Troubleshooting Lab
Rama Darbha, Solutions Architect, CCIE #28006
Michael Robertson, Network Engineer, CCIE #33990
LTRARC-2003
Agenda
• IOS-XE platform functionality
  • Components
  • Interaction with features
• Troubleshooting tools specific to IOS-XE
  • Resource monitoring
  • Embedded packet capture
  • Packet tracing
• Feature specific tools
  • Feature specific configuration
  • Conditional debugging
  • Firewall sessions and drops
  • Monitoring traffic using Flexible Netflow
Troubleshooting: What does it mean?
Thank you for joining Company Corporation
• We’re a new organization trying to build and sell widgets
• The widget industry has intense competition, so we hire only the best
• You’re our newest network engineer
• We’re growing so quickly that we needed you to help out with the increasing demands of network functionality and uptime
IOS-XE Overview
See Appendix for detailed diagrams
IOS-XE Overview
• Multi-core CPUs
• Symmetric multiprocessing (SMP)
• Each process uses a different core
• IOS runs as a daemon (IOSd) which utilizes multi-core infrastructure
• Platform Abstraction
• Platform Independent (PI) focused IOS process
• Platform Dependent (PD) code/drivers abstracted from core IOS process
[Figure: IOS-XE platform diagram showing the ESP (QFP, FECP, Crypto Assist), the SIP (SPA, IOCP, aggregation) and the interconnect GE switch, with the QFP feature chain: Netflow, NAT, Input ACL, NBAR Classify, IP Unicast, IP Multicast, MQC Classify, MQC Policing, MAC Accounting, IOS Firewall, PBR, Packet For Us, Output ACL, Crypto]
[Figure: lab topology. Addresses shown: Flag Server 172.16.1.200, Web Server 10.1.X.100, Laptop 192.168.1.Y, and router-side addresses 172.16.1.X, 10.1.X.1 and 192.168.255.X]
Day 1 – Overview
• It’s your first day on the job
• We’re a company that only runs IOS-XE
• We were told that it’s better than IOS!
• Your boss tells you to review the health of the routers in your network
• Check them for:
• CPU
• Memory
• Resource allocation
Resource Management
Resource Monitoring Commands
• Initial troubleshooting should be executed using fundamental resource monitoring commands
Platform Outputs IOS Outputs
show platform resources
• Bonus activity:
• Understand the scope of each command
• Identify the processes that utilize the most memory and CPU
• Trace the PIDs that launched IOSd
[Figure: Total Memory]
Resource Monitoring – Process Memory IOS
• Memory utilization by processes within IOS
• The company is rolling out a new external facing web server to sell widgets
• Application team has built the server and verified it’s up
• Boss needs you to verify that traffic to the web server is properly working
Embedded Packet Capture
Embedded Packet Capture (EPC)
• Captures are performed on the router as packets are received and transmitted
• Tool for verifying connectivity at network layer
• Bonus:
• Look at packet contents to validate:
• TCP flags
• TCP Data
• HTTP headers
• HTTP content
• Set up captures to only capture header data
• Step 4: Test traffic
• Step 5: Check packets in capture buffer
CSR# show monitor capture CAPOUT buffer
buffer size (KB) : 10240
buffer used (KB) : 128
packets in buf : 59
packets dropped : 0
packets per sec : 14
[Figure: TCP/HTTP exchange ladder between laptop and web server: TCP ACK, HTTP GET, TCP ACK, HTTP Data 1, TCP ACK, HTTP 200 OK, TCP ACK, TCP FIN, TCP FIN, TCP ACK]
EPC Packet Header
• Summary of all packets
CSR#show monitor capture CAPOUT buffer brief
-------------------------------------------------------------
# size timestamp source destination protocol
-------------------------------------------------------------
0 74 0.000000 192.168.1.X -> 10.1.X.100 TCP
1 74 0.000000 10.1.X.100 -> 192.168.1.X TCP
2 66 0.000991 192.168.1.X -> 10.1.X.100 TCP
3 241 0.000991 192.168.1.X -> 10.1.X.100 TCP
4 66 0.001999 10.1.X.100 -> 192.168.1.X TCP
5 1514 0.003997 10.1.X.100 -> 192.168.1.X TCP
6 1097 0.003997 10.1.X.100 -> 192.168.1.X TCP
7 66 0.003997 10.1.X.100 -> 192.168.1.X TCP
8 66 0.003997 192.168.1.X -> 10.1.X.100 TCP
9 66 0.119033 192.168.1.X -> 10.1.X.100 TCP
10 66 0.119033 192.168.1.X -> 10.1.X.100 TCP
11 66 0.205043 10.1.X.100 -> 192.168.1.X TCP
12 66 0.210032 10.1.X.100 -> 192.168.1.X TCP
13 66 0.216028 192.168.1.X -> 10.1.X.100 TCP
• Look at packet size to assume importance (ie. the larger packets carry the HTTP GET and response data)
• Packets under 80 bytes are normally just signaling (ie. ACK, FIN, RST)
EPC Packet Data Full
• Full dump of packet
• ASCII output from packet
CSR# show monitor capture CAPOUT buffer dump
0
0000: FA163E3B 994CFA16 3E3F93C6 08004500 ..>;.L..>?....E.
0010: 003C1DCC 40004006 61B3AC10 01C80A01 .<..@.@.a.......
0020: 0364AEC3 0050CBBD 48D00000 0000A002 .d...P..H.......
0030: 3908E9BA 00000204 05B40402 080A5142 9.............QB
0040: 551C0000 00000103 0307 U.........
1
0000: FA163E3F 93C6FA16 3E3B994C 08004500 ..>?....>;.L..E.
0010: 003C0000 40003F06 807F0A01 0364AC10 .<..@.?......d..
0020: 01C80050 AEC3BF8F 96E8CBBD 48D1A012 ...P........H...
0030: 3890A290 00000204 05B40402 080A082C 8..............,
0040: E8EC5142 551C0103 0307 ..QBU.....
2
0000: FA163E3B 994CFA16 3E3F93C6 08004500 ..>;.L..>?....E.
0010: 00341DCD 40004006 61BAAC10 01C80A01 .4..@.@.a.......
0020: 0364AEC3 0050CBBD 48D1BF8F 96E98010 .d...P..H.......
0030: 00730976 00000101 080A5142 5520082C .s.v......QBU .,
0040: E8EC ..
3
0000: FA163E8A ADE0FA16 3ED62901 08004500 ..>.....>.)...E.
0010: 016F0218 40007F06 2946C0A8 011E0A01 .o..@...)F......
0020: 0364D914 00503902 EF53C605 06065018 .d...P9..S....P.
0030: 0100F309 00004745 54202F20 48545450 ......GET / HTTP
0040: 2F312E31 0D0A486F 73743A20 31302E31 /1.1..Host: 10.1
0050: 2EXX2E31 30300D0A 55736572 2D416765 .X.100..User-Age
0060: 6E743A20 4D6F7A69 6C6C612F 352E3020 nt: Mozilla/5.0
0070: 2857696E 646F7773 204E5420 362E313B (Windows NT 6.1;
0080: 20574F57 36343B20 72763A33 372E3029 WOW64; rv:37.0)
0090: 20476563 6B6F2F32 30313030 31303120 Gecko/20100101
00A0: 46697265 666F782F 33372E30 0D0A4163 Firefox/37.0..Ac
00B0: 63657074 3A207465 78742F68 746D6C2C cept: text/html,
[Figure: QFP feature chain that a packet moves through: Netflow, NBAR Classify, MQC Classify, MQC Policing, IP Unicast, IP Multicast, MAC Accounting, NAT, Packet For Us, IOS Firewall, PBR, Output ACL]
• Packet tracing prints each module/process that the packet moves through
Packet Tracing Overview
• Two forms of packet tracing
1. Initial Packet Diagnostics
2. Feature Invocation Array (FIA) Tracing
• Initial Packet Diagnostics
• Verify packets are traced and passed
• FIA Tracing
• Perform detailed step by step analysis
• Understand every process that is touching the packet
• Isolate process that could potentially cause issue
Packet Tracing Locations
• Identify direction of initial packet
• Select receiving interface to apply packet trace
• (Optional) Step 10: Clear all conditional matching and packet trace
CSR# clear platform condition all
Day 2 – Task 2 Objectives
• Use packet tracing to validate that all packets are properly forwarded
1. Create ACL to match traffic
2. Bind ACL and interface to conditional matching
3. Enable packet tracing functionality
4. Copy packets by selecting correct:
• Starting header point
• Total size of packet
5. Enable FIA-trace by selecting correct:
• Total number of packets captured
• Total size of packets captured
6. Send test traffic
7. View packet tracer statistics
8. View FIA trace of packet
Time limit: 20 minutes
Packet Tracing – Initial Diagnostic Analysis
• Step 1: Identify traffic to be packet traced using ACL
• Ensure bidirectional communication
• ACL is created to match traffic (EPC ACL can be reused)
CSR(config)# ip access-list extended PACKET_TRACE
CSR(config-ext-nacl)#10 permit ip host 192.168.1.X host 10.1.X.100
CSR(config-ext-nacl)#20 permit ip host 10.1.X.100 host 192.168.1.X
Conditions                                   Direction
---------------------------------------------|---------
GigabitEthernet1 & IPV4 ACL [PACKET_TRACE]   both
...
IOS-XE Packet Tracing Configs
• Packet tracing commands:
debug platform packet-trace enable
• FIA-trace commands:
debug platform packet-trace packet 16 fia-trace data-size 2048
debug platform packet-trace copy packet both size 2048 L2
Packet Tracing – Tracing the packets
• Step 7: Packet has been matched and traced
CSR# show platform packet-trace statistics
Packets Summary
  Matched  59
  Traced   16
Packets Received
  Ingress  59
  Inject   0
Packets Processed
  Forward  59
  Punt     0
  Drop     0
...
• Matched: packet matches the conditional criteria
• Traced: validate that packets are traced in addition to being matched
• Ingress: packet is received
• Forward: packet is forwarded
Packet Copy In
fa163ef3 b8cafa16 3e9ef62e 08004500 003c7e50 40004006 0389ac10 01c80a01
010ac9d7 00505223 dac10000 0000a002 39087cb3 00000204 05b40402 080a3dc3
a4910000 00000103 0307
Packet Copy Out
fa163eeb f48dfa16 3e590373 08004500 003c7e50 40003f06 0489ac10 01c80a01
010ac9d7 00505223 dac10000 0000a002 39087cb3 00000204 05b40402 080a3dc3
a4910000 00000103 0307
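As an added example, not part of the lab guide, here is a short Python decoder for the Packet Copy In / Packet Copy Out hex shown above. It parses the Ethernet, IPv4 and TCP headers, verifies the IPv4 header checksum and reports which fields changed between the ingress and egress copies, which is the check you want when confirming a traced packet was really forwarded (L2 rewrite, TTL decrement, checksum update) rather than altered by a feature. The function and field names are my own.

```python
import struct

# Packet Copy In / Packet Copy Out hex from the "show platform packet-trace" output above
# (the TCP SYN traced on Day 2), re-used here as sample input.
COPY_IN = """
fa163ef3 b8cafa16 3e9ef62e 08004500 003c7e50 40004006 0389ac10 01c80a01
010ac9d7 00505223 dac10000 0000a002 39087cb3 00000204 05b40402 080a3dc3
a4910000 00000103 0307
"""
COPY_OUT = """
fa163eeb f48dfa16 3e590373 08004500 003c7e50 40003f06 0489ac10 01c80a01
010ac9d7 00505223 dac10000 0000a002 39087cb3 00000204 05b40402 080a3dc3
a4910000 00000103 0307
"""

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5 of the flags field


def ip_checksum(header):
    """One's-complement sum over the IPv4 header (RFC 791); 0 means the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac(b):
    return ":".join("%02x" % x for x in b)


def decode_frame(hexdump):
    """Decode Ethernet II + IPv4 (+ TCP) from the whitespace-separated hex of one packet copy."""
    raw = bytes.fromhex("".join(hexdump.split()))
    eth_type = struct.unpack("!H", raw[12:14])[0]
    if eth_type != 0x0800:
        raise ValueError("only IPv4 frames are decoded here (ethertype 0x%04x)" % eth_type)
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    info = {
        "frame_len": len(raw),
        "eth_dst": mac(raw[0:6]), "eth_src": mac(raw[6:12]),
        "ip_total_len": struct.unpack("!H", ip[2:4])[0],
        "ip_ttl": ip[8], "ip_proto": ip[9],
        "ip_checksum": "0x%04x" % struct.unpack("!H", ip[10:12])[0],
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "ip_src": ".".join(map(str, ip[12:16])), "ip_dst": ".".join(map(str, ip[16:20])),
    }
    if info["ip_proto"] == 6:
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", ip[ihl:ihl + 16])
        info.update({
            "tcp_sport": sport, "tcp_dport": dport, "tcp_seq": seq, "tcp_ack": ack,
            "tcp_flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)],
            "tcp_window": window,
        })
    return info


def diff_copies(copy_in, copy_out):
    """Fields that changed between the ingress and egress copies of one traced packet."""
    a, b = decode_frame(copy_in), decode_frame(copy_out)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    # A plainly forwarded packet changes only the L2 addresses, the TTL and the IPv4
    # checksum; any other difference comes from a feature such as NAT acting on it.
    for field, (before, after) in diff_copies(COPY_IN, COPY_OUT).items():
        print("%-12s %s -> %s" % (field, before, after))
```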
Zero Impact Troubleshooting
• Remove all configurations
• EPC
CSR# no monitor capture CAPOUT
CSR# no monitor capture CAPIN
• Packet Tracing
CSR# clear platform condition all
• Capture ACL
CSR(config)# no ip access-list extended CAPTURE_ACL
CSR(config)# no ip access-list extended PACKET_TRACE
Day 2 – Summary
• Your boss is satisfied!
• Go home and have a beer and relax knowing you did a great job!
• Summary of activities
• Embedded Packet Capture (EPC)
• Capture packet headers and packet data
• Traffic is captured on interface
• Packet tracing with FIA-trace
• Feature specific tracing of packets
• Features build on each other
End of Day 2
Day 3 – Task 1 Troubleshooting
• You come in on your third day of work, feeling good about yesterday’s validation and verification
• Waiting for you at your desk is your boss: something happened in the middle of the night and traffic to the webserver is no longer working!
• You tell your boss, “No worry chief! I got this covered.”
CSR# show monitor capture CAPIN buffer
buffer size (KB) : 10240
buffer used (KB) : 0
packets in buf : 0
packets dropped : 0
packets per sec : 0
Pod1#show monitor capture CAPIN buffer brief
-------------------------------------------------------------
# size timestamp source destination protocol
-------------------------------------------------------------
Packet Trace - Configuration
• Step 1: Set up ACL to capture traffic
CSR(config)# ip access-list extended PACKET_TRACE
CSR(config-ext-nacl)#10 permit tcp host 192.168.1.X host 10.1.X.100 eq 80
CSR(config-ext-nacl)#20 permit tcp host 10.1.X.100 eq 80 host 192.168.1.X
Packet Tracing – Process tracing
• Enable FIA tracing without doing diagnostics
...
Packet Copy In
fa163ef3 b8cafa16 3e9ef62e 08004500 003c1836 40004006 69a3ac10 01c80a01
010aca5c 005088f7 1f650000 0000a002 3908972f 00000204 05b40402 080a4489
07530000 00000103 0307
Packet Copy Out
fa163ef3 b8cafa16 3e9ef62e 08004500 003c1836 40003f06 6aa3ac10 01c80a01
010aca5c 005088f7 1f650000 0000a002 3908972f 00000204 05b40402 080a4489
07530000 00000103 0307
Packet Tracing
• uRPF is set up to drop traffic
interface GigabitEthernet1
 ip address 172.16.1.X 255.255.255.0
 no ip proxy-arp
 ip verify unicast source reachable-via rx allow-default 100
 ip policy route-map REQUIRED_APPLICATIONS
 ip access-group INTERNET_BLACKLIST in
• uRPF is enabled in strict mode (reachable-via rx)
• Celebrating, you go out for a well-deserved lunch, but when you come back the website is down again!
• You tell your boss, “don’t worry captain, I’m on it!”
CSR# show monitor capture CAPIN buffer
buffer size (KB) : 10240
buffer used (KB) : 0
packets in buf : 0
packets dropped : 0
packets per sec : 0
Pod1#show monitor capture CAPIN buffer brief
-------------------------------------------------------------
# size timestamp source destination protocol
-------------------------------------------------------------
Packet Trace – Configuration
• Step 1: Set up ACL to capture traffic
CSR(config)# ip access-list extended PACKET_TRACE
CSR(config-ext-nacl)#10 permit tcp host 192.168.1.X host 10.1.X.100 eq 80
CSR(config-ext-nacl)#20 permit tcp host 10.1.X.100 eq 80 host 192.168.1.X
Packet Tracing – Process tracing
• Enable FIA tracing directly
• We’re confident enough in our troubleshooting ability to go directly to FIA tracing
...
Packet Copy In
fa163ef3 b8cafa16 3e9ef62e 08004500 003c0012 40004006 81c7ac10 01c80a01
010acc0f 00506924 73b90000 0000a002 3908f47c 00000204 05b40402 080a44af
73ab0000 00000103 0307
Packet Copy Out
fa163e5c 0db9fa16 3ef3b8ca 08004500 003c0012 40003f06 82c7ac10 01c80a01
010acc0f 00506924 73b90000 0000a002 3908f47c 00000204 05b40402 080a44af
73ab0000 00000103 0307
Packet Tracing
interface GigabitEthernet1
 ip address 172.16.1.X 255.255.255.0
 no ip proxy-arp
 ip verify unicast source reachable-via rx allow-default 100
 ip policy route-map REQUIRED_APPLICATIONS
 ip access-group INTERNET_BLACKLIST in
route-map REQUIRED_APPLICATIONS permit 25
 match ip address 99
 set ip next-hop 172.16.1.203
!
access-list 99 permit host 172.16.1.200
access-list 99 permit 192.168.1.0 0.0.0.255
• PBR is configured to send traffic to a different next hop
• The match condition for PBR (access-list 99) is incorrectly configured
• Packet Tracing
CSR# clear platform condition all
• Capture ACL
CSR(config)# no ip access-list extended CAPTURE_ACL
CSR(config)# no ip access-list extended PACKET_TRACE
• Now that the network is stable, the boss wants a firewall implemented to protect the webserver
• A contractor was paid to deploy it this morning
• When you come in, you have some work waiting for you
• You need to validate the firewall configuration implemented by the contractor
Firewall Configuration and
Session Monitoring
Firewall Configuration Validation
• Step 1: Validate firewall only configuration
CSR# show tech-support firewall
• Use this command to initialize the output (clears the counters after displaying them):
CSR# show platform hardware qfp active statistics drop clear
• View packets dropped by firewall feature
CSR# show platform hardware qfp active feature firewall drop
• Includes zero drop counters:
CSR# show platform hardware qfp active feature firewall drop all
Day 4 – Task 1 Objectives
• Use the commands provided in the previous slides to validate the firewall configuration
• Examine the sessions on the device to ensure traffic is flowing properly
• Bonus:
• Look at detailed connection logs to examine:
• Egress/Ingress interfaces
• Connection up time
• All the output is blank indicating the firewall isn’t dropping anything
• This is a good thing in this scenario
Day 4 – Overview continued
• Your manager wants you to provide more detailed information proving that the traffic is being mapped to the correct zone security policy
CSR# debug platform condition interface GigabitEthernet X ipv4 access-list PACKET_TRACE both
CSR# debug platform condition start
CSR# debug platform packet-trace enable
• Bonus:
• Use the Lab Guide to try to understand the relevant messages
• Use Lab Guide to track connection build states
04/15 19:13:19.311 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000056710241763425 :FW_DEBUG_FLG_POLICY:[172.16.1.200] 44419 => [10.1.1.100] 80 6 (0): Check SYN flood limit. limit_n_cnt: ffffffff00000000 limit ffffffff curr_cnt 0
04/15 19:13:19.311 [cpp-dp-fw]: (verbose): QFP:0.0 Thread:000 TS:00000056710241768271 :FW_DEBUG_L4:[172.16.1.200] 44419 => [10.1.1.100] 80 6 (0): FW: Classify 172.16.1.200:44419 => 10.1.1.100:80 6 zone pair OUTSIDE->INSIDE_ZP
04/15 19:13:19.311 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000056710241820789 :FW_DEBUG_EVENT:[172.16.1.200] 44419 => [10.1.1.100] 80 6 (0): Classify Actions: Action Inspect (8) Protocol http (12) Match_index 4
04/15 19:13:19.312 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000056710241824855 :FW_DEBUG_EVENT:[172.16.1.200] 44419 => [10.1.1.100] 80 6 (0): Classify Action: Rule[7361776.10422817.1] ACE(10)
04/15 19:13:19.312 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000056710241914895 :FW_DEBUG_L4:[172.16.1.200] 44419 => [10.1.1.100] 80 6 (0): Session ID:0x00000005, TCP: detect SYN. state was LISTEN -> SYNSENT seq# 2171264973 ack# 0 window 14600 zone-pair name OUTSIDE->INSIDE_ZP
04/15 19:13:19.312 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000056710241918324 :FW_DEBUG_L4:[172.16.1.200] 44419 => [10.1.1.100] 80 6 (0): Session ID:0x00000005, TCP: start SYNWAIT timer - 30000 msec
04/15 19:13:19.312 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000056710243938614 :FW_DEBUG_L4:[10.1.1.100] 80 => [172.16.1.200] 44419 6 (0): Session ID:0x00000005, TCP: state was SYNSEND -> SYNRCVD seq# 2663126407 ack# 2171264974 window 14480 zone-pair name OUTSIDE->INSIDE_ZP
04/15 19:13:19.314 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000056710245500749 :FW_DEBUG_L4:[172.16.1.200] 44419 => [10.1.1.100] 80 6 (0): Session ID:0x00000005, TCP: state was SYNRCVD -> ESTAB seq# 2171264974 ack# 2663126408 window 115 zone-pair name OUTSIDE->INSIDE_ZP
04/15 19:13:19.314 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000056710245507922 :FW_DEBUG_L4:[172.16.1.200] 44419 => [10.1.1.100] 80 6 (0): Session ID:0x00000005, TCP: start TCP idle timer - 3600000 msec
Day 4 – Summary
• Your boss is happy and lets you go home, knowing that the FW is working properly
• Summary of Activities
• Firewall feature specific command outputs
• Outputs to validate firewall sessions
• Monitor drops caused by firewall feature
• Conditional debugging
End of Day 4
Day 5 – Troubleshooting 1
• You come in the next day and, what would you know, looks like traffic is broken again!
• Use the troubleshooting tools we’ve learned so far to validate the behaviour
• EPC
• Packet tracing
• Firewall session and drops
• Conditional debugging
CSR# show monitor capture CAPIN buffer
buffer size (KB) : 10240
buffer used (KB) : 256
packets in buf : 2
packets dropped : 0
packets per sec : 0
CSR# show monitor capture CAPIN buffer brief
-------------------------------------------------------------
# size timestamp source destination protocol
-------------------------------------------------------------
0 74 0.000000 192.168.1.X -> 10.1.1.100 TCP
1 74 0.003997 10.1.X.100 -> 192.168.1.X TCP
Firewall - Packet Tracing
• Step 1: Set up ACL to capture traffic
CSR(config)# ip access-list extended PACKET_TRACE
CSR(config-ext-nacl)#10 permit tcp host 192.168.1.X host 10.1.X.100 eq 80
CSR(config-ext-nacl)#20 permit tcp host 10.1.X.100 eq 80 host 192.168.1.X
Firewall – Process Tracing
• Enable FIA tracing without doing diagnostics
• Step 2: Drop counters indicate that packets are being dropped due to:
• Firewall
• Invalid TCP initiator
CSR# show platform hardware qfp active statistics drop
-------------------------------------------------------------------------
Global Drop Stats Packets Octets
-------------------------------------------------------------------------
FirewallL4 6 444
pair OUTSIDE->INSIDE_ZP
04/15 19:58:36.030 [cpp-dp]: (verbose): QFP:0.0 Thread:000 TS:00000059426962024531
###################################################################################################
04/15 19:58:36.030 [cpp-dp]: (verbose): QFP:0.0 Thread:000 TS:00000059426962026797 CCE IPV4 UIDB_INFO W0:ea0cd910, W1:20000000, tcam_region_index:d910, key_index:00, cmd:00000000
04/15 19:58:36.030 [cpp-dp]: (verbose): QFP:0.0 Thread:000 TS:00000059426962053461 cce_sw_tcam_top:: root:0xea0cd910 top:0xea0cd934 pType:0000000000
04/15 19:58:36.030 [cpp-dp]: (verbose): QFP:0.0 Thread:000 TS:00000059426962057167 cce_sw_tcam_dump_key:: 0xac1001c8 :0x06002fff :0x0050ad8d :0x0a010164 :0xd9100001
04/15 19:58:36.030 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000059426962066407 :FW_DEBUG_EVENT:[172.16.1.200] 44429 => [10.1.1.100] 80 6 (0): Classify Actions: Action Unknown Classify Action (82) Protocol unknown_proto (0) Match_index 0
04/15 19:58:36.030 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000059426962072141 :FW_DEBUG_EVENT:[172.16.1.200] 44429 => [10.1.1.100] 80 6 (0): Classify Action: Rule[7361776.2547953.1] ACE(10)
04/15 19:58:36.030 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000059426962078964 :FW_DEBUG_L4 FW_DEBUG_FLG_POLICY :[172.16.1.200] 44429 => [10.1.1.100] 80 6 (0): Policy Action Pass: Class CUSTOM_APPLICATIONS zone pair OUTSIDE->INSIDE_ZP
04/15 19:58:36.032 [cpp-dp-fw]: (verbose): QFP:0.0 Thread:000 TS:00000059426962085371 :FW_DEBUG_EVENT:[172.16.1.200] 44429 => [10.1.1.100] 80 6 (0): fw_invoke passed packet
04/15 19:58:36.032 [cpp-dp-fw]: (verbose): QFP:0.0 Thread:000 TS:00000059426964090102 :FW_DEBUG_EVENT:[10.1.1.100] 80 => [172.16.1.200] 44429 6 (0): insp pkt: in GigabitEthernet2 out GigabitEthernet1 pkt_sb_flags 0x80000000 pkt_sb_flags2 0x0 izone 2 ozone 1 vrf is not enabled. nvi is not enabled.
04/15 19:58:36.032 [cpp-dp-fw]: (verbose): QFP:0.0 Thread:000 TS:00000059426964099949 :FW_DEBUG_EVENT:[10.1.1.100] 80 => [172.16.1.200] 44429 6 (0): fw_ntuple: key1-ipaddr1 10.1.1.100 key1-ipaddr2 172.16.1.200 proto 6 key-flags 0 key2-port1 80 key2-port2 44429 ip6addr1 - :: ip6addr2 - :: ip6port1 - 80 ip6port2 - 44429
Firewall Debugs
• Response packet debugs
04/15 19:58:36.032 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000059426964107459 :FW_DEBUG_L4:[10.1.1.100] 80 => [172.16.1.200] 44429 6 (0): Session miss:- SI packet
04/15 19:58:36.032 [cpp-dp-fw]: (verbose): QFP:0.0 Thread:000 TS:00000059426964111819 :FW_DEBUG_L4:[10.1.1.100] 80 => [172.16.1.200] 44429 6 (0): FW: Classify 10.1.1.100:80 => 172.16.1.200:44429 6 zone pair INSIDE->OUTSIDE_ZP
04/15 19:58:36.032 [cpp-dp]: (verbose): QFP:0.0 Thread:000 TS:00000059426964116522
###################################################################################################
04/15 19:58:36.032 [cpp-dp]: (verbose): QFP:0.0 Thread:000 TS:00000059426964117685 CCE IPV4 PKT (src:10.1.1.100,dst:172.16.1.200,sprt:0050,dprt:ad8d,prot:06,tos:00,len:0014,ttl:3f), intf:3fe
04/15 19:58:36.032 [cpp-dp]: (verbose): QFP:0.0 Thread:000 TS:00000059426964120769
###################################################################################################
04/15 19:58:36.032 [cpp-dp]: (verbose): QFP:0.0 Thread:000 TS:00000059426964121889 CCE IPV4 UIDB_INFO W0:ea0bea80, W1:20000000, tcam_region_index:ea80, key_index:00, cmd:00000000
04/15 19:58:36.032 [cpp-dp]: (verbose): QFP:0.0 Thread:000 TS:00000059426964125369 cce_sw_tcam_top:: root:0xea0bea80 top:0xea0beaa4 pType:0000000000
04/15 19:58:36.032 [cpp-dp]: (verbose): QFP:0.0 Thread:000 TS:00000059426964127925 cce_sw_tcam_dump_key:: 0x0a010164 :0x06012fff :0xad8d0050 :0xac1001c8 :0xea800001
04/15 19:58:36.032 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000059426964194635 :FW_DEBUG_ALG_INSPECT:[10.1.1.100] 80 => [172.16.1.200] 44429 6 (0): L7 App type calculated l7 appl 1
04/15 19:58:36.032 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000059426964197889 :FW_DEBUG_EVENT:[10.1.1.100] 80 => [172.16.1.200] 44429 6 (0): Classify Actions: Action Inspect (8) Protocol unknown_proto (0) Match_index 1
04/15 19:58:36.032 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000059426964201819 :FW_DEBUG_EVENT:[10.1.1.100] 80 => [172.16.1.200] 44429 6 (0): Classify Action: Rule[7683424.2459297.1] ACE(20)
04/15 19:58:36.235 [cpp-dp-fw]: (warn): QFP:0.0 Thread:000 TS:00000059426964260225 :FW_DEBUG_FLG_DROP:[10.1.1.100] 80 => [172.16.1.200] 44429 6 (0): Proto TCP (6) not initiator Dropping packet reason 37:Invalid TCP initiator
04/15 19:58:38.030 [cpp-dp-fw]: (verbose): QFP:0.0 Thread:000 TS:00000059428961952609 :FW_DEBUG_EVENT:[172.16.1.200] 44429 => [10.1.1.100] 80 6 (0): insp pkt: in GigabitEthernet1 out GigabitEthernet2 pkt_sb_flags 0x80000000 pkt_sb_flags2 0x0 izone 1 ozone 2 vrf is not enabled. nvi is not enabled.
04/15 19:58:38.030 [cpp-dp-fw]: (verbose): QFP:0.0 Thread:000 TS:00000059428961969506 :FW_DEBUG_EVENT:[172.16.1.200] 44429 => [10.1.1.100] 80 6 (0): fw_ntuple: key1-ipaddr1 10.1.1.100 key1-ipaddr2 172.16.1.200 proto 6 key-flags 0 key2-port1 80 key2-port2 44429 ip6addr1 - :: ip6addr2 - :: ip6port1 - 80 ip6port2 - 44429
• Highlighted on the slide: "Classify Action: Rule[7683424.2459297.1] ACE(20)" and "Proto TCP (6) not initiator Dropping packet reason 37:Invalid TCP initiator"
Firewall – Dropped Packet Analysis
• Initiating packet is let through on pass action by firewall
[172.16.1.200] 44429 => [10.1.1.100] 80 6 (0): Policy Action Pass: Class CUSTOM_APPLICATIONS zone pair OUTSIDE->INSIDE_ZP
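As an added example, not part of the lab guide, here is a Python analyzer that reads cpp-dp-fw debug lines like the ones above and correlates both directions of a flow: which policy action matched the initiating packet, whether a Session ID was created and walked through the TCP states, and whether the return direction was dropped. The sample lines are taken from the Day 4 and Day 5 outputs in this guide; the flow record fields and function names are my own.

```python
import re
from collections import OrderedDict

# Sample cpp-dp-fw debug lines taken from this lab guide: the Day 4 healthy session
# (action Inspect, session 0x5 walks LISTEN -> SYNSENT -> SYNRCVD -> ESTAB) and the
# Day 5 failure (action Pass, no session, the SYN-ACK is dropped with reason 37).
HEALTHY = """\
04/15 19:13:19.311 [cpp-dp-fw]: (verbose): QFP:0.0 Thread:000 TS:00000056710241768271 :FW_DEBUG_L4:[172.16.1.200] 44419 => [10.1.1.100] 80 6 (0): FW: Classify 172.16.1.200:44419 => 10.1.1.100:80 6 zone pair OUTSIDE->INSIDE_ZP
04/15 19:13:19.311 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000056710241820789 :FW_DEBUG_EVENT:[172.16.1.200] 44419 => [10.1.1.100] 80 6 (0): Classify Actions: Action Inspect (8) Protocol http (12) Match_index 4
04/15 19:13:19.312 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000056710241914895 :FW_DEBUG_L4:[172.16.1.200] 44419 => [10.1.1.100] 80 6 (0): Session ID:0x00000005, TCP: detect SYN. state was LISTEN -> SYNSENT seq# 2171264973 ack# 0 window 14600 zone-pair name OUTSIDE->INSIDE_ZP
04/15 19:13:19.312 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000056710243938614 :FW_DEBUG_L4:[10.1.1.100] 80 => [172.16.1.200] 44419 6 (0): Session ID:0x00000005, TCP: state was SYNSEND -> SYNRCVD seq# 2663126407 ack# 2171264974 window 14480 zone-pair name OUTSIDE->INSIDE_ZP
04/15 19:13:19.314 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000056710245500749 :FW_DEBUG_L4:[172.16.1.200] 44419 => [10.1.1.100] 80 6 (0): Session ID:0x00000005, TCP: state was SYNRCVD -> ESTAB seq# 2171264974 ack# 2663126408 window 115 zone-pair name OUTSIDE->INSIDE_ZP
"""
BROKEN = """\
04/15 19:58:36.030 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000059426962078964 :FW_DEBUG_L4 FW_DEBUG_FLG_POLICY :[172.16.1.200] 44429 => [10.1.1.100] 80 6 (0): Policy Action Pass: Class CUSTOM_APPLICATIONS zone pair OUTSIDE->INSIDE_ZP
04/15 19:58:36.032 [cpp-dp-fw]: (verbose): QFP:0.0 Thread:000 TS:00000059426962085371 :FW_DEBUG_EVENT:[172.16.1.200] 44429 => [10.1.1.100] 80 6 (0): fw_invoke passed packet
04/15 19:58:36.032 [cpp-dp-fw]: (info): QFP:0.0 Thread:000 TS:00000059426964107459 :FW_DEBUG_L4:[10.1.1.100] 80 => [172.16.1.200] 44429 6 (0): Session miss:- SI packet
04/15 19:58:36.032 [cpp-dp-fw]: (verbose): QFP:0.0 Thread:000 TS:00000059426964111819 :FW_DEBUG_L4:[10.1.1.100] 80 => [172.16.1.200] 44429 6 (0): FW: Classify 10.1.1.100:80 => 172.16.1.200:44429 6 zone pair INSIDE->OUTSIDE_ZP
04/15 19:58:36.235 [cpp-dp-fw]: (warn): QFP:0.0 Thread:000 TS:00000059426964260225 :FW_DEBUG_FLG_DROP:[10.1.1.100] 80 => [172.16.1.200] 44429 6 (0): Proto TCP (6) not initiator Dropping packet reason 37:Invalid TCP initiator
"""

# One cpp-dp-fw line: timestamp, level, FW_DEBUG_* tag, 5-tuple, then the free-text message.
LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+) \[cpp-dp-fw\]: \((?P<level>\w+)\): .*?:(?P<tag>FW_DEBUG_[A-Z0-9_]+)[^:]*"
    r":\[(?P<sip>[\d.]+)\] (?P<sport>\d+) => \[(?P<dip>[\d.]+)\] (?P<dport>\d+) (?P<proto>\d+) "
    r"\(\d+\): (?P<msg>.*)$"
)

def parse_fw_debug(lines):
    """Yield one dict per cpp-dp-fw line; cpp-dp (CCE/TCAM) lines carry no 5-tuple and are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            for k in ("sport", "dport", "proto"):
                ev[k] = int(ev[k])
            yield ev

def analyze_flows(lines):
    """Correlate both directions of each flow; the first direction seen is treated as the initiator."""
    flows = OrderedDict()
    for ev in parse_fw_debug(lines):
        key = (ev["proto"],) + tuple(sorted([(ev["sip"], ev["sport"]), (ev["dip"], ev["dport"])]))
        f = flows.setdefault(key, {
            "initiator": (ev["sip"], ev["sport"], ev["dip"], ev["dport"]),
            "zone_pairs": [], "action": None, "class": None,
            "session_id": None, "states": [], "drops": [],
        })
        forward = (ev["sip"], ev["sport"]) == f["initiator"][:2]
        msg = ev["msg"]
        m = re.search(r"zone[- ]pair (?:name )?(\S+)", msg)
        if m and m.group(1) not in f["zone_pairs"]:
            f["zone_pairs"].append(m.group(1))
        m = re.search(r"Classify Actions: Action (\w+)", msg)
        if m and forward:
            f["action"] = m.group(1)
        m = re.search(r"Policy Action (\w+): Class (\S+)", msg)  # the policy verdict wins over classify
        if m and forward:
            f["action"], f["class"] = m.group(1), m.group(2)
        m = re.search(r"Session ID:(0x[0-9a-fA-F]+)", msg)
        if m:
            f["session_id"] = m.group(1)
        m = re.search(r"state was (\w+) -> (\w+)", msg)
        if m:
            f["states"].append((m.group(1), m.group(2)))
        m = re.search(r"Dropping packet reason (\d+):(.+)$", msg)
        if m:
            f["drops"].append(("forward" if forward else "reverse", int(m.group(1)), m.group(2).strip()))
    return flows

def findings(flows):
    """One verdict per flow: inspected session that reached ESTAB, or pass-without-session breakage."""
    out = []
    for f in flows.values():
        name = "%s:%d -> %s:%d" % f["initiator"]
        if f["action"] == "Pass" and f["session_id"] is None and any(d[0] == "reverse" for d in f["drops"]):
            reasons = ", ".join("%d:%s" % (r, t) for _, r, t in f["drops"])
            out.append("%s: class %s matched with action pass, so no session was built; return traffic "
                       "was classified on %s and dropped (%s)" % (name, f["class"], f["zone_pairs"][-1], reasons))
        elif f["action"] == "Inspect" and f["states"] and f["states"][-1][1] == "ESTAB" and not f["drops"]:
            out.append("%s: inspected, session %s reached ESTAB on %s" % (name, f["session_id"], f["zone_pairs"][0]))
        else:
            out.append("%s: action %s, states %s, drops %s" % (name, f["action"], f["states"], f["drops"]))
    return out

if __name__ == "__main__":
    for text in (HEALTHY, BROKEN):
        for verdict in findings(analyze_flows(text.splitlines())):
            print(verdict)
```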
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
Internet of Things (IoT) Cisco Education Offerings
• NEW! CCNA Industrial: An associate level instructor led training course designed to prepare you for the CCNA Industrial certification. Certification: CCNA® Industrial
• Managing Industrial Networks with Cisco Networking Technologies (IMINS): This curriculum addresses foundational skills needed to manage and administer networked industrial control systems. It provides plant administrators, control system engineers and traditional network engineers with an understanding of the networking technologies needed in today's connected plants and enterprises. Certification: Cisco Industrial Networking Specialist
• Control Systems Fundamentals for Industrial Networking (ICINS): For IT and Network Engineers, covers basic concepts in Industrial Control systems including an introduction to automation industry verticals, automation environment and an overview of industrial control networks
• Networking Fundamentals for Industrial Control Systems (INICS): For Industrial Engineers and Control System Technicians, covers basic IP and networking concepts, and introductory overview of Automation industry Protocols.
• Building Business Specialist Skills: Builds non-technical skills key to ensure business impact and influence. Topics include: business analysis, finance, technology adoption and effective communications. Certification: Cisco Enterprise IT Business Specialist
• Applying Cisco Specialized Business Value Analysis Skills: Builds skills to discover and address technology needs using a business-focused, consultative sales approach. Certification: Cisco Business Value Specialist
• Executing Advanced Cisco Business Value Analysis and Design Techniques: Enables customer transformation through business architecture and solution selling expertise. Certification: Cisco Certified Business Value Practitioner
• Performing Cisco Business-Focused Transformative Architecture Engagements: Provides skills and an approach to build a strategic roadmap of IT initiatives, aligned to business priorities. Certification: Cisco Transformative Architecture Specialist
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact ask-edu-pm-dcv@cisco.com
Security Cisco Education Offerings
Course Description Cisco Certification
Implementing Cisco IOS Network Security (IINS) Focuses on the design, implementation, and monitoring of a comprehensive CCNA® Security
security policy, using Cisco IOS security features
Implementing Cisco Edge Network Security Solutions
(SENSS) Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco
Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls
Implementing Cisco Threat Control Solutions (SITCS)
Deploy Cisco’s Next Generation Firewall (NGFW) as well as Web Security, Email
Implementing Cisco Secure Access Solutions (SISAS) Security and Cloud Web Security
Implementing Cisco Secure Mobility Solutions Deploy Cisco’s Identity Services Engine and 802.1X secure network access
(SIMOS)
Protect data traversing a public or shared infrastructure such as the Internet by
implementing and maintaining Cisco VPN solutions
Securing Cisco Networks with Threat Detection and Designed for professional security analysts, the course covers essential areas of Cisco Cybersecurity Specialist
Analysis (SCYBER) competency including event monitoring, security event/alarm/traffic analysis, and
incident response
CCIE R&S Advanced Workshops (CIERS-1 & Expert level trainings including: instructor led workshops, self CCIE® Routing & Switching
CIERS-2) plus assessments, practice labs and CCIE Lab Builder to prepare candidates
Self Assessments, Workbooks & Labs for the CCIE R&S practical exam.
• Implementing Cisco IP Routing v2.0 Professional level instructor led trainings to prepare candidates for the CCNP® Routing & Switching
• Implementing Cisco IP Switched CCNP R&S exams (ROUTE, SWITCH and TSHOOT). Also available in
Networks V2.0 self study eLearning formats with Cisco Learning Labs.
• Troubleshooting and Maintaining
Cisco IP Networks v2.0
Interconnecting Cisco Networking Devices: Configure, implement and troubleshoot local and wide-area IPv4 and IPv6 CCNA® Routing & Switching
Part 2 (or combined) networks. Also available in self study eLearning format with Cisco Learning
Lab.
Interconnecting Cisco Networking Devices: Installation, configuration, and basic support of a branch network. Also CCENT® Routing & Switching
Part 1 available in self study eLearning format with Cisco Learning Lab.
• Conducting Cisco Unified Wireless Site Survey Professional level instructor led trainings to prepare candidates to conduct CCNP® Wireless
• Implementing Cisco Unified Wireless Voice site surveys, implement, configure and support APs and controllers in
Networks converged Enterprise networks. Focused on 802.11 and related
• Implementing Cisco Unified Wireless Mobility technologies to deploy voice networks, mobility services, and wireless
Services security.
• Implementing Cisco Unified Wireless Security
Services
Course: Implementing Cisco Unified Wireless Network Essential
Description: Prepares candidates to design, install, configure, monitor and conduct basic troubleshooting tasks of a Cisco WLAN in Enterprise installations.
Certification: CCNA® Wireless

Course: Designing Cisco Network Service Architectures (ARCH)
Description: Provides the learner with the ability to perform conceptual, intermediate, and detailed design of a network infrastructure that supports the desired capacity, performance, and availability required for converged Enterprise network services and applications.
Certification: CCDP® (Design Professional)

Course: Designing for Cisco Internetwork Solutions (DESGN)
Description: Instructor-led training focused on fundamental design methodologies used to determine requirements for network performance, security, voice, and wireless solutions. Prepares candidates for the CCDA certification exam.
Certification: CCDA® (Design Associate)

Course: Deploying Cisco Service Provider Network Routing (SPROUTE) & Advanced (SPADVROUTE); Implementing Cisco Service Provider Next-Generation Core Network Services (SPCORE) and Edge Network Services (SPEDGE)
Description: SPROUTE covers the implementation of routing protocols (OSPF, IS-IS, BGP), route manipulations, and HA routing features; SPADVROUTE covers advanced routing topics in BGP, multicast services including PIM-SM, and IPv6; SPCORE covers network services, including MPLS-LDP, MPLS traffic engineering, QoS mechanisms, and transport technologies; SPEDGE covers network services, including MPLS Layer 3 VPNs, Layer 2 VPNs, and Carrier Ethernet services; all within SP IP NGN environments.
Certification: CCNP Service Provider®

Course: Building Cisco Service Provider Next-Generation Networks, Part 1 & 2 (SPNGN1, SPNGN2)
Description: The two courses introduce networking technologies and solutions, including OSI and TCP/IP models, IPv4/v6, switching, routing, transport types, security, network management, and Cisco OS (IOS and IOS XR).
Certification: CCNA Service Provider®

Course: Implementing Cisco Service Provider Mobility UMTS Networks (SPUMTS); Implementing Cisco Service Provider Mobility CDMA Networks (SPCDMA); Implementing Cisco Service Provider Mobility LTE Networks (SPLTE)
Description: The three courses (SPUMTS, SPCDMA, SPLTE) cover the knowledge and skills required to understand products, technologies, and architectures that are found in Universal Mobile Telecommunications Systems (UMTS) and Code Division Multiple Access (CDMA) packet core networks, plus their migration to Long-Term Evolution (LTE) Evolved Packet Systems (EPS), including Evolved Packet Core (EPC) and Radio Access Networks (RANs).
Certification: Cisco Service Provider Mobility CDMA to LTE Specialist; Cisco Service Provider Mobility UMTS to LTE Specialist
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact ask-edu-pm-dcv@cisco.com
Course: Implementing and Maintaining Cisco Technologies Using IOS XR (IMTXR)
Description: Service Provider/Enterprise engineers learn to implement, verification-test, and optimize core/edge technologies in a Cisco IOS XR environment.
Certification: Cisco IOS XR Specialist
Collaboration Cisco Education Offerings
Course Description Cisco Certification
Course: CCIE Collaboration Advanced Workshop (CIEC)
Description: Gain expert-level skills to integrate, configure, and troubleshoot complex collaboration networks.
Certification: CCIE® Collaboration

Course: Implementing Cisco Collaboration Applications (CAPPS)
Description: Understand how to implement the full suite of Cisco collaboration applications including Jabber, Cisco Unified IM and Presence, and Cisco Unity Connection.
Certification: CCNP® Collaboration

Course: Implementing Cisco IP Telephony and Video Part 1 (CIPTV1)
Description: Learn how to implement Cisco Unified Communications Manager, CUBE, and audio and videoconferences in a single-site voice and video network.
Certification: CCNP® Collaboration

Course: Implementing Cisco IP Telephony and Video Part 2 (CIPTV2)
Description: Obtain the skills to implement Cisco Unified Communications Manager in a modern, multisite collaboration environment.

Course: Troubleshooting Cisco IP Telephony and Video (CTCOLLAB)
Description: Troubleshoot complex integrated voice and video infrastructures.

Course: Implementing Cisco Collaboration Devices (CICD)
Description: Acquire a basic understanding of collaboration technologies like Cisco Call Manager and Cisco Unified Communications Manager.
Certification: CCNA® Collaboration

Course: Cisco Data Center CCIE Unified Fabric Workshop (DCXUF); Cisco Data Center CCIE Unified Computing Workshop (DCXUC)
Description: Prepare for your CCIE Data Center practical exam with hands-on lab exercises running on a dedicated comprehensive topology.
Certification: CCIE® Data Center

Course: Implementing Cisco Data Center Unified Fabric (DCUFI); Implementing Cisco Data Center Unified Computing (DCUCI)
Description: Obtain the skills to deploy complex virtualized Data Center Fabric and Computing environments with Nexus and Cisco UCS.
Certification: CCNP® Data Center

Course: Introducing Cisco Data Center Networking (DCICN); Introducing Cisco Data Center Technologies (DCICT)
Description: Learn basic data center technologies and how to build a data center infrastructure.
Certification: CCNA® Data Center

Course: Product Training Portfolio: DCAC9k, DCINX9k, DCMDS, DCUCS, DCNX1K, DCNX5K, DCNX7K
Description: Get a deep understanding of the Cisco data center product line including the Cisco Nexus9K in ACI and NexusOS modes.

Course: Integrating Business Applications with Network Programmability (NIPBA); Integrating Business Applications with Network Programmability for Cisco ACI (NPIBAACI)
Description: Learn networking concepts, and how to deploy and troubleshoot Cisco programmable network architectures with these self-paced courses.
Certification: Business Application Engineer Specialist Certification

Course: Developing with Cisco Network Programmability (NPDEV); Developing with Cisco Network Programmability for Cisco ACI (NPDEVACI)
Description: Learn how to build applications for network environments and effectively bridge the gap between IT professionals and software developers.
Certification: Cisco Network Programmability Developer Specialist Certification

Course: Designing with Cisco Network Programmability (NPDES); Designing with Cisco Network Programmability for Cisco ACI (NPDESACI)
Description: Learn how to expand your skill set from traditional IT infrastructure to application integration through programmability.
Certification: Cisco Network Programmability Design Specialist Certification

Course: Implementing Cisco Network Programmability (NPENG); Implementing Cisco Network Programmability for Cisco ACI (NPENGACI)
Description: Learn how to implement and troubleshoot open IT infrastructure technologies.
Certification: Cisco Network Programmability Engineer Specialist Certification
Cloud Cisco Education Offerings
Course Description Cisco Certification
Course: Designing the FlexPod Solution (FPDESIGN); Implementing and Administering the FlexPod Solution (FPIMPADM)
Description: Learn how to design, implement and administer FlexPod solutions.
Certification: FlexPod Design Specialist; FlexPod Implementation & Administration Specialist

Course: UCS Director (UCSDF)
Description: Learn how to manage physical and virtual infrastructure using orchestration and automation functions of UCS Director.

Course: Cisco Prime Service Catalog
Description: Learn how to deliver data center, workplace, and application services in an on-demand, automated, and repeatable method.

Course: Cisco Intercloud Fabric
Description: Learn how to implement end-to-end hybrid clouds with Intercloud Fabric for Business and Intercloud Fabric for Providers.

Course: Cisco Intelligent Automation for Cloud
Description: Learn how to implement and manage cloud deployments with Cisco Intelligent Automation for Cloud.
Appendix
ASR1K Software Architecture
Block diagram (slide figure): the RP carries IOS, the Chassis Manager, the Forwarding Manager, drivers and the Linux kernel; each ESP carries the FECP, Chassis Manager, Forwarding Manager, drivers, Linux kernel and the QFP (PPEs, BQS, Crypto Assist, Dispatcher, Packet Buffer); each SIP carries the IOCP, Chassis Manager, SPA drivers, Linux kernel and SPA aggregation in front of the SPAs. RP, ESP and SIP are linked by the EOBC (1 Gbps) and the ESI (10-40 Gbps), with the SIPs reaching the ESP through the interconnect.
Chassis Manager
• Manages EOBC on RP
• Manages ESI links on RP/ESP/SIP
• Manages timing circuitry on RP
• Reset and power-down on RP/ESP/SIP
Forwarding Manager
• Communicates between IOS and the hardware components
• FMAN-FP communicates information back to FMAN-RP, e.g. statistics
• FMAN-RP pushes info back to IOS
QFP
• Written in C
• Assisted by various memories (TCAM, DRAM, …) of various speeds
• PPE microcode runs here
SIP detail (slide figure): IOCP (SC854x SOC) with boot flash, status (OBFL, …), JTAG control, DDRAM, ingress/egress buffer, scheduler and clock distribution, and the SPA aggregation ASIC (Marmot) in front of the SPAs.
ESP/QFP detail (slide figure): FECP with boot flash, status (OBFL, …), JTAG control, DDRAM, SA table, SPI mux, reset/power control and EEPROM; QFP with the Packet Processor Engine complex (PPE1 … PPE N, four threads per PPE, Dispatcher, Packet Buffer, DRAM interconnect), BQS and Crypto. The Input FIA and Output FIA run feature code on the PPEs, such as Netflow, Input ACL, NAT, NBAR Classify, MQC Classify, IP Unicast and BGP Accounting.
Resource Monitoring – Processes IOS
• Processes used by IOS
CSR# show processes
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID QTy          PC Runtime (ms)    Invoked   uSecs      Stacks TTY Process
   1 Cwe 7F645CF5AB33            2         13     153 22656/24000   0 Chunk Manager
   8 Lst 7F645CF88ECD       152689      24234    6300 22704/24000   0 Check heaps
   9 Cwe 7F645CF7DBCD          286       2651     107 22784/24000   0 Pool Manager
  13 Cwe 7F64586985DE         1864      79491      23 23192/24000   0 IOSXE heartbeat
  37 Mwe 7F6459F5EF9D         2511       5257     477 21376/24000   0 ARP Input
  38 Mwe 7F6459F5936E         3896     165846      23 21584/24000   0 ARP Background
  41 Lwe 7F645A4969F2            0          1       0 23408/24000   0 CEF MIB API
  49 Hwe 7F6458699A71            0          1       0 22512/24000   0 IOSXE signals IO
  67 Lwe 7F645A7BFEC0            1         83      12 46152/48000   0 Logger
  68 Mwe 7F645A66B6CF         4067     158960      25 22960/24000   0 TTY Background
Please use 'show processes platform' to show processes for the underlying operating system.
This command only shows processes inside the IOS daemon. Use the platform keyword to see the Linux processes.
Resource Monitoring – Processes platform
• Processes running on platform
CSR# show processes platform
CPU utilization for five seconds: 0%, one minute: 1%, five minutes: 1%
  Pid    PPid  Status        Size  Name
--------------------------------------------------------
    1       0  S          1863680  init
13292   12762  S       1056264192  fman_rp
11915       1  S          4292608  pvp.sh
13897   11915  S          4227072  pman.sh
14187   13897  S       3795505152  linux_iosd-imag
16251   15821  S        192000000  vman
18537   18027  S       1981214720  fman_fp_image
18974   18553  S        803053568  qfp-ucode-csr
Columns: Pid is the current PID, PPid is the parent PID, Name is the process name.
Resource Monitoring Outputs
Pod1# show processes platform detailed name linux_iosd-imag
Name: linux_iosd-imag
Process id : 14312          (current process)
Parent process id: 14036    (parent process)
Group id : 14312
Status : S
Session id : 12385
User time : 1017598
Kernel time : 314621
Priority : 20
Virtual bytes : 3795484672  (~3.8 GB)
Resident pages : 149681
Resident limit : 4294967295
Minor page faults: 155255
Major page faults: 1245
Resource Monitoring – Process Memory platform
• Memory allocated by Linux to processes
• 4 GB allocated to the entire platform at boot
• ~600 MB currently used by IOSd
Resource Monitoring – Memory IOS
CSR# show memory
                   Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor  7F63DA92A010  2202708736   274602132  1928106604  1928057400  1297759876
 lsmpi_io  7F6386C281A8     6295128     6294304         824         824         412
Pools shown: Processor memory and lsmpi_io memory.
Load Average
1-Min : 0.00
5-Min : 0.00
15-Min : 0.00
EPC Capture Filter
• Filters can be replaced
• If all packets are forwarded, then further troubleshooting may not be necessary
• Waiting for you at your desk is your boss: something happened in the middle of the night and traffic to the webserver is no longer working!
• You tell your boss, "No worry chief! I got this covered."
CSR# show monitor capture CAPIN buffer
buffer size (KB) : 10240
buffer used (KB) : 0
packets in buf : 0
packets dropped : 0
packets per sec : 0
CSR# show monitor capture CAPIN buffer brief
-------------------------------------------------------------
# size timestamp source destination protocol
-------------------------------------------------------------
Packet Trace - Configuration
• Step 1: Set up ACL to capture traffic
CSR(config)# ip access-list extended PACKET_TRACE
CSR(config-ext-nacl)#10 permit tcp host 172.16.1.200 host 10.1.1.10 eq 80
CSR(config-ext-nacl)#20 permit tcp host 10.1.1.10 eq 80 host 172.16.1.20
Packet Tracing – Process tracing
• Enable FIA tracing without doing diagnostics
...
Packet Copy In
fa163ef3 b8cafa16 3e9ef62e 08004500 003ce490 40004006 9d48ac10 01c80a01
010ac9d9 00502be2 a8230000 0000a002 39082d61 00000204 05b40402 080a3dd1
4cb30000 00000103 0307
Packet Copy Out
fa163ef3 b8cafa16 3e9ef62e 08004500 003ce490 40003f06 9e48ac10 01c80a01
010ac9d9 00502be2 a8230000 0000a002 39082d61 00000204 05b40402 080a3dd1
4cb30000 00000103 0307
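The ingress and egress copies above are easier to compare when decoded than when read as hex words. The following added example (not from the lab material) parses both dumps as Ethernet/IPv4/TCP, verifies the IPv4 header checksum of each copy and lists the fields that changed between input and output; it assumes the dumps are exactly the bytes printed on the page.

```python
import ipaddress
import struct

# Packet copies as printed in the page's packet-trace output (hex words; whitespace is ignored).
PACKET_IN = """
fa163ef3 b8cafa16 3e9ef62e 08004500 003ce490 40004006 9d48ac10 01c80a01
010ac9d9 00502be2 a8230000 0000a002 39082d61 00000204 05b40402 080a3dd1
4cb30000 00000103 0307
"""
PACKET_OUT = """
fa163ef3 b8cafa16 3e9ef62e 08004500 003ce490 40003f06 9e48ac10 01c80a01
010ac9d9 00502be2 a8230000 0000a002 39082d61 00000204 05b40402 080a3dd1
4cb30000 00000103 0307
"""

def parse_dump(text):
    """Turn the hex-word dump into raw bytes."""
    return bytes.fromhex("".join(text.split()))

def ipv4_checksum(header):
    """RFC 1071 one's-complement checksum over an IPv4 header, checksum field treated as zero."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode(pkt):
    """Decode Ethernet II + IPv4 + TCP headers into the fields a trace reader cares about."""
    if struct.unpack("!H", pkt[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    ttl, proto, csum = struct.unpack("!BBH", ip[8:12])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    return {
        "src": str(ipaddress.ip_address(ip[12:16])), "dst": str(ipaddress.ip_address(ip[16:20])),
        "ttl": ttl, "proto": proto, "checksum": csum,
        "checksum_ok": ipv4_checksum(ip[:ihl]) == csum,
        "sport": sport, "dport": dport, "syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
    }

def diff_fields(a, b):
    """Fields that differ between the ingress copy and the egress copy."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    p_in, p_out = decode(parse_dump(PACKET_IN)), decode(parse_dump(PACKET_OUT))
    print(p_in)
    print("changed while transiting the router:", diff_fields(p_in, p_out))
```

For a plain forwarded packet the only differences should be the decremented TTL and the recomputed header checksum; anything else (addresses, ports, flags) points at a feature such as NAT or the firewall acting on the packet in the FIA.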
Packet Tracing
• IPv4_INPUT_ACL indicates that the interface ACL is dropping the packet
• Check the contents of the ACL and make the necessary corrections
interface GigabitEthernet1
 ip address 172.16.1.X 255.255.255.0
 no ip proxy-arp
 ip verify unicast source reachable-via rx allow-default 100
 ip policy route-map REQUIRED_APPLICATIONS
 ip access-group INTERNET_BLACKLIST in
The inbound ACL (INTERNET_BLACKLIST) is what is set up to drop the traffic.