配置Nexus 9000:Packet Tracer工具
簡介
本文檔介紹如何配置Cisco Nexus 9000 Packet Tracer實用程式。
必要條件
需求
思科建議您瞭解以下主題的基本知識:
- Cisco Nexus 9000硬體架構
採用元件
本文中的資訊係根據以下軟體和硬體版本:
- Cisco Nexus 9500
- 軟體版本7.0(3)I2(2a)
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
背景資訊
Packet Tracer是Nexus 9000上的內建實用程式,可用於跟蹤資料包透過交換機的路徑。它可以使用命令列呼叫,並且可以配置為匹配IP地址和/或第4層屬性。它不能用於匹配ARP流量。
此工具可確認流是否透過交換機。它還提供一個用於跟蹤流量統計資料的計數器,該計數器可用於間歇性/完全資料包丟失的情況。
使用案例案例
- 僅適用於IPv4流(不支援IPv6和非IP)
- 此工具不顯示wireshark顯示的資料包內部詳細資訊。
- 間歇性資料包丟失:Ping或任何其他實用程式可以提供資料包丟失的確切症狀
- 完全資料包丟失
支援的硬體
僅支援使用Broadcom Trident II asic的線卡/光纖模組或TOR。清單如下:
- N9K-C9372TX
- N9K-C9372PX
- N9K-C9332PQ
- N9K-C9396TX
- N9K-C9396PX
- N9K-C93128TX
- N9K-C9336PQ
- N9K-X9564PX
- N9K-X9564TX
- N9K-X9636PQ
不支援的硬體
- N9K-C93180YC-EX
- N9K-X9732C-EX
- N9K-C9232C
- N9k-C9272Q
- N9k-C92160YC
注意:如果未列出特定板卡/TOR,請聯絡TAC
如何使用Packet Tracer
組態
Packet Tracer命令是執行級命令。
N9K-9508#test packet-tracer src_ip <src_ip> dst_ip <dst_ip> <==== provide your src and dst ip
N9K-9508#test packet-tracer start <==== Start packet tracer
N9K-9508#test packet-tracer stop <==== Stop packet tracer
N9K-9508#test packet-tracer show <==== Check for packet matches
上述命令對線路卡或交換矩陣模組上存在的每個Broadcom Trident II Asic上的觸發器進行程式設計。當具有匹配屬性的流透過這些模組時,它會顯示所命中的計數器,從而幫助標識交換機內的路徑(入口模組—>交換矩陣模組之一---->出口模組)。
這些計數器可用於關聯丟棄。
背景資訊
交換矩陣模組互連I/O模組插槽。所有交換矩陣模組都處於活動狀態並傳輸流量。每個交換矩陣模組兩個Broadcom Trident II ASIC (T2)例項。
問題
PACL (Port Access-list)用於檢視特定物理介面是否收到我們感興趣的流量。但是,在Nexus平台上,某些板卡沒有為PACL劃分的TCAM。TCAM雕刻需要重新載入模組。在這些情況下,使用Packet Tracer匹配相關的流量。您還可以跟蹤通往交換矩陣埠和通往出口模組的資料包。因此,Packet Tracer可以讓您更清楚地瞭解流量在交換機中的轉發方式。
Packet Tracer使用為SPAN劃分的TCAM條目。
解決方案
NS -北星ASIC
T2 -三叉戟二ASIC
NFE -網路轉發引擎
ALE - ACI枝葉引擎
有關Nexus 9000交換機體系結構的詳細資訊,請參閱此白皮書。
註:9500機箱上最多有六個交換矩陣模組。在上一張圖片中只顯示一個結構以簡化操作。來自模組的流量可能衝擊任何交換矩陣模組。
使用案例:匹配入口模組上的流量、交換矩陣模組上的流量入口和出口模組上的流量入口T2 ASIC
以下是需要配置以匹配感興趣流量的基本步驟:
switch#test packet-tracer {<src-ip>|<dst-ip>|<src-l4-port>|<dst-l4-port>} [<protocol>] [detail-fp|detail-hg]
以下是您需要的配置:
switch#test packet-tracer src_ip <src_ip> dst_ip <dst_ip> protocol <> <==== provide your src and dst ip and protocol (protocol option 1 is for icmp)
switch#test packet-tracer start <==== Start packet tracer
switch#test packet-tracer show <==== Check for packet match statistics
您不需要將其套用至任何特定介面。這些配置在T2 ASIC的所有例項上跨所有LC/FM安裝過濾器ACL。
它顯示流量進入的模組上的資料包計數。這與我們在模組(包括板卡和交換矩陣)上感興趣的資料流傳入相匹配。
以下是組態範例:
N9K-9508# test packet-tracer src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1 <=== Protocol 1 matches ICMP traffic
N9K-9508# test packet-tracer start
以下是如何解釋「test packet-tracer show」的輸出:
N9K-9508# test packet-tracer show
Packet-tracer stats
---------------------
Module 1: <=== Slot #. Same output will be displayed for other Linecards's and Fabric modules.
