Geekly Articles each Day

パッケージの運命。 Cisco IOS XE


Packet Traceを使用して、Cisco IOS XEルータの多くの問題の診断を開始できます。 これは、ルータ内のパケット処理のトレースであり、それほど前には現れませんでした。 以前は、このような機能はASAファイアウォールでのみ利用可能でした。 ASAでパケットトレーサーを使用した人は同意するでしょう-非常に便利なツールです。 現在、そのアナログは最新のルーター(ISR 4000、ASR、CSR)に登場しています。

生きている例についてメモを作成します。 iOS-XEパケットトレースを簡単に把握できます。 詳細は、ベンダーのWebサイトでいつでも確認できます。 残念ながら、この主題に関する情報はまだ多くありません。 私たちのダイビング中に、あなたは私の言っていることを理解するでしょう。

実験として、ISR 4000ルーターがあります( Habré上のISR 4000とIOS XEの詳細については既に書いています)。 静的ルーティング、PfR、PBR、アドレス変換(NAT)、ZFWファイアウォール、インターフェイス上のACL、Flexible NetFlow、NBAR2、IPSec、GRE、VTIなど、多くのテクノロジが設定されています。 これにより、トレースが飽和状態になり、実際の操作により近くなります。

多くの技術があり、それぞれに独自のデバッグ方法があります。 時間を無駄にせず、問題の原因を探す場所をすぐに判断するために、パケットトレースが役立ちます。

アドレス192.168.20.8から8.8.8.8に送信されたICMPパケット(エコー要求)を観察します。

アクティブ化のトレースは、2つの部分で構成されます。 最初に、条件付きデバッグを実行します。 その中で、どのパッケージが興味を持っているかを示しています。 この場合、これはACL 199によって記述され、GigabitEthernet0 / 0/0インターフェイスを介してルーターに到着するトラフィックです。

access-list 199 permit icmp host 192.168.20.8 host 8.8.8.8 debug platform condition interf GigabitEthernet0/0/0 ipv4 access-list 199 ingress debug platform condition start

条件付きデバッガは、パケットトレース操作だけでなく使用されます。 このツールを使用すると、ログメッセージを効果的にフィルタリングし、生成の段階でメッセージをデバッグできます。 条件を設定し、必要なもののみに関連するレコードを表示できます。

次に、パケットトレースを直接オンにします。 バッファとトレースの深さを指定します。 最小-16パッケージ。 深さ:基本(パストレース)または高度(フィアトレース)。 拡張の場合、QFPプロセス内のすべての機能の作業の詳細な結論が得られます。 パケット転送(データパス)を担当するのは彼です。

 debug platform packet-trace packet 16 fia-trace debug platform packet-trace enable

ASAパケットトレーサーと比較して、構文は確かにそれほど便利ではありません。

ASAパケットトレーサー自体が、さらにトレースするためのパケットを生成できます。 IOS-XE Packet Traceは、これを行う方法を知りません。 それが機能するためには、パッケージがどこかから来ることが必要です。
尾を掃除するチーム。 すべてを終えたときに便利です。

 no debug platform packet-trace enable clear platform packet-trace statistics clear platform condition all

すべてがセットアップされました。 pingを開始して、必要なパケットがルーターを通過するようにします。
パケットトレースに入ったパケットの一般的な出力を確認します。

 cbs-4000#show platform packet-trace summary Pkt Input Output State Reason 0 Gi0/0/0 Gi0/0/1.5 FWD

