Nguyen Van Linh, profile picture
Uploaded byNguyen Van Linh
PDF, PPTX1,989 views

Brkdct 3101

The document provides an overview of the architecture of Nexus 9000 series switches and techniques for troubleshooting them. It discusses the modular components of Nexus 9500 switches including supervisors, fabrics, I/O modules, and line cards. It also covers tools for monitoring system health and detailed troubleshooting techniques. The goal is to provide an understanding of the Nexus 9000 architecture and introduce system telemetry and troubleshooting case scenarios.

Embed presentation

Download as PDF, PPTX
1 / 199
2 / 199
3 / 199
4 / 199
5 / 199
6 / 199
7 / 199
8 / 199
9 / 199
10 / 199
11 / 199
12 / 199
13 / 199
14 / 199
15 / 199
16 / 199
17 / 199
18 / 199
19 / 199
20 / 199
21 / 199
Most read
22 / 199
Most read
23 / 199
24 / 199
25 / 199
26 / 199
Most read
27 / 199
28 / 199
29 / 199
30 / 199
31 / 199
32 / 199
33 / 199
34 / 199
35 / 199
36 / 199
37 / 199
38 / 199
39 / 199
40 / 199
41 / 199
42 / 199
43 / 199
44 / 199
45 / 199
46 / 199
47 / 199
48 / 199
49 / 199
50 / 199
51 / 199
52 / 199
53 / 199
54 / 199
55 / 199
56 / 199
57 / 199
58 / 199
59 / 199
60 / 199
61 / 199
62 / 199
63 / 199
64 / 199
65 / 199
66 / 199
67 / 199
68 / 199
69 / 199
70 / 199
71 / 199
72 / 199
73 / 199
74 / 199
75 / 199
76 / 199
77 / 199
78 / 199
79 / 199
80 / 199
81 / 199
82 / 199
83 / 199
84 / 199
85 / 199
86 / 199
87 / 199
88 / 199
89 / 199
90 / 199
91 / 199
92 / 199
93 / 199
94 / 199
95 / 199
96 / 199
97 / 199
98 / 199
99 / 199
100 / 199
101 / 199
102 / 199
103 / 199
104 / 199
105 / 199
106 / 199
107 / 199
108 / 199
109 / 199
110 / 199
111 / 199
112 / 199
113 / 199
114 / 199
115 / 199
116 / 199
117 / 199
118 / 199
119 / 199
120 / 199
121 / 199
122 / 199
123 / 199
124 / 199
125 / 199
126 / 199
127 / 199
128 / 199
129 / 199
130 / 199
131 / 199
132 / 199
133 / 199
134 / 199
135 / 199
136 / 199
137 / 199
138 / 199
139 / 199
140 / 199
141 / 199
142 / 199
143 / 199
144 / 199
145 / 199
146 / 199
147 / 199
148 / 199
149 / 199
150 / 199
151 / 199
152 / 199
153 / 199
154 / 199
155 / 199
156 / 199
157 / 199
158 / 199
159 / 199
160 / 199
161 / 199
162 / 199
163 / 199
164 / 199
165 / 199
166 / 199
167 / 199
168 / 199
169 / 199
170 / 199
171 / 199
172 / 199
173 / 199
174 / 199
175 / 199
176 / 199
177 / 199
178 / 199
179 / 199
180 / 199
181 / 199
182 / 199
183 / 199
184 / 199
185 / 199
186 / 199
187 / 199
188 / 199
189 / 199
190 / 199
191 / 199
192 / 199
193 / 199
194 / 199
195 / 199
196 / 199
197 / 199
198 / 199
199 / 199
Nexus9000(Standalone) Architecture And Troubleshooting Shridhar V. Dhodapkar –Technical Leader (Services) CCIE 6367 (Routing & Switching) BRKDCT-3101
Session Abstract This session presents briefly the architecture of the latest generation of Nexus 9000 Series Modular switches. Topics include supervisors, fabrics, I/O modules, forwarding engines, and physical design elements, as well as the Top of the Rack Nexus9300 Switches. The session will also cover how to monitor the health of the system. We will walk you through in depth troubleshooting Tools and Techniques.
Session Goal • To provide an overall understanding of the Nexus 9000 switching architecture, supervisor, fabric, and I/O module design, packet flows, and key forwarding engine functions • This session will introduce System Telemetry, Troubleshooting tool Kits and troubleshooting case scenarios • This session will not examine NX-OS software architecture or other Nexus platform architectures
Related Sessions BRKARC-2222 - Cisco Nexus 9000 architecture BRKARC-3471 - Cisco NX-OS Software Architecture BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches
• Introduction • Architecture • System Health check Telemetry • Troubleshooting Toolkit • Nexus 9000 Troubleshooting • Common Link Layer Issues-L1 • Fabric Connectivity and • In band • L2/L3 Packet Forwarding • vPC • Nexus9000 Specific Limitation and Goodies Agenda
Introduction
Introduction-What is Nexus9000 Family ? Nexus 9500 Series Switches Nexus 9300 Series Switches Nexus9504/Nexus9508/Nexus9516 N9K-C9332PQ N9K-C9372PX N9K-C9372TX N9K-C9396
Architecture
9500 Field Upgradeable Units (FRU) • 9500 has the following modular components which can upgraded or replaced in the field • Supervisor • Fabric Module • Line Card • System Controller • Fan Tray • Power Supply • The Supervisor, System controller ,Fabric Module and LC have OBFL (On-Board Failure Logging) for failure analysis Nexus® 9508 Front View Nexus® 9508 Rear View
Nexus 9500 Platform FRU Supervisor Module-What it is Role • Redundant Half-width supervisor engine • Common for 4-, 8-, and 16- slot chassis • External Clock Input (PTP) • Responsible for control-plane functions System Controller-What it is Role • Offload supervisor from internal device management tasks • Central Point of Chassis Control • EOBC Switch (Ethernet Out of Band Channel) • EPC Switch (Ethernet Protocol Channel) • Power Supplies via SMB (System Management Bus) • Fan Trays
Nexus 9500 Platform Line Card • I/O module with Merchant and Merchant+ ASIC • Have Various Forwarding Tables • L2 Mac Table And L3 Host Table • ACL and Buffers for Queuing F P 1 F P 2 F P 3 F P 4 F P 5 F P 6 F P 7 F P 8 F P 9 F P 1 0 F P 1 1 F P 1 2 F P 1 3 F P 1 4 F P 1 5 F P 1 6 F P 1 7 F P 1 8 F P 1 9 F P 2 0 F P 2 1 F P 2 2 F P 2 3 F P 2 4 F P 2 5 F P 2 6 F P 2 7 F P 2 8 F P 2 9 F P 3 0 F P 3 1 F P 3 2 F P 3 3 F P 3 4 F P 3 5 F P 3 6 F P 3 7 F P 3 8 F P 3 9 F P 4 0 F P 4 1 F P 4 2 F P 4 3 F P 4 4 F P 4 5 F P 4 6 F P 4 7 F P 4 8 Note: Internal ports are called as Hi-Gig/HG ports 10G SFP+ Ports 40G QSFP HG MUX1 HG MUX3 FP 49 FP 50 FP 51 FP 52 Northstar 1 Warpcor e MF Port 7 - 5 2 - 0 3 1- 2 9 2 6- 2 4 T2 7 - 5 2 6- 2 4 0 - 2 3 - 5 6- 8 9- 1 1 FM4 FM3FM5FM6 FM2 FM1 HG MUX4 HG MUX2 HG MUX5 HG MUX6 MN Port 0 1 2 3 4 5 6 7 8 9 10 11 Northstar 2 MF Port 0 - 2 9- 1 1 MN Port 0 1 2 3 4 5 6 7 8 9 10 11 T2 7 - 5 2 - 0 3 1- 2 9 2 6- 2 4 HG Line Cards ASIC Name NFE=Network Forwarding Engine-Trident 2(T2) ALE=Application Leaf Engine-North Star(NS) -Donner N9K-X9564PQ
Nexus 9500 Fabric Module • Interconnect Line Card slots • Installed at the rear of the chassis • Leverages Broadcom Trident II ASICs • Max 1.92 Tbps per line card slot (6 Fabric Cards) • 960 Gbps per line card slot (3 Fabric Cards) • All Fabric Cards are active and carry traffic • Fan Tray requires Fabric Card to be present in even slot Trident II ASIC-NFE Trident II ASIC-NFE 32 x 40G Hi-Gig2 32 x 40G Hi-Gig2 Fabrics Modules
T2 Fabric 1 T2 320 Gbps (8x 40Gbps) T2 Fabric 2 T2 320 Gbps (8x 40Gbps) T2 Fabric 3 T2 320 Gbps (8x 40Gbps) T2 Fabric 4 T2 320 Gbps (8x 40Gbps) T2 Fabric 5 T2 320 Gbps (8x 40Gbps) T2 Fabric 6 T2 320 Gbps (8x 40Gbps) Line Card Slot 1.92 Tbps • An 8-Slot chassis fabric module can provide up to 320Gbps to each Line Card slot • With 6 fabric modules, each Line Card slot can have up to 1.92Tbps duplex forwarding bandwidth Data Plane Scaling for 8-Slot Chassis 1.60 Tbps 1.28 Tbps 960 Gbps 640 Gbps 320 Gbps Nexus 9500 Fabric Module
NFE ALE ALE NFE Fabric 1 Nx NFE Fabric 2 Nx NFE Fabric 3 Nx NFE Fabric 4 Nx NFE Fabric 5 Nx NFE Fabric 6 Nx NFE 2 x 42 Gbps 2 x 42 Gbps 12 x 42 Gbps 12 x 42 Gbps N = 1 for N9504 N = 2 for N9508 N = 4 for N9516 NFE ALE ALE NFE 12 x 42 Gbps 12 x 42 Gbps Note: Internal ports are called as Hi-Gig/HG ports Distributed Data Plane of Nexus 9500 Series Switches
Nexus9500 Series Line Card Summary Information X9600 Series Line Cards X9500 Series Line Cards X9400 Series ASIC Technology Merchant only N9K-X9636PQ Merchant+ N9K-X9564PX N9K-X9564TX N9K-X9536PQ Merchant only • N9K-X9432PQ • N9K-X9464PX • N9K-X9464TX Number of ASIC 3 T2 2 T2 + 2 NS 2 T2 + 2 NS 2 T2 + 2 NS 2 T2 40 gig 32 Ports 1 T2 48 1/10 gig , 4 QSFP Non Blocking Non Blocking Line rate > 200 byte packet Buffer Size 36 MB 104 MB 12 MB with one T2 24 MB with two T2
High Level Block Diagram-N9500 All PSU, SC, SUP, FM, and LC plug into the same Power Supply Interface
N9K-C9300 Series • Fixed Chassis • Port QSFP+ Uplink Module • 1 RU or 2RU or 3RU • AC/DC Power Supply • Front-to-Back & Back-to-Front Airflow • Latency: 1-2 usec • Wire-Speed L2/L3 Forwarding • Switch will not boot up without GEM Expansion Module
Nexus 9300 Series Switch Summary N9396TX/PX N93128TX N9372TX N9372TX N9372PX NFE (BCM T2) 1 1 2 1 1 ALE ( NorthStar)/GEM GEM-1 NS GEM-1 NS No GEM-1 Donner No GEM -1 Donner No GEM- 1 Donner Oversubscribed No 1.5:1 No No No Line Rate Yes Yes (packets > 194-Bytes) Yes Yes QoS Classes 8 4 8 4 4 Buffer (MB) 36 (12*3) 104 (12*2+40*2) 24 (12*2) 104 (12*2+40*2) 104 (12*2+40*2)
High Level Block Diagram-N9300 Northstar Egress (12+12)x12 Ingress (12+12)x12 BRCM Trident2 48 10G x 12 40G CPU 2C 1.5GHz DDR3 DIMM2 16GBTotal PCIe Trident II ASIC NorthStar ASIC 1 Network Interfaces 12 x 40G Hi-Gig2 12 x 40G Ethernet Front Panel 48x 1GE/10GE Ports GEM 4x 40GE QSFP+ Uplinks 1000BaseT Mgmt Port 2 USB Ports eUSB Boot Flash 12C • The last 2/3 numbers stand for total bandwidth in Gigabits • 93128 – 128G (96 x 10G + 8 x 40G) • 9396 – 96G (48 x 10G + 12 x 40G) • 9372 – 72G ( 48 x 10G + 8 x 40 G)
T2-NFE Parser L2/L3 Lookup & forwarding I-ACL Traffic Classification & Remarking Ingress Accounting & Policing Packet Modification E-ACL Output Q & Shaping EoQALE-NS Network Interface Fabric Module L3 LPM Lookup & Forwarding T2-NFE Parser L2/L3 Lookup & forwarding I-ACL Traffic Classification & Remarking Ingress Accounting & Policing Packet Modification E-ACL Output Q & Shaping EoQALE-NS Network Interface Ingress Line Card Egress Line Card Nexus9500 Unicast Packet Flow Parse the first 128 Byte and extract header info L2/L3 Lookup in MAC Table and IP Host Table Classify traffic based on 802.1q COS, IP Pres, DSCP &ACL Remark if needed Egress Line card sends packet to egress port based on DMOD/DPORT Class-based output queues. Support 6 classes including control traffic class Additional buffer is available for extended out put Ques EoQ Fabric Module Performs L3 LPM lookup and resolves Egress port and next-hop OOBFC Signaling OOBFC Signaling
N9K-C9300 High Level Block Diagram HiGiG2 Interface on T2 MACF ports on the GEM and to MACN ports (16 x 10G) x 3 = 480G FP Bandwidth (12 x 40G) = 480G Bandwidth to GEM Module (12 x 40G) = 480G FP Bandwidth Uplink Ports MACN ports. (16 x 10G) x 3 = 480G FP Bandwidth (12 x 40G) = 480G Bandwidth to GEM Module
Main Features of Trident2 1280Gbps Switch ASIC Packet Buffer Content aware Engine DCB Engine L2 MAC L3 Route L2/L3 Multicast 128 Integrated SerDes Dynamic Memory Manager L2/L3 Processing Host IF Counters 128 SERDES@10Gbps OR 32 SERDES@40Gbps Features Information Maximum IO and Core bandwidth 1280G MAC(L2) Entries 32K min -288K max L3 Hosts IPv4:16K min-112Kmax IPv6:8K min-56 max L3 Multicast Group 8K Virtual Ports 16K Maximum number of Physical ports 104
North Star Features Information Support Mixed Speed but in Fixed configuration. Network Interface:12 Ports Fabric Interface: 12 40 Gig Forwarding 720Mpps lookup rate on Ingress Datapath 720Mpps lookup rate at Egress Datapath Shared Memory Subsystem Ingress Path Buffer Egress Path Buffer 10 Mbytes 30 Mbytes Maximum number of Physical ports 24
Broadcom Unified Forwarding Table SUPPORTED COMBINATIONS T2 has the following Unified Forwarding Table: Mode L2 L3 Host LPM 0 288K 16K 16K 1 224K 56K 16K 2 160K 90K 16K 3 98K 122K 16K 4 32K 16K 128K
Routing Mode for Nexus9300 LPM Routing Mode Broadcom T2 Mode CLI Command Default system routing mode 3 ALPM Routing mode 4 System routing max-mode l3 N93K#show system routing mode Configured System Routing Mode: Hierarchical Applied System Routing Mode: Hierarchical (Default) N93K#show hardware internal forwarding table utilization module 1 Max Host Route Entries (shared v4/v6): 124928 Max LPM Table Entries : 16384
Routing Mode for Nexus9500 show hardware internal forwarding table utilization mod 1 Max Host Route Entries (shared v4/v6):16384 Max LPM Table Entries : 131072 show hardware internal forwarding table utilization mod 21 Max Host Route Entries (shared v4/v6): 0 Max LPM Table Entries :0 LPM Routing Mode Broadcom T2 Mode Cli Command Default System routing mode 3 (For Line card) 4 (For Fabric Module) Max-host routing mode 2--Line Card- V6 in LPM 3--For Fabric Module System routing max-mode host Nonhierarchical routing mode 3--For Line Card 4--With max-l3-mode option For Line card No Routes on Fabric Module System routing non-hierarchical Option [max-l3-mode] 64-bit ALPM routing mode Sub mode of mod 4 for Fabric modules System routing mode hierarchical 64b-alpm Non hierarchical routing mod
ACL TCAM TABLE Characteristic • Ingress ACL: 4K TCAM entries - 4x 512 banks + 8x 256 banks • Egress ACL: 1K TCAM entries - 4x 256 banks • Each ACL type needs its own dedicated bank/banks • IPv4, IPv6 or MAC each needs dedicated bank/banks • MAC-ACL IPv6 & any QOS needs double-width entries, which means needs at least 2 banks • VACL is programmed symmetrically in both egress and ingress ACL Interface Type Ingress ACL Egress ACL SVI TCAM Shared TCAM Not shared L3 TCAM Shared TCAM Shared
ACL Characteristics • Atomic/hitless update of existing applied ACL while modified • Temporary label swap (no use of default-result) • Two acl copies in tcam, if there is no enough space, process fails • ACL TCAM banks chaining not supported • L4OPs/LOUs only used for expansion beyond 5 lines, configurable • 10 L4op per acl limit • Specific applications (dhcp, bfd) may install their own ACLs which must merge with user configured racl, vacl, pacl
TCAM Carving for Nexus 9000 TCAM Region-N9500 Size Per Region IPV4 RACL 1536 IPv4 L3 QOS 256 Ingress System 256 SPAN 256 Ingress CoPP 256 Redirect 256 vPC Convergence 512 Egress IPv4 RACL 768 Egress System 256 256 Ingress Egress 3X512 256 256 256 256 3X256 512 256 TCAM Region-N9300 Size Per Region IPv4 PACL 512 IPV4 VACL 512 IPV4 RACL 512 IPv4 Port QOS 256 Ingress System 256 SPAN 256 Ingress CoPP 256 Redirect 256 vPC Convergence 512 Egress IPv4 RACL 256 Egress IPv4 VACL 512 Egress System 256 256 Ingress Egress 512 256 512 256 256 512 256 512 512 256 256
ACL TCAM Default Region and Carving • TCAM Banks will first get assigned to Feature which has largest region. • Next TCAM Bank will get assigned to Feature which need double Width. • TCAM Carving requires Line Card/TOR reload to take effect • To read current TCAM allocation N9K#Show system internal access-lists global • To reconfigure TCAM Region N9K(config)hardware access-list tcam <feature name> <size>
Buffer And Queuing-T2 Shared Buffer 12 MB Control Default OOBFC • T2 has 12 Mbytes of Buffer shared by all ports for all Traffic Shared Buffer 12 MB Control Default Module with T2 only Module with T2 And NS OOBFC: Out of band flow control unicast service pool • Shared buffer divided Into Control and default service pool if module is T2 only • Shared buffer divided into Control, default and OOBFC service Pool if Module is T2 and NS based
Buffer And Queuing-North Star Trident II ASIC NorthStar ASIC 1 12 x 40G Hi-Gig2 12 x 40G Ethernet Front Panel 48x 1GE/10GE Ports GEM 4x 40GE QSFP+ Uplinks Shared Buffer Control Default SPAN • North Star has 40 Mbytes of Buffer • Divided in to Three Pool • Control , SPAN , Default 10 MB Buffer 20 MB Buffer 10 MB Buffer
Buffer Boost Function with T2 and NS • Buffer boost is function which allow T2 to use extra buffer of NS • When Buffer boost is enabled on a port , T2 Local switch traffic is Sent to NS for extra buffer space- • When Buffer boost is disabled on a port, T2 local traffic to this port remains local on this NFE • Buffer Boost is enabled by default and can be disabled on a per port basis 1/10GE 1/10GE 1/10GE ALE-NS NFE T2 Network Interface 10 MB Buffer 10 MB Buffer 20 MB Buffer 12 MB Buffer Shared by all ports Fabric Module 1/10GE
System Health check Telemetry
Most Common System Health Check • What is the Best Recommended NX-OS Release • CPU & Memory usage • Inter Process Messaging usage-MTS • Traffic Stats/Drop To CPU • CoPP/Hardware Rate Limiter Drops • Ethernet Out of Band Drops/Error • Instant Buffer usage Stats • FATAL System Errors • Interface Errors for STP/Error disable • Inter ASIC Utilization • Hardware Capacity Check • Consistency Checkers –Various Tables • GOLD Diagnostic Checks • Sev1/2 Syslog
Platform Series Minimum Release Recommended Release Cisco Nexus 9500 6.1(2)I2(2b) 6.1(2)I3(4a) Cisco Nexus 9300 6.1(2)I2(2b) 6.1(2)I3(4a) General Recommendation for New and Existing Deployments http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/recommend ed_releaseb_Minimum_and_Recommended_Cisco_NXOS_Releases_for_Cisco_Nex us_9000_Series_Switches.html http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6- x/scalability/guide_34/b_Cisco_Nexus_9000_Series_NXOS_Verified_Scalability_Guide_61 2I34/b_Cisco_Nexus_9000_Series_NXOS_Verified_Scalability_Guide_612I34_chapter_01. html • Software Recommendation • Verified Scale limits for different features and protocol for each release
