12-28-2017 08:22 AM - edited 03-01-2019 08:41 AM
To all experts;
I like to know if I can use Ethanalyzer to troubleshoot a DHCP problem, the DHCP client and server are running in a VMware machine, I am not clear if the DHCP traffic can be by visible by Ethanalyzer if it is, I appreciate if you can suggest the traffic filter that I should use. I forgot to mentioned the client and server are running on different VRFs and in order to communicate between the VRFs the traffic goes thru a firewall, I can ping and traceroute the DHCP server from the DHCP client.
Thanks;
Solved! Go to Solution.
12-29-2017 12:10 PM
Juan,
You can use "source vlan X" in your monitor session; however, note that when a VLAN is set as the source, you will only see traffic in one direction (ingress only.) My recommendation to you would be to set the source interfaces as the physical interfaces where you know the Client and Server's traffic would be ingressing/egressing.
Since the SPAN session is destined to the SUP, I'd also recommend you stop the monitor session once you are finished - It is rate limited to 50 pps nonetheless but it is best practice to not send traffic to the SUP if not needed.
To answer your other question, "sup-eth0" is the SUP inband interface. This is what allows to replicate data-plane traffic to the SUP so you can review it with Ethanalyzer.
Hope that helps!
- Andrea
12-29-2017 06:44 AM
Hi there,
Ethanalyzer is typically for control-plane traffic only (traffic destined to/from the switch). Since your DHCP Server and Clients are hosted on VMs, traffic between them would technically be classified as data-plane (traffic traversing the switch). However; there are a couple of "tricks" on some Nexus 9000 models that you can use to mirror or SPAN data-plane traffic and see it represented in Ethanalyzer.
Could you share a "show module" from your Nexus 9000? Once I see what model and NX-OS you are running, I'd be able to best advice you.
Thanks!
- Andrea
12-29-2017 08:12 AM
Hi Andrea;
Thanks for your reply to my question, here is the display of the "show module"
Mod Ports Module-Type Model Status
--- ----- ------------------------------------- --------------------- ---------
1 54 48x10/25G + 6x40/100G Ethernet Module N9K-C93180YC-EX active *
Mod Sw Hw Slot
--- ---------------- ------ ----
1 7.0(3)I4(5) 2.0 NA
Mod MAC-Address(es) Serial-Num
--- -------------------------------------- ----------
1 f8-0b-cb-53-20-40 to f8-0b-cb-53-20-8f FDO21050JBH
Mod Online Diag Status
--- ------------------
1 Pass
* this terminal session
Thanks;
Juan
12-29-2017 09:07 AM
Hi Juan,
For the Nexus 93180YC-EX, there's a built-in option to replicate data-plane traffic and view it in Ethanalyzer - Here's an example configuration:
monitor session 1 description Support Example source interface port-channel1 both destination interface sup-eth0
With the above, I can then see traffic traversing to/from Po1 with Ethanalyzer. The filter you are looking for DHCP is "bootp".
ethanalyzer local interface inband mirror display-filter bootp limit-c 0
You can of course add more criteria to the display-filter so the capture isn't as noisy; for example:
ethanalyzer local interface inband mirror display-filter "bootp && ip.addr==1.1.1.1" limit-c 0
Note:
SPAN packets to the CPU are rate limited and are dropped in the inband path. You can change the rate limit using the hardware rate-limiter span command. You can analyze SPAN copies on the supervisor using the ethanalyzer local interface inband mirror detail command.
Hope that helps.
- Andrea
12-29-2017 11:20 AM
Hi Andrea;
Thank you for your prompt response.
I have a couple of questions, can I use VLAN xx on the monitor session instead a physical interface? our DCHP client and server are defined as part of a VLAN interface. is Port-channel1 in your sample is the connection to the DHCP server?
My other question is: do I need to stop the monitor session or will it be Okay to keep the monitor configuration on the Nexus?
Thanks again;
Juan
12-29-2017 11:27 AM
Hi Andrea;
I am sorry, I forgot to ask, how is interface sup-eth0 use?
Thanks;
Juan
12-29-2017 12:10 PM
Juan,
You can use "source vlan X" in your monitor session; however, note that when a VLAN is set as the source, you will only see traffic in one direction (ingress only.) My recommendation to you would be to set the source interfaces as the physical interfaces where you know the Client and Server's traffic would be ingressing/egressing.
Since the SPAN session is destined to the SUP, I'd also recommend you stop the monitor session once you are finished - It is rate limited to 50 pps nonetheless but it is best practice to not send traffic to the SUP if not needed.
To answer your other question, "sup-eth0" is the SUP inband interface. This is what allows to replicate data-plane traffic to the SUP so you can review it with Ethanalyzer.
Hope that helps!
- Andrea
12-29-2017 01:16 PM
Thank Andrea, I really appreciate your expertise on this subject matter and your prompt replies.
05-08-2024 06:26 AM
Hi community, allow me to re-open this old thread.
The workaround to capture DHCP packets on N9k is not working for me. I created the monitor session for ports where the DHCP server are connected to, with destinatio SUP, and then enabled the ethanalyzer with mirror feature but I do not see them coming, and if anything is shown, I only receive DHCP Discoveries.
05-08-2024 06:28 AM
Make new post it is better
MHM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide