN                       - 0x26
  MAC MANAGEMENT MESSAGE HEADER
    DA                        - 0010.abcd.ef00
    SA                        - 0050.abcd.ef00
    msg LEN                   - 14  
    DSAP                      - 0
    SSAP                      - 0
    control                   - 03
    version                   - 01
    type                      - 0F == DSA-REQ
    RSVD                      - 0
  Transaction ID              - 3
 
   597.725 CMAC_LOG_DSA_RSP_MSG_RCVD 
 
DSA-RSP MESSAGE
---------------
  FRAME HEADER
    FC                        - 0xC2 == MAC Management
    MAC_PARM                  - 0x00
    LEN                       - 0x26
  MAC MANAGEMENT MESSAGE HEADER
    DA                        - 0050.abcd.ef00
    SA                        - 0010.abcd.ef00
    msg LEN                   - 14  
    DSAP                      - 0
    SSAP                      - 0
    control                   - 03
    version                   - 01
    type                      - 10 == DSA-RSP
    RSVD                      - 0
  Transaction ID              - 3
  Response                    - 0 == DSA-RSP-OK
  SID                         - 52
 
Adding sid = 52 to sid_index = 1
   597.729 CMAC_LOG_QOS_ADD_FLOW_SID                   52

Related Commands

Command Description

debug cable-modem mac messages

Displays debug messages for other types of MAC-layer messages, including MAP messages, upstream request messages, and sync messages.

show controllers cable-modem number qos

Displays current statistics for each primary, secondary, and dynamic SID.

Command	Description
debug cable-modem mac messages	Displays debug messages for other types of MAC-layer messages, including MAP messages, upstream request messages, and sync messages.
show controllers cable-modem number qos	Displays current statistics for each primary, secondary, and dynamic SID.

Caution The debug commands are primarily intended for use in controlled test and troubleshooting situations with a limited volume of traffic. You should use caution when enabling debug messages because sending these messages to the console consumes system resources. Turning on too many types of debug messages can adversely affect the router's network performance, depending on what messages are being displayed and the type of traffic that is occurring.

ip address docsis

To specify that the Cisco uBR905 cable access router should use the DHCP protocol, as required by the DOCSIS specification, to assign an IP address for its cable interface, use the ip address docsis interface configuration command. To disable the use of DHCP, use the no ip address docsis interface configuration command.

ip address docsis

no ip address docsis

Note Using the no ip address docsis command prevents the cable access router from operating in DOCSIS networks. This command should be used only in lab or test networks.

Syntax Description

There are no key words or arguments for this command.

Defaults

The cable access router uses the DHCP protocol, as required by the DOCSIS specification, to assign an IP address to its cable interface during system power-on.

Command Modes

Global configuration

Command History

Release Modification

12.1(3)XL

This command is introduced for the Cisco uBR905 cable access router.

Release	Modification
12.1(3)XL	This command is introduced for the Cisco uBR905 cable access router.

Usage Guidelines

The ip address docsis command configures the Cisco uBR905 cable access router so that it obtains its IP address from a DHCP server at system power-on, which is a requirement for DOCSIS operation. The ip address docsis command can be specified only for the cable interface, and no other ip address commands are allowed for the cable interface.

Manually specifying the ip address docsis command is not normally required because the Cisco uBR905 cable access router defaults to this configuration.

Note Earlier Cisco IOS software releases for cable access routers used either the ip address negotiated and ip address dhcp commands to specify that the cable interface should obtain its IP address from a DHCP server. These commands should no longer be used to configure the cable interface.

Examples

The following example configures the cable access router so that it follows the DOCSIS specification by obtaining the IP address for its cable interface from a DHCP server:

ubr924(config)# int c0 
ubr924(config-if)# ip address docsis 
ubr924(config-if)# exit 
ubr924(config)#

Related Commands

Command Description

cable dhcp-proxy

Specifies that DHCP should be used to assign an IP address to the Cisco uBR905 cable access router's Ethernet interface.

ip address negotiated

Specifies the use of the PPP/IPCP protocol to obtain an IP address for a serial interface at system power-on.

ip address dhcp

Specifies the use of the DHCP protocol to obtain an IP address for any interface except the cable interface at system power-on.

Command	Description
cable dhcp-proxy	Specifies that DHCP should be used to assign an IP address to the Cisco uBR905 cable access router's Ethernet interface.
ip address negotiated	Specifies the use of the PPP/IPCP protocol to obtain an IP address for a serial interface at system power-on.
ip address dhcp	Specifies the use of the DHCP protocol to obtain an IP address for any interface except the cable interface at system power-on.

ip http cable-monitor

To enable the Cisco uBR905 cable access router's onboard Cable Monitor web server, use the ip http cable-monitor global configuration command. To disable the Cable Monitor and turn off all access to the onboard Cisco web server, use the no ip http cable-monitor global configuration command.

ip http cable-monitor {basic | advance} [URL-IP-address URL-mask]

no ip http cable-monitor

Syntax Description

basic

Displays only the basic status and performance pages.

advance

Displays all status and diagnostic pages.

Note The Cable Monitor should not be used in advanced mode without first implementing a secure password strategy on the Cisco uBR905 cable access router. Enabling the Cable Monitor in advanced mode without setting an encrypted enabled password can provide information that allows remote users to change the router's configuration.

URL-IP-address

Specifies the IP address for the Cable Monitor. This parameter, along with the URL-mask parameter, also defines the network that provides the IP address pool used by the temporary DHCP server when the cable interface goes down.

