10-02-2023 03:01 AM - edited 10-02-2023 03:03 AM
Hi everybody,
maybe someone here can help me understand this.
I try to do an ELAM on one of my Leaf Nodes (93180YC-EX) with the following settings:
debug platform internal tah elam asic 0
trigger init in-select 6 out-select 1
set outer ipv4 dst_ip 172.28.83.18
When I do a ping from the anycast gateway of the bridge domain to the destination IP, the ELAM is triggered and delivers information.
When I ping from a Workstation outside of the fabric to the destination IP, ELAM is not triggered at all.
How can I do an ELAM which is triggered by a packet coming from outside of the fabric to a destination IP which is inside the fabric?
Thank you!
10-02-2023 08:06 AM - edited 10-02-2023 08:07 AM
Whether the ping is coming from outside of the fabric or an internal endpoint is mostly irrelevant. You just care about whether it is hitting the switch vxlan encapsulated or not.
If vxlan encapsulated use in-select 14 or 7 and match on inner headers for tenant parameters. If not encapsulated use in-select 6 and match on outer headers like you were doing.
For your example, if it's not triggering there's a few possibilities -
1. You didn't use 'trigger reset' so your additional parameters are combining with a past trigger. Always do trigger reset. For example -
debug platform internal tah elam asic 0
trigger reset
trigger init in-select 6 out-select 1
set outer ipv4 dst_ip 172.28.83.18
2. It is not entering the fabric on this leaf. When you ping from the anycast gateway of the leaf using the iping utility, the source ptep is encoded in the iping payload because the traffic may ingress somewhere else. When a leaf gets it, if it owns the dest IP (anycast gw) then it will inspect the iping payload and forward to the real ptep if necessary. If that were happening then it could be hitting your switch vxlan encapsulated in which case you would need to use in-select 7 or 14.
3. Someone put the datacenter microwave too close to your cables
This guide goes into a lot of detail -
https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/application-policy-infrastructure-controller-apic/217995-troubleshoot-aci-intra-fabric-forwarding.html
As well as brkdcn-3900 -
https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2023/pdf/BRKDCN-3900.pdf
(starting on slide 71)
Hope that's helpful,
Joe
10-05-2023 11:10 PM
Thanks Joe!
The second point you mention was causing the problem.
There is a L3Out on another Leaf, where the packet entered the fabric AND the host I was trying to monitor was connected per VPC to this same leaf. So the packet went only to this leaf and not to the leaf I was running the ELAM on.
Thank you for your help!