CPU & Memory Usage N9K#show system resources Load average: 1 minute: 0.00 5 minutes: 0.03 15 minutes: 0.05 Processes : 432 total, 1 running CPU states : 2.76% user, 0.75% kernel, 96.48% idle CPU0 states : 0.00% user, 0.00% kernel, 100.00% idle CPU1 states : 0.00% user, 1.01% kernel, 98.98% idle CPU2 states : 0.00% user, 2.94% kernel, 97.05% idle CPU3 states : 10.89% user, 1.98% kernel, 87.12% idle Memory usage: 16402328K total,3443588K used, 12958740K free Current memory status: OK N9K#show system internal memory-usage-per-module in-KB Slot 01:Used:1647420 Kbytes,Free:425680 Kbytes,Total:2073100 Kbytes Slot 02:Used:1627524 Kbytes,Free:445576 Kbytes,Total:2073100 Kbytes Slot 04:Used:1647560 Kbytes,Free:425540 Kbytes,Total:2073100 Kbytes N9K#show system internal memory-alerts-log Make sure log is clean CPU D R A M D R A M
CPU & Memory Usage show processes cpu sort | head lines 12 PID Runtime(ms) Invoked uSecs 1Sec Process ----- ----------- -------- ----- ------ ----------- 3357 220 3100 7099 45.50% adjmgr 5853 31655 10181 3109 0.50% ipqosmgr 5859 9489 52308 181 2.00% diag_port_lb 3477 672 3107 216 0.50% netstack 3478 268 175 1535 0.50% ospf Possibly ARP Table Churn Provides top process using CPU cycle
N9K#run bash bash-4.2$ top top - 11:13:32 up 9 days, 3:34, 4 users, load average: 0.11, 0.11, 0.08 Tasks: 226 total, 1 running, 220 sleeping, 0 stopped, 5 zombie Cpu(s): 0.8%us, 0.2%sy, 0.0%ni, 98.5%id, 0.0%wa, 0.1%hi, 0.3%si, 0.0%st Mem: 16402328k total, 3445044k used, 12957284k free, 72676k buffers PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 1 root 20 0 2152 620 556 S 0 0.0 0:08.05 init 2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd 3 root 20 0 0 0 0 S 0 0.0 0:00.58 ksoftirqd/0 Top Command-display top CPU processes Auto update “top” provides an ongoing look at processor activity in real time
N9K#sh system internal mts buffers sum | diff node sapno recv_q pers_q npers_q log_q sup 320 0 0 4592 0 sup 284 0 19 0 0 sup 250 2 0 0 0 N9K#sh sockets client detail | inc pim|drops|Errors select drops: 10 Errors: select drops: 0 Errors: select drops: 0 Errors: Inter Process Messaging Usage For SAP 320 own by “OSPF” npers_q increasing Make Sure Drops/Errors not incrementing Message and transaction service-MTS
N9K#show hardware internal cpu-mac inband stats eth2 stats: RMON counters Rx Tx total packets 601163425 318962431 Per Queue Stats Queue Idx Packet Count Bytes Drops Csum Errors Allocation Failure Queue 0 17677525 111822449180 0 0 0 - - - - - - - - - - - - - - -SNIP- - - - - - - - - - - - - - - - - - - - - - - - Queue 7 17677525 111822449180 0 0 0 Interrupt Counters Rx overrun 0 Error counters Inband Driver Statistics-CPU Drops Rate statistics Rx packet rate (current/peak) 717 / 80695 pps Tx packet rate (current/peak) 360 / 1338 pps CRC errors/Collisions/late Collisions Alignment errors Symbol errors Sequence errors/Rx jabbers RX errors/Rx length errors
N9K# show system internal frame traffic | in drops Global input drops: bad-interface 0, bad-encap 0, failed-decap 0, Global output drops: eth_output_err 0, gre_err 0 otv_err 0 span_drop_en: 0 span_drops: 0 Crossbar down drops : 0 Flood_to_core LTL: Hits: 0 Misses: 0 Traffic Stats/Drops to CPU— (Cont’d) N9K# show system inband queuing statistics | in drop bpdu: recv 68, drop 0, congested 0 rcvbuf 2097152, sndbuf 262142 no drop 0 (q0): recv 1249377, drop 0, congested 0 rcvbuf 2097152, sndbuf 262142 no drop (q1): recv 4138154, drop 0, congested 0 rcvbuf 2097152, sndbuf 262142 no drop Drops From PKTmgr
Instant Buffer Utilization For CPU Port show hardware internal buffer info pkt-stats cpu [Q00-07] 0 0 0 0 0 0 0 0 [Q08-15] 0 0 0 0 0 0 0 0 [Q16-23] 0 0 0 0 0 0 0 0 [Q24-31] 0 0 0 0 0 0 0 0 [Q32-39] 0 0 0 0 0 0 0 0 [Q40-47] 0 0 0 0 0 0 0 0 • Total 48 Queues • Each Line Display Cell utilized for 8 queues • One Cell represent approximately 208 Bytes Congestion encountered if Counters keep incrementing
Ethernet Out Of Band Drops/Errors N9K#show hardware internal eobc stats | inc dropped RX packets:248308217 errors:0 dropped:0 overruns:0 frame:0 TX packets:71554006 errors:0 dropped:0 overruns:0 carrier:0 N9K# show system internal emon stats EMON MOD ONLINE BMP: 37f00067 FSM ID: 0 EOBCMON ======================================= HB tx_req 186396 module 1: rx_req 176410 rx_resp 176426 rx_miss 7 tx_resp 176410 Provides Stats for all Modules including Fabric module Heart bit miss
Instant Buffer Usage Stats N9K#show hardware internal buffer info pkt-stats mod 1 INSTANCE: 0 ---------------------------------------------------------- Output Shared Service Pool Buffer Utilization (in cells) SP-0 SP-1 SP-2 SP-3 ----------------------------------------------------------- Total Instant Usage 4474 0 89 2939 Remaining Instant Usage 25466 0 14255 3405 Peak/Max Cells Used 4821 0 327 3060 Switch Cell Count 29940 0 14344 6344 ---------------------------------------------------------- show hardware internal ns buffer info pkt-stats • Instant Buffer utilization per queue per port • One cell represents 208 bytes Show hardware internal buffer info pkt- stats input mod 1 • SP-3-Dedicted resource for Control Traffic • SP-0-Resource for Locally Switched Unicast ,Multicast and SPAN • SP-2 Extended Output queue for Unicast using buffers from North Star Buffer polling interval for 7.0 Release is 500msecs
N9K#show hardware internal buffer info pkt-stats mod 1 INSTANCE: 0 Output Shared Service Pool Buffer Utilization (in cells) SP-0 SP-1 SP-2 SP-3 ------------------------------------------------------------------------- Total Instant Usage 4474 0 89 2939 Remaining Instant Usage 25466 0 14255 3405 ------------------------------------------------------------------------- ASIC Port Q3 Q2 Q1 Q0 CPU SPAN [13] UC(OOBFC)->0 0 0 0 UC-> 0 0 0 1249 332 0 MC-> 0 0 0 3247 1996 0 Only printed if there is congestion • SP-3 Started filling the Queue • CPU buffer filling up Port 13 onwards are Front Panel Port Instant Buffer Usage Stats - With Buffer Usage
CoPP Drops We recommend that you use the strict default CoPP policy initially and then later modify the CoPP policies based on the data center and application requirements. Parameters Default Default policy Strict Default Policy 9 policy entries N9K# show policy-map interface control-plane mod 1 | in dropped dropped 0 packets; dropped 0 packets; dropped 0 packets; dropped 0 packets; dropped 7800 packets; Drops Seen for Default-Class at minimal rate is normal
CoPP Drops-Exception drops class-map copp-system-p-class-l3uc-data (match-any) match exception glean class-map copp-system-p-class-redirect (match-any) match access-group name copp-system-p-acl-ptp class-map copp-system-p-class-exception (match-any) match exception ip option match exception ip icmp unreachable match exception ipv6 option match exception ipv6 icmp unreachable class-map copp-system-p-class-exception-diag (match-any) match exception ttl-failure match exception mtu-failure Goal is to Classify all Traffic Using CoPP
Hardware Rate Limiter N9K# show hardware rate-limiter mod 1 Units for Config: packets per second Allowed, Dropped & Total: aggregated since last clear counters Module: 1 R-L Class Config Allowed Dropped Total +----------+-----+------------+------------+-------------+ L3 glean 100 0 0 0 L3 mcast loc-grp 3000 0 0 0 access-list-log 100 0 0 0 bfd 10000 1352890 0 1352890 fex 3000 0 0 0 span 50 0 0 0
FATAL System Errors N9K#show logging onboard mod 1 exception-log | incl FATAL prev 15 ------------------------------------------------------------------------ Date (mm/dd/yy)=01/15/15 Time (hs:mn:sec): 00:16:58 OBFL Exception log data for THIS SUP Module:0 ********* Exception info for module 0 ******** exception information --- exception instance 1 ---- Device Name : System Manager Device Errorcode : 0x0000023a ErrNum (devInfo) : 58 (0x3a) System Errorcode : 0x401e0089 Service in VDC has had a hap-reset Error Type : FATAL error
Common Interface Error counters and Status N9K# show interface counters errors mod 4 Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize OutDiscards -------------------------------------------------------------------------- Eth4/1 0 100 0 581 0 0 N9K# show interface status err-disabled Port Name Status Reason -------------------------------------------------------------------------- Eth4/1 err-disable link-flap
Interface Queuing Stats N9K#show queuing interface 4/18 Egress Queuing for Ethernet4/18 [System] QoS-Group# Bandwidth% PrioLevel Shape Qlimit Min Max Units 3 1 - - - 6(D) -------------------------SNIP-------------------------- 0 100 - - 6(D) ---------------------------------------------------- QOS GROUP 0 Unicast | OOBFC Unicast | Multicast Dropped Pkts | 0| 0| 0| ------------------------------------------------------------ QOS GROUP 7 Unicast | OOBFC Unicast | Multicast Dropped Pkts | 0| 0| 0|
N9K#show system internal interface counters mod 1 Internal Port Counters (150 secs rate) for Slot: 1 ==================================================== Interface ASIC ASIC BCM TxBitRate(BwUtil) TxPktRate RxBitRate(BwUtil) RxPktRate Port Inst Port (bps) (pps) (bps) (pps) ----------------------------------------------------------------------------------------- ii1/1/1 HG0 0 1 170512 (0.00) 0 0(0.00) 0 -------------------------------------------Snip------------------------------------------ ii1/1/14 HG1 1 2 0( 0.00) 0 1129882872(2.51) 960753 ii1/1/25 HG0 1 1 1790648 (0.00) 1043 22864(0.00) 20 Inter ASIC Utilization-HG Ports T2 #0 T2 #1 T2 #0 T2 #1 T2 #2 HG00HG00 Line Card Fabric Module
Verify Consistency Between Software and Hardware Table Table CLI Physical Interface show consistency-checker link-state Port-Channel Membership show consistency-checker membership port-channels Mac Address Table show consistency-checker l2 Vlan Membership show consistency-checker membership vlan L3 interface-LIF programming L3 interface-LIF programming –Logical Interface for Routing For RIB and FIB show consistency-checker forwarding ipv4 unicast
Consistency Checkers-Link and STP state N9K#show consistency-checker link-state mod 1 Link State Checks: Link state only Consistency Check: PASSED No inconsistencies found for: Ethernet1/1 2015 Mar 24 03:23:27 N9508a-SJ %$ VDC-1 %$ vshd: CC_LINK_STATE: Consistency Check: PASSED N9K# show consistency-checker stp-state vlan 18 Checks: Spanning tree state Consistency Check: PASSED 2015 Mar 24 03:25:21 N9508a-SJ %$ VDC-1 %$ vshd: CC_VLAN_STP_STATE: Consistency Check: PASSED
Consistency Checkers-Port Channel-Vlan Membership N9K# show consistency-checker membership vlan 18 Checks: Port membership of Vlan in vlan and egr_vlan table Ports configured as "switchport monitor” will be skipped Consistency Check: PASSED Vlan:18, Hardware state consistent for: Ethernet2/49 2015 Mar 24 03:28:31 N95a%$ VDC-1 %$ vshd: CC_VLAN_MEMBERSHIP: Consistency Check: PASSED N9K#show consistency-checker membership port-channels Checks: Trunk group and trunk membership table. Consistency Check: Failed Inconsistency found for port-channel1: Module:1, Unit: ['Ethernet3/49', 'Ethernet2/49'] Module:26, Unit: ['Ethernet3/49', 'Ethernet2/49’]
Consistency Checkers-Mac address Table N9K# show consistency-checker l2 module 1 Consistency check: PASSED Legend: * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC age - seconds since last seen, + - primary entry using vPC Peer-Link, (T) - True, (F) - False Missing entries in the HW MAC Table VLAN MAC Address Type age Secure NTFY Ports ---------+-----------------+--------+---------+------+----+------------------ Extra and Discrepant entries in the HW MAC Table VLAN MAC Address Type age Secure NTFY Ports ---------+-----------------+--------+---------+------+----+------------------
Consistency Checkers-L3 Interface N9K# show consistency-checker l3 mod 1 L3 LIF Checks: L3 Vlan, CML Flags, IPv4 Enable Consistency Check: PASSED No inconsistencies found for: Ethernet1/1 Ethernet1/2 Ethernet1/3 2015 Mar 24 04:07:27 N9508a-SJ %$ VDC-1 %$ vshd: CC_L3_LIF: Consistency Check: PASSED
Consistency Checker –Unicast Forwarding N9K#test consistency-checker forwarding Consistency check started. N9K# show consistency-checker forwarding ipv4 unicast module 1 IPV4 Consistency check (in progress): table_id(0x1) slot(1) Elapsed time : 8257 ms N9K# show consistency-checker forwarding ipv4 unicast module 1 IPV4 Consistency check : table_id(0x1) slot(1) Execution time : 13244 ms () No inconsistent adjacencies. No inconsistent routes. Consistency-Checker: PASS for 1
Gold Diagnostic Checks N9K# show diagnostic result mod 2 Module 2: 48x1/10G-T 4x40G Ethernet Module Test results:(.=Pass, F=Fail,I=Incomplete,U=Untested,A=Abort,E=Error disabled) 1) ASICRegisterCheck------------> . 2) PrimaryBootROM---------------> . 3) SecondaryBootROM-------------> . 4) OBFL-------------------------> . 6) BootFlash--------------------> . 7) AsicMemory-------------------> . 8) FpgaRegTest---------------- -> . 9) PortLoopback:--------------- > . Port 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 ----------------------------------------------------- U U U . U U U U . . U U U . U U RewriteEngineLoopback On Demand Diagnostic can be executed
Sev1/2 Syslog show logging logfile | incl -1-|-2- 2015 Feb 25 10:30:17 N9508a-SJ %PLATFORM-2-MOD_PWRUP: Module 26 powered up (Serial number SAL1738D37W) 2015 Feb 25 10:32:37 N9508a-SJ %XBAR-2-XBAR_HGLINK_NOT_UP: fabric link 1 on module 2 unit 0 connected to fabric module 26 unit:0 is not up during module bring up 2015 Feb 25 10:32:39 N9508a-SJ %MODULE-2-MOD_FAIL: Initialization of module 26 (Serial number: SAL1738D37W) failed 2015 Feb 25 10:32:39 N9508a-SJ %PLATFORM-2-MOD_PWRDN: Module 26 powered down (Serial number SAL1738D37W)
Troubleshooting Toolkit
Troubleshooting Toolkit • Ethanalyzer • TCP Dump • ELAM • Packet Tracer • Flex Counter • ERSPAN • Consistency Checkers
Ethanalyzer-When To Use it • To Analyze the traffic sent and received by CPU • It uses wireshark’s code (an open source software) • Troubleshooting High CPU • Troubleshoot Control Plane issues Ex. OSPF , PIM , STP Flap. SUP Netstack NIC-ETH2 Pseudo Inband Note: Ethanalyzer does not allow capturing of hardware switched traffic between data ports of the switch
Ethanalyzer-CLI N9K# ethanalyzer local interface inband capture-filter "pim” detail Capturing on inband Frame 1 (60 bytes on wire, 60 bytes captured) Arrival Time: Mar 24, 2015 10:01:10.018889000 -------Snip------------------ [Protocols in frame: eth:ip:pim] N9K#ethanalyzer local interface inband display-filter "ospf” detail Capturing on inband Frame 1 (82 bytes on wire, 82 bytes captured) Arrival Time: Mar 24, 2015 10:04:11.425523000 -------------------Snip-------------------- [Frame is marked: False] [Protocols in frame: eth:ip:ospf] Some Available Options autostop :Autostop decode-internal :Internal header decoding limit-captured-frames :Maximum number of
TCP Dump • Tcpdump command works on most flavors of Linux operating system • Helps to prints out a description of the contents of packets on a network interface • Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal –CTRL-C • Tcpdump output can be saved to file for further reference • More info at http://www.tcpdump.org/
Tcpdump -syntax Syntax: tcpdump -h tcpdump version 4.1.1 libpcap version 1.2.1 Usage: tcpdump [-aAbdDefIKlLnNOpqRStuUvxX] [ -B size ] [ -c count] [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds] [ -i interface ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ] [ -Z user ] [ expression ] bash-4.2# N9K# show feature | in bash Feature Name Instance State bash-shell 1 enabled N9K# run bash bash-4.2# sudo su Password:****** bash-4.2# whoami root bash-4.2# tcpdump –c 10 –I ps-inb
Tcpdump-Examples- bash-4.2# tcpdump -c 100 -w tcpdump.pcap -vvvv -i ps-inb tcpdump: WARNING: ps-inb: no IPv4 address assigned tcpdump: listening on ps-inb, link-type EN10MB (Ethernet), capture size 65535 bytes 100 packets captured 102 packets received by filter bash-4.2#cd /bootflash bash-4.2# tcpdump -tttt -r tcpdump.pcap | more reading from file tcpdump.pcap, link-type EN10MB (Ethernet) 2015-04-26 03:21:31.309350 00:0e:ee:01:1b:01 (oui Unknown) > 00:00:00:ff:ff:01 (oui Ethernet), ethertype Unknown (0x8833), length 160: 0x0000: 0000 fc08 0b00 0000 0000 0800 0000 0ffd ............... -------------------------------------more--------------------------------- Capturing 100 packets And writing to file Reading captured file
tshark bash-4.2$ tshark -i ps-inb Capturing on inband 0.000000 00:0e:ee:01:1b:01 -> 00:00:00:ff:ff:01 0x8833 Ethernet II 12.328377 00:0e:ee:01:1b:01 -> 00:00:00:ff:ff:01 0x8833 Ethernet II ^C2 packets captured bash-4.2$
Elam-Embedded Logic Analyzer Module-NS • Elam Allows to capture single packet based on Trigger • Triggers are configured using Packet information • Only Supported on North Star Based(ALE) Line Cards and GEMs • Use with TAC Supervision • Help to Answer following Questions • Was the Packet indeed Received by device on given Line card? • How did the Packet Look like? • How was the packet rewritten based on forwarding Decision made by T2? • Was the Packet correctly forwarded or Dropped?