1つあります。 Gi0 / 0/0インターフェースを経由し、Gi0 / 0 / 1.5を介してさらに転送されました(FWD状態)。

その処理のトレースを見る
 cbs-4000#show platform packet-trace packet 0 Packet: 0 CBUG ID: 8 Summary Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 State : FWD Timestamp Start : 6495209991683323 ns (02/18/2017 11:59:43.176192 UTC) Stop : 6495209991814307 ns (02/18/2017 11:59:43.176323 UTC) Path Trace Feature: IPV4 <================= Input : GigabitEthernet0/0/0 <================= Output : GigabitEthernet0/0/0 <================= Source : 192.168.20.8 <================= Destination : 8.8.8.8 <================= Protocol : 1 (ICMP) <================= Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT Lapsed time : 4960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE Lapsed time : 5280 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME Lapsed time : 1600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4a140 - IPV4_INPUT_ACL Lapsed time : 40160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN Lapsed time : 1440 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 236 cft_bucket_number : 566799 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 <================= tuple.dst_ip : 8.8.8.8 <================= tuple.src_port : 61609 <================= tuple.dst_port : 161 <================= tuple.vrfid : 0 tuple.l4_protocol : ICMP <================= tuple.l3_protocol : IPV4 <================= pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 236 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY Lapsed time : 226240 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP Lapsed time : 66880 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS Lapsed time : 2560 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000084 input vrf_idx : 0 calling feature : FNF direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 236 cft_bucket_number : 566799 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 61609 tuple.dst_port : 161 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 236 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST Lapsed time : 21120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST Lapsed time : 119520 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e8c - IPV4_INPUT_VFR Lapsed time : 1280 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS Lapsed time : 3840 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000080 input vrf_idx : 0 calling feature : CENT direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 236 cft_bucket_number : 566799 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 61609 tuple.dst_port : 161 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 236 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS Lapsed time : 40640 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7ff70 - IPV4_INPUT_PBR <================= Lapsed time : 34720 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS <================= Lapsed time : 2560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 <================= Output : GigabitEthernet0/0/1.5 <================= Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS <================= Lapsed time : 4160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL Lapsed time : 1280 ns Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL Lapsed time : 218880 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE Lapsed time : 2560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE Lapsed time : 4480 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e98 - IPV4_OUTPUT_VFR Lapsed time : 1920 ns Feature: ZBFW <================= Action : Fwd <================= Zone-pair name : in-out1 <================= Class-map name : CM-FW_in-out <================= Input interface : GigabitEthernet0/0/0 <================= Egress interface: GigabitEthernet0/0/1.5 <================= Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT Lapsed time : 721760 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE Lapsed time : 3680 ns Feature: NAT <================= Direction : IN to OUT <================= Action : Translate Source <================= Old Address : 192.168.20.8 00001 <================= New Address : 87.87.87.87 00033 <================= Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA Lapsed time : 54880 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE Lapsed time : 1600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e9c - IPV4_VFR_REFRAG Lapsed time : 960 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Output triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 238 cft_bucket_number : 566799 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 87.87.87.87 tuple.dst_ip : 8.8.8.8 tuple.src_port : 61609 tuple.dst_port : 161 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 238 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT Lapsed time : 137600 ns Feature: IPSec <================= Result : IPSEC_RESULT_DENY <================= Action : SEND_CLEAR <================= SA Handle : 0 Peer Addr : 8.8.8.8 <================= Local Addr: 87.87.87.87 <================= Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY Lapsed time : 50560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE Lapsed time : 7040 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE Lapsed time : 7040 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e74 - IPV4_OUTPUT_SRC_LOOKUP_CONSUME Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131ec4 - IPV4_OUTPUT_FRAG Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY Lapsed time : 13600 ns Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6d914 - IPV4_OUTPUT_FNF_FINAL Lapsed time : 112800 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT Lapsed time : 41440 ns

トレースボリュームは、設定された機能に直接依存します。 ルーティングのみがある場合、データははるかに少なくなります。

名前のいくつかは明確です。 しかし、デコードが容易ではない段階があります。 この点に関して、ベンダーのドキュメントはあまり役に立ちません。

最も興味深い点を強調します。

1.データフローを識別する情報:

 Feature: CFT … tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 61609 tuple.dst_port : 161 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4

データはCFT(共通フローテーブル)に保存されます。 これらは、各ストリームに関する情報(Netflow、NBAR、PfRなど)を使用して作業を行うテクノロジーで使用されます。 CFTテーブルは、冗長な情報を保存しないために必要です。

2.アウトバウンドインターフェイスの定義:

パケットがルーターに到着したとき、発信インターフェイスは未定義です。 着信が置換されます。

 Feature: IPV4 Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Source : 192.168.20.8 Destination : 8.8.8.8 Protocol : 1 (ICMP)

パケットをさらにどこに送信するかが決定されると(ルーティング機能が実行されます)、発信インターフェイスが変更されます。

  Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS Lapsed time : 4160 ns

3. ZFWファイアウォールによるパケット処理に関するデータ:

  Feature: ZBFW Action : Fwd Zone-pair name : in-out1 Class-map name : CM-FW_in-out Input interface : GigabitEthernet0/0/0 Egress interface: GigabitEthernet0/0/1.5

パケットがどのゾーンを通過し、どのクラスで落下したかがすぐにわかります。 ZFW構成はしばしば非常に混乱するため、これは十分に便利です。

4.アドレス変換情報:

