Datacenter troubleshooting guide - day 3

Sat, 03/08/2014 - 00:09
Nov 17th, 2010

“Datacenter troubleshooting guide” – a blog by Gilles Dufour.

Day 3 – Looking at DP info


Last week, we had a look at the command show np 1 access-list trace vlan.

This command is important for many reasons, so today we will look into it further.


But first, let's talk about the ACE design.

An ACE is composed of a Control Plane (CP) and a Data Plane (DP).

The CP is responsible for all the administration tasks: managing the configuration, sending probes, keeping statistics, and so on.

Routing, switching and load balancing are done by the data plane (DP).

Therefore, when you configure a new policy to load balance a new service, you enter the configuration at CP level. This configuration is processed by the ACL-MERGE function in the CP and is then pushed down to the DP.

When you do a 'show run' or a 'show service-policy', you look at information inside the CP.

But when you enter a command starting with show np, you look at information from the DP itself.


Most of the time, what you have configured at CP level is reflected at DP level.

But the acl-merge process can fail for some reason, and you then end up with different configurations in the CP and the DP.

This is why it is important to look at DP info: it is the DP, not the running configuration, that decides what happens to your traffic.


Going back to our command show np 1 access-list trace: this is a DP command.

It retrieves the actions that the DP will perform on your traffic.


Last week we saw the "vserver" action, which is the load balancing one.

But there are other possible actions.

For example, apply a connection parameter-map that changes the idle timeout to the class:


switch/Admin(config)# policy-map multi-match SLB
switch/Admin(config-pmap)# class VIP-122-80
switch/Admin(config-pmap-c)# connection advanced-options TIMEOUT-IDLE__10_CONN



switch/Admin# show np 1 access-list trace vlan  20 in pro 6 source 192.168.20.45 0 des 192.168.20.122 80

--------------

Context ID: 0

<… ignore first part …>

action node 0x449f040
Action Leaf-node
version+aceid 0x2f8 (version 0 ace_id 760 dirty no)
action_flag 0x2 (permit yes log no punt_to_cp no capture no bridge no)
path ID 0x0
src nat 0x0 dst nat 0x0 vserver 0x51 fixup 0x0
TCP conn 0x51 AAA 0x0 Websense 0x0 QOS Policer 0x0


A new action is now visible under "TCP conn".

The parameter-map with id 81 (0x51) will be associated with this traffic.


To find out more about that parameter-map, we won't use the show cfgmgr internal table command as we did before.

Instead, we will look at this object inside the DP itself, using the index 81 from the trace:



switch/Admin(config-pmap-c)# do show np 1 me-stats "-n 81"
Conn Policy Entry at Index: 81
-------------------------------
MSS Max: 1460  MSS Min: 0
FIN Timeout: 3600 secs  Rx Buf Share: 32768
Timewait: NONE  Nagle: Disabled
EmbryTO:   5 secs  Tx Buf Share: 32768
Rnd intial Seq: yes  Slow Strt Disabled: 1
Enque Limit: 36
SYN retry Cnt: 4  WS Factor: 0
Client Keep-Alive: 1  ACK Delay TO: 200 ms
SACK enable: 1  Timestamp enable: 1
Wind Scale Enable: 1  SYN Data Allow: 0
Server Reuse Enable: 0 Wan Opt RTT:   65535


IP Opt MIN Allow: 0  IP Opt MAX Allow: 0
IP Opt Min Clear: 0  IP Opt Max Clear: 0
IP Opt Min Deny: 0  IP Max Deny: 0
IP Opt Min Cnt: 0  IP Opt Max Cnt: 0
TCP Opt Min Clear: 1  TCP _opt Max Clear: 255
TCP Opt Min Deny: 0  TCP Opt Max Deny: 0
Norm TTL: 0  Norm TOS: 0
Norm Class: 0  Norm Hop: 0
IP Len Min: 0  IP Len Max: 0
IP Len Min Deny: 0  IP Len Max Deny: 0
Reserve Bits: 0  IP TS Action: 0 IP Rec RT Action: 0
IP Strict RT act: 0 IP Loose RT Action: 0
IP Security: 0  IP Stream: 0
IP Dont Frag: 0  Exceed MSS: 1
Chksum V: 1  TTL Ev Pr: 0
Urg: 0  Win Var: 0
TTL Norm val: 0  Class Norm Val: 0
Hop Norm Val: 0  Max Connections: 0
Inactivity TO: 4294967295 secs Unidirectional: 0
Reassemble TO: 60 secs
Conn Max: 4294967295


Let's see another action.

This time, we configure source NAT on the class:


switch/Admin(config-pmap-c)# nat dynamic 1 vlan 40


Let's check the DP actions once more after this configuration addition.


switch/Admin(config-pmap-c)# do show np 1 access-list trace vlan 20 in pro 6 source 192.168.20.45 0 des 192.168.20.122 80

--------------

Context ID: 0

<… ignore first part …>

action_flag 0x2 (permit yes log no punt_to_cp no capture no bridge no)

path ID 0x0

src nat 0x1a dst nat 0x0 vserver 0x51 fixup 0x0

TCP conn 0x51 AAA 0x0 Websense 0x0 QOS Policer 0x0

Syslog Info 0

Hitcount 0

Syslog info:



We can see that we have another action: src nat, with object id 0x1a (26).

We can check the cfgmgr internal table and verify that this object exists:
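Comparing two of these traces by eye is error-prone, so here is an added example (not part of the original post): a small Python parser for the "Action Leaf-node" section of show np 1 access-list trace output. It pulls out the action IDs, converts them from hex, lists the non-zero ones and diffs two captures, so that a configuration change that never reached the DP shows up as a missing action. The two embedded trace excerpts are copied from the outputs above; the function names and helper logic are this example's own.

```python
"""Parse the 'Action Leaf-node' section of Cisco ACE
'show np 1 access-list trace' output and list the DP actions it carries.

Added example (not part of the original blog post). The sample text below is
copied from the trace outputs shown on the page; the helper functions are
this script's own (hypothetical) code, not an ACE API.
"""
import re

# Fields on the action leaf-node that name a DP object by ID (0 = no action).
ACTION_FIELDS = ("src nat", "dst nat", "vserver", "fixup",
                 "TCP conn", "AAA", "Websense", "QOS Policer")

# Constructed input: the two trace excerpts from the page, before and after
# 'nat dynamic 1 vlan 40' was added to the class.
TRACE_BEFORE_NAT = """\
action node 0x449f040
Action Leaf-node
version+aceid 0x2f8 (version 0 ace_id 760 dirty no)
action_flag 0x2 (permit yes log no punt_to_cp no capture no bridge no)
path ID 0x0
src nat 0x0 dst nat 0x0 vserver 0x51 fixup 0x0
TCP conn 0x51 AAA 0x0 Websense 0x0 QOS Policer 0x0
"""

TRACE_AFTER_NAT = """\
action_flag 0x2 (permit yes log no punt_to_cp no capture no bridge no)
path ID 0x0
src nat 0x1a dst nat 0x0 vserver 0x51 fixup 0x0
TCP conn 0x51 AAA 0x0 Websense 0x0 QOS Policer 0x0
Syslog Info 0
Hitcount 0
"""


def parse_action_node(text):
    """Return {field: int} for the DP action IDs, plus action_flag booleans and ace_id."""
    node = {}
    for field in ACTION_FIELDS:
        m = re.search(r"\b%s (0x[0-9a-fA-F]+)" % re.escape(field), text)
        if m:
            node[field] = int(m.group(1), 16)   # IDs are printed in hex
    m = re.search(r"action_flag 0x[0-9a-fA-F]+ \(([^)]*)\)", text)
    if m:
        # "permit yes log no ..." -> {'permit': True, 'log': False, ...}
        toks = m.group(1).split()
        node["flags"] = {toks[i]: toks[i + 1] == "yes" for i in range(0, len(toks) - 1, 2)}
    m = re.search(r"ace_id (\d+)", text)
    if m:
        node["ace_id"] = int(m.group(1))
    return node


def active_actions(node):
    """Non-zero action IDs, i.e. the DP objects this traffic will be handed to."""
    return {f: node[f] for f in ACTION_FIELDS if node.get(f, 0) != 0}


def diff_actions(before, after):
    """Actions that appeared, disappeared or changed ID between two traces."""
    b, a = active_actions(before), active_actions(after)
    return {f: (b.get(f), a.get(f)) for f in ACTION_FIELDS if b.get(f) != a.get(f)}


if __name__ == "__main__":
    before = parse_action_node(TRACE_BEFORE_NAT)
    after = parse_action_node(TRACE_AFTER_NAT)
    print("actions before:", active_actions(before))
    print("actions after: ", active_actions(after))
    print("changed:       ", diff_actions(before, after))
```

Run it against captures taken before and after a policy change: if the running configuration shows the new feature but the diff shows no new action, the acl-merge step did not deliver it to the DP, which is exactly the CP/DP divergence this post is about.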


switch/Admin(config-pmap-c)# do sho cfgmgr internal table nat


Nat-Id  Ref Count  Ctx-Id  Flags
---------------------------------------------------------------------------
26      2          0      ADDED, UPDATED, DATA_VALID,



Not very useful by itself.

More interesting is to get the DP interface id of the NAT VLAN with the command:


switch/Admin(config-pmap-c)# do show np 1 interface iflookup
First burnt-in MAC: 00:30:f2:75:f3:f1
Last  burnt-in MAC: 00:30:f2:75:f3:f7
No of burnt-in MACs: 7
Hostid: 2
Shared vlan macs currently in use (offset from 2048): 0-7
Vlan-vmac indexes currently in use: 0-3
Flags:  Valid shared bridged ftstatus ssl-test normalization icmp-guard switch-mode ftvlan remove-eth-pad no-of-lifs


Vlan   ifid matchid ctxt primary vvind ftgrp ttl optact df ma_idx   Flags
----   ---- ------- ---- ------- ----- ----- --- ------ -- ------   -----
1      1    1       0    1       1     100   0   2      0  512      1101000000
10     2    2       0    10      0     100   0   2      0  512      1001000000
20     5    5       0    20      2     100   0   2      0  4608     1101010000
30     3    3       0    30      0     100   0   2      0  512      1011000000
40     6    6       0    40      3     100   0   2      0  12800    1101110000
60     9    9       0    60      0     100   0   2      0  8704     1001100000
77     13   13      0    77      0     100   0   2      0  512      1001000100
330    4    4       0    330     0     100   0   2      0  512      1011000000


With the interface id of vlan 40 (ifid 6) and the src nat action id 26 (0x1a), we can now check which NAT pool the DP is going to use:


switch/Admin(config-pmap-c)# do show np 1 nat src-nat 26 6


        ID:9 mapped_if:6 policy_id:26 ixp_hint:in IXP1 type:DYNAMIC nat_pool_id:
27
                ID:27 PAT:0 ixp_binding:in IXP1
                lower:172.16.40.1 upper:172.16.40.254 Bitmap-ID:70
                Level 1 Bitmap: 0x1
                Level 2 Bitmap:


We can verify that it matches the configuration of interface vlan 40:


interface vlan 40
  ip address 192.168.40.121 255.255.255.0
  alias 192.168.40.124 255.255.255.0
  peer ip address 192.168.40.123 255.255.255.0
  access-group input PERMIT-ANY
  nat-pool 1 172.16.40.1 172.16.40.254 netmask 255.255.255.0
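The three outputs above fit together into one CP-versus-DP check. As an added example (not part of the original post), the following Python script parses the iflookup table, the nat src-nat output and the interface stanza, and reports whether the DP NAT object is bound to the right interface, carries the policy id seen in the ACL trace, and uses the same address range as the nat-pool line in the running configuration. The sample text is copied from this page; the function names and the check logic are this example's own and are not an ACE feature.

```python
"""Cross-check the source-NAT pool that the ACE data plane (DP) will use
against the nat-pool in the running configuration (control plane, CP).

Added example, not part of the original blog post. The three text samples
are copied from the outputs on the page; the parsing helpers and the
check function are this script's own (hypothetical) code.
"""
import ipaddress
import re

# Constructed inputs, copied from the page (iflookup table trimmed to three rows).
IFLOOKUP = """\
Vlan   ifid matchid ctxt primary vvind ftgrp ttl optact df ma_idx   Flags
----   ---- ------- ---- ------- ----- ----- --- ------ -- ------   -----
1      1    1       0    1       1     100   0   2      0  512      1101000000
20     5    5       0    20      2     100   0   2      0  4608     1101010000
40     6    6       0    40      3     100   0   2      0  12800    1101110000
"""

SRC_NAT = """\
        ID:9 mapped_if:6 policy_id:26 ixp_hint:in IXP1 type:DYNAMIC nat_pool_id:
27
                ID:27 PAT:0 ixp_binding:in IXP1
                lower:172.16.40.1 upper:172.16.40.254 Bitmap-ID:70
"""

RUNNING_CONFIG = """\
interface vlan 40
  ip address 192.168.40.121 255.255.255.0
  alias 192.168.40.124 255.255.255.0
  nat-pool 1 172.16.40.1 172.16.40.254 netmask 255.255.255.0
"""


def vlan_to_ifid(iflookup):
    """Map VLAN number -> DP interface id from 'show np 1 interface iflookup'."""
    ids = {}
    for line in iflookup.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[0].isdigit() and cols[1].isdigit():
            ids[int(cols[0])] = int(cols[1])
    return ids


def parse_src_nat(text):
    """Pull mapped_if, policy_id, type, PAT and pool bounds out of 'show np 1 nat src-nat'."""
    flat = re.sub(r"\s+", " ", text)   # the CLI wraps nat_pool_id onto the next line
    out = {}
    for key in ("mapped_if", "policy_id", "nat_pool_id"):
        m = re.search(r"%s:\s*(\d+)" % key, flat)
        if m:
            out[key] = int(m.group(1))
    out["type"] = re.search(r"type:(\w+)", flat).group(1)
    out["pat"] = re.search(r"PAT:(\d)", flat).group(1) == "1"
    m = re.search(r"lower:(\S+) upper:(\S+)", flat)
    out["lower"] = ipaddress.ip_address(m.group(1))
    out["upper"] = ipaddress.ip_address(m.group(2))
    return out


def parse_nat_pools(config):
    """{(vlan, pool_id): (lower, upper)} from 'interface vlan N' / 'nat-pool ...' stanzas."""
    pools, vlan = {}, None
    for line in config.splitlines():
        m = re.match(r"interface vlan (\d+)", line)
        if m:
            vlan = int(m.group(1))
            continue
        m = re.match(r"\s+nat-pool (\d+) (\S+) (\S+)", line)
        if m and vlan is not None:
            pools[(vlan, int(m.group(1)))] = (ipaddress.ip_address(m.group(2)),
                                               ipaddress.ip_address(m.group(3)))
    return pools


def check_src_nat(iflookup, src_nat_out, config, vlan, pool_id, policy_id):
    """Return (ok, findings): does the DP NAT object match what the CP config says?"""
    dp = parse_src_nat(src_nat_out)
    findings = []
    ifid = vlan_to_ifid(iflookup).get(vlan)
    if ifid is None:
        findings.append("vlan %d has no DP interface id" % vlan)
    elif dp.get("mapped_if") != ifid:
        findings.append("DP mapped_if %s != ifid %d of vlan %d" % (dp.get("mapped_if"), ifid, vlan))
    if dp.get("policy_id") != policy_id:
        findings.append("DP policy_id %s != src nat action %d from the ACL trace"
                        % (dp.get("policy_id"), policy_id))
    cp = parse_nat_pools(config).get((vlan, pool_id))
    if cp is None:
        findings.append("no 'nat-pool %d' under interface vlan %d in the CP config" % (pool_id, vlan))
    elif (dp["lower"], dp["upper"]) != cp:
        findings.append("DP pool %s-%s != CP pool %s-%s" % (dp["lower"], dp["upper"], cp[0], cp[1]))
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_src_nat(IFLOOKUP, SRC_NAT, RUNNING_CONFIG,
                                 vlan=40, pool_id=1, policy_id=26)
    print("CP and DP agree" if ok else "MISMATCH: " + "; ".join(findings))
```

The policy id passed in is the src nat value from the ACL trace (0x1a = 26) and the interface id comes from iflookup rather than from the VLAN number, because that is the key the DP uses; a pool that exists in show run but is bound to a different ifid, or has a different range, is the kind of silent divergence the DP commands expose.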



Next week, we will look into our first layer 7 rule and how to troubleshoot common issues.


Gilles Dufour
