Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
433
Views
1
Helpful
2
Replies

ELAM not triggered by paket from outside the fabric

Go to solution
nouse4it
Level 1
Level 1

‎10-02-2023 03:01 AM - edited ‎10-02-2023 03:03 AM

Hi everybody,

maybe someone here can help me understanding this.

I try to do an ELAM on one of my Leaf Nodes (93180YC-EX) with the following settings:

 

debug platform internal tah elam asic 0
trigger init in-select 6 out-select 1
set outer ipv4 dst_ip 172.28.83.18

 

 

When I do a ping from the anycast gateway of the bridge domain, to the destination IP, the ELAM is triggered and delivers informations.

When I ping from a Workstation outside of the fabric to the destination IP, ELAM is not triggered at all.

How can I do an ELAM which is triggerd by a paket coming from outside of the fabric to a destination IP which is inside the Fabric?

Thank you!

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Joseph Young
Cisco Employee
Cisco Employee

‎10-02-2023 08:06 AM - edited ‎10-02-2023 08:07 AM

Whether the ping is coming from outside of the fabric or an internal endpoint is mostly irrelevant. You just care about whether it is hitting the switch vxlan encapsulated or not.

If vxlan encapsulated use in-select 14 or 7 and match on inner headers for tenant parameters. If not encapsulated use in-select 6 and match on outer headers like you were doing.

For your example, if its not triggering there's a few possibilities - 
1. You didn't use 'trigger reset' so your additional paramters are combining with a past trigger. Always do trigger reset. For example - 

 

 

 

debug platform internal tah elam asic 0
trigger reset
trigger init in-select 6 out-select 1
set outer ipv4 dst_ip 172.28.83.18

 

 

 

2. It is not entering the fabric on this leaf. When you ping from the anycast gateway of the leaf using the iping utility, the source ptep is encoded in the iping payload because the traffic may ingress somewhere else. When a leaf gets it, if it owns the dest IP (anycast gw) then it will inspect the iping payload and forward to the real ptep if necessary. If that were happening then it could be hitting your switch vxlan encapsulated in which case you would need to use in-select 7 or 14.

3. Someone put the datacenter microwave too close to your cables  (jkjk)

This guide goes into a lot of detail - 
https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/application-policy-infrastructure-controller-apic/217995-troubleshoot-aci-intra-fabric-forwarding.html

As well as brkdcn-3900 - 
https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2023/pdf/BRKDCN-3900.pdf
(starting on slide 71)

Hope that's helpful,

Joe

View solution in original post

2 Replies 2

Go to solution
Joseph Young
Cisco Employee
Cisco Employee

‎10-02-2023 08:06 AM - edited ‎10-02-2023 08:07 AM

Whether the ping is coming from outside of the fabric or an internal endpoint is mostly irrelevant. You just care about whether it is hitting the switch vxlan encapsulated or not.

If vxlan encapsulated use in-select 14 or 7 and match on inner headers for tenant parameters. If not encapsulated use in-select 6 and match on outer headers like you were doing.

For your example, if its not triggering there's a few possibilities - 
1. You didn't use 'trigger reset' so your additional paramters are combining with a past trigger. Always do trigger reset. For example - 

 

 

 

debug platform internal tah elam asic 0
trigger reset
trigger init in-select 6 out-select 1
set outer ipv4 dst_ip 172.28.83.18

 

 

 

2. It is not entering the fabric on this leaf. When you ping from the anycast gateway of the leaf using the iping utility, the source ptep is encoded in the iping payload because the traffic may ingress somewhere else. When a leaf gets it, if it owns the dest IP (anycast gw) then it will inspect the iping payload and forward to the real ptep if necessary. If that were happening then it could be hitting your switch vxlan encapsulated in which case you would need to use in-select 7 or 14.

3. Someone put the datacenter microwave too close to your cables  (jkjk)

This guide goes into a lot of detail - 
https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/application-policy-infrastructure-controller-apic/217995-troubleshoot-aci-intra-fabric-forwarding.html

As well as brkdcn-3900 - 
https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2023/pdf/BRKDCN-3900.pdf
(starting on slide 71)

Hope that's helpful,

Joe

Go to solution
nouse4it
Level 1
Level 1

‎10-05-2023 11:10 PM

Thanks Joe!

The second point you mention was causing the problem.

There is a L3Out on another Leaf, where the paket entered the fabric AND the host I was trying to monitor was connected per VPC to this same leaf. So the paket went only to this leaf and not to the leaf I was running the ELAM on.

Thank you for your help!

0 Helpful
Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License