cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

TrustSec 3850 Specific Troubleshooting Information

1311
Views
0
Helpful
0
Comments

 

 << BACK TO THE MAIN TRUSTSEC TROUBLESHOOTING GUIDE

 

 

TrustSec 3850 Specific Troubleshooting Information

 

Counters on the 3850 and 3650

 

The role-based counters command is broken on the 3850 and 3650, no data is ever displayed. This is fixed in release 16.6.1.

This is logged as DDTS CSCuu32958 (3850 "show cts role-based counters" not implemented platform limitation).

Prompt-3850#show cts role-based counters

Role-based IPv4 counters

# '-' in hardware counters field indicates sharing among cells with identical policies

From    To      SW-Denied       HW-Denied       SW-Permitted    HW-Permitted

 

To get an idea of enforcement before the fix, use the following command on the 3850 and 3650:

Prompt-3850#show platform acl counters hardware | inc SGACL

Egress IPv4 SGACL Drop           (454):           3 frames

Egress IPv6 SGACL Drop           (455):           0 frames

Egress IPv4 SGACL Cell Drop      (456):           0 frames

Egress IPv6 SGACL Cell Drop      (457):           0 frames

 

If you have a 3850 stack then use the following command where the number signifies the stack member where the uplink resides:

Prompt-3850#show platform acl counters hardware switch 1 | inc SGACL

Egress IPv4 SGACL Drop           (454):           4 frames

Egress IPv6 SGACL Drop           (455):           0 frames

Egress IPv4 SGACL Cell Drop      (456):           0 frames

Egress IPv6 SGACL Cell Drop      (457):           0 frames

In Polaris code, use the following: show platform software fed switch x acl counters hardware

 

 

How to show Device Tracking Information on the 3850?

 

Prompt-3850#show ip device tracking all

Global IP Device Tracking for clients = Enabled

Global IP Device Tracking Probe Count = 3

Global IP Device Tracking Probe Interval = 30

Global IP Device Tracking Probe Delay Interval = 0

-----------------------------------------------------------------------------------------------

  IP Address    MAC Address   Vlan  Interface           Probe-Timeout      State    Source

-----------------------------------------------------------------------------------------------

10.4.1.11       0050.5694.d054 10   GigabitEthernet1/0/2   30              ACTIVE   ARP

10.4.1.10       000c.295e.4932 10   GigabitEthernet1/0/1   30              ACTIVE   ARP

10.4.1.1        e8b7.487e.5a16 10   GigabitEthernet1/0/48  30              ACTIVE   ARP

 

Total number interfaces enabled: 3

Enabled interfaces:

  Vl10, Gi1/0/1, Gi1/0/2

 In Polaris code, use the following:

 

Prompt-3850#show device-tracking database

Binding Table has 4 entries, 2 dynamic (limit 100000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    Network Layer Address               Link Layer Address Interface        vlan prlvl  age   state     Time left        
L   10.4.2.254                              0000.0c9f.f45c  Vl1021         1021  0100 44548mn DOWN                        
L   10.4.1.254                              0000.0c9f.f45d  Vl1022         1022  0100 44545mn REACHABLE                   
DH4 10.4.1.112                              000c.295e.4932  Gi1/0/1        1022  0025   40s  REACHABLE  275 s(2881 s)    
ND  FE80::5456:9FBF:5C2A:ED3C               000c.295e.4932  Gi1/0/1        1022  0005    3mn REACHABLE  89 s try 0       

 

IP Route Information Can be Displayed With The SGT on the 3850:

 

Prompt-3850#show platform ip route

IP Fib entries

 

vrf   dest                                          htm          flags SGT DGID

---   ----                                          ---          ----- --------

0     0.0.0.0/32                                    0x5e887d08     0x3     0     0

0     0.0.0.0/0                                     0x591fddd8     0x3     0     0

0     240.0.0.0/4                                   0x5e8878f8     0x3     0     0

0     10.1.100.4/32                                 0x61a50da8     0x3     14    1

0     10.4.1.0/24                                   0x61a4e468     0x3     0     0

0     10.4.1.0/32                                   0x61a504b0     0x3     0     0

0     10.4.1.3/32                                   0x61a50728     0x3     2     0

0     10.4.1.1/32                                   0x61a4ec60     0x3     0     0

0     255.255.255.255/32                            0x5e887698     0x3     0     0

0     127.0.0.0/8                                   0x5e887c48     0x3     0     0

0     10.4.1.255/32                                 0x61a4ddc8     0x3     0     0

For Polaris code, use the following command: show platform software fed switch 1 ip route

 

How to Check if Global Enforcement is Enabled on the 3850?