URL-mask

Specifies the subnet mask for the Cable Monitor. This parameter, along with the URL-IP-address parameter, also defines the network that provides the IP address pool used by the temporary DHCP server when the cable interface goes down.

Defaults

For URL-IP-address, 192.168.100.1

For URL-mask, 255.255.255.0

Command Modes

Global configuration

Command History

Release Modification

12.1(1)T

This command was introduced for the Cisco uBR924 router.

12.1(3)T

This command was introduced for the Cisco uBR910 DSU.

12.1(3)XL

This command was introduced for the Cisco uBR905 router.

Release	Modification
12.1(1)T	This command was introduced for the Cisco uBR924 router.
12.1(3)T	This command was introduced for the Cisco uBR910 DSU.
12.1(3)XL	This command was introduced for the Cisco uBR905 router.

Usage Guidelines

This command enables the Cable Monitor, which is an onboard web server that displays current status, troubleshooting, and performance information. The Cable Monitor can be accessed in two ways:

When the Cisco uBR905 cable access router has established connectivity with the CMTS over the cable interface, a service technician can use a web browser to remotely access the router and display the desired information.
When the cable network is not operational and the Cisco uBR905 cable access router is not online, the subscriber can access the tool with a PC connected to the router's Ethernet ports. Technicians can then prompt the user for the information they need to determine the source of the problem.

Enabling the Cable Monitor also enables the Cisco web server that is onboard the Cisco uBR905 cable access router (which is the equivalent to giving the ip http server command). However, when the Cable Monitor is enabled, all other access, including CLI access, to the onboard web server is automatically disabled.

Disabling the Cable Monitor using the no ip http cable-monitor command also automatically disables the Cisco web server (which is the equivalent of giving the no ip http server command).

The URL-IP-address and URL-mask parameters also specify that the class C private network 192.168.100.0 is the default address pool for the temporary DHCP server that activates when the cable interface goes down.

For more detailed information on using the Cable Monitor, see "Using the Cable Monitor Tool" in the Cisco uBR905 Software Configuration Guide, available on CCO and the Documentation CD-ROM.

Examples

The following example enables the Cable Monitor for advanced mode, in which all status and diagnostic pages are displayed:

uBR905(config)# ip http cable-monitor advance 
uBR905(config)#

The following example disables both the Cable Monitor and the Cisco web server, preventing all web server access to the Cisco uBR905 cable access router:

uBR905(config)# no ip http cable-monitor 
uBR905(config)#

Related Commands

Command Description

ip http port

Configures the TCP port number for the router's HTTP web server (the default is the well-known web server port of 80).

ip http server

Enables and disables the router's HTTP web server.

Command	Description
ip http port	Configures the TCP port number for the router's HTTP web server (the default is the well-known web server port of 80).
ip http server	Enables and disables the router's HTTP web server.

Note The ip http command also supports two options, access-class and authentication, that should not be used when the Cable Monitor is enabled.

show controllers cable-modem qos

To display detailed information about the Quality of Service (QoS) configuration for the Cisco uBR905 cable access router, use the show controllers cable-modem qos privileged EXEC command.

show controllers cable-modem number qos

Syntax Description

number

Cable interface number inside the Cisco uBR905 router (should always be 0 to indicate the first and only cable interface).

number	Cable interface number inside the Cisco uBR905 router (should always be 0 to indicate the first and only cable interface).

Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Release	Modification
12.0(7)XR and 12.1(1)T	This command was introduced for the Cisco uBR924 router.
12.1(3)T	This command was introduced for the Cisco uBR910 DSU.
12.1(3)XL	This command was introduced for the Cisco uBR905 router.

Usage Guidelines

This command displays the four possible stream queues, the SID associated with each queue (if the queue is currently in use), and whether the SID is the primary SID, a secondary (static) SID, or a dynamic (on demand) SID. The display also shows the packets and bytes that have been transmitted and received on each stream.

Examples

The following example displays the current QoS statistics for each of the router's four queues:

uBR905# show controllers cable-modem 0 qos
 
Queue   SID     SID     SFID    TX      TX              RX      RX
                Type            Pkts    Bytes           Pkts    Bytes
 
0       2       Primary 0       11377   2721985         12320   983969
1       52      Dynamic 52      116     13608           105     14300
2       0       NA      0       0       0               0       0
3       0       NA      0       0       0               0       0
 
uBR905#

Table D-1 describes significant fields shown in this display.

Table D-1: show controllers cable-modem qos Field Descriptions

Field Description

Queue

One of the four possible service flow queues that exist in the Cisco uBR905 router.

SID

Service Identifier, a 14-bit integer assigned by the CMTS to each active upstream service flow.

SID Type

The type of SID:

Primary—Service flow used for best-effort data traffic and MAC maintenance messages.

Secondary—Secondary static service flows that are created at power-on provisioning for voice calls when dynamic SIDs are not active.

Dynamic—Secondary service flows that are created for on demand voice calls when using dynamic SIDs.

SFID

Service Flow Identifier, a 32-bit integer assigned by the CMTS to each service flow on the Cisco uBR905 router.

TX Pkts

The number of packets the Cisco uBR905 router has transmitted on this service flow.

TX Bytes

The number of bytes the Cisco uBR905 router has transmitted on this service flow.

RX Pkts

The number of packets the Cisco uBR905 router has received on this service flow.

RX Bytes

The number of bytes the Cisco uBR905 router has received on this service flow.

