Судьба пакета. Cisco IOS XE
- 14.03.2017
- 1045
Автор
Сергей Калашников, CCIE
Технический директор
Диагностику многих проблем на маршрутизаторе Cisco с операционной системой IOS XE можно начать с Packet Trace. Это трассировка обработки пакета внутри маршрутизатора, появившаяся не так давно. Ранее такой функционала был доступен только на межсетевых экранах ASA. Кто использовал packet-tracer на ASA, согласится – очень удобный инструмент. Теперь его аналог появился и на современных маршрутизаторах (ISR 4000, ASR, CSR).
Заметку я построю на живых примерах. Так проще получить представление о IOS-XE Packet Trace. Детали всегда можно найти на сайте вендора. Жаль, что там пока не много информации на этот счёт. По ходу нашего погружения вы поймёте, о чём я.
В качестве подопытного имеем маршрутизатор ISR 4000 (про специфику работы ISR 4000 и IOS XE я уже писал на сайте). На нём настроен ряд технологий: статическая маршрутизация, PfR, PBR, трансляция адресов (NAT), межсетевой экран ZFW, ACL на интерфейсах, Flexible NetFlow, NBAR2, IPSec, GRE, VTI и прочее. Всё это сделает трассировку более насыщенной и приближённой к реальной эксплуатации.
Есть множество технологий и у каждой свой метод отладки. Чтобы не тратить время и сразу определить, где искать причину проблемы, как раз и пригодится Packet Trace.
Наблюдать будем за ICMP пакетом (echo request), отправленным с адреса 192.168.20.8 на 8.8.8.8.
Активация трассировки состоит из двух частей. Для начала запускаем условный отладчик (conditional debug). Именно в нём мы указываем, какие пакеты нас интересуют. В нашем случае это трафик, описываемый ACL 199 и поступающий на маршрутизатор через интерфейс GigabitEthernet0/0/0:
access-list 199 permit icmp host 192.168.20.8 host 8.8.8.8
debug platform condition interf GigabitEthernet0/0/0 ipv4 access-list 199 ingress
debug platform condition start
Условный отладчик используется не только для работы packet trace. Этот инструмент позволяет эффективно фильтровать лог-сообщения и сообщения отладчика (debug) на этапе их генерации. Мы можем задать условия и видеть записи, касающиеся только того, что нам нужно.
Далее включаем непосредственно packet trace. Указываем буфер и глубину трассировки. Минимально – 16 пакетов. Глубина: базовая (path-trace) или расширенная (fia-trace). В случае расширенной мы получим детальный вывод работы всех функций внутри процесса QFP. Именно он отвечает за передачу пакетов (datapath).
debug platform packet-trace packet 16 fia-trace
debug platform packet-trace enable
По сравнению с ASA packet-tracer синтаксис, конечно, не такой удобный.
ASA packet-tracer может сам генерировать пакеты для дальнейшей трассировки. IOS-XE Packet Trace этого делать не умеет. Для его работы, необходимо, чтобы пакет откуда-нибудь пришёл.
Команды для чистки хвостов. Пригодятся, когда со всем закончим.
no debug platform packet-trace enable
clear platform packet-trace statistics
clear platform condition all
Всё настроено. Запускаем пинг, чтобы нужный нам пакет прошёл через маршрутизатор.
Смотрим общий вывод по пакетам, попавшим в packet trace.
cbs-4000#show platform packet-trace summary
Pkt Input Output State Reason
0 Gi0/0/0 Gi0/0/1.5 FWD
Он у нас один. Пришёл через интерфейс Gi0/0/0 и был передан дальше (состояние FWD) через Gi0/0/1.5.
Смотрим трассировку его обработки
cbs-4000#show platform packet-trace packet 0
Packet: 0 CBUG ID: 8
Summary
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
State : FWD
Timestamp
Start : 6495209991683323 ns (02/18/2017 11:59:43.176192 UTC)
Stop : 6495209991814307 ns (02/18/2017 11:59:43.176323 UTC)
Path Trace
Feature: IPV4 <=================
Input : GigabitEthernet0/0/0 <=================
Output : GigabitEthernet0/0/0 <=================
Source : 192.168.20.8 <=================
Destination : 8.8.8.8 <=================
Protocol : 1 (ICMP) <=================
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT
Lapsed time : 4960 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
Lapsed time : 5280 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
Lapsed time : 1600 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4a140 - IPV4_INPUT_ACL
Lapsed time : 40160 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
Lapsed time : 960 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
Lapsed time : 1440 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x0000008c
input vrf_idx : 0
calling feature : STILE
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 236
cft_bucket_number : 566799
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8 <=================
tuple.dst_ip : 8.8.8.8 <=================
tuple.src_port : 61609 <=================
tuple.dst_port : 161 <=================
tuple.vrfid : 0
tuple.l4_protocol : ICMP <=================
tuple.l3_protocol : IPV4 <=================
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 236
returned cft_error : 14
returned fid : 0x00000000
Feature: NBAR
Packet number in flow: N/A
Classification state: Final
Classification name: ping
Classification ID: [CANA-L7:479]
Number of matched sub-classifications: 0
Number of extracted fields: 0
Is PA (split) packet: False
TPH-MQC bitmask value: 0x0
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
Lapsed time : 226240 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
Lapsed time : 66880 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS
Lapsed time : 2560 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x00000084
input vrf_idx : 0
calling feature : FNF
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 236
cft_bucket_number : 566799
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 8.8.8.8
tuple.src_port : 61609
tuple.dst_port : 161
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 236
returned cft_error : 14
returned fid : 0x00000000
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
Lapsed time : 21120 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
Lapsed time : 119520 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e8c - IPV4_INPUT_VFR
Lapsed time : 1280 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
Lapsed time : 3840 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x00000080
input vrf_idx : 0
calling feature : CENT
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 236
cft_bucket_number : 566799
