IOS-XE数据路径数据包跟踪功能
目录
简介
本文档介绍如何通过数据包跟踪功能对Cisco IOS®-XE软件执行数据路径数据包跟踪。
为了在排除故障时识别错误配置、容量过载甚至普通软件漏洞等问题,有必要了解系统中数据包的情况。Cisco IOS-XE数据包跟踪功能可满足此需求。它提供用于记帐的字段安全方法,以便根据用户定义的条件类捕获每个数据包的处理详细信息。
先决条件
要求
思科建议您了解Cisco IOS-XE版本3.10及更高版本以及运行Cisco IOS-XE软件的所有平台(如Cisco 1000系列聚合服务路由器(ASR1K)、Cisco 1000V系列云)中提供的数据包跟踪功能服务路由器(CSR1000v)和Cisco 4451-X系列集成多业务路由器(ISR4451-X)。
使用的组件
本文档中的信息基于以下软件和硬件版本:
- 思科IOS-XE软件版本3.10S(15.3(3)S)及更高版本
- ASR1K
本文档中的信息在特定实验室环境设备上创建。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解使用的任何命令的潜在影响。
参考拓扑
此图说明了用于本文档中所述示例的拓扑:
使用中的数据包跟踪
为了说明数据包跟踪功能的使用,本部分使用的示例描述了从本地工作站172.16.10.2(在ASR1K后面)到远程主机172.16.20.2(Gig0/0/1接口上ASR1K的入口方向)的互联网控制消息协议(ICMP)流量的跟踪。
您可以通过以下两个步骤跟踪ASR1K上的数据包:
- 启用平台条件调试以选择要在ASR1K上跟踪的数据包或流量。
- 启用平台数据包跟踪(路径跟踪或功能调用阵列(FIA)跟踪)。
快速入门指南
如果您已经熟悉本文档的内容,并想要一节快速了解CLI,请参阅此快速入门指南。这些只是几个示例来说明该工具的使用。请参阅后续部分,详细讨论语法,并确保使用适合您要求的配置。
- 配置平台条件:
debug platform condition ipv4 10.0.0.1/32 both --> matches in and out packets with source
or destination as 10.0.0.1/32
debug platform condition ipv4 access-list 198 egress --> (Ensure access-list 198 is
defined prior to configuring this command) - matches egress packets corresponding
to access-list 198
debug platform condition interface gig 0/0/0 ingress --> matches all ingress packets
on interface gig 0/0/0
debug platform condition mpls 10 1 ingress --> matches MPLS packets with top ingress
label 10
debug platform condition ingress --> matches all ingress packets on all interfaces
(use cautiously)配置平台条件后,使用以下CLI命令启动平台条件:
debug platform condition start
- 配置数据包跟踪:
debug platform packet-trace packet 1024 -> basic path-trace, and automatically stops
tracing packets after 1024 packets. You can use "circular" option if needed debug platform packet-trace packet 1024 fia-trace -> enables detailed fia trace, stops
tracing packets after 1024 packets debug platform packet-trace drop [code] -> if you want to trace/capture only
packets that are dropped. Refer to Drop Trace section for more details.
输入以下命令以清除跟踪缓冲区并重置packet-trace:
clear platform packet-trace statistics --> clear the packet trace buffer
清除平台条件和数据包跟踪配置的命令是:
clear platform condition all --> clears both platform conditions and the packet trace configuration
显示命令
在应用前面的命令后,验证平台条件和数据包跟踪配置,以确保满足您的需求。
show platform conditions --> shows the platform conditions configured
show platform packet-trace configuration --> shows the packet-trace configurations
show debugging --> this will show both platform conditions and platform packet-trace configured
以下是用于检查已跟踪/捕获数据包的命令:
show platform packet-trace statistics --> statistics of packets traced
show platform packet-trace summary --> summary of all the packets traced, with input and
output interfaces, processing result and reason. show platform packet-trace packet 12 -> Tracing the 12th packet, with complete path trace
or FIA trace details.