Field	Description
Queue	One of the four possible service flow queues that exist in the Cisco uBR905 router.
SID	Service Identifier, a 14-bit integer assigned by the CMTS to each active upstream service flow.
SID Type	The type of SID: Primary—Service flow used for best-effort data traffic and MAC maintenance messages. Secondary—Secondary static service flows that are created at power-on provisioning for voice calls when dynamic SIDs are not active. Dynamic—Secondary service flows that are created for on demand voice calls when using dynamic SIDs.
SFID	Service Flow Identifier, a 32-bit integer assigned by the CMTS to each service flow on the Cisco uBR905 router.
TX Pkts	The number of packets the Cisco uBR905 router has transmitted on this service flow.
TX Bytes	The number of bytes the Cisco uBR905 router has transmitted on this service flow.
RX Pkts	The number of packets the Cisco uBR905 router has received on this service flow.
RX Bytes	The number of bytes the Cisco uBR905 router has received on this service flow.

Related Commands

Command Description

show controllers cable-modem number mac

Displays MAC-layer statistics showing the MAC error log, the other MAC log data, the number of MAC-layer resets, and the current MAC state.

Command	Description
show controllers cable-modem number mac	Displays MAC-layer statistics showing the MAC error log, the other MAC log data, the number of MAC-layer resets, and the current MAC state.

show crypto engine accelerator ring

To display the contents and status of the control command, transmit packet, and receive packet rings used by the hardware accelerator crypto engine, use the show crypto engine accelerator ring Privileged EXEC command.

show crypto engine accelerator ring [ control | packet | pool ]

Syntax Description

control

Prints out the number of control commands that are queued for execution by the hardware accelerator crypto engine.

packet

Prints out the contents and status information for the transmit packet rings that are used by the hardware accelerator crypto engine.

pool

Prints out the contents and status information for the receive packet rings that are used by the hardware accelerator crypto engine.

control	Prints out the number of control commands that are queued for execution by the hardware accelerator crypto engine.
packet	Prints out the contents and status information for the transmit packet rings that are used by the hardware accelerator crypto engine.
pool	Prints out the contents and status information for the receive packet rings that are used by the hardware accelerator crypto engine.

Defaults

No default behavior or values.

Command Modes

Privileged EXEC.

Command History

Release Modification

12.1(3)XL

This command was introduced and enhanced for the Cisco uBR905 router.

Release	Modification
12.1(3)XL	This command was introduced and enhanced for the Cisco uBR905 router.

Usage Guidelines

This command displays the version, current status, configuration, and run-time statistics for the hardware accelerator that performs IPsec encryption/decryption for the Cisco uBR905 router.

Examples

The following example displays the number of control commands that are waiting to be executed by the Cisco uBR905 router's hardware accelerator.

uBR905# show crypto engine accelerator ring control
 
control commands queued = 1 
 
uBR905#

The following truncated example displays typical contents of the transmit rings that are used by the Cisco uBR905 router's hardware accelerator.

uBR905# show crypto engine accelerator ring packet 
 
Contents of the high priority transmit descriptor ring:
              status      id_no      handle     particle length    pkt length
          0:  0x00A0      0x0000     0x0011         0x05DC          0x0000
          1:  0x00A0      0x0001     0x0012         0x05B5          0x8712
          2:  0x00A0      0x0002     0x0011         0x05DC          0x0000
          3:  0x00A0      0x0003     0x0012         0x05B6          0x8714
          4:  0x00A0      0x0004     0x0011         0x05DC          0x0000
          5:  0x00A0      0x0005     0x0012         0x05B7          0x8716
          6:  0x00A0      0x0006     0x0011         0x05E4          0x0000
          7:  0x00A0      0x0007     0x0012         0x05B8          0x8718
          8:  0x00A0      0x0008     0x0011         0x05E4          0x0000
          9:  0x00A0      0x0009     0x0012         0x05B9          0x871A
         10:  0x00A0      0x000A     0x0011         0x05E4          0x0000
. . . 
        123:  0x00A0      0x007B     0x0012         0x05B2          0x870C
        124:  0x00A0      0x007C     0x0011         0x05DC          0x0000
        125:  0x00A0      0x007D     0x0012         0x05B3          0x870E
        126:  0x00A0      0x007E     0x0011         0x05DC          0x0000
        127:  0x00A0      0x007F     0x0012         0x05B4          0x8710
                 Head = 59     Tail = 59     Taken = 59                     
 
Address of descriptors and some contents of high priority tx shdw ring:
                 packet         particle      serial #    handle
          0:   0x80D6D844      0x00000000     0x0000      0x0011
          1:   0x80D1FF24      0x00000000     0x0001      0x0012
          2:   0x80D6A0F4      0x00000000     0x0002      0x0011
          3:   0x80D1FF24      0x00000000     0x0003      0x0012          
          4:   0x80D6CD34      0x00000000     0x0004      0x0011
          5:   0x80D1FF24      0x00000000     0x0005      0x0012
          6:   0x80D22834      0x00000000     0x0006      0x0011
          7:   0x80D1FF24      0x00000000     0x0007      0x0012
          8:   0x80D22834      0x00000000     0x0008      0x0011
          9:   0x80D1FF24      0x00000000     0x0009      0x0012
         10:   0x80D22834      0x00000000     0x000A      0x0011
. . . 
        123:   0x80D1FF24      0x00000000     0x007B      0x0012
        124:   0x80D68AD4      0x00000000     0x007C      0x0011
        125:   0x80D1FF24      0x00000000     0x007D      0x0012
        126:   0x80D69E30      0x00000000     0x007E      0x0011
        127:   0x80D1FF24      0x00000000     0x007F      0x0012
                 Head = 59     Tail = 59     Taken = 59                
 
uBR905#

The following example shows the command that displays the contents of the receive rings that are used by the Cisco uBR905 router's hardware accelerator.