ELAM Configuration 1. Init 2. Config 5. Reset 3. Arm 4. Read Trigger • Init – Initialize the ELAM – select the Asic instance, pipeline and select lines module-1# debug platform internal ns elam asic module-1(NS-elam)# trigger init ingress in-select 3 out-select 5 • Config – Configure the trigger based on different fields in the packet module-1(NS-elam-insel3)# set outer ipv4 src_ip 13.13.13.10 • Arm – Arm the trigger by setting the fields to match in hardware module-1(NS-elam-insel3)# start • Read – Once the trigger is triggered, read the report module-1(NS-elam-insel3)# report • Reset – Once the process is complete, reset the trigger to restart the process module-1(NS-elam-insel3)# reset
Elam Ingress & Egress Direction-TOR Front Panel 48x 1GE/10GE Ports GEM 4x 40GE QSFP+ Uplinks Trident II ASIC NorthStar ASIC 1 Network Interfaces 12 x 40G Hi-Gig2 12 x 40G Ethernet IP.Add=13.13.13.10 • Traffic entering GEM ports which has NS and exiting T2 is Egress Pipeline Ex. trigger init egress in-select 3 out-select 5 set outer ipv4 dst_ip 13.13.13.10 • Traffic Entering T2 and Exiting GEM ports is Ingress Pipeline Ex. trigger init ingress in-select 3 out-select 5 set outer ipv4 src_ip 13.13.13.10 IngressEgress
Elam Ingress & Egress Direction-EOR Front Panel 48x 1GE/10GE Ports 13.13.13.10 Trident II ASIC North Star ASIC Network Interfaces 12 x 40G Hi-Gig2 12 x 40G Ethernet N FE Fabric 1 N FE Fabric 3 Line Card • Traffic entering from Fabric Module in to NS of Line Card is Egress Pipeline Ex. trigger init egress in-select 3 out-select 5 set outer ipv4 dst_ip 13.13.13.10 • Traffic Entering NS and exiting towards Fabric Module is Ingress Pipeline Ex. trigger init ingress in-select 3 out-select 5 set outer ipv4 src_ip 13.13.13.10 IngressEgress
ELAM Sample Configuration & Key Info N9K# attach mod 6 module-6# debug platform internal ns elam asic 1 module-6(NS-elam)# trigger init egress in-select 3 out-select 5 module-6(NS-elam-insel3)# set outer ipv4 dst_ip 13.13.13.10 module-6(NS-elam-insel3)# start module-6(NS-elam-insel3)# status module-6(NS-elam-insel3)# report Eth5/1 Eth6/52 Nexus9508 with N9K-X9564TX 13.13.13.1/30 N9K-X9564TX 4 40Gig Port On NS 40 1/10 Gig On T2 13.13.13.10/30 If Packet Captured Status: Triggered
Important ELAM Fields GBL_C++: [MSG] - sideband is complete GBL_C++: [INFO] ovector: 000FFF GBL_C++ [INFO] hg2_srcmod: 0E GBL_C++ [INFO] hg2_srcpid: 0D GBL_C++ [INFO] hg2_dstmod: 11 GBL_C++ [INFO] hg2_dstpid: 0A GBL_C++ [INFO] ip_da: 000000000000D0D0D0A GBL_C++ [INFO] ip_sa: 000000000000D0D0D01 N9K# show interface hardware-mappings ------------------------------------------- ---------------------------- Name Ifindex Smod Unit HPort FPort NPort VPort ------------------------------------------ Eth5/2 1a280000 14 0 13 255 0 -1 Eth6/52 1a286600 17 1 10 255 51 -1 Information is in Hex Convert to Dec. Sideband is the result where packet will be sprayed. Should never be “0”
Packet Tracer-T2 • Helps to Trace the packet inside Switch. • Only packets in the direction of the flow are traced • Two Acls are installed for each filter on each Line card • One ACL for Front Panel Port Group • Second ACL for traffic exiting Fabric Module and ingressing Line card Trident II ASIC Network Interfaces FM Mod
Packet Tracer Configuration 13.13.13.10/30 Configure Filter Start Tracer Clear/Remove-all Stop Tracer Check Counter Filter rt test packet-tracer dst-ip 13.13.13.10 detail-fp test packet-tracer dst-ip 13.13.13.10 detail-hg test packet-tracer start test packet-tracer stop test packet-tracer show test packet-tracer clear remove
Sample Configuration & Identify Front Port-LC 13.13.13.10/30 N9K#test packet-tracer dst-ip 13.13.13.10 src-ip 13.13.13.1 detail-fp N9K#test packet-tracer show filter 1 non-zero Packet-tracer stats Module 6: Filter 1 installed: src-ip 13.13.13.1 dst-ip 13.13.13.10 detail-fp Module 21: Filter 1 installed: src-ip 13.13.13.1 dst-ip 13.13.13.10 detail-fp Module 26: Filter 1 installed: src-ip 13.13.13.1 dst-ip 13.13.13.10 detail-fp Eth6/52Eth6/1 Nexus9508 with N9K-X9564TX 13.13.13.1/30 13.13.13.10/30
Packet Tracer Sample Configuration & Key Info N9K# test packet-tracer start filter 1 N9K# test packet-tracer show filter 1 mod 6 non-zero Packet-tracer stats Module 6: Filter1 installed: src-ip 13.13.13.1 dst-ip 13.13.13.10 detail-fp ASIC instance 0: Entry 1: id = 7426, count = 5, active, fp, port 13 N9K# show interface hardware-mappings | grep 6/1 Name Ifindex Smod Unit Hport FPort Nport VPort Eth6/1 1a280000 16 0 13 255 0 -1 13.13.13.10/30 Eth6/52Eth6/1 Nexus9508 with N9K-X9564TX 13.13.13.1/30 13.13.13.10/30
Sample Configuration Identify Fabric Port LC From FM N9K# test packet-tracer dst-ip 13.13.13.10 src-ip 13.13.13.1 detail-hg N9K# test packet-tracer start filter 1 N9K# test packet-tracer show mod 6 non-zero Module 6: Filter 1 installed: src-ip 13.13.13.1 dst-ip 13.13.13.10 detail-hg ASIC instance 0: Entry 0: id = 7425, count = 68, stopped, fp, ASIC instance 1: Entry 1: id = 7426, count = 13, stopped, hg, port 1 Entry 2: id = 7427, count = 11, stopped, hg, port 2 13.13.13.10/30Eth6/52Eth8/1 Nexus9508 with N9K-X9564TX 13.13.13.1/30 13.13.13.10/30
Flex Counters –Adjacency Statistics • Flex counters used to count Next hop Adjacency stats • One can attach Stats to multiple Adjacency at same time • One Stat Counter per adjacency • Total Flex Counters are 16K per Switch
How To Configure Flex Counters N9K# sh ip route 13.13.13.10 IP Route Table for VRF "default" ‘'%<string>' in via output denotes VRF <string> 13.13.13.8/30, ubest/mbest: 1/0 *via 13.13.13.6, Eth6/52, [110/41], 00:33:14, ospf-10, intra N9K# test hardware internal adjacency statistics nexthop ipv4 13.13.13.6 interface ethernet 6/52 (enable |disable | show) 13.13.13.10/30 Eth6/52Eth6/1 Nexus9508 with N9K-X9564TX 13.13.13.1/30 13.13.13.10/30
Sample Configuration 13.13.13.10/30 N9K# test hardware internal adjacency statistics nexthop ipv4 13.13.13.6 interface ethernet 6/52 show Module:21 Unit:0 ------------------ Adjacency counters for nhip 13.13.13.6 if Ethernet6/52: Ucast: Packets 738 Bytes 90036 Mcast: Packets 0 Bytes 0 Module:22 Unit:1 ------------------ Adjacency counters for nhip 13.13.13.6 if Ethernet6/52: Ucast: Packets 946 Bytes 115412 Mcast: Packets 0 Bytes 0 Eth6/52Eth6/1 Nexus9508 with N9K-X9564TX 13.13.13.1/30 13.13.13.10/30
SPAN & ERSPAN • Switch Port Analyzer” • Provides efficient, high-performance traffic monitoring service • Duplicates network traffic to one or more monitor interfaces • Types Of SPAN • Local SPAN • Encapsulated Remote SPAN(ERSPAN) • Applications: • Troubleshooting connectivity issues • Base lining network utilization/performance • Detecting anomalous traffic flows • On Nexus9000 Span Traffic uses dedicated queue • Queue carrying SPAN traffic has low Priority over other queue’s during congestion
SPAN QOS Queue N9K# show queuing interface ethernet 4/18 | begin SPAN | SPAN QOS GROUP | +-----------------------------------------------------------------+ | | Unicast | OOBFC Unicast | Multicast | +------------------------------------------------------------------+ | Tx Pkts | 0| 0| 0| | Tx Byts | 0| 0| 0| | Dropped Pkts | 0| 0| 0| | Dropped Byts | 0| 0| 0| | Q Depth Byts | 0| 0| 0|
SPAN Configuration N9K(config)# monitor session 1 N9K(config-monitor)# source interface sup-eth 0 both N9K(config-monitor)# source interface ethernet 6/1 N9K(config-monitor)# destination interface ethernet 6/2 N9K(config-monitor)# No Shut N9K(config-monitor)# show monitor Session State Reason Description --- ----- ------------ -------------------- 1 up The session is up Local SPAN Session e6/1 e6/2 Local SPAN LocalSup-eth N9K(config)#int et 6/2 N9K(config-if)# switchport monitor
ERSPAN Configuration N9K(config)# monitor erspan origin ip-address 13.13.13.2 global N9K(config)# monitor session 1 type erspan-source N9K(config-erspan-src)# header-type 3 N9K(config-erspan-src)# source interface ethernet 6/1 N9K(config-erspan-src)# erspan-id 1 N9K(config-erspan-src)# ip ttl 16 N9K(config-erspan-src)# vrf default N9K(config-erspan-src)# destination ip 9.1.1.2 N9K(config-erspan-src)# marker-packet-2 N9K(config-erspan-src)# no shut Layer 3 e6/1 ERSPAN e6/2 L3 Only Supports Source ERSPAN Type-3 Header 32-bit Timestamp Supports on Nexus9300 only Marker packet carry original UTC time stamp to over come 32-bit wrapper issue
Consistency Checkers-Summary • Show consistency-checker stp-state vlan • Show consistency-checker link-state • Show consistency-checker membership vlan • Show consistency-checker membership port-channels • Show consistency-checker membership port-channels • Show consistency-checker l2 • Show consistency-checker l3 • Show consistency-checker forwarding ipv4 unicast
Nexus 9000 Troubleshooting
Understanding T2 interfaces-Xe0/hg N9K# bcm-shell mod 1 "show unit" Unit 0 chip BCM56852_A2 (current) Unit 1 chip BCM56852_A2 N9K#bcm-shell mod 1 “0:ps” ena/ speed/ link auto STP lrn inter max loop port link duplex scan neg? state pause discrd ops face frame back hg0 up 42G FD HW No Forward None FA XGMII 16360 hg2 up 42G FD HW No Forward None FA XGMII 16360 --------------------------------Snip---------------------------------- Hg11 up 42G FD HW No Forward None FA XGMII 16360 Xe0 !ena 40G FD HW No Disable None FA XGMII 1582 xe1 up 40G FD HW No Disable None FA XGMII 1582 --------------------------------Snip---------------------------------- Xe11 !ena 40G FD HW No Disable None FA XGMII 1582 Hg=Internal Ports Xe=Front Panel Port QSPF Ports QSPF Ports F P 01 F P 02 F P 03 F P 04 F P 05 F P 06 F P 07 F P 08 F P 09 F P 10 F P 11 F P 12 F P 13 F P 14 F P 15 F P 16 F P 17 F P 18 F P 19 F P 20 F P 21 F P 22 F P 23 F P 24 T2 Instance 0 T2 Instance 1 Eth1/1 Eth1/24 Xe0 Xe0 hg0 hg11 Xe11 Eth1/12 Xe11 Eth1/13 hg0 hg11
Layer -1 Issues- Transceiver Not Recognized N9K# show interface ethernet 4/18 transceiver details Ethernet4/18 transceiver is not present module-4# show hardware internal bcm-usd event-history xcvr 18 1) Event:E_STRING, length:135, at 220346 usecs after Thu Apr 16 20:50:17 2015 bcm_usd_xcvr_fcot_notify_default(941): [unit=0 nxosport=18 bcmport=30] fcot_state:0x2 fcot_type:0 sent MTS_OPC_FCOT_EVENT_INFO, rc 0x0 2) Event:E_STRING, length:93, at 647132 usecs after Thu Apr 16 20:50:14 2015 bcm_usd_xcvr_fcot_scan_sfp(3003): [unit=0 nxosport=18 bcmport=30] FCOT not supported err=-1
Interface MTU/Speed/Flow Control Verification N9K# show interface Ethernet 4/18 Ethernet4/18 is up admin state is up, Dedicated Interface Belongs to Po10 Hardware: 10000/40000 Ethernet, address: 7c69.f66e.d860 (bia 7c69.f66e.d860) MTU 9216 bytes, BW 40000000 Kbit, DLY 10 usec N9K# bcm-shell module 4 ” 1: ps Xe17" ena/ speed/ link auto STP lrn inter max loop port link duplex scan neg? state pause discrd ops face frame back xe17 up 40G FD HW No Disable None FA SR4 9298
Interface Flow Control Check N9K#Show interface ethernet 1/1 flowcontrol Port Send FlowControl Receive FlowControl RxPause TxPause admin oper admin oper ----------------------------------------------------------------------------- Eth1/1 off off off off 0 0 N9K#bcm-shell module 1 "ps" Wrong programming ena/ speed/ link auto TP lrn inter max loop port link duplex scan neg? state pause discrd ops face frame back xe0 up 10G FD HW No Disable TX RX None FA SFI 9298
Interface Input Drops N9K#bcm-shell mod1 “ cstat xe29” +------------------Programmable Statistics Counters[Port xe29]------+ | Type | No. | Value | Enabled For | +----------------------------------------------------------------- -+ | RX | 0(R)| 19163028| RIPD4 RIPD6 RDISC RPORTD | | | | | PDISC VLANDR | | | 1(R)| 28744286| IMBP | | | 4 | 993820| RPORTD FcmPortClass3RxDiscards | | | 6 | 19163407| RFILDR FcmPortClass2RxDiscards | | | 7 | 19163048| RDROP | | | 8 | 18169208| VLANDR | +-------------------------------------------------------------------+ | | 3(R)| 14704| TPKTD | | | 4(R)| 968303| TGIP4 TGIP6 FcmPortClass3TxFrames| | | 6 | 968303| TGIP4 FcmPortClass3TxFrames | +-------------------------------------------------------------------+ Ethernet1/30 is up Hardware: 1000/10000 Ethernet, address: 7426.acea.ceb9 (bia 7426.acea.ceb9) EtherType is 0x8100 0 input with dribble 1316 input discard bcm-shell mod 6 "cstat info" | gre VLANDR VLANDR Rx VLAN drops
Fabric Connectivity and Troubleshooting • In an 4-slot chassis N9K-C9504-FM has 1 T2 per module • In an 8-slot chassis N9K-C9508-FM has 2 T2 per module • In an 16-slot chassis N9K-C9516-FM has 4 T2 per module • FMs provides redundancy for internal data flow, the loss of FMs just increases the oversubscription factor. T2 T2 T2 T2T2 T2 N9K-C9508-FM-8 N9K-C9516-FM-16 T2 N9K-C9508-FM-4
Full-Rate Mode(FRM) V/S Oversubscribed Mode(OSM) • Each T2 have 32 40Gigport with total capacity of 1.2Tbps with “2” switching mode OSM(Default) - Uses all 32 40 Gig ports Line Rate achieved for packets > 200 Bytes FRM - Uses only 24 40 Gig ports Line rate achieved for > 64 Bytes Configuration Knob to Change the mode. N9K(config)# system fabric-mode full-rate Configuration effective after Reboot N9K#show system fabric-mode Applied System Fabric Mode:Full rate mode Use FRM mode to achieve line rate for 64 byte packets on 9636PQ , 9564PQ , 9564TX cards All other 94xx line cards will not be powered up in this mode
RTAG7 and DLB • Two Packet Hashing algorithm available from LC to FM • RTAG7-To Select HG Port use Packet Header. • For a flow same HG Link is used • DLB-Dynamic Load Balancing- Default algorithm • Initial Hash same as RTAG7 • Based on Link Quality pick up optimum HG Port • Better utilization of all HG links • N9K(config)# port-channel load-balance internal [dlb/rtg7] • N9K# show port-channel load-balance internal algorithm • HighGig port-channel load balance algorithm: dlb LC1 LC2 FM-2FM1 FM6 HG- Ports HG- Ports
Higig Link Failures – Fabric Module Policy • For any single Higig link failure between FM and LC Bring down the FM, if there is more than one FM Else bring down LC • Multiple Higig links failures for a Single LC going to Multiple FM - Bring down the LC module. • Multiple Higig links failures on LC to one of the FM - Bring down the LC module
4/8 slot Chassis – Fabric Connectivity N9K-X9536PQ T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T2 T 2 T 2 T2 40 Gig Link • 9500/9600 Series Line Card’s T2 have connectivity to all 6 Fabric Module’s T2 • 9400 series Line cards connects to all T2 but use only 4 Fabric Modules -No Connection to Slot 21 & 25 • Traffic between 9500/9600 Series Line Card and 9400 Line card will use subset Hi Gig links .
16 slot Chassis – Fabric Connectivity N9K-C9516-FM T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 N9K-X9536PQ T 2 T 2 T2 T 2 T 2 T2 • 9500 Series Line Card’s T2 will have connection to all 6 Fabric Module but to only 2 T2’s from each Fabric Module • 9500 series Line Card’s T2 will have connection to all 4 T2’s of Fabric module if there are only 3 Fabric module present • 9400 series cards connects to all T2 but use only 4 FM-No Connection to Slot 21 & 25 • Traffic between 9500 Series Line Card and 9400 will use subset Hi gig links. • N9K-X9636PQ line card module is not supported in 16 slot chassis 40 Gig Link
• With 3 FM configuration All 4 T2 units in each FM are connected to 9500 series LC modules' T2 units • Each blue line represents one 40 Gig link 16 slot Chassis – Fabric Connectivity T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 N9K-X9536PQ T2 T2
HG MUX1 HG MUX3 Northstar 1 Warpcore MF Port 7- 5 2- 0 31- 29 26- 24 T2 7- 5 26- 24 0- 2 3- 5 6-8 9- 11 FM24 FM23FM25FM26 FM22 FM21 HG MUX4 HG MUX2 HG MUX5 HG MUX6 MN Port 0 1 2 3 4 5 6 7 8 9 10 11 Northstar 2 MF Port 0- 2 9- 11 MN Port 0 1 2 3 4 5 6 7 8 9 10 11 T2 7- 5 2- 0 31- 29 26- 24 • Line cards N9K-X9464PX/TX , N9K-X9564PQ/TX have Mux • Mux used for connecting HiG Link from Line Cards to multiple Fabric Module • Mux available only for Half of the HiG interface of LC • By Default Mux Link Active to Odd number of Fabric Module Line Card Fabric Module’s Active Mux Link Standby Mux Link Line Cards With Mux to FM
FM Connectivity For N9K-X9564PX –With MUX show system internal fabric connectivity mod 5 | in B HiGIG Link-info Linecard slot:5 LC-Slot LC-Unit LC-HGLink MUX FM-Slot FM-Unit FM-HGLink 5 0 HG02 1B 25 0 HG12 5 0 HG03 1B 25 1 HG12 show system internal fabric connectivity mod 5 HiGIG Link-info Fabriccard slot:5 LC-Slot LC-Unit LC-HGLink MUX FM-Slot FM-Unit FM-HGLink 5 0 HG02 1A 26 0 HG14 5 0 HG03 1A 26 1 HG14 With FM from Slot 25 Down FM-26 T2-0 T2-1 HG014 LC T2-0 T2-1 FM-25 T2-0 T2-1 MUX HG02 HG03 HG012HG012 HG014 AB • Line cards N9K-X9464PX/TX , N9K-X9564PQ/TX have Mux • Mux used for connecting HiG Link from Line Cards to multiple Fabric Module • Mux available only for Half of the HiG interface of LC • By Default Mux Link Active to Odd number of Fabric Module
