
Datacenter troubleshooting guide - day 3


“Datacenter troubleshooting guide” – a blog by Gilles Dufour.

Day 3 – Looking at DP info

Last week, we had a look at the command show np 1 access-list trace vlan.

This command is quite important for many reasons.

Today we will look more into it.

But first, let's talk about the ACE design.

An ACE is composed of a Control Plane (CP) and a Data Plane (DP).

The CP is responsible for all the administration tasks, like managing the configuration, sending probes, keeping the statistics, and so on.

The routing/switching and loadbalancing are done by the data plane (DP).

Therefore, when you configure a new policy to loadbalance a new service, you enter the configuration at CP level. This configuration is processed by the ACL-MERGE function in the CP and is then pushed down to the DP.

When you do a 'show run' or a 'show service-policy' you look at information inside the CP.

But when you enter a command starting with show np, you look at information from the DP itself.

Most of the time, what you have configured at CP level is reflected at DP level.

But it may occur that the acl-merge process fails for some reason, leaving you with different configurations in the CP and the DP.

This is why it is important to look at DP info.

Going back to our command show np 1 access-list trace, this is a DP command.

It will retrieve the actions that the DP will perform on your traffic.

Last week we saw the "vserver" action, which is the loadbalancing one.

But there are other possible actions.

For example, suppose you configure a parameter-map to change the idle timeout and apply it to the class:

switch/Admin(config)# policy-map multi-match SLB
switch/Admin(config-pmap)# class VIP-122-80
switch/Admin(config-pmap-c)# connection advanced-options TIMEOUT-IDLE__10_CONN

switch/Admin# show np 1 access-list trace vlan  20 in pro 6 source 192.168.20.45 0 des 192.168.20.122 80

--------------

Context ID: 0

<… ignore first part …>

action node 0x449f040
Action Leaf-node
version+aceid 0x2f8 (version 0 ace_id 760 dirty no)
action_flag 0x2 (permit yes log no punt_to_cp no capture no bridge no)
path ID 0x0
src nat 0x0 dst nat 0x0 vserver 0x51 fixup 0x0
TCP conn 0x51 AAA 0x0 Websense 0x0 QOS Policer 0x0

A new action is now visible under "TCP conn".

The parameter-map with id 81 (0x51) will be associated with this traffic.

To find out more about that parameter-map, we won't use the show cfgmgr internal table command as we did before.

Instead, we will look at this object inside DP itself.

switch/Admin(config-pmap-c)# do show np 1 me-stats "-n 81"
Conn Policy Entry at Index: 81
-------------------------------
MSS Max: 1460  MSS Min: 0
FIN Timeout: 3600 secs  Rx Buf Share: 32768
Timewait: NONE  Nagle: Disabled
EmbryTO:   5 secs  Tx Buf Share: 32768
Rnd intial Seq: yes  Slow Strt Disabled: 1
Enque Limit: 36
SYN retry Cnt: 4  WS Factor: 0
Client Keep-Alive: 1  ACK Delay TO: 200 ms
SACK enable: 1  Timestamp enable: 1
Wind Scale Enable: 1  SYN Data Allow: 0
Server Reuse Enable: 0 Wan Opt RTT:   65535

IP Opt MIN Allow: 0  IP Opt MAX Allow: 0
IP Opt Min Clear: 0  IP Opt Max Clear: 0
IP Opt Min Deny: 0  IP Max Deny: 0
IP Opt Min Cnt: 0  IP Opt Max Cnt: 0
TCP Opt Min Clear: 1  TCP _opt Max Clear: 255
TCP Opt Min Deny: 0  TCP Opt Max Deny: 0
Norm TTL: 0  Norm TOS: 0
Norm Class: 0  Norm Hop: 0
IP Len Min: 0  IP Len Max: 0
IP Len Min Deny: 0  IP Len Max Deny: 0
Reserve Bits: 0  IP TS Action: 0 IP Rec RT Action: 0
IP Strict RT act: 0 IP Loose RT Action: 0
IP Security: 0  IP Stream: 0
IP Dont Frag: 0  Exceed MSS: 1
Chksum V: 1  TTL Ev Pr: 0
Urg: 0  Win Var: 0
TTL Norm val: 0  Class Norm Val: 0
Hop Norm Val: 0  Max Connections: 0
Inactivity TO: 4294967295 secs Unidirectional: 0
Reassemble TO: 60 secs
Conn Max: 4294967295

Let's see another action.

This time, we configure source natting.

switch/Admin(config-pmap-c)# nat dynamic 1 vlan 40

Let's check the actions we have at DP level once more, after this addition to the config.

switch/Admin(config-pmap-c)# do show np 1 access-list trace vlan 20 in pro 6 source 192.168.20.45 0 des 192.168.20.122 80

--------------

Context ID: 0

<… ignore first part …>

action_flag 0x2 (permit yes log no punt_to_cp no capture no bridge no)
path ID 0x0
src nat 0x1a dst nat 0x0 vserver 0x51 fixup 0x0
TCP conn 0x51 AAA 0x0 Websense 0x0 QOS Policer 0x0
Syslog Info 0
Hitcount 0
Syslog info:

We can see that we have another action - src nat.

We can check the cfgmgr internal table and verify that this object exists:

switch/Admin(config-pmap-c)# do sho cfgmgr internal table nat

Nat-Id  Ref Count  Ctx-Id  Flags
---------------------------------------------------------------------------
26      2          0      ADDED, UPDATED, DATA_VALID,

Not very useful.

More interesting is to get the interface id with the command:

switch/Admin(config-pmap-c)# do show np 1 interface iflookup
First burnt-in MAC: 00:30:f2:75:f3:f1
Last  burnt-in MAC: 00:30:f2:75:f3:f7
No of burnt-in MACs: 7
Hostid: 2
Shared vlan macs currently in use (offset from 2048): 0-7
Vlan-vmac indexes currently in use: 0-3
Flags:  Valid shared bridged ftstatus ssl-test normalization icmp-guard switch-mode ftvlan remove-eth-pad no-of-lifs

Vlan   ifid matchid ctxt primary vvind ftgrp ttl optact df ma_idx   Flags
----   ---- ------- ---- ------- ----- ----- --- ------ -- ------   -----
1      1    1       0    1       1     100   0   2      0  512      1101000000
10     2    2       0    10      0     100   0   2      0  512      1001000000
20     5    5       0    20      2     100   0   2      0  4608     1101010000
30     3    3       0    30      0     100   0   2      0  512      1011000000
40     6    6       0    40      3     100   0   2      0  12800    1101110000
60     9    9       0    60      0     100   0   2      0  8704     1001100000
77     13   13      0    77      0     100   0   2      0  512      1001000100
330    4    4       0    330     0     100   0   2      0  512      1011000000

With the interface id (6) and the src nat action id 26 (0x1a), we can now check which natpool is going to be used by the DP:

switch/Admin(config-pmap-c)# do show np 1 nat src-nat 26 6

        ID:9 mapped_if:6 policy_id:26 ixp_hint:in IXP1 type:DYNAMIC nat_pool_id:27
                ID:27 PAT:0 ixp_binding:in IXP1
                lower:172.16.40.1 upper:172.16.40.254 Bitmap-ID:70
                Level 1 Bitmap: 0x1
                Level 2 Bitmap:

We can verify that it matches my configuration:

interface vlan 40
  ip address 192.168.40.121 255.255.255.0
  alias 192.168.40.124 255.255.255.0
  peer ip address 192.168.40.123 255.255.255.0
  access-group input PERMIT-ANY
  nat-pool 1 172.16.40.1 172.16.40.254 netmask 255.255.255.0
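The procedure above (decode the hex action ids of the leaf node, find the ifid of the NAT VLAN in the iflookup table, run the src-nat lookup, compare its pool with the interface configuration) is easy to script when you have many contexts to check. The following Python script is an added example and is not code from the post or from Cisco: it works on constructed copies of the outputs shown above (same field names, layout and ids), and it assumes only that the columns and labels keep the positions seen on this page.

```python
import re

# All sample text below is constructed for this example, modelled on the
# outputs shown in the post (same field names, layout and object ids).
TRACE_OUTPUT = """\
action node 0x449f040
Action Leaf-node
version+aceid 0x2f8 (version 0 ace_id 760 dirty no)
action_flag 0x2 (permit yes log no punt_to_cp no capture no bridge no)
path ID 0x0
src nat 0x1a dst nat 0x0 vserver 0x51 fixup 0x0
TCP conn 0x51 AAA 0x0 Websense 0x0 QOS Policer 0x0
"""

IFLOOKUP_OUTPUT = """\
Vlan   ifid matchid ctxt primary vvind ftgrp ttl optact df ma_idx   Flags
----   ---- ------- ---- ------- ----- ----- --- ------ -- ------   -----
20     5    5       0    20      2     100   0   2      0  4608     1101010000
40     6    6       0    40      3     100   0   2      0  12800    1101110000
"""

SRC_NAT_OUTPUT = """\
        ID:9 mapped_if:6 policy_id:26 ixp_hint:in IXP1 type:DYNAMIC nat_pool_id:27
                ID:27 PAT:0 ixp_binding:in IXP1
                lower:172.16.40.1 upper:172.16.40.254 Bitmap-ID:70
"""

RUNNING_CONFIG = """\
interface vlan 40
  ip address 192.168.40.121 255.255.255.0
  nat-pool 1 172.16.40.1 172.16.40.254 netmask 255.255.255.0
"""

# Action fields of the leaf node; a value of 0 means "no action of this kind".
ACTION_FIELDS = ("src nat", "dst nat", "vserver", "fixup",
                 "TCP conn", "AAA", "Websense", "QOS Policer")

def parse_action_leaf(text):
    """Return {field: decimal object id} for every action id printed in hex."""
    actions = {}
    for name in ACTION_FIELDS:
        m = re.search(re.escape(name) + r"\s+0x([0-9a-fA-F]+)", text)
        if m:
            actions[name] = int(m.group(1), 16)
    return actions

def parse_iflookup(text):
    """Map VLAN number -> DP interface id (ifid) from the iflookup table."""
    table = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[0].isdigit() and cols[1].isdigit():
            table[int(cols[0])] = int(cols[1])
    return table

def parse_dp_natpool(text):
    """(policy_id, lower, upper) from 'show np 1 nat src-nat' output."""
    pol = re.search(r"policy_id:(\d+)", text)
    rng = re.search(r"lower:(\S+)\s+upper:(\S+)", text)
    return int(pol.group(1)), rng.group(1), rng.group(2)

def parse_cp_natpool(config, vlan):
    """(lower, upper) of the nat-pool configured under 'interface vlan <vlan>'."""
    in_block = False
    for line in config.splitlines():
        if line.startswith("interface vlan "):
            in_block = int(line.split()[2]) == vlan
        elif in_block:
            m = re.match(r"\s+nat-pool \d+ (\S+) (\S+)", line)
            if m:
                return m.group(1), m.group(2)
    return None

def cross_check(trace, iflookup, src_nat_out, config, nat_vlan):
    """Walk the post's procedure and report where CP and DP agree or differ."""
    actions = parse_action_leaf(trace)
    nat_id = actions.get("src nat", 0)            # 0x1a -> 26
    ifid = parse_iflookup(iflookup).get(nat_vlan)  # vlan 40 -> ifid 6
    policy_id, lower, upper = parse_dp_natpool(src_nat_out)
    cp_pool = parse_cp_natpool(config, nat_vlan)
    return {
        "actions": actions,
        "src_nat_id": nat_id,
        # the follow-up DP command the post derives from the nat id and the ifid
        "dp_lookup_cmd": f"show np 1 nat src-nat {nat_id} {ifid}",
        # a mismatch here means the DP object is not the one the trace points at
        "dp_policy_matches": policy_id == nat_id,
        # a mismatch here is the CP/DP drift the post warns about
        "pool_matches_config": cp_pool == (lower, upper),
    }

if __name__ == "__main__":
    result = cross_check(TRACE_OUTPUT, IFLOOKUP_OUTPUT, SRC_NAT_OUTPUT,
                         RUNNING_CONFIG, 40)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real box you would paste the three show outputs and the interface section of show run into the strings; the two boolean results are the ones worth alarming on, since either being False means what the DP applies to traffic is not what the CP configuration says.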

Next week, we will look into our first layer 7 rule and how to troubleshoot common issues.

Gilles Dufour