uBR905# show crypto engine accelerator ring pool 
 
There are no receive pool and shadow rings 
 
uBR905#

Related Commands

Command Description

clear crypto engine accelerator counter

Resets the statistical and error counters for the hardware accelerator crypto engine to zero.

crypto engine accelerator

Enables or disables the onboard hardware accelerator crypto engine.

debug crypto engine accelerator control

Prints each control command as it is given to the crypto engine.

debug crypto engine accelerator packet

Prints information about each packet sent for encryption and decryption.

show crypto engine accelerator sa-database

Prints the active (in-use) entries in the crypto engine security association (SA) database.

show crypto engine accelerator statistic

Print out the current run-time statistics and error counters for the crypto engine.

show crypto engine brief

Print out a summary of the configuration information for the crypto engine.

show crypto engine configuration

Print out the version and configuration information for the crypto engine.

show crypto engine connections

Print out a list of the current connections maintained by the crypto engine.

Command	Description
clear crypto engine accelerator counter	Resets the statistical and error counters for the hardware accelerator crypto engine to zero.
crypto engine accelerator	Enables or disables the onboard hardware accelerator crypto engine.
debug crypto engine accelerator control	Prints each control command as it is given to the crypto engine.
debug crypto engine accelerator packet	Prints information about each packet sent for encryption and decryption.
show crypto engine accelerator sa-database	Prints the active (in-use) entries in the crypto engine security association (SA) database.
show crypto engine accelerator statistic	Print out the current run-time statistics and error counters for the crypto engine.
show crypto engine brief	Print out a summary of the configuration information for the crypto engine.
show crypto engine configuration	Print out the version and configuration information for the crypto engine.
show crypto engine connections	Print out a list of the current connections maintained by the crypto engine.

Note For information about these additional commands, see the IP Security and Encryption section in the Cisco IOS Release 12.1 Security Command Reference .

show crypto engine accelerator sa-database

To display the current contents of the hardware accelerator's security association (SA) database, use the show crypto engine accelerator sa-database Privileged EXEC command.

show crypto engine accelerator sa-database

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

Privileged EXEC.

Command History

Release Modification

12.1(3)XL

This command was introduced for the Cisco uBR905 router.

Usage Guidelines

This command displays the contents of the database that contains the security associations used by the Cisco uBR905 cable access router.

Examples

The following example displays the security associations database for the Cisco uBR905 router's hardware accelerator.

uBR905# show crypto engine accelerator sa-database 
Hornet14:2010#show cry eng acc sa-database
Flow Summary
        Index   Algorithms
        001      transport inbound  esp-des
        002      transport outbound esp-des
        003      transport inbound  esp-md5-hmac esp-3des ah-md5-hmac
        004      transport outbound esp-md5-hmac esp-3des ah-md5-hmac
        005      transport inbound  esp-md5-hmac esp-3des ah-md5-hmac
        006      transport outbound esp-md5-hmac esp-3des ah-md5-hmac
        007      transport inbound  esp-md5-hmac esp-3des ah-md5-hmac
        008      transport outbound esp-md5-hmac esp-3des ah-md5-hmac
        009      transport inbound  esp-md5-hmac esp-3des ah-md5-hmac
        010      transport outbound esp-md5-hmac esp-3des ah-md5-hmac
        011      tunnel inbound  esp-3des
        012      tunnel outbound esp-3des
        013      tunnel inbound  esp-3des ah-sha-hmac
        014      tunnel outbound esp-3des ah-sha-hmac
        015      tunnel inbound  esp-des
        016      tunnel outbound esp-des
        017      tunnel inbound  esp-des ah-md5-hmac
        018      tunnel outbound esp-des ah-md5-hmac
        019      tunnel inbound  esp-des ah-md5-hmac
        020      tunnel outbound esp-des ah-md5-hmac
        036      tunnel inbound  esp-des ah-sha-hmac
        037      tunnel outbound esp-des ah-sha-hmac
        038      tunnel inbound  esp-md5-hmac esp-3des ah-md5-hmac
        039      tunnel outbound esp-md5-hmac esp-3des ah-md5-hmac
SA Summary:
        Index   DH-Index        Algorithms
        001     007             DES SHA
        002     001(deleted)    DES SHA
        003     001(deleted)    DES SHA
        004     001(deleted)    DES SHA
        012     001(deleted)    DES SHA
        016     001(deleted)    DES SHA
        017     004(deleted)    DES SHA
        018     002(deleted)    DES SHA
        019     009(deleted)    DES SHA
DH Summary
        Index Group Config
        007    001  Shared Secret
 
uBR905#

Table D-2 explains each field.

Table D-2: show crypto engine accelerator sa-database Field Descriptions

Field Description

Flow Summary

Flow Index

Unique identifier for the flow.

Flow Algorithm

The Flow Algorithm field displays the transformation set for each SA:

Mode

tunnel—Original IP packet is encrypted and encapsulated

transport—Only the data portion of the IP packet is encrypted and encapsulated

Direction

inbound—Encryption is performed on incoming packets

outbound—Encryption is performed on outgoing packets

Encapsulating Security Protocol (ESP) Transform

esp-des—56-bit DES encryption

esp-3des—168-bit 3DES encryption

esp-null—No encryption algorithm (used only for test)

ESP Authentication Transform

esp-md5-hmac—MD5 (HMAC variant)

esp-sha-hmac—SHA (HMAC variant)

Authentication Header (AH) Transform

ah-md5-hmac—MD5 (HMAC variant)

ah-sha-hmac—SHA (HMAC variant)

SA Summary

SA Index

Unique identifier for the SA.