FM Connectivity For N9K-X9564PX –With MUX show system internal fabric connectivity mod 5 | in B HiGIG Link-info Linecard slot:5 LC-Slot LC-Unit LC-HGLink MUX FM-Slot FM-Unit FM-HGLink 5 0 HG02 1B 25 0 HG12 5 0 HG03 1B 25 1 HG12 show system internal fabric connectivity mod 5 HiGIG Link-info Fabriccard slot:5 LC-Slot LC-Unit LC-HGLink MUX FM-Slot FM-Unit FM-HGLink 5 0 HG02 1A 26 0 HG14 5 0 HG03 1A 26 1 HG14 With FM from Slot 25 Down LC T2-0 T2-1 FM-25 T2-0 T2-1 FM-26 T2-0 T2-1 MUX HG02 HG03 HG012HG012 HG014 HG014 LC T2-0 T2-1 FM-25 T2-0 T2-1 FM-26 T2-0 T2-1 MUX HG02 HG03 HG012HG012 HG014 HG014 A A B B
Fabric Troubleshooting commands show system internal fabric connectivity mod 1 HiGIG Link-info Linecard slot:1 LC-Slot LC-Unit LC-HGLink MUX FM-Slot FM-Unit FM-HGLink 1 0 HG00 - 21 0 HG00 1 0 HG01 - 21 1 HG00 show system internal fabric connectivity mod 21 HiGIG Link-info Fabriccard slot:21 FM-Slot FM-Unit FM-HGLink LC-Slot LC-Unit LC-HGLink MUX 21 0 HG00 1 0 HG00 21 1 HG00 1 0 HG01 T2 #0 T2 #1 T2 #0 T2 #1 T2 #2 Line Card Slot-1 Fabric Module Slot-21 HG00HG00
Fabric Port Drops and Link Status N9K# bcm-shell mod 21 "ps” | inc hg0 ena/ speed/ link auto STP lrn inter max loop port link duplex scan neg? state pause discrd ops face frame back hg0 up 42 FD HW No Forward None FA XGMII 16360 N9K# show hardware internal fabric interface asic counters mod 21 Counters for Fabric Ports: FabricInterface Forward Forward Error Pkt Error Pkt QOS Rx QOS Tx RxDrops TxDrops RxDrops TxDrops Drops Drops 0 / 1 / HG0 0 0 0 0 0 0 1 / 1 / HG0 0 0 1 0 0 0 0
Fabric Port STP State HW point of View N9K# sh vlan id 100 VLAN Name Status Ports ---- ------------------ --------- 100 VLAN0100 active Po1, Eth1/1 show sys internal xbar event-history {trace|errors|msgs|sw} show sys internal xbar-client event-history {trace|errors|msgs|sw} show tech-support xbar N9K# bcm mod 21 " stg show” STG 5: contains 1 VLAN (100) Forward: hg
Path of the Packet -Inband CPU NIC-Eth2 Netstack NIC-Eth3 System Controller-SC1 FabricModule FabricModule FabricModule Line Card Mod21 Mod26 Mod29 Mod23 OSPF Hello Eth6/1 • Traffic from all ingress Line Card to Supervisor will hash to one Fabric module • Traffic from Supervisor Card to Egress Line cad will hash on one FM. May not be same • CoPP is operational on all LC. However aggregate CoPP is on FM
Check for Drops/Errors-Line Card N9K#show hardware internal interface ethernet 6/1 asic counters Important Counters/Drops --------------- --------- --------- --------- --------- --------- --------- Interface Name Forward Forward Error Pkt Error Pkt QOS Rx QOS Tx RxDrops TxDrops RxDrops TxDrops Drops Drops --------------- --------- --------- --------- --------- --------- --------- Ethernet6/1 870 0 100 0 0 0 --------------- --------- --------- --------- --------- --------- --------- Forward Rx Drops = [ RDBGC0 RDBGC4 RDBGC6 RDBGC7 RDBGC8 ] Forward Tx Drops = [ TDBGC1 TDBGC3 TDBGC5 (excludes expected Multicast drops)] ErrorPkt Rx Drops= [ IUNHGI IUNKOPC RFCS RALN RFLR RERPKT RJBR RSCHCRC RUND RMTUE] ErrorPkt Tx Drops= [ TJBR TFCS TRPKT RMTUE TUFL TPCE ] QOS Rx Drops = [ RDISC DROP_PKT_ING DROP_PKT_IMTR DROP_PKT_YEL DROP_PKT_RED ] QOS Tx Drops = [ MCQ_DROP_PKT(0) MCQ_DROP_PKT(1) MCQ_DROP_PKT(2) Use slot <#> show hardware internal interface indiscard-stats instance <#> N9K#bcm-shell mod 6 "listreg RALN"| grep Description Description: Receive Alignment Error Frame Counter Trident II ASIC North Star ASIC Network Interfaces Line Card RDBGC0
Instant Buffer Usage Stats-With Buffer Usage N9K#show hardware internal buffer info pkt-stats mod 6 INSTANCE: 0 Output Shared Service Pool Buffer Utilization (in cells) SP-0 SP-1 SP-2 SP-3 ------------------------------------------------------------------------- Total Instant Usage 4474 0 89 2939 Remaining Instant Usage 25466 0 14255 3405 ------------------------------------------------------------------------ ASIC Port Q3 Q2 Q1 Q0 CPU SPAN [13] UC(OOBFC)-> 0 0 0 0 UC-> 0 0 0 1249 332 0 MC-> 0 0 0 3247 1996 0 Only printed if there is congestion • SP-3 Started filling the Queue • CPU buffer filling up
CoPP Drops on Line Card N9K# show policy-map interface control-plane mod 6 class copp-system-p-class- critical | in ospf|trans|dropped match access-group name copp-system-p-acl-ospf transmitted 21898 packets; dropped 0 packets; Trident II ASIC North Star ASIC Network Interfaces Line Card
Identify FM -Check CoPP Drops N9K# show hardware internal cpu-mac inband active-fm traffic-to-sup Active FM Module for traffic to sup: 0x00000015 Fabric Module in Slot 21 carry all traffic to Sup N9K# show policy-map interface control-plane mod 21 class copp-system-p-class- critical | in ospf|trans|dropped match access-group name copp-system-p-acl-ospf match access-group name copp-system-p-acl-ospf6 transmitted 21898 packets; dropped 0 packets;
Check for Drops/Errors-Fabric Module N9K# show system internal fabric connectivity mod 6 | grep 21 Identify HG Port on LC and FM LC-Slot LC-Unit LC-HGLink MUX FM-Slot FM-Unit FM-HGLink 6 0 HG10 3B 21 0 HG15 N9K# sh hardware internal fabric interface asic counters module 6 instance 0 asic-port 11 Important Counters/Drops Verify Drops/Error on HG port on LC FabricInterface Forward Forward Error Pkt Error Pkt QOS Rx QOS Tx RxDrops TxDrops RxDrops TxDrops Drops Drops 0 / 11 / HG10 0 0 0 0 0 0 N9K# sh hardware internal fabric interface asic counters mod 21 in 0 asic-port 16 RxDrops TxDrops RxDrops TxDrops Drops Drops 0 / 11 / HG15 0 0 0 0 0 0
Verify Drops Between FM and SC module-21# show mvdxn internal port-status Switch type: Marvell 98DXN11 - 10 port switch Fabric Module in Slot 21 Port Descr Enable Status ANeg Speed Mode InByte OutByte InPkts OutPkts 3 SC1EPCswitch Yes UP No 2 6 109548011 117051401 274144 587285 module-29# show mvdxn internal port-status Switch type: Marvell 98DXN11 - 10 port switch System Controller in Slot 29 Port Descr Enable Status ANeg Speed Mode InByte OutByte InPkts OutPkts 7 FM1EPCswitch Yes UP No 2 6 746159513 60543666 620863 269592 10 port switch on System controller and Fabric module connect SC to FM FABRIC CARD System Controller MVDXN-SW MVDXN-SW
Drops/Errors On Supervisor N9K#show hardware internal cpu-mac inband counters in eth|ps- inb|dro eth2 Link encap:Ethernet HWaddr 00:00:00:01:1b:01 RX packets:2922013 errors:0 dropped:0 overruns:2 frame:0 TX packets:1652929 errors:0 dropped:0 overruns:0 carrier:0 eth3 Link encap:Ethernet HWaddr 00:00:00:01:1b:01 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 ps-inb Link encap:Ethernet HWaddr 00:00:00:01:1b:01 RX packets:54204 errors:0 dropped:3579 overruns:0 frame:0 TX packets:50626 errors:0 dropped:0 overruns:0 carrier:0 Netstack NIC-Eth2 Pseudo Inband NIC-Eth3 Supervisor Card
Drops/Errors On Supervisor-Cont. N9K#show hardware internal cpu-mac inband stats | in errors|rate|Queue Queue Idx Packet Count Bytes Drops Csum Errors Allocation Failure Queue 0 65429 580195964 2 0 0 Queue 7 65429 580195964 0 0 0 CRC errors ...................... 0 Alignment errors ................ 0 Symbol errors ................... 0 Carrier extension errors .........0 Rx packet rate (current/peak) 812 / 1097 pps Tx packet rate (current/peak) 454 / 741 pps Related show tech(s) Nexus9500# sh tech-support inband counters Nexus9500# show tech-support pktmgr Nexus9500# show tech-support <service>
L2 Mac And Vlan Table Verification N9K# sh mac address-table dynamic vlan 100 Legend: * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC age - seconds since last seen,+ - primary entry using vPC Peer-Link, (T) - True, (F) - False VLAN MAC Address Type age Secure NTFY Ports * 100 547f.ee1c.06fc dynamic 0 F F Eth6/1 N9K# bcm-shell mod 6 " l2 show" | in Hit mac=54:7f:ee:1c:06:fc vlan=100 GPORT=0x800800d modid=16 port=13/xe0 Hit N9K# bcm-shell mod 6 "vlan show 100” vlan 100 ports xe0,hg ....... untagged xe0 interface Ethernet6/1 switchport switchport access vlan 100 no shutdown Eth6/1 Mac=547f:ee1c.06fc
Spanning Tree Verification N9K# sh spanning-tree interface ethernet 6/1 Vlan Role Sts Cost Prio.Nbr Type VLAN0100 Desg FWD 4 128.1537 P2p N9K# bcm-shell mod 6 "dump vlan 100” VLAN.ipipe0[100]: <VP_GROUP_BITMAP=0x00000……STG=0X67 FID_ID=0x64 N9K# bcm-shell mod 6 "stg stp 103” STG 103: Block: xe1-xe47 Forward: xe0,hg interface Ethernet6/1 switchport switchport access vlan 100 no shutdown Eth6/1 Mac=547f:ee1c.06fc N9K# Dec 0x67=103 STG= STP Group ID N9K# Dec 0x64=100 FID_ID=Vlan ID.
Unicast L3 Forwarding • T2 has combination of dedicated TCAM table space and shared hash table memory known as Unified Forwarding Table (UFT) • The UFT is partitioned into three forwarding tables • MAC Address Table • IP Host Table • Longest Prefix Match-LPM Table • To maximize the system-wide forwarding scalability UFT tables on line cards and fabric modules for different forwarding lookup functions FM LC Feature Scale L3 Host Table And L2/L3 Multicast 120K L2 Mac Table 96K Feature Scale L3 LPM Table 128K
Unicast L3 Forwarding- Component Information Hardware-T2 uFDM Supervisor AM uRIB OSPF ARP FIB Manager Forwarding Hardware Theory of Operation Software/Hardware Programming • OSPF communicates with uRIB to build the routing table • AM builds the next-hop adjacency entry • uFDM distributes the information to the line cards • IP FIB (running on the line cards) programs the ASIC components with the forwarding and adjacency information. Remember: Software forwarding by the SUP is only used for control and exception packets
L3 Unicast Troubleshooting Flow HW Programming On LC/FM Use BCM commands Next-Hop Check the routing table Checking Route on RIB And FIB. ARP/MAC Check the ARP Table Check Forwarding Route Show ip route [ipv4] [<prefix>] Show ip arp [ipv4] show ip adjacency (Ipv4] show forwarding adjacency platform [ipv4] module <mod> show forwarding [ipv4] route module <mod> bcm-shell mod 22 "l3 defip show"
Unicast L3 Forwarding- Two Possible Scenarios Case 1: If incoming packet hit /32 host route on LC, forwarding decision is made on LC Case 2: If incoming packet miss /32 host route on LC. Now for Longest Prefix match (LPM) the packet get forwarded to FM • Install a default route 0.0.0.0/0 on Line Cards using the virtual MOD ID for Fabric Module as the DMOD to force Line Cards to forward LPM packets to Fabric Modules • Fabric Modules perform LPM lookup and forward packets to the resolved Destination MOD/Destination PORT Also will verify How to Check ECMP Route
Network Diagram-Problem Definition 13.13.13.0/30 13.13.13.12/30 .1 13.13.13.8/30 .2 .17 .9 .10 N9K# Nexus3064Q-ESC# N9508d-SJ# N9508c-SJ# Nexus3064Q-ESC# ping 13.13.13.10 PING 13.13.13.10 (13.13.13.10): 56 data bytes Request 0 timed out Nexus3064Q-ESC# traceroute 13.13.13.10 traceroute to 13.13.13.10 (13.13.13.10), 30 hops max, 40 byte packets 1 13.13.13.2 (13.13.13.2) 1.124 ms 0.911 ms 0.752 ms 2 * * * .18 .13 .14 13.13.13.16/30
Router MAC Programming Check • Router Mac address must be programmed in Hardware N9K1#show interface ethernet 6/1 | grep address Hardware: 100/1000/10000 Ethernet, address: 003a.99fc.dd7f N9K1# bcm-shell mod 6 "0:d chg my_station_tcam" | grep dd7f MY_STATION_TCAM.ipipe0[0]: <VALID=1,------snip----MAC_ADDR=0x003a99fcdd7f,
Verify /32 Host Route on Line card-Case 1 N9K1#show ip route 13.13.13.14 13.13.13.14/32, ubest/mbest: 1/0, attached *via 13.13.13.14, Eth6/33, [250/0], 00:37:24, am N9K1#bcm-shell mod 6 "0:l3 l3table show" | grep 13.13.13.14 Entry VRF IP address Mac Address INTF MOD PORT CLASS HIT 10 1 13.13.13.14 00:00:00:00:00:00 100010 0 0 0 y N9K1#bcm-shell mod 6 "0:l3 egress show"| grep 100010 Entry Mac Vlan INTF PORT MOD MPLS_LABEL ToCpu Drop 100010 88:f0:31:bf:ad:17 4095 4432 45 16 -1 no no N9K1#show system internal ethpm info interface ethernet 6/33 | grep -i STATIC IF_STATIC_INFO: port_name=Ethernet6/33,if_index:0x1a284000,ltl=40875,slot=5, nxos_port=32,dmod=16,dpid=45, /32 Host Entry
Next Hop Reached via L3-Port Channel N9K1#show ip route 10.164.112.22 10.164.112.22/32, ubest/mbest: 1/0 *via 13.13.13.14, Po200, [110/3], 00:09:33, ospf-10, intra N9K1#bcm-shell mod 6 "0:l3 l3table show" | grep 10.164.112.22 Entry VRF IP address Mac Address INTF MOD PORT CLASS HIT 175660 1 10.164.112.22 00:00:00:00:00:00 100012 0 0 0 y N9K1#bcm-shell mod 6 "0:l3 egress show"| grep 100012 Entry Mac Vlan INTF PORT MOD MPLS_LABEL ToCpu Drop 100010 88:f0:31:bf:ad:17 665 4761 3t 0 -1 no no N9K1#show system internal ethpm info interface port-channel 200 |grep –I STATIC IF_STATIC_INFO: port_name=port-channel200,if_index:0x160000c7,ltl=2597,slot=0, nxos_port=02,dmod=0,dpid=3, /32 Host Entry
Verify HW-Programming on LC or FM ? Case 2 N9K# show ip route 13.13.13.10 IP Route Table for VRF "default” 13.13.13.8/30, ubest/mbest: 1/0 *via 13.13.13.6, Eth6/52, [110/41], 00:22:29, ospf-10, intra N9K# show forwarding route 13.13.13.10 module 21 IPv4 routes for table default/base Prefix | Next-hop Interface | Labels 13.13.13.8/30 13.13.13.6 Ethernet6/52 This is not /32 host Route. Packet forwarding decision responsibility is of the Fabric Module ALL FM will be programmed with this Route
Line Card Punting Packets to Fabric For LPM ? N9K# show hardware internal forwarding adjacency statistics default-route mod 6 Module:6 Unit:0 Traffic matched adjacency for default route (destined to FM): Unicast: Packets 148 Bytes 13382 N9K# bcm-shell mod 6 "0:l3 defip show" Unit 0, Total Number of DEFIP entries: 12288 # VRF Net addr Next Hop Mac INTF MODID PORT PRIO CLASS HIT VLAN 3072Override 0.0.0.0/0 00:00:00:00:00:00 149149 0 0 0 0 y N9K# bcm-shell mod 6 "l3 egress show" | inc 149149 Entry Mac Vlan INTF PORT MOD MPLS_LABEL ToCpu Drop 149149 00:12:12:12:12:12 4095 8189 1 100 -1 no no Mod 100 is assign to Fabric Module
Longest Prefix Match on Fabric Module N9K# bcm-shell mod 22 "l3 defip show" | grep 13.13.13.8 # VRF Net addr Next Hop Mac INTF MODID PORT PRIO CLASS HIT VLAN 196620 1 13.13.13.8/30 00:00:00:00:00:00 100008 0 0 0 0 n N9K# bcm-shell mod 22 "l3 egress show" | grep 100008 Entry Mac Vlan INTF PORT MOD MPLS_LABEL ToCpu Drop 100008 88:f0:31:bf:ad:17 4095 4520 10 17 -1 no no N9K# show system internal ethpm info interface eth 6/52 | grep dmod IF_STATIC_INFO: port_name=Ethernet6/52,if_index0x1a286600,ltl=40856,slot=5,nxos_port=51, dmod=17,dpid=10,unit=1, Mac add used for rewrite
ECMP Route Validation N9K#show ip route 10.164.112.22 10.164.112.22/32, ubest/mbest: 2/0 *via 13.13.13.14, Eth6/33, [110/5], 01:11:55, ospf-10, intra *via 13.13.13.18, Eth6/34, [110/5], 01:11:55, ospf-10, intra N9K#sh routing hash 13.13.13.2 10.164.112.22 mod 6 Hashing to path *13.13.13.18 Out Interface: Eth6/34 N9K#bcm-shell mod 6 "0:l3 l3table show" | grep 10.164.112.22 Entry VRF IP address Mac Address INTF MOD PORT CLASS HIT 17 1 10.164.112.22 00:00:00:00:00:00 200256 0 0 0 n (ECMP) N9K#bcm-shell mod 6 "l3 multipath show" Multipath Egress Object 200256 Interfaces: 100008 100010 Follow same steps demonstrated for /32 Host entry to learn about Interface in multipath show cli Multi-Path
Use Tools From Toolkit • ELAM- IF Line Card has North Star module-6# debug platform internal ns elam asic 1 module-6(NS-elam)# trigger init egress in-select 3 out-select 5 module-6(NS-elam-insel3)# set outer ipv4 dst_ip 13.13.13.10 • Packet Tracer- For All FM and LC having T2 N9K# test packet-tracer dst-ip 13.13.13.10 src-ip 13.13.13.1 detail-fp • Flex Counter- Check Adjacency hit counter N9K# test hardware internal adjacency statistics nexthop ipv4 13.13.13.6 interface ethernet 6/52 enable • Consistency Checker show consistency-checker forwarding ipv4 unicast show tech-support forwarding l3 unicast show tech-support adjmgr show tech routing unicast
Virtual Port-Channel-vPC • Allow a single device to use a port channel across two upstream switches • Eliminate STP blocked ports • Dual-homed server operate in active-active mode • HSRP-Both active and standby peers forward packets-ARP response by Active • Configuration steps Same as other Nexus Products Logical Topology with vPC
Case:1 All vPC Leg UP MCT-1/1, 4/1 N9k1 N9k2 vPC20vPC10 Eth4/18 Eth6/20 Keep Alive Eth4/18 Eth6/20 SVI10 10.10.10.1/24 SVI-Mac 78da.6e71.9a3f Standby 10.10.10.3 HSRP-Mac 0000.0c07.ac0a SVI20 SVI-mac 78da.6e71.9a3f 10.10.20.1/24 Standby 10.10.20.3 HSRP-Mac 0000.0c07.ac14 Switch-A Switch-B Vlan-10 Vlan-20 10.10.10.x/24 20.20.20.x/24 HOST-A HOST-B SVI10 10.10.10.2/24 SVI-mac 003a.99fc.dd7f Standby 10.10.10.3 HSRP-Mac 0000.0c07.ac0a SVI20 SVI-mac 003a.99fc.dd7f 10.10.20.2/24 Standby 10.10.20.3 HSRP-Mac 0000.0c07.ac14 Scenario: Traffic of a Host in Vlan 10 connected to Switch-A hash to N9K1 to reach Host in Vlan 20 connected to Switch-B PC1-PeerLink vPC Peer Link =Eth1/1,4/1
vPC-Router MAC Programming Check • Both Active and Standby Peer responsible for L3 switching • Virtual Mac address must be programmed in Hardware on Both peers Interface Grp Prio P State Active addr Standby addr Group addr Vlan10 10 100 Active 10.10.10.2 local 10.10.10.3 N9K1# bcm-shell mod 4 "0:d chg my_station_tcam" | grep VLAN_ID=0xa VLAN_ID=0xa,VALID=1, MAC_ADDR=0xc07ac0a, Interface Grp Prio P State Active addr Standby addr Group addr Vlan10 10 100 Standby 10.10.10.2 local 10.10.10.3 N9K2# bcm-shell mod 4 "0:d chg my_station_tcam" | grep VLAN_ID=0xa VLAN_ID=0xa,VALID=1, MAC_ADDR=0xc07ac0a,