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 8.8.8.8
tuple.src_port : 61609
tuple.dst_port : 161
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 236
returned cft_error : 14
returned fid : 0x00000000
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
Lapsed time : 40640 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d7ff70 - IPV4_INPUT_PBR <=================
Lapsed time : 34720 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS <=================
Lapsed time : 2560 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0 <=================
Output : GigabitEthernet0/0/1.5 <=================
Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS <=================
Lapsed time : 4160 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL
Lapsed time : 1280 ns
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL
Lapsed time : 218880 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE
Lapsed time : 2560 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS
Lapsed time : 1120 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE
Lapsed time : 4480 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81131e98 - IPV4_OUTPUT_VFR
Lapsed time : 1920 ns
Feature: ZBFW <=================
Action : Fwd <=================
Zone-pair name : in-out1 <=================
Class-map name : CM-FW_in-out <=================
Input interface : GigabitEthernet0/0/0 <=================
Egress interface: GigabitEthernet0/0/1.5 <=================
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT
Lapsed time : 721760 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE
Lapsed time : 3680 ns
Feature: NAT <=================
Direction : IN to OUT <=================
Action : Translate Source <=================
Old Address : 192.168.20.8 00001 <=================
New Address : 87.87.87.87 00033 <=================
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA
Lapsed time : 54880 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE
Lapsed time : 1600 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81131e9c - IPV4_VFR_REFRAG
Lapsed time : 960 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x0000008c
input vrf_idx : 0
calling feature : STILE
direction : Output
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 238
cft_bucket_number : 566799
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 87.87.87.87
tuple.dst_ip : 8.8.8.8
tuple.src_port : 61609
tuple.dst_port : 161
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 238
returned cft_error : 14
returned fid : 0x00000000
Feature: NBAR
Packet number in flow: N/A
Classification state: Final
Classification name: ping
Classification ID: [CANA-L7:479]
Number of matched sub-classifications: 0
Number of extracted fields: 0
Is PA (split) packet: False
TPH-MQC bitmask value: 0x0
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT
Lapsed time : 137600 ns
Feature: IPSec <=================
Result : IPSEC_RESULT_DENY <=================
Action : SEND_CLEAR <=================
SA Handle : 0
Peer Addr : 8.8.8.8 <=================
Local Addr: 87.87.87.87 <=================
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY
Lapsed time : 50560 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE
Lapsed time : 7040 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE
Lapsed time : 7040 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81131e74 - IPV4_OUTPUT_SRC_LOOKUP_CONSUME
Lapsed time : 1120 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81131ec4 - IPV4_OUTPUT_FRAG
Lapsed time : 960 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY
Lapsed time : 13600 ns
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d6d914 - IPV4_OUTPUT_FNF_FINAL
Lapsed time : 112800 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT
Lapsed time : 41440 ns
Объём трассировки напрямую зависит от настроенных функций. Если бы у нас была только маршрутизация, данных было бы существенно меньше.
Часть названий понятна. Но присутствуют этапы, декодировать которые достаточно непросто. Документация вендора пока в этом плане не сильно помогает.
Выделим наиболее интересные моменты
1. Информация, идентифицирующая наш поток (flow) данных:
Feature: CFT
…
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 8.8.8.8
tuple.src_port : 61609
tuple.dst_port : 161
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
Данные хранят в таблице CFT (Common Flow Table). Их используют технологии, которые оперируют в своей работе информацией о каждом потоке (Netflow, NBAR, PfR и пр.). Таблица CFT необходима, чтобы не хранить избыточную информацию.
2. Определение исходящего интерфейса:
Когда пакет только попал на маршрутизатор, исходящий интерфейс не определён. Подставляется входящий:
Feature: IPV4
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Source : 192.168.20.8
Destination : 8.8.8.8
Protocol : 1 (ICMP)
После того как определено, куда дальше слать пакет (выполнена функция маршрутизации), исходящий интерфейс меняется:
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
Lapsed time : 4160 ns
3. Данные об обработке пакета межсетевым экраном ZFW:
Feature: ZBFW
Action : Fwd
Zone-pair name : in-out1
Class-map name : CM-FW_in-out
Input interface : GigabitEthernet0/0/0
Egress interface: GigabitEthernet0/0/1.5
Мы сразу видим, между какими зонами проходил пакет, и в какой класс он попал. Это достаточно удобно, так как конфигурация ZFW зачастую очень запутана.
4. Информация о трансляции адресов:
Feature: NAT
Direction : IN to OUT
Action : Translate Source
Old Address : 192.168.20.8 00001
New Address : 87.87.87.87 00033
Адрес назначения в пакете был заменён на 87.87.87.87.
5. Так как на нашем маршрутизаторе настроен IPSec, будет отмечено, попал ли в него пакет:
Feature: IPSec
Result : IPSEC_RESULT_DENY
Action : SEND_CLEAR
SA Handle : 0
Peer Addr : 8.8.8.8
Local Addr: 87.87.87.87
Нет, не попал.
В трейсах представлено достаточно много дополнительной информации. Например, IPV4_INPUT_PBR сигнализирует о том, что пакет прошёл через PBR. Но информации, был ли применен PBR или пакет передан на обработку стандартным правилам маршрутизации, в этом разделе мы не найдём. В нашем случае пакет не попал под правила PBR. Запись IPV4_INPUT_TCP_ADJUST_MSS говорит о том, что на интерфейсе настроена команда ip tcp adjust-mss. При этом, как и в предыдущем примере, никаких деталей мы не получаем.
