Re: traceroute on cisco ACI

muhammadm · ‎01-06-2018

Hi

Based on my test on ACI, itraceroute command on the ACI is to find multiple paths to a destination leaf from the current leaf. And the usual command "traceroute" to find the external destination is not seems to be functional. Is there any option on the ACI to do traceroute to an IP which is routed externally to the ACI fabric.

Appreciate help on this.

leaf1# show ip route vrf DOP:AD1
IP Route Table for VRF "DOP:AD1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

1.1.1.1/32, ubest/mbest: 2/0, attached, direct
*via 1.1.1.1, lo2, [1/0], 02w15d, local, local
*via 1.1.1.1, lo2, [1/0], 02w15d, direct
2.2.2.2/32, ubest/mbest: 1/0
*via 10.0.8.93%overlay-1, [1/0], 02w15d, bgp-200, internal, tag 200
10.10.10.10/32, ubest/mbest: 1/0
*via 172.168.1.3, vlan27, [110/5], 02w15d, ospf-default, intra
172.168.1.0/29, ubest/mbest: 1/0, attached, direct
*via 172.168.1.1, vlan27, [1/0], 02w15d, direct
172.168.1.1/32, ubest/mbest: 1/0, attached
*via 172.168.1.1, vlan27, [1/0], 02w15d, local, local
192.168.168.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 10.0.232.64%overlay-1, [1/0], 02w15d, static
192.168.168.1/32, ubest/mbest: 1/0, attached, pervasive
*via 192.168.168.1, vlan25, [1/0], 02w15d, local, local
leaf1# traceroute 10.10.10.10
traceroute to 10.10.10.10 (10.10.10.10), 64 hops max
1 192.168.10.254 (192.168.10.254) 0.538ms 0.463ms 0.459ms
2 172.16.100.1 (172.16.100.1) 0.708ms 0.686ms 0.635ms
3 * * *
4 * * *

regards

Muhammad M

Manuel Velasco · ‎01-09-2018

Hi Muhammad,

When you run the traceroute command on the ACI leaf, it runs under the mgmt VRF. Unfortunately, there is not an option to specify the VRF for this command(see below)

leaf2# traceroute --help
Usage: traceroute [OPTION...] HOST
Print the route packets trace to network host.

-M, --type=METHOD use METHOD (`icmp' or `udp') for traceroute
operations
-p, --port=PORT use destination PORT port (default: 33434)
-q, --tries=NUM send NUM probe packets per hop (default: 3)
--resolve-hostnames resolve hostnames
-?, --help give this help list
--usage give a short usage message
-V, --version print program version

Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.

Report bugs to <bug-inetutils@gnu.org>.
fab1-leaf2# traceroute --usage
Usage: traceroute [-?V] [-M METHOD] [-p PORT] [-q NUM] [--type=METHOD]
[--port=PORT] [--tries=NUM] [--resolve-hostnames] [--help]
[--usage] [--version] HOST

muhammadm · ‎01-09-2018

Hi Manual Valesco,

Thanks for pitching on this, but just wondering you had any try with these options.

As I mentioned in the initial thread. I already tried with an outiside reachable IP ( learned via OSPF) but I dont see traceroute is hitting that path. ( If you missed, I already added the output there in the post)

The network : 10.10.10.10 is learned via ospf from outside next hop.

leaf1# show ip route vrf DOP:AD1
IP Route Table for VRF "DOP:AD1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

1.1.1.1/32, ubest/mbest: 2/0, attached, direct
*via 1.1.1.1, lo2, [1/0], 02w18d, local, local
*via 1.1.1.1, lo2, [1/0], 02w18d, direct
2.2.2.2/32, ubest/mbest: 1/0
*via 10.0.8.93%overlay-1, [1/0], 02w18d, bgp-200, internal, tag 200
10.10.10.10/32, ubest/mbest: 1/0
*via 172.168.1.3, vlan27, [110/5], 02w18d, ospf-default, intra
172.168.1.0/29, ubest/mbest: 1/0, attached, direct
*via 172.168.1.1, vlan27, [1/0], 02w18d, direct
172.168.1.1/32, ubest/mbest: 1/0, attached
*via 172.168.1.1, vlan27, [1/0], 02w18d, local, local
192.168.168.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 10.0.232.64%overlay-1, [1/0], 02w18d, static
192.168.168.1/32, ubest/mbest: 1/0, attached, pervasive
*via 192.168.168.1, vlan25, [1/0], 02w18d, local, local

IP details shows it learned from vlan 27

===============================

leaf1# show ip int brief vrf DOP:AD1
IP Interface Status for VRF "DOP:AD1"(6)
Interface Address Interface Status
vlan25 192.168.168.1/24 protocol-up/link-up/admin-up
vlan27 172.168.1.1/29 protocol-up/link-up/admin-up
lo2 1.1.1.1/32 protocol-up/link-up/admin-up

leaf1#

ping to the IP is successful

=====================

leaf1# iping -V DOP:AD1 10.10.10.10
PING 10.10.10.10 (10.10.10.10) from 172.168.1.1: 56 data bytes
64 bytes from 10.10.10.10: icmp_seq=0 ttl=255 time=2.348 ms
64 bytes from 10.10.10.10: icmp_seq=1 ttl=255 time=2.065 ms
64 bytes from 10.10.10.10: icmp_seq=2 ttl=255 time=2.074 ms
^C
--- 10.10.10.10 ping statistics ---
3 packets transmitted, 3 packets received, 0.00% packet loss
round-trip min/avg/max = 2.065/2.162/2.348 ms

But when you do traceroute it is not taking the destination path !!!!!!!!!!!!!!!!!

leaf1# traceroute 10.10.10.10
traceroute to 10.10.10.10 (10.10.10.10), 64 hops max
1 192.168.10.254 (192.168.10.254) 0.583ms 0.458ms 0.477ms
2 172.16.100.1 (172.16.100.1) 0.732ms 0.673ms 0.709ms
3 * * *
4 * * *
5 * * *
^C
leaf1#

As it looks like you work for Cisco, maybe you will be able to do some testing and guide on this.

regards

Muhammad M

muhammadm · ‎01-09-2018

So looks like there is NO option to do traceroute outside l3 network for non-managment VRF in ACI so far !!!!!!!!!! super WIERED

Manuel Velasco · ‎01-09-2018

Yes traceroute only works on the management vrf.

andreas.blum · ‎04-19-2023

try 'itraceroute'
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/3-x/cli/inxos/13x/b_ACI_Switch_Command_Ref_13x/b_ACI_Switch_Command_Ref_13x_chapter_0111.pdf

ibbyvk · ‎10-12-2023

Wow! It works on a leaf using aci-n9000-dk9.14.2.7s.bin

itraceroute external 1.2.3.4 vrf TenantName:VRFname payload 20

That worked for me but make sure you don't use CAPS at all in the command structure. I accidentally typed 'VRF' and the whole command failed. Lowercase worked.