 

Prompt-3850#show platform sgacl [detail]

Global Enforcement: On

For Polaris code, use the following command: show platform software fed switch 1 sgacl detail

 

 

How to Check if Enforcement is Enabled on the 3850 VLANs?

 

Prompt-3850#show platform sgacl vlan

Enforcement enabled:

vlan0    <----- Shows with global config of 'cts role-based enforcement'

vlan10

For Polaris code, use the following command: show platform software fed switch 1 sgacl vlan

 

 

How to Check the L2IF Configuration Settings of all Interfaces?

 

Prompt-3850#show platform sgacl port

Port            Status     Port-SGT  Trust  Propagate

-----------------------------------------------------

Gi1/0/1        Enabled         0     No      No

Gi1/0/2        Enabled         0     No      No

Gi1/0/3        Enabled         0     No      No

Gi1/0/4        Enabled         2     Yes     Yes

Gi1/0/5        Enabled         0     No      No

Gi1/0/6        Enabled         0     No      No

etc

For Polaris code, use the following command: show platform software fed switch 1 sgacl port

 

What ASIC Is An Interface Using?

 

Sometimes it's useful to determine which ASIC an interface is using for troubleshooting purposes.

 

Prompt-3850#show platform port-asic ifm mappings local-port switch 1

Mappings Table

 

LPN ASIC Port Interface    IIF-ID             Active

1   1    21   Gi1/0/1      0x0102bac000000009 Y

2   1    20   Gi1/0/2      0x01075c000000000b Y

3   1    23   Gi1/0/3      0x0105420000000012 Y

4   1    22   Gi1/0/4      0x01052c0000000014 Y

~snip~

45  0    17   Gi1/0/45     0x0107454000000066 Y

46  0    16   Gi1/0/46     0x010638c000000068 Y

47  0    19   Gi1/0/47     0x0109b9c00000006a Y

48  0    18   Gi1/0/48     0x010942400000006c Y

49  1    0    Gi1/1/1      0x010878800000006e N

50  1    1    Gi1/1/2      0x0100f08000000070 N

51  0    0    Gi1/1/3      0x0104f74000000072 N

52  0    1    Gi1/1/4      0x010168c000000074 N

53  1    0    Te1/1/1      0x0101814000000076 Y

54  1    1    Te1/1/2      0x0105440000000078 Y

55  0    0    Te1/1/3      0x0108c1800000007a Y

56  0    1    Te1/1/4      0x01091a800000007c Y

For interest, LPN = Local Port Number, IIF = Interface ID Factory

The same information can be retrieved from a 3850 running Polaris code using: show platform soft fed switch active ifm mapping

 

Check TCAM Resource Utilisation?

 

Prompt-3850#show platform hardware fed switch active fwd-asic resource tcam utilization

CAM Utilization for ASIC Instance [0]

Table                                              Max Values        Used Values

--------------------------------------------------------------------------------

Unicast MAC addresses                              32768/512          23/22 

L3 Multicast groups                                4096/512           0/7  

L2 Multicast groups                                4096/512           0/9  

Directly or indirectly connected routes            16384/7168         37/72 

QoS Access Control Entries                         2560                86

Security Access Control Entries                    3072               145

                    [N.B. Only about 1370 of these 3072 are used for SGACL]

Netflow ACEs                                        768                15

Policy Based Routing ACEs                          1024                 9

Input Microflow policer ACEs                          0                 0

Output Microflow policer ACEs                         0                 0

Flow SPAN ACEs                                      256                 9

Output Flow SPAN ACEs                               256                12

Control Plane Entries                               512               208

Tunnels                                             256                18

Lisp Instance Mapping Entries                       256                 7

Input Security Associations                         256                 4

Output Security Associations and Policies           256                 5

SGT_DGT                                            4096/512           0/1  

CLIENT_LE                                          4096/64            1/0  

INPUT_GROUP_LE                                     6144                 0

OUTPUT_GROUP_LE                                    6144                 0

Macsec SPD                                          256                 2

 

How to check/monitor inline tags on the 3850?

Polaris code supports the 'monitor capture' command, see the operation at the following link:

Link for 'monitor capture' operation 

 

 

<< BACK TO THE MAIN TRUSTSEC TROUBLESHOOTING GUIDE