1. Introduction.
2. Overview of customer network.
3. Problem 1: Voice quality issues.
4. Problem 2: Statistics collection failure.
5. Problem 3: IPv6 connectivity loss.
6. Problem 4: Wireless deployment in office B.
7. Conclusion.
Introduction
Goal of this Session
Impact:
Medium: users are not able to perform day-to-day conversations
Scope:
Issue limited to HQ and Office B communication
System health check
Complex commands require architecture knowledge:
show platform software process list RP active summary
show process
Use show <something> platform to show processes from the underlying operating system.
QFP Memory Utilization
ASR1K# show platform hardware qfp active infrastructure exmem statistics
ASR1K# show platform hardware qfp active infrastructure exmem statistics user
...
10 279092 284672 CEF
40 36441494 36458496 NAT
[Figure: ASR1000 architecture. RP: CPU, IOS, Chassis Manager, Forwarding Manager, Linux kernel. ESP: FECP, Chassis Manager. SIP: IOCP, SPA driver, Chassis Manager, SPAs.]
Packet capture (EPC): excellent tool but insufficient in many cases
http://www.cisco.com/en/US/docs/ios-xml/ios/epc/configuration/xe-3s/asr1000/nm-packet-capture-xe.html
Sample of captured packets (hex dump):
0000: 01005E00 0002001B 2BF69280 080046C0 ..^.....+.....F.
0010: 00200000 00000102 44170000 0000E000 . ......D.......
0020: 00019404 00001700 E8FF0000 0000 ..............
0000: 01005E00 0002001B 2BF68680 080045C0 ..^.....+.....E.
0010: 00300000 00000111 CFDB091D 0003E000 .0..............
0020: 000207C1 07C1001C 88B50000 08030A6E ...............n
0030: 1D006369 73636F00 0000091D 0001 ..example.......
[Figure: QFP packet processor engine complex (PPE threads, Dispatcher, Packet Buffer, Crypto, SA table, SPI Mux, DRAM Interconnect) with the feature chain applied to a packet: MQC Classify, NAT, Output ACL, IP Unicast, PBR, Encaps.]
Statistics and final action will be collected (matched packets dropped, punted to RP, forwarded to output interface).
Optionally, FIA actions can be logged per packet.
The system can capture several packet flows.
Packet flows can be reviewed in show commands.
Packet-Trace: Details
Designed to address the challenge of troubleshooting datapath issues in live, high-scale environments.
Packet-trace provides visibility into the treatment of packets on an IOS-XE platform to troubleshoot, diagnose, or gain a deeper understanding of the actions taken on a packet during packet processing.
Integrated platform condition debugging (debug platform condition) makes it a viable option even under the heavy traffic situations seen in production environments.
Three specific levels of inspection are provided by packet-trace. Each level adds a deeper look into the packet processing at the expense of some packet processing overhead.
Packet Trace is supported on the ASR1000, ISR4000, and CSR1000V; introduced in XE 3.10.
Packet-Trace: Accounting
Accounting keeps track of all interesting packets that enter and leave the packet processor. There are three count groups:
Summary counts
- Packets Matched: packets that matched conditions
- Packets Traced: packets that were traced
Arrival counts
- Ingress: packets entering via external interfaces
- Inject*: number of packets seen as injected from control plane
Departure counts
- Forward: number of packets scheduled/queued for delivery
- Punt*: number of packets punted to control plane
- Drop*: number of packets specifically dropped by packet processing
- Consume: number of packets consumed (e.g. ping request)
Packet-Trace: Summary Data
When enabled, summary data is collected for a specified number of packets and includes:
- Packet number (pactrac-specific packet number)
- Input interface
- Output interface
- Final packet state and any punt/drop/inject codes
Packet-trace will only affect the performance of packets traced (i.e. those matched by the user-provided conditions).
Packet Trace: Memory impact
Packet trace buffers consume QFP DRAM, so be mindful of the amount of memory that a configuration requires and the amount of memory that is available.
The QFP DRAM usage can be estimated with this formula:
memory needed = (stats overhead) + num of pkts * (summary size + path data size + copy size)
You can check the current data-plane DRAM memory consumption by using the show platform hardware qfp active infrastructure exmem statistics command.
Note: While the stats overhead and summary size are fixed at 2 KB and 128 B, respectively, the path data size and copy size are user-configurable.
Configuring Packet Tracing (Part 1)
debug platform packet-trace copy packet {in | out | both} [L2 | L3 | L4] [size num-bytes]
Needs to be done first to enable packet tracing
Workflow: enable and define buffer, define condition criteria, start/stop, view
Review Data
show platform packet-trace summary
show platform packet-trace packet all
show platform packet-trace packet 5
Verify/Clear Configuration
show platform packet-trace configuration
clear platform condition all
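As an added example (not from the slides), the Python below sizes the trace buffer with the memory formula from the memory-impact slide and then triages the summary data that the review commands above return; the summary row layout and the sample output are constructed to look like typical packet-trace summary output, not copied from a device.

```python
import re
from collections import Counter

# Fixed sizes from the memory-impact slide: stats overhead 2 KB, summary 128 B.
STATS_OVERHEAD_BYTES = 2 * 1024
SUMMARY_SIZE_BYTES = 128


def packet_trace_memory_bytes(num_pkts, path_data_bytes, copy_bytes):
    """QFP DRAM estimate from the slide's formula:
    memory = stats overhead + num of pkts * (summary + path data + copy)."""
    return STATS_OVERHEAD_BYTES + num_pkts * (SUMMARY_SIZE_BYTES + path_data_bytes + copy_bytes)


# One summary row: packet number, input, output, final state and an optional
# "code (reason)" for PUNT/DROP. Layout is an assumption modelled on typical
# 'show platform packet-trace summary' output.
SUMMARY_ROW = re.compile(
    r"^\s*(?P<pkt>\d+)\s+(?P<inp>\S+)\s+(?P<out>\S+)\s+(?P<state>FWD|PUNT|DROP|CONS)"
    r"(?:\s+(?P<code>\d+)\s+\((?P<reason>[^)]*)\))?\s*$"
)


def parse_summary(text):
    """Parse the summary table into a list of dicts (header and noise lines are skipped)."""
    rows = []
    for line in text.splitlines():
        m = SUMMARY_ROW.match(line)
        if m:
            d = m.groupdict()
            d["pkt"] = int(d["pkt"])
            d["code"] = int(d["code"]) if d["code"] else None
            rows.append(d)
    return rows


def triage(rows):
    """Count final states and rank the non-forwarded packets by (input, state, reason)."""
    states = Counter(r["state"] for r in rows)
    problems = Counter(
        (r["inp"], r["state"], r["reason"] or "unknown") for r in rows if r["state"] != "FWD"
    )
    return {"states": dict(states), "problems": problems.most_common()}


# Constructed sample output: a punt to the RP and two ACL drops among forwarded packets.
SAMPLE_SUMMARY = """\
Pkt   Input            Output           State  Reason
0     Gi0/0/3          Gi0/0/1          FWD
1     Gi0/0/3          Gi0/0/1          FWD
2     Gi0/0/3          internal0/0/rp:0 PUNT   11  (For-us data)
3     Gi0/0/3          Gi0/0/1          DROP   8   (Ipv4Acl)
4     Gi0/0/3          Gi0/0/1          DROP   8   (Ipv4Acl)
"""

if __name__ == "__main__":
    # 16 packets, 2 KB of path data and a 64 B copy per packet.
    print("QFP DRAM needed:", packet_trace_memory_bytes(16, 2048, 64), "bytes")
    for key, count in triage(parse_summary(SAMPLE_SUMMARY))["problems"]:
        print(count, "x", key)
```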
[Figure: Cisco ASR1000 packet flow. Components: Reset/Pwr Ctrl, Packet Buffer, Part Len/BW, TCAM, Resource DRAM, SRAM, Temp Sensor, EEPROM, Boot Flash (OBFL), FECP, QFP with DDRAM, Packet Processor Engine Complex (PPE1..PPE5, Dispatcher, Packet Buffer, Crypto, SPI Mux, SA table, DRAM Interconnect) and BQS; 2 Gb/slot towards the SIPs.]
[Figure: Cisco ISR 4300 Series architecture. CP/SP cores (IOS, Service Container and ISR-WAAS on a KVM hypervisor, service plane) and data plane cores, connected over the Multigigabit Fabric (ISC) to FPGE, NIM and SM-X slots; Flash.]
Note: the 4321 uses 2 DP, 1 CP and 1 SC cores.
ISR4K# debug platform packet-trace enable
Please remember to turn on 'debug platform condition start' for packet-trace to work
ASR1K-2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ASR1K-2(config)#interface Gig0/0/3
ASR1K-2(config-if)#no service-policy output DROP_af21
ASR1K-2(config-if)#end
Packet Trace Office B summary, no drops
ASR1K-2#debug platform condition stop
Packet trace new features: IOSd trace
Details of a packet that has been traced:
Feature: FIA_TRACE
Input : GigabitEthernet1
Output : <unknown>
Entry : 0x813a5558 - IPV4_INPUT_FOR_US_MARTIAN
Feature: IPV4_INPUT_LOOKUP_PROCESS_EXT
Input : GigabitEthernet3
Output : internal0/0/rp:0
Entry : Input - 0x812fcd58
New features: Trace logs
Trace logs are now generated and saved in binary instead of text (much faster; compressed messages use error codes instead of plain text).
Tools: SPAN on IA
{SPAN on IA} vs {SPAN on VSS}
FEX-101#configure terminal
FEX-101(config)#monitor session 1 source interface gi1/0/1
FEX-101(config)#monitor session 1 destination interface gi1/0/2
[Figure: SPAN configured on the FEX (FEX 101) versus on the VSS; the two capture points are the ingress interface of the FEX client (1) and the FEX uplink (2).]
CONCLUSION:
no issue found related to the source
Checking resources and ASIC drops on IA
6880VSS#show interface Gig 101/1/0/1
GigabitEthernet101/1/0/1 is up, line protocol is up (connected)
Hardware is C6k 1000Mb 802.3, address is c472.9585.b903 (bia c472.9585.b903)
MTU 9216 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 232/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseT
input flow-control is off, output flow-control is unsupported
Clock mode is auto
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 912282000 bits/sec, 532883 packets/sec
5 minute output rate 4524545 bits/sec, 2232 packets/sec
951705714 packets input, 203665020228 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
517057 packets output, 823232202 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Callouts: the input counters are the ingress direction (interface of the FEX client); the output counters are the egress direction.
Checking resources and ASIC drops on IA
Gig 101/1/0/1 <-> (on FEX) Gig 1/0/1
Separate verification for both VSS physical interfaces, egress direction:
Packets dropped on Receive:
BPDU packets: 0
queue thresh dropped [cos-map]
------------------------------------------------------------------
1 1 0 [0 1 2 3 4 5 6 7 ]
1 1 0 [0 1 2 3 4 5 6 7 ]
1 1 0 [0 1 2 3 4 5 6 7 ]
ELAM IPv4 Example
[Figure: lab topology with 10.1.117.231/25 behind Gi5/3 (VLAN 10) and 10.1.117.1/25 behind Gi5/2 (VLAN 20).]
Sup2T(config)# service internal
Sup2T# show platform capture elam asic eureka slot 5
Assigned asic_desc=eu50
Sup2T# show platform capture elam trigger master eu50 dbus dbi ingress ipv4 if ip_sa=10.1.117.231 ip_da=10.1.117.1
Sup2T# show platform capture elam data
(some output omitted)
DBUS data:
VLAN ............................ [12] = 10
SRC_INDEX ....................... [19] = 0x102
L3_PROTOCOL ..................... [4] = 0 [IPV4]
L3_PT ........................... [8] = 1 [ICMP]
IP_TTL .......................... [8] = 255
IP_SA ........................... = 10.1.117.231
IP_DA ........................... = 10.1.117.1
RBUS data:
FLOOD ........................... [1] = 0
DEST_INDEX ...................... [19] = 0x101
VLAN ............................ [12] = 20
IP_TTL .......................... [8] = 254
REWRITE_INFO
i0 - replace bytes from ofs 0 to ofs 11 with seq '00 00 0C 07 AC CA B4 14 89 61 37 80'.
Sup2T# show platform hardware ltl index 0x102
LTL index 0x102 contain ports :
=========================================
Gi5/3 <----- packet received on Gi5/3
Sup2T# show platform hardware ltl index 0x101
LTL index 0x101 contain ports :
=========================================
Gi5/2 <----- packet sent out Gi5/2
Packet received on VLAN 10 with a TTL of 255 and routed out VLAN 20 with a TTL of 254.
[Figure: customer VSS topology: source 20.20.20.20 on Vlan 10, destination 10.10.10.10; chassis ports Te 1/5/2, Te 1/5/4, Te 2/5/4, Te 1/5/6 and Te 2/5/6.]
6880#show platform capture elam asic eureka slot 5
Assigned asic_desc=eu50
6880#show platform capture elam trigger master eu50 dbus dbi ingress ipv4 if ip_sa=20.20.20.20 ip_da=10.10.10.10
6880VSS#show platform capture elam start
cap_commands: Default ELAM RBI PB1 added to list
6880#show platform capture elam status
ELAM Mode: local
ID# Role ASIC Slot Inst Ver ELAM Status
----- ---- ------- ---- ---- --- --------- ------
RBUS data:
SEQ_NUM ......................... [5] = 0x8
DEST_INDEX ...................... [19] = 0x1101 [Te1/5/2]
VLAN ............................ [12] = 1012
RBH ............................. [3] = b000
REWRITE_INFO
i0 - no rewrite.
Annotation: only the egress interface (Te1/5/2).
ELAM problematic traffic
6880VSS#show platform capture elam data
DBUS data:
SEQ_NUM ......................... [5] = 0x15
VLAN ............................ [12] = 30 [HW BD: 30]
SRC_INDEX ....................... [19] = 0x2032 [Po101[Te1/5/6,Te2/5/6],Gi101/1/0/3]
LEN ............................. [16] = 196
FORMAT .......................... [2] = 0 [IP]
L3_PT ........................... [8] = 17 [UDP]
DMAC ............................ = 84b8.02e1.e5c0
SMAC ............................ = 0000.0060.dd19
IP_SA ........................... = 30.30.30.30
IP_DA ........................... = 40.40.40.40
RBUS data:
SEQ_NUM ......................... [5] = 0x15
FLOOD ........................... [1] = 0
DEST_INDEX ...................... [19] = 0x380
Conclusion: voice traffic from the problematic transmission is software forwarded.
What does the index 0x380 mean?
Confirmation
6880VSS#debug netdr capture rx
6880VSS#show netdr captured-packets
A total of 4096 packets have been captured
The capture buffer wrapped 0 times
Total capture capacity: 4096 packets
------- dump of incoming inband packet -------
l2idb Gi101/1/0/3, l3idb Vl30, routine inband_process_rx_packet, timestamp 08:25:47.010
dbus info: src_vlan 0x1E(30), src_indx 0x2032(8242), len 0xD0(208)
bpdu 0, index_dir 0, flood 0, dont_lrn 0, dest_indx 0x1380(4992), CoS 5
cap1 0, cap2 0
05820800 001E0000 20320000 D0080000 1E000404 20000400 00000010 1380B989
destmac 84.B8.02.E1.E5.C0, srcmac 00.00.00.60.DD.19, shim ethertype CCF0
earl 8 shim header IS present:
version 0, control 64(0x40), lif 30(0x1E), mark_enable 1,
feature_index 0, group_id 0(0x0), acos 46(0x2E),
ttl 14, dti 4, dti_value 508(0x1FC)
100003C8 00BB8080 01FC
ethertype 0800
protocol ip: version 0x04, hlen 0x05, tos 0xB8, totlen 178, identifier 0
df 0, mf 0, fo 0, ttl 64, src 30.30.30.30, dst 40.40.40.40
udp src 800, dst 1678 len 158 checksum 0xA469
(the line "l2idb Gi101/1/0/3, l3idb Vl30, routine inband_process_rx_packet, timestamp 08:25:47.010" repeats for every captured packet)
Not just a single packet but the entire stream is CPU processed. Source and destination IPs match our voice traffic.
Feature Manager
- Features are enabled by the ASIC's advanced logic
- Feature Manager handles the configuration of features and can efficiently allocate the available hardware resources to them
- Resolves conflicts
[Figure: topology with the NMS system, FEX101 and 3850-4.]
SVI features list
6880VSS# show fm fie interface vlan 30
<...>
inbound label: 3
Feature PBR - Policy Based Routing:
-----------------------------------------------------------------------------
FM_FEATURE_PBR i/f: Vl30 rmap: TEST
=============================================================================
----------------------------------------------------
Seq. No: 10 Seq. Result : FM_RESULT_BRIDGE
----------------------------------------------------
1 V 0.0.0.0 30.30.30.0 0 0 0 ----- 0 -----
M 0.0.0.0 255.255.255.0 0 0 0 00000 0 0
PERMIT_RESULT
Annotation: punt to CPU.
Route-map misconfiguration
6880VSS# show running-config interface vlan 30
interface Vlan30
ip address 30.30.30.1 255.255.255.0
ip access-group 103 in
ip flow monitor netflow-original input
ip flow monitor netflow-original output
ip policy route-map TEST
route-map TEST, permit, sequence 10
Match clauses:
ip address (access-lists): 130
Set clauses:
Policy routing matches: 5735647324 packets, 1101244286208 bytes
Annotation: the set clause is missing.
Fix: set the next hop
6880VSS#conf term
route-map TEST permit 10
set ip next-hop 10.10.10.10
SVI feature manager, after fix
6880VSS# show fm interface vlan 30
<...>
inbound label: 51
Feature PBR - Policy Based Routing:
=============================================================================
----------------------------------------------------
Seq. No: 10 Seq. Result : FM_RESULT_ADJREDIRECT
----------------------------------------------------
1 V 0.0.0.0 30.30.30.0 0 0 0 ----- 0 -----
M 0.0.0.0 255.255.255.0 0 0 0 00000 0 0
PERMIT_RESULT Adjacency: 0x20346354
Annotation: redirect.
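The route-map misconfiguration above (a permit sequence with a match but no set clause, applied with ip policy route-map, so the traffic is punted to the CPU) can be caught before it reaches the hardware. The Python below is an added example, not the customer's tooling; the config excerpt is constructed after the case, and the second route-map GOOD is made up to show a clean and a broken sequence side by side.

```python
import re

# Constructed IOS running-config excerpt modelled on the case above.
SAMPLE_CONFIG = """\
interface Vlan30
 ip address 30.30.30.1 255.255.255.0
 ip access-group 103 in
 ip policy route-map TEST
!
interface Vlan40
 ip address 40.40.40.1 255.255.255.0
 ip policy route-map GOOD
!
route-map TEST permit 10
 match ip address 130
!
route-map GOOD permit 10
 match ip address 140
 set ip next-hop 10.10.10.10
!
route-map GOOD permit 20
 match ip address 141
!
"""

RMAP_HDR = re.compile(r"^route-map (\S+) (permit|deny) (\d+)$")


def parse_blocks(config):
    """Split an IOS config into (header, [indented sub-lines]) blocks; '!' ends a block."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
            continue
        if header is not None:
            blocks.append((header, body))
        line = raw.strip()
        header, body = (line if line and line != "!" else None), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit_pbr(config):
    """Report permit sequences of route-maps that are applied on an interface with
    'ip policy route-map' and carry no 'set' clause (matched traffic leaves the
    hardware path, as FM_RESULT_BRIDGE showed above)."""
    blocks = parse_blocks(config)
    applied = {}  # route-map name -> interfaces it is applied on
    for hdr, body in blocks:
        if hdr.startswith("interface "):
            for line in body:
                if line.startswith("ip policy route-map "):
                    applied.setdefault(line.split()[-1], []).append(hdr.split(None, 1)[1])
    findings = []
    for hdr, body in blocks:
        m = RMAP_HDR.match(hdr)
        if not m or m.group(2) != "permit" or m.group(1) not in applied:
            continue
        if not any(line.startswith("set ") for line in body):
            findings.append({
                "route_map": m.group(1),
                "seq": int(m.group(3)),
                "interfaces": applied[m.group(1)],
                "issue": "permit sequence without set clause (software path)",
            })
    return findings


if __name__ == "__main__":
    for f in audit_pbr(SAMPLE_CONFIG):
        print(f"route-map {f['route_map']} seq {f['seq']} on {','.join(f['interfaces'])}: {f['issue']}")
```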
Problem #2.
Monitoring systems have issues with statistics collection from 3850 switches.
Problem #2
Problem definition:
The centralized monitoring system has problems with statistics collection from the 3850 switches located in HQ
Impact:
Low
Scope:
Only the NMS systems seem to be affected
Login or ping to the 3850 switch is not working:
6880VSS# ping 10.10.55.8 repeat 10
33 33 00 00 00 16 d4 c9 ef f1 d4 65 81 00 03 44
86 dd 60 00 00 00 00 24 00 01 fe 80 00 00 00 00
Solutions:
1. Find this MAC by checking the MAC address table and block it.
2. Enable MLD snooping. When MLD snooping is enabled, a per-VLAN IPv6 multicast address table is constructed in software and hardware. The switch then performs IPv6 multicast-address-based bridging in hardware, so the traffic no longer has to be processed by software.
3850-1#config terminal
3850-1(config)# end
Normal CPU utilization
3850-1# sh processes cpu sorted | e 0.00
Core 0: CPU utilization for five seconds: 6%; one minute: 8%; five minutes: 8%
Core 1: CPU utilization for five seconds: 0%; one minute: 2%; five minutes: 1%
Core 2: CPU utilization for five seconds: 0%; one minute: 4%; five minutes: 3%
Core 3: CPU utilization for five seconds: 6%; one minute: 2%; five minutes: 3%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
6106 1547872 35097160 166 1.59 1.54 1.51 1088 fed
8979 3282850 34676914 94 0.60 0.74 0.72 0 iosd
6108 1792550 2978488 601 0.36 0.37 0.37 0 stack-mgr
<...>
Impact:
High: software developers are unable to perform basic operations
Scope:
Problems are related to Office A, as the IPv6 protocol is only enabled there.
IPv6 connectivity problem
[Figure: Office A topology with 3650-1, ISR4420-1, the WAN and prefix 2001:dead:beef:2::/64; the router's path is working fine, the host's path is not working.]
Verify IPv6 forwarding path
ISR4420-1#ping ipv6 2001:420:1101:1::a
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:420:1101:1::a, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 25/26/31 ms
C:\Users\admin>ping ipv6.cisco.com
Pinging ipv6.cisco.com [2001:420:1101:1::a] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
However, the host is also receiving an unexpected RA with prefix bad::/64 and with route information for ::/0, 2002::/3 and FC00::/7.
Router Theft: role (and session hijacking!)
Attacker tricks victim into accepting itself as default router
Based on rogue Router Advertisements
Many variants: preference, timing, final RA, etc.
[Figure: legitimate router R, attacker C and victim A. In A's RIB, the RA with source = LLR and preference=medium installs ::0/0 via LLR and the session goes via R; the RA with source = LLC, destination=ALL-NODES and preference=high installs ::0/0 via LLC and the session goes via the link on C.]
Most frequent issue seen
DoS attack: denial of address resolution (one packet)
Attacker responds to all Resolution Requests
[Figure: host A resolves B; attacker X answers with MACFAKE instead of MAC B.]
Solution? IPv6 First Hop Security
FHS features can be classified in three feature categories as follows:
Core:
- RA Guard blocks unauthorized Router Advertisements (RAs)
- DHCP Guard blocks unauthorized DHCP servers
- IPv6 Snooping analyzes control/data switch traffic, detects IP addresses, and stores/updates them in a binding table.
Advanced:
- Source/Prefix Guard validates the source address or prefix of IPv6 traffic sourced from the link
- Destination Guard validates the destination address of IPv6 traffic reaching the link
Each FH feature provides commands to attach policies to targets: box, vlan, port
vlan configuration 100
 ipv6 nd raguard attach-policy host
 ipv6 snooping
interface e 0/0
 ipv6 nd raguard attach-policy router
Packets are processed by the lowest-level matching policy for each feature:
- Packets received on e0/0 are processed by policy ra-guard router AND policy snooping default
- Packets received on any other port of vlan 100 are processed by policy ra-guard host AND policy snooping default
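As an added example (not from the slides), this Python resolver parses attach-policy lines like the ones above and applies the lowest-level-policy rule per feature, so the two statements above can be checked mechanically; the interface names Ethernet0/0 and Ethernet0/1 and the policy named strict are constructed.

```python
import re

# Constructed configuration modelled on the slide's vlan/port attachments.
SAMPLE_FHS_CONFIG = """\
vlan configuration 100
 ipv6 nd raguard attach-policy host
 ipv6 snooping
interface Ethernet0/0
 ipv6 nd raguard attach-policy router
interface Ethernet0/1
 ipv6 snooping attach-policy strict
"""

FEATURES = {"ipv6 nd raguard": "ra-guard", "ipv6 snooping": "snooping"}
ATTACH = re.compile(r"^(ipv6 nd raguard|ipv6 snooping)(?: attach-policy (\S+))?$")
TARGET = re.compile(r"^(?:vlan configuration (\d+)|interface (\S+))$")


def parse_attachments(config):
    """Return {target: {feature: policy}} with target 'vlan <id>' or 'interface <name>'.
    A feature enabled without attach-policy uses the policy named 'default', as the
    slide's 'policy snooping default' wording shows."""
    attachments, target = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and target is not None:
            m = ATTACH.match(line)
            if m:
                attachments.setdefault(target, {})[FEATURES[m.group(1)]] = m.group(2) or "default"
            continue
        m = TARGET.match(line)
        if m and m.group(1):
            target = f"vlan {m.group(1)}"
        elif m:
            target = f"interface {m.group(2)}"
        else:
            target = None
    return attachments


def effective_policies(attachments, port, vlan):
    """Lowest-level matching policy wins per feature: port first, then vlan, then box
    (a 'box' key is honoured if present; the sample has no box-level attachment)."""
    result = {}
    for level in (f"interface {port}", f"vlan {vlan}", "box"):
        for feature, policy in attachments.get(level, {}).items():
            result.setdefault(feature, policy)
    return result


if __name__ == "__main__":
    att = parse_attachments(SAMPLE_FHS_CONFIG)
    for port in ("Ethernet0/0", "Ethernet0/1", "Ethernet0/2"):
        print(port, "in vlan 100 ->", effective_policies(att, port, 100))
```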
How to block rogue RA
Port ACL: blocks all ICMPv6 RA from hosts
interface FastEthernet0/2
 ipv6 traffic-filter ACCESS_PORT in
 access-group mode prefer port
RA Guard: the port is not authorized to send RA
interface FastEthernet0/2
 ipv6 nd raguard
 access-group mode prefer port
ipv6 nd raguard policy HOST
 device-role host
!
ipv6 snooping logging packet drop
!
If we want to know which port is sending the rogue RA we can follow the source MAC or enable the additional logging above:
3560-1#
*Oct 31 14:35:08.077: %SISF-4-PAK_DROP: Message dropped A=FE80::250:56FF:FE84:C17A G=- V=1 I=Gi1/0/4 P=NDP::RA Reason=Message unauthorized on port
*Oct 31 14:35:13.077: %SISF-4-PAK_DROP: Message dropped A=FE80::250:56FF:FE84:C17A G=- V=1 I=Gi1/0/4 P=NDP::RA Reason=Message unauthorized on port
*Oct 31 14:35:18.078: %SISF-4-PAK_DROP: Message dropped A=FE80::250:56FF:FE84:C17A G=- V=1 I=Gi1/0/4 P=NDP::RA Reason=Message unauthorized on port
*Oct 31 14:35:23.078: %SISF-4-PAK_DROP: Message dropped A=FE80::250:56FF:FE84:C17A G=- V=1 I=Gi1/0/4 P=NDP::RA Reason=Message unauthorized
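To turn the %SISF-4-PAK_DROP messages above into a finding (which port and which link-local source keep sending unauthorized RAs), the Python below parses the syslog format and ranks RA drops per port and source. This is an added example, not from the slides; the sample log is constructed in the same format, with an extra NS drop and an unrelated message mixed in, and the threshold of 3 drops is a made-up tuning value.

```python
import re
from collections import Counter

# Constructed syslog lines in the %SISF-4-PAK_DROP format shown on the slide.
SAMPLE_LOG = """\
*Oct 31 14:35:08.077: %SISF-4-PAK_DROP: Message dropped A=FE80::250:56FF:FE84:C17A G=- V=1 I=Gi1/0/4 P=NDP::RA Reason=Message unauthorized on port
*Oct 31 14:35:13.077: %SISF-4-PAK_DROP: Message dropped A=FE80::250:56FF:FE84:C17A G=- V=1 I=Gi1/0/4 P=NDP::RA Reason=Message unauthorized on port
*Oct 31 14:35:18.078: %SISF-4-PAK_DROP: Message dropped A=FE80::250:56FF:FE84:C17A G=- V=1 I=Gi1/0/4 P=NDP::RA Reason=Message unauthorized on port
*Oct 31 14:35:23.078: %SISF-4-PAK_DROP: Message dropped A=FE80::1 G=- V=20 I=Gi1/0/7 P=NDP::NS Reason=Message unauthorized on port
*Oct 31 14:35:28.078: %SISF-4-PAK_DROP: Message dropped A=FE80::250:56FF:FE84:C17A G=- V=1 I=Gi1/0/4 P=NDP::RA Reason=Message unauthorized on port
*Oct 31 14:35:30.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# A= source address, G= gateway, V= vlan, I= ingress interface, P= protocol/message type.
PAK_DROP = re.compile(
    r"^\*?(?P<ts>\w{3} \d+ [\d:.]+): %SISF-4-PAK_DROP: Message dropped "
    r"A=(?P<addr>\S+) G=(?P<gw>\S+) V=(?P<vlan>\d+) I=(?P<intf>\S+) P=(?P<proto>\S+) "
    r"Reason=(?P<reason>.*)$"
)


def parse_pak_drops(text):
    """Return one dict per SISF drop message; other syslog lines are ignored."""
    return [m.groupdict() for m in (PAK_DROP.match(line) for line in text.splitlines()) if m]


def rogue_ra_sources(drops, threshold=3):
    """Group RA drops by (interface, source link-local, vlan) and return the groups that
    reached the threshold, most frequent first: these are the ports to look at."""
    counts = Counter(
        (d["intf"], d["addr"], d["vlan"]) for d in drops if d["proto"] == "NDP::RA"
    )
    return [(key, n) for key, n in counts.most_common() if n >= threshold]


def drops_by_protocol(drops):
    """Overview of what RA Guard / snooping is dropping, per NDP message type."""
    return dict(Counter(d["proto"] for d in drops))


if __name__ == "__main__":
    drops = parse_pak_drops(SAMPLE_LOG)
    print("drops per protocol:", drops_by_protocol(drops))
    for (intf, addr, vlan), n in rogue_ra_sources(drops):
        print(f"{n} unauthorized RAs on {intf} (vlan {vlan}) from {addr}")
```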
The toolbox
Vulnerability | Attack tool (thc, si6, ...) | Mitigation | Where | Security level | Deployability
Router Role theft | fake_router6 | Increase legal router preference | Router | Weak | Low
 | flood_router6 | Manual default gateway configuration | Host | Very Strong | Medium-Low
 | redir6 | SeND Router Authorization | Host | Very Strong | Low
 | | Host isolation (PVLAN) | Switch | Very Strong | Medium
 | | Port Access Lists (PACL) | Switch | Medium | Medium-High
 | | RA guard | Switch | Medium-Strong | Medium-High
Router Identity theft / Address Theft | parasite6 | Static ND cache entry | Host | Very Strong | Low
 | | SeND CGA | Host | Very Strong | Low
 | | Binding Guard (IPv6 snooping) | Switch | Strong | High
DoS: denial of address initialization | dos-new-IPv6 | Binding Guard (IPv6 snooping) | Switch | Strong | High
 | | SeND CGA | | Very Strong | Medium
DoS: denial of address assignment | denial6 | DHCP guard | Switch | Strong | High
 | fake_advertiser6 | DHCP authentication | Host | Strong | Low
DoS: denial of address configuration | thcping6 | RA guard | Switch | Medium-Strong | Medium-High
 | dos-new-IPv6 | PACL | Switch | Medium | Medium
DoS: denial of Address Resolution (1 pkt) | frag6 | Binding Guard | Switch | Medium-Strong | Medium-High
DoS: denial of Address Resolution (flood) | scan6 | Destination Guard | Router | Strong | Medium
 | dos-new-IPv6 | RACL | Router | Medium | Medium-Low
DoS: denial of Link Operations (flood) | dos-new-IPv6 | ND control | Router | Weak | Low
 | flood_advertise6 | Binding Guard control | Switch | Very Strong | Very High
Misdirecting responses | syn6_flood | Source Guard, Prefix Guard | Switch | Very Strong | Very High
 | | ACL | Router | Very Strong | Low
 | | uRPF | Router | Weak | Low
IPv6 First Hop Security Platform Support
Feature/Platform | Catalyst 6500 Series / 7600 Router | Catalyst 4500 Series | Catalyst 2K/3K Series | ASR1000 Series Router | Catalyst 3850 | Wireless LAN Controller (Flex 7500, 5508, 2500, WISM-2) | Nexus 3k/5k/6k/7k
IPv6 Snooping | 15.0(1)SY1 | 15.1(2)SG | 15.0(2)SE | XE 3.9.0S / 15.2(4)S | 15.0(1)EX | 7.2 | NX-OS 7.2
DHCPv6 Guard | 15.2(1)SY | 15.1(2)SG | 15.0(2)SE | 15.2(4)S | 15.0(1)EX | 7.2 | NX-OS 7.2
Note 1: IPv6 Snooping support in 15.0(1)SY does not extend to DHCP or data packets; only ND packets are snooped.
Note 2: Only IPv6 Source Guard is supported in 15.0(2)SE; no support for Prefix Guard in that release.
Problem #4.
Wireless deployment in office B.
Problem #4
Problem definition:
The end customer is planning to deploy converged access in office B; however, the wireless functionality is not available
Impact:
High: not able to proceed with the POC
Scope:
Limited to Office B
Wireless configuration is not accepted
Unable to apply wireless configuration
4507-1#show mod
Chassis Type : WS-C4507R+E
1) supervisor-bootup ---------------> .
2) linecard-online-diag ------------> .
3) stub-rx-errors ------------------> .
4) supervisor-rx-errors ------------> .
CLI Analyzer - a tool that uses the collective knowledge of Cisco TAC
CLI Analyzer
What is it?
The Cisco CLI Analyzer is a TAC-powered SSH client with advanced tools supporting ASA, IOS, IOS-XE, IOS-XR and NX-OS software.
Main Features
- Telnet/SSH client
- Real-time Contextual Help and Highlighting (CHH)
- Real-time tools:
  System Diagnostics: ASA, IOS (including XE and XR), NX-OS
  ASA: Firewall Top Talkers, Traceback Analyzer, Packet Tracer
  IOS-XR: BGP Top Talkers, L2VPN Top Talkers, LPTS Top Talkers
- File Analysis: run system diagnostics and CHH offline on copy-pasted show commands, or on a file with show commands, when the box is not reachable
Telnet/SSH Client
Download: www.cisco.com -> Support -> Tools
Quick connect, recent activity, search devices, sort, store accessed devices
Settings: user settings, logs, proxy, master password, theme
Auto-check system inside the client window
Search: case insensitive, use regular expression in search, disable highlight
regex example: \s10.\d.\d\d\d.\d searches for IPv4 addresses of the form 10.x.xxx.x
Logging: logging session to file; start/stop, provide file name
Contextual Help and Highlighting (CHH)
Highlighting for show version, show running-config, show log, any show command!
HTTP links to corresponding guides and documents
Wireless issue: software mode
CLI Analyzer and wireless issue
Software mode change
4507-1#software expand file bootflash:cat4500es8-universalk9.SPA.03.07.02.E.152-3.E2.bin
Preparing install operation ...
[3]: Starting install operation
[3]: Expanding bundle bootflash:cat4500es8-universalk9.SPA.03.07.02.E.152-3.E2.bin
[3]: Copying package files
[3]: Package files copied
[3]: Finished expanding bundle bootflash:cat4500es8-universalk9.SPA.03.07.02.E.152-3.E2.bin
[3]: Verifying and copying expanded package files to bootflash:
4507-1#dir bootflash: | i conf
54328 -rw- 1726 Oct 24 2016 11:33:56 +00:00 packages.conf
4507-1#conf t
4507-1(config)#boot system flash bootflash:packages.conf
4507-1#wr
Building configuration...
4507-1#reload
Proceed with reload? [confirm]
After the software mode change
4507-1#show mod
Chassis Type : WS-C4507R+E
Mod Redundancy role Operating mode Redundancy status
----+-------------------+-------------------+----------------------------------
3 Active Supervisor SSO Active
Mod Submodule Model Serial No. Hw Status
----+-----------------------+-----------------+------------+----+---------
3 Daughter Card WS-UA-SUP8E CAT1720L5N0 0.4 Ok
We start to see the wireless daughter card.
After the software mode change
4507-1(config)#wireless ?
assisted-roaming Configure dot11k assisted-roaming feature parameters
broadcast Enable Ethernet Broadcast Support
client Configure client parameters
dot11-padding Configure over-the-air frame padding
exclusionlist Manage exclusion list entries
ipv6 Global wireless IPv6 configurations
linktest Configure linktest frame size and number of frames to send
load-balancing Configure Aggressive Load Balancing
management Configure wireless management parameters
mdns-bridging Enable Ethernet mDNS Support
media-stream Config media stream groups
mgmt-via-wireless Enable management access from wireless clients
mobility Configure the Inter-Switch Mobility Manager
multicast Enable Ethernet Multicast Support
peer-blocking Configure p2p peer blocking
probe Configure rate-limiting of probe requests.
qos Enable qos Services configuration
rf-network Sets the RF-Network Name
security Configure wireless security features
sip SIP preferred call numbers.
wgb Configure WGB client
wlancc Enable WLANCC on the controller
wps Global WPS settings
Full support for wireless.
CLI Analyzer system-specific tools
ASA Tools
ASA Firewall Top Talkers: helps determine which connections passing traffic through an ASA have the highest bit rate during a certain period of time. GUI interface: direction, interfaces, VLANs, etc.
CPU packet capture results: flow analysis, decodes PCAP, platform-specific CPU packet capture - top talkers
Conclusion
Summary
- To troubleshoot, use a step-by-step approach: define the problem and narrow it down
- There is a variety of tools available on Cisco platforms
- Tools depend on the platform and require sufficient expertise
- We are making an effort to simplify and add new troubleshooting features and new tools, such as Packet Trace and CLI Analyzer
Additional resources
Packet trace: http://www.cisco.com/c/en/us/support/docs/content-networking/adaptive-session-redundancy-asr/117858-technote-asr-00.html
ELAM overview: https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=7608 and http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/116644-technote-product-00.html
FED tracing: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3850-series-switches/117594-technote-hicpu3850-00.html
CLI Analyzer: https://cway.cisco.com/docs/cisco-cli-analyzer/2.0/About_the_Cisco_CLI_Analyzer.htm