Большая часть информации, выводимой устройством, не представляет интереса. Однако ситуация будет меняться, когда с пакетом что-то пойдёт не так.
Ситуация №1. Пакет отброшен ACL на входном интерфейсе
cbs-4000#show platform packet-trace summary
Pkt Input Output State Reason
0 Gi0/0/0 Gi0/0/0 DROP 8 (Ipv4Acl)
Пакет был отброшен (DROP), так как сработал ACL (Ipv4Acl).
Трассировка обработки пакета
cbs-4000#show platform packet-trace packet 0
Packet: 0 CBUG ID: 35
Summary
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
State : DROP 8 (Ipv4Acl)
Timestamp
Start : 6515970748260480 ns (02/18/2017 17:45:43.568889 UTC)
Stop : 6515970748313558 ns (02/18/2017 17:45:43.568942 UTC)
Path Trace
Feature: IPV4
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Source : 192.168.20.8
Destination : 8.8.8.8
Protocol : 1 (ICMP)
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT
Lapsed time : 6560 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
Lapsed time : 5920 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
Lapsed time : 1440 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d8375c - STILE_LEGACY_DROP_EXT
Lapsed time : 3680 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d7b554 - INGRESS_MMA_LOOKUP_DROP_EXT
Lapsed time : 63040 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d6e0f8 - INPUT_DROP_FNF_AOR_EXT
Lapsed time : 8320 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d6dc44 - INPUT_FNF_DROP_EXT
Lapsed time : 324800 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d6e6c8 - INPUT_DROP_FNF_AOR_RELEASE_EXT
Lapsed time : 8320 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81128ebc - INPUT_DROP_EXT <=================
Lapsed time : 1920 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4a140 - IPV4_INPUT_ACL <=================
Lapsed time : 794240 ns
INPUT_DROP_EXT и IPV4_INPUT_ACL сообщают, что пакет был отброшен именно на входящем интерфейсе. Трейсы получились короткими, как жизнь пакета.
Ситуация №2. Пакет отброшен ACL на исходящем интерфейсе
cbs-4000#show platform packet-trace summary
Pkt Input Output State Reason
0 Gi0/0/0 Gi0/0/1.5 DROP 8 (Ipv4Acl)
И снова пакет не был передан (DROP) из-за ACL (Ipv4Acl). Теперь, правда, в качестве исходящего интерфейса фигурирует Gi0/0/1.5.
Трассировка обработки пакета
cbs-4000#show platform packet-trace packet 0
Packet: 0 CBUG ID: 33
Summary
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
State : DROP 8 (Ipv4Acl)
Timestamp
Start : 6515547984424423 ns (02/18/2017 17:38:40.479689 UTC)
Stop : 6515547984571057 ns (02/18/2017 17:38:40.479835 UTC)
Path Trace
Feature: IPV4
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Source : 192.168.20.8
Destination : 8.8.8.8
Protocol : 1 (ICMP)
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT
Lapsed time : 8320 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
Lapsed time : 4320 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
Lapsed time : 3520 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4a140 - IPV4_INPUT_ACL
Lapsed time : 43360 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
Lapsed time : 960 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
Lapsed time : 1280 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x0000008c
input vrf_idx : 0
calling feature : STILE
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 5
cft_bucket_number : 1591662
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 8.8.8.8
tuple.src_port : 443
tuple.dst_port : 57521
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 5
returned cft_error : 14
returned fid : 0x00000000
Feature: NBAR
Packet number in flow: N/A
Classification state: Final
Classification name: ping
Classification ID: [CANA-L7:479]
Number of matched sub-classifications: 0
Number of extracted fields: 0
Is PA (split) packet: False
TPH-MQC bitmask value: 0x0
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
Lapsed time : 222240 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
Lapsed time : 67200 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS
Lapsed time : 2240 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x00000084
input vrf_idx : 0
calling feature : FNF
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 5
cft_bucket_number : 1591662
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 8.8.8.8
tuple.src_port : 443
tuple.dst_port : 57521
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 5
returned cft_error : 14
returned fid : 0x00000000
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
Lapsed time : 22080 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
Lapsed time : 136320 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e8c - IPV4_INPUT_VFR
Lapsed time : 1280 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
Lapsed time : 2560 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x00000080
input vrf_idx : 0
calling feature : CENT
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 5
cft_bucket_number : 1591662
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 8.8.8.8
tuple.src_port : 443
tuple.dst_port : 57521
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 5
returned cft_error : 14
returned fid : 0x00000000
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
Lapsed time : 40160 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d7ff70 - IPV4_INPUT_PBR
Lapsed time : 39520 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS
Lapsed time : 1120 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
Lapsed time : 4320 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL
Lapsed time : 1920 ns
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL
Lapsed time : 274240 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE
Lapsed time : 2400 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS
Lapsed time : 1120 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE
Lapsed time : 2880 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81131e98 - IPV4_OUTPUT_VFR
Lapsed time : 1600 ns
Feature: ZBFW
Action : Fwd
Zone-pair name : in-out1
Class-map name : CM-FW_in-out
Input interface : GigabitEthernet0/0/0
Egress interface: GigabitEthernet0/0/1.5
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT
Lapsed time : 989760 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE
Lapsed time : 2720 ns
Feature: NAT
Direction : IN to OUT
Action : Translate Source
Old Address : 192.168.20.8 00001
New Address : 87.87.87.87 00036
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA
Lapsed time : 36800 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE
Lapsed time : 3200 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81131e9c - IPV4_VFR_REFRAG
Lapsed time : 1120 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x0000008c
input vrf_idx : 0
calling feature : STILE
direction : Output
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 7
cft_bucket_number : 1591662
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 87.87.87.87
tuple.dst_ip : 8.8.8.8
tuple.src_port : 443
tuple.dst_port : 57521
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 7
returned cft_error : 14
returned fid : 0x00000000
Feature: NBAR
Packet number in flow: N/A
Classification state: Final
Classification name: ping
Classification ID: [CANA-L7:479]
Number of matched sub-classifications: 0
Number of extracted fields: 0
Is PA (split) packet: False
TPH-MQC bitmask value: 0x0
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT
Lapsed time : 141920 ns
Feature: IPSec
Result : IPSEC_RESULT_DENY
Action : SEND_CLEAR
SA Handle : 0
Peer Addr : 8.8.8.8
Local Addr: 87.87.87.87
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY
Lapsed time : 46080 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE
Lapsed time : 2560 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81128eb8 - OUTPUT_DROP_EXT <=================
Lapsed time : 3360 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d4a144 - IPV4_OUTPUT_ACL <=================
Lapsed time : 121760 ns
В трейсах в самом конце мы обнаружим информацию о судьбе пакета: OUTPUT_DROP_EXT и IPV4_OUTPUT_ACL. Пакет практически вырвался из лап маршрутизатора, о чём свидетельствует прохождение большинства стадий обработки.