启用平台条件调试
数据包跟踪功能依赖于条件调试基础设施,以确定要跟踪的数据包。条件调试基础设施能够根据以下条件过滤流量:
- 协议
- IP地址和掩码
- 访问控制列表(ACL)
- 接口
- 流量方向(入口或出口)
这些条件定义过滤器应用于数据包的位置和时间。
对于本示例中使用的流量,为从172.16.10.2到172.16.20.2的ICMP数据包启用入口方向的平台条件调试。换句话说,选择要跟踪的流量。您可以使用多种选项来选择此流量。
ASR1000#debug platform condition ?
egress Egress only debug
feature For a specific feature
ingress Ingress only debug
interface Set interface for conditional debug
ipv4 Debug IPv4 conditions
ipv6 Debug IPv6 conditions
start Start conditional debug
stop Stop conditional debug
在本示例中,使用访问列表来定义条件,如下所示:
ASR1000#show access-list 150
Extended IP access list 150
10 permit icmp host 172.16.10.2 host 172.16.20.2
ASR1000#debug platform condition interface gig 0/0/1 ipv4
access-list 150 ingress
要开始条件调试,请输入以下命令:
ASR1000#debug platform condition start
要查看已配置的条件调试过滤器,请输入以下命令:
ASR1000#show platform conditions
Conditional Debug Global State: Start
Conditions Direction
----------------------------------------------------------------------|---------
GigabitEthernet0/0/1 & IPV4 ACL [150] ingress
Feature Condition Format Value
-----------------------|-----------------------|--------------------------------
ASR1000#
总之,到目前为止已应用此配置:
access-list 150 permit icmp host 172.16.10.2 host 172.16.20.2
debug platform condition interface gig 0/0/1 ipv4 access-list 150 ingress
debug platform condition start
启用数据包跟踪
物理接口和逻辑接口(例如隧道接口或虚拟接入接口)都支持数据包跟踪。
以下是数据包跟踪CLI语法:
ASR1000#debug platform packet-trace ?
copy Copy packet data
drop Trace drops only
inject Trace injects only
packet Packet count
punt Trace punts only
debug platform packet-trace packet
[fia-trace | summary-only]
[circular] [data-size
]
以下是此命令的关键字说明:
- pkt-num — 数据包编号指定一次维护的最大数据包数。
- summary-only — 这指定仅捕获摘要数据。默认值是捕获摘要数据和功能路径数据。
- fia-trace — 除路径数据信息外,还可以执行FIA跟踪。
- data-size — 这允许您指定路径数据缓冲区的大小,从2,048字节到16,384字节。默认值为2,048个字节。
debug platform packet-trace copy packet {in | out | both} [L2 | L3 | L4]
[size
]
以下是此命令的关键字说明:
- in/out — 指定要复制的数据包流的方向 — 入口和/或出口。
- L2/L3/L4 — 这允许您指定数据包副本开始的位置。第2层(L2)是默认位置。
- size — 这允许您指定复制的最大八位组数。默认值为64个八位组。
在本示例中,以下命令用于为使用条件调试基础设施选择的流量启用数据包跟踪:
ASR1000#debug platform packet-trace packet 16
要查看数据包跟踪配置,请输入以下命令:
ASR1000#show platform packet-trace configuration
debug platform packet-trace packet 16 data-size 2048
您还可以输入show debugging命令,以查看平台条件调试和数据包跟踪配置:
ASR1000# show debugging
IOSXE Conditional Debug Configs:
Conditional Debug Global State: Start
Conditions
Direction
----------------------------------------------------------------------|---------
GigabitEthernet0/0/1 & IPV4 ACL [150] ingress
...
IOSXE Packet Tracing Configs:
Feature Condition Format Value
-----------------------|-----------------------|--------------------------------
Feature Type Submode Level
-------|--------------|----------------------------------------------|----------
IOSXE Packet Tracing Configs:
debug platform packet-trace packet 16 data-size 2048
总之,到目前为止,已使用此配置数据来启用数据包跟踪:
debug platform packet-trace packet 16
数据包跟踪的出口条件限制
条件定义条件过滤器以及条件过滤器应用于数据包的时间。例如,debug platform condition interface g0/0/0 egress表示当数据包到达接口g0/0/0上的输出FIA时,它被识别为匹配项,因此从入口到该点丢失为止发生的任何数据包处理。
显示数据包跟踪结果
数据包跟踪提供三个特定级别的检查:
- 会计
- 每数据包摘要
- 每数据包路径数据
当从172.16.10.2发送五个ICMP请求数据包到172.16.20.2时,可以使用以下命令查看数据包跟踪结果:
ASR1000#show platform packet-trace statistics
Packets Traced: 5
Ingress 5
Inject 0
Forward 5
Punt 0
Drop 0
Consume 0