  Feature: NAT Direction : IN to OUT Action : Translate Source Old Address : 192.168.20.8 00001 New Address : 87.87.87.87 00033

パケットの宛先アドレスは87.87.87.87に置き換えられました。

5. IPSecはルーターで構成されているため、パケットが着信したかどうかが確認されます。

  Feature: IPSec Result : IPSEC_RESULT_DENY Action : SEND_CLEAR SA Handle : 0 Peer Addr : 8.8.8.8 Local Addr: 87.87.87.87

いいえ、私はしませんでした。

トレースは多くの追加情報を提供します。 たとえば、IPV4_INPUT_PBRは、パケットがPBRを通過したことを示します。 ただし、PBRが適用されたかどうか、または標準ルーティングルールへの処理のためにパケットが送信されたかどうかに関する情報は見つかりません。 この場合、パケットはPBRルールに該当しませんでした。 エントリIPV4_INPUT_TCP_ADJUST_MSSは、インターフェイスでip tcp adjust-mssコマンドが設定されていることを示します。 同時に、前の例のように、詳細は取得しません。

デバイスによって表示される情報のほとんどは関心がありません。 ただし、パッケージに問題が発生すると状況が変わります。

状況1 入力インターフェイスでパケットがドロップされたACL

 cbs-4000#show platform packet-trace summary Pkt Input Output State Reason 0 Gi0/0/0 Gi0/0/0 DROP 8 (Ipv4Acl)

ACL(Ipv4Acl)が機能したため、パケットはドロップ(DROP)されました。

パッケージ処理トレース
 cbs-4000#show platform packet-trace packet 0 Packet: 0 CBUG ID: 35 Summary Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 State : DROP 8 (Ipv4Acl) Timestamp Start : 6515970748260480 ns (02/18/2017 17:45:43.568889 UTC) Stop : 6515970748313558 ns (02/18/2017 17:45:43.568942 UTC) Path Trace Feature: IPV4 Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Source : 192.168.20.8 Destination : 8.8.8.8 Protocol : 1 (ICMP) Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT Lapsed time : 6560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE Lapsed time : 5920 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME Lapsed time : 1440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d8375c - STILE_LEGACY_DROP_EXT Lapsed time : 3680 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7b554 - INGRESS_MMA_LOOKUP_DROP_EXT Lapsed time : 63040 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6e0f8 - INPUT_DROP_FNF_AOR_EXT Lapsed time : 8320 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6dc44 - INPUT_FNF_DROP_EXT Lapsed time : 324800 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6e6c8 - INPUT_DROP_FNF_AOR_RELEASE_EXT Lapsed time : 8320 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81128ebc - INPUT_DROP_EXT <================= Lapsed time : 1920 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4a140 - IPV4_INPUT_ACL <================= Lapsed time : 794240 ns

INPUT_DROP_EXTおよびIPV4_INPUT_ACLは、パケットがインバウンドインターフェイスでドロップされたことを報告します。 パッケージの寿命のように、トレースは短いことが判明しました。

状況No. 2。 アウトバウンドインターフェイスでパケットドロップACL

 cbs-4000#show platform packet-trace summary Pkt Input Output State Reason 0 Gi0/0/0 Gi0/0/1.5 DROP 8 (Ipv4Acl)

繰り返しますが、ACL(Ipv4Acl)のためにパケットは送信されませんでした(DROP)。 ただし、現在、Gi0 / 0 / 1.5は発信インターフェイスとして表示されます。

