Using the S/N/K-Series Router Debug Packet Filter to locate a Soft-forwarded Packet

  • Updated 5 years ago
Article ID: 14661 

Products
S-Series, all firmware
Matrix N-Series DFE, firmware 6.01.01.0020 and higher
K-Series, all firmware 

Discussion
The router "Debug IP/Packet" feature logs information about packets that are being processed through the router soft-path (rather than routed in hardware), and can be used to notify when frames that match a user-defined signature are processed. 

Here are the high-level options available in router configuration mode (with N-Series f/w 7.62.01.0007): 
N3(su)->router
N3(su-router)->configure
N3(su-router-config)->debug ?
ip                debug ip applications
packet            generic packet monitor
crypto            debug crypto applications
N3(su-router-config)->debug ip ?
bgp               Border Gateway Protocol
ospf              Open Shortest Path First
vrrp              debug vrrp
N3(su-router-config)->debug packet ?
show-statistics   Show global router statistics
clear-statistics  Clear global router statistics
filter            Configure filters for packet monitor in current vrf
stop              Stop the debug IP packet utility
restart           Restart the debug IP packet utility
control           Specify throttle, limit and/or verbose
N3(su-router-config)->debug crypto ?
isakmp            debug isakmp
N3(su-router-config)->

One example of the use of this command set is with the 'debug packet filter' command. This can come in handy, because sometimes the host complex of the switch does not allow a hardware-based flow to occur. There could be a multitude of reasons for this, such as sending to a specific but unlearned MAC address. The lack of a hardware flow means that the MAC address will not appear in the output of certain more common commands, such as 'show mac' or 'show nodealias'. In these instances, using 'debug packet filter' on the source or destination MAC will help to discover why it's not being reported elsewhere. 

The output of these commands goes to syslog, so if you are connected to the device via Telnet or SSH, use the 'set logging here enable' (5569) command to make the current session (but not all Telnet/SSH sessions) print syslog messages to the screen. 

This sample command sequence features output for a port which was disabled administratively (first message), then re-enabled (second message). Note that link does not drop unless the 'set forcelinkdown enable' (5277) command is active also. 
N3(su-router-config)->debug packet filter ?
vlan-in-list      VLAN ID or range of IDs (1-4094)
vlan-out-list     VLAN ID or range of IDs (1-4094)
port-in-list      Interface selection, 'media.slot.port' format
port-out-list     Interface selection, 'media.slot.port' format
src-mac           48-bit hardware address of source
dest-mac          48-bit hardware address of destination
etype             ether type number in hex, ex. 800
access-list       Access list to filter IPv4 or IPv6 packets
arp               ARP with IP network addr to filter packets

N3(su-router-config)->debug packet filter src-mac ?
MAC address
N3(su-router-config)->debug packet filter src-mac 00-14-22-d6-b4-02 ?
vlan-in-list      VLAN ID or range of IDs (1-4094)
vlan-out-list     VLAN ID or range of IDs (1-4094)
port-in-list      Interface selection, 'media.slot.port' format
port-out-list     Interface selection, 'media.slot.port' format
dest-mac          48-bit hardware address of destination
etype             ether type number in hex, ex. 800
access-list       Access list to filter IPv4 or IPv6 packets
arp               ARP with IP network addr to filter packets

N3(su-router-config)->set logging here enable
Logging here has been enabled for server 5.
N3(su-router-config)->debug packet filter src-mac 00-14-22-d6-b4-02

<165>May 16 19:17:06 0.0.0.0 DbgIpPkt[1][5],
RECEIVE: ARP request, on ge.1.101,
FATE: Forwarding discontinued, Discard all pkts, cause: PORT_DISABLED,
flow disallowed,
PKT-ORIG: InPort(ge.1.101) LEN(64) DA(FF:FF:FF:FF:FF:FF)
SA(00:14:22:D6:B4:02) ETYPE(0806) SIP(10.26.192.202) DIP(10.26.192.1)
.
<165>May 16 19:17:22 0.0.0.0 DbgIpPkt[1][10],
RECEIVE: on ge.1.101, vlan 1,
FATE: out port ge.1.104, vlan 1, flow allowed,
PKT-ORIG: InPort(ge.1.101) LEN(66) DA(00:11:88:05:5F:CD)
SA(00:14:22:D6:B4:02) ETYPE(0800) SIP(10.26.192.202) DIP(63.80.138.75) VER(4)
HLEN(5) TOTALLEN(48) PROTO(6) TOS(0) TTL(128) TCP_DST(80) TCP_SRC(2052)
.
debug packet stop
N3(su-router-config)->exit
N3(su-router)->exit
N3(su)->
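
When these messages are sent to a syslog collector rather than read on screen, the wrapped DbgIpPkt records can be reassembled and searched for flows the router refused. The following is an added example, not part of the original article or any vendor tool; the function names are hypothetical, and it assumes each record ends with a line containing only "." as in the output above.

```python
import re

# The two DbgIpPkt records from the session above, retyped as sample input
# (the "V ER(4)" extraction break is written as VER(4)).
SAMPLE = """\
<165>May 16 19:17:06 0.0.0.0 DbgIpPkt[1][5],
RECEIVE: ARP request, on ge.1.101,
FATE: Forwarding discontinued, Discard all pkts, cause: PORT_DISABLED,
flow disallowed,
PKT-ORIG: InPort(ge.1.101) LEN(64) DA(FF:FF:FF:FF:FF:FF)
SA(00:14:22:D6:B4:02) ETYPE(0806) SIP(10.26.192.202) DIP(10.26.192.1)
.
<165>May 16 19:17:22 0.0.0.0 DbgIpPkt[1][10],
RECEIVE: on ge.1.101, vlan 1,
FATE: out port ge.1.104, vlan 1, flow allowed,
PKT-ORIG: InPort(ge.1.101) LEN(66) DA(00:11:88:05:5F:CD)
SA(00:14:22:D6:B4:02) ETYPE(0800) SIP(10.26.192.202) DIP(63.80.138.75) VER(4)
HLEN(5) TOTALLEN(48) PROTO(6) TOS(0) TTL(128) TCP_DST(80) TCP_SRC(2052)
.
"""
HEADER = re.compile(r"^<\d+>(\w{3}\s+\d+ [\d:]+) \S+ DbgIpPkt\[\d+\]\[\d+\],")
FIELD = re.compile(r"(\w+)\(([^)]*)\)")   # NAME(value) pairs in PKT-ORIG

def parse_records(text):
    """Split syslog text into one dict per DbgIpPkt record."""
    records, when, lines = [], None, []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:                                   # a new record starts
            when, lines = m.group(1), []
        elif when is not None and line == ".":  # record terminator
            records.append(_build(when, " ".join(lines)))
            when = None
        elif when is not None:                  # wrapped continuation line
            lines.append(line)
    return records

def _build(when, body):
    head, _, pkt = body.partition("PKT-ORIG:")
    receive, _, fate = head.partition("FATE:")
    cause = re.search(r"cause: (\w+)", fate)
    return {"time": when, "receive": receive.replace("RECEIVE:", "").strip(" ,"),
            "fate": fate.strip(" ,"), "cause": cause.group(1) if cause else None,
            "allowed": re.search(r"\bflow allowed\b", fate) is not None,
            "pkt": dict(FIELD.findall(pkt))}

def discarded(records):
    """(time, source MAC, ingress port, cause) for every flow the router refused."""
    return [(r["time"], r["pkt"].get("SA"), r["pkt"].get("InPort"), r["cause"])
            for r in records if not r["allowed"]]
```

Calling discarded(parse_records(SAMPLE)) returns only the first record, with cause PORT_DISABLED on ge.1.101.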

For more detail, please consult the Configuration Guide and CLI Reference Guide for your product and firmware version.
See also: 14495.
See also this HowTo Video which demonstrates use of the "Debug IP/Packet" feature.
FAQ User, Official Rep

Posted 5 years ago