Ситуация №3. Пакет отброшен межсетевым экраном
cbs-4000#show platform packet-trace summary
Pkt Input Output State Reason
0 Gi0/0/0 Gi0/0/1.5 DROP 184 (FirewallPolicy)
Пакет отброшен (DROP). Причина – политики межсетевого экрана (FirewallPolicy).
Трассировка обработки пакета
cbs-4000#show platform packet-trace packet 0
Packet: 0 CBUG ID: 36
Summary
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
State : DROP 184 (FirewallPolicy)
Timestamp
Start : 6516783739710881 ns (02/18/2017 17:59:16.560339 UTC)
Stop : 6516783739809427 ns (02/18/2017 17:59:16.560438 UTC)
Path Trace
Feature: IPV4
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Source : 192.168.20.8
Destination : 8.8.8.8
Protocol : 1 (ICMP)
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT
Lapsed time : 8800 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
Lapsed time : 5440 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
Lapsed time : 1600 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4a140 - IPV4_INPUT_ACL
Lapsed time : 47360 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
Lapsed time : 960 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
Lapsed time : 1440 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x0000008c
input vrf_idx : 0
calling feature : STILE
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 135
cft_bucket_number : 875224
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 8.8.8.8
tuple.src_port : 56789
tuple.dst_port : 514
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 135
returned cft_error : 14
returned fid : 0x00000000
Feature: NBAR
Packet number in flow: N/A
Classification state: Final
Classification name: ping
Classification ID: [CANA-L7:479]
Number of matched sub-classifications: 0
Number of extracted fields: 0
Is PA (split) packet: False
TPH-MQC bitmask value: 0x0
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
Lapsed time : 202560 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
Lapsed time : 63360 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS
Lapsed time : 4640 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x00000084
input vrf_idx : 0
calling feature : FNF
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 135
cft_bucket_number : 875224
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 8.8.8.8
tuple.src_port : 56789
tuple.dst_port : 514
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 135
returned cft_error : 14
returned fid : 0x00000000
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
Lapsed time : 20640 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
Lapsed time : 127360 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e8c - IPV4_INPUT_VFR
Lapsed time : 1440 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
Lapsed time : 2720 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x00000080
input vrf_idx : 0
calling feature : CENT
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 135
cft_bucket_number : 875224
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 8.8.8.8
tuple.src_port : 56789
tuple.dst_port : 514
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 135
returned cft_error : 14
returned fid : 0x00000000
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
Lapsed time : 43840 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d7ff70 - IPV4_INPUT_PBR
Lapsed time : 37120 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS
Lapsed time : 1280 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
Lapsed time : 4800 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL
Lapsed time : 1760 ns
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL
Lapsed time : 255680 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE
Lapsed time : 2240 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS
Lapsed time : 960 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE
Lapsed time : 4160 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81131e98 - IPV4_OUTPUT_VFR
Lapsed time : 1760 ns
Feature: ZBFW <=================
Action : Drop <=================
Reason : ICMP policy drop:classify result <=================
Zone-pair name : in-out1 <=================
Class-map name : class-default <=================
Input interface : GigabitEthernet0/0/0 <=================
Egress interface: GigabitEthernet0/0/1.5 <=================
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x81128eb8 - OUTPUT_DROP_EXT <=================
Lapsed time : 640 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT <=================
Lapsed time : 639200 ns
Наличие сообщений OUTPUT_DROP_EXT и IPV4_OUTPUT_INSPECT показывает, что пакет отброшен политиками инспектирования, которое выполняется как раз МСЭ. Детали находим в информации по ZFW:
Feature: ZBFW
Action : Drop
Reason : ICMP policy drop:classify result
Zone-pair name : in-out1
Class-map name : class-default
Input interface : GigabitEthernet0/0/0
Egress interface: GigabitEthernet0/0/1.5
Reason сообщает о том, что пакет был классифицирован, как ICMP. Класс, в который попал пакет и где он был отброшен, - class-default.
Ситуация №4. Пакет маршрутизируется правилами PBR
cbs-4000#show platform packet-trace summary
Pkt Input Output State Reason
0 Gi0/0/0 Gi0/0/1.6 FWD
Пакет передан (FWD). Теперь исходящий интерфейс Gi0/0/1.6.