パッケージ処理トレース
 cbs-4000#show platform packet-trace packet 0 Packet: 0 CBUG ID: 33 Summary Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 State : DROP 8 (Ipv4Acl) Timestamp Start : 6515547984424423 ns (02/18/2017 17:38:40.479689 UTC) Stop : 6515547984571057 ns (02/18/2017 17:38:40.479835 UTC) Path Trace Feature: IPV4 Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Source : 192.168.20.8 Destination : 8.8.8.8 Protocol : 1 (ICMP) Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT Lapsed time : 8320 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE Lapsed time : 4320 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME Lapsed time : 3520 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4a140 - IPV4_INPUT_ACL Lapsed time : 43360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN Lapsed time : 1280 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 5 cft_bucket_number : 1591662 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 443 tuple.dst_port : 57521 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 5 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY Lapsed time : 222240 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP Lapsed time : 67200 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS Lapsed time : 2240 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000084 input vrf_idx : 0 calling feature : FNF direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 5 cft_bucket_number : 1591662 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 443 tuple.dst_port : 57521 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 5 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST Lapsed time : 22080 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST Lapsed time : 136320 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e8c - IPV4_INPUT_VFR Lapsed time : 1280 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS Lapsed time : 2560 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000080 input vrf_idx : 0 calling feature : CENT direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 5 cft_bucket_number : 1591662 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 443 tuple.dst_port : 57521 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 5 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS Lapsed time : 40160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7ff70 - IPV4_INPUT_PBR Lapsed time : 39520 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS Lapsed time : 4320 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL Lapsed time : 1920 ns Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL Lapsed time : 274240 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE Lapsed time : 2400 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE Lapsed time : 2880 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e98 - IPV4_OUTPUT_VFR Lapsed time : 1600 ns Feature: ZBFW Action : Fwd Zone-pair name : in-out1 Class-map name : CM-FW_in-out Input interface : GigabitEthernet0/0/0 Egress interface: GigabitEthernet0/0/1.5 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT Lapsed time : 989760 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE Lapsed time : 2720 ns Feature: NAT Direction : IN to OUT Action : Translate Source Old Address : 192.168.20.8 00001 New Address : 87.87.87.87 00036 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA Lapsed time : 36800 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE Lapsed time : 3200 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e9c - IPV4_VFR_REFRAG Lapsed time : 1120 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Output triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 7 cft_bucket_number : 1591662 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 87.87.87.87 tuple.dst_ip : 8.8.8.8 tuple.src_port : 443 tuple.dst_port : 57521 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 7 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT Lapsed time : 141920 ns Feature: IPSec Result : IPSEC_RESULT_DENY Action : SEND_CLEAR SA Handle : 0 Peer Addr : 8.8.8.8 Local Addr: 87.87.87.87 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY Lapsed time : 46080 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE Lapsed time : 2560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81128eb8 - OUTPUT_DROP_EXT <================= Lapsed time : 3360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d4a144 - IPV4_OUTPUT_ACL <================= Lapsed time : 121760 ns

最後のトレースには、パッケージの運命に関する情報があります:OUTPUT_DROP_EXTおよびIPV4_OUTPUT_ACL。 ほとんどの処理段階が経過したことから明らかなように、パケットはルーターの足からほとんど逃げ出しました。

状況No. 3。 ファイアウォールによってドロップされたパケット

 cbs-4000#show platform packet-trace summary Pkt Input Output State Reason 0 Gi0/0/0 Gi0/0/1.5 DROP 184 (FirewallPolicy)

パケットはドロップされます(DROP)。 その理由は、ファイアウォールポリシー(FirewallPolicy)です。

パッケージ処理トレース
 cbs-4000#show platform packet-trace packet 0 Packet: 0 CBUG ID: 36 Summary Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 State : DROP 184 (FirewallPolicy) Timestamp Start : 6516783739710881 ns (02/18/2017 17:59:16.560339 UTC) Stop : 6516783739809427 ns (02/18/2017 17:59:16.560438 UTC) Path Trace Feature: IPV4 Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Source : 192.168.20.8 Destination : 8.8.8.8 Protocol : 1 (ICMP) Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT Lapsed time : 8800 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE Lapsed time : 5440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME Lapsed time : 1600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4a140 - IPV4_INPUT_ACL Lapsed time : 47360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN Lapsed time : 1440 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 135 cft_bucket_number : 875224 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 56789 tuple.dst_port : 514 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 135 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY Lapsed time : 202560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP Lapsed time : 63360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS Lapsed time : 4640 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000084 input vrf_idx : 0 calling feature : FNF direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 135 cft_bucket_number : 875224 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 56789 tuple.dst_port : 514 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 135 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST Lapsed time : 20640 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST Lapsed time : 127360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e8c - IPV4_INPUT_VFR Lapsed time : 1440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS Lapsed time : 2720 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000080 input vrf_idx : 0 calling feature : CENT direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 135 cft_bucket_number : 875224 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 56789 tuple.dst_port : 514 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 135 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS Lapsed time : 43840 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7ff70 - IPV4_INPUT_PBR Lapsed time : 37120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS Lapsed time : 1280 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS Lapsed time : 4800 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL Lapsed time : 1760 ns Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL Lapsed time : 255680 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE Lapsed time : 2240 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE Lapsed time : 4160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e98 - IPV4_OUTPUT_VFR Lapsed time : 1760 ns Feature: ZBFW <================= Action : Drop <================= Reason : ICMP policy drop:classify result <================= Zone-pair name : in-out1 <================= Class-map name : class-default <================= Input interface : GigabitEthernet0/0/0 <================= Egress interface: GigabitEthernet0/0/1.5 <================= Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x81128eb8 - OUTPUT_DROP_EXT <================= Lapsed time : 640 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT <================= Lapsed time : 639200 ns