SA DH-Index

Unique identifier for the Diffie-Hellman group used in this SA. If the connection is not currently active, the text "(deleted)" follows the index number.

SA Algorithms

The transform al set for this SA:

Encryption: DES or 3DES

Authentication: MD5 or SHA

DH Summary

DH Index

Unique DH index.

DH Group

Identifies the DH group.

DH Config

The type of keys:

Shared Secret—Keys were pre-shared.

Valid Pub/Priv—Keys were negotiated.

Related Commands

Command Description

clear crypto engine accelerator counter

Resets the statistical and error counters for the hardware accelerator crypto engine to zero.

crypto engine accelerator

Enables or disables the onboard hardware accelerator crypto engine.

debug crypto engine accelerator control

Prints each control command as it is given to the crypto engine.

debug crypto engine accelerator packet

Prints information about each packet sent for encryption and decryption.

show crypto engine accelerator ring control

Prints the contents of command ring, which queues the control commands that are being sent to the crypto engine.

show crypto engine accelerator ring packet

Prints the contents of the transmit packet ring, which contains the packets being sent to the crypto engine for encryption and decryption.

show crypto engine accelerator statistic

Print out the current run-time statistics and error counters for the crypto engine.

show crypto engine brief

Print out a summary of the configuration information for the crypto engine.

show crypto engine configuration

Print out the version and configuration information for the crypto engine.

show crypto engine connections

Print out a list of the current connections maintained by the crypto engine.

Note For information about these additional commands, see the IP Security and Encryption section in the Cisco IOS Release 12.1 Security Command Reference .

show crypto engine accelerator statistic

To display the statistics and error counters for the Cisco uBR905 router's onboard hardware accelerator for IPsec encryption, use the show crypto engine accelerator statistic Privileged EXEC command.

show crypto engine accelerator statistic

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

Privileged EXEC.

Command History

Release Modification

12.1(1)XC

This command was introduced for the Cisco 1700 series router and other Cisco routers that support hardware accelerators for IPsec encryption.

12.1(3)XL

This command was introduced for the Cisco uBR905 router.

Usage Guidelines

This command displays the run-time statistics and error counters for the hardware accelerator engine that performs IPsec encryption/decryption for the Cisco uBR905 router.

Examples

The following example is a typical display of the current statistics and error counters for the Cisco uBR905 router's hardware accelerator.

uBR905# show crypto engine accelerator statistics 
 
  HIFN79xx:
         ds: 0x80D92A64        idb:0x80D6F39C
         Statistics for Virtual Private Network (VPN) Module: 
               1292 packets in                      1292 packets out
                  2 paks/sec in                        2 paks/sec out
                  6 Kbits/sec in                       6 Kbits/sec out
         rx_no_endp:     0   rx_hi_discards:  0     fw_failure:        0 
         invalid_sa:     0   invalid_flow:    0 
         fw_qs_filled:   0   fw_resource_lock:0     lotx_full_err:     0 
         null_ip_error:  0   pad_size_error:  0     out_bound_dh_acc:  0 
         esp_auth_fail:  0   ah_auth_failure: 0     crypto_pad_error:  0 
         ah_prot_absent: 0   ah_seq_failure:  0     ah_spi_failure:    0 
         esp_prot_absent:0   esp_seq_fail:    0     esp_spi_failure:   0 
         obound_sa_acc:  0   invalid_sa:      0     out_bound_sa_flow: 0 
         invalid_dh:     0   bad_keygroup:    0     out_of_memory:     0 
         no_sh_secret:   0   no_skeys:        0     invalid_cmd:       0 
         dsp_coproc_err: 0   comp_unsupported:0     pak_too_big:       0 
         pak_mp_length_spec_fault: 0 
         tx_lo_queue_size_max 2  cmd_unimplemented: 0 
         tx_lo_count 60
         15124 seconds since last clear of counters
         Interrupts: Notify = 0, Reflected = 1292, Spurious = 0
         packet_loop_max: 2  packet_loop_limit: 512
uBR905#

Related Commands

Command Description

clear crypto engine accelerator counter

Resets the statistical and error counters for the hardware accelerator crypto engine to zero.

crypto engine accelerator

Enables or disables the onboard hardware accelerator crypto engine.

debug crypto engine accelerator control

Prints each control command as it is given to the crypto engine.

debug crypto engine accelerator packet

Prints information about each packet sent for encryption and decryption.

show crypto engine accelerator ring control

Prints the contents of command ring, which queues the control commands that are being sent to the crypto engine.

show crypto engine accelerator ring packet

Prints the contents of the transmit packet ring, which contains the packets being sent to the crypto engine for encryption and decryption.

show crypto engine accelerator sa-database

Prints the active (in-use) entries in the crypto engine security association (SA) database.

show crypto engine brief

Print out a summary of the configuration information for the crypto engine.

show crypto engine configuration

Print out the version and configuration information for the crypto engine.

show crypto engine connections

Print out a list of the current connections maintained by the crypto engine.

Note For information about these additional commands, see the IP Security and Encryption section in the Cisco IOS Release 12.1 Security Command Reference .

show crypto engine brief

To display the version, capabilities, and other information for the Cisco uBR905 router's onboard hardware accelerator engine, use the show crypto engine brief Privileged EXEC command.

show crypto engine brief

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

Privilege d EXEC.

