BRKCRS-3142
2013 Cisco and/or its affiliates. All rights reserved. BRKCRS-3142 Cisco Public
Session Goals
At the end of this session, you should be able to:
Understand system resources and monitor their usage
Identify all areas of packet loss
Trace hardware packet path
Make use of newer tools
This content is based on questions we see in the field. Feedback is welcome!
Agenda
Products Overview
Troubleshooting
Method
System Resources
Packet path / loss
VSS
PoE
Netflow
Tools/Tips
Appendix
Products Overview
Chassis: 4503-E, 4506-E, 4507R+E, 4510R+E. See the appendix for supervisor, line card, and chassis product and compatibility details.
6 Gbps per slot: classic supervisors and classic line cards (e.g. SupV-10GE, 45xx line cards)
24 Gbps per slot: -E chassis (4507R-E, 4510R-E), supported from 12.2(31)SGA6 onward, with Sup6-E, Sup6L-E and 46xx line cards
48 Gbps per slot: +E chassis (4507R+E, 4510R+E, 4503-E, 4506-E), supported from 12.2(53)SG4 onward, with Sup7-E, Sup7L-E and 47xx line cards
Products Overview
Intelligent supervisors: Supervisor Engine 7-E, 7L-E, 6-E, 6L-E, V-10GE, V, IV, II-Plus-10GE, II-Plus-TS, II-Plus
Transparent line cards: wire-rate, oversubscribed, PoE; 10/100, 10/100/1000, GE, 10GE; various physical media front panel ports; dedicated per-slot bandwidth to the supervisor
Switching ASICs: Packet Processor, Forwarding Engine
Specialized hardware: TCAMs (1) for ACLs, QoS, L3 forwarding; NetFlow (2) (NFE) for statistics gathering
Architecture (figure): line card = front panel ports + stub ASICs; supervisor = shared packet memory, Packet Processor, Forwarding Engine, TCAMs (1), NFE (2), CPU
1. Ternary Content Addressable Memory
2. Optional for Supervisor IV and V. Integrated in Supervisor V-10GE, 7-E, 7L-E
Troubleshooting Method
General Recommendations
Design with intent: ideally, create a deterministic network; engineers, not traffic, should control the network
Baseline, monitor against the baseline, alarm and/or adjust: problems are solved faster when knowns can be eliminated
Characterize issues quickly with a plan
Troubleshooting Method
Method (document every step)
1. Define Problem: symptoms? system messages? user input?
2. Gather Facts: when? frequency? impact? scope? You need a good understanding of what the system looks like when it is healthy
3. Consider Possibilities
4. Create Action Plan
5. Execute Action Plan
6. Observe Results
Further information and examples are in the troubleshooting section.
Want to learn more? Check out CCNP Practical Studies: Troubleshooting by Donna Harrington, and the CCNP TSHOOT 642-832 Official Certification Guide by Kevin Wallace.
Troubleshooting Method
Method, step 3 (Consider Possibilities), documenting every step:
Category        Possible Cause
Config/Design   Mis-configuration; Reaching capacity
Traffic         DoS attack; Traffic pattern change; Bad peer/server
Software Issue  Software limitation; Bug
Hardware Issue  Hardware limitation; Failed hardware; Transient hardware issue
Steps: 1. Define Problem, 2. Gather Facts, 3. Consider Possibilities, 4. Create Action Plan, 5. Execute Action Plan, 6. Observe Results
Troubleshooting Method
Method (document every step)
1. Define Problem
2. Gather Facts
3. Consider Possibilities
4. Create Action Plan: what needs to be done to isolate each potential root cause?
5. Execute Action Plan: make one change, measure the result, roll the change back if the problem persists
6. Observe Results: problem solved? If not, continue with the action plan
Troubleshooting Method
Before you dig deep
Top-down approach: hardware generally does what it is told to do; before you troubleshoot the platform, rule out the usual suspects
End-to-end: compare traffic at the endpoints; keep standard loss-measurement methods/tools (e.g. iperf) handy
Security: port-security issues; actions are not always sent to syslog; restrict modes may use CPU; check 802.1X, DAI, DHCP snooping/relay, IPSG, port security, PACL
Common issues by area:
Security features: RACL, VACL, unicast RPF, intermediary stateful inspection
L2: spanning-tree topology, IGMP snooping
L3 unicast: reachability, peer adjacency
L3 multicast: RPF, L3 path construction (RP), IGMP groups
Troubleshooting Method
Caution
debug and show platform commands follow
Excessive debug output to the console can lock up the switch
show platform commands are intended for in-depth troubleshooting and are not officially supported IOS commands; use debug and show platform commands only when advised by TAC
Not all commands apply to all platforms; some are IOS-XE specific (Supervisor 7-E, 7L-E and 4500X)
System Resources
CPU
Runs IOS/IOS-XE processes
Runs 4500 platform-specific processes
Sends/receives control traffic
Software-switches packets that cannot be hardware-switched
Elevated CPU means the CPU is busy; by itself it does not impact the data plane, which is forwarded in hardware
A baseline is important
Troubleshooting CPU from show process cpu
Decision flow (figure), starting from "CPU higher than baseline":
IOS-XE: is iosd the high process? Check with: show proc cpu detail process iosd
IOS (and IOS-XE when iosd is high): is the high CPU in an IOS process or in a Cat4k process?
  IOS process: troubleshoot the features related to that process / open a TAC SR
  Cat4k process: is the high CPU traffic driven? (K*CpuMan review): show platform health
    Yes: can the traffic be identified? show platform cpu packet statistics
      Yes: stop / alter the traffic source; open a TAC SR if more detail is needed
      No: monitor session 1 source cpu (SPAN the CPU), or debug platform packet all buffer followed by show platform cpu packet buffer
Document ID 65591 on http://www.cisco.com covers the remaining cases in more detail
Troubleshooting CPU: Narrowing Down Process
switch# show process cpu sort
Core 0: CPU utilization for five seconds: 99%; one minute: 16%; five minutes: 7%
Core 1: CPU utilization for five seconds: 3%; one minute: 69%; five minutes: 33%
PID    Runtime(ms)  Invoked   uSecs  5Sec   1Min   5Min   TTY  Process
8590   3186391      38863326  176    51.20  42.52  20.34  0    iosd
11969  3138594      13447334  23     0.08   0.07   0.05   0    ffm
8448   207801       20750735  10     0.04   0.14   0.27   0    cli_agent
10684  428406       20858613  20     0.04   0.01   0.01   0    licensed
11241  3603017      26001138  138    0.04   0.04   0.04   0    cpumemd
switch# show proc cpu detail process iosd sort
Core 0: CPU utilization for five seconds: 99%; one minute: 62%; five minutes: 22%
Core 1: CPU utilization for five seconds: 2%; one minute: 38%; five minutes: 43%
PID    T C TID    Runtime(ms)  Invoked   uSecs  5Sec   1Min   5Min   TTY  Process
                                                (%)    (%)    (%)
8590   L          3346604      3886415   176    51.12  50.36  32.75  0    iosd
8590   L 0 8590   3561989      2098956   0      49.88  49.04  30.82  0    iosd
8590   L 1 12314  4076156      1787406   0      1.24   1.32   1.91   0    iosd
8590   L 0 12315  3425         52685     0      0.00   0.02   0.06   0    iosd
  24   I          376348       695349    0      77.00  75.77  43.55  0    ARP Input
  85   I          534349       8127080   0      18.77  18.77  12.66  0    Cat4k Mgmt HiPri
   7   I          2083841      1110797   0      1.11   0.33   0.22   0    Check heaps
  86   I          744497       5671481   0      1.11   1.22   2.22   0    Cat4k Mgmt LoPri
Notes: dual core (Core 0 / Core 1). T = L rows are the IOS-XE process and its threads; T = I rows are the traditional IOS processes, shown indented under iosd. Cat4k Mgmt HiPri / LoPri are the Catalyst 4k specific management processes. In this capture ARP Input is the IOS process driving iosd.
Troubleshooting CPU: Packet-Driven CPU
switch# show platform health
switch# show platform cpu packet statistics
(config)# monitor session 1 source cpu rx
(config)# monitor session 1 destination interface Gi1/48
In this example K5CpuMan is over target and the packet statistics show a recent flood of packets with IP options (not hardware routable). If a port is available, SPAN the CPU to get a full capture.
Troubleshooting CPU: SPAN not available?
switch# debug platform packet all buffer
platform packet debugging is on
switch# show platform cpu packet buffered
Total Received Packets Buffered: 1024
-------------------------------------
Index 0:
3 days 23:23:18:54927 - RxVlan: 1006, RxPort: Gi1/1
Priority: Normal, Tag: No Tag, Event: 11, Flags: 0x40, Size: 64
Eth: Src 00:00:0B:00:00:00 Dst 00:22:90:E0:D6:FF Type/Len 0x0800
Ip: ver: IpVersion4 len: 24 tos: 0 totLen: 46 id: 0 fragOffset: 0 ttl: 64 proto: tcp
src: 10.10.10.100 dst: 172.16.100.100 hasIpOptions firstFragment lastFragment
Remaining data:
0: 0x0 0x64 0x0 0x64 0x0 0x0 0x0 0x0 0x0 0x0
10: 0x0 0x0 0x50 0x0 0x0 0x0 0x8A 0x37 0x0 0x0
20: 0x0 0x1 0xB5 0x77 0x6A 0x7E
This debug does not require significant CPU overhead
Be sure to use buffer and not log
Newer versions provide a human-readable event; decode on older versions with:
switch# show platform software cpu events | i Code|11
CPU Event Code PE-Q
1 2 Ip Option 11 17
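A parser for the punt buffer above, added here as an example (it is not from the deck or from Cisco): it turns a show platform cpu packet buffered dump into counts per event, ingress port and source so the host behind a K5CpuMan spike can be named. The sample dump is constructed in the slide's format; the only event code it decodes is 11 (Ip Option), taken from the slide's own decode table, and the field-layout regexes are assumptions about that format.

```python
"""Summarise punted packets from `show platform cpu packet buffered`.

Added example, not from the Cisco Live deck. The regexes assume the line
layout shown on the slide; the only event code decoded is 11 (Ip Option),
which the slide shows via `show platform software cpu events`. Other codes
are reported numerically.
"""
import re
from collections import Counter

EVENT_NAMES = {11: "Ip Option"}  # from the slide's decode table; extend from your own switch

# Constructed sample in the slide's format (four buffered packets, not a real capture).
SAMPLE = """Total Received Packets Buffered: 4
-------------------------------------
Index 0:
3 days 23:23:18:54927 - RxVlan: 1006, RxPort: Gi1/1
Priority: Normal, Tag: No Tag, Event: 11, Flags: 0x40, Size: 64
Eth: Src 00:00:0B:00:00:00 Dst 00:22:90:E0:D6:FF Type/Len 0x0800
Ip: ver: IpVersion4 len: 24 tos: 0 totLen: 46 id: 0 fragOffset: 0 ttl: 64 proto: tcp
src: 10.10.10.100 dst: 172.16.100.100 hasIpOptions firstFragment lastFragment
Remaining data:
0: 0x0 0x64 0x0 0x64 0x0 0x0 0x0 0x0 0x0 0x0
Index 1:
3 days 23:23:18:54931 - RxVlan: 1006, RxPort: Gi1/1
Priority: Normal, Tag: No Tag, Event: 11, Flags: 0x40, Size: 64
Eth: Src 00:00:0B:00:00:00 Dst 00:22:90:E0:D6:FF Type/Len 0x0800
Ip: ver: IpVersion4 len: 24 tos: 0 totLen: 46 id: 1 fragOffset: 0 ttl: 64 proto: tcp
src: 10.10.10.100 dst: 172.16.100.100 hasIpOptions firstFragment lastFragment
Index 2:
3 days 23:23:18:54940 - RxVlan: 1006, RxPort: Gi1/1
Priority: Normal, Tag: No Tag, Event: 11, Flags: 0x40, Size: 64
Eth: Src 00:00:0B:00:00:00 Dst 00:22:90:E0:D6:FF Type/Len 0x0800
Ip: ver: IpVersion4 len: 24 tos: 0 totLen: 46 id: 2 fragOffset: 0 ttl: 64 proto: tcp
src: 10.10.10.100 dst: 172.16.100.100 hasIpOptions firstFragment lastFragment
Index 3:
3 days 23:23:19:00012 - RxVlan: 20, RxPort: Gi2/7
Priority: Normal, Tag: No Tag, Event: 3, Flags: 0x00, Size: 64
Eth: Src 00:50:56:AA:BB:CC Dst 00:22:90:E0:D6:FF Type/Len 0x0800
Ip: ver: IpVersion4 len: 20 tos: 0 totLen: 40 id: 7 fragOffset: 0 ttl: 1 proto: udp
src: 192.0.2.9 dst: 198.51.100.1 firstFragment lastFragment
"""

_RX = re.compile(r"RxVlan:\s*(\d+),\s*RxPort:\s*(\S+)")
_EVENT = re.compile(r"Event:\s*(\d+)")
_TTL = re.compile(r"ttl:\s*(\d+)")
_IP = re.compile(r"^src:\s*([\d.]+)\s+dst:\s*([\d.]+)(.*)$", re.M)


def parse_buffer(text):
    """One dict per 'Index N:' block; non-IP blocks keep None in the IP fields."""
    packets = []
    for block in re.split(r"^Index \d+:\s*$", text, flags=re.M)[1:]:
        rx, ev, ttl, ip = _RX.search(block), _EVENT.search(block), _TTL.search(block), _IP.search(block)
        packets.append({
            "vlan": int(rx.group(1)) if rx else None,
            "port": rx.group(2) if rx else None,
            "event": int(ev.group(1)) if ev else None,
            "ttl": int(ttl.group(1)) if ttl else None,
            "src": ip.group(1) if ip else None,
            "dst": ip.group(2) if ip else None,
            "ip_options": bool(ip and "hasIpOptions" in ip.group(3)),
        })
    return packets


def summarize(text, top=5):
    """Aggregate punts by event, ingress port and source so the offending host can be found."""
    pkts = parse_buffer(text)
    by_event = Counter(EVENT_NAMES.get(p["event"], f"event {p['event']}") for p in pkts)
    by_port = Counter(p["port"] for p in pkts)
    by_src = Counter(p["src"] for p in pkts if p["src"])
    return {
        "total": len(pkts),
        "by_event": by_event.most_common(top),
        "by_port": by_port.most_common(top),
        "by_src": by_src.most_common(top),
        # the two punt reasons the deck calls out explicitly: IP options and TTL < 2
        "ip_option_sources": sorted({p["src"] for p in pkts if p["ip_options"]}),
        "low_ttl_sources": sorted({p["src"] for p in pkts if p["ttl"] is not None and p["ttl"] < 2}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Paste the real dump in place of SAMPLE; the top source and port are what you feed into the "stop / alter traffic source" step, and the ip_option_sources list is the input for CoPP or an ingress ACL.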
Troubleshooting CPU: Common Punt Reasons
Common Cause                                              Recommended Solution
Same interface forwarding                                 no ip redirects, or alter the topology
ACL logging                                               disable ACL logging; use ACL matching stats or NetFlow instead
ACL deny causing the switch to send ICMP unreachables     no ip unreachables (2)
Forwarding/feature exception (out of TCAM/adjacency space)  reduce TCAM usage; resize the TCAM region (TCAM2/3)
SW-supported feature (e.g. GRE)                           disable the feature or reduce the amount of traffic
IP packets with TTL<2, IP options                         disable the offending traffic; regulate the source with Control Plane Policing (1)
Unexpected control/data traffic                           Control Plane Policing (1)
1. CoPP supported on all legacy supervisors starting 12.2(31)SG, Sup6-E/6L-E/4900M/4948E on 12.2(50)SG, all Sup7-E/7L-E/4500X
2. Must be configured on all the L3 interfaces of the switch
System Resources
Memory
Leak vs large usage: large usage goes away when the condition is no longer present; a leak never decreases
Establish a baseline
Collect multiple iterations over a recorded interval
Correlate any increase with known activity
Troubleshooting Memory: Large Usage
switch# sh authentication session | count Runn
Number of lines which match regexp = 239
switch# sh proc mem detail proc iosd sort | i Hold|Auth Manager
PID  TTY  Allocated  Freed   Holding  Getbufs  Retbufs  Process
113  0    870624     125992  837216   0        0        Auth Manager
switch(config)# int ra gi1/1 - 48 , gi2/1 - 48 , gi3/1 - 48 , gi4/1 - 48
switch(config-if-range)# shut
switch(config-if-range)# int ra gi7/1 - 48 , gi8/1 - 48 , gi9/1 - 48 , gi10/1 - 48
switch(config-if-range)# shut
switch(config-if-range)# end
switch# sh authentication session | count Runn
Number of lines which match regexp = 0
switch# sh proc mem detail proc iosd sort | i Auth Manager
147  0    1434488    601760  514088   0        0        Auth Manager
About 300 KB (837216 - 514088 bytes) was not leaked, simply in use by the 239 sessions
Troubleshooting Memory
switch# show proc mem sort
System memory: 2011604K total, 765920K used, 1245684K free, 85548K kernel reserved
Lowest(b): 710864896
PID    Text   Data    Stack  Dynamic  RSS     Total    Process
10137  69308  800424  88     236      958000  1017272  iosd
5498   1140   233600  88     2492     40332   309140   ffm
switch# show proc mem detail proc iosd sort
Processor Pool Total: 805306368 Used: 645097888 Free: 160208480
      I/O Pool Total:  20971520 Used:    361576 Free:  20609944
 Critical Pool Total:   4087852 Used:        40 Free:   4087812
 Critical Pool Total:    106460 Used:        40 Free:    106420
PID  TTY  Allocated   Freed      Holding    Getbufs   Retbufs  Process
153  0    1461539184  749742680  307884712  14266252  0        Auth Manager
0    0    304511544   14111208   272960272  0         0        *Init*
185  0    887586464   301222848  31368752   0         0        CDP Protocol
switch# show proc mem detail proc iosd task 153
Process ID: 153
Process Name: Auth Manager
Total Memory Held: 307882352 bytes
Processor memory Holding = 307882352 bytes
pc = 0x16FCD45C, size = 291258544, count = 4441
pc = 0x16FCF828, size = 9378512, count = 143
For Classic IOS, use:
show process mem sort
show process mem <pid>
Auth Manager is holding too much; collect the process memory breakdown (the pc/size/count lines) for TAC
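A small classifier for the leak-versus-large-usage question, added as an example that is not from the deck: feed it Holding samples taken at your recorded interval together with a driver counter (here, the number of authenticated sessions from the previous slide) and it decides whether memory tracks the activity or only ever grows. The two sample series are constructed around the 837216 / 514088 byte figures shown above; the 10 % growth and 0.8 correlation thresholds are assumptions.

```python
"""Leak or large usage? Classify a process's Holding series (added example).

Not from the deck. Samples are taken by you at a recorded interval, e.g.
Holding from `show proc mem detail proc iosd sort | i Auth Manager` paired
with the session count from `show authentication session | count Runn`.
The growth and correlation thresholds are assumptions.
"""


def pearson(xs, ys):
    """Plain Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5


def classify(samples, growth_pct=10.0, corr_min=0.8):
    """samples: [(minutes_since_start, holding_bytes, activity_count), ...] in time order."""
    if len(samples) < 3:
        raise ValueError("collect at least three iterations before judging a trend")
    hold = [s[1] for s in samples]
    act = [s[2] for s in samples]
    first, last, peak = hold[0], hold[-1], max(hold)
    growth = 100.0 * (last - first) / first
    never_decreases = all(b >= a for a, b in zip(hold, hold[1:]))
    corr = pearson(hold, act)
    if corr >= corr_min and last < peak:
        verdict = "large usage: Holding tracks the activity counter and is released again"
    elif never_decreases and growth >= growth_pct:
        verdict = "possible leak: Holding only grows, independent of activity"
    else:
        verdict = "no clear trend: keep sampling"
    return {"verdict": verdict, "growth_pct": round(growth, 1), "correlation": round(corr, 2),
            "never_decreases": never_decreases, "peak": peak}


# Constructed series (not measured): Auth Manager Holding against the number of
# 802.1X sessions, built around the 837216 / 514088 byte figures on the slide.
LARGE_USAGE = [(0, 514088, 0), (10, 620000, 80), (20, 837216, 239), (30, 760000, 180), (40, 514088, 0)]
# Constructed series: session count flat, Holding climbs every interval.
LEAK = [(0, 100_000_000, 239), (10, 104_000_000, 240), (20, 108_000_000, 238),
        (30, 112_000_000, 239), (40, 116_000_000, 239)]

if __name__ == "__main__":
    for name, series in (("large usage", LARGE_USAGE), ("leak", LEAK)):
        print(name, classify(series))
```

Pick the driver counter per process (sessions for Auth Manager, neighbours for CDP, prefixes for routing); a high correlation with a counter that later returns to baseline is the "simply used" case, while growth with no correlation is what to hand to TAC together with the task breakdown.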
System Resources
TCAM
Check TCAM usage for ACLs, security, L3 routes, PBR, DHCP snooping, IPSG, WCCPv2. When a region overflows the switch logs it, and the consequence differs by feature: an overflowing QoS policy is disabled on the interface, while an overflowing security ACL is still enforced but in software, which costs CPU:
%C4K_HWACLMAN-4-ACLHWPROGERR: Input VOIP_FROM_CE_IPv6 - hardware TCAM limit, qos being disabled on relevant interface
%C4K_HWACLMAN-4-ACLHWPROGERR: Input Security: 101 - hardware TCAM limit, some packet processing will be software switched
C4K_HWACLMAN-4-ACLHWPROGERRREASON: Input (75/Normal, 1/Normal) Invalid Acl-based Feature - hardware TCAM policers exceeded
Monitoring TCAM
switch# show platform hardware acl statistics utilization brief
CAM Utilization Statistics
--------------------------
                           Used          Free           Total
--------------------------------------------------------------
Input Security (160)       42 (2 %)      2006 (98 %)    2048
Input Security (320)       66 (3 %)      1982 (97 %)    2048
Input Qos (160)            15 (0 %)      2033 (100%)    2048
Input Qos (320)            14 (0 %)      2034 (100%)    2048
Input Forwarding (160)      2 (0 %)      2046 (100%)    2048
Input Unallocated (160)     0 (0 %)     55296 (100%)   55296
switch# show platform hardware qos policer utilization
-------------------------------------------
Policer utilization summary:
Direction   Assigned        Used        Free
-------------------------------------------
Input       2048 (12.5%)    4 (0.1%)    2044 (99.8%)
Output      2048 (12.5%)    1 (0.0%)    2047 (99.9%)
Free       12288 (75.0%)    0 (0.0%)   12288 (100.0%)
Low utilization in this example
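An added example (not part of the deck) that watches the two TCAM signals above: it recomputes utilization per region from the show platform hardware acl statistics utilization brief rows and decodes %C4K_HWACLMAN-4-ACLHWPROGERR* messages into their security consequence. The utilization rows are constructed (one region pushed to 95 %), the syslog lines are the three shown on the previous slide, and the 80 % warning threshold is an assumption.

```python
"""Flag TCAM regions near exhaustion and decode ACL programming failures.

Added example, not part of the deck. It parses the two things the slides
show: `show platform hardware acl statistics utilization brief` rows and
%C4K_HWACLMAN-4-ACLHWPROGERR* syslog lines. The warning threshold and the
sample rows are constructed for illustration.
"""
import re

_ROW = re.compile(
    r"^\s*(?P<dir>Input|Output)\s+(?P<region>\w+)\s+\((?P<width>\d+)\)\s+"
    r"(?P<used>\d+)\s+\(\s*\d+\s*%\)\s+(?P<free>\d+)\s+\(\s*\d+\s*%\)\s+(?P<total>\d+)", re.M)
_ERR = re.compile(
    r"%?C4K_HWACLMAN-4-ACLHWPROGERR(?P<reason>REASON)?:\s*(?P<dir>Input|Output)\s+"
    r"(?P<feature>.*?)\s+-\s+hardware TCAM\s+(?P<detail>.*)$")

# Constructed utilization output (Input Security (320) deliberately near the limit).
SAMPLE_UTIL = """CAM Utilization Statistics
--------------------------
                           Used          Free           Total
--------------------------------------------------------------
Input Security (160)       42 (2 %)      2006 (98 %)    2048
Input Security (320)     1950 (95 %)       98 (4 %)     2048
Input Qos (160)            15 (0 %)      2033 (100%)    2048
Input Qos (320)            14 (0 %)      2034 (100%)    2048
Input Forwarding (160)      2 (0 %)      2046 (100%)    2048
Input Unallocated (160)     0 (0 %)     55296 (100%)   55296
"""

# The three messages shown on the slide, one per line.
SAMPLE_SYSLOG = [
    "%C4K_HWACLMAN-4-ACLHWPROGERR: Input VOIP_FROM_CE_IPv6 - hardware TCAM limit, qos being disabled on relevant interface",
    "%C4K_HWACLMAN-4-ACLHWPROGERR: Input Security: 101 - hardware TCAM limit, some packet processing will be software switched",
    "C4K_HWACLMAN-4-ACLHWPROGERRREASON: Input (75/Normal, 1/Normal) Invalid Acl-based Feature - hardware TCAM policers exceeded",
]


def tcam_utilization(text, warn_pct=80):
    """Per-region usage, recomputed from Used/Total rather than the rounded (%) column."""
    regions = []
    for m in _ROW.finditer(text):
        used, total = int(m["used"]), int(m["total"])
        pct = 100.0 * used / total if total else 0.0
        regions.append({"region": f"{m['dir']} {m['region']} ({m['width']})", "used": used,
                        "total": total, "pct": round(pct, 1), "warn": pct >= warn_pct})
    return regions


def decode_hw_prog_errors(lines):
    """Map each ACLHWPROGERR(REASON) message to what it means for enforcement."""
    findings = []
    for line in lines:
        m = _ERR.search(line)
        if not m:
            continue
        detail = m["detail"]
        if "software switched" in detail:
            impact = "ACL still enforced, but in software on the CPU"
        elif "qos being disabled" in detail:
            impact = "QoS policy disabled on the relevant interface"
        elif "policers exceeded" in detail:
            impact = "policer pool exhausted, feature not programmed"
        else:
            impact = "feature not programmed in hardware, check message text"
        findings.append({"direction": m["dir"], "feature": m["feature"].strip(), "impact": impact})
    return findings


if __name__ == "__main__":
    for r in tcam_utilization(SAMPLE_UTIL):
        print(("WARN " if r["warn"] else "     ") + f"{r['region']}: {r['pct']}%")
    for f in decode_hw_prog_errors(SAMPLE_SYSLOG):
        print(f)
```

Run the utilization check from your monitoring at the same interval as the memory baseline; the syslog decoder is for the incident itself, where the difference between "enforced in software" and "disabled" decides whether you are looking at a CPU problem or at a policy gap.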
System Resources
Queue Memory
Each line card has reserved queue memory; exceeding it eats into the global pool. When the global pool is exhausted, the switch logs:
%C4K_HWPORTMAN-3-TXQUEALLOCFAILED: Failed to allocate the needed queue entries for Gi6/13
Options:
decrease queue depths on a per-port basis
combine classes under the same queue
Monitoring Queue Memory
Entry                                     Sup6-E/6L-E/7L-E    Sup7-E
Total queue memory                        512K                1M
Free reserve: global pool                 100K                100K
CPU, recirc, drop queues                  20K                 40K
Queue entries per slot (1)                x = 400K/nSlots (2) x = 860K/nSlots
Queue entries per port on a line card     y = x/nPorts (3)    y = x/nPorts
Queue entries per class transmit queue    z = y/nTxQs (4)     z = y/nTxQs
1. In a redundant chassis, two supervisor slots are treated as one
2. nSlots: number of slots
3. nPorts: number of ports in a line card
4. nTxQs: number of transmit queues in use
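The table's formula carried through in code, as an added example rather than anything from the deck: it computes the per-slot, per-port and per-queue entry budget for both supervisor families and then checks a whole chassis for the condition that produces %C4K_HWPORTMAN-3-TXQUEALLOCFAILED, namely line cards whose requested depths spill more into the 100K global pool than it holds. K is taken as 1024 entries and the slide's 400K/860K per-slot numerators are used as given; the chassis slot counts and requested depths in the usage are assumptions.

```python
"""Transmit-queue memory budget per slot, port and queue (added example).

Not from the deck. The constants are the slide's table values; the slide
already folds the global pool and the CPU/recirc/drop queues into its
400K and 860K per-slot numerators, so those are used as given. "K" is
taken to mean 1024 entries, and a redundant chassis counts its two
supervisor slots as one, as the slide's footnote 1 states.
"""
K = 1024

SUPERVISORS = {
    # also Sup6L-E and Sup7L-E
    "sup6e": {"total": 512 * K, "global_pool": 100 * K, "system_queues": 20 * K, "slot_budget": 400 * K},
    "sup7e": {"total": 1024 * K, "global_pool": 100 * K, "system_queues": 40 * K, "slot_budget": 860 * K},
}


def effective_slots(n_slots, redundant):
    """Footnote 1: two supervisor slots are treated as one in a redundant chassis."""
    return n_slots - 1 if redundant else n_slots


def queue_budget(sup, n_slots, n_ports, n_txqs, redundant=False):
    """x = budget/nSlots, y = x/nPorts, z = y/nTxQs, in queue entries (integer division)."""
    x = SUPERVISORS[sup]["slot_budget"] // effective_slots(n_slots, redundant)
    y = x // n_ports
    z = y // n_txqs
    return {"per_slot": x, "per_port": y, "per_queue": z}


def check_chassis(sup, n_slots, cards, redundant=False):
    """cards: [(n_ports, requested_entries_per_port), ...], one tuple per line card.

    A card whose demand exceeds its per-slot reserve spills into the shared
    global pool; when the spill from all cards exceeds that pool, allocations
    fail (the %C4K_HWPORTMAN-3-TXQUEALLOCFAILED condition).
    """
    reserve = queue_budget(sup, n_slots, 1, 1, redundant)["per_slot"]
    pool = SUPERVISORS[sup]["global_pool"]
    spill = sum(max(0, n_ports * per_port - reserve) for n_ports, per_port in cards)
    return {"per_slot_reserve": reserve, "global_pool": pool, "spill": spill,
            "pool_left": pool - spill, "alloc_fails": spill > pool}


if __name__ == "__main__":
    # Assumed layouts: a 10-slot chassis with redundant Sup7-E, a 7-slot one with redundant Sup6-E.
    print(queue_budget("sup7e", n_slots=10, n_ports=48, n_txqs=8, redundant=True))
    print(check_chassis("sup6e", 7, [(48, 3000)] * 5, redundant=True))
    print(check_chassis("sup6e", 7, [(48, 1500)] * 5, redundant=True))
```

The per-queue number is the ceiling for a per-port queue-limit under that class; the chassis check is what to run before raising depths fleet-wide, since the message only appears once the shared pool is already gone.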
Monitoring Queue Memory
switch# show platform software qm
Drop port Tx Queue allocations (Size: 8184, Base: 0x019008)
Tx Queue allocations for recirc ports (Size: 24576, Base: 0x01D1D0)
CPU Subport Tx Queue allocations (Total Size: 8656)
Per-port error counters reported in software:
OverrunPackets : 0
AlignmentErrorPackets : 0
FcsErrorPackets : 0
SymbolErrorPackets : 0
InvalidOversizePackets : 0
Ipv4HdrChecksumErrorPackets : 0
Ipv4HdrErrorPackets : 0
Ipv6HdrErrorPackets : 0
switch# show platform software interface gigabitEthernet 1/1 statistics
Superport 8(Gi1/1-6) Non-Zero Software Statistics
RxSequenceErrors : 255
RxSymbolErrors : 255
Note: counters may increment during plug / unplug
Platform commands can narrow the fault down to the stub ASIC vs the packet processor
Troubleshooting Packet Loss / Path
Layer 1 Issues
(config)# logging event link-status global
(config-if)# logging event link-status
switch# show platform software interface all | inc downs:|PimPhyport
GalGlmPort(0:N/21), Active?: true, PimPhyport Name: Gi1/22, EpmPortMan Name: EpmPortMan(0:N/21)
Name(EpmPortMan(0:N/21)), PimPhyport name(Gi1/22)
#link downs: 41712
switch# show platform software interface gi1/1 mii
----- PortVlanHashTable -----
Index  Partial  Aggport  VlanId  FwdVlanId  Dir  SrcMissCtrl  TxDropEn  VlanTagStripEnOnTx
1568  8  100  200  Rx  SrcMissCopyToCpu  -  False
3188  8  100  200  Tx  -  False  False
All ports on an EtherChannel share an Aggport
VLAN mapping in use; the mapping information is used in many platform CLI outputs
Packet Loss / Path: Input Mapping / L2 Lookup
Hardware packet path stages (figure): IM, L2, IC, NF, IP, FL, OC, OP, OM, QM
Confirm whether routing features are enabled on a VLAN:
switch# show platform hardware rxvlan-map-table vlan 902
Vlan 902:
  l2LookupId: 902
  srcMissIgnored: 0
  ipv4UnicastEn: 1
  ipv4MulticastEn: 1
  ipv6UnicastEn: 0
  ipv6MulticastEn: 0
Index  Mac Address     Vlan  Type        SinglePort/RetIndex/AdjIndex
-------------------------------------------------------------------
63248  001E.F73F.F5BF  902   SinglePort  Cpu aggport(4) ND RouterAddr
IPv4 unicast and multicast routing are enabled on VLAN 902; the SVI MAC is present in the MAC table (required for unicast routing)
Note: all SVIs use the same MAC address on the 4k
Packet Loss / Path: L2 Lookup
STP state check:
switch# show span int gi 7/48 state | i VLAN0002
VLAN0002 forwarding
switch# show platform hardware stp vlan 2 | i Gi7/48
Gi7/48 (375) Forwarding
SA learning:
switch(config)# no mac address-table learning vlan 100
switch# show platform hardware rxvlan-map-table vlan 100 | i srcMiss
  srcMissIgnored: 1
With srcMissIgnored: 1, no copies are sent to the CPU for MAC source address learning
switch# show mac add int gi 1/46 | i 902
 902  0000.0500.0000  dynamic ip,ipx,assigned,other  GigabitEthernet1/46
 902  ffff.ffff.ffff  system  Gi1/46,Gi7/48,Switch
switch# show plat hard mac add 0000.0500.0000 | i 0500|Index
Index  Mac Address     Vlan  Type        SinglePort/RetIndex/AdjIndex
27760  0000.0500.0000  902   SinglePort  Gi1/46(53) ND SrcOrDstF
HW matches SW
Packet Loss / Path: L2 Lookup
SA lookup: port security
switch# show run int gi 3/19
Flood set: unknown unicasts will be flooded to these ports
Multicast traffic to 0100.5e01.0101 is replicated here, unless overridden by L3/ACL
Note: since 15.0(2)SG / 3.2.0SG, broadcast is a per-VLAN ffff.ffff.ffff entry instead of a floodset
Packet Loss / Path: L2 vs L3 vs ACL
What HW programming will direct the packet?
switch# show platform hardware ip fwdsel summary
L2Value == other (port/RET) (0):
          IC
  L3    0    1    2    3
  0     l2   ic   ic   ic
  1     l3   ic   ic   ic
  2     l3   l3   ic   ic
  3     l3   l3   l3   ic
Rows are the L3 entry's FwdSel, columns the ACL (IC) entry's FwdSel; the cell names the winner. FwdSel is relevant to the ACL (ic) only when there is a redirect action.
Example: L3 entry present with FwdSel=2, ACL redirect entry present with FwdSel=2: winner = ACL (ic)
Precedence (figure): L3 entry vs ACL entry depends on fwdsel; both win over the L2 entry / floodset
Packet Loss / Path: Input Classification
SVI and ACL statistics require hardware resources and are not enabled by default
switch# show run
interface Vlan902
 ip address 92.92.92.1 255.255.255.0
 counter
ActIdx: 249 StatsIdx: 0 FwdIdx: (Cpu, Cpu:true, CpuEvent:1, Port:6)
switch# show platform hardware acl input actions 249
Idx: 249
FwdSel: 2
L3Action: 2
This entry is installed automatically when PIM is enabled on the SVI: it matches local sources with TTL > 1 and redirects them to the CPU for (S,G) setup (if not overridden by an L3 entry). Compare its FwdSel with the L3 entries.
L3Action: (0 = permit, 1 = drop, 2 = redirect)
Packet Loss / Path: Input Classification
ACL examples: local multicast sources, static ACL, PBR, PACL
switch# show platform hardware acl input entries static
switch# show platform hardware acl input entries start 2 end 2 all
IP Src : 0.0.0.0 / 0.0.0.0
IP Dst : 224.0.0.0 / 240.0.0.0
IP Protocol : igmp / IpProtocolMask
ActIdx: 252 StatsIdx: 0 FwdIdx: (Cpu, Cpu:true, CpuEvent:1, Port:3)
switch# show platform hardware acl input actions 252
FwdSel: 3
L2Action: 2
IGMP sent to 224/4 will go to the CPU if FwdSel wins over L3
Watch for the hit counter to increment; a hit does not mean a packet count
L2Action: (0 = permit, 1 = drop, 2 = redirect)
Packet Loss / Path: Input Classification
ACL examples: local multicast sources, static ACL, PBR, PACL
switch# show platform hardware acl input entries vlan 901 all
FwdSel: 2
L3Action: 2
switch# show platform hardware ip adjacency entry 8
000008: vlan: 192 port: Po1 (417) size: 1 ifaId: 20
  fwdCtrl: 5 cpucode: 3 sifact4: FwdToCpu sifact6: FwdToCpu
  sa: 00:1E:F7:3F:F5:BF da: 00:0C:29:6D:1A:ED rwFmt: Unicast
  packets: 0 bytes: 0
PBR: packets sourced from 1.1.1.1/32 will be redirected to adjacency 8 (Po1) if FwdSel wins over L3
Note: PBR ACLs are removed if the adjacency becomes unavailable
Packet Loss / Path: Input Classification
ACL examples: local multicast sources, static ACL, PBR, PACL
Note: packets are classified as non-IP, IPv4 or IPv6 (a MAC ACL cannot match an IP packet)
switch# show ip access deny
Extended IP access list deny
    10 deny ip any any (1056 matches)
switch# show ip int gi 1/2
  Inbound access list is deny
switch# show plat hard acl inp entr int gi 1/2 all
IP Src : 0.0.0.0 / 0.0.0.0
IP Dst : 0.0.0.0 / 0.0.0.0
IP Protocol : IpProtocolNull / IpProtocolNull
FwdSel: 0
L2Action: 1
All IPv4 traffic on Gi1/2 will be dropped; FwdSel does not matter for a drop
L2Action: (0 = permit, 1 = drop, 2 = redirect)
Packet Loss / Path: Input Classification / Policing
Order of operations
flow record microflow
 match ipv4 source address                       <- Flexible NetFlow record
class-map match-all microflow
 match flow record microflow                     <- class-map matching the FNF record
policy-map ingress
 class voice-signalling
  set dscp cs3                                   <- unconditional marking
  police cir 32000 bc 8000                       <- normal policer
   conform-action transmit
   exceed-action set-dscp-transmit cs1           <- conditional marking
   exceed-action set-cos-transmit 1
 class microflow
  police cir 100000                              <- microflow policer
   conform-action transmit
   exceed-action drop
 class class-default
  set dscp default
  set cos 0
Ingress pipeline order (figure): classification, ingress policing, ingress marking (unconditional), ingress marking (conditional), forwarding
Packet Loss / Path: Input Classification / Policing
Monitoring ingress QoS
switch# show policy-map interface gigabitEthernet 1/46
 GigabitEthernet1/46
  Service-policy input: ingress
    Class-map: voice-signalling (match-all)
      28283457437 packets
      Match: dscp ef (46)
      QoS Set
        dscp cs3
      police:
          cir 32000 bps, bc 8000 bytes
        conformed 76128704 bytes; actions:
          transmit
        exceeded 1810581188160 bytes; actions:
          set-dscp-transmit cs1
          set-cos-transmit 1
        conformed 32000 bps, exceed 761238000 bps
Class-map stats are shared across interfaces with the same policy map
Ensure the counters increment
Classification is displayed in packet counts; policing in bytes
Packet Loss / Path: Forwarding Lookup
L3 unicast destination lookups, multicast (*,G) / (S,G) lookups, uRPF lookups
switch# show ip route 192.168.200.200
Routing entry for 192.168.200.0/24
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 192.168.100.100
      Route metric is 0, traffic share count is 1
switch# show ip arp | i 192.168.100.100
Internet  192.168.100.100  0  000c.296d.1aed  ARPA  Vlan192
switch# show mac address dynamic | i 000c.296d.1aed
 192  000c.296d.1aed  dynamic ip,ipx,assigned,other  Port-channel1
switch# show platform hardware ip route ipv4 network 192.168.200.0 255.255.255.0
Block: 0 En: true EntryMap: LSB Width: 80-Bit Type: Dst
Multicast (S,G), software state:
(91.91.91.100, 239.1.1.1), 00:08:11/00:01:32, flags: JT
  Incoming interface: Vlan901, RPF nbr 0.0.0.0
  Outgoing interface list:
    Vlan902, Forward/Sparse, 00:07:49/00:02:53
switch# show platform hardware ip route ipv4 host 239.1.1.1
008194: v4 91.91.91.100/32 239.1.1.1/32 --> vrf: Global Routing Table (0)
  adjStats: true fwdSel: 3 mrpf: 901 (FwdToCpu) fwdIdx: 0 ts: 0
  retIndex: 49150 retTs: 0
    Vlan: 901 BridgeOnly: Y Gi1/46(53)
    Vlan: 901 BridgeOnly: Y Gi7/1(328)
    Vlan: 901 BridgeOnly: Y Po1(417)
    Vlan: 902 BridgeOnly: N Gi1/46(53)
BridgeOnly = Y: the packet is bridged (to Gi1/46 in VLAN 901)
BridgeOnly = N: the packet is routed (to Gi1/46 in VLAN 902)
Packets matching the (S,G) that do NOT ingress on the mrpf VLAN fail the RPF check and are punted to the CPU
Packet Loss / Path: Forwarding Lookup
Quiz scenario:
Switch configured for multicast routing, sparse mode
No RP address is configured
A local multicast source starts
Why does the new source stream to the CPU?
Answer: the VLAN local-source ACL punts the traffic to the CPU, and without an RP no (S,G) is ever created to override the ACL (via fwdsel)
Packet Loss / Path: Forwarding Lookup
L3 unicast destination lookups, multicast (*,G) / (S,G) lookups, uRPF lookups
switch# show run int vl 901
interface Vlan901
 ip address 91.91.91.1 255.255.255.0
 ip verify unicast source reachable-via rx allow-default
switch# show platform hardware ip route ipv4 network 91.91.91.0 255.255.255.0
NetFlow hardware flow table occupancy (entries in use per bucket, number of buckets, number of entries):
14              0 (0.0)         0 (0.0)
15              1 (0.0)        15 (0.0)
16           8191 (99.9)   131056 (99.9)
Total Used   8192 (100.0)  131071 (99.9)
Total Free   N/A                1 (0.0)
Unaccounted packets:
User configured flow monitor cache limit reached: 4419746531
IPv6 entry table full: 0
Hash Collisions: 176000251
Flow hash table buckets: 8K; entries per bucket: 16; total hash table entries: 128K; approx. total usable space: 108K
%C4K_HWFLOWMAN-5-FLOWUNACCOUNTEDPACKETS: Flow stats for 46444030 packets are not accounted due to hardware hash collisions or full hardware flow table
All 16-entry buckets are full = constant collisions
Tools: Wireshark
Wireshark Best Practices
Available on Sup7-E, Sup7L-E, 4500X: onboard full packet capture, filter, decode / display; up to 8 instances supported
Do not display directly to the console without a buffer, a file or a duration limit
Write to a PCAP file on storage, then display on the switch or in the Wireshark GUI on a laptop
Only the core filter is implemented in hardware as ACLs; use a restrictive core filter to avoid high CPU
Tools: Wireshark
Capture pipeline (figure): Forwarding Engine -> core filter (hardware) -> IOS-XE capture filter -> ring buffer -> console or file; the display filter is applied when the buffer or file is shown
switch# monitor capture mycap int gi 1/46 in match ipv4 protocol tcp 10.1.1.1/32 any file location bootflash:mycap.pcap limit duration 3
switch# monitor capture mycap start
*Apr 15 17:56:24.291: %BUFCAP-6-ENABLE: Capture Point mycap enabled.
*Apr 15 17:56:27.720: %BUFCAP-6-DISABLE_ASYNC: Capture Point mycap disabled. Reason : Wireshark session ended
switch# show monitor capture file bootflash:mycap.pcap display-filter "ip.ttl == 100"
  1 0.000000 10.1.1.1 -> 91.91.91.100 TCP [TCP ZeroWindow] 0 > 0 [<None>] Seq=1 Win=0 Len=2
Tools: Wireshark
Troubleshooting Step             Command
Create a monitor                 monitor capture mycap <interface | vlan | control-plane>
Add core filter                  monitor capture mycap [access-list <acl> | match <in-line match CLI>]
Display monitor details          show monitor capture
Start/stop a monitor session     monitor capture mycap start | stop
Display a pcap file              show monitor capture file <filename>
Display a pcap file in detail    show monitor capture file <filename> detailed
Display a pcap file with filter  show monitor capture file <filename> display-filter <filter-detail>
Check if Wireshark is running    show proc cpu | inc dumpcap
Tools: Embedded Event Manager
Extremely versatile tool for monitoring, automating, and working around issues
(a) What do I want to detect? (b) What do I want to do after that?

Collect process CPU usage when CPU is high:

event manager applet high-cpu
 event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.10.1 get-type exact entry-op ge entry-val 80 poll-interval 10
 action 1.0 syslog msg "HIGH_CPU! CPU is at: $_snmp_oid_val"
 action 2.0 cli command "enable"
 action 2.1 cli command "show process cpu | redirect bootflash:cpu.txt"
 action 2.2 cli command "configure terminal"
 action 2.3 cli command "event manager scheduler suspend"

%HA_EM-6-LOG: TEST: HIGH_CPU! CPU is at: 99

Bring an interface down when it flaps too frequently:

event manager applet interface-flapping
 event syslog pattern ".*UPDOWN.*GigabitEthernet1/1.*" occurs 4
 action 1.0 syslog msg "GigabitEthernet Interface 1/1 changed state 4 times"
 action 2.0 cli command "enable"
 action 2.2 cli command "configure terminal"
 action 2.3 cli command "interface GigabitEthernet1/1"
 action 2.4 cli command "shutdown"
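To make the two detection patterns above concrete outside the switch, here is an added example (not from the deck and not Cisco EEM code): a small Python model of an SNMP threshold event (`entry-op ge entry-val 80`) and of a syslog pattern event with an `occurs` count, each driving the action list of the corresponding applet. The CPU samples and syslog lines it processes are constructed for the example; nothing is polled or read from a device, and the "actions" are returned as data rather than executed.

```python
"""EEM-style event triggers modelled in Python (added example, not from the deck).

SnmpThresholdEvent  ~ `event snmp ... entry-op ge entry-val 80`  (applet high-cpu)
SyslogPatternEvent  ~ `event syslog pattern "..." occurs 4`      (applet interface-flapping)
"""
import operator
import re

# EEM entry-op keywords mapped to comparison functions.
ENTRY_OPS = {
    "gt": operator.gt, "ge": operator.ge, "eq": operator.eq,
    "ne": operator.ne, "lt": operator.lt, "le": operator.le,
}


class SnmpThresholdEvent:
    """Fires when a polled value satisfies <entry-op> <entry-val>."""

    def __init__(self, entry_op, entry_val):
        self.compare = ENTRY_OPS[entry_op]
        self.entry_val = entry_val

    def poll(self, value):
        return self.compare(value, self.entry_val)


class SyslogPatternEvent:
    """Fires once the regex has matched `occurs` times; the count restarts afterwards."""

    def __init__(self, pattern, occurs=1):
        self.regex = re.compile(pattern)
        self.occurs = occurs
        self.count = 0

    def feed(self, line):
        if self.regex.search(line):
            self.count += 1
            if self.count >= self.occurs:
                self.count = 0   # reset so the next burst of flaps triggers again
                return True
        return False


def run_high_cpu_applet(samples, entry_op="ge", entry_val=80):
    """Return the actions the high-cpu applet would run for each polled CPU sample."""
    event = SnmpThresholdEvent(entry_op, entry_val)
    actions = []
    for cpu in samples:
        if event.poll(cpu):
            actions.append({
                "syslog": f"HIGH_CPU! CPU is at: {cpu}",
                "cli": ["enable", "show process cpu | redirect bootflash:cpu.txt",
                        "configure terminal", "event manager scheduler suspend"],
            })
    return actions


def run_flapping_applet(log_lines, interface="GigabitEthernet1/1", occurs=4):
    """Return the actions the interface-flapping applet would run over a log stream."""
    event = SyslogPatternEvent(rf".*UPDOWN.*{re.escape(interface)}.*", occurs)
    actions = []
    for line in log_lines:
        if event.feed(line):
            actions.append({
                "syslog": f"{interface} changed state {occurs} times",
                "cli": ["enable", "configure terminal", f"interface {interface}", "shutdown"],
            })
    return actions


# Constructed sample data (not captured from a real switch).
CPU_SAMPLES = [12, 35, 81, 99, 40]
LOG_LINES = [
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to up",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to up",
]

if __name__ == "__main__":
    for action in run_high_cpu_applet(CPU_SAMPLES) + run_flapping_applet(LOG_LINES):
        print(action["syslog"])
```

Running it on the sample data reports two high-CPU events (81 and 99) and one flapping event, after the fourth UPDOWN message for GigabitEthernet1/1; the GigabitEthernet1/2 message and the CONFIG_I message are correctly ignored by the pattern.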
Embedded Event Manager / Netflow Integration
1. Packets with TTL=1 sent to the switch (TTL=1 streams can cause high CPU)
2. NetFlow Engine collects the flow, capturing the TTL value
3. EEM triggers a syslog when the flow is detected:
%HA_EM-6-LOG: ttl: Flow Monitor ttl reported Low TTL for 10.10.10.3 10.10.10.4

switch# sh runn flow record ttl
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

switch# sh runn flow monitor ttl
Current configuration:
flow monitor ttl
 record ttl
 cache timeout active 40

switch# sh runn int gi 6/1
 no switchport
 ip flow monitor ttl input
 ip address 10.10.10.2 255.255.255.254

switch(config)# event manager applet ttl
 event nf monitor-name "ttl" event-type create event1 entry-value "2" field ipv4 ttl entry-op lt
 action 1.0 syslog msg "Flow Monitor $_nf_monitor_name reported Low TTL for $_nf_source_address $_nf_dest_address"

To verify, check show flow monitor ttl cache format record for entries with IP TTL: 1
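The flow record, monitor and EEM applet above fit together as follows: the `match` fields define the flow key, the `collect` fields are per-flow counters, and the `event nf ... event-type create` trigger runs when a new cache entry is created with a key field that satisfies the comparison. The Python below is an added example written for this page (not Cisco NetFlow or EEM code) that models exactly that for the `ttl` record: a keyed flow cache with byte/packet counters and first/last timestamps, an `active 40` timeout, and a create hook that raises the Low TTL message when `ttl < 2`. The packets it ingests are constructed inline, reusing the addresses from the slide's sample syslog.

```python
"""Flow-record keyed cache plus an EEM `event nf ... event-type create` trigger.

Added example, not from the deck. Models `flow record ttl`: `match` fields form the
flow key, `collect` fields are per-flow counters, and a create-time check fires when
`field ipv4 ttl entry-op lt entry-value 2`. Sample packets are constructed inline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """The `match` fields of the record: ttl, protocol, source, destination."""
    ttl: int
    protocol: int
    src: str
    dst: str


@dataclass
class FlowEntry:
    """The `collect` fields: byte/packet counters and first/last sys-uptime."""
    bytes: int = 0
    packets: int = 0
    first: float = 0.0
    last: float = 0.0


class TtlFlowMonitor:
    """Per-interface flow cache (`ip flow monitor ttl input`) with a create hook."""

    def __init__(self, low_ttl_below=2, active_timeout=40):
        self.cache = {}                    # FlowKey -> FlowEntry
        self.low_ttl_below = low_ttl_below  # entry-value "2" with entry-op lt
        self.active_timeout = active_timeout  # cache timeout active 40
        self.events = []                   # syslog messages the applet would emit

    def ingest(self, pkt, now):
        """Account one packet; create the flow (and run the create hook) on first sight."""
        key = FlowKey(pkt["ttl"], pkt["proto"], pkt["src"], pkt["dst"])
        entry = self.cache.get(key)
        if entry is None:
            entry = FlowEntry(first=now)
            self.cache[key] = entry
            self.on_create(key)
        entry.bytes += pkt["len"]
        entry.packets += 1
        entry.last = now
        return entry

    def on_create(self, key):
        # `entry-op lt entry-value 2`: fire only when a newly created flow has ttl < 2
        if key.ttl < self.low_ttl_below:
            self.events.append(
                f"Flow Monitor ttl reported Low TTL for {key.src} {key.dst}")

    def expire(self, now):
        """Age out flows active longer than `cache timeout active`; return their keys."""
        expired = [k for k, e in self.cache.items()
                   if now - e.first >= self.active_timeout]
        for key in expired:
            del self.cache[key]
        return expired


def run_sample():
    """Feed constructed packets: three TTL-1 probes plus one normal TCP packet."""
    mon = TtlFlowMonitor()
    packets = [
        {"src": "10.10.10.3", "dst": "10.10.10.4", "proto": 1, "ttl": 1, "len": 84},
        {"src": "10.10.10.3", "dst": "10.10.10.4", "proto": 1, "ttl": 1, "len": 84},
        {"src": "10.10.10.5", "dst": "10.10.10.4", "proto": 6, "ttl": 64, "len": 1500},
        {"src": "10.10.10.3", "dst": "10.10.10.4", "proto": 1, "ttl": 1, "len": 84},
    ]
    for uptime, pkt in enumerate(packets):
        mon.ingest(pkt, now=float(uptime))
    return mon


if __name__ == "__main__":
    monitor = run_sample()
    for msg in monitor.events:
        print(msg)
    for key, entry in monitor.cache.items():
        print(key, entry)
```

Because TTL is a `match` field, the three TTL-1 probes collapse into one flow and the applet fires once, on creation, rather than once per packet; that is why the slide's configuration does not flood syslog even when the TTL-1 stream is large.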
Tips: Crashes
Enhanced crashdump features in 15.0(2)SG2 / 3.2.2SG and higher
exception coredump is highly recommended on IOS-XE
Classic IOS full core in 15.1(1)SG2 onwards
On IOS-XE, collect all files in crashinfo: and kinfo:
Tips: Miscellaneous
Enable NTP to troubleshoot across switches
Include date and time for debug and log messages:
service timestamps [debug | log] msec localtime show-timezone
Automatically output time and CPU utilization with each command (exec mode):
terminal exec prompt timestamp
When logging the console, add comments and prefix them with ! to avoid error messages:
switch#!!! show module after peer reload
switch# show module
Tips: Make Life Easier
Search Bug Toolkit for known issues
Output Interpreter to decode command output
System Message Guide for mitigation recommendations
Smart Call Home in 12.2(52)SG
Catalyst 4000 Troubleshooting TechNotes
Catalyst 4500 Configuration Guide and Release Notes
NetPro discussion groups on http://www.cisco.com
Tips: Platform Control Plane Enhancements
Common Drop Event Reason | First Available | Details

Control Plane QoS | 12.2(54)SG | Per-interface QoS policies can drop control packets

Control Packet Enhancements | 15.0(2)SG / 3.2.0SG | Many static ACLs matching control traffic removed; CPU now included in special control floodsets on a per-VLAN basis; access-list hardware capture mode now controls only IGMP ACLs

CPU queue rate limits | 15.1(1)SG / 3.3.0SG | DBL (per-flow rate limits) applied to some CPU queues. Improved areas include port security / dot1x violate mode and non-RPF multicast (fast drop). Drops appear as DblDrop in show platform software drop-port; show platform software ip mfib fastdrop is deprecated
Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Cisco Daily Challenge points for each session evaluation you complete. Complete your session evaluation online now through either the mobile app or internet kiosk stations.