OUTPUT_DROP_EXT IPV4_OUTPUT_INSPECT , , . ZFW:

 Feature: ZBFW Action : Drop Reason : ICMP policy drop:classify result Zone-pair name : in-out1 Class-map name : class-default Input interface : GigabitEthernet0/0/0 Egress interface: GigabitEthernet0/0/1.5

Reason , , ICMP. , , — class-default.

№4. PBR

 cbs-4000#show platform packet-trace summary Pkt Input Output State Reason 0 Gi0/0/0 Gi0/0/1.6 FWD

(FWD). Gi0/0/1.6.

 cbs-4000#show platform packet-trace packet 0 Packet: 0 CBUG ID: 36 Summary Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 State : FWD Timestamp Start : 6517659109765260 ns (02/18/2017 18:13:51.930393 UTC) Stop : 6517659109927732 ns (02/18/2017 18:13:51.930556 UTC) Path Trace Feature: IPV4 Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Source : 192.168.20.8 Destination : 8.8.8.8 Protocol : 1 (ICMP) Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT Lapsed time : 10400 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE Lapsed time : 5440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME Lapsed time : 1600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4a140 - IPV4_INPUT_ACL Lapsed time : 265600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN Lapsed time : 3680 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 69 cft_bucket_number : 2000178 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 57521 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 69 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY Lapsed time : 223360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP Lapsed time : 85440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS Lapsed time : 3040 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000084 input vrf_idx : 0 calling feature : FNF direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 69 cft_bucket_number : 2000178 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 57521 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 69 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST Lapsed time : 19680 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST Lapsed time : 153600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e8c - IPV4_INPUT_VFR Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS Lapsed time : 2560 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000080 input vrf_idx : 0 calling feature : CENT direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 69 cft_bucket_number : 2000178 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 57521 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 69 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS Lapsed time : 49600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7ff70 - IPV4_INPUT_PBR <================= Lapsed time : 69760 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS Lapsed time : 1440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 <================= Output : GigabitEthernet0/0/1.6 <================= Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS Lapsed time : 7840 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL Lapsed time : 1600 ns Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL Lapsed time : 280480 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE Lapsed time : 3840 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE Lapsed time : 3840 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81131e98 - IPV4_OUTPUT_VFR Lapsed time : 5440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d858a0 - IPV4_OUTPUT_TCP_ADJUST_MSS Lapsed time : 1280 ns Feature: ZBFW Action : Fwd Zone-pair name : in-out2 Class-map name : CM-FW_in-out Input interface : GigabitEthernet0/0/0 Egress interface: GigabitEthernet0/0/1.6 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT Lapsed time : 789120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE Lapsed time : 11200 ns Feature: NAT Direction : IN to OUT Action : Translate Source Old Address : 192.168.20.8 New Address : 62.62.62.62 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA Lapsed time : 38400 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE Lapsed time : 4000 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81131e9c - IPV4_VFR_REFRAG Lapsed time : 800 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Output triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 71 cft_bucket_number : 2000178 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 62.62.62.62 tuple.dst_ip : 8.8.8.8 tuple.src_port : 57521 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 71 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT Lapsed time : 140160 ns Feature: IPSec Result : IPSEC_RESULT_DENY Action : SEND_CLEAR SA Handle : 0 Peer Addr : 8.8.8.8 Local Addr: 62.62.62.62 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY Lapsed time : 66400 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE Lapsed time : 3840 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE Lapsed time : 13440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81131e74 - IPV4_OUTPUT_SRC_LOOKUP_CONSUME Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81131ec4 - IPV4_OUTPUT_FRAG Lapsed time : 2240 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY Lapsed time : 18720 ns Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x80d6d914 - IPV4_OUTPUT_FNF_FINAL Lapsed time : 113440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.6 Entry : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT Lapsed time : 43680 ns

( ) PBR, . , , NAT'.