Command History

Release Modification

11.2

This command was introduced for the Cisco 7200, RSP7000, and 7500 series routers.

12.1(3)XL

This command was introduced for the Cisco uBR905 router.

Usage Guidelines

This command displays the version, capabilities, and other information for the hardware accelerator engine that performs IPsec encryption/decryption for the Cisco uBR905 router.

Examples

The following example shows the typical display for the show crypto engine brief command:

uBR905# show crypto engine brief 
 
        crypto engine name:  unknown
        crypto engine type:  ISA/ISM
 
              hifn chip id:  8
              hifn rev    :  0
              hifn api rev:  0.22.0
 
               Compression:  No
                     3 DES:  Yes
           Privileged Mode:  0x0000
     Maximum buffer length:  4096
          Maximum DH index:  0010
          Maximum SA index:  0020
        Maximum Flow index:  0040
      Maximum RSA key size:  0256
 
        crypto engine name:  unknown
        crypto engine type:  software
             serial number:  00000000
       crypto engine state:  installed
     crypto engine in slot:  N/A
 
uBR905#

Table D-3 explains each field.

Table D-3: show crypto engine brief Field Descriptions

Field Description

crypto engine name

Name of the crypto engine as assigned with the key-name argument in the crypto key generate dss command. If no name has been assigned, this field shows `unknown'.

crypto engine type

The type of encryption engine running, always `ISA/ISM' and `software' for the Cisco uBR905 cable access router.

hifn chip id, rev, and api rev

Identifies the hardware accelerator, the revision of its onboard firmware, and the revision of the software application layer.

Compression

Identifies whether packets are compressed as well as encrypted.

3DES

Identifies whether Triple DES (3DES) 168-bit encryption is supported.

crypto engine state

The current run-time state of the crypto engine:

installed—Indicates that the crypto engine is present but is not configured for encryption.

dss key generated—Indicates that the crypto engine has DSS keys already generated.

crypto firmware version

Version number of the crypto library running on the router.

crypto engine in slot

The chassis slot number containing the crypto engine. This is always N/A for the Cisco uBR905 cable access router because the engine is not in a slot but is permanently onboard the router.

Related Commands

Command Description

clear crypto engine accelerator counter

Resets the statistical and error counters for the hardware accelerator crypto engine to zero.

crypto engine accelerator

Enables or disables the onboard hardware accelerator crypto engine.

debug crypto engine accelerator control

Prints each control command as it is given to the crypto engine.

debug crypto engine accelerator packet

Prints information about each packet sent for encryption and decryption.

show crypto engine accelerator ring control

Prints the contents of command ring, which queues the control commands that are being sent to the crypto engine.

show crypto engine accelerator ring packet

Prints the contents of the transmit packet ring, which contains the packets being sent to the crypto engine for encryption and decryption.

show crypto engine accelerator sa-database

Prints the active (in-use) entries in the crypto engine security association (SA) database.

show crypto engine accelerator statistic

Print out the current run-time statistics and error counters for the crypto engine.

show crypto engine configuration

Print out the version and configuration information for the crypto engine.

show crypto engine connections

Print out a list of the current connections maintained by the crypto engine.

Note For information about these additional commands, see the IP Security and Encryption section in the Cisco IOS Release 12.1 Security Command Reference .

show crypto engine configuration

To display the configuration information for the Cisco uBR905 router's onboard hardware accelerator engine, use the show crypto engine configuration Privileged EXEC command.

show crypto engine configuration

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

Privileged EXEC.

Usage Guidelines

This command displays the version, capabilities, and other information for the hardware accelerator engine that performs IPsec encryption/decryption for the Cisco uBR905 router.

Examples

The following example shows the typical display for the show crypto engine configuration command:

uBR905# show crypto engine configuration 
 
show crypto engine configuration
 
        crypto engine name:  unknown
        crypto engine type:  ISA/ISM
 
              hifn chip id:  8
              hifn rev    :  0
              hifn api rev:  0.22.0
 
               Compression:  No
                     3 DES:  Yes
           Privileged Mode:  0x0000
     Maximum buffer length:  4096
          Maximum DH index:  0010
          Maximum SA index:  0020
        Maximum Flow index:  0040
      Maximum RSA key size:  0256
 
   Crypto Adjacency Counts:
                Lock Count:  0
              Unlock Count:  0 
 
uBR905#

Table D-4 explains each field.

Table D-4: show crypto engine configuration Field Descriptions

Field Description

crypto engine name

Name of the crypto engine as assigned with the key-name argument in the crypto key generate dss command. If no name has been assigned, this field shows `unknown'.

crypto engine type

Type of encryption engine running, always `ISA/ISM' and `software' for the Cisco uBR905 cable access router.

hifn chip id, rev, and api rev

Identifies the hardware accelerator, the revision of its onboard firmware, and the revision of the software application layer.

Compression

Identifies whether packets are compressed as well as encrypted.

3DES

Identifies whether Triple DES (3DES) 168-bit encryption is supported.

Maximum buffer length

Maximum size of the data buffer for each connection.

Maximum DH index, SA index, and Flow index

Maximum size of each index that is supported per connection.

Maximum RSA key size

Maximum size of the RSA encryption key that is supported.

Lock Count

Number of connections that have requested access to the crypto engine and are waiting for processing time.

Unlock Count

Number of connections that have finished encryption processing and are waiting to release the crypto engine.