Трассировка обработки пакета
cbs-4000#show platform packet-trace packet 0
Packet: 0 CBUG ID: 36
Summary
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
State : FWD
Timestamp
Start : 6517659109765260 ns (02/18/2017 18:13:51.930393 UTC)
Stop : 6517659109927732 ns (02/18/2017 18:13:51.930556 UTC)
Path Trace
Feature: IPV4
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Source : 192.168.20.8
Destination : 8.8.8.8
Protocol : 1 (ICMP)
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT
Lapsed time : 10400 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
Lapsed time : 5440 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
Lapsed time : 1600 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4a140 - IPV4_INPUT_ACL
Lapsed time : 265600 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
Lapsed time : 1120 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
Lapsed time : 3680 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x0000008c
input vrf_idx : 0
calling feature : STILE
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 69
cft_bucket_number : 2000178
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 8.8.8.8
tuple.src_port : 57521
tuple.dst_port : 443
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 69
returned cft_error : 14
returned fid : 0x00000000
Feature: NBAR
Packet number in flow: N/A
Classification state: Final
Classification name: ping
Classification ID: [CANA-L7:479]
Number of matched sub-classifications: 0
Number of extracted fields: 0
Is PA (split) packet: False
TPH-MQC bitmask value: 0x0
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
Lapsed time : 223360 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
Lapsed time : 85440 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS
Lapsed time : 3040 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x00000084
input vrf_idx : 0
calling feature : FNF
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 69
cft_bucket_number : 2000178
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 8.8.8.8
tuple.src_port : 57521
tuple.dst_port : 443
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 69
returned cft_error : 14
returned fid : 0x00000000
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
Lapsed time : 19680 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
Lapsed time : 153600 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e8c - IPV4_INPUT_VFR
Lapsed time : 1120 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
Lapsed time : 2560 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x00000080
input vrf_idx : 0
calling feature : CENT
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 69
cft_bucket_number : 2000178
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 8.8.8.8
tuple.src_port : 57521
tuple.dst_port : 443
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 69
returned cft_error : 14
returned fid : 0x00000000
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
Lapsed time : 49600 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d7ff70 - IPV4_INPUT_PBR <=================
Lapsed time : 69760 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS
Lapsed time : 1440 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0 <=================
Output : GigabitEthernet0/0/1.6 <=================
Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
Lapsed time : 7840 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL
Lapsed time : 1600 ns
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL
Lapsed time : 280480 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE
Lapsed time : 3840 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS
Lapsed time : 960 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE
Lapsed time : 3840 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x81131e98 - IPV4_OUTPUT_VFR
Lapsed time : 5440 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x80d858a0 - IPV4_OUTPUT_TCP_ADJUST_MSS
Lapsed time : 1280 ns
Feature: ZBFW
Action : Fwd
Zone-pair name : in-out2
Class-map name : CM-FW_in-out
Input interface : GigabitEthernet0/0/0
Egress interface: GigabitEthernet0/0/1.6
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT
Lapsed time : 789120 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE
Lapsed time : 11200 ns
Feature: NAT
Direction : IN to OUT
Action : Translate Source
Old Address : 192.168.20.8
New Address : 62.62.62.62
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA
Lapsed time : 38400 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE
Lapsed time : 4000 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x81131e9c - IPV4_VFR_REFRAG
Lapsed time : 800 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x0000008c
input vrf_idx : 0
calling feature : STILE
direction : Output
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 71
cft_bucket_number : 2000178
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 62.62.62.62
tuple.dst_ip : 8.8.8.8
tuple.src_port : 57521
tuple.dst_port : 443
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 71
returned cft_error : 14
returned fid : 0x00000000
Feature: NBAR
Packet number in flow: N/A
Classification state: Final
Classification name: ping
Classification ID: [CANA-L7:479]
Number of matched sub-classifications: 0
Number of extracted fields: 0
Is PA (split) packet: False
TPH-MQC bitmask value: 0x0
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT
Lapsed time : 140160 ns
Feature: IPSec
Result : IPSEC_RESULT_DENY
Action : SEND_CLEAR
SA Handle : 0
Peer Addr : 8.8.8.8
Local Addr: 62.62.62.62
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY
Lapsed time : 66400 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE
Lapsed time : 3840 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE
Lapsed time : 13440 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x81131e74 - IPV4_OUTPUT_SRC_LOOKUP_CONSUME
Lapsed time : 1120 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x81131ec4 - IPV4_OUTPUT_FRAG
Lapsed time : 2240 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY
Lapsed time : 18720 ns
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x80d6d914 - IPV4_OUTPUT_FNF_FINAL
Lapsed time : 113440 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.6
Entry : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT
Lapsed time : 43680 ns
Если мы сравним трассировку пакета при маршрутизации стандартными правилами (статическая маршрутизация) и при маршрутизации правилами PBR, мы не увидим разницы. Изменятся только исходящий интерфейс, и адрес, подставляемый в NAT’е.
Ситуация №5. Пакет передаётся через VTI интерфейс
В этом примере пингуем адрес 172.28.0.1.
cbs-4000#show platform packet-trace summary
Pkt Input Output State Reason
0 Gi0/0/0 Gi0/0/1.5 FWD
Пакет передан (FWD). Исходящий интерфейс Gi0/0/1.5.