vPC Peer Gateway Programming Check • Are N9K’s Configured with Peer-Gateway N9K1-SJ# show mac address-table vlan 10 | in G * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC G 10 0000.0c07.ac0a static - F F vPC Peer-Link(R) G 10 003a.99fc.dd7f static - F F sup-eth1(R) N9K2 SVI MAC G 10 78da.6e71.9a3f static - F F vPC Peer-Link® N9K# bcm-shell mod 4 "0:d chg my_station_tcam" | egrep 0x003a99fcdd7f MY_STATION_TCAM.ipipe0[0]: <VALID=1,MAC_ADDR_MASK=0xffffffffffff,MAC_ADDR=0x003a99fcdd7f,KEY=0x00000000003 a99fcdd7f,IPV6_TERMINATION_ALLOWED=1,IPV4_TERMINATION_ALLOWED=1,DATA=0x38,ARP_R ARP_TERMINATION_ALLOWED=1>
vPC Check For Traffic Ingressing Peer Link Egress Block Mask • vPC Check-Traffic from Peer Link should Not L2/L3 Switch with local and remote Legs up N9K1# show vpc brief | grep Po id Port Status Active vlans 1 Po1 up 10-20 id Port Status Consistency Reason Activevlans 10 Po10 up success success 10-20 20 Po20 up success success 10-20 N9K2# show vpc brief | grep Po id Port Status Active vlans 1 Po1 up 10-20 id Port Status Consistency Reason Activevlans 10 Po10 up success success 10-20 20 Po20 up success success 10-20 MCT-1/1, 4/1 N9k1 N9k2 vPC20vPC10 Eth4/18 Eth6/20 Keep Alive Eth4/18 Eth6/20 Switch-A Switch-B PC1-PeerLink
MCT-1/1, 4/1 N9k1 N9k2 vPC20vPC10 Eth4/18 Eth6/20 Keep Alive Eth4/18 Eth6/20 Switch-A Switch-B PC1-PeerLink vPC Check for Traffic Ingressing Peer Link (Cont’d) N9K1#show port-ch summary | in Po Group Port- Type Protocol Member Ports 1 Po1(SU) Eth LACP Eth1/1(P)Eth4/1(P) 10 Po10(SU)Eth LACP Eth4/18(P) 20 Po20(SU)Eth LACP Eth6/20(P) N9K1# show system internal vpcm info mask module 6 Masked ports for Module 6, Unit 0: [Src Port None]: Eth6/20 [Src Port Eth1/1]: Eth6/20 [Src Port Eth4/1]: Eth6/20 Masked ports for Module 6, Unit 1: Traffic Ingressing on Eth1/1 and Eth4/1 will not exit Eth 6/20
ACL redirect logic for routed packets-vPC Leg Down • Redirect ACL installed to redirect routed packets for the vPC for which local interface goes down • Mac address learned from vPC points virtual port MCT-1/1, 4/1 N9k1 N9k2 vPC20vPC10 Eth4/18 Eth6/20 Keep Alive Eth4/18 Eth6/20 Switch-A Switch-B PC1-PeerLink Link Down N9K1# show hardware access-list tcam region | grep vpc VPC Convergence [vpc-convergence] size = 512 N9K1# sh mac address-table address30f7.0d9b.d401 VLAN MAC Address Type age Secure NTFY Ports 20 30f7.0d9b.d401 dynamic 0 F F vPC Peer-Link
ACL redirect logic for routed packets-vPC Leg Down • On N9K1 traffic entering Eth6/20 after L3 switch should egress Peer Link • N9K2 Should not drop traffic entering Peer link and forward traffic out to Eth 4/8 MCT-1/1, 4/1 N9k1 N9k2 vPC20vPC10 Eth4/18 Eth6/20 Keep Alive Eth4/18 Eth6/20 Switch-A Switch-B PC1-PeerLink Ln Down N9K# bcm-shell module 6 "fp show group 57” InPorts->L3Routable DstTrunk Offset: 213 Width: 16 DATA=0x00008003 action={act=RedirectTrunk, param0=1(0x1) Trunk-id of vPC Peerlink Trunk-id of “3” Down vPC
ACL redirect logic for routed packets-Verify TrunkID N9Ka# show system internal ethpm info int port-channel1 | grep dpid IF_STATIC_INFO: port_name=port-channel1,if_index:0x16000000,ltl=2595,slot=95 dpid=1,unit=0,queue=0,xbar_unitbmp=0x0 ns_pid=0 N9508a-SJ# show system internal ethpm info int port-channel10 | grep dpid IF_STATIC_INFO: port_name=port-channel10,if_index:0x16000000,ltl=2595,slot=95 dpid=3,unit=0,queue=0,xbar_unitbmp=0x0 ns_pid=0 show tech-support vPC show tech-support cfs show tech-support port-channel Some important info to capture
ACL redirect logic for routed packets-Verify TrunkID NX-OS -7.0(3)I1(2) N9508a-SJ# show system internal access-list vpc-convergence mod 6 ------------------------------------------------------------ VPC Convergence Entries ------------------------------------------------------------ Instance: 0 ========== Ingress: ---------- Entry-ID DstTrunk-GID RedirectTrunk-GID Packet-Count ------------------------------------------------------------------------ 1539 3 1 6082015 Trunk-id of “3” Down vPC Trunk-id of vPC Peerlink
Nexus9000 Specific Limitation and Goodies
Email from Nexus9000 To Cisco SR • Commands output directly sent to email address • Information from Nexus9000 Can be directly attached to Service Request. • Information is sent as body to email- not as attachment N9K(config)# email N9K(config-email)# smtp N9K(config-email)# smtp-host 173.37.37.37 N9K(config-email)# from N9508a-sj@cisco.com N9K(config-email)# smtp-port 25 show run | email subject <SR-number> attach@cisco.com
Bash Support !!!! • Goes beyond what standard CLI can provide • Customers demand more capabilities/freedom Creativity • Feature: bash-shell • User Role: dev-ops or network-admin or vdc-admin* • Strongly recommended: Some experience with shell/Linux-Use with extreme care
Broadcom ASIC shell access on the Nexus 9000 !!! • The Nexus 9000 is based largely on the Broadcom Trident II ASIC-Known as T2 • The modular unit Fabric Modules (FM) and Line Cards (LC) each contain multiple instances of the T2 ASIC, as well as the TOR (top of rack) units • Access is provided to each and every instance of the T2 ASIC • No additional license is required to access the bcm-shell • Permitted by default role network-admin • Role based access control (RBAC) can be used to limit user access • Accounting log available for BCM activity
BCM Access some Examples N9K# bcm-shell mod 6 "show unit" Unit 0 chip BCM56852_A2 (current) Unit 1 chip BCM56852_A2 N9K# bcm-shell mod 6 "ps" | in 19 xe19 up 1G FD SW Yes Disable None FA XGMII 1582 N9K# show accounting log | last 2 Mon Apr 20 08:31:52 2015:type=update:id=console0:user=admin:cmd=bcm-shell module 6 "show unit" (SUCCESS) Mon Apr 20 08:32:14 2015:type=update:id=console0:user=admin:cmd=bcm-shell module 6 "ps" | in 19 (SUCCESS) QSPF Ports QSPF Ports F P 01 F P 02 F P 03 F P 04 F P 05 F P 06 F P 07 F P 08 F P 09 F P 10 F P 11 F P 12 F P 13 F P 14 F P 15 F P 16 F P 17 F P 18 F P 19 F P 20 F P 21 F P 22 F P 23 F P 24 T2 Instance 0 T2 Instance 1 Eth1/1 Eth1/24 Xe0 Xe0 hg0 hg11 Xe11 Eth1/12 Xe11 Eth1/13 hg0 hg11
BCM Access some Examples (Cont’d) N9K# bcm-shell mod 21 "config show l3" l3_alpm_enable=2 l3_max_ecmp_mode=1 l3_mem_entries=16384 N9K# bcm-shell mod 4 "config show l2 ” l2xmsg_hostbuf_size=16384 l2_mem_entries=98304
Python !!!! • Python is - Established, Modern and Powerful, Clean, lots of libraries, liberal license • Perl is available in gdb images only – not available in final images • Tcl is there but no one uses it in NX-OS • The license that Python has (GPL-Like with very few restrictions on modification, distribution and commercial use) make it very attractive to embed and distribute • On the box applications that can currently use Python scripts • Embedded Event Manager • Power On Auto Provisioning (POAP) • Create your own scripts that are like “Super commands” • Create your own command modifiers – the things that act on commands applied with a pipe “|”
Python-Continued • There are two Python environments on the N9000 • One executed from VSH • One executed from Bash • Both run in their own forked process • The main differences comes from the environment that they get initialized into • These differences between them should be minimal • There is a sandbox that should primarily contain lower privileged users • Network-admin users get basically a “pure” 2.7.5 python environment • That sandbox mostly applies to lower privileged users, they may be prevented from doing certain things in python • Also prevents file operations on files outside of bootflash
Python-Example N9K# python Python 2.7.5 (default, Oct 8 2013, 23:59:43) [GCC 4.6.3] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> N9K# run bash python Python 2.7.5 (default, Oct 8 2013, 23:59:43) [GCC 4.6.3] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> switch between VSH and the Interpreter (Bash 1) switching between VSH and Python
Python Script Example
Why Patching? Begin Code Test & Qualification Cycle Target Deployment Bug Found, Diagnose, Root Cause Defect Resolved, integrated into Maint. Maint. Released Restart Qual Cycle Actual Deployment 6 Months 10 Months Many customers spend extensive time and effort to test and qualify software prior to deployment. In today’s environments, if a defect is found, effectively root-caused, and integrated, since it is rolled out through a maintenance release, customers would need to restart their qualification cycle, wasting time, and pushing out deployment dates…
NX-OS Image Patching Begin Code Test & Qualification Cycle Target Deployment Bug Found, Diagnose, Root Cause Defect Resolved, Patch Released Continue Qual With additional tests Actual Deployment 6 Months 7 Months The Nexus9000 Standalone platforms introduces new patching capabilities that allows specific defects to be rolled out in an independent package that can be applied to existing base software binaries. This will help reduce customer code certification times, leading to greater customer satisfaction.
Patching Overview • NXOS platforms release major versions when introducing new features and engineering special builds to provide bug fixes. • The new goal will be to allow customers to deploy patches for specific fixes only without affecting the data plane of the device. • The patching architecture comes from IOS XR (SMU – Software Maintenance Upgrade) used to deliver Quick, Effective and Focused patches for specific sections of code. • Both binaries and libraries can be patched. • Supervisors and Line Card services can be patched. • Software patching will leverage process restart/reload or ISSU
Patch Uninstall Workflow - Detailed • User invokes “install deactivate <patch_name>” • System manager gracefully shuts down each impacted process • Softlinks are changed from active SMU to one in backup folder (if present). • Relevant SMU is removed from the /var/installer/activated/SMU directory. • System Manager triggers restart of impacted processes • (Optional) “install remove” deletes the patch from the local repository
CLI Commands – Patch Install Command Syntax Function Notes Install add install add <uri> [activate] Download patch from URI and add patch to repository. Only one patch can be added at a time. Optionally can activate patch in this step. Install remove install remove [<package> | inactive] User can remove only non- activated patches Confirmation y/n will be prompted Install activate install activate <package> [test] Installs a patch from the local repository. If not present, an error will be returned. Only one patch can be activated at a time. No show commands permitted during operation. Install deactivate install deactivate <package> Uninstall patch and move it to non- activated repository Only one patch can be deactivated at a time. **Patches must have no other patch dependencies Install commit install commit Preserves all activated patches across reloads. Activated patches are committed to a list kept in the patch repository
CLI Commands – Show Commands Command Function Sample show install request Shows current install operation along with time stamp, package name, initiating user and % complete. Fri May 10 09:06:55.921 UTC Install operation 13 '(admin) ‘install activate n9000-dk.6.0.2.U1.1.CSCuf08219.bin’ Started by user 'cisco' via CLI at 09:06:48 UTC Fri May 10 2013 The operation is 10% complete show install log [id | detail | from | last | reverse] Shows user information on previous installation operations. Optional [detail] command for verbose information. Install operation 1 by user ‘admin’ at Tue Sep 28 01:37:02 2004: install commit Operation completed successfully Install operation 2 by user ‘admin’ at Mon Oct 18 17:26:36 2004: install add tftp://10.52.241.252/bcarter/n3000-uk9.6.0.2.U1.1.CSCuf08219.bin Operation completed successfully Install operation 7 by user ‘lab’ at Mon Oct 18 17:31:13 2004: install activate n3000-uk9.6.0.2.U1.1.CSCuf08219’ Operation failed because service failed to come up. show install active [on- reload] Displays boot images and active or committed patches switch# show install active Boot Images: Kickstart Image: bootflash:/n9000-dk.6.1.234.gbin System Image: package:/isanboot/bin/images/sys Active Packages: n9000-dk.6.1.1.CSCui56298.bin
CLI Commands – Show Commands (Cont’d) Command Function Sample show install inactive [on- reload] Shows patches in the repository not yet activated switch# show install inactive Boot Images: Image: bootflash:/inseor.6.1.1.234.gbin System Image: package:/isanboot/bin/images/sys Inactive Packages: switch# show install pkg-info <package> Shows details of a specific patch. Requires that patch has been added using ‘install add’ first. switch# show install pkg-info n9000-dk.6.1.1.CSCui56298.bin Contents of Package file 'n9000-dk.6.1.1.CSCui56298.bin': Expiry date : Jan 19, 2015 02:55:56 UTC Uncompressed size : 17892613 Vendor : Cisco Systems Desc : Bug Fix for CDET: CSCui56298 Build : Built on Wed May 10 08:04:58 UTC 2013 Source : By n9k-infra-bld Platform: Nexus-9000. Supersedes: n9000-uk9.6.1.1.U1.1.CSCuf09119, n9000-uk9.6.1.1.U1.1.CSCuf02229 Pre-requisite: n9000-uk9.6.1.1.U1.1.CSCuf09219 Restart information: BGP process restart.
Sample Patch Install – Copy Patch to Switch N9K# copy scp://sdn@172.18.217.42/home/sdn/n9k/inseor_CSCuxP1fix.6.1.2.I1.2.CSCab00001.gbin bootflash: Enter vrf (If no input, current vrf 'default' is considered): management sdn@172.18.217.42's password: inseor_CSCuxP1fix.6.1.2.I1.2.CSCab00001.gbin 100% 233KB 232.7KB/s 00:01 Copy complete, now saving to disk (please wait)... N9508# N9508# dir | grep .gbin 238230 Jan 15 10:52:31 2014inseor_CSCuxP1fix.6.1.2.I1.2.CSCab00001.gbin N9508#
Sample Patch Install – Add patch to repository & verify N9K# install add bootflash:inseor_CSCuxP1fix.6.1.2.I1.2.CSCab00001.gbin Install operation 19 completed successfully at Wed Jan 15 10:55:14 2014 N9508# N9K# show install packages ----------------------------------------------------------- inseor_CSCuxP1fix.6.1.2.I1.2.CSCab00001.gbin inactive-commit Modules Module #27: inactive-commit Module #28: inactive-commit ----------------------------------------------------------- N9K# show install inactive Inactive Packages: inseor_CSCuxP1fix.6.1.2.I1.2.CSCab00001.gbin N9K#
Important Limitations • For every Feature please review Guidelines and Limitations • Cisco Nexus 9000 Series NX-OS Verified Scalability Guide http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6- x/scalability/guide_34/b_Cisco_Nexus_9000_Series_NX-OS_Verified_Scalability_Guide_612I34.html • Only one software image (called nx-os) is required to load the Cisco NX-OS operating system. • EPLD Upgrade are recommended but are not mandatory • User Configured MAC address for SVI- Packets will not be flooded if Layer 2 Adjacency is missing • Diagnostic-The Port Loop back and Boot up Port Loop back tests are not supported • ASIC Memory-NS test is applicable only for the N9K-X9564PX and N9K-X9564TX line cards. • Priority flow control (PFC) is supported on Cisco Nexus 9500 Series switches with the N9K- X9636PQ line card. • FEX is supported only on the Cisco Nexus 9372PX and 9396PX switches. • Cisco Nexus 9500 Series Switch can run in 8-queue mode only if all of its line cards are capable of running 8-queue mode.
Participate in the “My Favorite Speaker” Contest • Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress) • Send a tweet and include • Your favorite speaker’s Twitter handle <Speaker—enter your Twitter handle here> • Two hashtags: #CLUS #MyFavoriteSpeaker • You can submit an entry for more than one of your “favorite” speakers • Don’t forget to follow @CiscoLive and @CiscoPress • View the official rules at http://bit.ly/CLUSwin Promote Your Favorite Speaker and You Could Be a Winner
Complete Your Online Session Evaluation Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online • Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. • Complete your session surveys though the Cisco Live mobile app or your computer on Cisco Live Connect.
Continue Your Education • Demos in the Cisco campus • Walk-in Self-Paced Labs • Table Topics • Meet the Engineer 1:1 meetings • Related sessions
Thank you
Backup Slides Backup Slides !!!!
Fabric Module NFE Fabric Module for Nexus 9504 NFE NFE Fabric Module for Nexus 9508 NFE NFE NFE NFE Fabric Module for Nexus 9516 Chassis Type Nexus 9504 Nexus 9508 Nexus 9516 NFEs per Fabric Module 1 2 4
Nexus 9500 Platform FRU- Line Card Connect to Fabric Modules Connect to Hosts or Network NFE 1 ALE 1 12 x 42 Gbps Network Interfaces 12 x 42 Gbps 18x 40 Gbps Ethern et 18x 40Gbps NFE NFE 12 x 40 Gbps12 x 40 Gbps NFE 12 x 40 Gbps N F E Fabric 1 N F E N F E Fabric 2 N F E N F E Fabric 3 N F E N F E Fabric 4 N F E N F E Fabric 5 N F E N F E Fabric 6 N F E 1 x 42 Gbps 1 x 42 Gbps