Related Commands

Command Description

clear crypto engine accelerator counter

Resets the statistical and error counters for the hardware accelerator crypto engine to zero.

crypto engine accelerator

Enables or disables the onboard hardware accelerator crypto engine.

debug crypto engine accelerator control

Prints each control command as it is given to the crypto engine.

debug crypto engine accelerator packet

Prints information about each packet sent for encryption and decryption.

show crypto engine accelerator ring control

Prints the contents of command ring, which queues the control commands that are being sent to the crypto engine.

show crypto engine accelerator ring packet

Prints the contents of the transmit packet ring, which contains the packets being sent to the crypto engine for encryption and decryption.

show crypto engine accelerator sa-database

Prints the active (in-use) entries in the crypto engine security association (SA) database.

show crypto engine accelerator statistic

Print out the current run-time statistics and error counters for the crypto engine.

show crypto engine brief

Print out a summary of the configuration information for the crypto engine.

show crypto engine connections

Print out a list of the current connections maintained by the crypto engine.

Note For information about these additional commands, see the IP Security and Encryption section in the Cisco IOS Release 12.1 Security Command Reference .

show crypto engine connections

To display the configuration information for the Cisco uBR905 router's onboard hardware accelerator engine, use the show crypto engine configuration privileged EXEC command.

show crypto engine connections [ active | dh | dropped-packet | flow ]

Syntax Description

active

Prints out the configuration information for each active session.

dh

Prints out the Diffie-Hellman connection status.

dropped-packet

Prints out the number of packets that the crypto engine has dropped.

flow

Prints out the definition for each flow that has been defined.

Defaults

No default behavior or values.

Command Modes

Privileged EXEC.

Usage Guidelines

This command displays the version, capabilities, and other information for the hardware accelerator engine that performs IPsec encryption/decryption for the Cisco uBR905 router.

Examples

The following example shows the typical display for the show crypto engine connections active command:

uBR905# show crypto engine connections active  
 
   ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
    1 <none>          <none>          set    HMAC_MD5+DES_56_CB        0        0
 2068 cable-modem0    192.168.100.9   set    HMAC_MD5                  0     2484
 2069 cable-modem0    192.168.100.9   set    HMAC_MD5               2618        0
 2070 cable-modem0    192.168.100.9   set    3DES_56_CBC               0     2484
 2071 cable-modem0    192.168.100.9   set    3DES_56_CBC            2618        0
 2072 cable-modem0    192.168.100.9   set    HMAC_MD5                  0      232
 2073 cable-modem0    192.168.100.9   set    HMAC_MD5                 94        0
 2074 cable-modem0    192.168.100.9   set    3DES_56_CBC               0      232
 2075 cable-modem0    192.168.100.9   set    3DES_56_CBC              94        0
ubr905#

Table D-5 explains each field.

Table D-5: show crypto engine connections active Field Description

Field Description

ID

Identifies the connection by its number. Each active encrypted session connection is identified by a positive number from 1 to 299. These connection numbers correspond to the table entry numbers.

Interface

Interface involved in the encrypted session connection.

IP-Address

IP address of the interface.

State

Current state of the connection:

alloc—the connection is requesting resources.

set—an active connection (normal state).

Algorithm

The encryption algorithms used for this connection. If this field says "NONE," this connection is still being allocated and has not yet requested an algorithm.

Encrypt

Total number of encrypted outbound IP packets.

Decrypt

Total number of encrypted outbound IP packets.

The following example shows the typical display for the show crypto engine connections dh command:

uBR905# show crypto engine connections dh  
 
Conn            ID           Status
0               0               1
0               14              1
0               0               1
0               0               1
0               18              1
uBR905#

Table D-6 explains each field.

Table D-6: show crypto engine connections dh Field Description

Field Description

Conn

Identifies the connection by its number. Each active encrypted session connection is identified by a positive number from 1 to 299. These connection numbers correspond to the table entry numbers.

ID

Identifies the Diffie-Hellman group.

Status

Identifies the Diffie-Hellman status:

1—768-bit Diffie-Hellman prime modulus group

2—1024-bit Diffie-Hellman prime modulus group

The following example shows the typical display for the show crypto engine connections dropped-packet command:

uBR905# show crypto engine connections dropped-packet  
 
Interface     IP-Address      Drop Count
Ethernet0/0   192.168.100.165  4
 
uBR905#

Table D-7 explains each field.

Table D-7: show crypto engine connections dropped-packet Field Description

Field Description

Interface

Interface involved in the encrypted session connection.

IP-Address

IP address of the interface.

Drop Count

Total number of dropped packets since the last reset of the Cisco uBR905 cable access router.

The following example shows the typical display for the show crypto engine connections flow command:

uBR905# show crypto engine connections flow  
 
 flow_id  ah_conn_id  esp_conn_id  comp_spi
     3       0          0           0
     4       0          0           0
     7       0          0           0
     8       0          0           0
     9       0          0           0
     10      0          0           0
     11      0          0           0
     12      0          0           0
     13      0          0           0
     14      0          0           0
     36      0          0           0
     37      0          0           0
     38      0          0           0
     39      0          0           0
 
uBR905#

Table D-8 explains each field.

Table D-8: show crypto engine connections flow Field Description

Field Description

flow_id

Unique identifier for this flow.

ah_conn_id

Unique identifier for the flow's Authentication Header.

esp_conn_id

Unique Identifier for the flow's Encapsulating Security Protocol (ESP).

comp_spi

Security Parameter Index (SPI)—An arbitrary number that unique identifies the flow's security association.

