jeaves@cisco.com
Cisco Employee

TrustSec Cat9300/9400 Specific Troubleshooting Information

 

How to check Counters on the Cat9300/9400?

 

The traditional counter command is supported:

Prompt-Cat9300#show cts role-based counters
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
*       *       0          0          3          0          0          0
0       0       0          0          0          0          0          0
2       2       0          0          0          0          0          0
5       104     0          4          0          0          0          0

Counters can also be retrieved from the Forwarding Engine Driver (FED):

Prompt-Cat9300#show platform software fed switch active acl counters hardware | inc SGACL
Egress IPv4 SGACL Drop           (0x19000053):           6 frames
Egress IPv6 SGACL Drop           (0x61000054):           0 frames
Egress IPv4 SGACL Test Cell Drop (0x21000055):           0 frames
Egress IPv6 SGACL Test Cell Drop (0x66000056):           0 frames
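The role-based counters are cumulative, so the useful troubleshooting step is to parse two snapshots and see which SGT/DGT cell is still dropping. The following parser is an added example, not Cisco code; the two snapshots are constructed from the table above, with the 5 -> 104 cell advanced by five HW-denied frames in the second one.

```python
# Constructed snapshot modelled on the 'show cts role-based counters' table above;
# SGT 5 -> DGT 104 is the only cell whose SGACL has dropped traffic.
SNAPSHOT_1 = """\
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
*       *       0          0          3          0          0          0
0       0       0          0          0          0          0          0
2       2       0          0          0          0          0          0
5       104     0          4          0          0          0          0
"""
# Same switch a little later (constructed): the 5 -> 104 cell has dropped five more frames.
SNAPSHOT_2 = SNAPSHOT_1.rsplit("\n", 2)[0] + \
    "\n5       104     0          9          0          0          0          0\n"

FIELDS = ("sw_denied", "hw_denied", "sw_permit", "hw_permit", "sw_monitor", "hw_monitor")

def parse_role_based_counters(text):
    """One dict per SGT/DGT row; '*' is the catch-all (default policy) cell."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly eight columns and six numeric counters;
        # the title and header lines fail this test and are skipped.
        if len(parts) != 8 or not all(p.isdigit() for p in parts[2:]):
            continue
        rows.append({"from": parts[0], "to": parts[1],
                     **dict(zip(FIELDS, map(int, parts[2:])))})
    return rows

def denied_pairs(rows):
    """(SGT, DGT, total denies) for every cell whose policy dropped traffic."""
    return [(r["from"], r["to"], r["sw_denied"] + r["hw_denied"])
            for r in rows if r["sw_denied"] + r["hw_denied"]]

def counter_delta(before, after):
    """Per-cell increase between two snapshots, skipping cells that did not move.
    Counters are cumulative, so this is what shows whether drops are still happening."""
    prev = {(r["from"], r["to"]): r for r in before}
    changed = []
    for r in after:
        base = prev.get((r["from"], r["to"]), {})
        d = {f: r[f] - base.get(f, 0) for f in FIELDS}
        if any(d.values()):
            changed.append({"from": r["from"], "to": r["to"], **d})
    return changed

if __name__ == "__main__":
    rows = parse_role_based_counters(SNAPSHOT_1)
    print("denied cells:", denied_pairs(rows))
    print("changed since last snapshot:",
          counter_delta(rows, parse_role_based_counters(SNAPSHOT_2)))
```

A non-zero HW-Denied delta on a cell that should permit traffic points at the SGACL bound to that SGT/DGT pair (see the permissions output further down), not at the forwarding path.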

 

IP Route Information With SGT:

Prompt-Cat9300#show platform software fed switch active ip route
vrf   dest                                          htm            flags   SGT   DGID
---   ----                                          ---            -----   ---   ----
0     0.0.0.0/0                                     0x7f6704867a08 0x0     0     2
0     10.2.10.0/24                                  0x7f670473d558 0x0     0     2
0     10.1.130.0/24                                 0x7f670473e848 0x0     0     2
0     10.3.12.255/32                                0x7f6704743e48 0x0     0     2
0     10.2.50.0/24                                  0x7f670473c268 0x0     0     2

 

Check if Global Enforcement is Enabled Plus Policy and Count Information:

Prompt-Cat9300#show platform software fed switch active sgacl detail
[Output shown as a screenshot in the original post]

 

 

Check if Enforcement is Enabled on VLANs:

Prompt-Cat9300#show platform software fed switch active sgacl vlan
Enforcement enabled:
vlan0
vlan1

 

How to Check the L2IF Configuration Settings of all Interfaces?

Prompt-Cat9300#show platform software fed switch active sgacl port
Port            Status     Port-SGT  Trust  Propagate
-----------------------------------------------------
Gi1/0/1        Enabled         0     No      No
Gi1/0/2        Enabled         0     No      No
Gi1/0/3        Enabled         0     No      No
Gi1/0/4        Enabled         0     No      No
Gi1/0/5        Enabled         0     No      No

 

Which ASIC and Core is an Interface Using?

Prompt-Cat9300#show platform software fed switch active ifm mappings
Interface                 IF_ID    Inst Asic Core Port SubPort Mac  Cntx LPN  GPN  Type Active
GigabitEthernet1/0/1      0x8        1   0   1    0      0      26   6    1    1    NIF  Y
GigabitEthernet1/0/2      0x9        1   0   1    1      0      6    7    2    2    NIF  Y
GigabitEthernet1/0/3      0xa        1   0   1    2      0      28   8    3    3    NIF  Y
GigabitEthernet1/0/4      0xb        1   0   1    3      0      27   9    4    4    NIF  Y
GigabitEthernet1/0/5      0xc        1   0   1    4      0      30   10   5    5    NIF  Y
~snip~
GigabitEthernet1/0/17     0x18       0   0   0    16     0      26   6    17   17   NIF  Y
GigabitEthernet1/0/18     0x19       0   0   0    17     0      6    7    18   18   NIF  Y
GigabitEthernet1/0/19     0x1a       0   0   0    18     0      28   8    19   19   NIF  Y

 

How to Show SGACL Usage?

Prompt-Cat9300#show platform software fed switch active acl usage
########################################################
########                              ##################
#######      Printing Usage Infos      #################
########                              ##################
########################################################
#####  ACE Software VMR count 136
########################################################
==================================================================================================
Feature Type            ACL Type        Dir             Name                    Entries Used
SGACL                   IPV4            Egress          V4SGACL7000             1
==================================================================================================
Feature Type            ACL Type        Dir             Name                    Entries Used
SGACL_CATCHALL          IPV4            Egress          V4SGACL7000             1
==================================================================================================
Feature Type            ACL Type        Dir             Name                    Entries Used
SGACL                   IPV4            Egress          V4SGACL8000             1
==================================================================================================

 

Show TCAM Resource Utilization:

Prompt-Cat9300#show platform hardware fed switch active fwd-asic resource tcam utilization
CAM Utilization for ASIC Instance [0]
Table                                              Max Values        Used Values
--------------------------------------------------------------------------------
Unicast MAC addresses                              32768/512          13/22
IGMP and Multicast groups                          8192/512           0/0
L2 Multicast groups                                8192/512           0/0
Directly or indirectly connected routes            24576/8192         11/44
NAT/PAT SA address and Port                           0                 0
QoS Access Control Entries                         5120                 0
Security Access Control Entries                    5120               129
Ingress Netflow ACEs                                256                 8
Policy Based Routing ACEs                          1024                 0
Egress Netflow ACEs                                 768                 0
Input Microflow policer ACEs                          0                 0
Output Microflow policer ACEs                         0                 0
Flow SPAN ACEs                                      256                 0
Control Plane Entries                               512               206
Tunnels                                             512                17
Lisp Instance Mapping Entries                       512                 3
Input Security Associations                         256                 0
Output Security Associations and Policies           256                 5
SGT_DGT                                            8192/512           3/1
CLIENT_LE                                          4096/256           0/0
INPUT_GROUP_LE                                     1024                 0
OUTPUT_GROUP_LE                                    1024                 0
Macsec SPD                                          256                 2

 

For later releases (17.x), the TrustSec utilization is shown with the command below:

Prompt-Cat9300#show platform hardware fed switch active sgacl resource usage

SGACL RESOURCE DETAILS ASIC :#0
================================
                                                  Percent     Thresholds
Hardware Resource               MAX      Used      Used    Upper     Lower
---------------------------------------------------------------------------
  CTS Cell Matrix Config    :                                 80        70
  CTS Cell Matrix Entries   :   8192         6         0         Normal
  CTS Cell Overflow Entries :    512         1         0

  Policy Configuration      :                                 80        70
  Policy Entries            :    256         6         2         Normal

  DGT Config                :                                 80        70
  DGT Entries               :   4096         4         0         Normal

  Security ACL Configured   :                                 80        70
  Security ACL Entries      :   5120       233         4         Normal

                                  Total     Percent
      SGACL TCAM Entries           Used      Used
      ------------------------------------------------------------------
      Output PRE SGACL      :        4        1
      Output SGACL          :       44        9
      Output SGACL DEFAULT  :        3        1

 

Forwarding Manager Mappings

Prompt-Cat9300#show platform software cts forwarding-manager switch active F0
SGT Binding Table

Number of bindings: 5


SGT Binding Table

10.4.21.2/32
SGT Src: 2
SGT Dst: 2

10.3.25.2/32
SGT Src: 2
SGT Dst: 2

1.1.1.6/32
SGT Src: 2
SGT Dst: 2


SGT Binding Table

10.6.10.254/32
SGT Src: 2
SGT Dst: 2

10.6.12.254/32
SGT Src: 2
SGT Dst: 2


SGT Binding Table

 

Forwarding Manager Port Information

Prompt-Cat9300#show platform software cts forwarding-manager switch active F0 port
Forwarding Manager Interfaces CTS Information

Name ID CTS Enable Trusted Propagate SGT value
-----------------------------------------------------------------------------------
GigabitEthernet1/0/10 18 0 0 0 0
GigabitEthernet1/0/1 9 0 0 0 0
GigabitEthernet1/0/2 10 0 0 0 0
GigabitEthernet1/0/3 11 0 0 0 0
GigabitEthernet1/0/4 12 0 0 0 0
GigabitEthernet1/0/5 13 0 0 0 0
GigabitEthernet1/0/6 14 0 0 0 0
GigabitEthernet1/0/7 15 0 0 0 0
GigabitEthernet1/0/8 16 0 0 0 0
GigabitEthernet1/0/9 17 0 0 0 0
GigabitEthernet1/0/11 19 0 0 0 0
GigabitEthernet1/0/12 20 0 0 0 0
GigabitEthernet1/0/13 21 0 0 0 0
GigabitEthernet1/0/14 22 0 0 0 0
GigabitEthernet1/0/15 23 0 0 0 0
GigabitEthernet1/0/16 24 0 0 0 0
GigabitEthernet1/0/17 25 0 0 0 0
GigabitEthernet1/0/18 26 0 0 0 0
GigabitEthernet1/0/19 27 0 0 0 0
GigabitEthernet1/0/20 28 0 0 0 0
GigabitEthernet1/0/21 29 0 0 0 0
GigabitEthernet1/0/22 60 0 0 0 0
GigabitEthernet1/0/23 31 0 0 0 0
GigabitEthernet1/0/24 32 0 0 0 0
GigabitEthernet1/1/1 33 0 0 0 0
GigabitEthernet1/1/2 34 0 0 0 0
GigabitEthernet1/1/3 35 0 0 0 0
TenGigabitEthernet1/1/2 61 0 0 0 0
AppGigabitEthernet1/0/1 49 0 0 0 0
GigabitEthernet1/1/4 36 0 0 0 0
TenGigabitEthernet1/1/1 37 0 0 0 0
TenGigabitEthernet1/1/3 39 0 0 0 0
TenGigabitEthernet1/1/4 40 0 0 0 0
TenGigabitEthernet1/1/5 41 0 0 0 0
TenGigabitEthernet1/1/6 42 0 0 0 0
TenGigabitEthernet1/1/7 43 0 0 0 0
TenGigabitEthernet1/1/8 44 0 0 0 0
FortyGigabitEthernet1/1/1 45 0 0 0 0
FortyGigabitEthernet1/1/2 46 0 0 0 0
TwentyFiveGigE1/1/1 47 0 0 0 0


Forwarding Manager Interfaces CTS Information

Name ID CTS Enable Trusted Propagate SGT value
-----------------------------------------------------------------------------------
TwentyFiveGigE1/1/2 48 0 0 0 0
Vlan1 51 0 0 0 0
Vlan1021 62 0 0 0 0
Vlan1022 63 0 0 0 0
Vlan1023 64 0 0 0 0
Vlan1024 65 0 0 0 0
Vlan1025 66 0 0 0 0

 

Forwarding Manager Permissions

Prompt-Cat9300#show platform software cts forwarding-manager switch active F0 permissions
Forwarding Manager CTS permissions Information

sgt dgt ACL Group Name
---------------------------------------------------
9 34 V4SGACL;200
18 34 V4SGACL2100
18 36 V4SGACL2100
29 34 V4SGACL;200
31 34 V4SGACL2100
36 34 V4SGACL2100
65535 65535 V4SGACL2100
9 34 V6SGACL?200
18 34 V6SGACL3100
18 36 V6SGACL3100
29 34 V6SGACL?200
31 34 V6SGACL3100
36 34 V6SGACL3100
65535 65535 V6SGACL3100

 

Forwarding Manager ACL List

Prompt-Cat9300#show platform software classification switch active F0 class-group-manager class-group client acl all
QFP classification class client all group

class-group [ACL:1] sisf v6acl 0001DF9F
class-group [ACL:2] sisf v4acl 0001DF9F
class-group [ACL:3] ACL_WEBAUTH_REDIRECT
class-group [ACL:4] AutoConf-4.0-Acl-Default
class-group [ACL:5] IPV4_CRITICAL_AUTH_ACL
class-group [ACL:6] IPV4_PRE_AUTH_ACL
class-group [ACL:7] IPV6_CRITICAL_AUTH_ACL
class-group [ACL:8] IPV6_PRE_AUTH_ACL
class-group [ACL:9] IP-Adm-V4-Int-ACL-global
class-group [ACL:10] IP-Adm-V6-Int-ACL-global
class-group [ACL:11] preauth_v4
class-group [ACL:12] preauth_v6
class-group [ACL:14] implicit_permit
class-group [ACL:15] implicit_deny_v6
class-group [ACL:16] implicit_permit_v6
class-group [ACL:17] implicit_deny
class-group [ACL:18] Permit IP-00
class-group [ACL:19] Permit IP-00-ipv6
class-group [ACL:43] DenyRemoteServices-04
class-group [ACL:47] DenyRemoteServices-04-ipv6

 

How to Show CPU and Memory Brief Information?

Prompt-Cat9300#show platform software status control-processor brief
Load Average
Slot  Status  1-Min  5-Min 15-Min
1-RP0 Unknown   0.06   0.12   0.10

Memory (kB)
Slot  Status    Total     Used (Pct)     Free (Pct) Committed (Pct)
1-RP0 Healthy  7713268  2153520 (28%)  5559748 (72%)   2412960 (31%)

CPU Utilization
Slot  CPU   User System   Nice   Idle    IRQ   SIRQ IOwait
1-RP0    0   4.40   0.20   0.00  95.40   0.00   0.00   0.00
         1   2.40   0.20   0.00  97.40   0.00   0.00   0.00
         2   1.39   0.29   0.00  98.30   0.00   0.00   0.00
         3   2.40   0.30   0.00  97.30   0.00   0.00   0.00
         4   0.00   0.00   0.00 100.00   0.00   0.00   0.00
         5   1.10   0.10   0.00  98.79   0.00   0.00   0.00
         6   0.10   0.00   0.00  99.90   0.00   0.00   0.00
         7   0.10   0.00   0.00  99.90   0.00   0.00   0.00

 

How to monitor inline tags on the Cat9300/9400?

The 'monitor capture' command is very useful here. In the detailed decode of a captured frame, the inline tag appears in the VXLAN header as the Group Policy ID of the GBP extension.

Prompt-Cat9300#monitor capture <name> interface g1/0/24 both
Prompt-Cat9300#monitor capture <name> match any
Prompt-Cat9300#monitor capture <name> start
Prompt-Cat9300#monitor capture <name> stop

Capture statistics collected at software:
  Capture duration - 21 seconds
  Packets received - 168
  Packets dropped - 0
  Packets oversized - 0

Bytes dropped in asic - 0

 

Prompt-Cat9300#show monitor capture <name> buffer
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
1 0.000000 10.4.1.117 -> 10.5.1.108 ICMP 124 Echo (ping) reply id=0x0008, seq=44279/63404, ttl=127
2 0.108862 10.4.1.113 -> 10.5.1.109 ICMP 124 Echo (ping) reply id=0x0008, seq=26717/23912, ttl=127
3 0.110106 10.4.1.119 -> 10.5.1.102 ICMP 124 Echo (ping) reply id=0x0008, seq=28341/46446, ttl=127

 

Prompt-Cat9300#show monitor capture <name> buffer detailed
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
Frame 1: 124 bytes on wire (992 bits), 124 bytes captured (992 bits) on interface 0
Interface id: 0 (/tmp/epc_ws/wif_to_ts_pipe)
Encapsulation type: Ethernet (1)
Arrival Time: Nov 29, 2019 17:06:04.687882000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1575047164.687882000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 124 bytes (992 bits)
Capture Length: 124 bytes (992 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:vxlan:eth:ethertype:ip:icmp:data]
Ethernet II, Src: 00:00:0c:9f:10:66 (00:00:0c:9f:10:66), Dst: 04:6c:9d:1f:88:66 (04:6c:9d:1f:88:66)
Destination: 04:6c:9d:1f:88:66 (04:6c:9d:1f:88:66)
Address: 04:6c:9d:1f:88:66 (04:6c:9d:1f:88:66)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 00:00:0c:9f:10:66 (00:00:0c:9f:10:66)
Address: 00:00:0c:9f:10:66 (00:00:0c:9f:10:66)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 1.1.1.4, Dst: 1.1.1.6
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 110
Identification: 0x0451 (1105)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 127
Protocol: UDP (17)
Header checksum: 0xf322 [validation disabled]
[Good: False]
[Bad: False]
Source: 1.1.1.4
Destination: 1.1.1.6
User Datagram Protocol, Src Port: 65283 (65283), Dst Port: 4789 (4789)
Source Port: 65283
Destination Port: 4789
Length: 90
Checksum: 0x0000 (none)
[Good Checksum: False]
[Bad Checksum: False]
[Stream index: 0]
Virtual eXtensible Local Area Network
Flags: 0x8800, GBP Extension, VXLAN Network ID (VNI)
1... .... .... .... = GBP Extension: Defined
.... .... .0.. .... = Don't Learn: False
.... 1... .... .... = VXLAN Network ID (VNI): True
.... .... .... 0... = Policy Applied: False
.000 .000 0.00 .000 = Reserved(R): False
Group Policy ID: 20
VXLAN Network Identifier (VNI): 4099
Reserved: 0
Ethernet II, Src: 00:00:0c:9f:00:00 (00:00:0c:9f:00:00), Dst: ba:25:cd:f4:ad:38 (ba:25:cd:f4:ad:38)
Destination: ba:25:cd:f4:ad:38 (ba:25:cd:f4:ad:38)
Address: ba:25:cd:f4:ad:38 (ba:25:cd:f4:ad:38)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 00:00:0c:9f:00:00 (00:00:0c:9f:00:00)
Address: 00:00:0c:9f:00:00 (00:00:0c:9f:00:00)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.4.1.117, Dst: 10.5.1.108
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 60
Identification: 0x3b93 (15251)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 127
Protocol: ICMP (1)
Header checksum: 0xe944 [validation disabled]
[Good: False]
[Bad: False]
Source: 10.4.1.117
Destination: 10.5.1.108
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)
Code: 0
Checksum: 0xa85c [correct]
Identifier (BE): 8 (0x0008)
Identifier (LE): 2048 (0x0800)
Sequence number (BE): 44279 (0xacf7)
Sequence number (LE): 63404 (0xf7ac)
Data (32 bytes)
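The decode above shows the tag travelling in the VXLAN GBP extension (flags 0x8800, Group Policy ID 20, VNI 4099). The decoder below is an added example, not Cisco or Wireshark code; it assumes the 8-byte VXLAN-GBP header layout from the group-policy draft (16-bit flags, 16-bit Group Policy ID, 24-bit VNI, reserved byte) and builds its sample header from the values in the capture.

```python
import struct

# Flag bits of the VXLAN header as extended by the Group Based Policy (GBP) draft.
# Assumed layout (not taken from the page): 16-bit flags, 16-bit Group Policy ID,
# 24-bit VNI, 8-bit reserved. On a TrustSec/SD-Access fabric the Group Policy ID is the SGT.
FLAG_GBP = 0x8000             # G: Group Policy ID field is valid
FLAG_VNI = 0x0800             # I: VNI field is valid
FLAG_DONT_LEARN = 0x0040      # D: egress VTEP must not learn the inner source address
FLAG_POLICY_APPLIED = 0x0008  # A: policy already enforced upstream, do not re-apply

# Constructed 8-byte header holding the values decoded in the capture above:
# flags 0x8800, Group Policy ID 20, VNI 4099 (0x001003).
SAMPLE_HEADER = bytes.fromhex("8800" "0014" "001003" "00")

def parse_vxlan_gbp(header):
    """Decode the 8-byte VXLAN(-GBP) header; 'sgt' is None when no GBP tag is present."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, group_policy_id = struct.unpack("!HH", header[:4])
    vni = int.from_bytes(header[4:7], "big")
    gbp = bool(flags & FLAG_GBP)
    return {
        "flags": flags,
        "gbp": gbp,
        "vni": vni if flags & FLAG_VNI else None,
        "sgt": group_policy_id if gbp else None,
        "dont_learn": bool(flags & FLAG_DONT_LEARN),
        "policy_applied": bool(flags & FLAG_POLICY_APPLIED),
    }

def build_vxlan_gbp(sgt, vni, policy_applied=False):
    """Inverse of parse_vxlan_gbp, useful for exercising a decoder offline."""
    flags = FLAG_GBP | FLAG_VNI | (FLAG_POLICY_APPLIED if policy_applied else 0)
    return struct.pack("!HH", flags, sgt) + vni.to_bytes(3, "big") + b"\x00"

def sgt_from_vxlan_payload(udp_payload):
    """Pull the inline SGT from the UDP payload of a port-4789 datagram.
    Returns None when the encapsulation carries no GBP tag, i.e. the SGT was not propagated."""
    return parse_vxlan_gbp(udp_payload[:8])["sgt"]

if __name__ == "__main__":
    print(parse_vxlan_gbp(SAMPLE_HEADER))
```

If frames captured on a fabric port come back with the G flag clear, the tag is not being propagated inline, which is the first thing to cross-check against the Trust/Propagate columns of the sgacl port output earlier on this page.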

 

 
