How to debug a TCAM switch on 877W?

Alex Mac · ‎02-25-2012

Hi folks,

my question is all in the subject.

Background.

I've created a BVI2 where I bridged dot11 0.2 and vlan2 in order to have wired and wireless clients in the same vlan.

Some wired client are not reachable from the lan. Wireless clients have no pbl in reaching each other.

How I narrowed down the problem:

Monitoring a MAC address that is supposed to be behind the FA2 I have noticed that it moves to vlan2 when in fact it should be behind the FA2.

Of course when "show mac-address-table" says it is behind Fa2 the ping to that MAC address works whereas when the TCAM reports it is behind vlan2 it doesn't. Once the MAC address is behind the vlan2 if I clear the mac-address-table and that mac-address is still put behinf Fa2 then the pings works again, sometime I have to perform twice the clear command before the MAC address goes back to the right location.

I'd like to understand why the router moves that MAC address from Fa2 to vlan2 and that's the reason for my question in the subject.

I don't have any problems for port Fa0 and Fa1.

"Show int fa2" doesn't show any problem/errors or the likes.

BTW even if I force that MAC address to be statically behind FA2 the ping works fine but then stops and if I do "show mac-add" the static entry for it is still there... so looks like there us something that overrides that static entry. If clear everything and I have the mac-address be behind Fa2 then everything starts to work again. I used Fa3 instead of Fa2 and I get the same results.

Knowing what happens at TCAM level and why would be really precious.

IOS: c870-advipservicesk9-mz.151-3.T1.bin

Thanks in advance,

Alessandro

johnlloyd_13 · ‎03-01-2012

hi alessandro,

is your FE2 interface configured to be under VLAN 2?

could you try issuing the "debug condition mac-address" command?

Alex Mac · ‎03-01-2012

Hi John,

thanks for your interest on this.

The interface Fa2 is under VLAN 2.

I issued the debug you gave me:

Router#debug condition mac-address 001b.fc45.2e58

Condition 4 set

and

Router#sh debug

Condition 1: interface Fa2 (1 flags triggered)

Flags: Fa2

Condition 2: interface Vl2 (1 flags triggered)

Flags: Vl2

Condition 3: interface BV2 (1 flags triggered)

Flags: BV2

Condition 4: mac-address 001b.fc45.2e58 (0 flags triggered)

I keep seeing the flap of the MAC address however I don't see any debug message.

I've notice that there is a pattern in the flaps meaning that, when I ping the host, 5 pings are successful and then 5,6 or 7 fail.

This is not strict, meaning that sometimes the succesfull pings can last for more and the series of failed ones can last for more but what I said above is true 95% of the time.

I don't think is STP because the device is attached only through port Fa2.

I see "Condition 4 set"... do I have then to enable the true debug after the conditions are set?

Many thanks,

Alex

johnlloyd_13 · ‎03-02-2012

Hi Alex,

I tried to run the same debug command on one of our 877 and it doesn't show the same symptom. The MAC address attached on the FE interface stayed on that port.

Could you post your show run (omit sensitve info) and a diagram of your network topology?

Sent from Cisco Technical Support iPhone App

Alex Mac · ‎03-02-2012

Hi John,

I'll gather it asap. Meanwhile I'd like to understand if what you suggested me to do is the really debug or just a constraint to limit the putput of a real debug command. Getting "condition set" looks like setting a constraint but not running a true debug command. I think the conditional debug is used when the amount of log lines can overwhelm the router. In my case with all the debugs I enabled I didn't get any single line that could have given to me info on what's going on my swith-side of the router.

I'm gonna collect the sh run.

Alex

Alex Mac · ‎03-25-2012

Hi all,

eventually I discovered that the command

bridge-group 2 subscriber-loop-control

was enabled on the vlan 2 interface.

After removing it everything started to work like a charm

interface Dot11Radio0.2

encapsulation dot1Q 2 native

bridge-group 2

bridge-group 2 subscriber-loop-control

bridge-group 2 spanning-disabled

bridge-group 2 block-unknown-source

no bridge-group 2 source-learning

no bridge-group 2 unicast-flooding

end

interface Vlan2

description Internal VLAN

no ip address

bridge-group 2

end

interface BVI2

ip address 10.38.65.14 255.255.255.240

ip virtual-reassembly in

ip tcp adjust-mss 1350

end

bridge irb

bridge 2 route ip

My understanding that such command is needed on wireless interface but not on wired ones.

Thanks all for the help.

Alex