Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5885
Views
37
Helpful
9
Replies

Nexus 9000 Ethanalyzer DHCP

Go to solution
larriegj1
Level 1
Level 1

‎12-28-2017 08:22 AM - edited ‎03-01-2019 08:41 AM

To all experts;

 

I like to know if I can use Ethanalyzer to troubleshoot a DHCP problem, the DHCP client and server are running in a VMware machine, I am not clear if the DHCP traffic can be by visible by Ethanalyzer if it is, I appreciate if you can suggest the traffic filter that I should use. I forgot to mentioned the client and server are running on different VRFs and in order to communicate between the VRFs the traffic goes thru a firewall, I can ping and traceroute the DHCP server from the DHCP client.

 

Thanks;

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Andrea Testino
Cisco Employee
Cisco Employee
In response to larriegj1

‎12-29-2017 12:10 PM

Juan,

 

You can use "source vlan X" in your monitor session; however, note that when a VLAN is set as the source, you will only see traffic in one direction (ingress only.) My recommendation to you would be to set the source interfaces as the physical interfaces where you know the Client and Server's traffic would be ingressing/egressing.

 

Since the SPAN session is destined to the SUP, I'd also recommend you stop the monitor session once you are finished - It is rate limited to 50 pps nonetheless but it is best practice to not send traffic to the SUP if not needed.

 

To answer your other question, "sup-eth0" is the SUP inband interface. This is what allows to replicate data-plane traffic to the SUP so you can review it with Ethanalyzer.

 

Hope that helps!

 

- Andrea

- Andrea, CCIE #56739 R&S

View solution in original post

9 Replies 9

Go to solution
Andrea Testino
Cisco Employee
Cisco Employee

‎12-29-2017 06:44 AM

Hi there,

 

Ethanalyzer is typically for control-plane traffic only (traffic destined to/from the switch). Since your DHCP Server and Clients are hosted on VMs, traffic between them would technically be classified as data-plane (traffic traversing the switch). However; there are a couple of "tricks" on some Nexus 9000 models that you can use to mirror or SPAN data-plane traffic and see it represented in Ethanalyzer. 

 

Could you share a "show module" from your Nexus 9000? Once I see what model and NX-OS you are running, I'd be able to best advice you.

 

Thanks!

 

- Andrea

- Andrea, CCIE #56739 R&S

Go to solution
larriegj1
Level 1
Level 1
In response to Andrea Testino

‎12-29-2017 08:12 AM

Hi Andrea;

 

Thanks for your reply to my question, here is the display of the "show module"

Mod Ports             Module-Type                       Model          Status
--- ----- ------------------------------------- --------------------- ---------
1    54   48x10/25G + 6x40/100G Ethernet Module N9K-C93180YC-EX       active * 

Mod  Sw                Hw     Slot
---  ----------------  ------ ----
1    7.0(3)I4(5)       2.0    NA 


Mod  MAC-Address(es)                         Serial-Num
---  --------------------------------------  ----------
1    f8-0b-cb-53-20-40 to f8-0b-cb-53-20-8f  FDO21050JBH

Mod  Online Diag Status
---  ------------------
1    Pass

* this terminal session

 

 

Thanks;

 

Juan

0 Helpful

Go to solution
Andrea Testino
Cisco Employee
Cisco Employee
In response to larriegj1

‎12-29-2017 09:07 AM

Hi Juan,

 

For the Nexus 93180YC-EX, there's a built-in option to replicate data-plane traffic and view it in Ethanalyzer - Here's an example configuration:

 

monitor session 1 
  description Support Example
  source interface port-channel1 both
  destination interface sup-eth0

With the above, I can then see traffic traversing to/from Po1 with Ethanalyzer. The filter you are looking for DHCP is "bootp".

 

ethanalyzer local interface inband mirror display-filter bootp limit-c 0

You can of course add more criteria to the display-filter so the capture isn't as noisy; for example:

 

ethanalyzer local interface inband mirror display-filter "bootp && ip.addr==1.1.1.1" limit-c 0

Note: 

  • SPAN packets to the CPU are rate limited and are dropped in the inband path. You can change the rate limit using the hardware rate-limiter span command. You can analyze SPAN copies on the supervisor using the ethanalyzer local interface inband mirror detail command.

Hope that helps. 

 

- Andrea

- Andrea, CCIE #56739 R&S

Go to solution
larriegj1
Level 1
Level 1
In response to Andrea Testino

‎12-29-2017 11:20 AM

Hi Andrea;

 

Thank you for your prompt response.

 

I have a couple of questions, can I use VLAN xx on the monitor session instead a physical interface? our DCHP client and server are defined as part of a VLAN interface.  is Port-channel1 in your sample is the connection to the DHCP server?

 

My other question is: do I need to stop the monitor session or will it be Okay to keep the monitor configuration on the Nexus?

 

Thanks again;

 

Juan

0 Helpful

Go to solution
larriegj1
Level 1
Level 1
In response to larriegj1

‎12-29-2017 11:27 AM

Hi Andrea;

 

I am sorry, I forgot to ask, how is interface sup-eth0 use?

 

Thanks;

 

Juan

0 Helpful

Go to solution
Andrea Testino
Cisco Employee
Cisco Employee
In response to larriegj1

‎12-29-2017 12:10 PM

Juan,

 

You can use "source vlan X" in your monitor session; however, note that when a VLAN is set as the source, you will only see traffic in one direction (ingress only.) My recommendation to you would be to set the source interfaces as the physical interfaces where you know the Client and Server's traffic would be ingressing/egressing.

 

Since the SPAN session is destined to the SUP, I'd also recommend you stop the monitor session once you are finished - It is rate limited to 50 pps nonetheless but it is best practice to not send traffic to the SUP if not needed.

 

To answer your other question, "sup-eth0" is the SUP inband interface. This is what allows to replicate data-plane traffic to the SUP so you can review it with Ethanalyzer.

 

Hope that helps!

 

- Andrea

- Andrea, CCIE #56739 R&S

Go to solution
larriegj1
Level 1
Level 1

‎12-29-2017 01:16 PM

Thank Andrea, I really appreciate your expertise on this subject matter and your prompt replies.

0 Helpful

Go to solution
JPavonM
VIP
VIP

‎05-08-2024 06:26 AM

Hi community, allow me to re-open this old thread.

The workaround to capture DHCP packets on N9k is not working for me. I created the monitor session for ports where the DHCP server are connected to, with destinatio SUP, and then enabled the ethanalyzer with mirror feature but I do not see them coming, and if anything is shown, I only receive DHCP Discoveries.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to JPavonM

‎05-08-2024 06:28 AM

Make new post it is better 

MHM

0 Helpful
Customers Also Viewed These Support Documents