Related Commands

Command Description

clear crypto engine accelerator counter

Resets the statistical and error counters for the hardware accelerator crypto engine to zero.

crypto engine accelerator

Enables or disables the onboard hardware accelerator crypto engine.

debug crypto engine accelerator control

Prints each control command as it is given to the crypto engine.

debug crypto engine accelerator packet

Prints information about each packet sent for encryption and decryption.

show crypto engine accelerator ring control

Prints the contents of command ring, which queues the control commands that are being sent to the crypto engine.

show crypto engine accelerator ring packet

Prints the contents of the transmit packet ring, which contains the packets being sent to the crypto engine for encryption and decryption.

show crypto engine accelerator sa-database

Prints the active (in-use) entries in the crypto engine security association (SA) database.

show crypto engine accelerator statistic

Print out the current run-time statistics and error counters for the crypto engine.

show crypto engine brief

Print out a summary of the configuration information for the crypto engine.

show crypto engine configuration

Print out the version and configuration information for the crypto engine.

Note For information about these additional commands, see the IP Security and Encryption section in the Cisco IOS Release 12.1 Security Command Reference .

Commands Reserved for DOCSIS Use

In Cisco IOS Release 12.1(2)T and later releases, the following commands were removed from the CLI:

[no] cable-modem downstream saved channel
[no] cable-modem fast-search
[no] cable-modem downstream symbol rate
[no] cable-modem transmit-power
[no] cable-modem upstream preamble qpsk

In Cisco IOS Release 12.1(2)T and later, these commands are now reserved exclusively for DOCSIS use. These commands can appear in the router's Cisco IOS configuration file, but they cannot be given through the router's CLI.

Field	Description
Flow Summary
Flow Index	Unique identifier for the flow.
Flow Algorithm	The Flow Algorithm field displays the transformation set for each SA: Mode tunnel—Original IP packet is encrypted and encapsulated transport—Only the data portion of the IP packet is encrypted and encapsulated Direction inbound—Encryption is performed on incoming packets outbound—Encryption is performed on outgoing packets Encapsulating Security Protocol (ESP) Transform esp-des—56-bit DES encryption esp-3des—168-bit 3DES encryption esp-null—No encryption algorithm (used only for test) ESP Authentication Transform esp-md5-hmac—MD5 (HMAC variant) esp-sha-hmac—SHA (HMAC variant) Authentication Header (AH) Transform ah-md5-hmac—MD5 (HMAC variant) ah-sha-hmac—SHA (HMAC variant)
SA Summary
SA Index	Unique identifier for the SA.
SA DH-Index	Unique identifier for the Diffie-Hellman group used in this SA. If the connection is not currently active, the text "(deleted)" follows the index number.
SA Algorithms	The transform al set for this SA: Encryption: DES or 3DES Authentication: MD5 or SHA
DH Summary
DH Index	Unique DH index.
DH Group	Identifies the DH group.
DH Config	The type of keys: Shared Secret—Keys were pre-shared. Valid Pub/Priv—Keys were negotiated.

Release	Modification
12.1(1)XC	This command was introduced for the Cisco 1700 series router and other Cisco routers that support hardware accelerators for IPsec encryption.
12.1(3)XL	This command was introduced for the Cisco uBR905 router.

Release	Modification
11.2	This command was introduced for the Cisco 7200, RSP7000, and 7500 series routers.
12.1(3)XL	This command was introduced for the Cisco uBR905 router.

Field	Description
crypto engine name	Name of the crypto engine as assigned with the key-name argument in the crypto key generate dss command. If no name has been assigned, this field shows `unknown'.
crypto engine type	The type of encryption engine running, always `ISA/ISM' and `software' for the Cisco uBR905 cable access router.
hifn chip id, rev, and api rev	Identifies the hardware accelerator, the revision of its onboard firmware, and the revision of the software application layer.
Compression	Identifies whether packets are compressed as well as encrypted.
3DES	Identifies whether Triple DES (3DES) 168-bit encryption is supported.
crypto engine state	The current run-time state of the crypto engine: installed—Indicates that the crypto engine is present but is not configured for encryption. dss key generated—Indicates that the crypto engine has DSS keys already generated.
crypto firmware version	Version number of the crypto library running on the router.
crypto engine in slot	The chassis slot number containing the crypto engine. This is always N/A for the Cisco uBR905 cable access router because the engine is not in a slot but is permanently onboard the router.

active	Prints out the configuration information for each active session.
dh	Prints out the Diffie-Hellman connection status.
dropped-packet	Prints out the number of packets that the crypto engine has dropped.
flow	Prints out the definition for each flow that has been defined.

Field	Description
ID	Identifies the connection by its number. Each active encrypted session connection is identified by a positive number from 1 to 299. These connection numbers correspond to the table entry numbers.
Interface	Interface involved in the encrypted session connection.
IP-Address	IP address of the interface.
State	Current state of the connection: alloc—the connection is requesting resources. set—an active connection (normal state).
Algorithm	The encryption algorithms used for this connection. If this field says "NONE," this connection is still being allocated and has not yet requested an algorithm.
Encrypt	Total number of encrypted outbound IP packets.
Decrypt	Total number of encrypted outbound IP packets.

Field	Description
flow_id	Unique identifier for this flow.
ah_conn_id	Unique identifier for the flow's Authentication Header.
esp_conn_id	Unique Identifier for the flow's Encapsulating Security Protocol (ESP).
comp_spi	Security Parameter Index (SPI)—An arbitrary number that unique identifies the flow's security association.

Table of Contents

New and Changed Commands Reference