Troubleshooting with a NETDR capture on a sup720/6500
A netdr capture is preformed on the MSFC CPU controller. This is the closest location you can capture a packet on the MSFC in order to determine why traffic is being punted to the SP OR RP CPU on the MSFC. With a Sup720 or Sup32 it allows one to capture packets on the RP or SP inband. The netdr command can be used to capture both Tx and Rx packets in the software-switching path.
Cat6500#debug netdr capture ?
acl (11) Capture packets matching an acl
and-filter (3) Apply filters in an and function: all must match
destination-ip-address (10) Capture all packets matching ip dst address
dstindex (7) Capture all packets matching destination index
ethertype (8) Capture all packets matching ethertype
interface (4) Capture packets related to this interface
or-filter (3) Apply filters in an or function: only one must match
rx (2) Capture incoming packets only
source-ip-address (9) Capture all packets matching ip src address
srcindex (6) Capture all packets matching source index
tx (2) Capture outgoing packets only
vlan (5) Capture packets matching this vlan number
·Using the continuous option, the switch will capture packets on the RP-inband continuously fill the entire capture buffer (4096 packets) and then start to overwrite the buffer in a FIFO fashion.
·The tx and rx options will capture packets coming from the MSFC and going to the MSFC respectively.
·The and-filter and the or-filter specify that an and or an or will be applied respectively to all of the options that follow. For example, if you use the syntax below, then both option #1 and option #2 must match for the packet to be captured. Similarly, if the or-filter is used either option #1 or option #2 or both must match for the packet to be captuered.
odebug netdr and-filter option#1option#2
·The interface option is used to capture packets to or from the specified interface. The interface can be either an SVI or a L3 interface on the switch.
·The vlan option is used to capture all packets in the specified VLAN. The VLAN specified can also be one of the internal VLANs associated with a L3 interface.
·The srcindex and dstindex options are used to capture all packets matching the source ltl and destination ltl indices respectively. Note that the interface option above only allows the capture of packets to or from a L3 interface (SVI or physical). Using the srcindex or dstindex options allows the capture of Tx or Rx packets on a given L2 interface. The srcindex and dstindex options work with either L2 or L3 interface indices.
·The ethertype option allows the capture of all packets matching the specified ethertype.
·The source-ip-address and destination-ip-address options allow the capture of all packets matching the specified source or destination IP address respectively.
Example of Netdr and Interpreting the data:
Below is an example of capturing traffic destined to 10.100.101.10 sourced from 10.10.10.2 going to the RP CPU:
6500-2#debug netdr cap rx and-filter source-ip-address 10.10.10.2 destination-ip-address 10.100.101.10
You can also look at ingress location of this traffic by taking the source index/ltl index.
The LTL (local target logic) is used by the sup720 forwarding engine in order to distinguish locations to forward a packet. These indexes could be pointed towards a specific port or to an internal location on the switch. In the example below you will use this index to determine ingress port of the traffic above.
Below is an example of how to determine the source of a packet based on the source LTL index of 0xC0 that is seen in the capture above.
6500-2#remote command switch test mcast ltl index c0
index 0xC0 contain ports 4/1
We can see this index is used for port 4/1. We now know this traffic is coming from port 4/1, which was also confirmed based on the port where the MAC is learned.
Determining the source of this traffic via LTL can be very useful when determining the source of the traffic during bridging loop, if multiple types of traffic are being flooded/sent to the CPU, but sent from the same port. You can analyze the netdr information and look to see if it is coming from the same source index.
You can also determine where the traffic is being sent looking at the destination index. In this case we can see that the traffic is being sent to the destination index of 0x380, which is the RP CPU:
4 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX SAL1107GS80
In the above case we can see that module 2 is the supervisor with R indicating this is the RP CPU.
If the packet that is captured has the flood bit set in the netdr capture, this traffic is being flooded to all ports within the vlan. In order to see what ports are included within this index you will need to change the destination index to seen in the netdr to account for this bit being set. The change that will be performed is to add 8 to the beginning of the destination index (which means the first bit in the LTL is set). The following is an example of an ARP request broadcast frame, which is flooded to the CPU and to all ports in a vlan. I will also show how you can interpret this data.
6500-2#sh netdr cap A total of 1 packets have been captured The capture buffer wrapped 0 times Total capture capacity: 4096 packets
In the above example the destination index is set to 0x400A and the flood bit is set to 1, both are sent to red. In this case in order to see where this packet would be sent we need to add 8 to first value in the index. For example, the index 0x400A would be changed 0xC00A, which signifies that the flood bit is set when looking up this index. Also, If an index of 0xC12 would become 0x8C12, when the index is only 3 Hex values.
With the two cases above this packet would be flooded in vlan 10 (A = 10) and vlan 3090 (c12= 3090). The rest of the Index after the flood bit is a reprsentation of the Vlan.
We can look at this information from the example netdr above with the following command:
6500-2#remote command switch test mcast ltl index C00A
index 0xC00A contain ports 2/R,, 4/1
If we do not adjust this index when the flood bit is set the index will be listed as “empty”, which can be seen below:
6500-2#remote command switch test mcast ltl index 400A
index 0x400A contain ports * empty *
If you need still assistance with interpreting this information, please open Cisco TAC case.