ASR1000#show platform packet-trace summary
Pkt Input Output State Reason
0 Gi0/0/1 Gi0/0/0 FWD
1 Gi0/0/1 Gi0/0/0 FWD
2 Gi0/0/1 Gi0/0/0 FWD
3 Gi0/0/1 Gi0/0/0 FWD
4 Gi0/0/1 Gi0/0/0 FWD
ASR1000#show platform packet-trace packet 0
Packet: 0 CBUG ID: 4
Summary
Input : GigabitEthernet0/0/1
Output : GigabitEthernet0/0/0
State : FWD
Timestamp
Start : 1819281992118 ns (05/17/2014 06:42:01.207240 UTC)
Stop : 1819282095121 ns (05/17/2014 06:42:01.207343 UTC)
Path Trace
Feature: IPV4
Source : 172.16.10.2
Destination : 172.16.20.2
Protocol : 1 (ICMP)
ASR1000#
从这些输出中,您可以看到跟踪了五个数据包,您可以查看输入接口、输出接口、状态和路径跟踪。
| 州/省 | 备注 |
| FWD | 该数据包被安排/排队等待传输,通过出口接口转发到下一跳。 |
| PUNT | 数据包从转发处理器(FP)传送到路由处理器(RP)(控制平面)。 |
| 丢弃 | 数据包在FP上丢弃。运行FIA跟踪、使用全局丢弃计数器或使用数据路径调试以查找更多详细信息,原因是丢弃。 |
| 缺点 | 数据包在数据包处理期间使用,例如在ICMP ping请求或加密数据包期间使用。 |
分组跟踪统计输出中的入口和注入计数器分别对应于通过外部接口进入的分组和被视为从控制平面注入的分组。
FIA跟踪
FIA保存在转发数据包时由量子流处理器(QFP)中的数据包处理器引擎(PPE)按顺序执行的功能列表。这些功能基于计算机上应用的配置数据。因此,FIA跟踪有助于了解数据包在处理时通过系统的流。
必须应用此配置数据,才能使用FIA启用数据包跟踪:
ASR1000#debug platform packet-trace packet 16 fia-trace
显示数据包跟踪结果
输入用于启用FIA跟踪的命令后,从172.16.10.2到172.16.20.2发送五个ICMP数据包,如上一节所述。
ASR1000#show platform packet-trace summary
Pkt Input Output State Reason
0 Gi0/0/1 Gi0/0/0 FWD
1 Gi0/0/1 Gi0/0/0 FWD
2 Gi0/0/1 Gi0/0/0 FWD
3 Gi0/0/1 Gi0/0/0 FWD
4 Gi0/0/1 Gi0/0/0 FWD
ASR1000#show platform packet-trace packet 0
Packet: 0 CBUG ID: 9
Summary
Input : GigabitEthernet0/0/1
Output : GigabitEthernet0/0/0
State : FWD
Timestamp
Start : 1819281992118 ns (05/17/2014 06:42:01.207240 UTC)
Stop : 1819282095121 ns (05/17/2014 06:42:01.207343 UTC)
Path Trace
Feature: IPV4
Source : 172.16.10.2
Destination : 172.16.20.2
Protocol : 1 (ICMP)
Feature: FIA_TRACE
Entry : 0x8059dbe8 - DEBUG_COND_INPUT_PKT
Timestamp : 3685243309297
Feature: FIA_TRACE
Entry : 0x82011a00 - IPV4_INPUT_DST_LOOKUP_CONSUME
Timestamp : 3685243311450
Feature: FIA_TRACE
Entry : 0x82000170 - IPV4_INPUT_FOR_US_MARTIAN
Timestamp : 3685243312427
Feature: FIA_TRACE
Entry : 0x82004b68 - IPV4_OUTPUT_LOOKUP_PROCESS
Timestamp : 3685243313230
Feature: FIA_TRACE
Entry : 0x8034f210 - IPV4_INPUT_IPOPTIONS_PROCESS
Timestamp : 3685243315033
Feature: FIA_TRACE
Entry : 0x82013200 - IPV4_OUTPUT_GOTO_OUTPUT_FEATURE
Timestamp : 3685243315787
Feature: FIA_TRACE
Entry : 0x80321450 - IPV4_VFR_REFRAG
Timestamp : 3685243316980
Feature: FIA_TRACE
Entry : 0x82014700 - IPV6_INPUT_L2_REWRITE
Timestamp : 3685243317713
Feature: FIA_TRACE
Entry : 0x82000080 - IPV4_OUTPUT_FRAG
Timestamp : 3685243319223
Feature: FIA_TRACE
Entry : 0x8200e500 - IPV4_OUTPUT_DROP_POLICY
Timestamp : 3685243319950
Feature: FIA_TRACE
Entry : 0x8059aff4 - PACTRAC_OUTPUT_STATS
Timestamp : 3685243323603
Feature: FIA_TRACE
Entry : 0x82016100 - MARMOT_SPA_D_TRANSMIT_PKT
Timestamp : 3685243326183
ASR1000#
检查与接口关联的FIA
当您启用平台条件调试时,它将作为功能添加到FIA。根据添加到列表的位置,您可能需要调整平台条件,例如跟踪预封装和后封装数据包。
此输出显示FIA中在入口方向上启用的平台条件调试功能的顺序:
ASR1000#show platform hardware qfp active interface if-name GigabitEthernet 0/0/1
General interface information
Interface Name: GigabitEthernet0/0/1
Interface state: VALID
Platform interface handle: 10
QFP interface handle: 8
Rx uidb: 1021
Tx uidb: 131064
Channel: 16
Interface Relationships
BGPPA/QPPB interface configuration information
Ingress: BGPPA/QPPB not configured. flags: 0000
Egress : BGPPA not configured. flags: 0000
ipv4_input enabled.
