jeaves@cisco.com
Cisco Employee
TrustSec 3850 Specific Troubleshooting Information

 

Counters on the 3850 and 3650

 

The "show cts role-based counters" command does not work on the 3850 and 3650: no data is ever displayed. This is fixed in release 16.6.1.

This is logged as DDTS CSCuu32958 (3850 "show cts role-based counters" not implemented platform limitation).

Prompt-3850#show cts role-based counters

Role-based IPv4 counters

# '-' in hardware counters field indicates sharing among cells with identical policies

From    To      SW-Denied       HW-Denied       SW-Permitted    HW-Permitted

 

To get an idea of enforcement before the fix, use the following command on the 3850 and 3650:

Prompt-3850#show platform acl counters hardware | inc SGACL

Egress IPv4 SGACL Drop           (454):           3 frames

Egress IPv6 SGACL Drop           (455):           0 frames

Egress IPv4 SGACL Cell Drop      (456):           0 frames

Egress IPv6 SGACL Cell Drop      (457):           0 frames

 

If you have a 3850 stack, use the following command, where the number is the stack member on which the uplink resides:

Prompt-3850#show platform acl counters hardware switch 1 | inc SGACL

Egress IPv4 SGACL Drop           (454):           4 frames

Egress IPv6 SGACL Drop           (455):           0 frames

Egress IPv4 SGACL Cell Drop      (456):           0 frames

Egress IPv6 SGACL Cell Drop      (457):           0 frames

In Polaris code, use the following, where x is the stack member number: show platform software fed switch x acl counters hardware
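Because the counters above are cumulative, a single reading only tells you that something was dropped at some point; the useful check is whether the SGACL drop counters move between two readings while a test flow is running. The following is an added example, not part of the original post or of any Cisco tool: it parses two snapshots of the "show platform acl counters hardware | inc SGACL" output (both constructed here from the format shown above), computes the per-counter deltas, treats a counter that went backwards as cleared, and reports whether hardware enforcement was observed. The snapshot text and the function names are assumptions for the example; on a stack you would collect the output per member with the "switch N" form shown above.

```python
import re
from typing import Dict

# Constructed sample output, modelled on the "show platform acl counters
# hardware | inc SGACL" lines above: two snapshots taken some time apart.
SNAPSHOT_BEFORE = """\
Egress IPv4 SGACL Drop           (454):           3 frames
Egress IPv6 SGACL Drop           (455):           0 frames
Egress IPv4 SGACL Cell Drop      (456):           0 frames
Egress IPv6 SGACL Cell Drop      (457):           0 frames
"""

SNAPSHOT_AFTER = """\
Egress IPv4 SGACL Drop           (454):          11 frames
Egress IPv6 SGACL Drop           (455):           0 frames
Egress IPv4 SGACL Cell Drop      (456):           2 frames
Egress IPv6 SGACL Cell Drop      (457):           0 frames
"""

# One counter line has the shape "<name> (<index>): <frames> frames".
COUNTER_RE = re.compile(
    r"^(?P<name>.+?SGACL.*?)\s+\((?P<idx>\d+)\):\s+(?P<frames>\d+)\s+frames$"
)


def parse_sgacl_counters(text: str) -> Dict[str, int]:
    """Map each SGACL counter name to its frame count; other lines are ignored."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group("name").strip()] = int(m.group("frames"))
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Frames dropped between two snapshots.

    A counter that went backwards (cleared or wrapped) is reported as its
    current value rather than as a negative number.
    """
    deltas: Dict[str, int] = {}
    for name, new in after.items():
        old = before.get(name, 0)
        deltas[name] = new - old if new >= old else new
    return deltas


def enforcement_observed(deltas: Dict[str, int]) -> bool:
    """True if any SGACL drop counter increased, i.e. hardware denied traffic."""
    return any(count > 0 for count in deltas.values())


if __name__ == "__main__":
    d = counter_deltas(parse_sgacl_counters(SNAPSHOT_BEFORE),
                       parse_sgacl_counters(SNAPSHOT_AFTER))
    for name, count in d.items():
        print(f"{name}: +{count}")
    print("SGACL drops observed:", enforcement_observed(d))
```

A practical use is to take the first snapshot, send traffic that the SGACL policy should deny, take the second snapshot, and expect the IPv4 (or IPv6) drop delta to be non-zero; a zero delta with a denied flow that still got through points at the policy not being programmed or the port not being enforced, which the later sections on this page cover.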

How to show Device Tracking Information on the 3850?

 

Prompt-3850#show ip device tracking all

Global IP Device Tracking for clients = Enabled

Global IP Device Tracking Probe Count = 3

Global IP Device Tracking Probe Interval = 30

Global IP Device Tracking Probe Delay Interval = 0

-----------------------------------------------------------------------------------------------

  IP Address    MAC Address   Vlan  Interface           Probe-Timeout      State    Source

-----------------------------------------------------------------------------------------------

10.4.1.11       0050.5694.d054 10   GigabitEthernet1/0/2   30              ACTIVE   ARP

10.4.1.10       000c.295e.4932 10   GigabitEthernet1/0/1   30              ACTIVE   ARP

10.4.1.1        e8b7.487e.5a16 10   GigabitEthernet1/0/48  30              ACTIVE   ARP

 

Total number interfaces enabled: 3

Enabled interfaces:

  Vl10, Gi1/0/1, Gi1/0/2

In Polaris code, use the following:

 

Prompt-3850#show device-tracking database

Binding Table has 4 entries, 2 dynamic (limit 100000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    Network Layer Address               Link Layer Address Interface        vlan prlvl  age   state     Time left        
L   10.4.2.254                              0000.0c9f.f45c  Vl1021         1021  0100 44548mn DOWN                        
L   10.4.1.254                              0000.0c9f.f45d  Vl1022         1022  0100 44545mn REACHABLE                   
DH4 10.4.1.112                              000c.295e.4932  Gi1/0/1        1022  0025   40s  REACHABLE  275 s(2881 s)    
ND  FE80::5456:9FBF:5C2A:ED3C               000c.295e.4932  Gi1/0/1        1022  0005    3mn REACHABLE  89 s try 0       

 

IP Route Information Can be Displayed With The SGT on the 3850:

 

Prompt-3850#show platform ip route

IP Fib entries

 

vrf   dest                                          htm          flags SGT DGID

---   ----                                          ---          ----- --------

0     0.0.0.0/32                                    0x5e887d08     0x3     0     0

0     0.0.0.0/0                                     0x591fddd8     0x3     0     0

0     240.0.0.0/4                                   0x5e8878f8     0x3     0     0

0     10.1.100.4/32                                 0x61a50da8     0x3     14    1

0     10.4.1.0/24                                   0x61a4e468     0x3     0     0

0     10.4.1.0/32                                   0x61a504b0     0x3     0     0

0     10.4.1.3/32                                   0x61a50728     0x3     2     0

0     10.4.1.1/32                                   0x61a4ec60     0x3     0     0

0     255.255.255.255/32                            0x5e887698     0x3     0     0

0     127.0.0.0/8                                   0x5e887c48     0x3     0     0

0     10.4.1.255/32                                 0x61a4ddc8     0x3     0     0

For Polaris code, use the following command: show platform software fed switch 1 ip route

 

How to Check if Global Enforcement is Enabled on the 3850?

 

Prompt-3850#show platform sgacl [detail]

Global Enforcement: On

For Polaris code, use the following command: show platform software fed switch 1 sgacl detail

How to Check if Enforcement is Enabled on the 3850 VLANs?

 

Prompt-3850#show platform sgacl vlan

Enforcement enabled:

vlan0    <----- Shows with global config of 'cts role-based enforcement'

vlan10

For Polaris code, use the following command: show platform software fed switch 1 sgacl vlan

How to Check the L2IF Configuration Settings of all Interfaces?

 

Prompt-3850#show platform sgacl port

Port            Status     Port-SGT  Trust  Propagate

-----------------------------------------------------

Gi1/0/1        Enabled         0     No      No

Gi1/0/2        Enabled         0     No      No

Gi1/0/3        Enabled         0     No      No

Gi1/0/4        Enabled         2     Yes     Yes

Gi1/0/5        Enabled         0     No      No

Gi1/0/6        Enabled         0     No      No

etc

For Polaris code, use the following command: show platform software fed switch 1 sgacl port
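The per-port table above is the one to audit when enforcement looks right globally but a specific host is not being tagged or policed as expected: the Trust column says whether the switch accepts the SGT carried in inbound frames on that port, and Propagate says whether it sends the SGT out. The following is an added example, not part of the original post or of any Cisco tool: it parses a constructed copy of the "show platform sgacl port" table (with a few extra rows so the checks have something to report) and compares the trusted ports against an operator-maintained list of links that are supposed to be trusted. The sample rows, the expected-trusted list and the function names are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the "show platform sgacl port" table above,
# with extra rows (a Disabled port, a trusted access port, a trusted uplink).
SAMPLE_PORT_TABLE = """\
Port            Status     Port-SGT  Trust  Propagate
-----------------------------------------------------
Gi1/0/1        Enabled         0     No      No
Gi1/0/2        Enabled         0     No      No
Gi1/0/3        Disabled        0     No      No
Gi1/0/4        Enabled         2     Yes     Yes
Gi1/0/5        Enabled         0     Yes     No
Te1/1/1        Enabled         0     Yes     Yes
"""

# One data row: port, status, static port SGT, trust flag, propagate flag.
ROW_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<status>Enabled|Disabled)\s+(?P<sgt>\d+)"
    r"\s+(?P<trust>Yes|No)\s+(?P<propagate>Yes|No)$"
)


def parse_sgacl_ports(text: str) -> List[Dict]:
    """Turn each data row into a dict; the header and separator lines do not match."""
    rows: List[Dict] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({
                "port": m.group("port"),
                "status": m.group("status"),
                "port_sgt": int(m.group("sgt")),
                "trust": m.group("trust") == "Yes",
                "propagate": m.group("propagate") == "Yes",
            })
    return rows


def audit_ports(rows: List[Dict], expected_trusted: List[str]) -> Dict[str, List[str]]:
    """Compare the L2IF settings against an operator-maintained expectation.

    expected_trusted is the (constructed) list of ports that should trust
    inbound SGTs, normally uplinks to other TrustSec devices. A trusted port
    outside that list accepts whatever SGT arrives in inbound frames, so it is
    reported; so is an expected uplink that is not trusted, and any port whose
    Status is not Enabled.
    """
    trusted = {r["port"] for r in rows if r["trust"]}
    expected = set(expected_trusted)
    return {
        "unexpected_trust": sorted(trusted - expected),
        "missing_trust": sorted(expected - trusted),
        "not_enabled": sorted(r["port"] for r in rows if r["status"] != "Enabled"),
    }


if __name__ == "__main__":
    rows = parse_sgacl_ports(SAMPLE_PORT_TABLE)
    for key, ports in audit_ports(rows, ["Gi1/0/4", "Te1/1/1"]).items():
        print(f"{key}: {ports or '-'}")
```

Run against a real switch, the expected-trusted list would come from your own inventory of TrustSec uplinks; the point of the audit is that a trust mismatch on a single access port does not show up in the global or VLAN enforcement checks earlier on this page.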

 

What ASIC Is An Interface Using?

 

Sometimes it's useful to determine which ASIC an interface is using for troubleshooting purposes.

 

Prompt-3850#show platform port-asic ifm mappings local-port switch 1

Mappings Table

 

LPN ASIC Port Interface    IIF-ID             Active

1   1    21   Gi1/0/1      0x0102bac000000009 Y

2   1    20   Gi1/0/2      0x01075c000000000b Y

3   1    23   Gi1/0/3      0x0105420000000012 Y

4   1    22   Gi1/0/4      0x01052c0000000014 Y

~snip~

45  0    17   Gi1/0/45     0x0107454000000066 Y

46  0    16   Gi1/0/46     0x010638c000000068 Y

47  0    19   Gi1/0/47     0x0109b9c00000006a Y

48  0    18   Gi1/0/48     0x010942400000006c Y

49  1    0    Gi1/1/1      0x010878800000006e N

50  1    1    Gi1/1/2      0x0100f08000000070 N

51  0    0    Gi1/1/3      0x0104f74000000072 N

52  0    1    Gi1/1/4      0x010168c000000074 N

53  1    0    Te1/1/1      0x0101814000000076 Y

54  1    1    Te1/1/2      0x0105440000000078 Y

55  0    0    Te1/1/3      0x0108c1800000007a Y

56  0    1    Te1/1/4      0x01091a800000007c Y

For interest, LPN = Local Port Number, IIF = Interface ID Factory

The same information can be retrieved from a 3850 running Polaris code using: show platform soft fed switch active ifm mapping

 

How to Check TCAM Resource Utilisation?

 

Prompt-3850#show platform hardware fed switch active fwd-asic resource tcam utilization

CAM Utilization for ASIC Instance [0]

Table                                              Max Values        Used Values

--------------------------------------------------------------------------------

Unicast MAC addresses                              32768/512          23/22 

L3 Multicast groups                                4096/512           0/7  

L2 Multicast groups                                4096/512           0/9  

Directly or indirectly connected routes            16384/7168         37/72 

QoS Access Control Entries                         2560                86

Security Access Control Entries                    3072               145

                    [N.B. Only about 1370 of these 3072 are used for SGACL]

Netflow ACEs                                        768                15

Policy Based Routing ACEs                          1024                 9

Input Microflow policer ACEs                          0                 0

Output Microflow policer ACEs                         0                 0

Flow SPAN ACEs                                      256                 9

Output Flow SPAN ACEs                               256                12

Control Plane Entries                               512               208

Tunnels                                             256                18

Lisp Instance Mapping Entries                       256                 7

Input Security Associations                         256                 4

Output Security Associations and Policies           256                 5

SGT_DGT                                            4096/512           0/1  

CLIENT_LE                                          4096/64            1/0  

INPUT_GROUP_LE                                     6144                 0

OUTPUT_GROUP_LE                                    6144                 0

Macsec SPD                                          256                 2

 

How to check/monitor inline tags on the 3850?

Polaris code supports the 'monitor capture' command; see its operation at the following link:

Link for 'monitor capture' operation
