RouteLeakNexus 9000 - Packet Tracer

Nexus 9000 – Packet Tracer

Packet-tracer is a built in utility on the Nexus 9000 that’s used to trace the path of a packet transiting the switch. This is extremely useful in terms of troubleshooting as this tool can confirm whether or not a specific traffic flow is traversing the switch. It’s also useful to pinpoint packet loss as it displays counters to track flow statistics. Note that this can’t be used for ARP traffic, IPv6 and non-IP based flow at the time of this post.

We will be working with the following setup today.

Here, we have daisy-chained three N9Ks and each N9K has a loopback address per the diagram above.

Packet-tracer commands are EXEC level commands.

N9K-9508#test packet-tracer src_ip <src_ip> dst_ip <dst_ip> <==== provide your src and dst ip 
N9K-9508#test packet-tracer start <==== Start packet tracer
N9K-9508#test packet-tracer stop <==== Start packet tracer
N9K-9508#test packet-tracer show <==== Check for packet matches

Let's dive into the CLI.

Here we're going to SSH to N9K1 from N9K3 and run our trace. Let's first configure packet tracer on N9K2.

N9K2# test packet-tracer src-ip 23.1.1.3 dst-ip 12.1.1.1 protocol 22
N9K2# 
N9K2# test packet-tracer start

Notice here how we do not need to specify an exit interface. That’s because the configurations installs filter ACL across all LCs and FMs. The second line starts the capture. Let’s now SSH from N9K3.

N9K3# ssh admin@12.1.1.1 
User Access Verification
Password: 

Cisco NX-OS Software
Copyright (c) 2002-2017, Cisco Systems, Inc. All rights reserved.
NX-OSv9K software ("NX-OSv9K Software") and related documentation,
files or other reference materials ("Documentation") are
the proprietary property and confidential information of Cisco
Systems, Inc. ("Cisco") and are protected, without limitation,
pursuant to United States and International copyright and trademark
laws in the applicable jurisdiction which provide civil and criminal
penalties for copying or distribution without Cisco's authorization.

Any use or disclosure, in whole or in part, of the NX-OSv9K Software
or Documentation to any third party for any purposes is expressly
prohibited except as otherwise authorized by Cisco in writing.
The copyrights to certain works contained herein are owned by other
third parties and are used and distributed under license. Some parts
of this software may be covered under the GNU Public License or the
GNU Lesser General Public License. A copy of each such license is
available at
http://www.gnu.org/licenses/gpl.html and
http://www.gnu.org/licenses/lgpl.html
***************************************************************************
*  NX-OSv9K is strictly limited to use for evaluation, demonstration      *
*  and NX-OS education. Any use or disclosure, in whole or in part of     *
*  the NX-OSv9K Software or Documentation to any third party for any      *
*  purposes is expressly prohibited except as otherwise authorized by     *
*  Cisco in writing.                                                      *
***************************************************************************
N9K1#

Very good. Let’s check if in fact the ssh flow session passes through N9K2.

N9K2# test packet-tracer show

 Packet-tracer stats
---------------------

Module 1:
Filter 1 installed:  src-ip 23.1.1.3 dst-ip 12.1.1.1 protocol 1 
Filter 2 installed:  src-ip 23.1.1.3 dst-ip 12.1.1.1 protocol 22 
Filter 3 uninstalled:
Filter 4 uninstalled:
Filter 5 uninstalled:

Here we can clearly see that the traffic is in fact making it to N9K2. The first filter referenced ICMP traffic which I configured earlier (Protocol 1).

This is a useful tool because even if the packets are being dropped by an ACL for instance, this helps determine whether or not the packets are reaching the router incoming interface. This helps narrow down a fault quickly.

That’s all I wanted to show you today.

Classification: ADVANCED SERVICES

Posted On: 2019/02/27

M	T	W	T	F	S	S
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30

Nexus 9000 – Packet Tracer

Leave a Reply