№5. VTI

172.28.0.1.

 cbs-4000#show platform packet-trace summary Pkt Input Output State Reason 0 Gi0/0/0 Gi0/0/1.5 FWD

(FWD). Gi0/0/1.5.

 cbs-4000#show platform packet-trace packet 0 Packet: 0 CBUG ID: 50 Summary Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1.5 State : FWD Timestamp Start : 6665377802839987 ns (02/20/2017 11:15:48.257340 UTC) Stop : 6665377803172303 ns (02/20/2017 11:15:48.257673 UTC) Path Trace Feature: IPV4 Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Source : 192.168.20.8 Destination : 172.28.0.1 Protocol : 1 (ICMP) Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT Lapsed time : 5600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE Lapsed time : 4160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME Lapsed time : 3040 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4a140 - IPV4_INPUT_ACL Lapsed time : 19840 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN Lapsed time : 1280 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 186 cft_bucket_number : 407373 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 172.28.0.1 tuple.src_port : 6603 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 186 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY Lapsed time : 296480 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP Lapsed time : 43040 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS Lapsed time : 2560 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000084 input vrf_idx : 0 calling feature : FNF direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 186 cft_bucket_number : 407373 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 172.28.0.1 tuple.src_port : 6603 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 186 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST Lapsed time : 20160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST Lapsed time : 134400 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e8c - IPV4_INPUT_VFR Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS Lapsed time : 3840 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000080 input vrf_idx : 0 calling feature : CENT direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 186 cft_bucket_number : 407373 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 172.28.0.1 tuple.src_port : 6603 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 186 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS Lapsed time : 45440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7ff70 - IPV4_INPUT_PBR Lapsed time : 14080 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS Lapsed time : 1280 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 <================= Output : Tunnel1 <================= Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS <================= Lapsed time : 5920 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL Lapsed time : 1600 ns Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: OCE_TRACE Type : OCE_ADJ_IPV4 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL Lapsed time : 245440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE Lapsed time : 1760 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE Lapsed time : 4160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x81131e98 - IPV4_OUTPUT_VFR Lapsed time : 3040 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d858a0 - IPV4_OUTPUT_TCP_ADJUST_MSS Lapsed time : 1280 ns Feature: ZBFW <================= Action : Fwd <================= Zone-pair name : N/A <================= Class-map name : N/A <================= Input interface : GigabitEthernet0/0/0 <================= Egress interface: Tunnel1 <================= Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT Lapsed time : 30080 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE Lapsed time : 2560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE Lapsed time : 1600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x81131e9c - IPV4_VFR_REFRAG Lapsed time : 800 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE Lapsed time : 7360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x81131ec4 - IPV4_OUTPUT_FRAG Lapsed time : 640 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d6e1b8 - IPV4_TUNNEL_OUTPUT_FNF_AOR Lapsed time : 3520 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d6d8e4 - IPV4_TUNNEL_OUTPUT_FNF_FINAL Lapsed time : 1440 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x80d6e640 - IPV4_TUNNEL_OUTPUT_FNF_AOR_RELEASE Lapsed time : 800 