ipv4_output enabled.
layer2_input enabled.
layer2_output enabled.
ess_ac_input enabled.
Features Bound to Interface:
2 GIC FIA state
48 PUNT INJECT DB
39 SPA/Marmot server
40 ethernet
1 IFM
31 icmp_svr
33 ipfrag_svr
34 ipreass_svr
36 ipvfr_svr
37 ipv6vfr_svr
12 CPP IPSEC
Protocol 0 - ipv4_input
FIA handle - CP:0x108d99cc DP:0x8070f400
IPV4_INPUT_DST_LOOKUP_ISSUE (M)
IPV4_INPUT_ARL_SANITY (M)
CBUG_INPUT_FIA
DEBUG_COND_INPUT_PKT
IPV4_INPUT_DST_LOOKUP_CONSUME (M)
IPV4_INPUT_FOR_US_MARTIAN (M)
IPV4_INPUT_IPSEC_CLASSIFY
IPV4_INPUT_IPSEC_COPROC_PROCESS
IPV4_INPUT_IPSEC_RERUN_JUMP
IPV4_INPUT_LOOKUP_PROCESS (M)
IPV4_INPUT_IPOPTIONS_PROCESS (M)
IPV4_INPUT_GOTO_OUTPUT_FEATURE (M)
Protocol 1 - ipv4_output
FIA handle - CP:0x108d9a34 DP:0x8070eb00
IPV4_OUTPUT_VFR
MC_OUTPUT_GEN_RECYCLE (D)
IPV4_VFR_REFRAG (M)
IPV4_OUTPUT_IPSEC_CLASSIFY
IPV4_OUTPUT_IPSEC_COPROC_PROCESS
IPV4_OUTPUT_IPSEC_RERUN_JUMP
IPV4_OUTPUT_L2_REWRITE (M)
IPV4_OUTPUT_FRAG (M)
IPV4_OUTPUT_DROP_POLICY (M)
PACTRAC_OUTPUT_STATS
MARMOT_SPA_D_TRANSMIT_PKT
DEF_IF_DROP_FIA (M)
Protocol 8 - layer2_input
FIA handle - CP:0x108d9bd4 DP:0x8070c700
LAYER2_INPUT_SIA (M)
CBUG_INPUT_FIA
DEBUG_COND_INPUT_PKT
LAYER2_INPUT_LOOKUP_PROCESS (M)
LAYER2_INPUT_GOTO_OUTPUT_FEATURE (M)
Protocol 9 - layer2_output
FIA handle - CP:0x108d9658 DP:0x80714080
LAYER2_OUTPUT_SERVICEWIRE (M)
LAYER2_OUTPUT_DROP_POLICY (M)
PACTRAC_OUTPUT_STATS
MARMOT_SPA_D_TRANSMIT_PKT
DEF_IF_DROP_FIA (M)
Protocol 14 - ess_ac_input
FIA handle - CP:0x108d9ba0 DP:0x8070cb80
PPPOE_GET_SESSION
ESS_ENTER_SWITCHING
PPPOE_HANDLE_UNCLASSIFIED_SESSION
DEF_IF_DROP_FIA (M)
QfpEth Physical Information
DPS Addr: 0x11215eb8
Submap Table Addr: 0x00000000
VLAN Ethertype: 0x8100
QOS Mode: Per Link
ASR1000#
转储跟踪的数据包
您可以按照本节所述,在跟踪数据包时复制和转储这些数据包。此示例展示如何在入口方向(172.16.10.2到172.16.20.2)复制最多2,048个字节的数据包。
以下是需要的附加命令:
ASR1000#debug platform packet-trace copy packet input size 2048
输入此命令以转储复制的数据包:
ASR1000#show platform packet-trace packet 0
Packet: 0 CBUG ID: 14
Summary
Input : GigabitEthernet0/0/1
Output : GigabitEthernet0/0/0
State : FWD
Timestamp
Start : 1819281992118 ns (05/17/2014 06:40:01.207240 UTC)
Stop : 1819282095121 ns (05/17/2014 06:40:01.207343 UTC)
Path Trace
Feature: IPV4
Source : 172.16.10.2
Destination : 172.16.20.2
Protocol : 1 (ICMP)
Feature: FIA_TRACE
Entry : 0x8059dbe8 - DEBUG_COND_INPUT_PKT
Timestamp : 4458180580929
<some content excluded>
Feature: FIA_TRACE
Entry : 0x82016100 - MARMOT_SPA_D_TRANSMIT_PKT
Timestamp : 4458180593896
Packet Copy In
a4934c8e 33020023 33231379 08004500 00640160 0000ff01 5f16ac10 0201ac10
