09-04-2018 03:31 AM - edited 11-29-2019 09:34 AM
The role-based counters command is broken on the 3850 and 3650: no data is ever displayed. This is fixed in release 16.6.1.
This is logged as DDTS CSCuu32958 (3850 "show cts role-based counters" not implemented platform limitation).
Prompt-3850#show cts role-based counters
Role-based IPv4 counters
# '-' in hardware counters field indicates sharing among cells with identical policies
From To SW-Denied HW-Denied SW-Permitted HW-Permitted
To get an idea of whether enforcement is taking place before the fix, use the following command on the 3850 and 3650:
Prompt-3850#show platform acl counters hardware | inc SGACL
Egress IPv4 SGACL Drop (454): 3 frames
Egress IPv6 SGACL Drop (455): 0 frames
Egress IPv4 SGACL Cell Drop (456): 0 frames
Egress IPv6 SGACL Cell Drop (457): 0 frames
If you have a 3850 stack, use the following command, where the number signifies the stack member on which the uplink resides:
Prompt-3850#show platform acl counters hardware switch 1 | inc SGACL
Egress IPv4 SGACL Drop (454): 4 frames
Egress IPv6 SGACL Drop (455): 0 frames
Egress IPv4 SGACL Cell Drop (456): 0 frames
Egress IPv6 SGACL Cell Drop (457): 0 frames
In Polaris code (IOS XE 16.x), use the following, where x is the stack member number: show platform software fed switch x acl counters hardware
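As an added example (not part of the original guide and not Cisco's tooling), the following Python script parses two captures of the filtered 'show platform acl counters hardware | inc SGACL' output and reports which SGACL drop counters grew between them. The hardware counters are cumulative, so a single reading only proves that drops have happened at some point; the difference across a test flow that the policy should deny is what shows enforcement is active now. The two sample captures are constructed from the outputs shown above.

```python
"""Compare two captures of 'show platform acl counters hardware | inc SGACL'
and report which SGACL drop counters increased.

Added example, not part of the original guide or Cisco's own tooling; the
sample captures below are constructed from the outputs shown in the guide.
"""
import re

# One filtered output line looks like:  Egress IPv4 SGACL Drop (454): 3 frames
COUNTER_RE = re.compile(
    r"^(?P<name>Egress IPv[46] SGACL(?: Cell)? Drop)"
    r" \((?P<index>\d+)\):\s+(?P<frames>\d+) frames$"
)


def parse_sgacl_counters(output: str) -> dict:
    """Return {counter name: frames} from one capture; other lines are ignored."""
    counters = {}
    for line in output.splitlines():
        match = COUNTER_RE.match(line.strip())
        if match:
            counters[match.group("name")] = int(match.group("frames"))
    return counters


def sgacl_drop_delta(before: str, after: str) -> dict:
    """Increase of each counter between two captures. The counters are
    cumulative, so only the difference says what happened in between; a
    negative delta means the counters were cleared (or the switch reloaded)."""
    old = parse_sgacl_counters(before)
    new = parse_sgacl_counters(after)
    return {name: new.get(name, 0) - old.get(name, 0) for name in set(old) | set(new)}


def enforcement_observed(before: str, after: str) -> bool:
    """True when at least one SGACL drop counter grew, i.e. the hardware
    dropped traffic under an SGACL between the two captures."""
    return any(delta > 0 for delta in sgacl_drop_delta(before, after).values())


# Constructed samples: a capture taken before and one taken after sending a
# flow that the SGACL policy should deny (values from the guide's two captures).
SAMPLE_BEFORE = """\
Egress IPv4 SGACL Drop (454): 3 frames
Egress IPv6 SGACL Drop (455): 0 frames
Egress IPv4 SGACL Cell Drop (456): 0 frames
Egress IPv6 SGACL Cell Drop (457): 0 frames
"""

SAMPLE_AFTER = """\
Egress IPv4 SGACL Drop (454): 4 frames
Egress IPv6 SGACL Drop (455): 0 frames
Egress IPv4 SGACL Cell Drop (456): 0 frames
Egress IPv6 SGACL Cell Drop (457): 0 frames
"""

if __name__ == "__main__":
    for name, delta in sorted(sgacl_drop_delta(SAMPLE_BEFORE, SAMPLE_AFTER).items()):
        print(f"{name}: +{delta}")
    print("SGACL enforcement observed:", enforcement_observed(SAMPLE_BEFORE, SAMPLE_AFTER))
```

On a stack, take both captures with the 'switch <n>' form of the command for the member that holds the uplink, since each member reports its own ASIC counters.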
Prompt-3850#show ip device tracking all
Global IP Device Tracking for clients = Enabled
Global IP Device Tracking Probe Count = 3
Global IP Device Tracking Probe Interval = 30
Global IP Device Tracking Probe Delay Interval = 0
-----------------------------------------------------------------------------------------------
  IP Address       MAC Address       Vlan  Interface               Probe-Timeout  State   Source
-----------------------------------------------------------------------------------------------
10.4.1.11          0050.5694.d054    10    GigabitEthernet1/0/2    30             ACTIVE  ARP
10.4.1.10          000c.295e.4932    10    GigabitEthernet1/0/1    30             ACTIVE  ARP
10.4.1.1           e8b7.487e.5a16    10    GigabitEthernet1/0/48   30             ACTIVE  ARP
Total number interfaces enabled: 3
Enabled interfaces:
Vl10, Gi1/0/1, Gi1/0/2
In Polaris code, use the following:
Prompt-3850#show device-tracking database
Binding Table has 4 entries, 2 dynamic (limit 100000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
    Network Layer Address          Link Layer Address  Interface  vlan  prlvl  age      state      Time left
L   10.4.2.254                     0000.0c9f.f45c      Vl1021     1021  0100   44548mn  DOWN
L   10.4.1.254                     0000.0c9f.f45d      Vl1022     1022  0100   44545mn  REACHABLE
DH4 10.4.1.112                     000c.295e.4932      Gi1/0/1    1022  0025   40s      REACHABLE  275 s(2881 s)
ND  FE80::5456:9FBF:5C2A:ED3C      000c.295e.4932      Gi1/0/1    1022  0005   3mn      REACHABLE  89 s try 0
Prompt-3850#show platform ip route
IP Fib entries
vrf  dest                  htm         flags  SGT  DGID
---  ----                  ---         -----  ---  ----
0    0.0.0.0/32            0x5e887d08  0x3    0    0
0    0.0.0.0/0             0x591fddd8  0x3    0    0
0    240.0.0.0/4           0x5e8878f8  0x3    0    0
0    10.1.100.4/32         0x61a50da8  0x3    14   1
0    10.4.1.0/24           0x61a4e468  0x3    0    0
0    10.4.1.0/32           0x61a504b0  0x3    0    0
0    10.4.1.3/32           0x61a50728  0x3    2    0
0    10.4.1.1/32           0x61a4ec60  0x3    0    0
0    255.255.255.255/32    0x5e887698  0x3    0    0
0    127.0.0.0/8           0x5e887c48  0x3    0    0
0    10.4.1.255/32         0x61a4ddc8  0x3    0    0
For Polaris code, use the following command: show platform software fed switch 1 ip route
Prompt-3850#show platform sgacl [detail]
Global Enforcement: On
For Polaris code, use the following command: show platform software fed switch 1 sgacl detail
Prompt-3850#show platform sgacl vlan
Enforcement enabled:
vlan0 <----- Shows with global config of 'cts role-based enforcement'
vlan10
For Polaris code, use the following command: show platform software fed switch 1 sgacl vlan
Prompt-3850#show platform sgacl port
Port      Status   Port-SGT  Trust  Propagate
-----------------------------------------------------
Gi1/0/1   Enabled  0         No     No
Gi1/0/2   Enabled  0         No     No
Gi1/0/3   Enabled  0         No     No
Gi1/0/4   Enabled  2         Yes    Yes
Gi1/0/5   Enabled  0         No     No
Gi1/0/6   Enabled  0         No     No
etc
For Polaris code, use the following command: show platform software fed switch 1 sgacl port
Sometimes it's useful to determine which ASIC an interface is using for troubleshooting purposes.
Prompt-3850#show platform port-asic ifm mappings local-port switch 1
Mappings Table
LPN  ASIC  Port  Interface  IIF-ID              Active
1    1     21    Gi1/0/1    0x0102bac000000009  Y
2    1     20    Gi1/0/2    0x01075c000000000b  Y
3    1     23    Gi1/0/3    0x0105420000000012  Y
4    1     22    Gi1/0/4    0x01052c0000000014  Y
~snip~
45   0     17    Gi1/0/45   0x0107454000000066  Y
46   0     16    Gi1/0/46   0x010638c000000068  Y
47   0     19    Gi1/0/47   0x0109b9c00000006a  Y
48   0     18    Gi1/0/48   0x010942400000006c  Y
49   1     0     Gi1/1/1    0x010878800000006e  N
50   1     1     Gi1/1/2    0x0100f08000000070  N
51   0     0     Gi1/1/3    0x0104f74000000072  N
52   0     1     Gi1/1/4    0x010168c000000074  N
53   1     0     Te1/1/1    0x0101814000000076  Y
54   1     1     Te1/1/2    0x0105440000000078  Y
55   0     0     Te1/1/3    0x0108c1800000007a  Y
56   0     1     Te1/1/4    0x01091a800000007c  Y
For interest, LPN = Local Port Number, IIF = Interface ID Factory
The same information can be retrieved from a 3850 running Polaris code using: show platform soft fed switch active ifm mapping
Prompt-3850#show platform hardware fed switch active fwd-asic resource tcam utilization
CAM Utilization for ASIC Instance [0]
Table                                      Max Values   Used Values
--------------------------------------------------------------------------------
Unicast MAC addresses                      32768/512    23/22
L3 Multicast groups                        4096/512     0/7
L2 Multicast groups                        4096/512     0/9
Directly or indirectly connected routes    16384/7168   37/72
QoS Access Control Entries                 2560         86
Security Access Control Entries            3072         145
[N.B. Only about 1370 of these 3072 are used for SGACL]
Netflow ACEs                               768          15
Policy Based Routing ACEs                  1024         9
Input Microflow policer ACEs               0            0
Output Microflow policer ACEs              0            0
Flow SPAN ACEs                             256          9
Output Flow SPAN ACEs                      256          12
Control Plane Entries                      512          208
Tunnels                                    256          18
Lisp Instance Mapping Entries              256          7
Input Security Associations                256          4
Output Security Associations and Policies  256          5
SGT_DGT                                    4096/512     0/1
CLIENT_LE                                  4096/64      1/0
INPUT_GROUP_LE                             6144         0
OUTPUT_GROUP_LE                            6144         0
Macsec SPD                                 256          2
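As an added example (not part of the original guide and not Cisco's tooling), the following Python script parses the TCAM utilization table above, flags any table whose used/max ratio is at or above a threshold, and reports Security ACE consumption against the SGACL share. The figure of about 1370 Security ACEs available for SGACL is the one quoted in the note above and is passed in as a parameter (sgacl_budget) rather than derived; because the Security ACE count also includes non-SGACL entries, the headroom it reports is a conservative (upper-bound) estimate of SGACL usage. The sample table is constructed from the output shown above.

```python
"""Parse 'show platform hardware fed switch active fwd-asic resource tcam utilization'
and flag tables that are close to full.

Added example, not part of the original guide or Cisco's tooling. The sample
table is constructed from the output in the guide; the SGACL budget of about
1370 Security ACEs is the figure the guide quotes and is passed in as a
parameter rather than derived here.
"""
import re

# One row looks like:  Unicast MAC addresses 32768/512 23/22
# or:                  QoS Access Control Entries 2560 86
ROW_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z0-9_ ]*?)\s+"
    r"(?P<max>\d+(?:/\d+)?)\s+(?P<used>\d+(?:/\d+)?)$"
)


def parse_tcam_utilization(output: str) -> dict:
    """Return {table name: (max_values, used_values)}; each value is a tuple of
    ints with one or two entries, mirroring the 'a/b' notation in the output."""
    tables = {}
    for line in output.splitlines():
        match = ROW_RE.match(line.strip())
        if not match:
            continue  # headers, the ruler line and the N.B. note do not match the row shape
        max_values = tuple(int(v) for v in match.group("max").split("/"))
        used_values = tuple(int(v) for v in match.group("used").split("/"))
        tables[match.group("name")] = (max_values, used_values)
    return tables


def utilization_ratios(tables: dict) -> dict:
    """Highest used/max ratio per table; a zero maximum counts as 0.0."""
    ratios = {}
    for name, (max_values, used_values) in tables.items():
        ratios[name] = max(
            (used / cap if cap else 0.0) for cap, used in zip(max_values, used_values)
        )
    return ratios


def over_threshold(tables: dict, threshold: float = 0.8) -> list:
    """Names of tables whose utilization is at or above the threshold."""
    return sorted(
        name for name, ratio in utilization_ratios(tables).items() if ratio >= threshold
    )


def sgacl_headroom(tables: dict, sgacl_budget: int = 1370) -> dict:
    """Security ACE usage against the SGACL share of the table (sgacl_budget is
    the figure quoted in the guide). The Security ACE count also includes
    non-SGACL entries, so this is an upper bound on SGACL consumption."""
    max_values, used_values = tables["Security Access Control Entries"]
    used = used_values[0]
    return {
        "used": used,
        "table_max": max_values[0],
        "sgacl_budget": sgacl_budget,
        "budget_remaining": sgacl_budget - used,
        "budget_fraction_used": used / sgacl_budget,
    }


# Constructed sample: the utilization table shown in the guide.
SAMPLE_TCAM = """\
CAM Utilization for ASIC Instance [0]
Table                                      Max Values   Used Values
--------------------------------------------------------------------------------
Unicast MAC addresses                      32768/512    23/22
L3 Multicast groups                        4096/512     0/7
L2 Multicast groups                        4096/512     0/9
Directly or indirectly connected routes    16384/7168   37/72
QoS Access Control Entries                 2560         86
Security Access Control Entries            3072         145
[N.B. Only about 1370 of these 3072 are used for SGACL]
Netflow ACEs                               768          15
Policy Based Routing ACEs                  1024         9
Input Microflow policer ACEs               0            0
Output Microflow policer ACEs              0            0
Flow SPAN ACEs                             256          9
Output Flow SPAN ACEs                      256          12
Control Plane Entries                      512          208
Tunnels                                    256          18
Lisp Instance Mapping Entries              256          7
Input Security Associations                256          4
Output Security Associations and Policies  256          5
SGT_DGT                                    4096/512     0/1
CLIENT_LE                                  4096/64      1/0
INPUT_GROUP_LE                             6144         0
OUTPUT_GROUP_LE                            6144         0
Macsec SPD                                 256          2
"""

if __name__ == "__main__":
    tables = parse_tcam_utilization(SAMPLE_TCAM)
    print("Tables at or above 80% utilization:", over_threshold(tables) or "none")
    print("Security ACEs vs SGACL budget:", sgacl_headroom(tables))
```

Run this against a capture from each ASIC instance of each stack member; SGACL cells are programmed per ASIC, so one instance can fill up while another is nearly empty.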
Polaris code supports the 'monitor capture' command; see its operation at the following link:
Link for 'monitor capture' operation