09-04-2018 03:39 AM - edited 02-21-2022 09:49 AM
The traditional SGACL counter command is supported; each row is one SGT/DGT cell, and the SW- versus HW- columns tell you whether the policy was applied by the ASIC or punted to the CPU:
Prompt-Cat9300#show cts role-based counters
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
*       *       0          0          3          0          0          0
0       0       0          0          0          0          0          0
2       2       0          0          0          0          0          0
5       104     0          4          0          0          0          0
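When triaging, the useful questions are "which cells are dropping", "which cells are being handled in software", and "did my test flow hit the cell I expected". The following Python is an added example, not code from the Cisco page: it parses the counter table above and answers those three questions from two snapshots. Both snapshots are constructed from the figures on the page (the second one pretends that test traffic was sent in between).

```python
"""Parse `show cts role-based counters` and report which SGT/DGT cells are
dropping or being software-switched.  Added example, not from the Cisco
page; the two snapshots below are constructed from the page's figures."""
import re

COLUMNS = ("sw_denied", "hw_denied", "sw_permit", "hw_permit", "sw_monitor", "hw_monitor")
# "*" is the wildcard entry; every other cell is a numeric SGT/DGT pair
ROW_RE = re.compile(r"^\s*(\*|\d+)\s+(\*|\d+)" + r"\s+(\d+)" * 6 + r"\s*$")

# Constructed snapshot, mirroring the page's output
BEFORE = """\
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
*       *       0          0          3          0          0          0
0       0       0          0          0          0          0          0
2       2       0          0          0          0          0          0
5       104     0          4          0          0          0          0
"""
# Constructed second snapshot "after sending test traffic":
# 5->104 dropped five more frames in hardware, 2->2 permitted seven in hardware
AFTER = """\
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
*       *       0          0          3          0          0          0
0       0       0          0          0          0          0          0
2       2       0          0          0          7          0          0
5       104     0          9          0          0          0          0
"""


def parse_counters(text: str) -> dict:
    """Map (sgt, dgt) -> {column: int}.  Lines that are not counter rows are ignored."""
    cells = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            sgt, dgt, *vals = m.groups()
            cells[(sgt, dgt)] = dict(zip(COLUMNS, map(int, vals)))
    return cells


def denied_cells(cells: dict) -> list:
    """(sgt, dgt, total_denies) for every cell with deny hits, busiest first."""
    hits = [(k[0], k[1], v["sw_denied"] + v["hw_denied"])
            for k, v in cells.items() if v["sw_denied"] or v["hw_denied"]]
    return sorted(hits, key=lambda t: -t[2])


def software_switched_cells(cells: dict) -> list:
    """Cells whose SW-* counters moved: the policy was applied by the CPU, not the ASIC."""
    return [k for k, v in cells.items()
            if v["sw_denied"] or v["sw_permit"] or v["sw_monitor"]]


def delta(before: dict, after: dict) -> dict:
    """Per-cell increase between two snapshots; cells new in `after` count from zero."""
    changes = {}
    for key, now in after.items():
        base = before.get(key, {})
        inc = {c: now[c] - base.get(c, 0) for c in COLUMNS}
        if any(inc.values()):
            changes[key] = inc
    return changes


if __name__ == "__main__":
    b, a = parse_counters(BEFORE), parse_counters(AFTER)
    print("denied:", denied_cells(b))
    print("software-switched:", software_switched_cells(b))
    print("delta:", delta(b, a))
```

Counters are cumulative, so take a snapshot, send a known flow, take a second snapshot and look only at the delta; a permit or deny that lands in a cell other than the source/destination SGT pair you expected usually means the wrong SGT was classified or propagated, not a wrong policy.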
Counters can also be retrieved from the Forwarding Engine Driver:
Prompt-Cat9300#show platform software fed switch active acl counters hardware | inc SGACL
Egress IPv4 SGACL Drop (0x19000053): 6 frames
Egress IPv6 SGACL Drop (0x61000054): 0 frames
Egress IPv4 SGACL Test Cell Drop (0x21000055): 0 frames
Egress IPv6 SGACL Test Cell Drop (0x66000056): 0 frames
Prompt-Cat9300#show platform software fed switch active ip route
vrf dest htm flags SGT DGID
--- ---- --- ----- --- ----
0 0.0.0.0/0 0x7f6704867a08 0x0 0 2
0 10.2.10.0/24 0x7f670473d558 0x0 0 2
0 10.1.130.0/24 0x7f670473e848 0x0 0 2
0 10.3.12.255/32 0x7f6704743e48 0x0 0 2
0 10.2.50.0/24 0x7f670473c268 0x0 0 2
Prompt-Cat9300#show platform software fed switch active sgacl detail
Prompt-Cat9300#show platform software fed switch active sgacl vlan
Enforcement enabled:
vlan0
vlan1
Prompt-Cat9300#show platform software fed switch active sgacl port
Port Status Port-SGT Trust Propagate
-----------------------------------------------------
Gi1/0/1 Enabled 0 No No
Gi1/0/2 Enabled 0 No No
Gi1/0/3 Enabled 0 No No
Gi1/0/4 Enabled 0 No No
Gi1/0/5 Enabled 0 No No
Prompt-Cat9300#show platform software fed switch active ifm mappings
Interface IF_ID Inst Asic Core Port SubPort Mac Cntx LPN GPN Type Active
GigabitEthernet1/0/1 0x8 1 0 1 0 0 26 6 1 1 NIF Y
GigabitEthernet1/0/2 0x9 1 0 1 1 0 6 7 2 2 NIF Y
GigabitEthernet1/0/3 0xa 1 0 1 2 0 28 8 3 3 NIF Y
GigabitEthernet1/0/4 0xb 1 0 1 3 0 27 9 4 4 NIF Y
GigabitEthernet1/0/5 0xc 1 0 1 4 0 30 10 5 5 NIF Y
~snip~
GigabitEthernet1/0/17 0x18 0 0 0 16 0 26 6 17 17 NIF Y
GigabitEthernet1/0/18 0x19 0 0 0 17 0 6 7 18 18 NIF Y
GigabitEthernet1/0/19 0x1a 0 0 0 18 0 28 8 19 19 NIF Y
Prompt-Cat9300#show platform software fed switch active acl usage
########################################################
######## ##################
####### Printing Usage Infos #################
######## ##################
########################################################
##### ACE Software VMR count 136
########################################################
==================================================================================================
Feature Type ACL Type Dir Name Entries Used
SGACL IPV4 Egress V4SGACL7000 1
==================================================================================================
Feature Type ACL Type Dir Name Entries Used
SGACL_CATCHALL IPV4 Egress V4SGACL7000 1
==================================================================================================
Feature Type ACL Type Dir Name Entries Used
SGACL IPV4 Egress V4SGACL8000 1
==================================================================================================
Prompt-Cat9300#show platform hardware fed switch active fwd-asic resource tcam utilization
CAM Utilization for ASIC Instance [0]
Table Max Values Used Values
--------------------------------------------------------------------------------
Unicast MAC addresses 32768/512 13/22
IGMP and Multicast groups 8192/512 0/0
L2 Multicast groups 8192/512 0/0
Directly or indirectly connected routes 24576/8192 11/44
NAT/PAT SA address and Port 0 0
QoS Access Control Entries 5120 0
Security Access Control Entries 5120 129
Ingress Netflow ACEs 256 8
Policy Based Routing ACEs 1024 0
Egress Netflow ACEs 768 0
Input Microflow policer ACEs 0 0
Output Microflow policer ACEs 0 0
Flow SPAN ACEs 256 0
Control Plane Entries 512 206
Tunnels 512 17
Lisp Instance Mapping Entries 512 3
Input Security Associations 256 0
Output Security Associations and Policies 256 5
SGT_DGT 8192/512 3/1
CLIENT_LE 4096/256 0/0
INPUT_GROUP_LE 1024 0
OUTPUT_GROUP_LE 1024 0
Macsec SPD 256 2
For later releases (17.x), the TrustSec utilization is shown with the command below:
Prompt-Cat9300#show platform hardware fed switch active sgacl resource usage
SGACL RESOURCE DETAILS ASIC :#0
================================
Percent Thresholds
Hardware Resource MAX Used Used Upper Lower
---------------------------------------------------------------------------
CTS Cell Matrix Config : 80 70
CTS Cell Matrix Entries : 8192 6 0 Normal
CTS Cell Overflow Entries : 512 1 0
Policy Configuration : 80 70
Policy Entries : 256 6 2 Normal
DGT Config : 80 70
DGT Entries : 4096 4 0 Normal
Security ACL Configured : 80 70
Security ACL Entries : 5120 233 4 Normal
Total Percent
SGACL TCAM Entries Used Used
------------------------------------------------------------------
Output PRE SGACL : 4 1
Output SGACL : 44 9
Output SGACL DEFAULT : 3 1
Prompt-Cat9300#show platform software cts forwarding-manager switch active F0
SGT Binding Table
Number of bindings: 5
SGT Binding Table
10.4.21.2/32
SGT Src: 2
SGT Dst: 2
10.3.25.2/32
SGT Src: 2
SGT Dst: 2
1.1.1.6/32
SGT Src: 2
SGT Dst: 2
SGT Binding Table
10.6.10.254/32
SGT Src: 2
SGT Dst: 2
10.6.12.254/32
SGT Src: 2
SGT Dst: 2
SGT Binding Table
Prompt-Cat9300#show platform software cts forwarding-manager switch active F0 port
Forwarding Manager Interfaces CTS Information
Name ID CTS Enable Trusted Propagate SGT value
-----------------------------------------------------------------------------------
GigabitEthernet1/0/10 18 0 0 0 0
GigabitEthernet1/0/1 9 0 0 0 0
GigabitEthernet1/0/2 10 0 0 0 0
GigabitEthernet1/0/3 11 0 0 0 0
GigabitEthernet1/0/4 12 0 0 0 0
GigabitEthernet1/0/5 13 0 0 0 0
GigabitEthernet1/0/6 14 0 0 0 0
GigabitEthernet1/0/7 15 0 0 0 0
GigabitEthernet1/0/8 16 0 0 0 0
GigabitEthernet1/0/9 17 0 0 0 0
GigabitEthernet1/0/11 19 0 0 0 0
GigabitEthernet1/0/12 20 0 0 0 0
GigabitEthernet1/0/13 21 0 0 0 0
GigabitEthernet1/0/14 22 0 0 0 0
GigabitEthernet1/0/15 23 0 0 0 0
GigabitEthernet1/0/16 24 0 0 0 0
GigabitEthernet1/0/17 25 0 0 0 0
GigabitEthernet1/0/18 26 0 0 0 0
GigabitEthernet1/0/19 27 0 0 0 0
GigabitEthernet1/0/20 28 0 0 0 0
GigabitEthernet1/0/21 29 0 0 0 0
GigabitEthernet1/0/22 60 0 0 0 0
GigabitEthernet1/0/23 31 0 0 0 0
GigabitEthernet1/0/24 32 0 0 0 0
GigabitEthernet1/1/1 33 0 0 0 0
GigabitEthernet1/1/2 34 0 0 0 0
GigabitEthernet1/1/3 35 0 0 0 0
TenGigabitEthernet1/1/2 61 0 0 0 0
AppGigabitEthernet1/0/1 49 0 0 0 0
GigabitEthernet1/1/4 36 0 0 0 0
TenGigabitEthernet1/1/1 37 0 0 0 0
TenGigabitEthernet1/1/3 39 0 0 0 0
TenGigabitEthernet1/1/4 40 0 0 0 0
TenGigabitEthernet1/1/5 41 0 0 0 0
TenGigabitEthernet1/1/6 42 0 0 0 0
TenGigabitEthernet1/1/7 43 0 0 0 0
TenGigabitEthernet1/1/8 44 0 0 0 0
FortyGigabitEthernet1/1/1 45 0 0 0 0
FortyGigabitEthernet1/1/2 46 0 0 0 0
TwentyFiveGigE1/1/1 47 0 0 0 0
Forwarding Manager Interfaces CTS Information
Name ID CTS Enable Trusted Propagate SGT value
-----------------------------------------------------------------------------------
TwentyFiveGigE1/1/2 48 0 0 0 0
Vlan1 51 0 0 0 0
Vlan1021 62 0 0 0 0
Vlan1022 63 0 0 0 0
Vlan1023 64 0 0 0 0
Vlan1024 65 0 0 0 0
Vlan1025 66 0 0 0 0
Prompt-Cat9300#show platform software cts forwarding-manager switch active F0 permissions
Forwarding Manager CTS permissions Information
sgt dgt ACL Group Name
---------------------------------------------------
9 34 V4SGACL;200
18 34 V4SGACL2100
18 36 V4SGACL2100
29 34 V4SGACL;200
31 34 V4SGACL2100
36 34 V4SGACL2100
65535 65535 V4SGACL2100
9 34 V6SGACL?200
18 34 V6SGACL3100
18 36 V6SGACL3100
29 34 V6SGACL?200
31 34 V6SGACL3100
36 34 V6SGACL3100
65535 65535 V6SGACL3100
Prompt-Cat9300#show platform software classification switch active F0 class-group-manager class-group client acl all
QFP classification class client all group
class-group [ACL:1] sisf v6acl 0001DF9F
class-group [ACL:2] sisf v4acl 0001DF9F
class-group [ACL:3] ACL_WEBAUTH_REDIRECT
class-group [ACL:4] AutoConf-4.0-Acl-Default
class-group [ACL:5] IPV4_CRITICAL_AUTH_ACL
class-group [ACL:6] IPV4_PRE_AUTH_ACL
class-group [ACL:7] IPV6_CRITICAL_AUTH_ACL
class-group [ACL:8] IPV6_PRE_AUTH_ACL
class-group [ACL:9] IP-Adm-V4-Int-ACL-global
class-group [ACL:10] IP-Adm-V6-Int-ACL-global
class-group [ACL:11] preauth_v4
class-group [ACL:12] preauth_v6
class-group [ACL:14] implicit_permit
class-group [ACL:15] implicit_deny_v6
class-group [ACL:16] implicit_permit_v6
class-group [ACL:17] implicit_deny
class-group [ACL:18] Permit IP-00
class-group [ACL:19] Permit IP-00-ipv6
class-group [ACL:43] DenyRemoteServices-04
class-group [ACL:47] DenyRemoteServices-04-ipv6
Prompt-Cat9300#show platform software status control-processor brief
Load Average
Slot Status 1-Min 5-Min 15-Min
1-RP0 Unknown 0.06 0.12 0.10
Memory (kB)
Slot Status Total Used (Pct) Free (Pct) Committed (Pct)
1-RP0 Healthy 7713268 2153520 (28%) 5559748 (72%) 2412960 (31%)
CPU Utilization
Slot CPU User System Nice Idle IRQ SIRQ IOwait
1-RP0 0 4.40 0.20 0.00 95.40 0.00 0.00 0.00
1 2.40 0.20 0.00 97.40 0.00 0.00 0.00
2 1.39 0.29 0.00 98.30 0.00 0.00 0.00
3 2.40 0.30 0.00 97.30 0.00 0.00 0.00
4 0.00 0.00 0.00 100.00 0.00 0.00 0.00
5 1.10 0.10 0.00 98.79 0.00 0.00 0.00
6 0.10 0.00 0.00 99.90 0.00 0.00 0.00
7 0.10 0.00 0.00 99.90 0.00 0.00 0.00
The 'monitor capture' command is very useful here: a capture on the uplink shows whether the SGT is actually being carried in the VXLAN GBP header (the Group Policy ID field) of the encapsulated traffic, which is what the remote side enforces on.
Prompt-Cat9300#monitor capture <name> interface g1/0/24 both
Prompt-Cat9300#monitor capture <name> match any
Prompt-Cat9300#monitor capture <name> start
Prompt-Cat9300#monitor capture <name> stop
Capture statistics collected at software:
Capture duration - 21 seconds
Packets received - 168
Packets dropped - 0
Packets oversized - 0
Bytes dropped in asic - 0
Prompt-Cat9300#show monitor capture <name> buffer
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
1 0.000000 10.4.1.117 -> 10.5.1.108 ICMP 124 Echo (ping) reply id=0x0008, seq=44279/63404, ttl=127
2 0.108862 10.4.1.113 -> 10.5.1.109 ICMP 124 Echo (ping) reply id=0x0008, seq=26717/23912, ttl=127
3 0.110106 10.4.1.119 -> 10.5.1.102 ICMP 124 Echo (ping) reply id=0x0008, seq=28341/46446, ttl=127
Prompt-Cat9300#show monitor capture <name> buffer detailed
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
Frame 1: 124 bytes on wire (992 bits), 124 bytes captured (992 bits) on interface 0
Interface id: 0 (/tmp/epc_ws/wif_to_ts_pipe)
Encapsulation type: Ethernet (1)
Arrival Time: Nov 29, 2019 17:06:04.687882000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1575047164.687882000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 124 bytes (992 bits)
Capture Length: 124 bytes (992 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:vxlan:eth:ethertype:ip:icmp:data]
Ethernet II, Src: 00:00:0c:9f:10:66 (00:00:0c:9f:10:66), Dst: 04:6c:9d:1f:88:66 (04:6c:9d:1f:88:66)
Destination: 04:6c:9d:1f:88:66 (04:6c:9d:1f:88:66)
Address: 04:6c:9d:1f:88:66 (04:6c:9d:1f:88:66)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 00:00:0c:9f:10:66 (00:00:0c:9f:10:66)
Address: 00:00:0c:9f:10:66 (00:00:0c:9f:10:66)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 1.1.1.4, Dst: 1.1.1.6
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 110
Identification: 0x0451 (1105)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 127
Protocol: UDP (17)
Header checksum: 0xf322 [validation disabled]
[Good: False]
[Bad: False]
Source: 1.1.1.4
Destination: 1.1.1.6
User Datagram Protocol, Src Port: 65283 (65283), Dst Port: 4789 (4789)
Source Port: 65283
Destination Port: 4789
Length: 90
Checksum: 0x0000 (none)
[Good Checksum: False]
[Bad Checksum: False]
[Stream index: 0]
Virtual eXtensible Local Area Network
Flags: 0x8800, GBP Extension, VXLAN Network ID (VNI)
1... .... .... .... = GBP Extension: Defined
.... .... .0.. .... = Don't Learn: False
.... 1... .... .... = VXLAN Network ID (VNI): True
.... .... .... 0... = Policy Applied: False
.000 .000 0.00 .000 = Reserved(R): False
Group Policy ID: 20
VXLAN Network Identifier (VNI): 4099
Reserved: 0
Ethernet II, Src: 00:00:0c:9f:00:00 (00:00:0c:9f:00:00), Dst: ba:25:cd:f4:ad:38 (ba:25:cd:f4:ad:38)
Destination: ba:25:cd:f4:ad:38 (ba:25:cd:f4:ad:38)
Address: ba:25:cd:f4:ad:38 (ba:25:cd:f4:ad:38)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 00:00:0c:9f:00:00 (00:00:0c:9f:00:00)
Address: 00:00:0c:9f:00:00 (00:00:0c:9f:00:00)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.4.1.117, Dst: 10.5.1.108
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 60
Identification: 0x3b93 (15251)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 127
Protocol: ICMP (1)
Header checksum: 0xe944 [validation disabled]
[Good: False]
[Bad: False]
Source: 10.4.1.117
Destination: 10.5.1.108
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)
Code: 0
Checksum: 0xa85c [correct]
Identifier (BE): 8 (0x0008)
Identifier (LE): 2048 (0x0800)
Sequence number (BE): 44279 (0xacf7)
Sequence number (LE): 63404 (0xf7ac)
Data (32 bytes)
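The dissection above is the check that matters for SGT propagation over the fabric: the VXLAN flags carry the G bit (GBP extension, 0x80 in the first flag byte) and the I bit (VNI valid, 0x08), and the 16-bit Group Policy ID that follows is the SGT (20 here, with VNI 4099). As an added example that is not code from the Cisco page, the following Python walks an outer Ethernet/IPv4/UDP/VXLAN frame exactly that way and reports the SGT only when the G bit is set, so a frame whose GBP extension is missing shows up as "no SGT" rather than as SGT 0. The sample frame is constructed from the field values in the capture (MACs, IPs, ports, VNI, Group Policy ID); the 32 ICMP data bytes are made up and the checksums are computed here, so they do not match the page's values.

```python
"""Decode the VXLAN-GBP header of a captured frame to confirm the SGT is
carried inline.  Added example, not code from the Cisco page; the sample
frame is constructed from the field values shown in the capture."""
import struct
from ipaddress import IPv4Address

VXLAN_PORT = 4789
FLAG_GBP = 0x80            # first VXLAN flag byte, G bit: GBP extension present
FLAG_VNI_VALID = 0x08      # first VXLAN flag byte, I bit: VNI field valid
GBP_DONT_LEARN = 0x40      # second flag byte, D bit
GBP_POLICY_APPLIED = 0x08  # second flag byte, A bit


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over an even-length byte string."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_vxlan_gbp(frame: bytes) -> dict:
    """Walk outer Ethernet/IPv4/UDP, decode VXLAN(-GBP), then the inner IPv4 addresses."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    if frame[ip + 9] != 17:
        raise ValueError("outer transport is not UDP")
    udp = ip + ihl
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", frame[udp:udp + 8])
    if dport != VXLAN_PORT:
        raise ValueError("UDP destination port %d is not VXLAN" % dport)
    vx = udp + 8
    flags_hi, flags_lo, gpid, vni_res = struct.unpack("!BBHI", frame[vx:vx + 8])
    if not flags_hi & FLAG_VNI_VALID:
        raise ValueError("VXLAN I bit clear: VNI not valid")
    gbp = bool(flags_hi & FLAG_GBP)
    info = {
        "outer_src": str(IPv4Address(frame[ip + 12:ip + 16])),
        "outer_dst": str(IPv4Address(frame[ip + 16:ip + 20])),
        "vni": vni_res >> 8,          # VNI is the upper 24 bits, low byte reserved
        "gbp": gbp,
        # the Group Policy ID (SGT) is only meaningful when the G bit is set
        "sgt": gpid if gbp else None,
        "dont_learn": bool(flags_lo & GBP_DONT_LEARN) if gbp else None,
        "policy_applied": bool(flags_lo & GBP_POLICY_APPLIED) if gbp else None,
    }
    inner = vx + 8
    if struct.unpack("!H", frame[inner + 12:inner + 14])[0] == 0x0800:
        iip = inner + 14
        info["inner_src"] = str(IPv4Address(frame[iip + 12:iip + 16]))
        info["inner_dst"] = str(IPv4Address(frame[iip + 16:iip + 20]))
        info["inner_proto"] = frame[iip + 9]
    return info


def ipv4_header(src, dst, payload_len, proto, ident, df, ttl=127) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000 if df else 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def build_sample_frame(sgt=20) -> bytes:
    """Constructed frame mirroring the capture; pass sgt=None for plain VXLAN without GBP."""
    icmp = struct.pack("!BBHHH", 0, 0, 0, 8, 44279) + bytes(range(32))  # echo reply, made-up data
    icmp = icmp[:2] + struct.pack("!H", ones_complement_sum(icmp)) + icmp[4:]
    inner_ip = ipv4_header("10.4.1.117", "10.5.1.108", len(icmp), 1, 0x3B93, df=False)
    inner_eth = bytes.fromhex("ba25cdf4ad38" "00000c9f0000" "0800")
    if sgt is None:
        vxlan = struct.pack("!BBHI", FLAG_VNI_VALID, 0, 0, 4099 << 8)
    else:
        vxlan = struct.pack("!BBHI", FLAG_GBP | FLAG_VNI_VALID, 0, sgt, 4099 << 8)
    payload = vxlan + inner_eth + inner_ip + icmp
    udp = struct.pack("!HHHH", 65283, VXLAN_PORT, 8 + len(payload), 0) + payload  # UDP csum 0 = none
    outer_ip = ipv4_header("1.1.1.4", "1.1.1.6", len(udp), 17, 0x0451, df=True)
    outer_eth = bytes.fromhex("046c9d1f8866" "00000c9f1066" "0800")
    return outer_eth + outer_ip + udp


if __name__ == "__main__":
    print(parse_vxlan_gbp(build_sample_frame()))
    print(parse_vxlan_gbp(build_sample_frame(sgt=None)))
```

To use it on a real capture, export the buffer with `monitor capture <name> export` and read the pcap with any pcap library, feeding each raw frame to `parse_vxlan_gbp`. A frame that decodes with `gbp` False means the encapsulating node is not propagating the SGT at all, which is a different problem from an SGACL deny and is where the `show platform software fed switch active sgacl port` and `... cts forwarding-manager ... port` outputs above (Propagate column) should be checked next.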