Трассировка обработки пакета
cbs-4000#show platform packet-trace packet 0
Packet: 0 CBUG ID: 50
Summary
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1.5
State : FWD
Timestamp
Start : 6665377802839987 ns (02/20/2017 11:15:48.257340 UTC)
Stop : 6665377803172303 ns (02/20/2017 11:15:48.257673 UTC)
Path Trace
Feature: IPV4
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Source : 192.168.20.8
Destination : 172.28.0.1
Protocol : 1 (ICMP)
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT
Lapsed time : 5600 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
Lapsed time : 4160 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
Lapsed time : 3040 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4a140 - IPV4_INPUT_ACL
Lapsed time : 19840 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
Lapsed time : 960 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
Lapsed time : 1280 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x0000008c
input vrf_idx : 0
calling feature : STILE
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 186
cft_bucket_number : 407373
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 172.28.0.1
tuple.src_port : 6603
tuple.dst_port : 443
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 186
returned cft_error : 14
returned fid : 0x00000000
Feature: NBAR
Packet number in flow: N/A
Classification state: Final
Classification name: ping
Classification ID: [CANA-L7:479]
Number of matched sub-classifications: 0
Number of extracted fields: 0
Is PA (split) packet: False
TPH-MQC bitmask value: 0x0
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
Lapsed time : 296480 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
Lapsed time : 43040 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS
Lapsed time : 2560 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x00000084
input vrf_idx : 0
calling feature : FNF
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 186
cft_bucket_number : 407373
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 172.28.0.1
tuple.src_port : 6603
tuple.dst_port : 443
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 186
returned cft_error : 14
returned fid : 0x00000000
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
Lapsed time : 20160 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
Lapsed time : 134400 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e8c - IPV4_INPUT_VFR
Lapsed time : 1120 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
Lapsed time : 3840 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x00000080
input vrf_idx : 0
calling feature : CENT
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 186
cft_bucket_number : 407373
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 172.28.0.1
tuple.src_port : 6603
tuple.dst_port : 443
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 186
returned cft_error : 14
returned fid : 0x00000000
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
Lapsed time : 45440 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d7ff70 - IPV4_INPUT_PBR
Lapsed time : 14080 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS
Lapsed time : 1280 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0 <=================
Output : Tunnel1 <=================
Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS <=================
Lapsed time : 5920 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL
Lapsed time : 1600 ns
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: OCE_TRACE
Type : OCE_ADJ_IPV4
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL
Lapsed time : 245440 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE
Lapsed time : 1760 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS
Lapsed time : 960 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE
Lapsed time : 4160 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x81131e98 - IPV4_OUTPUT_VFR
Lapsed time : 3040 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x80d858a0 - IPV4_OUTPUT_TCP_ADJUST_MSS
Lapsed time : 1280 ns
Feature: ZBFW <=================
Action : Fwd <=================
Zone-pair name : N/A <=================
Class-map name : N/A <=================
Input interface : GigabitEthernet0/0/0 <=================
Egress interface: Tunnel1 <=================
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT
Lapsed time : 30080 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE
Lapsed time : 2560 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE
Lapsed time : 1600 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x81131e9c - IPV4_VFR_REFRAG
Lapsed time : 800 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE
Lapsed time : 7360 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x81131ec4 - IPV4_OUTPUT_FRAG
Lapsed time : 640 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x80d6e1b8 - IPV4_TUNNEL_OUTPUT_FNF_AOR
Lapsed time : 3520 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x80d6d8e4 - IPV4_TUNNEL_OUTPUT_FNF_FINAL
Lapsed time : 1440 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x80d6e640 - IPV4_TUNNEL_OUTPUT_FNF_AOR_RELEASE
Lapsed time : 800 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x80d86ce8 - IPV4_TUNNEL_OUTPUT_FINAL
Lapsed time : 20640 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x80d86d30 - IPV4_OUTPUT_TUNNEL_PROTECTION_ENCRYPT <=================
Lapsed time : 7200 ns
Feature: IPSec <=================
Result : IPSEC_RESULT_SA <=================
Action : ENCRYPT <=================
SA Handle : 98 <=================
Peer Addr : 188.188.188.188 <=================
Local Addr: 87.87.87.87 <=================
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY_EXT
Lapsed time : 44480 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x80d7641c - IPV4_OUTPUT_IPSEC_DOUBLE_ACL_EXT
Lapsed time : 11200 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x80d763ec - IPV4_IPSEC_FEATURE_RETURN_EXT