01010800 1fd40024 00000000 000184d0 d980abcd abcdabcd abcdabcd abcdabcd
abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd
abcdabcd abcdabcd abcdabcd abcdabcd abcd
ASR1000#
丢弃跟踪
Cisco IOS-XE软件版本3.11及更高版本中提供丢弃跟踪。它仅对丢弃的数据包启用数据包跟踪。以下是该功能的一些亮点:
- 或者,它允许您指定特定丢弃代码的数据包保留。
- 它可在没有全局或接口条件的情况下使用,以捕获丢弃事件。
- 丢弃事件捕获意味着只跟踪丢弃本身,而不跟踪数据包的生命周期。但是,它仍允许您捕获摘要数据、元组数据和数据包,以帮助细化条件或提供下一调试步骤的线索。
以下是用于启用丢弃类型数据包跟踪的命令语法:
debug platform packet-trace drop [code
]
丢弃代码与丢弃ID相同,如show platform hardware qfp active statistics drop detail命令输出中所报告的:
ASR1000#show platform hardware qfp active statistics drop detail
--------------------------------------------------------------------------------
ID Global Drop Stats Packets Octets
--------------------------------------------------------------------------------
60 IpTtlExceeded 3 126
8 Ipv4Acl 32 3432
丢弃跟踪场景示例
在ASR1K的Gig 0/0/0接口上应用此ACL,以将流量从172.16.10.2丢弃到172.16.20.2:
access-list 199 deny ip host 172.16.10.2 host 172.16.20.2
access-list 199 permit ip any any
interface Gig 0/0/0
ip access-group 199 out
在ACL就位后,应用此丢弃跟踪配置:
debug platform condition interface Gig 0/0/1 ingress
debug platform condition start
debug platform packet-trace packet 1024 fia-trace
debug platform packet-trace drop
从172.16.10.2到172.16.20.2发送五个ICMP请求数据包。丢弃跟踪捕获ACL丢弃的这些数据包,如图所示:
ASR1000#show platform packet-trace statistics
Packets Summary
Matched 5
Traced 5
Packets Received
Ingress 5
Inject 0
Packets Processed
Forward 0
Punt 0
Drop 5
Count Code Cause
5 8 Ipv4Acl
Consume 0
ASR1000#show platform packet-trace summary
Pkt Input Output State Reason
0 Gi0/0/1 Gi0/0/0 DROP 8 (Ipv4Acl)
1 Gi0/0/1 Gi0/0/0 DROP 8 (Ipv4Acl)
2 Gi0/0/1 Gi0/0/0 DROP 8 (Ipv4Acl)
3 Gi0/0/1 Gi0/0/0 DROP 8 (Ipv4Acl)
4 Gi0/0/1 Gi0/0/0 DROP 8 (Ipv4Acl)
ASR1K#debug platform condition stop
ASR1K#show platform packet-trace packet 0
Packet: 0 CBUG ID: 140
Summary
Input : GigabitEthernet0/0/1
Output : GigabitEthernet0/0/0
State : DROP 8 (Ipv4Acl)
Timestamp
Start : 1819281992118 ns (05/17/2014 06:42:01.207240 UTC)
Stop : 1819282095121 ns (05/17/2014 06:42:01.207343 UTC)
Path Trace
Feature: IPV4
Source : 172.16.10.2
Destination : 172.16.20.2
Protocol : 1 (ICMP)
Feature: FIA_TRACE
Entry : 0x806c7eac - DEBUG_COND_INPUT_PKT
Lapsed time: 1031 ns
Feature: FIA_TRACE
Entry : 0x82011c00 - IPV4_INPUT_DST_LOOKUP_CONSUME
Lapsed time: 657 ns
Feature: FIA_TRACE
Entry : 0x806a2698 - IPV4_INPUT_ACL
Lapsed time: 2773 ns
Feature: FIA_TRACE
Entry : 0x82000170 - IPV4_INPUT_FOR_US_MARTIAN
Lapsed time: 1013 ns
Feature: FIA_TRACE