N9K-X9636PQ HG Ports HG Ports HG Ports QSPF PortsQSPF PortsQSPF Ports FP 01 FP 02 FP 03 FP 04 FP 05 FP 06 FP 07 FP 08 FP 09 FP 10 FP 11 FP 12 FP 13 FP 14 FP 15 FP 16 FP 17 FP 18 FP 19 FP 20 FP 21 FP 22 FP 23 FP 24 FP 25 FP 26 FP 27 FP 28 FP 29 FP 30 FP 31 FP 32 FP 33 FP 34 FP 35 FP 36 FM3 FM4FM2FM1 FM5 FM6 T2 Instance 0 T2 Instance 1 T2 Instance 2
N9K-X9464PX HG Ports HG Ports 10G SFP+ Ports 40G QSFP FM3FM2 FM4 FM6 MUX1-2 MUX3-4 T2 FP 1 FP 2 FP 3 FP 4 FP 5 FP 6 FP 7 FP 8 FP 9 FP 10 FP 11 FP 12 FP 13 FP 14 FP 15 FP 16 FP 17 FP 18 FP 19 FP 20 FP 21 FP 22 FP 23 FP 24 FP 25 FP 26 FP 27 FP 28 FP 29 FP 30 FP 31 FP 32 FP 33 FP 34 FP 35 FP 36 FP 37 FP 38 FP 39 FP 40 FP 41 FP 42 FP 43 FP 44 FP 45 FP 46 FP 47 FP 48 FP 49 FP 50 FP 51 FP 52
N9K-X9464TX HG Ports HG Ports 100/1000/10000 T Ports 40G QSFP FM3FM2 FM4 FM6 MUX1-2 MUX3-4 T2 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY FP 49 FP 50 FP 51 FP 52 FP 1 FP 2 FP 3 FP 4 FP 5 FP 6 FP 7 FP 8 FP 9 FP 10 FP 11 FP 12 FP 13 FP 14 FP 15 FP 16 FP 17 FP 18 FP 19 FP 20 FP 21 FP 22 FP 23 FP 24 FP 25 FP 26 FP 27 FP 28 FP 29 FP 30 FP 31 FP 32 FP 33 FP 34 FP 35 FP 36 FP 37 FP 38 FP 39 FP 40 FP 41 FP 42 FP 43 FP 44 FP 45 FP 46 FP 47 FP 48
N9K-X9432PQ QSPF PortsQSPF Ports HG Ports HG Ports FP 01 FP 02 FP 03 FP 04 FP 05 FP 06 FP 07 FP 08 FP 09 FP 10 FP 11 FP 12 FP 21 FP 22 FP 23 FP 24 FP 25 FP 26 FP 27 FP 28 FP 29 FP 30 FP 31 FP 32 FM3 FM4FM2 FM6 T2 Instance 0 T2 Instance 2 FP 13 FP 14 FP 15 FP 16 FP 17 FP 18 FP 19 FP 20
N9K-X9564PQ 10G SFP+ Ports 40G QSFP HG MUX1 HG MUX3 FP 49 FP 50 FP 51 FP 52 FP 1 FP 2 FP 3 FP 4 FP 5 FP 6 FP 7 FP 8 FP 9 FP 10 FP 11 FP 12 FP 13 FP 14 FP 15 FP 16 FP 17 FP 18 FP 19 FP 20 FP 21 FP 22 FP 23 FP 24 FP 25 FP 26 FP 27 FP 28 FP 29 FP 30 FP 31 FP 32 FP 33 FP 34 FP 35 FP 36 FP 37 FP 38 FP 39 FP 40 FP 41 FP 42 FP 43 FP 44 FP 45 FP 46 FP 47 FP 48 Northstar 1 Warpcore MF Port 7-5 2-0 31-29 26-24 T2 7-5 26-24 0-2 3-5 6-8 9-11 FM4 FM3FM5FM6 FM2 FM1 HG MUX4 HG MUX2 HG MUX5 HG MUX6 MN Port 0 1 2 3 4 5 6 7 8 9 10 11 Northstar 2 MF Port 0-2 9-11 MN Port 0 1 2 3 4 5 6 7 8 9 10 11 T2 7-5 2-0 31-29 26-24
N9K-X9564TX 100/1000/10000 T Ports 40G QSFP HG MUX1 HG MUX3 T2 FP 49 FP 50 FP 51 FP 52 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY FP 1 FP 2 FP 3 FP 4 FP 5 FP 6 FP 7 FP 8 FP 9 FP 10 FP 11 FP 12 FP 13 FP 14 FP 15 FP 16 FP 17 FP 18 FP 19 FP 20 FP 21 FP 22 FP 23 FP 24 FP 25 FP 26 FP 27 FP 28 FP 29 FP 30 FP 31 FP 32 FP 33 FP 34 FP 35 FP 36 FP 37 FP 38 FP 39 FP 40 FP 41 FP 42 FP 43 FP 44 FP 45 FP 46 FP 47 FP 48 Northstar 1 MF Port 7-5 2-0 31-29 26-24 T2 7-5 26-24 0-2 3-5 6-8 9-11 FM4 FM3FM5FM6 FM2 FM1 HG MUX4 HG MUX2 HG MUX5 HG MUX6 MN Port 0 1 2 3 4 5 6 7 8 9 10 11 Northstar 2 MF Port 0-2 9-11 MN Port 0 1 2 3 4 5 6 7 8 9 10 11
Multicast L3 Forwarding • Before hardware can forward any Multicast packets, forwarding information has to propagate from Sup to the LC • Several layers are to be verified: MRIB (control-plane is created here) MFDM PI /PD (platform independent & forwarding information) • MFIB-IPFIB • IP FIB process programs hardware: FIB Table contains (*,G) and (S,G) forwarding entries and RPF information GROUP table contains forwarding and pointers replication information (pointers to MC VLAN) MC VLAN tables contain replication information (~OIF lists) Hardware (packets are forwarded here) & SDK Supervisor MRIB MF DM IP FIB IGMPPIM MSDP T2 FIB Table MC VLAN Table IPMC_GR Line Card
L2/L3 Multicast Packet Walk Fabric Module Trident II Parser Network Interfaces L2/L3 Lookup & pkt rewrite 10GE 40GE EACL Egress Q Trident II Parser L2/L3 Lookup & Pkt rewrite EACL Egress Q Trident II IACL Traffic Classification & Remarking IACL Traffic Classification& Remarking Network Interfaces 10GE 40GE Lkup in Host Table & L2 Table Lookup to resolve egr. modules; Sends one copy to each egr. module; Examines ingress packet. Get packet headers for processing. Lookup for local receiving ports; replicate pkts onto those ports.L2/L3 mcast lookup; Replicate pckts to local receiving ports; Send 1 copy to fabric module;
Multicast L3 Forwarding-MRIB N9K# show ip mroute 239.10.10.10 shared-tree IP Multicast Routing Table for VRF "default” (*, 239.10.10.10/32), uptime: 00:23:32, ip pim Incoming interface: Ethernet6/1, RPF nbr: 13.13.13.1 Outgoing interface list: (count: 1) Ethernet6/52, uptime: 00:22:42, pim Supervisor MRIB MF DM IP FIB PIM MSDPIGMP
Multicast L3 Forwarding-mFDM PI-Supervisor N9K# show forwarding distribution multicast outgoing- interface-list l3 1 Outgoing Interface List Index: 1 Reference Count: 4 Platform Index: 0xb00001 Number of Outgoing Interfaces: 1 t6/52 N9K# show forwarding distribution ip multicast route group 239.10.10.10 source 13.13.13.14 | in 13|Index (13.13.13.14/32, 239.10.10.10/32), RPF Interface: Ethernet6/1, flags: Outgoing Interface List Index: 1 Supervisor MRIB MF DM IP FIB PIM MSDPIGMP
Multicast L3 Forwarding IPFIB-Line card N9K# show forwarding ip multicast route group 239.10.10.10 source 13.13.13.14 mod 6 | inc 239|Eth (13.13.13.14/32, 239.10.10.10/32), RPF Interface: Ethernet6/1, flags: Outgoing Interface List Index: 1 Outgoing Interface List Index: 0x1 Ethernet6/52 T2 FIB Table MC VLAN Table IPMC_GR Line Card Mod 6 is N9K-X9564TX To reach Ethernet 6/52 which is on NS from front port of T2,Packets need to cross Fabric module
Multicast L3 Forwarding Entries on LC –BCM Shell N9K# bcm-shell mod 6 "ipmc table show" SRC IP ADDRESS MC IP ADDRESS MC GROUP VID VRF COS HWIDX CLASS HIT 13.13.13.14 239.10.10.10 0x2000007 0 1 0 75680 1 no 0.0.0.0 239.10.10.10 0x2000007 0 1 0 86578 2 no N9K#bcm-shell module 6 "mc show group=0x2000007" Group 0x2000007 (L3) port hg0, encap id -1 -------snip------------ port hg11, encap id -1 T2 FIB Table MC VLAN Table IPMC_GR Line Card Traffic spared to Hig towards Fabric
Multicast L3 Forwarding Entries on LC –BCM Shell N9K# bcm-shell mod 6 " search l3_entry_ipv4_multicast group_ip_addr=0xef0a0a0a source_ip_addr=0x0d0d0d0e” L3_ENTRY_IPV4_MULTICAST.ipipe0[75680]: SOURCE_IP_ADDR=0xd0d0d0e, GROUP_IP_ADDR=0xef0a0a0a, L3MC_INDEX=7 N9K# bcm-shell mod 6 " dum chg l3_entry_ipv4_multicast 75680” IPV4MC:EXPECTED_L3_IIF=0x112e, N9K# show system internal eltm info interface ethernet 6/1 | in LIF cr_flags = INTF LIF , LIF = 4398 (0x112e), LTL = 40959 (0x9fff) (S 0x0, P 0x0) T2 FIB Table MC VLAN Table IPMC_GR Line Card show tech-support multicast` show tech-support forwarding multicast
IGM Snooping Forwarding programming in vPC Scenario • IGMP Process Provides both Layer 3 IGMP Processing , and Layer 2 IGMP snooping functionality • Receivers use IGMP (Internet Group Management Protocol) to report their multicast group Membership to router • Layer 2 IGMP Snooping functions of IGMP process include processing snooped multicast router Packets Including IGMP reports and leaves sent by receiver • Once the group membership is learned , the Supervisor Engine informs I/O modules , which program Hardware • This will Constrain data-plane multicast packets to only those ports with multicast routeror interested receivers in HW
IGMP Snooping continued… • BCM on FM are in Mode 4. This will have L2 Table size of 32K & L3 Host Table 16K • L3 Host table will be used to program (*,G) /(S,G) entry. This will will accommodate maximum of 8K entry. • MFDM sends two OIF List information to MFIB. One for LC (S,G) OIF List and other for FM ( Mac, Group) OIF List in PIM disable Vlan. • MFIB will use (S,G) OIF list to program LC and Mac Group to Program FM in 32K L2 Table. • If PIM is enable FM can accommodate 8K(VRF, S,G) and will program Hardware. • Address aliasing is possible because on FM we use L2 table to program Mac Group information
IGMP Snooping (Cont’d) • With vPC IGMP will have knowledge of multi chassis Ether Channel trunk (MCT) interface. • When one of the vPC peer receives IGMP join , it will sync up this with peer over MCT link using cFS-Cisco Fabric Services over Ethernet . • Duplication of traffic crossing MCT is avoided using Port block Mask • VPC Support PIM-SM Only • For source in VPC domain – dual Forwarders are used • For Source in Layer 3 Cloud , Unicast best metric determines active forwarder • VPC Operational Primary in case of tie. CFS used to negotiate active Forwarder role
Configuration-IGMP Snooping enable by default Nexus9508-13# sh ip igm snooping vlan 103 IGMP Snooping information for vlan 103 IGMP snooping enabled Lookup mode: IP Optimised Multicast Flood (OMF) enabled IGMP querier present, address: 10.10.103.5, version: 2, i/f Po30 Nexus9508-13# sh ip igm snooping vlan 100 IGMP Snooping information for vlan 100 IGMP snooping enabled Lookup mode: IP Optimised Multicast Flood (OMF) enabled IGMP querier present, address: 192.168.100.2, version: 2, i/f Vlan100 Querier interval: 125 secs Querier last member query interval: 1 secs
Reference Topology for Troubleshooting N35K Eth 1/17,Eth 1/19 , Eth 1/33-34 N9508-12 N9508-13 N93k vPC 35vPC30 vPC Keep Alive vPC Peer Link PO-10 Ixia 10/2-Source Ixia 10/1-Receiver Eth1/3/1-4 Eth 6/9/1-4 Eth 1/48 Eth1/48 Eth 3/1-2 Eth 3/1-2 Eth 1/17-18 ,Eth 1/33-34
IGMP Snooping Troubleshooting • Stream will enter one of the VPC-Peer , Which will get forwarded across Peer link to other VPC Peer • Both boxes will have (S ,G) • Upon Creation of (S,G) , VPC Peers negotiate best metric • Both realize source is VPC-Connected • Install Entry as Win-Force • If either peer gets a PIM/IGMP Join for the given source , they both add Interface to OIF Nexus9508-12(config)# sh ip pim internal vpc rpf-source PIM vPC RPF-Source Cache for Context "default" - Chassis Role Primary Source: 192.168.100.10 Pref/Metric: 0/0 Source role: primary Forwarding state: Win-force (forwarding) MRIB Forwarding state: forwarding Nexus9508-13# sh ip pim internal vpc rpf-source PIM vPC RPF-Source Cache for Context "default" - Chassis Role Secondary Source: 192.168.100.10 Pref/Metric: 0/0 Source role: secondary Forwarding state: Win-force (forwarding) MRIB Forwarding state: forwarding
• IGMP Join from one of the receiver enter one of the VPC Pee. • This Peer encapsulates IGMP in CFS , sends to other Peer • Both Peer have identical State • Both Peer install OIF • Data traffic flows down to Receiver, also forwarded to other Peer on Peer Link • Other Peer drop the packet either by PORT BLOCK MASK blocking or no OIF Nexus9508-ESC-12# sh ip mroute 239.10.10.10 192.168.100.10 IP Multicast Routing Table for VRF "default" (192.168.100.10/32, 239.10.10.10/32), uptime: 01:00:09, ip pim mrib Incoming interface: Vlan100, RPF nbr: 192.168.100.10, uptime: 01:00:09, internal Outgoing interface list: (count: 1) Vlan101, uptime: 00:59:40, mrib Nexus9508-ESC-12# Nexus9508-ESC-13# sh ip mroute 239.10.10.10 192.168.100.10 IP Multicast Routing Table for VRF "default" (192.168.100.10/32, 239.10.10.10/32), uptime: 04:25:36, ip pim mrib Incoming interface: Vlan100, RPF nbr: 192.168.100.10, uptime: 04:25:36 Outgoing interface list: (count: 1) Vlan101, uptime: 02:04:41, mrib Nexus9508-ESC-13# vPC Peer receiving Join
Step to verify PI On Supervisor. Verify on Both Peers Nexus9508-ESC-12# sh ip igmp groups 239.10.10.10 IGMP Connected Group Membership for VRF "default" - matching Group "239.10.10.10" Type: S - Static, D - Dynamic, L - Local, T - SSM Translated Group Address Type Interface Uptime Expires Last Reporter 239.10.10.10 D Vlan101 00:01:23 00:02:56 192.168.101.13 Nexus9508-ESC-12# Nexus9508-ESC-13# sh ip igmp groups 239.10.10.10 IGMP Connected Group Membership for VRF "default" - matching Group "239.10.10.1 0" Type: S - Static, D - Dynamic, L - Local, T - SSM Translated Group Address Type Interface Uptime Expires Last Reporter 239.10.10.10 D Vlan101 00:01:18 00:03:01 192.168.101.13 Nexus9508-ESC-13#
CFS Provide info Nexus9508-ESC-12# sh ip igmp snooping groups vlan 101 detail IGMP Snooping group membership for vlan 101 Group addr: 239.10.10.10 Group ver: v2 [old-host-timer: not running] Last reporter: 192.168.101.10 IGMPv2 member ports: IGMPv1/v2 memb ports: Po35 [1 GQ missed], cfs:false, native:true vPC grp peer-link flag: exclude M2RIB vPC grp peer-link flag: exclude Nexus9508-ESC-12# Nexus9508-ESC-13# sh ip igm snooping groups vlan 101 det IGMP Snooping group membership for vlan 101 Group addr: 239.10.10.10 Group ver: v2 [old-host-timer: not running] Last reporter: 192.168.101.10 IGMPv2 member ports: IGMPv1/v2 memb ports: Po35 [0 GQ missed], cfs:true, native:false vPC grp peer-link flag: exclude M2RIB vPC grp peer-link flag: exclude Nexus9508-ESC-13#
Verifying Multicast forwarding Distribution Module Platform Independent On Supervisor Nexus9508-ESC-12# sh forwarding distribution multicast route group 239.10.10.10 source 192.168.100.10 (192.168.100.10/32, 239.10.10.10/32), RPF Interface: Vlan100, flags: Received Packets: 1073 Bytes: 36977 Number of Outgoing Interfaces: 2 Outgoing Interface List Index: 10 Vlan100 ( Mem L2 Ports: port-channel10 ) Vlan101 ( Mem L2 Ports: port-channel35 ) Note: On shutting down local vpc only, igmp does not send update to mfdm/ipfib to update the mroute state. That is why you did not see mfdm/ipfib removing local vpc. So if local leg of vPC is down we will still PC in the above output. Not showing PC 10 for Vlan 101 because of exclude flag seen while checking igmp snooping stats.
Verifying Multicast forwarding Distribution Module Platform Independent On Supervisor-(Cont’d) Nexus9508-12# sh forwarding multicast route group 239.10.10.10 source 192.168.100.10 mod 1 (192.168.100.10/32, 239.10.10.10/32), RPF Interface: Vlan100, flags: Received Packets: 1111 Bytes: 72215 Outgoing Interface List Index: 9 Number of next hops: 2 Outgoing Interface List Index: 9 Vlan: 101 port-channel35 bridged Vlan port-channel10 Hardware Outgoing Interface List Index: 33554443
Verifying Multicast forwarding Distribution Module Platform Independent On Supervisor-IGMP-Snooping Nexus9508-12# sh forwarding distribution ip igmp snooping vlan 101 group 239.10.10.10 det Vlan: 101, Group: 239.10.10.10, Source: 0.0.0.0 Outgoing Interface List Index: 4 Reference Count: 1 Platform Index: 0xa00004 Vpc peer link exclude flag set Number of Outgoing Interfaces: 2 port-channel10 port-channel35 Nexus9508-13# sh forwarding distribution ip igmp snooping vlan 101 group 239.10.10.10 det Vlan: 101, Group: 239.10.10.10, Source: 0.0.0.0 Outgoing Interface List Index: 5 Reference Count: 1 Platform Index: 0xa00005 Vpc peer link exclude flag set Number of Outgoing Interfaces: 2 port-channel10 port-channel35
Verifying Multicast Forwarding Distribution Module Platform Independent On Supervisor-Snooping Group. Nexus9508-12# sh forwarding distribution l2 multicast mac-based vlan 101 Vlan: 101, Group: 0100.5e0a.0a0a, Source: 0000.0000.0000 Outgoing Interface List Index: 3 Reference Count: 1 Platform Index: 0xa00003 Vpc peer link exclude flag set Number of Outgoing Interfaces: 2 port-channel10 port-channel35 Nexus9508-13# sh forwarding distribution l2 multicast mac-based vlan 101 Vlan: 101, Group: 0100.5e0a.0a0a, Source: 0000.0000.0000 Outgoing Interface List Index: 8 Reference Count: 1 Platform Index: 0xa00008 Vpc peer link exclude flag set Number of Outgoing Interfaces: 2 port-channel10 port-channel35
IPFIB on LC for IGMP Snooping programming. Nexus9508--12# sh forwarding multicast route group 239.10.10.10 source 192.168.100.10 mod 1 (192.168.100.10/32, 239.10.10.10/32), RPF Interface: Vlan100, flags: Received Packets: 5708 Bytes: 371020 Outgoing Interface List Index: 5 Number of next hops: 2 Outgoing Interface List Index: 5 port-channel30 (Vlan: 101) port-channel10 (bridged) Hardware Outgoing Interface List Index: 33554441 Nexus9508-13# sh forwarding multicast route group 239.10.10.10 source 192.168.100.10 mod 6 (192.168.100.10/32, 239.10.10.10/32), RPF Interface: Vlan100, flags: Received Packets: 6798 Bytes: 441870 Outgoing Interface List Index: 19 Number of next hops: 2 Outgoing Interface List Index: 19 port-channel30 (Vlan: 101) port-channel10 (bridged) Hardware Outgoing Interface List Index: 33554437
Nexus9508--12# bcm-shell mod 1 "mc show group=33554441" Executing mc show group=33554441 on bcm shell on module 1 Group 0x2000009 (L3) port hg0, encap id 400005 port hg1, encap id 400005 port xe10, encap id 21 port xe11, encap id 21 Verifying Hardware Programming Nexus9508-12# bcm-shell mod 3 "mc show group=33554441" Executing mc show group=33554441 on bcm shell on module 3 Group 0x2000009 (L3) port hg0, encap id 400005 port xe0, encap id -1 port xe1, encap id -1 Nexus9508-12# sh system internal eltm info interface vlan 101 | in LIF cr_flags = INTF VLAN , LIF = 21 (0x15), LTL = -1 (0xffffffff) (S 0x0, P 0x0) Nexus9508-ESC-12# If we see encap id a positive # then it is LIF If we see encap id = -1 then it is L2 bridge copy.
Nexus9508-12# bcm-shell module 1 "l2 show" | in MCast mac=01:00:5e:0a:0a:0a vlan=101 GPORT=0x0 modid=0 port=0 Static Hit MCast=33554435 mac=01:00:5e:0a:0a:14 vlan=100 GPORT=0x0 modid=0 port=0 Static MCast=33554435 Nexus9508-12# sh ip igmp gr vlan 100 From BCM to check what is HW index for given Group • Static entry of Mcast group • Hit Bit indicate flow is present • Mcast Index is where the traffic need to bridge show tech-support ip igmp snooping show tech-support ip multicast

