Masoud

arumugasamy · ‎12-08-2015

switch 3850 - how to troubleshoot the packets traversing the switch from one vlan to another vlan.

When I created the access-list and use the debud ip packet detail acl then I can not see the traversing traffic. source going to destination via the switch not the source accessing the switch itself.

Do we need to disable the fast switching (enable process switching) then do the debug.

Pls help me with the cmds

Thanks

Masoud Pourshabanian · ‎12-08-2015

Hello,

Yes, you need to disable fast switching, but it should be temporary, because it reduces your device performance.

The command is

no ip route-cache

The better way to inspect the traffic is using wireshark in your network.

Masoud

arumugasamy · ‎12-08-2015

Masoud

I need to trace the packets from vlan 101 to vlan 99 in 3850 switch. I can ping the vlan 99 SVI from the PC in 101 vlan but I can not ping the other end ASA firewall inside IP address in the same vlan 99. example :

ping 172.21.17.10 --------------- SVI 99 vlan of switch 3850 --- OK

ping 172.21.17.14 ----------------ASA inside interface IP connected to the same vlan 99.Not ok

ASA # debug icmp trace shows 172.21.17.14 sending the reply but the client behind the vlan 101 not getting it. It happend to only 2 IP addresses in the vlan 101 (172.21.11.111 and 172.21.11.121)

This IP address (172.21.11.111, 172.21.11.121 in vlan 101) configured on POS (Point of sale machines) was working some time before but suddently now not ping out of core switch.We can ping other vlan SVI IP and other vlan PCs but not reaching out of Core switch. Today plaining to reboot the 3850 switch suspect bugs in the 3850.

Note : I last day during troubleshooting the issue, disable the fast switching on both vlan 101 and 99 SVI interface then

Created the acl source 172.21.11.111 and dst 172.21.17.14

then debug ip packet detail acl

debug ip icmp

debug ip routing

in the 3850

but I can not see the packets in switch console.

Ganesh Hariharan · ‎12-08-2015

Hello,

For troubleshooting purpose such as debugging and packet-level tracing, you will need to disable fast switching. Disabling fast switching causes the device to fall back to process switching the packets. If fast switching is running, you might only see the first packet to each destination in the output of any packet-level debugging commands.

There would be degrade in perfomance as turning off fast switching increases system overhead because the packets will be process switched by the system's CPU.

no ip route-cache

Hope it Helpss..

-GI

arumugasamy · ‎12-08-2015

Ganesh,

I need to trace the packets from vlan 101 to vlan 99 in 3850 switch. I can ping the vlan 99 SVI from the PC in 101 vlan but I can not ping the other end ASA firewall inside IP address in the same vlan 99. example :

ping 172.21.17.10 --------------- SVI 99 vlan of switch 3850 --- OK

ping 172.21.17.14 ----------------ASA inside interface IP connected to the same vlan 99.Not ok

ASA # debug icmp trace shows 172.21.17.14 sending the reply but the client behind the vlan 101 not getting it. It happend to only 2 IP addresses in the vlan 101 (172.21.11.111 and 172.21.11.121)

This IP address (172.21.11.111, 172.21.11.121 in vlan 101) configured on POS (Point of sale machines) was working some time before but suddently now not ping out of core switch.We can ping other vlan SVI IP and other vlan PCs but not reaching out of Core switch. Today plaining to reboot the 3850 switch suspect bugs in the 3850.

Note : I last day during troubleshooting the issue, disable the fast switching on both vlan 101 and 99 SVI interface then

Created the acl source 172.21.11.111 and dst 172.21.17.14

then debug ip packet detail acl

debug ip icmp

debug ip routing

in the 3850

but I can not see the packets in switch console.