配置Nexus 9000:Packet Tracer工具
简介
本文档介绍如何配置Cisco Nexus 9000 Packet Tracer实用程序。
先决条件
要求
Cisco 建议您具有以下主题的基础知识:
- Cisco Nexus 9000硬件架构
使用的组件
本文档中的信息基于以下软件和硬件版本:
- Cisco Nexus 9500
- 软件版本7.0(3)I2(2a)
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。
背景信息
Packet-tracer是Nexus 9000上的内置实用程序,可用于跟踪数据包通过交换机的路径。它可以使用命令行进行调用,并且可以配置为匹配IP地址和/或第4层属性。它不能用于匹配ARP流量。
此工具可确认流是否通过交换机。它还提供用于跟踪流量统计信息的计数器,可用于间歇性/完全数据包丢失的情况。
使用案例情景
- 仅适用于IPv4流(不支持IPv6和非IP)
- 此工具不显示wireshark显示的数据包内部详细信息。
- 间歇性丢包:Ping或其他任何实用程序都可以提供数据包丢失的确切症状
- 完全数据包丢失
支持的硬件
仅支持带有Broadcom Trident II asic的线卡/交换矩阵模块或TOR。列表如下:
- N9K-C9372TX
- N9K-C9372PX
- N9K-C9332PQ
- N9K-C9396TX
- N9K-C9396PX
- N9K-C93128TX
- N9K-C9336PQ
- N9K-X9564PX
- N9K-X9564TX
- N9K-X9636PQ
不支持的硬件
- N9K-C93180YC-EX
- N9K-X9732C-EX
- N9K-C9232C
- N9k-C9272Q
- N9k-C92160YC
注意:如果未列出特定线卡/TOR,请联系TAC
如何使用Packet Tracer
配置
Packet-tracer命令是执行级命令。
N9K-9508#test packet-tracer src_ip <src_ip> dst_ip <dst_ip> <==== provide your src and dst ip
N9K-9508#test packet-tracer start <==== Start packet tracer
N9K-9508#test packet-tracer stop <==== Stop packet tracer
N9K-9508#test packet-tracer show <==== Check for packet matches
上述命令对线路卡或交换矩阵模块上存在的每个Broadcom Trident II Asic上的触发器进行编程。当具有匹配属性的流经过这些模块时,它显示计数器命中,从而帮助识别交换机内的路径(入口模块—>一个交换矩阵模块---->出口模块)。
计数器可用于关联丢包。
背景信息
交换矩阵模块互连I/O模块插槽。所有交换矩阵模块都处于活动状态并传输流量。每个交换矩阵模块两个Broadcom Trident II ASIC (T2)实例。
问题
PACL(端口访问列表)用于查看特定物理接口是否收到我们感兴趣的流量。但是,在Nexus平台上,某些板卡没有为PACL划分的TCAM。TCAM雕刻需要重新加载模块。在这些情况下,可使用packet tracer匹配感兴趣的流量。您还可以跟踪通往交换矩阵端口和通往出口模块的数据包。因此,Packet Tracer可以让您更清楚地了解流量如何在交换机内转发。
Packet tracer使用为SPAN划分的TCAM条目。
解决方案
NS -北星ASIC
T2 - Trident II ASIC
NFE -网络转发引擎
ALE - ACI枝叶引擎
有关Nexus 9000交换机架构的详细信息,请参阅此白皮书。
注意:9500机箱上最多有六个交换矩阵模块。在上面的图片中仅显示一种交换矩阵,使其变得简单。来自模块的流量可以到达任何交换矩阵模块。
使用案例:匹配入口模块上的流量、进入交换矩阵模块的流量和进入出口模块上的T2 ASIC的流量
要匹配感兴趣的流量,需要配置以下基本步骤:
switch#test packet-tracer {<src-ip>|<dst-ip>|<src-l4-port>|<dst-l4-port>} [<protocol>] [detail-fp|detail-hg]
以下是您需要的配置:
switch#test packet-tracer src_ip <src_ip> dst_ip <dst_ip> protocol <> <==== provide your src and dst ip and protocol (protocol option 1 is for icmp)
switch#test packet-tracer start <==== Start packet tracer
switch#test packet-tracer show <==== Check for packet match statistics
您无需将其应用于任何特定接口。这些配置在T2 ASIC的所有实例上的所有LC/FM上安装过滤器ACL。
它显示流量进入的模块上的数据包计数。这与传入模块(线卡和交换矩阵)上的相关流量匹配。
以下是配置示例:
N9K-9508# test packet-tracer src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1 <=== Protocol 1 matches ICMP traffic
N9K-9508# test packet-tracer start
以下是如何解释“test packet-tracer show”的输出:
N9K-9508# test packet-tracer show
Packet-tracer stats
---------------------
Module 1: <=== Slot #. Same output will be displayed for other Linecards's and Fabric modules.
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 <==== Our filter #1
ASIC instance 0: <==== Trident ASIC instance #0
Entry 0: id = 7425, count = 0, active, fp, <==== pakcet match count on front panel port. it could be any port
Entry 1: id = 7426, count = 0, active, hg, <==== packet match count from fabric module to T2 ASIC on the linecard
ASIC instance 1:
Entry 0: id = 7425, count = 0, active, fp,
Entry 1: id = 7426, count = 0, active, hg,
Filter 2 uninstalled:
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
配置示例:
配置Packet Tracer:
N9K-9508# test packet-tracer src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1 <==== Filter to match echo traffic. Protocol 1 to match icmp traffic
N9K-9508# test packet-tracer src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1 <=== Filter to match echo reply traffic
N9K-9508# test packet-tracer start <==== Start packet tracer
N9K-9508# test packet-tracer show non-zero <==== Command to see packet statistics
Packet-tracer stats
---------------------
Module 1:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 2:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 22:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 23:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 24:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 25:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
测试:从模块1的SRC IP连接模块2的DST IP运行ping:
Router# ping 10.1.1.1 source 10.2.2.1
PING 10.1.1.1 (10.1.1.1) from 10.2.2.1: 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=253 time=0.77 ms
64 bytes from 10.1.1.1: icmp_seq=1 ttl=253 time=0.43 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=253 time=0.408 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=253 time=0.398 ms
64 bytes from 10.1.1.1: icmp_seq=4 ttl=253 time=0.383 ms
--- 10.1.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.383/0.477/0.77 ms
验证:检查Packet Tracer计数:
N9K-9508# test packet-tracer show non-zero <==== Command to see packet statistics
Packet-tracer stats
---------------------
Module 1:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
ASIC instance 0:
Entry 0: id = 7425, count = 5, active, fp, <===== 5 Echo packets ingress on Module 1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 2:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
ASIC instance 0:
Entry 0: id = 7457, count = 5, active, fp, <===== 5 Echo reply packets ingress on Module 2
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 3:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 4:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 22:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
ASIC instance 0:
Entry 0: id = 7425, count = 4, active, hg, <==== Fabric module 22 received 4 echo packets
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 23:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
ASIC instance 0:
Entry 0: id = 7425, count = 1, active, hg, <==== Fabric module 23 received 1 echo packets
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
ASIC instance 0:
Entry 0: id = 7425, count = 3, active, hg, <==== Fabric module 23 received 3 echo reply packets
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 24:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
ASIC instance 0:
Entry 0: id = 7425, count = 2, active, hg, <==== Fabric module 23 received 2 echo reply packets
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 26:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
N9K-9508#
其他有用的命令:
test packet-tracer remove-all <===删除所有已配置的过滤器
test packet-tracer clear <filter #> <=== Clear counters for all filters or specified filter
test packet-tracer src_ip <.> dst_ip <> l4-dst-port <dst_port> | l4-src-port <src_port> | protocol <===根据L4 src_port、L4 dst_port或协议进行匹配。
修订历史记录
| 版本 | 发布日期 | 备注 |
|---|---|---|
2.0 |
15-Dec-2023 |
更新的简介、样式要求、品牌要求和校对。 |
1.0 |
16-Apr-2017 |
初始版本 |
反馈