Lapsed time : 4960 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x8113ac50 - IPV4_OUTPUT_IPSEC_INLINE_FRAG_CHK_EXT
Lapsed time : 7680 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x80d7635c - IPV4_OUTPUT_IPSEC_TUNNEL_RERUN_JUMP_EXT
Lapsed time : 4480 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x80d764ac - IPV4_OUTPUT_IPSEC_POST_PROCESS_EXT
Lapsed time : 12160 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x80d763ec - IPV4_IPSEC_FEATURE_RETURN_EXT
Lapsed time : 1600 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x80d763ec - IPV4_IPSEC_FEATURE_RETURN_EXT
Lapsed time : 1440 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x80d86cec - IPV4_TUNNEL_GOTO_OUTPUT
Lapsed time : 11680 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x80d86d98 - IPV4_TUNNEL_FW_CHECK_EXT
Lapsed time : 15040 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x81131e60 - IPV4_INPUT_DST_LOOKUP_ISSUE_EXT
Lapsed time : 8480 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x81131eb8 - IPV4_INPUT_ARL_EXT
Lapsed time : 5760 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x81131e6c - IPV4_INTERNAL_DST_LOOKUP_CONSUME_EXT
Lapsed time : 2880 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : Tunnel1
Entry : 0x80d86dc8 - IPV4_TUNNEL_ENCAP_FOR_US_EXT
Lapsed time : 5600 ns
Feature: FIA_TRACE
Input : Tunnel1 <=================
Output : GigabitEthernet0/0/1.5 <=================
Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT <=================
Lapsed time : 4000 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x81131f20 - IPV4_TUNNEL_ENCAP_GOTO_OUTPUT_FEATURE_EXT
Lapsed time : 11520 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x81131e98 - IPV4_OUTPUT_VFR
Lapsed time : 1440 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT
Lapsed time : 5120 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE
Lapsed time : 2240 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA
Lapsed time : 6400 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE
Lapsed time : 1440 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x81131e9c - IPV4_VFR_REFRAG
Lapsed time : 800 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x0000008c
input vrf_idx : 0
calling feature : STILE
direction : Output
triplet.vrf_idx : 0
triplet.network_start : 0x01004104
triplet.triplet_flags : 0x00000000
triplet.counter : 186
cft_bucket_number : 407373
cft_l3_payload_size : 100
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 87.87.87.87
tuple.dst_ip : 188.188.188.188
tuple.src_port : 6603
tuple.dst_port : 443
tuple.vrfid : 0
tuple.l4_protocol : 50
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 186
returned cft_error : 14
returned fid : 0x00000000
Feature: NBAR
Packet number in flow: N/A
Classification state: Final
Classification name: ipsec
Classification ID: [CANA-L7:9]
Number of matched sub-classifications: 0
Number of extracted fields: 0
Is PA (split) packet: False
TPH-MQC bitmask value: 0x0
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT
Lapsed time : 138080 ns
Feature: IPSec <=================
Result : IPSEC_RESULT_DENY <=================
Action : SEND_CLEAR <=================
SA Handle : 0
Peer Addr : 188.188.188.188 <=================
Local Addr: 87.87.87.87 <=================
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY
Lapsed time : 27840 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE
Lapsed time : 2880 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE
Lapsed time : 7520 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x81131e74 - IPV4_OUTPUT_SRC_LOOKUP_CONSUME
Lapsed time : 960 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x81131ec4 - IPV4_OUTPUT_FRAG
Lapsed time : 16800 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x8111ea94 - L2_REWRITE_AFTER_FRAG_WITHOUT_CLIP_EXT
Lapsed time : 11520 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY
Lapsed time : 12000 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x80d6d914 - IPV4_OUTPUT_FNF_FINAL
Lapsed time : 108320 ns
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT
Lapsed time : 49120 ns
Трейсы изменились, так как маршрутизация пакета усложнилась. Сначала он передаётся на туннельный интерфейс:
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : Tunnel1
Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
Lapsed time : 5920 ns
Далее срабатывают правила межсетевого экрана. Так как у нас входящий и туннельный интерфейсы находятся в одной зоне, проверки трафика не происходит (мы не попадаем ни в один из zone-pair):
Feature: ZBFW
Action : Fwd
Zone-pair name : N/A
Class-map name : N/A
Input interface : GigabitEthernet0/0/0
Egress interface: Tunnel1
После того как пакет попал в туннельный интерфейс, его необходимо зашифровать.
IPV4_OUTPUT_TUNNEL_PROTECTION_ENCRYPT
Feature: IPSec
Result : IPSEC_RESULT_SA
Action : ENCRYPT
SA Handle : 98
Peer Addr : 188.188.188.188
Local Addr: 87.87.87.87
Ещё раз происходит маршрутизация пакета, уже зашифрованного.
Feature: FIA_TRACE
Input : Tunnel1
Output : GigabitEthernet0/0/1.5
Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT
Lapsed time : 4000 ns
Пакет проходит через внешний интерфейс, где настроен IPSec (висит crypto-map). Хоть пакет уже зашифрован, система проверяет не попадает ли он в IPSec на исходящем интерфейсе.
Feature: IPSec
Result : IPSEC_RESULT_DENY
Action : SEND_CLEAR
SA Handle : 0
Peer Addr : 188.188.188.188
Local Addr: 87.87.87.87
Ситуация №6. Пакет передаётся на несуществующий next-hop (или отказавший)
cbs-4000#show platform packet-trace summary
Pkt Input Output State Reason
0 Gi0/0/0 internal0/0/rp:0 PUNT 10 (Incomplete adjacency)
Статус PUNT означает, что пакет не может быть обработан CEF'ом и передаётся на обработку процессором (process switching). Причина – маршрутизатор не обнаружил нужной записи в таблице adjacency для передачи пакета на соседний next-hop (Incomplete adjacency). Что логично, так как его нет.