More Related Content

PDF
Network Programming: Data Plane Development Kit (DPDK)
byAndriy Berestovskyy
 
PDF
Fun with Network Interfaces
byKernel TLV
 
PDF
DPDK in Containers Hands-on Lab
byMichelle Holley
 
PDF
Intel DPDK Step by Step instructions
byHisaki Ohara
 
PDF
DPDK In Depth
byKernel TLV
 
PPTX
PCIe
byChiaYang Tsai
 
PDF
BPF / XDP 8월 세미나 KossLab
byTaeung Song
 
PPTX
The TCP/IP Stack in the Linux Kernel
byDivye Kapoor
 
Network Programming: Data Plane Development Kit (DPDK)
byAndriy Berestovskyy
 
Fun with Network Interfaces
byKernel TLV
 
DPDK in Containers Hands-on Lab
byMichelle Holley
 
Intel DPDK Step by Step instructions
byHisaki Ohara
 
DPDK In Depth
byKernel TLV
 
PCIe
byChiaYang Tsai
 
BPF / XDP 8월 세미나 KossLab
byTaeung Song
 
The TCP/IP Stack in the Linux Kernel
byDivye Kapoor
 

What's hot

PPTX
Understanding DPDK
byDenys Haryachyy
 
PPTX
Introduction to DPDK
byKernel TLV
 
PPTX
Linux Network Stack
byAdrien Mahieux
 
PDF
Segment Routing: A Tutorial
byAPNIC
 
PDF
DPDK: Multi Architecture High Performance Packet Processing
byMichelle Holley
 
PDF
FCスイッチゾーニング設定ガイド
byBrocade
 
PPTX
FD.io VPP事始め
bytetsusat
 
PPT
Deploying Carrier Ethernet features on ASR 9000
byVinod Kumar Balasubramanyam
 
PDF
How to run P4 BMv2
byKentaro Ebisawa
 
PDF
DPDK & Layer 4 Packet Processing
byMichelle Holley
 
PDF
10GbE時代のネットワークI/O高速化
byTakuya ASADA
 
PDF
Replacing iptables with eBPF in Kubernetes with Cilium
byMichal Rostecki
 
PDF
EBPF and Linux Networking
byPLUMgrid
 
PPT
Access control list 2
byKishore Kumar
 
PDF
192.0.0.4 on android
by@ otsuka752
 
PPT
Bgp
byFebrian ‎
 
PPTX
Presentation on arp protocol
byMohd. Ahmad Siddiqi
 
ODP
Sockets and Socket-Buffer
bySourav Punoriyar
 
PDF
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
PPTX
Understanding DPDK algorithmics
byDenys Haryachyy
 
Understanding DPDK
byDenys Haryachyy
 
Introduction to DPDK
byKernel TLV
 
Linux Network Stack
byAdrien Mahieux
 
Segment Routing: A Tutorial
byAPNIC
 
DPDK: Multi Architecture High Performance Packet Processing
byMichelle Holley
 
FCスイッチゾーニング設定ガイド
byBrocade
 
FD.io VPP事始め
bytetsusat
 
Deploying Carrier Ethernet features on ASR 9000
byVinod Kumar Balasubramanyam
 
How to run P4 BMv2
byKentaro Ebisawa
 
DPDK & Layer 4 Packet Processing
byMichelle Holley
 
10GbE時代のネットワークI/O高速化
byTakuya ASADA
 
Replacing iptables with eBPF in Kubernetes with Cilium
byMichal Rostecki
 
EBPF and Linux Networking
byPLUMgrid
 
Access control list 2
byKishore Kumar
 
192.0.0.4 on android
by@ otsuka752
 
Bgp
byFebrian ‎
 
Presentation on arp protocol
byMohd. Ahmad Siddiqi
 
Sockets and Socket-Buffer
bySourav Punoriyar
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
Understanding DPDK algorithmics
byDenys Haryachyy
 

Similar to Brkdct 3101

PDF
Brkarc 3454 - in-depth and personal with the cisco nexus 2000 fabric extender...
bykds850
 
PDF
Next Generation Nexus 9000 Architecture
byCisco Canada
 
PPTX
Introduction to nexux from zero to Hero
byDhruv Sharma
 
PPTX
Cisco nx os
byUtpal Sinha
 
PDF
Brkarc 3470 - cisco nexus 7000-7700 switch architecture (2016 las vegas) - 2 ...
bykds850
 
PPTX
Nexus 7000 Series Innovations: M3 Module, DCI, Scale
byTony Antony
 
PPTX
Cisco nexus series
byAnwesh Dixit
 
PDF
BRKARC-3470 - Nexus 7000 and 7700 Architecture.pdf
byssuser1d1e521
 
PPTX
01-05-N9K Hardware.pptx
byFeizhang41
 
PDF
Brkarc 3601
byNguyen Van Linh
 
PDF
cisco-n2k-c2348upq-datasheet.pdf
byHi-Network.com
 
PDF
Brkarc 3454
byNguyen Van Linh
 
PDF
cisco-n2k-c2248tp-e-datasheet.pdf
byHi-Network.com
 
PDF
N7K Hardware Architecture with proper explanation
byKalkiNarayana
 
PDF
Cisco Connect Vancouver 2017 - Gain insight and programmability with Cisco DC...
byCisco Canada
 
PDF
N7K Hardware Architecture and it's components
byKalkiNarayana
 
PDF
cisco-n2k-c2348tq-e-datasheet.pdf
byHi-Network.com
 
PPTX
Training Nexus 7 data & operation 2024.pptx
byrudyhermawan37
 
PPTX
Linkmeup v23-compass-eos
byeucariot
 
PPT
Fruct4 n8xx olpc-connectivity
byOSLL
 
Brkarc 3454 - in-depth and personal with the cisco nexus 2000 fabric extender...
bykds850
 
Next Generation Nexus 9000 Architecture
byCisco Canada
 
Introduction to nexux from zero to Hero
byDhruv Sharma
 
Cisco nx os
byUtpal Sinha
 
Brkarc 3470 - cisco nexus 7000-7700 switch architecture (2016 las vegas) - 2 ...
bykds850
 
Nexus 7000 Series Innovations: M3 Module, DCI, Scale
byTony Antony
 
Cisco nexus series
byAnwesh Dixit
 
BRKARC-3470 - Nexus 7000 and 7700 Architecture.pdf
byssuser1d1e521
 
01-05-N9K Hardware.pptx
byFeizhang41
 
Brkarc 3601
byNguyen Van Linh
 
cisco-n2k-c2348upq-datasheet.pdf
byHi-Network.com
 
Brkarc 3454
byNguyen Van Linh
 
cisco-n2k-c2248tp-e-datasheet.pdf
byHi-Network.com
 
N7K Hardware Architecture with proper explanation
byKalkiNarayana
 
Cisco Connect Vancouver 2017 - Gain insight and programmability with Cisco DC...
byCisco Canada
 
N7K Hardware Architecture and it's components
byKalkiNarayana
 
cisco-n2k-c2348tq-e-datasheet.pdf
byHi-Network.com
 
Training Nexus 7 data & operation 2024.pptx
byrudyhermawan37
 
Linkmeup v23-compass-eos
byeucariot
 
Fruct4 n8xx olpc-connectivity
byOSLL
 

Recently uploaded

PDF
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
PPTX
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
PDF
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
PDF
Video Infrastructure_ Streaming Architecture and Delivery Systems.pdf
byTenbyte Limited
 
PDF
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
PPTX
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
PDF
Techbrains Baku 2025 by GoUP - all speaker session
byHusseinMalikMammadli
 
PPTX
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
PDF
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
PDF
कम्प्यूटर.pdf for all computer examination
bynm92169694
 
PDF
MAD (1).pdf Mobile application develipment
byprathiT1
 
PDF
How Azure DevOps Consultants Dubai Reduce Release Delays.pdf
byLogicEra
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Artificial Intelligence and Barbarism - Conceptual Map
byalfadix
 
PDF
AI Driven & AI Native Development AI native development
byZainKarim7
 
PDF
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
PPTX
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
DOCX
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
PPTX
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
PPT
Information and Communication Technologies and Power
byJeffrey Hart
 
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
Video Infrastructure_ Streaming Architecture and Delivery Systems.pdf
byTenbyte Limited
 
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
Techbrains Baku 2025 by GoUP - all speaker session
byHusseinMalikMammadli
 
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
कम्प्यूटर.pdf for all computer examination
bynm92169694
 
MAD (1).pdf Mobile application develipment
byprathiT1
 
How Azure DevOps Consultants Dubai Reduce Release Delays.pdf
byLogicEra
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Artificial Intelligence and Barbarism - Conceptual Map
byalfadix
 
AI Driven & AI Native Development AI native development
byZainKarim7
 
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
Information and Communication Technologies and Power
byJeffrey Hart
 

