The Fate of a Packet. Cisco IOS XE

at 7:16, categories: acl, CEF, Cisco, IOS XE, ipsec, packet trace, Pbr, VTI, CBS company blog, Network technologies


Troubleshooting many problems on a Cisco router running IOS XE can start with Packet Trace. It traces how a packet is processed inside the router, and it appeared fairly recently. Previously this functionality was available only on ASA firewalls. Anyone who has used packet-tracer on the ASA will agree that it is a very convenient tool. Now its counterpart is available on modern routers as well (ISR 4000, ASR, CRS).

I will build this note around live examples. That is the easiest way to get a feel for IOS-XE Packet Trace. The details can always be found on the vendor's site. Unfortunately, there is not much information there on this topic yet. As we dig in, you will see what I mean.

Our test subject is an ISR 4000 router (I have already written on Habr about the specifics of the ISR 4000 and IOS XE). A number of technologies are configured on it: static routing, PfR, PBR, address translation (NAT), the ZFW firewall, interface ACLs, Flexible NetFlow, NBAR2, IPSec, GRE, VTI and more. All of this makes the trace richer and closer to real-world operation.

There are many technologies, and each has its own debugging method. Packet Trace is exactly what helps you avoid wasting time and determine right away where to look for the cause of a problem.

We will follow an ICMP packet (echo request) sent from 192.168.20.8 to 8.8.8.8.

Enabling the trace consists of two parts. First we start the conditional debugger (conditional debug). This is where we specify which packets we are interested in. In our case it is the traffic described by ACL 199 and arriving at the router through interface GigabitEthernet0/0/0:

access-list 199 permit icmp host 192.168.20.8 host 8.8.8.8
debug platform condition interf GigabitEthernet0/0/0 ipv4 access-list 199 ingress
debug platform condition start

The conditional debugger is not used only for packet trace. It lets you filter log messages and debug messages efficiently at the moment they are generated. We can set conditions and see only the records that concern what we need.

Next we enable packet trace itself. We specify the buffer and the trace depth. The minimum is 16 packets. The depth is either basic (path-trace) or extended (fia-trace). With the extended depth we get detailed output on the operation of every function inside the QFP process, which is what handles packet forwarding (the datapath).

debug platform packet-trace packet 16 fia-trace
debug platform packet-trace enable

Compared with ASA packet-tracer, the syntax is admittedly less convenient.

ASA packet-tracer can generate packets itself and then trace them. IOS-XE Packet Trace cannot do that. For it to work, the packet has to arrive from somewhere.
Commands for cleaning up. They will come in handy once we are done.

no debug platform packet-trace enable
clear platform packet-trace statistics
clear platform condition all

Everything is configured. We start a ping so that the packet we need passes through the router.
Then we look at the summary of the packets that were caught by packet trace.

cbs-4000#show platform packet-trace summary
Pkt   Input             Output            State  Reason
0     Gi0/0/0           Gi0/0/1.5         FWD 

There is only one. It arrived through interface Gi0/0/0 and was forwarded (state FWD) through Gi0/0/1.5.

Now we look at the trace of how it was processed:

cbs-4000#show platform packet-trace packet 0
Packet: 0           CBUG ID: 8
Summary
  Input     : GigabitEthernet0/0/0
  Output    : GigabitEthernet0/0/1.5
  State     : FWD 
  Timestamp
    Start   : 6495209991683323 ns (02/18/2017 11:59:43.176192 UTC)
    Stop    : 6495209991814307 ns (02/18/2017 11:59:43.176323 UTC)
Path Trace
  Feature: IPV4                                             <=================
    Input       : GigabitEthernet0/0/0                      <=================
    Output      : GigabitEthernet0/0/0                      <=================
    Source      : 192.168.20.8                              <=================
    Destination : 8.8.8.8                                   <=================
    Protocol    : 1 (ICMP)                                  <=================
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x8112bfbc - DEBUG_COND_INPUT_PKT
    Lapsed time : 4960 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
    Lapsed time : 5280 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
    Lapsed time : 1600 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4a140 - IPV4_INPUT_ACL
    Lapsed time : 40160 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
    Lapsed time : 960 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
    Lapsed time : 1440 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x0000008c
    input vrf_idx         : 0
    calling feature       : STILE
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 236
    cft_bucket_number     : 566799
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8                  <=================
    tuple.dst_ip          : 8.8.8.8                       <=================
    tuple.src_port        : 61609                         <=================
    tuple.dst_port        : 161                           <=================
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP                          <=================
    tuple.l3_protocol     : IPV4                          <=================
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 236
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: NBAR
    Packet number in flow: N/A
    Classification state: Final
    Classification name: ping
    Classification ID: [CANA-L7:479]
    Number of matched sub-classifications: 0
    Number of extracted fields: 0
    Is PA (split) packet: False
    TPH-MQC bitmask value: 0x0
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
    Lapsed time : 226240 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
    Lapsed time : 66880 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d59618 - IPV4_INPUT_FME_PROCESS
    Lapsed time : 2560 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x00000084
    input vrf_idx         : 0
    calling feature       : FNF
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 236
    cft_bucket_number     : 566799
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 61609
    tuple.dst_port        : 161
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 236
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
    Lapsed time : 21120 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
    Lapsed time : 119520 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e8c - IPV4_INPUT_VFR
    Lapsed time : 1280 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
    Lapsed time : 3840 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x00000080
    input vrf_idx         : 0
    calling feature       : CENT
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 236
    cft_bucket_number     : 566799
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 61609
    tuple.dst_port        : 161
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 236
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
    Lapsed time : 40640 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d7ff70 - IPV4_INPUT_PBR              <=================
    Lapsed time : 34720 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS   <=================     
    Lapsed time : 2560 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0                     <=================
    Output      : GigabitEthernet0/0/1.5                   <=================
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS   <=================
    Lapsed time : 4160 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL
    Lapsed time : 1280 ns
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d6d974 - IPV4_INPUT_FNF_FINAL
    Lapsed time : 218880 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE
    Lapsed time : 2560 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS
    Lapsed time : 1120 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE
    Lapsed time : 4480 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131e98 - IPV4_OUTPUT_VFR
    Lapsed time : 1920 ns
  Feature: ZBFW                                            <=================
    Action  : Fwd                                          <=================
    Zone-pair name  : in-out1                              <=================
    Class-map name  : CM-FW_in-out                         <=================
    Input interface : GigabitEthernet0/0/0                 <=================
    Egress interface: GigabitEthernet0/0/1.5               <=================
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d70b28 - IPV4_OUTPUT_INSPECT
    Lapsed time : 721760 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE
    Lapsed time : 3680 ns
  Feature: NAT                                             <=================
    Direction   : IN to OUT                                <=================
    Action      : Translate Source                         <=================
    Old Address : 192.168.20.8  00001                      <=================
    New Address : 87.87.87.87 00033                        <=================
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA
    Lapsed time : 54880 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE
    Lapsed time : 1600 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131e9c - IPV4_VFR_REFRAG
    Lapsed time : 960 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x0000008c
    input vrf_idx         : 0
    calling feature       : STILE
    direction             : Output
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 238
    cft_bucket_number     : 566799
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 87.87.87.87
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 61609
    tuple.dst_port        : 161
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 238
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: NBAR
    Packet number in flow: N/A
    Classification state: Final
    Classification name: ping
    Classification ID: [CANA-L7:479]
    Number of matched sub-classifications: 0
    Number of extracted fields: 0
    Is PA (split) packet: False
    TPH-MQC bitmask value: 0x0
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT
    Lapsed time : 137600 ns
  Feature: IPSec                                            <=================
    Result    : IPSEC_RESULT_DENY                           <=================
    Action    : SEND_CLEAR                                  <=================
    SA Handle : 0    
    Peer Addr : 8.8.8.8                                     <=================
    Local Addr: 87.87.87.87                                 <=================
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY
    Lapsed time : 50560 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE
    Lapsed time : 7040 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE
    Lapsed time : 7040 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131e74 - IPV4_OUTPUT_SRC_LOOKUP_CONSUME
    Lapsed time : 1120 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131ec4 - IPV4_OUTPUT_FRAG
    Lapsed time : 960 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY
    Lapsed time : 13600 ns
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d6d914 - IPV4_OUTPUT_FNF_FINAL
    Lapsed time : 112800 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT
    Lapsed time : 41440 ns

The size of the trace depends directly on the configured features. If we had only routing, there would be considerably less data.

Some of the names are self-explanatory. But there are stages that are rather hard to decode. The vendor's documentation is not much help here yet.

Let us pick out the most interesting points.

1. Information identifying our data flow:

Feature: CFT
    …
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 61609
    tuple.dst_port        : 161
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4

The data is stored in the CFT (Common Flow Table). It is used by technologies that work with per-flow information (Netflow, NBAR, PfR and others). The CFT is needed to avoid storing redundant information.

2. Determining the outbound interface:

When the packet has only just arrived at the router, the outbound interface is not yet determined. The inbound interface is substituted in its place:


Feature: IPV4
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Source      : 192.168.20.8
    Destination : 8.8.8.8
    Protocol    : 1 (ICMP)

Once it has been determined where to send the packet next (the routing function has run), the outbound interface changes:

  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
    Lapsed time : 4160 ns

3. Data on how the ZFW firewall processed the packet:

  Feature: ZBFW
    Action  : Fwd
    Zone-pair name  : in-out1
    Class-map name  : CM-FW_in-out
    Input interface : GigabitEthernet0/0/0
    Egress interface: GigabitEthernet0/0/1.5

We can see at once which zones the packet passed between and which class it matched. This is quite convenient, because a ZFW configuration is often very tangled.

4. Information about address translation:

  Feature: NAT
    Direction   : IN to OUT
    Action      : Translate Source
    Old Address : 192.168.20.8  00001
    New Address : 87.87.87.87 00033

The source address in the packet was replaced with 87.87.87.87.

5. Since IPSec is configured on our router, the trace notes whether the packet went into it:

  Feature: IPSec
    Result    : IPSEC_RESULT_DENY
    Action    : SEND_CLEAR
    SA Handle : 0
    Peer Addr : 8.8.8.8
    Local Addr: 87.87.87.87

No, it did not.

The traces contain quite a lot of additional information. For example, IPV4_INPUT_PBR signals that the packet passed through PBR. But this section does not tell us whether PBR was actually applied or the packet was handed over to the standard routing rules. In our case the packet did not match the PBR rules. The IPV4_INPUT_TCP_ADJUST_MSS entry tells us that the ip tcp adjust-mss command is configured on the interface. As in the previous example, we get no further details.

Most of the information the device prints is of no interest. That changes, however, when something goes wrong with the packet.

Case 1. The packet is dropped by an ACL on the inbound interface

cbs-4000#show platform packet-trace summary
Pkt   Input             Output            State  Reason
0     Gi0/0/0           Gi0/0/0           DROP   8   (Ipv4Acl)

The packet was dropped (DROP) because an ACL matched (Ipv4Acl).

Packet processing trace

cbs-4000#show platform packet-trace packet 0
Packet: 0           CBUG ID: 35
Summary
  Input     : GigabitEthernet0/0/0
  Output    : GigabitEthernet0/0/0
  State     : DROP 8   (Ipv4Acl)
  Timestamp
    Start   : 6515970748260480 ns (02/18/2017 17:45:43.568889 UTC)
    Stop    : 6515970748313558 ns (02/18/2017 17:45:43.568942 UTC)
Path Trace
  Feature: IPV4
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Source      : 192.168.20.8
    Destination : 8.8.8.8
    Protocol    : 1 (ICMP)
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x8112bfbc - DEBUG_COND_INPUT_PKT
    Lapsed time : 6560 ns
  Feature: FIA_TRACE                               
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
    Lapsed time : 5920 ns                              
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
    Lapsed time : 1440 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d8375c - STILE_LEGACY_DROP_EXT
    Lapsed time : 3680 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d7b554 - INGRESS_MMA_LOOKUP_DROP_EXT
    Lapsed time : 63040 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d6e0f8 - INPUT_DROP_FNF_AOR_EXT
    Lapsed time : 8320 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d6dc44 - INPUT_FNF_DROP_EXT
    Lapsed time : 324800 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d6e6c8 - INPUT_DROP_FNF_AOR_RELEASE_EXT
    Lapsed time : 8320 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81128ebc - INPUT_DROP_EXT                 <=================
    Lapsed time : 1920 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4a140 - IPV4_INPUT_ACL                 <=================
    Lapsed time : 794240 ns

INPUT_DROP_EXT and IPV4_INPUT_ACL tell us that the packet was dropped on the inbound interface. The traces turned out short, like the packet's life.
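The reading done by eye in the five points above and in this drop case (where the output interface changes, the ZBFW, NAT and IPSec verdicts, the drop reason and the last FIA entry) can be scripted over saved `show platform packet-trace packet N` output. This is an added example, not code from the original article or from Cisco; `parse_trace`, `digest` and the two sample strings are hypothetical names, and the samples are abridged from the traces on this page.

```python
import re

# Constructed samples, abridged from the traces shown in this article.
FWD_TRACE = """\
Packet: 0           CBUG ID: 8
Summary
  State     : FWD
Path Trace
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4a140 - IPV4_INPUT_ACL
    Lapsed time : 40160 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0                     <=================
    Output      : GigabitEthernet0/0/1.5                   <=================
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS   <=================
    Lapsed time : 4160 ns
  Feature: ZBFW
    Action  : Fwd
    Zone-pair name  : in-out1
    Class-map name  : CM-FW_in-out
  Feature: NAT
    Action      : Translate Source
    Old Address : 192.168.20.8  00001
    New Address : 87.87.87.87 00033
  Feature: IPSec
    Result    : IPSEC_RESULT_DENY
    Action    : SEND_CLEAR
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT
    Lapsed time : 41440 ns
"""
DROP_TRACE = """\
Packet: 0           CBUG ID: 35
Summary
  State     : DROP 8   (Ipv4Acl)
Path Trace
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81128ebc - INPUT_DROP_EXT
    Lapsed time : 1920 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4a140 - IPV4_INPUT_ACL
    Lapsed time : 794240 ns
"""

ARROW = re.compile(r"\s*<=+\s*$")              # the article's hand-added highlights
DROP_RE = re.compile(r"DROP\s+(\d+)\s+\((\w+)\)")

def entry_name(block):
    """'0x80d4a140 - IPV4_INPUT_ACL' -> 'IPV4_INPUT_ACL'."""
    return block["Entry"].split(" - ", 1)[-1]

def parse_trace(text):
    """Return (Summary state, ordered list of feature blocks as dicts)."""
    state, feats, cur = None, [], None
    for raw in text.splitlines():
        line = ARROW.sub("", raw).strip()
        if line.startswith("Feature:"):
            cur = {"feature": line.split(":", 1)[1].strip()}
            feats.append(cur)
        elif ":" in line:
            key, val = (p.strip() for p in line.split(":", 1))
            if cur is not None:
                cur[key] = val            # field of the current feature block
            elif key == "State":
                state = val               # Summary section, before any feature
    return state, feats

def digest(text):
    """Pull out the points the article reads by eye from a full trace."""
    state, feats = parse_trace(text)
    fia = [f for f in feats if f["feature"] == "FIA_TRACE" and "Entry" in f]
    # Output equals Input until the routing lookup has run (point 2 above).
    # Limit: traffic routed back out of its ingress interface looks unrouted.
    routed = next((entry_name(f) for f in fia
                   if f.get("Output") != f.get("Input")), None)
    last = {f["feature"]: f for f in feats}    # last block seen per feature
    nat, fw, ipsec = last.get("NAT"), last.get("ZBFW"), last.get("IPSec")
    drop = DROP_RE.search(state or "")
    return {
        "state": state.split()[0] if state else None,
        "drop_reason": drop.groups() if drop else None,
        "routed_at": routed,
        "last_entry": entry_name(fia[-1]) if fia else None,
        "nat": (nat["Old Address"].split()[0],
                nat["New Address"].split()[0]) if nat else None,
        "zbfw": (fw["Action"], fw["Zone-pair name"],
                 fw["Class-map name"]) if fw else None,
        "ipsec": (ipsec["Result"], ipsec["Action"]) if ipsec else None,
    }

if __name__ == "__main__":
    for label, trace in (("forwarded", FWD_TRACE), ("dropped", DROP_TRACE)):
        print(label, digest(trace))
```

For the dropped packet `routed_at` is empty and `last_entry` is IPV4_INPUT_ACL, which is the same conclusion the trace above leads to: the ACL discarded the packet before an outbound interface was chosen.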

Case 2. The packet is dropped by an ACL on the outbound interface

cbs-4000#show platform packet-trace summary
Pkt   Input             Output            State  Reason
0     Gi0/0/0           Gi0/0/1.5         DROP   8   (Ipv4Acl)

Once again the packet was not forwarded (DROP) because of an ACL (Ipv4Acl). This time, though, the outbound interface shown is Gi0/0/1.5.

Packet processing trace

cbs-4000#show platform packet-trace packet 0
Packet: 0           CBUG ID: 33
Summary
  Input     : GigabitEthernet0/0/0
  Output    : GigabitEthernet0/0/0
  State     : DROP 8   (Ipv4Acl)
  Timestamp
    Start   : 6515547984424423 ns (02/18/2017 17:38:40.479689 UTC)
    Stop    : 6515547984571057 ns (02/18/2017 17:38:40.479835 UTC)
Path Trace
  Feature: IPV4
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Source      : 192.168.20.8
    Destination : 8.8.8.8
    Protocol    : 1 (ICMP)
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x8112bfbc - DEBUG_COND_INPUT_PKT
    Lapsed time : 8320 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
    Lapsed time : 4320 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
    Lapsed time : 3520 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4a140 - IPV4_INPUT_ACL
    Lapsed time : 43360 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
    Lapsed time : 960 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
    Lapsed time : 1280 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x0000008c
    input vrf_idx         : 0
    calling feature       : STILE
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 5
    cft_bucket_number     : 1591662
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 443
    tuple.dst_port        : 57521
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 5
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: NBAR
    Packet number in flow: N/A
    Classification state: Final
    Classification name: ping
    Classification ID: [CANA-L7:479]
    Number of matched sub-classifications: 0
    Number of extracted fields: 0
    Is PA (split) packet: False
    TPH-MQC bitmask value: 0x0
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
    Lapsed time : 222240 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
    Lapsed time : 67200 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d59618 - IPV4_INPUT_FME_PROCESS
    Lapsed time : 2240 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x00000084
    input vrf_idx         : 0
    calling feature       : FNF
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 5
    cft_bucket_number     : 1591662
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 443
    tuple.dst_port        : 57521
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 5
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
    Lapsed time : 22080 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
    Lapsed time : 136320 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e8c - IPV4_INPUT_VFR
    Lapsed time : 1280 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
    Lapsed time : 2560 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x00000080
    input vrf_idx         : 0
    calling feature       : CENT
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 5
    cft_bucket_number     : 1591662
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 443
    tuple.dst_port        : 57521
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 5
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
    Lapsed time : 40160 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d7ff70 - IPV4_INPUT_PBR
    Lapsed time : 39520 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS
    Lapsed time : 1120 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
    Lapsed time : 4320 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL
    Lapsed time : 1920 ns
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d6d974 - IPV4_INPUT_FNF_FINAL
    Lapsed time : 274240 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE
    Lapsed time : 2400 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS
    Lapsed time : 1120 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE
    Lapsed time : 2880 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131e98 - IPV4_OUTPUT_VFR
    Lapsed time : 1600 ns
  Feature: ZBFW
    Action  : Fwd
    Zone-pair name  : in-out1
    Class-map name  : CM-FW_in-out
    Input interface : GigabitEthernet0/0/0
    Egress interface: GigabitEthernet0/0/1.5
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d70b28 - IPV4_OUTPUT_INSPECT
    Lapsed time : 989760 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE
    Lapsed time : 2720 ns
  Feature: NAT
    Direction   : IN to OUT
    Action      : Translate Source
    Old Address : 192.168.20.8  00001
    New Address : 87.87.87.87 00036
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA
    Lapsed time : 36800 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE
    Lapsed time : 3200 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131e9c - IPV4_VFR_REFRAG
    Lapsed time : 1120 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x0000008c
    input vrf_idx         : 0
    calling feature       : STILE
    direction             : Output
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 7
    cft_bucket_number     : 1591662
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 87.87.87.87
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 443
    tuple.dst_port        : 57521
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 7
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: NBAR
    Packet number in flow: N/A
    Classification state: Final
    Classification name: ping
    Classification ID: [CANA-L7:479]
    Number of matched sub-classifications: 0
    Number of extracted fields: 0
    Is PA (split) packet: False
    TPH-MQC bitmask value: 0x0
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT
    Lapsed time : 141920 ns
  Feature: IPSec
    Result    : IPSEC_RESULT_DENY
    Action    : SEND_CLEAR
    SA Handle : 0
    Peer Addr : 8.8.8.8
    Local Addr: 87.87.87.87
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY
    Lapsed time : 46080 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE
    Lapsed time : 2560 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81128eb8 - OUTPUT_DROP_EXT                  <=================
    Lapsed time : 3360 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d4a144 - IPV4_OUTPUT_ACL                  <=================
    Lapsed time : 121760 ns

At the very end of the trace we find what happened to the packet: OUTPUT_DROP_EXT and IPV4_OUTPUT_ACL. The packet had almost escaped the router's clutches, as shown by the fact that it passed most of the processing stages.

Situation No. 3. The packet is dropped by the firewall

cbs-4000#show platform packet-trace summary
Pkt   Input             Output            State  Reason
0     Gi0/0/0           Gi0/0/1.5         DROP   184 (FirewallPolicy)

The packet is dropped (DROP). The reason is the firewall policy (FirewallPolicy).

Packet processing trace

cbs-4000#show platform packet-trace packet 0
Packet: 0           CBUG ID: 36
Summary
  Input     : GigabitEthernet0/0/0
  Output    : GigabitEthernet0/0/1.5
  State     : DROP 184 (FirewallPolicy)
  Timestamp
    Start   : 6516783739710881 ns (02/18/2017 17:59:16.560339 UTC)
    Stop    : 6516783739809427 ns (02/18/2017 17:59:16.560438 UTC)
Path Trace
  Feature: IPV4
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Source      : 192.168.20.8
    Destination : 8.8.8.8
    Protocol    : 1 (ICMP)
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x8112bfbc - DEBUG_COND_INPUT_PKT
    Lapsed time : 8800 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
    Lapsed time : 5440 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
    Lapsed time : 1600 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4a140 - IPV4_INPUT_ACL
    Lapsed time : 47360 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
    Lapsed time : 960 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
    Lapsed time : 1440 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x0000008c
    input vrf_idx         : 0
    calling feature       : STILE
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 135
    cft_bucket_number     : 875224
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 56789
    tuple.dst_port        : 514
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 135
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: NBAR
    Packet number in flow: N/A
    Classification state: Final
    Classification name: ping
    Classification ID: [CANA-L7:479]
    Number of matched sub-classifications: 0
    Number of extracted fields: 0
    Is PA (split) packet: False
    TPH-MQC bitmask value: 0x0
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
    Lapsed time : 202560 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
    Lapsed time : 63360 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d59618 - IPV4_INPUT_FME_PROCESS
    Lapsed time : 4640 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x00000084
    input vrf_idx         : 0
    calling feature       : FNF
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 135
    cft_bucket_number     : 875224
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 56789
    tuple.dst_port        : 514
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 135
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
    Lapsed time : 20640 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
    Lapsed time : 127360 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e8c - IPV4_INPUT_VFR
    Lapsed time : 1440 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
    Lapsed time : 2720 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x00000080
    input vrf_idx         : 0
    calling feature       : CENT
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 135
    cft_bucket_number     : 875224
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 56789
    tuple.dst_port        : 514
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 135
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
    Lapsed time : 43840 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d7ff70 - IPV4_INPUT_PBR
    Lapsed time : 37120 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS
    Lapsed time : 1280 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
    Lapsed time : 4800 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL
    Lapsed time : 1760 ns
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d6d974 - IPV4_INPUT_FNF_FINAL
    Lapsed time : 255680 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE
    Lapsed time : 2240 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS
    Lapsed time : 960 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE
    Lapsed time : 4160 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131e98 - IPV4_OUTPUT_VFR
    Lapsed time : 1760 ns
  Feature: ZBFW                                           <=================
    Action  : Drop                                        <=================
    Reason  : ICMP policy drop:classify result            <=================                 
    Zone-pair name  : in-out1                             <=================
    Class-map name  : class-default                       <=================
    Input interface : GigabitEthernet0/0/0                <=================
    Egress interface: GigabitEthernet0/0/1.5              <=================
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81128eb8 - OUTPUT_DROP_EXT            <=================
    Lapsed time : 640 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d70b28 - IPV4_OUTPUT_INSPECT        <=================
    Lapsed time : 639200 ns

The OUTPUT_DROP_EXT and IPV4_OUTPUT_INSPECT entries show that the packet was dropped by the inspection policy, which is exactly what the firewall enforces. The details are in the ZFW block:

Feature: ZBFW
    Action  : Drop
    Reason  : ICMP policy drop:classify result
    Zone-pair name  : in-out1
    Class-map name  : class-default
    Input interface : GigabitEthernet0/0/0
    Egress interface: GigabitEthernet0/0/1.5

Reason tells us that the packet was classified as ICMP. The class the packet fell into, and where it was dropped, is class-default.
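One way to pull this verdict out of a saved trace automatically, as an added example that is not part of the original article: the parser below splits `show platform packet-trace packet N` output into feature blocks and reports the final state, the stage printed after OUTPUT_DROP_EXT, the ZBFW drop details, and the first stage where Output differs from Input. The function names and the abridged sample are constructed for this illustration, and the stage-order rules are assumptions taken from the traces shown on this page.

```python
import re

# Constructed sample: an abridged copy of the firewall-drop trace shown above.
SAMPLE_TRACE = """\
Packet: 0           CBUG ID: 36
Summary
  Input     : GigabitEthernet0/0/0
  Output    : GigabitEthernet0/0/1.5
  State     : DROP 184 (FirewallPolicy)
Path Trace
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d7ff70 - IPV4_INPUT_PBR
    Lapsed time : 37120 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
    Lapsed time : 4800 ns
  Feature: ZBFW                                           <=================
    Action  : Drop                                        <=================
    Reason  : ICMP policy drop:classify result            <=================
    Zone-pair name  : in-out1                             <=================
    Class-map name  : class-default                       <=================
    Input interface : GigabitEthernet0/0/0                <=================
    Egress interface: GigabitEthernet0/0/1.5              <=================
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81128eb8 - OUTPUT_DROP_EXT            <=================
    Lapsed time : 640 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d70b28 - IPV4_OUTPUT_INSPECT        <=================
    Lapsed time : 639200 ns
"""

ARROW = re.compile(r"\s*<=+\s*$")             # the article's "<====" highlight marks
FIELD = re.compile(r"^\s+(.+?)\s*:\s*(.*)$")  # indented "key : value" line


def parse_trace(text):
    """Split one packet trace into (summary fields, ordered feature blocks)."""
    summary, features, current = {}, [], None
    for raw in text.splitlines():
        line = ARROW.sub("", raw).rstrip()
        if line.strip().startswith("Feature:"):
            current = {"Feature": line.split(":", 1)[1].strip()}
            features.append(current)
            continue
        match = FIELD.match(line)
        if match:
            target = summary if current is None else current
            target[match.group(1)] = match.group(2).strip()
    return summary, features


def stage(block):
    """Name of the FIA stage, e.g. 'IPV4_OUTPUT_INSPECT' from 'Entry: 0x... - NAME'."""
    return block.get("Entry", "").rpartition(" - ")[2] or None


def verdict(text):
    """Summarise a trace: state, drop stage, ZBFW drop details, egress decision."""
    summary, features = parse_trace(text)
    state = summary.get("State", "").split()
    reason = re.search(r"\((.+)\)", summary.get("State", ""))
    fia = [b for b in features if b["Feature"] == "FIA_TRACE"]
    result = {"state": state[0] if state else None,
              "reason": reason.group(1) if reason else None,
              "dropped_at": None, "egress_chosen_at": None, "zbfw_drop": None}
    # Assumption from this page's traces: the entry printed right after
    # OUTPUT_DROP_EXT names the stage that dropped the packet.
    for prev, nxt in zip(fia, fia[1:]):
        if stage(prev) == "OUTPUT_DROP_EXT":
            result["dropped_at"] = stage(nxt)
    # First stage whose Output differs from Input: egress interface chosen here.
    for block in fia:
        if block.get("Output") and block.get("Output") != block.get("Input"):
            result["egress_chosen_at"] = stage(block)
            break
    for block in features:
        if block["Feature"] == "ZBFW" and block.get("Action") == "Drop":
            result["zbfw_drop"] = {k: block.get(k) for k in
                                   ("Reason", "Zone-pair name", "Class-map name")}
    return result


if __name__ == "__main__":
    for key, value in verdict(SAMPLE_TRACE).items():
        print(f"{key:17}: {value}")
```

A trace that is cut off right after OUTPUT_DROP_EXT leaves `dropped_at` empty rather than guessing the stage.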

Situation No. 4. The packet is routed by PBR rules

cbs-4000#show platform packet-trace summary
Pkt   Input             Output            State  Reason
0     Gi0/0/0           Gi0/0/1.6         FWD

The packet is forwarded (FWD). The outgoing interface is now Gi0/0/1.6.

Packet processing trace

cbs-4000#show platform packet-trace packet 0
Packet: 0           CBUG ID: 36
Summary
  Input     : GigabitEthernet0/0/0
  Output    : GigabitEthernet0/0/1.6
  State     : FWD 
  Timestamp
    Start   : 6517659109765260 ns (02/18/2017 18:13:51.930393 UTC)
    Stop    : 6517659109927732 ns (02/18/2017 18:13:51.930556 UTC)
Path Trace
  Feature: IPV4
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Source      : 192.168.20.8
    Destination : 8.8.8.8
    Protocol    : 1 (ICMP)
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x8112bfbc - DEBUG_COND_INPUT_PKT
    Lapsed time : 10400 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
    Lapsed time : 5440 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
    Lapsed time : 1600 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4a140 - IPV4_INPUT_ACL
    Lapsed time : 265600 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
    Lapsed time : 1120 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
    Lapsed time : 3680 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x0000008c
    input vrf_idx         : 0
    calling feature       : STILE
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 69
    cft_bucket_number     : 2000178
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 57521
    tuple.dst_port        : 443
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 69
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: NBAR
    Packet number in flow: N/A
    Classification state: Final
    Classification name: ping
    Classification ID: [CANA-L7:479]
    Number of matched sub-classifications: 0
    Number of extracted fields: 0
    Is PA (split) packet: False
    TPH-MQC bitmask value: 0x0
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
    Lapsed time : 223360 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
    Lapsed time : 85440 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d59618 - IPV4_INPUT_FME_PROCESS
    Lapsed time : 3040 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x00000084
    input vrf_idx         : 0
    calling feature       : FNF
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 69
    cft_bucket_number     : 2000178
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 57521
    tuple.dst_port        : 443
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 69
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
    Lapsed time : 19680 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
    Lapsed time : 153600 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e8c - IPV4_INPUT_VFR
    Lapsed time : 1120 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
    Lapsed time : 2560 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x00000080
    input vrf_idx         : 0
    calling feature       : CENT
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 69
    cft_bucket_number     : 2000178
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 57521
    tuple.dst_port        : 443
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 69
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
    Lapsed time : 49600 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d7ff70 - IPV4_INPUT_PBR              <=================
    Lapsed time : 69760 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS
    Lapsed time : 1440 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0                     <=================
    Output      : GigabitEthernet0/0/1.6                   <=================
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
    Lapsed time : 7840 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL
    Lapsed time : 1600 ns
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x80d6d974 - IPV4_INPUT_FNF_FINAL
    Lapsed time : 280480 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE
    Lapsed time : 3840 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS
    Lapsed time : 960 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE
    Lapsed time : 3840 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x81131e98 - IPV4_OUTPUT_VFR
    Lapsed time : 5440 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x80d858a0 - IPV4_OUTPUT_TCP_ADJUST_MSS
    Lapsed time : 1280 ns
  Feature: ZBFW
    Action  : Fwd
    Zone-pair name  : in-out2
    Class-map name  : CM-FW_in-out
    Input interface : GigabitEthernet0/0/0
    Egress interface: GigabitEthernet0/0/1.6
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x80d70b28 - IPV4_OUTPUT_INSPECT
    Lapsed time : 789120 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE
    Lapsed time : 11200 ns
  Feature: NAT
    Direction   : IN to OUT
    Action      : Translate Source
    Old Address : 192.168.20.8
    New Address : 62.62.62.62
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA
    Lapsed time : 38400 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE
    Lapsed time : 4000 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x81131e9c - IPV4_VFR_REFRAG
    Lapsed time : 800 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x0000008c
    input vrf_idx         : 0
    calling feature       : STILE
    direction             : Output
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 71
    cft_bucket_number     : 2000178
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 62.62.62.62
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 57521
    tuple.dst_port        : 443
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 71
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: NBAR
    Packet number in flow: N/A
    Classification state: Final
    Classification name: ping
    Classification ID: [CANA-L7:479]
    Number of matched sub-classifications: 0
    Number of extracted fields: 0
    Is PA (split) packet: False
    TPH-MQC bitmask value: 0x0
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT
    Lapsed time : 140160 ns
  Feature: IPSec
    Result    : IPSEC_RESULT_DENY
    Action    : SEND_CLEAR
    SA Handle : 0
    Peer Addr : 8.8.8.8
    Local Addr: 62.62.62.62
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY
    Lapsed time : 66400 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE
    Lapsed time : 3840 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE
    Lapsed time : 13440 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x81131e74 - IPV4_OUTPUT_SRC_LOOKUP_CONSUME
    Lapsed time : 1120 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x81131ec4 - IPV4_OUTPUT_FRAG
    Lapsed time : 2240 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY
    Lapsed time : 18720 ns
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x80d6d914 - IPV4_OUTPUT_FNF_FINAL
    Lapsed time : 113440 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1.6
    Entry       : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT
    Lapsed time : 43680 ns

If we compare the trace of a packet routed by the standard rules (static routing) with that of a packet routed by PBR rules, we see no difference. Only the outgoing interface and the address substituted by NAT change.

Situation No. 5. The packet is sent through a VTI interface

In this example we ping the address 172.28.0.1.

cbs-4000#show platform packet-trace summary
Pkt   Input             Output            State  Reason
0     Gi0/0/0           Gi0/0/1.5         FWD

The packet is forwarded (FWD). The outgoing interface is Gi0/0/1.5.

Packet processing trace

cbs-4000#show platform packet-trace packet 0
Packet: 0           CBUG ID: 50
Summary
  Input     : GigabitEthernet0/0/0
  Output    : GigabitEthernet0/0/1.5
  State     : FWD 
  Timestamp
    Start   : 6665377802839987 ns (02/20/2017 11:15:48.257340 UTC)
    Stop    : 6665377803172303 ns (02/20/2017 11:15:48.257673 UTC)
Path Trace
  Feature: IPV4
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Source      : 192.168.20.8
    Destination : 172.28.0.1
    Protocol    : 1 (ICMP)
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x8112bfbc - DEBUG_COND_INPUT_PKT
    Lapsed time : 5600 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
    Lapsed time : 4160 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
    Lapsed time : 3040 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4a140 - IPV4_INPUT_ACL
    Lapsed time : 19840 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
    Lapsed time : 960 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
    Lapsed time : 1280 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x0000008c
    input vrf_idx         : 0
    calling feature       : STILE
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 186
    cft_bucket_number     : 407373
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 172.28.0.1
    tuple.src_port        : 6603
    tuple.dst_port        : 443
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 186
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: NBAR
    Packet number in flow: N/A
    Classification state: Final
    Classification name: ping
    Classification ID: [CANA-L7:479]
    Number of matched sub-classifications: 0
    Number of extracted fields: 0
    Is PA (split) packet: False
    TPH-MQC bitmask value: 0x0
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
    Lapsed time : 296480 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
    Lapsed time : 43040 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d59618 - IPV4_INPUT_FME_PROCESS
    Lapsed time : 2560 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x00000084
    input vrf_idx         : 0
    calling feature       : FNF
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 186
    cft_bucket_number     : 407373
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 172.28.0.1
    tuple.src_port        : 6603
    tuple.dst_port        : 443
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 186
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
    Lapsed time : 20160 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
    Lapsed time : 134400 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e8c - IPV4_INPUT_VFR
    Lapsed time : 1120 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
    Lapsed time : 3840 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x00000080
    input vrf_idx         : 0
    calling feature       : CENT
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 186
    cft_bucket_number     : 407373
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 172.28.0.1
    tuple.src_port        : 6603
    tuple.dst_port        : 443
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 186
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
    Lapsed time : 45440 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d7ff70 - IPV4_INPUT_PBR
    Lapsed time : 14080 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS
    Lapsed time : 1280 ns
  Feature: FIA_TRACE             
    Input       : GigabitEthernet0/0/0                     <=================
    Output      : Tunnel1                                  <=================
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS   <=================
    Lapsed time : 5920 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL
    Lapsed time : 1600 ns
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: OCE_TRACE
    Type       : OCE_ADJ_IPV4
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x80d6d974 - IPV4_INPUT_FNF_FINAL
    Lapsed time : 245440 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE
    Lapsed time : 1760 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS
    Lapsed time : 960 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE
    Lapsed time : 4160 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x81131e98 - IPV4_OUTPUT_VFR
    Lapsed time : 3040 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x80d858a0 - IPV4_OUTPUT_TCP_ADJUST_MSS
    Lapsed time : 1280 ns
  Feature: ZBFW                                       <=================
    Action  : Fwd                                     <=================
    Zone-pair name  : N/A                             <=================
    Class-map name  : N/A                             <=================
    Input interface : GigabitEthernet0/0/0            <=================
    Egress interface: Tunnel1                         <=================
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x80d70b28 - IPV4_OUTPUT_INSPECT
    Lapsed time : 30080 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE
    Lapsed time : 2560 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE
    Lapsed time : 1600 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x81131e9c - IPV4_VFR_REFRAG
    Lapsed time : 800 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE
    Lapsed time : 7360 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x81131ec4 - IPV4_OUTPUT_FRAG
    Lapsed time : 640 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x80d6e1b8 - IPV4_TUNNEL_OUTPUT_FNF_AOR
    Lapsed time : 3520 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x80d6d8e4 - IPV4_TUNNEL_OUTPUT_FNF_FINAL
    Lapsed time : 1440 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x80d6e640 - IPV4_TUNNEL_OUTPUT_FNF_AOR_RELEASE
    Lapsed time : 800 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x80d86ce8 - IPV4_TUNNEL_OUTPUT_FINAL
    Lapsed time : 20640 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x80d86d30 - IPV4_OUTPUT_TUNNEL_PROTECTION_ENCRYPT <=================
    Lapsed time : 7200 ns
  Feature: IPSec                                     <=================
    Result    : IPSEC_RESULT_SA                      <=================
    Action    : ENCRYPT                              <=================
    SA Handle : 98                                   <=================
    Peer Addr : 188.188.188.188                      <=================
    Local Addr: 87.87.87.87                          <=================
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY_EXT
    Lapsed time : 44480 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x80d7641c - IPV4_OUTPUT_IPSEC_DOUBLE_ACL_EXT
    Lapsed time : 11200 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x80d763ec - IPV4_IPSEC_FEATURE_RETURN_EXT
    Lapsed time : 4960 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x8113ac50 - IPV4_OUTPUT_IPSEC_INLINE_FRAG_CHK_EXT
    Lapsed time : 7680 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x80d7635c - IPV4_OUTPUT_IPSEC_TUNNEL_RERUN_JUMP_EXT
    Lapsed time : 4480 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x80d764ac - IPV4_OUTPUT_IPSEC_POST_PROCESS_EXT
    Lapsed time : 12160 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x80d763ec - IPV4_IPSEC_FEATURE_RETURN_EXT
    Lapsed time : 1600 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x80d763ec - IPV4_IPSEC_FEATURE_RETURN_EXT
    Lapsed time : 1440 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x80d86cec - IPV4_TUNNEL_GOTO_OUTPUT
    Lapsed time : 11680 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x80d86d98 - IPV4_TUNNEL_FW_CHECK_EXT
    Lapsed time : 15040 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x81131e60 - IPV4_INPUT_DST_LOOKUP_ISSUE_EXT
    Lapsed time : 8480 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x81131eb8 - IPV4_INPUT_ARL_EXT
    Lapsed time : 5760 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x81131e6c - IPV4_INTERNAL_DST_LOOKUP_CONSUME_EXT
    Lapsed time : 2880 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x80d86dc8 - IPV4_TUNNEL_ENCAP_FOR_US_EXT
    Lapsed time : 5600 ns
  Feature: FIA_TRACE                         
    Input       : Tunnel1                                    <=================
    Output      : GigabitEthernet0/0/1.5                     <=================
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT <=================
    Lapsed time : 4000 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131f20 - IPV4_TUNNEL_ENCAP_GOTO_OUTPUT_FEATURE_EXT
    Lapsed time : 11520 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131e98 - IPV4_OUTPUT_VFR
    Lapsed time : 1440 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d70b28 - IPV4_OUTPUT_INSPECT
    Lapsed time : 5120 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE
    Lapsed time : 2240 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA
    Lapsed time : 6400 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE
    Lapsed time : 1440 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131e9c - IPV4_VFR_REFRAG
    Lapsed time : 800 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x0000008c
    input vrf_idx         : 0
    calling feature       : STILE
    direction             : Output
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01004104
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 186
    cft_bucket_number     : 407373
    cft_l3_payload_size   : 100
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 87.87.87.87
    tuple.dst_ip          : 188.188.188.188
    tuple.src_port        : 6603
    tuple.dst_port        : 443
    tuple.vrfid           : 0
    tuple.l4_protocol     : 50
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 186
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: NBAR
    Packet number in flow: N/A
    Classification state: Final
    Classification name: ipsec
    Classification ID: [CANA-L7:9]
    Number of matched sub-classifications: 0
    Number of extracted fields: 0
    Is PA (split) packet: False
    TPH-MQC bitmask value: 0x0
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT
    Lapsed time : 138080 ns
  Feature: IPSec                                      <=================
    Result    : IPSEC_RESULT_DENY                     <=================
    Action    : SEND_CLEAR                            <=================
    SA Handle : 0
    Peer Addr : 188.188.188.188                       <=================
    Local Addr: 87.87.87.87                           <=================
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY
    Lapsed time : 27840 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE
    Lapsed time : 2880 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE
    Lapsed time : 7520 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131e74 - IPV4_OUTPUT_SRC_LOOKUP_CONSUME
    Lapsed time : 960 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81131ec4 - IPV4_OUTPUT_FRAG
    Lapsed time : 16800 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x8111ea94 - L2_REWRITE_AFTER_FRAG_WITHOUT_CLIP_EXT
    Lapsed time : 11520 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY
    Lapsed time : 12000 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x80d6d914 - IPV4_OUTPUT_FNF_FINAL
    Lapsed time : 108320 ns
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT
    Lapsed time : 49120 ns

The trace looks different because routing of the packet has become more complex. First, the packet is forwarded to the tunnel interface:

Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : Tunnel1
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
    Lapsed time : 5920 ns

Next, the firewall rules are applied. Because the ingress and tunnel interfaces are in the same zone, the traffic is not inspected (it does not match any zone-pair):

Feature: ZBFW
    Action  : Fwd
    Zone-pair name  : N/A
    Class-map name  : N/A
    Input interface : GigabitEthernet0/0/0
    Egress interface: Tunnel1

Once the packet has reached the tunnel interface, it must be encrypted.

IPV4_OUTPUT_TUNNEL_PROTECTION_ENCRYPT
  Feature: IPSec
    Result    : IPSEC_RESULT_SA
    Action    : ENCRYPT
    SA Handle : 98
    Peer Addr : 188.188.188.188
    Local Addr: 87.87.87.87

The packet, now encrypted, is routed once more.

  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT
    Lapsed time : 4000 ns

The packet passes through the external interface, where IPSec is configured (a crypto map is applied). Although the packet is already encrypted, the system checks whether it matches IPSec on the outgoing interface.

Feature: IPSec
    Result    : IPSEC_RESULT_DENY
    Action    : SEND_CLEAR
    SA Handle : 0
    Peer Addr : 188.188.188.188
    Local Addr: 87.87.87.87
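
The steps picked out by hand above (the output-interface changes and the ZBFW and IPSec decisions) can be extracted from a full trace automatically. The following Python parser is an added example, not part of the original article or of any Cisco tooling; `SAMPLE` is an abbreviated, constructed excerpt in the format of `show platform packet-trace packet N`, and the function names are hypothetical.

```python
import re

# Constructed sample: an abbreviated trace in the format shown above (the
# VTI/IPSec case), including the "<====" highlight markers. Not device output.
SAMPLE = """\
Path Trace
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d7ff70 - IPV4_INPUT_PBR
    Lapsed time : 14080 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0                     <=================
    Output      : Tunnel1                                  <=================
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS   <=================
    Lapsed time : 5920 ns
  Feature: ZBFW
    Action  : Fwd
    Zone-pair name  : N/A
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : Tunnel1
    Entry       : 0x80d86d30 - IPV4_OUTPUT_TUNNEL_PROTECTION_ENCRYPT
    Lapsed time : 7200 ns
  Feature: IPSec
    Result    : IPSEC_RESULT_SA
    Action    : ENCRYPT
  Feature: FIA_TRACE
    Input       : Tunnel1
    Output      : GigabitEthernet0/0/1.5
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT
    Lapsed time : 4000 ns
  Feature: IPSec
    Result    : IPSEC_RESULT_DENY
    Action    : SEND_CLEAR
"""

MARK = re.compile(r"\s*<=+\s*$")               # the author's highlight arrows
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*)$")  # "key : value" lines

def parse_features(text):
    """Return the Path Trace as a list of dicts, one per 'Feature:' block."""
    features = []
    for raw in text.splitlines():
        m = FIELD.match(MARK.sub("", raw))
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Feature":
            features.append({"Feature": value})
        elif features:                 # Summary lines before the first block are skipped
            features[-1][key] = value
    return features

def key_events(features):
    """Keep only the steps that change the packet's fate: an output-interface
    change in a FIA entry, and any feature block that reports an Action."""
    events, out = [], None
    for f in features:
        if f["Feature"] == "FIA_TRACE":
            name = f["Entry"].split(" - ", 1)[1]
            if out is not None and f["Output"] != out:
                events.append(("route", name, out, f["Output"]))
            out = f["Output"]
        elif "Action" in f:
            # Context = output interface of the most recent FIA entry.
            events.append((f["Feature"], f["Action"], f.get("Result"), out))
    return events

def slowest(features, n=2):
    """FIA entries with the largest 'Lapsed time', in nanoseconds."""
    fia = [(int(f["Lapsed time"].split()[0]), f["Entry"].split(" - ", 1)[1])
           for f in features if f["Feature"] == "FIA_TRACE"]
    return sorted(fia, reverse=True)[:n]

if __name__ == "__main__":
    for event in key_events(parse_features(SAMPLE)):
        print(event)
    print(slowest(parse_features(SAMPLE)))
```

On the sample, the event list shows the ENCRYPT decision while the output is still Tunnel1 and the SEND_CLEAR decision only after the second lookup has moved the packet to GigabitEthernet0/0/1.5, which is the order described above.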

Situation No. 6. The packet is forwarded to a non-existent (or failed) next hop

cbs-4000#show platform packet-trace summary
Pkt   Input             Output            State  Reason
0     Gi0/0/0           internal0/0/rp:0  PUNT   10  (Incomplete adjacency)

The PUNT state means that the packet cannot be handled by CEF and is handed over to the processor (process switching). The reason is that the router did not find the required entry in the adjacency table for forwarding the packet to the neighbouring next hop (Incomplete adjacency). That makes sense, since the next hop does not exist.

Packet processing trace

cbs-4000#show platform packet-trace packet 0
Packet: 0           CBUG ID: 55
Summary
  Input     : GigabitEthernet0/0/0
  Output    : internal0/0/rp:0
  State     : PUNT 10  (Incomplete adjacency)
  Timestamp
    Start   : 6668916530895154 ns (02/20/2017 12:14:46.985396 UTC)
    Stop    : 6668916530979351 ns (02/20/2017 12:14:46.985480 UTC)
Path Trace
  Feature: IPV4
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Source      : 192.168.20.8
    Destination : 8.8.8.8
    Protocol    : 1 (ICMP)
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x8112bfbc - DEBUG_COND_INPUT_PKT
    Lapsed time : 9760 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
    Lapsed time : 5920 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
    Lapsed time : 3200 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4a140 - IPV4_INPUT_ACL
    Lapsed time : 15040 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
    Lapsed time : 960 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
    Lapsed time : 1440 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x0000008c
    input vrf_idx         : 0
    calling feature       : STILE
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 74
    cft_bucket_number     : 769995
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 443
    tuple.dst_port        : 55391
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 74
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: NBAR
    Packet number in flow: N/A
    Classification state: Final
    Classification name: ping
    Classification ID: [CANA-L7:479]
    Number of matched sub-classifications: 0
    Number of extracted fields: 0
    Is PA (split) packet: False
    TPH-MQC bitmask value: 0x0
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
    Lapsed time : 252800 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
    Lapsed time : 48960 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d59618 - IPV4_INPUT_FME_PROCESS
    Lapsed time : 4000 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x00000084
    input vrf_idx         : 0
    calling feature       : FNF
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 74
    cft_bucket_number     : 769995
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 443
    tuple.dst_port        : 55391
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 74
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
    Lapsed time : 20640 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
    Lapsed time : 127520 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x81131e8c - IPV4_INPUT_VFR
    Lapsed time : 1280 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
    Lapsed time : 2560 ns
  Feature: CFT
    API                   : cft_handle_pkt
    packet capabilities   : 0x00000080
    input vrf_idx         : 0
    calling feature       : CENT
    direction             : Input
    triplet.vrf_idx       : 0
    triplet.network_start : 0x01003f8e
    triplet.triplet_flags : 0x00000000
    triplet.counter       : 74
    cft_bucket_number     : 769995
    cft_l3_payload_size   : 40
    cft_pkt_ind_flags     : 0x00000000
    cft_pkt_ind_valid     : 0x00000931
    tuple.src_ip          : 192.168.20.8
    tuple.dst_ip          : 8.8.8.8
    tuple.src_port        : 443
    tuple.dst_port        : 55391
    tuple.vrfid           : 0
    tuple.l4_protocol     : ICMP
    tuple.l3_protocol     : IPV4
    pkt_sb_state          : 0
    pkt_sb.num_flows      : 0
    pkt_sb.tuple_epoch    : 74
    returned cft_error    : 14
    returned fid          : 0x00000000
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
    Lapsed time : 39360 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d7ff70 - IPV4_INPUT_PBR
    Lapsed time : 43680 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/0
    Entry       : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS
    Lapsed time : 1120 ns
  Feature: FIA_TRACE                                          
    Input       : GigabitEthernet0/0/0                      <=================
    Output      : GigabitEthernet0/0/1                      <=================
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS    <=================
    Lapsed time : 135360 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0                       <=================
    Output      : internal0/0/rp:0                           <=================
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT <=================
    Lapsed time : 30240 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : internal0/0/rp:0
    Entry       : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL_EXT
    Lapsed time : 8640 ns
  Feature: OCE_TRACE
    Type       : OCE_ADJ_PUNT
  Feature: OCE_TRACE
    Type       : OCE_ADJ_PUNT
  Feature: OCE_TRACE
    Type       : OCE_ADJ_PUNT
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : internal0/0/rp:0
    Entry       : 0x80d6d974 - IPV4_INPUT_FNF_FINAL_EXT
    Lapsed time : 277600 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : internal0/0/rp:0
    Entry       : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE_EXT
    Lapsed time : 6720 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : internal0/0/rp:0
    Entry       : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS_EXT
    Lapsed time : 2560 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : internal0/0/rp:0
    Entry       : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE_EXT
    Lapsed time : 11200 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : internal0/0/rp:0
    Entry       : 0x81131ef4 - IPV4_INTERNAL_ARL_SANITY_EXT
    Lapsed time : 10560 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : internal0/0/rp:0
    Entry       : 0x80d70b28 - IPV4_OUTPUT_INSPECT_EXT
    Lapsed time : 12160 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : internal0/0/rp:0
    Entry       : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE_EXT
    Lapsed time : 1600 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : internal0/0/rp:0
    Entry       : 0x81131e9c - IPV4_VFR_REFRAG_EXT
    Lapsed time : 2240 ns
  Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : internal0/0/rp:0
    Entry       : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY_EXT
    Lapsed time : 24320 ns
  Feature: FIA_TRACE          
    Input       : GigabitEthernet0/0/0                   <=================
    Output      : internal0/0/rp:0                       <=================
    Entry       : 0x8112ce90 - INTERNAL_TRANSMIT_PKT_EXT <=================
    Lapsed time : 137440 ns

An outgoing interface has been determined for the packet:

Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : GigabitEthernet0/0/1
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
    Lapsed time : 135360 ns

But because CEF does not have the required entries, the packet is sent to the processor for handling (internal0/0/rp:0):

Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : internal0/0/rp:0
    Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT
    Lapsed time : 30240 ns

The entry showing that the packet was handed over to the processor (INTERNAL_TRANSMIT):

Feature: FIA_TRACE
    Input       : GigabitEthernet0/0/0
    Output      : internal0/0/rp:0
    Entry       : 0x8112ce90 - INTERNAL_TRANSMIT_PKT_EXT
    Lapsed time : 137440 ns

Packet Trace gives us data on how a packet is processed in the QFP. This means that once the packet is in the hands of the CPU, our traces no longer help. In that case you can try debug ip packet, but you need to be very careful with that debugger.

Conclusion

These examples show that in many situations IOS XE Packet Trace lets us work out fairly quickly where things got stuck. With that information in hand, we can then dig into the problem in more detail, juggling various combinations of show and debug commands.

When troubleshooting, don't forget one more tool: packet capture. On IOS XE this feature has been made more convenient than in classic IOS.

Packet capture

Enabling packet capture:

monitor capture CAP access-list 199
monitor capture CAP interface GigabitEthernet0/0/0 in
monitor capture CAP start

Stopping the capture, exporting the dump to an external PC, and removing the capture:

monitor capture CAP stop
monitor capture CAP export tftp://10.0.0.1/CAP.pcap
no monitor capture CAP

Author: CBS