Трассировка обработки пакета
cbs-4000#show platform packet-trace packet 0
Packet: 0 CBUG ID: 55
Summary
Input : GigabitEthernet0/0/0
Output : internal0/0/rp:0
State : PUNT 10 (Incomplete adjacency)
Timestamp
Start : 6668916530895154 ns (02/20/2017 12:14:46.985396 UTC)
Stop : 6668916530979351 ns (02/20/2017 12:14:46.985480 UTC)
Path Trace
Feature: IPV4
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Source : 192.168.20.8
Destination : 8.8.8.8
Protocol : 1 (ICMP)
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT
Lapsed time : 9760 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
Lapsed time : 5920 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
Lapsed time : 3200 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4a140 - IPV4_INPUT_ACL
Lapsed time : 15040 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
Lapsed time : 960 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
Lapsed time : 1440 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x0000008c
input vrf_idx : 0
calling feature : STILE
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 74
cft_bucket_number : 769995
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 8.8.8.8
tuple.src_port : 443
tuple.dst_port : 55391
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 74
returned cft_error : 14
returned fid : 0x00000000
Feature: NBAR
Packet number in flow: N/A
Classification state: Final
Classification name: ping
Classification ID: [CANA-L7:479]
Number of matched sub-classifications: 0
Number of extracted fields: 0
Is PA (split) packet: False
TPH-MQC bitmask value: 0x0
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
Lapsed time : 252800 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
Lapsed time : 48960 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS
Lapsed time : 4000 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x00000084
input vrf_idx : 0
calling feature : FNF
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 74
cft_bucket_number : 769995
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 8.8.8.8
tuple.src_port : 443
tuple.dst_port : 55391
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 74
returned cft_error : 14
returned fid : 0x00000000
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
Lapsed time : 20640 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
Lapsed time : 127520 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x81131e8c - IPV4_INPUT_VFR
Lapsed time : 1280 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
Lapsed time : 2560 ns
Feature: CFT
API : cft_handle_pkt
packet capabilities : 0x00000080
input vrf_idx : 0
calling feature : CENT
direction : Input
triplet.vrf_idx : 0
triplet.network_start : 0x01003f8e
triplet.triplet_flags : 0x00000000
triplet.counter : 74
cft_bucket_number : 769995
cft_l3_payload_size : 40
cft_pkt_ind_flags : 0x00000000
cft_pkt_ind_valid : 0x00000931
tuple.src_ip : 192.168.20.8
tuple.dst_ip : 8.8.8.7
tuple.src_port : 443
tuple.dst_port : 55391
tuple.vrfid : 0
tuple.l4_protocol : ICMP
tuple.l3_protocol : IPV4
pkt_sb_state : 0
pkt_sb.num_flows : 0
pkt_sb.tuple_epoch : 74
returned cft_error : 14
returned fid : 0x00000000
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
Lapsed time : 39360 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d7ff70 - IPV4_INPUT_PBR
Lapsed time : 43680 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/0
Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS
Lapsed time : 1120 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0 <=================
Output : GigabitEthernet0/0/1 <=================
Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS <=================
Lapsed time : 135360 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0 <=================
Output : internal0/0/rp:0 <=================
Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT <=================
Lapsed time : 30240 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : internal0/0/rp:0
Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL_EXT
Lapsed time : 8640 ns
Feature: OCE_TRACE
Type : OCE_ADJ_PUNT
Feature: OCE_TRACE
Type : OCE_ADJ_PUNT
Feature: OCE_TRACE
Type : OCE_ADJ_PUNT
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : internal0/0/rp:0
Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL_EXT
Lapsed time : 277600 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : internal0/0/rp:0
Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE_EXT
Lapsed time : 6720 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : internal0/0/rp:0
Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS_EXT
Lapsed time : 2560 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : internal0/0/rp:0
Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE_EXT
Lapsed time : 11200 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : internal0/0/rp:0
Entry : 0x81131ef4 - IPV4_INTERNAL_ARL_SANITY_EXT
Lapsed time : 10560 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : internal0/0/rp:0
Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT_EXT
Lapsed time : 12160 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : internal0/0/rp:0
Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE_EXT
Lapsed time : 1600 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : internal0/0/rp:0
Entry : 0x81131e9c - IPV4_VFR_REFRAG_EXT
Lapsed time : 2240 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : internal0/0/rp:0
Entry : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY_EXT
Lapsed time : 24320 ns
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0 <=================
Output : internal0/0/rp:0 <=================
Entry : 0x8112ce90 - INTERNAL_TRANSMIT_PKT_EXT <=================
Lapsed time : 137440 ns
Для пакета определён исходящий интерфейс:
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : GigabitEthernet0/0/1
Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
Lapsed time : 135360 ns
Но так как в CEF нет нужных записей, он отправляется на обработку процессором (internal0/0/rp:0):
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : internal0/0/rp:0
Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT
Lapsed time : 30240 ns
Запись, свидетельствующая о факте передаче пакета процессору (INTERNAL_TRANSMIT):
Feature: FIA_TRACE
Input : GigabitEthernet0/0/0
Output : internal0/0/rp:0
Entry : 0x8112ce90 - INTERNAL_TRANSMIT_PKT_EXT
Lapsed time : 137440 ns
Packet Trace предоставляет нам данные по обработке пакета в QFP. Это значит, что как только пакет попал в распоряжение ЦПУ, наши трейсы больше не помогут. В этом случае можно попробовать использовать debug ip packet. Но с этим отладчиком нужно быть очень аккуратными.
Заключение
Приведенные примеры наглядно демонстрируют, что IOS XE Packet Trace во многих ситуациях позволит нам достаточно оперативно понять, где засахарилось. Дальше, владея такой информацией, можно уже более детально разбираться с проблемой, жонглируя различными вариациями команд show и debug.
При диагностике не стоит забывать ещё об одном средстве – захвате пакетов (packet capture). На IOS XE этот функционал сделали более удобным по сравнению с обычным IOS.
Packet capture
Активация захвата пакетов:
monitor capture CAP access-list 199
monitor capture CAP interface GigabitEthernet0/0/0 in
monitor capture CAP start
Выключение, выгрузка дампа на внешний ПК, деактивация:
monitor capture CAP stop
monitor capture CAP export tftp://10.0.0.1/CAP.pcap
no monitor capture CAP
- IP Routing on Cisco IOS, IOS XE, and IOS XR: An Essential Guide to Understanding and Implementing IP Routing Protocols
- Подключение к провайдеру телефонной связи: проблемы и решения
- Настройка и просмотр статистики о вызовах и их качестве в Cisco Unified Communications Manager (CUCM)
- Как защититься от подделки писем в электронной почте (Email spoofing, Forged email)?
- Работа дешифрации NGFW: расшифровка SSL трафика
- Rapid STP