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d86ce8 - IPV4_TUNNEL_OUTPUT_FINAL Lapsed time : 20640 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d86d30 - IPV4_OUTPUT_TUNNEL_PROTECTION_ENCRYPT <================= Lapsed time : 7200 ns Feature: IPSec <================= Result : IPSEC_RESULT_SA <================= Action : ENCRYPT <================= SA Handle : 98 <================= Peer Addr : 188.188.188.188 <================= Local Addr: 87.87.87.87 <================= Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY_EXT Lapsed time : 44480 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d7641c - IPV4_OUTPUT_IPSEC_DOUBLE_ACL_EXT Lapsed time : 11200 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d763ec - IPV4_IPSEC_FEATURE_RETURN_EXT Lapsed time : 4960 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x8113ac50 - IPV4_OUTPUT_IPSEC_INLINE_FRAG_CHK_EXT Lapsed time : 7680 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d7635c - IPV4_OUTPUT_IPSEC_TUNNEL_RERUN_JUMP_EXT Lapsed time : 4480 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d764ac - IPV4_OUTPUT_IPSEC_POST_PROCESS_EXT Lapsed time : 12160 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d763ec - IPV4_IPSEC_FEATURE_RETURN_EXT Lapsed time : 1600 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d763ec - IPV4_IPSEC_FEATURE_RETURN_EXT Lapsed time : 1440 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d86cec - IPV4_TUNNEL_GOTO_OUTPUT Lapsed time : 11680 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d86d98 - IPV4_TUNNEL_FW_CHECK_EXT Lapsed time : 15040 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x81131e60 - IPV4_INPUT_DST_LOOKUP_ISSUE_EXT Lapsed time : 8480 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x81131eb8 - IPV4_INPUT_ARL_EXT Lapsed time : 5760 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x81131e6c - IPV4_INTERNAL_DST_LOOKUP_CONSUME_EXT Lapsed time : 2880 ns Feature: FIA_TRACE Input : Tunnel1 Output : Tunnel1 Entry : 0x80d86dc8 - IPV4_TUNNEL_ENCAP_FOR_US_EXT Lapsed time : 5600 ns Feature: FIA_TRACE Input : Tunnel1 <================= Output : GigabitEthernet0/0/1.5 <================= Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT <================= Lapsed time : 4000 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81131f20 - IPV4_TUNNEL_ENCAP_GOTO_OUTPUT_FEATURE_EXT Lapsed time : 11520 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e98 - IPV4_OUTPUT_VFR Lapsed time : 1440 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT Lapsed time : 5120 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE Lapsed time : 2240 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA Lapsed time : 6400 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE Lapsed time : 1440 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e9c - IPV4_VFR_REFRAG Lapsed time : 800 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Output triplet.vrf_idx : 0 triplet.network_start : 0x01004104 triplet.triplet_flags : 0x00000000 triplet.counter : 186 cft_bucket_number : 407373 cft_l3_payload_size : 100 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 87.87.87.87 tuple.dst_ip : 188.188.188.188 tuple.src_port : 6603 tuple.dst_port : 443 tuple.vrfid : 0 tuple.l4_protocol : 50 tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 186 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ipsec Classification ID: [CANA-L7:9] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT Lapsed time : 138080 ns Feature: IPSec <================= Result : IPSEC_RESULT_DENY <================= Action : SEND_CLEAR <================= SA Handle : 0 Peer Addr : 188.188.188.188 <================= Local Addr: 87.87.87.87 <================= Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY Lapsed time : 27840 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE Lapsed time : 2880 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE Lapsed time : 7520 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81131e74 - IPV4_OUTPUT_SRC_LOOKUP_CONSUME Lapsed time : 960 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81131ec4 - IPV4_OUTPUT_FRAG Lapsed time : 16800 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x8111ea94 - L2_REWRITE_AFTER_FRAG_WITHOUT_CLIP_EXT Lapsed time : 11520 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY Lapsed time : 12000 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x80d6d914 - IPV4_OUTPUT_FNF_FINAL Lapsed time : 108320 ns Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT Lapsed time : 49120 ns

