Using NetFlow to isolate packet drops or blocks

NetFlow must first be enabled on the interface, ingress or egress (‘ip flow ingress’ / ‘ip flow egress’); otherwise the flow cache has nothing to show.

To look at the flows for a single host, use the command:

R3#sh ip cache 1.1.1.1 255.255.255.255 flow
IP packet size distribution (86 total packets):
1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
.000 .534 .000 .465 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
1 active, 65535 inactive, 14 added
180 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 533256 bytes
0 active, 16384 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 2 chunks added
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet           6      0.0         7    43      0.0       1.9       8.6
ICMP                 7      0.0         5   100      0.0       0.1      15.4
Total:              13      0.0         6    67      0.0       0.9      12.3

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         1.1.1.1         Local         100.100.100.100 01 0000 0800     5

A DstIf of Null means the router discarded the flow instead of forwarding it; here an ACL is blocking the traffic (the 5 packets to 8.8.8.8 line up with the 5 deny matches on the access list):

R3#sh ip cache flow
IP packet size distribution (952 total packets):
1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
.018 .263 .399 .318 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
7 active, 65529 inactive, 216 added
7632 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 533256 bytes
0 active, 16384 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-BGP            125      0.0         2    51      0.0       6.5      14.7
UDP-other           18      0.0         1    28      0.0       0.0      15.5
ICMP                63      0.0         4    98      0.0       0.8      15.4
IP-other             3      0.0        65    79      0.0     599.3      11.2
Total:             209      0.0         3    76      0.1      12.7      15.0

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         34.34.34.4      Null          8.8.8.8         01 0000 0800     5
Fa0/0         34.34.34.4      Fa1/1*        1.1.1.1         01 0000 0800     5
Fa0/0         34.34.34.4      Fa1/1         1.1.1.1         01 0000 0800     5
Fa0/0         34.34.34.4      Null          224.0.0.5       59 0000 0000   178
Fa1/1         1.1.1.1         Fa0/0         34.34.34.4      01 0000 0000     5
Fa1/1         1.1.1.1         Fa0/0*        34.34.34.4      01 0000 0000     5
R3#sh ip access-lists
Standard IP access list 1
10 deny   8.8.8.8
20 permit any
Extended IP access list EIGHT
10 deny ip any host 8.8.8.8 (5 matches)
20 permit ip any any (19 matches)
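Reading the flow table by eye works for a handful of rows; the following added example (not from the original notes) parses the SrcIf/DstIf rows of show ip cache flow and separates genuine drops (DstIf Null) from traffic that simply terminates on the router. The sample rows are constructed from the outputs above, and the rule that 224.0.0.x multicast with a Null DstIf is locally consumed control-plane traffic (the OSPF hellos, protocol 0x59 = 89) is my assumption about what to exclude from the drop list.

```python
import re
from collections import namedtuple

# Constructed sample: flow rows copied from the 'show ip cache flow' outputs above.
SAMPLE_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         34.34.34.4      Null          8.8.8.8         01 0000 0800     5
Fa0/0         34.34.34.4      Fa1/1         1.1.1.1         01 0000 0800     5
Fa0/0         34.34.34.4      Null          224.0.0.5       59 0000 0000   178
Fa1/1         1.1.1.1         Fa0/0         34.34.34.4      01 0000 0000     5
Fa0/1         1.1.1.1         Local         100.100.100.100 01 0000 0800     5
"""

# One flow row: interfaces, IPv4 addresses, protocol (hex), ports (hex), packet count.
ROW = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                 r"([0-9a-fA-F]{2})\s+([0-9a-fA-F]{4})\s+([0-9a-fA-F]{4})\s+(\d+)$")

# Pr is the IP protocol number in hex (01 ICMP, 59 = 89 OSPF); for ICMP the DstP column
# packs type<<8 | code, so 0800 is an echo request and 0000 an echo reply.
Flow = namedtuple("Flow", "src_if src dst_if dst proto sport dport pkts")

def parse_flows(text):
    """Parse the flow rows of 'show ip cache flow', skipping headers, prompts and blanks."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        flows.append(Flow(m[1], m[2], m[3].rstrip("*"), m[4], int(m[5], 16),
                          int(m[6], 16), int(m[7], 16), int(m[8])))
    return flows

def classify(f):
    """A Null DstIf means the router did not forward the packets; tell the cases apart."""
    if f.dst_if == "Local":
        return "to-router"          # addressed to one of the router's own interfaces
    if f.dst_if != "Null":
        return "forwarded"
    if f.dst.startswith("224.0.0."):
        return "local-multicast"    # assumed: link-local multicast the router consumes (OSPF hellos here)
    return "dropped"                # ACL deny or no route: correlate with 'show ip access-lists'

def dropped_flows(text):
    """(src, dst, packets) for every flow that was discarded."""
    return [(f.src, f.dst, f.pkts) for f in parse_flows(text) if classify(f) == "dropped"]
```

Run against a live capture of the command output, the dropped list is what to compare with the ACL hit counters.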

Lab configuration used for the outputs above (R1, R2, R3):

en
conf t
host R1
int f0/0
ip add 12.12.12.1 255.255.255.0
no shut
int loop 0
ip add 1.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 12.12.12.2

en
conf t
host R2
int f0/0
ip add 12.12.12.2 255.255.255.0
no shut
int f1/0
ip add 23.23.23.2 255.255.255.0
no shut
int loop 0
ip add 2.2.2.2 255.255.255.0
ip route 1.1.1.1 255.255.255.255 12.12.12.1
ip route 3.3.3.3 255.255.255.255 23.23.23.3
ip route 100.100.100.100 255.255.255.255 23.23.23.3

en
conf t
host R3
int f0/1
ip add 23.23.23.3 255.255.255.0
ip flow ingress
no shut
int loop 0
ip add 3.3.3.3 255.255.255.0
interface Loopback100
ip address 100.100.100.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 23.23.23.2

Nexus Static vs Dynamic Pinning

“As these examples show, the choice of pinning mode depends to a large extent on the way that servers are connected to the access switches. For dual-homed servers, static pinning results in more deterministic oversubscription ratios. However, for single-homed servers, dynamic pinning provides increased availability.”

Tiso, John (2011-10-31). Designing Cisco Network Service Architectures (ARCH) Foundation Learning Guide: (CCDP ARCH 642-874) (3rd Edition) (Foundation Learning Guides) (Kindle Locations 5819-5821). Pearson Education. Kindle Edition.

Debug to see the solicited-node multicast address (the neighbor solicitation for 2001::1 is sent to FF02::1:FF00:1)

R1 = 2001::1/64

R2 = 2001::222:22FF:FE22:2222


R2#debug ipv6 icmp
  ICMP Packet debugging is on

R2#ping 2001::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::1, timeout is 2 seconds:

*Aug  8 16:57:43.463: ICMPv6: Sent echo request, Src=2001::222:22FF:FE22:2222, Dst=2001::1
*Aug  8 16:57:43.467: ICMPv6: Sent N-Solicit, Src=2001::222:22FF:FE22:2222, Dst=FF02::1:FF00:1
*Aug  8 16:57:43.539: ICMPv6: Received N-Advert, Src=2001::1, Dst=2001::222:22FF:FE22:2222
*Aug  8 16:57:43.611: ICMPv6: Checksum error.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/22/40 ms
R2#
*Aug  8 16:57:45.463: ICMPv6: Sent echo request, Src=2001::222:22FF:FE22:2222, Dst=2001::1
*Aug  8 16:57:45.507: ICMPv6: Received echo reply, Src=2001::1, Dst=2001::222:22FF:FE22:2222
*Aug  8 16:57:45.511: ICMPv6: Sent echo request, Src=2001::222:22FF:FE22:2222, Dst=2001::1
*Aug  8 16:57:45.527: ICMPv6: Received echo reply, Src=2001::1, Dst=2001::222:22FF:FE22:2222
*Aug  8 16:57:45.531: ICMPv6: Sent echo request, Src=2001::222:22FF:FE22:2222, Dst=2001::1
*Aug  8 16:57:45.547: ICMPv6: Received echo reply, Src=2001::1, Dst=2001::222:22FF:FE22:2222
*Aug  8 16:57:45.547: ICMPv6: Sent echo request, Src=2001::222:22FF:FE22:2222, Dst=2001::1
R2#
*Aug  8 16:57:45.563: ICMPv6: Received echo reply, Src=2001::1, Dst=2001::222:22FF:FE22:2222
R2#
*Aug  8 16:57:48.559: ICMPv6: Received N-Solicit, Src=FE80::211:11FF:FE11:1111, Dst=2001::222:22FF:FE22:2222
*Aug  8 16:57:48.567: ICMPv6: Sent N-Advert, Src=2001::222:22FF:FE22:2222, Dst=FE80::211:11FF:FE11:1111
R2#
*Aug  8 16:57:53.571: ICMPv6: Sent N-Solicit, Src=FE80::222:22FF:FE22:2222, Dst=FE80::211:11FF:FE11:1111
*Aug  8 16:57:53.595: ICMPv6: Received N-Advert, Src=FE80::211:11FF:FE11:1111, Dst=FE80::222:22FF:FE22:2222
R2#
*Aug  8 16:57:58.595: ICMPv6: Received N-Solicit, Src=FE80::211:11FF:FE11:1111, Dst=FE80::222:22FF:FE22:2222
*Aug  8 16:57:58.603: ICMPv6: Sent N-Advert, Src=FE80::222:22FF:FE22:2222, Dst=FE80::211:11FF:FE11:1111
R2#
*Aug  8 16:59:32.423: ICMPv6: Sent R-Advert, Src=FE80::222:22FF:FE22:2222, Dst=FF02::1
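To check the debug by hand, the following added example (not from the original notes) derives the solicited-node group from a unicast address exactly as RFC 4291 specifies (FF02::1:FF00:0/104 plus the target's low 24 bits), and derives a modified EUI-64 link-local address from a MAC. The MAC values are assumptions read back from the FE80:: addresses in the debug; the routers' real MACs are not on the page.

```python
import ipaddress

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def solicited_node(unicast):
    """Solicited-node multicast address for a unicast/anycast IPv6 address (RFC 4291):
    FF02::1:FF00:0/104 with the low-order 24 bits of the target appended."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24))

def is_solicited_node_for(mcast, unicast):
    """True if a Dst= seen in 'debug ipv6 icmp' is the solicited-node group for this target."""
    return ipaddress.IPv6Address(mcast) == ipaddress.IPv6Address(solicited_node(unicast))

def eui64_link_local(mac):
    """Modified EUI-64 link-local address from a MAC: flip the U/L bit, insert FF:FE in the middle."""
    b = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui))

if __name__ == "__main__":
    # Walkthrough of the debug above: R2 resolving 2001::1 sends its N-Solicit to FF02::1:FF00:1.
    print(solicited_node("2001::1"))                   # ff02::1:ff00:1
    print(solicited_node("2001::222:22FF:FE22:2222"))  # ff02::1:ff22:2222
    # Assumed MAC 0022.2222.2222 for R2, chosen to match its FE80::222:22FF:FE22:2222 in the debug.
    print(eui64_link_local("0022.2222.2222"))          # fe80::222:22ff:fe22:2222
```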

Bridge Assurance and Network Ports

Cisco NX-OS contains additional features to promote the stability of the network by protecting STP from bridging loops. Bridge assurance works in conjunction with Rapid-PVST BPDUs and is enabled globally by default in NX-OS. Bridge assurance causes the switch to send BPDUs every hello time period on all operational ports that carry a port type setting of “network”, including alternate and backup ports. If a port stops receiving BPDUs from its neighbor, it is moved into the blocking state. If the blocked port begins receiving BPDUs again, it is released from bridge assurance blocking and goes through the normal Rapid-PVST transitions. This bidirectional hello mechanism helps prevent looping conditions caused by unidirectional links or a malfunctioning switch.

Bridge assurance works in conjunction with the spanning-tree port type command. The default port type for all ports in the switch is “normal” for backward compatibility with devices that do not yet support bridge assurance; therefore, even though bridge assurance is enabled globally, it is not active by default on these ports. The port must be configured to a spanning tree port type of “network” for bridge assurance to function on that port. Both ends of a point-to-point Rapid-PVST connection must have the switches enabled for bridge assurance, and have the connecting ports set to type “network” for bridge assurance to function properly. This can be accomplished on two switches running NX-OS, with bridge assurance on by default, and ports configured as type “network” as shown below.

To verify that bridge assurance is enabled globally, use the following command:

dcb-n7k1# show running-config all | include assurance
spanning-tree bridge assurance

Port channel between two Nexus 7010s with ports set as type network:

interface port-channel99
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 128-133,151-153,161-167,180-183
  switchport trunk allowed vlan add 300-399,770-771
  spanning-tree port type network
  spanning-tree guard loop
  logging event port link-status
  description <link to n7k2>

Spanning tree bridge assurance as of this validation effort is only available in Cisco NX-OS. Integration of the Nexus 7000 aggregation layer with Cisco Catalyst 6500 and 4948 switches running Cisco IOS was accomplished by leaving the connecting ports set as their default spanning tree port type of “normal”, effectively not enabling bridge assurance on the ports.


http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/nx_7000_dc.html#wp873732

http://blog.ciscoinferno.net/bridge-assurance

https://supportforums.cisco.com/thread/2000819

Understanding EtherChannel Load Balancing and Redundancy on Catalyst Switches

The Catalyst 3750/3560 series switch can support up to eight compatibly configured Ethernet interfaces in an EtherChannel. The EtherChannel provides full-duplex bandwidth up to 800 Mbps (Fast EtherChannel) or 8 Gbps (Gigabit EtherChannel) between your switch and another switch or host. With Cisco IOS Software Release 12.2(20)SE and earlier, the number of EtherChannels has a limit of 12. With Cisco IOS Software Release 12.2(25)SE and later, the number of EtherChannels has a limit of 48.

EtherChannel balances the traffic load across the links in a channel through the reduction of part of the binary pattern that the addresses in the frame form to a numerical value that selects one of the links in the channel. EtherChannel load balancing can use MAC addresses or IP addresses, source or destination addresses, or both source and destination addresses. The mode applies to all EtherChannels that are configured on the switch. You configure the load balancing and forwarding method with use of the port-channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac} global configuration command.

You can find out which interface is used in the EtherChannel to forward traffic based on the load balancing method. The command for this determination is test etherchannel load-balance interface port-channel number {ip | mac} [source_ip_add | source_mac_add] [dest_ip_add | dest_mac_add].

Issue the show etherchannel load-balance command in order to check the frame distribution policy. You can determine which interface in the EtherChannel forwards traffic, with the frame distribution policy as a basis. Issue the remote login switch command to log in remotely to the Switch Processor (SP) console in order to make this determination. Then, issue the test etherchannel load-balance interface port-channel number {ip | l4port | mac} [source_ip_add | source_mac_add | source_l4_port] [dest_ip_add | dest_mac_add | dest_l4_port] command.

http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml#catalyst

These are some examples:

1. 6509#remote login switch
   Trying Switch ...
   Entering CONSOLE for Switch
   Type "^C^C^C" to end this session

   6509-sp#test etherchannel load-balance interface port-channel 1 ip 10.10.10.2 10.10.10.1
   Would select Gi6/1 of Po1
   6509-sp#

2. 6509#remote login switch
   Trying Switch ...
   Entering CONSOLE for Switch
   Type "^C^C^C" to end this session

   6509-sp#test etherchannel load-balance interface port-channel 1 mac 00d0.c0d7.2dd4 0002.fc26.2494
   Would select Gi6/1 of Po1
   6509-sp#