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 <==== Our filter #1
ASIC instance 0: <==== Trident ASIC instance #0
Entry 0: id = 7425, count = 0, active, fp, <==== pakcet match count on front panel port. it could be any port
Entry 1: id = 7426, count = 0, active, hg, <==== packet match count from fabric module to T2 ASIC on the linecard
ASIC instance 1:
Entry 0: id = 7425, count = 0, active, fp,
Entry 1: id = 7426, count = 0, active, hg,
Filter 2 uninstalled:
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
配置示例:
配置Packet Tracer:
N9K-9508# test packet-tracer src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1 <==== Filter to match echo traffic. Protocol 1 to match icmp traffic
N9K-9508# test packet-tracer src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1 <=== Filter to match echo reply traffic
N9K-9508# test packet-tracer start <==== Start packet tracer
N9K-9508# test packet-tracer show non-zero <==== Command to see packet statistics
Packet-tracer stats
---------------------
Module 1:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 2:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 22:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 23:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 24:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 25:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
測試:從模組1的SRC IP Connected Off運行對模組2的DST IP Connected Off的ping:
Router# ping 10.1.1.1 source 10.2.2.1
PING 10.1.1.1 (10.1.1.1) from 10.2.2.1: 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=253 time=0.77 ms
64 bytes from 10.1.1.1: icmp_seq=1 ttl=253 time=0.43 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=253 time=0.408 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=253 time=0.398 ms
64 bytes from 10.1.1.1: icmp_seq=4 ttl=253 time=0.383 ms
--- 10.1.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.383/0.477/0.77 ms
驗證:檢查Packet Tracer計數:
N9K-9508# test packet-tracer show non-zero <==== Command to see packet statistics
Packet-tracer stats
---------------------
Module 1:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
ASIC instance 0:
Entry 0: id = 7425, count = 5, active, fp, <===== 5 Echo packets ingress on Module 1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 2:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
ASIC instance 0:
Entry 0: id = 7457, count = 5, active, fp, <===== 5 Echo reply packets ingress on Module 2
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 3:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 4:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 22:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
ASIC instance 0:
Entry 0: id = 7425, count = 4, active, hg, <==== Fabric module 22 received 4 echo packets
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 23:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
ASIC instance 0:
Entry 0: id = 7425, count = 1, active, hg, <==== Fabric module 23 received 1 echo packets
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
ASIC instance 0:
Entry 0: id = 7425, count = 3, active, hg, <==== Fabric module 23 received 3 echo reply packets
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 24:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
ASIC instance 0:
Entry 0: id = 7425, count = 2, active, hg, <==== Fabric module 23 received 2 echo reply packets
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
Module 26:
Filter 1 installed: src-ip 10.1.1.1 dst-ip 10.2.2.1 protocol 1
Filter 2 installed: src-ip 10.2.2.1 dst-ip 10.1.1.1 protocol 1
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:
N9K-9508#
其他有用的命令:
test packet-tracer remove-all <===刪除所有已配置的過濾器
test packet tracer clear <filter #> <=== Clear counters for all filters or specified filter
test packet-tracer src_ip <.> dst_ip <> l4-dst-port <dst_port> | l4-src-port <src_port> | protocol <===根據L4 src_port、L4 dst_port或協定進行匹配。
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
2.0 |
15-Dec-2023 |
更新的簡介、樣式需求、品牌需求與校對。 |
1.0 |
16-Apr-2017 |
初始版本 |
意見