Entry : 0x82004500 - IPV4_OUTPUT_LOOKUP_PROCESS
Lapsed time: 2951 ns
Feature: FIA_TRACE
Entry : 0x8041771c - IPV4_INPUT_IPOPTIONS_PROCESS
Lapsed time: 373 ns
Feature: FIA_TRACE
Entry : 0x82013400 - MPLS_INPUT_GOTO_OUTPUT_FEATURE
Lapsed time: 2097 ns
Feature: FIA_TRACE
Entry : 0x803c60b8 - IPV4_MC_OUTPUT_VFR_REFRAG
Lapsed time: 373 ns
Feature: FIA_TRACE
Entry : 0x806db148 - OUTPUT_DROP
Lapsed time: 1297 ns
Feature: FIA_TRACE
Entry : 0x806a0c98 - IPV4_OUTPUT_ACL
Lapsed time: 78382 ns
ASR1000#
注入和注入跟踪
Cisco IOS-XE软件版本3.12及更高版本中添加了注入和注入数据包跟踪功能,以跟踪注入(在FP上接收并传送到控制平面的数据包)和注入(从控制平面注入到FP的数据包)数据包。
以下是从ASR1K ping相邻路由器时的punt和inject数据包跟踪的示例:
ASR1000#debug platform condition ipv4 172.16.10.2/32 both
ASR1000#debug platform condition start
ASR1000#debug platform packet-trace punt
ASR1000#debug platform packet-trace inject
ASR1000#debug platform packet-trace packet 16
ASR1000#
ASR1000#ping 172.16.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/14/15 ms
ASR1000#
现在,您可以验证punt并注入跟踪结果:
ASR1000#show platform packet-trace summary
Pkt Input Output State Reason
0 INJ.2 Gi0/0/1 FWD
1 Gi0/0/1 internal0/0/rp:0 PUNT 11 (For-us data)
2 INJ.2 Gi0/0/1 FWD
3 Gi0/0/1 internal0/0/rp:0 PUNT 11 (For-us data)
4 INJ.2 Gi0/0/1 FWD
5 Gi0/0/1 internal0/0/rp:0 PUNT 11 (For-us data)
6 INJ.2 Gi0/0/1 FWD
7 Gi0/0/1 internal0/0/rp:0 PUNT 11 (For-us data)
8 INJ.2 Gi0/0/1 FWD
9 Gi0/0/1 internal0/0/rp:0 PUNT 11 (For-us data)
ASR1000#show platform packet-trace packet 0
Packet: 0 CBUG ID: 120
Summary
Input : INJ.2
Output : GigabitEthernet0/0/1
State : FWD
Timestamp
Start : 115612780360228 ns (05/29/2014 15:02:55.467987 UTC)
Stop : 115612780380931 ns (05/29/2014 15:02:55.468008 UTC)
Path Trace
Feature: IPV4
Source : 172.16.10.1
Destination : 172.16.10.2
Protocol : 1 (ICMP)
ASR1000#
ASR1000#show platform packet-trace packet 1
Packet: 1 CBUG ID: 121
Summary
Input : GigabitEthernet0/0/1
Output : internal0/0/rp:0
State : PUNT 11 (For-us data)
Timestamp
Start : 115612781060418 ns (05/29/2014 15:02:55.468687 UTC)
Stop : 115612781120041 ns (05/29/2014 15:02:55.468747 UTC)
Path Trace
Feature: IPV4
Source : 172.16.10.2
Destination : 172.16.10.1
Protocol : 1 (ICMP)
数据包跟踪示例
本节提供一些示例,其中数据包跟踪功能对故障排除有用。
数据包跟踪示例 — NAT
在本例中,在本地子网(172.16.10.0/24)的ASR1K(Gig0/0/0)的WAN接口上配置接口源网络地址转换(NAT)。
以下是用于跟踪从172.16.10.2到172.16.20.2的流量的平台条件和数据包跟踪配置,该流量在Gig0/0/0接口上变为转换(NAT):
debug platform condition interface Gig 0/0/1 ingress
debug platform condition start
debug platform packet-trace packet 1024 fia-trace
使用接口源NAT配置从172.16.10.2发送到172.16.20.2的5个ICMP数据包时,以下是数据包跟踪结果:
ASR1000#show platform packet-trace summary
Pkt Input Output State Reason
0 Gi0/0/1 Gi0/0/0 FWD
1 Gi0/0/1 Gi0/0/0 FWD
2 Gi0/0/1 Gi0/0/0 FWD
3 Gi0/0/1 Gi0/0/0 FWD
4 Gi0/0/1 Gi0/0/0 FWD
ASR1000#show platform packet-trace statistics
Packets Summary
Matched 5
Traced 5
Packets Received
Ingress 5
Inject 0
Packets Processed
Forward 5
Punt 0
Drop 0
Consume 0
ASR1000#show platform packet-trace packet 0
Packet: 0 CBUG ID: 146
Summary
Input : GigabitEthernet0/0/1
Output : GigabitEthernet0/0/0
State : FWD
Timestamp
Start : 3010217805313 ns (05/17/2014 07:01:52.227836 UTC)
Stop : 3010217892847 ns (05/17/2014 07:01:52.227923 UTC)
Path Trace
Feature: IPV4
Source : 172.16.10.2
Destination : 172.16.20.2
Protocol : 1 (ICMP)
Feature: FIA_TRACE
Entry : 0x806c7eac - DEBUG_COND_INPUT_PKT
Lapsed time: 1031 ns
Feature: FIA_TRACE
Entry : 0x82011c00 - IPV4_INPUT_DST_LOOKUP_CONSUME
Lapsed time: 462 ns
Feature: FIA_TRACE
Entry : 0x82000170 - IPV4_INPUT_FOR_US_MARTIAN
Lapsed time: 355 ns
Feature: FIA_TRACE
Entry : 0x803c6af4 - IPV4_INPUT_VFR
Lapsed time: 266 ns
Feature: FIA_TRACE
Entry : 0x82004500 - IPV4_OUTPUT_LOOKUP_PROCESS
Lapsed time: 942 ns
Feature: FIA_TRACE
Entry : 0x8041771c - IPV4_INPUT_IPOPTIONS_PROCESS
Lapsed time: 88 ns
Feature: FIA_TRACE
Entry : 0x82013400 - MPLS_INPUT_GOTO_OUTPUT_FEATURE
Lapsed time: 568 ns
Feature: FIA_TRACE
Entry : 0x803c6900 - IPV4_OUTPUT_VFR
Lapsed time: 266 ns
Feature: NAT
Direction : IN to OUT
Action : Translate Source
Old Address : 172.16.10.2 00028
New Address : 192.168.10.1 00002
Feature: FIA_TRACE
Entry : 0x8031c248 - IPV4_NAT_OUTPUT_FIA
Lapsed time: 55697 ns
Feature: FIA_TRACE
Entry : 0x801424f8 - IPV4_OUTPUT_THREAT_DEFENSE
Lapsed time: 693 ns
Feature: FIA_TRACE
Entry : 0x803c60b8 - IPV4_MC_OUTPUT_VFR_REFRAG
Lapsed time: 88 ns
Feature: FIA_TRACE
Entry : 0x82014900 - IPV6_INPUT_L2_REWRITE
Lapsed time: 444 ns
Feature: FIA_TRACE
Entry : 0x82000080 - IPV4_OUTPUT_FRAG
Lapsed time: 88 ns
Feature: FIA_TRACE
Entry : 0x8200e600 - IPV4_OUTPUT_DROP_POLICY
Lapsed time: 1457 ns
Feature: FIA_TRACE
Entry : 0x82017980 - MARMOT_SPA_D_TRANSMIT_PKT
Lapsed time: 7431 ns
ASR1000#
数据包跟踪示例 — VPN
在本示例中,ASR1K和Cisco IOS路由器之间使用站点到站点VPN隧道,以保护在172.16.10.0/24和172.16.20.0/24(本地和远程子网)之间传输的流量。
以下是用于跟踪Gig 0/0/1接口上从172.16.10.2流到172.16.20.2的VPN流量的平台条件和数据包跟踪配置:
debug platform condition interface Gig 0/0/1 ingress
debug platform condition start
debug platform packet-trace packet 1024 fia-trace
在本例中,从172.16.10.2到172.16.20.2发送了五个ICMP数据包,这些数据包通过ASR1K和Cisco IOS路由器之间的VPN隧道进行加密,这些是数据包跟踪输出:
ASR1000#show platform packet-trace summary
Pkt Input Output State Reason
0 Gi0/0/1 Gi0/0/0 FWD
1 Gi0/0/1 Gi0/0/0 FWD
2 Gi0/0/1 Gi0/0/0 FWD
3 Gi0/0/1 Gi0/0/0 FWD
4 Gi0/0/1 Gi0/0/0 FWD
ASR1000#show platform packet-trace packet 0
Packet: 0 CBUG ID: 211
Summary
Input : GigabitEthernet0/0/1
Output : GigabitEthernet0/0/0
State : FWD
Timestamp
Start : 4636921551459 ns (05/17/2014 07:28:59.211375 UTC)
Stop : 4636921668739 ns (05/17/2014 07:28:59.211493 UTC)
Path Trace
Feature: IPV4
Source : 172.16.10.2
Destination : 172.16.20.2
Protocol : 1 (ICMP)
Feature: FIA_TRACE
Entry : 0x806c7eac - DEBUG_COND_INPUT_PKT
Lapsed time: 622 ns
Feature: FIA_TRACE
Entry : 0x82011c00 - IPV4_INPUT_DST_LOOKUP_CONSUME
Lapsed time: 462 ns
Feature: FIA_TRACE
Entry : 0x82000170 - IPV4_INPUT_FOR_US_MARTIAN
Lapsed time: 320 ns
Feature: FIA_TRACE
Entry : 0x82004500 - IPV4_OUTPUT_LOOKUP_PROCESS
Lapsed time: 1102 ns
Feature: FIA_TRACE
Entry : 0x8041771c - IPV4_INPUT_IPOPTIONS_PROCESS
Lapsed time: 88 ns
Feature: FIA_TRACE
Entry : 0x82013400 - MPLS_INPUT_GOTO_OUTPUT_FEATURE
Lapsed time: 586 ns
Feature: FIA_TRACE
Entry : 0x803c6900 - IPV4_OUTPUT_VFR
Lapsed time: 266 ns
Feature: FIA_TRACE
Entry : 0x80757914 - MC_OUTPUT_GEN_RECYCLE
Lapsed time: 195 ns
Feature: FIA_TRACE
Entry : 0x803c60b8 - IPV4_MC_OUTPUT_VFR_REFRAG
Lapsed time: 88 ns
Feature: IPSec
Result : IPSEC_RESULT_SA
Action : ENCRYPT
SA Handle : 6
Peer Addr : 192.168.20.1
Local Addr: 192.168.10.1
Feature: FIA_TRACE
Entry : 0x8043caec - IPV4_OUTPUT_IPSEC_CLASSIFY
Lapsed time: 9528 ns
Feature: FIA_TRACE
Entry : 0x8043915c - IPV4_OUTPUT_IPSEC_DOUBLE_ACL
Lapsed time: 355 ns
Feature: FIA_TRACE
Entry : 0x8043b45c - IPV4_IPSEC_FEATURE_RETURN
Lapsed time: 657 ns
Feature: FIA_TRACE
Entry : 0x8043ae28 - IPV4_OUTPUT_IPSEC_RERUN_JUMP
Lapsed time: 888 ns
Feature: FIA_TRACE
Entry : 0x80436f10 - IPV4_OUTPUT_IPSEC_POST_PROCESS
Lapsed time: 2186 ns
Feature: FIA_TRACE
Entry : 0x8043b45c - IPV4_IPSEC_FEATURE_RETURN
Lapsed time: 675 ns
Feature: FIA_TRACE
Entry : 0x82014900 - IPV6_INPUT_L2_REWRITE
Lapsed time: 1902 ns
Feature: FIA_TRACE
Entry : 0x82000080 - IPV4_OUTPUT_FRAG
Lapsed time: 71 ns
Feature: FIA_TRACE
Entry : 0x8200e600 - IPV4_OUTPUT_DROP_POLICY
Lapsed time: 1582 ns
Feature: FIA_TRACE
Entry : 0x82017980 - MARMOT_SPA_D_TRANSMIT_PKT
Lapsed time: 3964 ns
ASR1000#
性能影响
数据包跟踪缓冲区会消耗QFP DRAM,因此请注意配置所需的内存量和可用内存量。
性能影响因启用的数据包跟踪选项而异。数据包跟踪仅影响跟踪的数据包的转发性能,例如与用户配置的条件匹配的数据包。配置数据包跟踪以捕获的更精细和更详细的信息,对资源的影响就越大。
与任何故障排除一样,最好采用迭代方法,并仅在调试情况允许时启用更详细的跟踪选项。
QFP DRAM的使用情况可通过以下公式进行估计:
所需内存=(统计信息开销)+数据包数*(摘要大小+路径数据大小+复制大小)
反馈