, . :

 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : Tunnel1 Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS Lapsed time : 5920 ns

. , ( zone-pair):

 Feature: ZBFW Action : Fwd Zone-pair name : N/A Class-map name : N/A Input interface : GigabitEthernet0/0/0 Egress interface: Tunnel1

, .

 IPV4_OUTPUT_TUNNEL_PROTECTION_ENCRYPT Feature: IPSec Result : IPSEC_RESULT_SA Action : ENCRYPT SA Handle : 98 Peer Addr : 188.188.188.188 Local Addr: 87.87.87.87

, .

  Feature: FIA_TRACE Input : Tunnel1 Output : GigabitEthernet0/0/1.5 Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT Lapsed time : 4000 ns

, IPSec ( crypto-map). , IPSec .

 Feature: IPSec Result : IPSEC_RESULT_DENY Action : SEND_CLEAR SA Handle : 0 Peer Addr : 188.188.188.188 Local Addr: 87.87.87.87

№6. next-hop ( )

 cbs-4000#show platform packet-trace summary Pkt Input Output State Reason 0 Gi0/0/0 internal0/0/rp:0 PUNT 10 (Incomplete adjacency)

PUNT , CEF' (process switching). – adjacency next-hop (Incomplete adjacency). , .

 cbs-4000#show platform packet-trace packet 0 Packet: 0 CBUG ID: 55 Summary Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 State : PUNT 10 (Incomplete adjacency) Timestamp Start : 6668916530895154 ns (02/20/2017 12:14:46.985396 UTC) Stop : 6668916530979351 ns (02/20/2017 12:14:46.985480 UTC) Path Trace Feature: IPV4 Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Source : 192.168.20.8 Destination : 8.8.8.8 Protocol : 1 (ICMP) Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x8112bfbc - DEBUG_COND_INPUT_PKT Lapsed time : 9760 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE Lapsed time : 5920 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME Lapsed time : 3200 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4a140 - IPV4_INPUT_ACL Lapsed time : 15040 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME Lapsed time : 960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN Lapsed time : 1440 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x0000008c input vrf_idx : 0 calling feature : STILE direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 74 cft_bucket_number : 769995 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 443 tuple.dst_port : 55391 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 74 returned cft_error : 14 returned fid : 0x00000000 Feature: NBAR Packet number in flow: N/A Classification state: Final Classification name: ping Classification ID: [CANA-L7:479] Number of matched sub-classifications: 0 Number of extracted fields: 0 Is PA (split) packet: False TPH-MQC bitmask value: 0x0 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d83558 - IPV4_INPUT_STILE_LEGACY Lapsed time : 252800 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP Lapsed time : 48960 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d59618 - IPV4_INPUT_FME_PROCESS Lapsed time : 4000 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000084 input vrf_idx : 0 calling feature : FNF direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 74 cft_bucket_number : 769995 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.8 tuple.src_port : 443 tuple.dst_port : 55391 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 74 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST Lapsed time : 20640 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST Lapsed time : 127520 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x81131e8c - IPV4_INPUT_VFR Lapsed time : 1280 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS Lapsed time : 2560 ns Feature: CFT API : cft_handle_pkt packet capabilities : 0x00000080 input vrf_idx : 0 calling feature : CENT direction : Input triplet.vrf_idx : 0 triplet.network_start : 0x01003f8e triplet.triplet_flags : 0x00000000 triplet.counter : 74 cft_bucket_number : 769995 cft_l3_payload_size : 40 cft_pkt_ind_flags : 0x00000000 cft_pkt_ind_valid : 0x00000931 tuple.src_ip : 192.168.20.8 tuple.dst_ip : 8.8.8.7 tuple.src_port : 443 tuple.dst_port : 55391 tuple.vrfid : 0 tuple.l4_protocol : ICMP tuple.l3_protocol : IPV4 pkt_sb_state : 0 pkt_sb.num_flows : 0 pkt_sb.tuple_epoch : 74 returned cft_error : 14 returned fid : 0x00000000 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS Lapsed time : 39360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d7ff70 - IPV4_INPUT_PBR Lapsed time : 43680 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/0 Entry : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS Lapsed time : 1120 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 <================= Output : GigabitEthernet0/0/1 <================= Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS <================= Lapsed time : 135360 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 <================= Output : internal0/0/rp:0 <================= Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT <================= Lapsed time : 30240 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL_EXT Lapsed time : 8640 ns Feature: OCE_TRACE Type : OCE_ADJ_PUNT Feature: OCE_TRACE Type : OCE_ADJ_PUNT Feature: OCE_TRACE Type : OCE_ADJ_PUNT Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x80d6d974 - IPV4_INPUT_FNF_FINAL_EXT Lapsed time : 277600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE_EXT Lapsed time : 6720 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS_EXT Lapsed time : 2560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE_EXT Lapsed time : 11200 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x81131ef4 - IPV4_INTERNAL_ARL_SANITY_EXT Lapsed time : 10560 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x80d70b28 - IPV4_OUTPUT_INSPECT_EXT Lapsed time : 12160 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE_EXT Lapsed time : 1600 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x81131e9c - IPV4_VFR_REFRAG_EXT Lapsed time : 2240 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY_EXT Lapsed time : 24320 ns Feature: FIA_TRACE Input : GigabitEthernet0/0/0 <================= Output : internal0/0/rp:0 <================= Entry : 0x8112ce90 - INTERNAL_TRANSMIT_PKT_EXT <================= Lapsed time : 137440 ns

:

 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : GigabitEthernet0/0/1 Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS Lapsed time : 135360 ns

CEF , (internal0/0/rp:0):

 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT Lapsed time : 30240 ns

, (INTERNAL_TRANSMIT):

 Feature: FIA_TRACE Input : GigabitEthernet0/0/0 Output : internal0/0/rp:0 Entry : 0x8112ce90 - INTERNAL_TRANSMIT_PKT_EXT Lapsed time : 137440 ns

Packet Trace QFP. , , . debug ip packet. .

おわりに

, IOS XE Packet Trace , . , , , show debug.

– (packet capture). IOS XE IOS.

Packet capture
:
 monitor capture CAP access-list 199 monitor capture CAP interface GigabitEthernet0/0/0 in monitor capture CAP start
, , :
 monitor capture CAP stop monitor capture CAP export tftp://10.0.0.1/CAP.pcap no monitor capture CAP

Source: https://habr.com/ru/post/J323080/

More articles:


All Articles