Brkdct 3101

  • 2.
    Nexus9000(Standalone) Architecture And Troubleshooting Shridhar V.Dhodapkar –Technical Leader (Services) CCIE 6367 (Routing & Switching) BRKDCT-3101
  • 3.
    Session Abstract This sessionpresents briefly the architecture of the latest generation of Nexus 9000 Series Modular switches. Topics include supervisors, fabrics, I/O modules, forwarding engines, and physical design elements, as well as the Top of the Rack Nexus9300 Switches. The session will also cover how to monitor the health of the system. We will walk you through in depth troubleshooting Tools and Techniques.
  • 4.
    Session Goal • Toprovide an overall understanding of the Nexus 9000 switching architecture, supervisor, fabric, and I/O module design, packet flows, and key forwarding engine functions • This session will introduce System Telemetry, Troubleshooting tool Kits and troubleshooting case scenarios • This session will not examine NX-OS software architecture or other Nexus platform architectures
  • 5.
    Related Sessions BRKARC-2222 -Cisco Nexus 9000 architecture BRKARC-3471 - Cisco NX-OS Software Architecture BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches
  • 6.
    • Introduction • Architecture •System Health check Telemetry • Troubleshooting Toolkit • Nexus 9000 Troubleshooting • Common Link Layer Issues-L1 • Fabric Connectivity and • In band • L2/L3 Packet Forwarding • vPC • Nexus9000 Specific Limitation and Goodies Agenda
  • 7.
  • 8.
    Introduction-What is Nexus9000Family ? Nexus 9500 Series Switches Nexus 9300 Series Switches Nexus9504/Nexus9508/Nexus9516 N9K-C9332PQ N9K-C9372PX N9K-C9372TX N9K-C9396
  • 9.
  • 10.
    9500 Field UpgradeableUnits (FRU) • 9500 has the following modular components which can upgraded or replaced in the field • Supervisor • Fabric Module • Line Card • System Controller • Fan Tray • Power Supply • The Supervisor, System controller ,Fabric Module and LC have OBFL (On-Board Failure Logging) for failure analysis Nexus® 9508 Front View Nexus® 9508 Rear View
  • 11.
    Nexus 9500 PlatformFRU Supervisor Module-What it is Role • Redundant Half-width supervisor engine • Common for 4-, 8-, and 16- slot chassis • External Clock Input (PTP) • Responsible for control-plane functions System Controller-What it is Role • Offload supervisor from internal device management tasks • Central Point of Chassis Control • EOBC Switch (Ethernet Out of Band Channel) • EPC Switch (Ethernet Protocol Channel) • Power Supplies via SMB (System Management Bus) • Fan Trays
  • 12.
    Nexus 9500 PlatformLine Card • I/O module with Merchant and Merchant+ ASIC • Have Various Forwarding Tables • L2 Mac Table And L3 Host Table • ACL and Buffers for Queuing F P 1 F P 2 F P 3 F P 4 F P 5 F P 6 F P 7 F P 8 F P 9 F P 1 0 F P 1 1 F P 1 2 F P 1 3 F P 1 4 F P 1 5 F P 1 6 F P 1 7 F P 1 8 F P 1 9 F P 2 0 F P 2 1 F P 2 2 F P 2 3 F P 2 4 F P 2 5 F P 2 6 F P 2 7 F P 2 8 F P 2 9 F P 3 0 F P 3 1 F P 3 2 F P 3 3 F P 3 4 F P 3 5 F P 3 6 F P 3 7 F P 3 8 F P 3 9 F P 4 0 F P 4 1 F P 4 2 F P 4 3 F P 4 4 F P 4 5 F P 4 6 F P 4 7 F P 4 8 Note: Internal ports are called as Hi-Gig/HG ports 10G SFP+ Ports 40G QSFP HG MUX1 HG MUX3 FP 49 FP 50 FP 51 FP 52 Northstar 1 Warpcor e MF Port 7 - 5 2 - 0 3 1- 2 9 2 6- 2 4 T2 7 - 5 2 6- 2 4 0 - 2 3 - 5 6- 8 9- 1 1 FM4 FM3FM5FM6 FM2 FM1 HG MUX4 HG MUX2 HG MUX5 HG MUX6 MN Port 0 1 2 3 4 5 6 7 8 9 10 11 Northstar 2 MF Port 0 - 2 9- 1 1 MN Port 0 1 2 3 4 5 6 7 8 9 10 11 T2 7 - 5 2 - 0 3 1- 2 9 2 6- 2 4 HG Line Cards ASIC Name NFE=Network Forwarding Engine-Trident 2(T2) ALE=Application Leaf Engine-North Star(NS) -Donner N9K-X9564PQ
  • 13.
    Nexus 9500 FabricModule • Interconnect Line Card slots • Installed at the rear of the chassis • Leverages Broadcom Trident II ASICs • Max 1.92 Tbps per line card slot (6 Fabric Cards) • 960 Gbps per line card slot (3 Fabric Cards) • All Fabric Cards are active and carry traffic • Fan Tray requires Fabric Card to be present in even slot Trident II ASIC-NFE Trident II ASIC-NFE 32 x 40G Hi-Gig2 32 x 40G Hi-Gig2 Fabrics Modules
  • 14.
    T2 Fabric 1 T2 320 Gbps (8x40Gbps) T2 Fabric 2 T2 320 Gbps (8x 40Gbps) T2 Fabric 3 T2 320 Gbps (8x 40Gbps) T2 Fabric 4 T2 320 Gbps (8x 40Gbps) T2 Fabric 5 T2 320 Gbps (8x 40Gbps) T2 Fabric 6 T2 320 Gbps (8x 40Gbps) Line Card Slot 1.92 Tbps • An 8-Slot chassis fabric module can provide up to 320Gbps to each Line Card slot • With 6 fabric modules, each Line Card slot can have up to 1.92Tbps duplex forwarding bandwidth Data Plane Scaling for 8-Slot Chassis 1.60 Tbps 1.28 Tbps 960 Gbps 640 Gbps 320 Gbps Nexus 9500 Fabric Module
  • 15.
    NFE ALE ALE NFE Fabric 1 NxNFE Fabric 2 Nx NFE Fabric 3 Nx NFE Fabric 4 Nx NFE Fabric 5 Nx NFE Fabric 6 Nx NFE 2 x 42 Gbps 2 x 42 Gbps 12 x 42 Gbps 12 x 42 Gbps N = 1 for N9504 N = 2 for N9508 N = 4 for N9516 NFE ALE ALE NFE 12 x 42 Gbps 12 x 42 Gbps Note: Internal ports are called as Hi-Gig/HG ports Distributed Data Plane of Nexus 9500 Series Switches
  • 16.
    Nexus9500 Series LineCard Summary Information X9600 Series Line Cards X9500 Series Line Cards X9400 Series ASIC Technology Merchant only N9K-X9636PQ Merchant+ N9K-X9564PX N9K-X9564TX N9K-X9536PQ Merchant only • N9K-X9432PQ • N9K-X9464PX • N9K-X9464TX Number of ASIC 3 T2 2 T2 + 2 NS 2 T2 + 2 NS 2 T2 + 2 NS 2 T2 40 gig 32 Ports 1 T2 48 1/10 gig , 4 QSFP Non Blocking Non Blocking Line rate > 200 byte packet Buffer Size 36 MB 104 MB 12 MB with one T2 24 MB with two T2
  • 17.
    High Level BlockDiagram-N9500 All PSU, SC, SUP, FM, and LC plug into the same Power Supply Interface
  • 18.
    N9K-C9300 Series • FixedChassis • Port QSFP+ Uplink Module • 1 RU or 2RU or 3RU • AC/DC Power Supply • Front-to-Back & Back-to-Front Airflow • Latency: 1-2 usec • Wire-Speed L2/L3 Forwarding • Switch will not boot up without GEM Expansion Module
  • 19.
    Nexus 9300 SeriesSwitch Summary N9396TX/PX N93128TX N9372TX N9372TX N9372PX NFE (BCM T2) 1 1 2 1 1 ALE ( NorthStar)/GEM GEM-1 NS GEM-1 NS No GEM-1 Donner No GEM -1 Donner No GEM- 1 Donner Oversubscribed No 1.5:1 No No No Line Rate Yes Yes (packets > 194-Bytes) Yes Yes QoS Classes 8 4 8 4 4 Buffer (MB) 36 (12*3) 104 (12*2+40*2) 24 (12*2) 104 (12*2+40*2) 104 (12*2+40*2)
  • 20.
    High Level BlockDiagram-N9300 Northstar Egress (12+12)x12 Ingress (12+12)x12 BRCM Trident2 48 10G x 12 40G CPU 2C 1.5GHz DDR3 DIMM2 16GBTotal PCIe Trident II ASIC NorthStar ASIC 1 Network Interfaces 12 x 40G Hi-Gig2 12 x 40G Ethernet Front Panel 48x 1GE/10GE Ports GEM 4x 40GE QSFP+ Uplinks 1000BaseT Mgmt Port 2 USB Ports eUSB Boot Flash 12C • The last 2/3 numbers stand for total bandwidth in Gigabits • 93128 – 128G (96 x 10G + 8 x 40G) • 9396 – 96G (48 x 10G + 12 x 40G) • 9372 – 72G ( 48 x 10G + 8 x 40 G)
  • 21.
    T2-NFE Parser L2/L3 Lookup & forwarding I-ACL Traffic Classification & Remarking Ingress Accounting& Policing Packet Modification E-ACL Output Q & Shaping EoQALE-NS Network Interface Fabric Module L3 LPM Lookup & Forwarding T2-NFE Parser L2/L3 Lookup & forwarding I-ACL Traffic Classification & Remarking Ingress Accounting & Policing Packet Modification E-ACL Output Q & Shaping EoQALE-NS Network Interface Ingress Line Card Egress Line Card Nexus9500 Unicast Packet Flow Parse the first 128 Byte and extract header info L2/L3 Lookup in MAC Table and IP Host Table Classify traffic based on 802.1q COS, IP Pres, DSCP &ACL Remark if needed Egress Line card sends packet to egress port based on DMOD/DPORT Class-based output queues. Support 6 classes including control traffic class Additional buffer is available for extended out put Ques EoQ Fabric Module Performs L3 LPM lookup and resolves Egress port and next-hop OOBFC Signaling OOBFC Signaling
  • 22.
    N9K-C9300 High LevelBlock Diagram HiGiG2 Interface on T2 MACF ports on the GEM and to MACN ports (16 x 10G) x 3 = 480G FP Bandwidth (12 x 40G) = 480G Bandwidth to GEM Module (12 x 40G) = 480G FP Bandwidth Uplink Ports MACN ports. (16 x 10G) x 3 = 480G FP Bandwidth (12 x 40G) = 480G Bandwidth to GEM Module
  • 23.
    Main Features ofTrident2 1280Gbps Switch ASIC Packet Buffer Content aware Engine DCB Engine L2 MAC L3 Route L2/L3 Multicast 128 Integrated SerDes Dynamic Memory Manager L2/L3 Processing Host IF Counters 128 SERDES@10Gbps OR 32 SERDES@40Gbps Features Information Maximum IO and Core bandwidth 1280G MAC(L2) Entries 32K min -288K max L3 Hosts IPv4:16K min-112Kmax IPv6:8K min-56 max L3 Multicast Group 8K Virtual Ports 16K Maximum number of Physical ports 104
  • 24.
    North Star Features Information SupportMixed Speed but in Fixed configuration. Network Interface:12 Ports Fabric Interface: 12 40 Gig Forwarding 720Mpps lookup rate on Ingress Datapath 720Mpps lookup rate at Egress Datapath Shared Memory Subsystem Ingress Path Buffer Egress Path Buffer 10 Mbytes 30 Mbytes Maximum number of Physical ports 24
  • 25.
    Broadcom Unified ForwardingTable SUPPORTED COMBINATIONS T2 has the following Unified Forwarding Table: Mode L2 L3 Host LPM 0 288K 16K 16K 1 224K 56K 16K 2 160K 90K 16K 3 98K 122K 16K 4 32K 16K 128K
  • 26.
    Routing Mode forNexus9300 LPM Routing Mode Broadcom T2 Mode CLI Command Default system routing mode 3 ALPM Routing mode 4 System routing max-mode l3 N93K#show system routing mode Configured System Routing Mode: Hierarchical Applied System Routing Mode: Hierarchical (Default) N93K#show hardware internal forwarding table utilization module 1 Max Host Route Entries (shared v4/v6): 124928 Max LPM Table Entries : 16384
  • 27.
    Routing Mode forNexus9500 show hardware internal forwarding table utilization mod 1 Max Host Route Entries (shared v4/v6):16384 Max LPM Table Entries : 131072 show hardware internal forwarding table utilization mod 21 Max Host Route Entries (shared v4/v6): 0 Max LPM Table Entries :0 LPM Routing Mode Broadcom T2 Mode Cli Command Default System routing mode 3 (For Line card) 4 (For Fabric Module) Max-host routing mode 2--Line Card- V6 in LPM 3--For Fabric Module System routing max-mode host Nonhierarchical routing mode 3--For Line Card 4--With max-l3-mode option For Line card No Routes on Fabric Module System routing non-hierarchical Option [max-l3-mode] 64-bit ALPM routing mode Sub mode of mod 4 for Fabric modules System routing mode hierarchical 64b-alpm Non hierarchical routing mod
  • 28.
    ACL TCAM TABLE Characteristic •Ingress ACL: 4K TCAM entries - 4x 512 banks + 8x 256 banks • Egress ACL: 1K TCAM entries - 4x 256 banks • Each ACL type needs its own dedicated bank/banks • IPv4, IPv6 or MAC each needs dedicated bank/banks • MAC-ACL IPv6 & any QOS needs double-width entries, which means needs at least 2 banks • VACL is programmed symmetrically in both egress and ingress ACL Interface Type Ingress ACL Egress ACL SVI TCAM Shared TCAM Not shared L3 TCAM Shared TCAM Shared
  • 29.
    ACL Characteristics • Atomic/hitlessupdate of existing applied ACL while modified • Temporary label swap (no use of default-result) • Two acl copies in tcam, if there is no enough space, process fails • ACL TCAM banks chaining not supported • L4OPs/LOUs only used for expansion beyond 5 lines, configurable • 10 L4op per acl limit • Specific applications (dhcp, bfd) may install their own ACLs which must merge with user configured racl, vacl, pacl
  • 30.
    TCAM Carving forNexus 9000 TCAM Region-N9500 Size Per Region IPV4 RACL 1536 IPv4 L3 QOS 256 Ingress System 256 SPAN 256 Ingress CoPP 256 Redirect 256 vPC Convergence 512 Egress IPv4 RACL 768 Egress System 256 256 Ingress Egress 3X512 256 256 256 256 3X256 512 256 TCAM Region-N9300 Size Per Region IPv4 PACL 512 IPV4 VACL 512 IPV4 RACL 512 IPv4 Port QOS 256 Ingress System 256 SPAN 256 Ingress CoPP 256 Redirect 256 vPC Convergence 512 Egress IPv4 RACL 256 Egress IPv4 VACL 512 Egress System 256 256 Ingress Egress 512 256 512 256 256 512 256 512 512 256 256
  • 31.
    ACL TCAM DefaultRegion and Carving • TCAM Banks will first get assigned to Feature which has largest region. • Next TCAM Bank will get assigned to Feature which need double Width. • TCAM Carving requires Line Card/TOR reload to take effect • To read current TCAM allocation N9K#Show system internal access-lists global • To reconfigure TCAM Region N9K(config)hardware access-list tcam <feature name> <size>
  • 32.
    Buffer And Queuing-T2 Shared Buffer 12MB Control Default OOBFC • T2 has 12 Mbytes of Buffer shared by all ports for all Traffic Shared Buffer 12 MB Control Default Module with T2 only Module with T2 And NS OOBFC: Out of band flow control unicast service pool • Shared buffer divided Into Control and default service pool if module is T2 only • Shared buffer divided into Control, default and OOBFC service Pool if Module is T2 and NS based
  • 33.
    Buffer And Queuing-NorthStar Trident II ASIC NorthStar ASIC 1 12 x 40G Hi-Gig2 12 x 40G Ethernet Front Panel 48x 1GE/10GE Ports GEM 4x 40GE QSFP+ Uplinks Shared Buffer Control Default SPAN • North Star has 40 Mbytes of Buffer • Divided in to Three Pool • Control , SPAN , Default 10 MB Buffer 20 MB Buffer 10 MB Buffer
  • 34.
    Buffer Boost Functionwith T2 and NS • Buffer boost is function which allow T2 to use extra buffer of NS • When Buffer boost is enabled on a port , T2 Local switch traffic is Sent to NS for extra buffer space- • When Buffer boost is disabled on a port, T2 local traffic to this port remains local on this NFE • Buffer Boost is enabled by default and can be disabled on a per port basis 1/10GE 1/10GE 1/10GE ALE-NS NFE T2 Network Interface 10 MB Buffer 10 MB Buffer 20 MB Buffer 12 MB Buffer Shared by all ports Fabric Module 1/10GE
  • 35.
  • 36.
    Most Common SystemHealth Check • What is the Best Recommended NX-OS Release • CPU & Memory usage • Inter Process Messaging usage-MTS • Traffic Stats/Drop To CPU • CoPP/Hardware Rate Limiter Drops • Ethernet Out of Band Drops/Error • Instant Buffer usage Stats • FATAL System Errors • Interface Errors for STP/Error disable • Inter ASIC Utilization • Hardware Capacity Check • Consistency Checkers –Various Tables • GOLD Diagnostic Checks • Sev1/2 Syslog
  • 37.
    Platform Series MinimumRelease Recommended Release Cisco Nexus 9500 6.1(2)I2(2b) 6.1(2)I3(4a) Cisco Nexus 9300 6.1(2)I2(2b) 6.1(2)I3(4a) General Recommendation for New and Existing Deployments http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/recommend ed_releaseb_Minimum_and_Recommended_Cisco_NXOS_Releases_for_Cisco_Nex us_9000_Series_Switches.html http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6- x/scalability/guide_34/b_Cisco_Nexus_9000_Series_NXOS_Verified_Scalability_Guide_61 2I34/b_Cisco_Nexus_9000_Series_NXOS_Verified_Scalability_Guide_612I34_chapter_01. html • Software Recommendation • Verified Scale limits for different features and protocol for each release
  • 38.
    CPU & MemoryUsage N9K#show system resources Load average: 1 minute: 0.00 5 minutes: 0.03 15 minutes: 0.05 Processes : 432 total, 1 running CPU states : 2.76% user, 0.75% kernel, 96.48% idle CPU0 states : 0.00% user, 0.00% kernel, 100.00% idle CPU1 states : 0.00% user, 1.01% kernel, 98.98% idle CPU2 states : 0.00% user, 2.94% kernel, 97.05% idle CPU3 states : 10.89% user, 1.98% kernel, 87.12% idle Memory usage: 16402328K total,3443588K used, 12958740K free Current memory status: OK N9K#show system internal memory-usage-per-module in-KB Slot 01:Used:1647420 Kbytes,Free:425680 Kbytes,Total:2073100 Kbytes Slot 02:Used:1627524 Kbytes,Free:445576 Kbytes,Total:2073100 Kbytes Slot 04:Used:1647560 Kbytes,Free:425540 Kbytes,Total:2073100 Kbytes N9K#show system internal memory-alerts-log Make sure log is clean CPU D R A M D R A M
  • 39.
    CPU & MemoryUsage show processes cpu sort | head lines 12 PID Runtime(ms) Invoked uSecs 1Sec Process ----- ----------- -------- ----- ------ ----------- 3357 220 3100 7099 45.50% adjmgr 5853 31655 10181 3109 0.50% ipqosmgr 5859 9489 52308 181 2.00% diag_port_lb 3477 672 3107 216 0.50% netstack 3478 268 175 1535 0.50% ospf Possibly ARP Table Churn Provides top process using CPU cycle
  • 40.
    N9K#run bash bash-4.2$ top top- 11:13:32 up 9 days, 3:34, 4 users, load average: 0.11, 0.11, 0.08 Tasks: 226 total, 1 running, 220 sleeping, 0 stopped, 5 zombie Cpu(s): 0.8%us, 0.2%sy, 0.0%ni, 98.5%id, 0.0%wa, 0.1%hi, 0.3%si, 0.0%st Mem: 16402328k total, 3445044k used, 12957284k free, 72676k buffers PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 1 root 20 0 2152 620 556 S 0 0.0 0:08.05 init 2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd 3 root 20 0 0 0 0 S 0 0.0 0:00.58 ksoftirqd/0 Top Command-display top CPU processes Auto update “top” provides an ongoing look at processor activity in real time
  • 41.
    N9K#sh system internalmts buffers sum | diff node sapno recv_q pers_q npers_q log_q sup 320 0 0 4592 0 sup 284 0 19 0 0 sup 250 2 0 0 0 N9K#sh sockets client detail | inc pim|drops|Errors select drops: 10 Errors: select drops: 0 Errors: select drops: 0 Errors: Inter Process Messaging Usage For SAP 320 own by “OSPF” npers_q increasing Make Sure Drops/Errors not incrementing Message and transaction service-MTS
  • 42.
    N9K#show hardware internalcpu-mac inband stats eth2 stats: RMON counters Rx Tx total packets 601163425 318962431 Per Queue Stats Queue Idx Packet Count Bytes Drops Csum Errors Allocation Failure Queue 0 17677525 111822449180 0 0 0 - - - - - - - - - - - - - - -SNIP- - - - - - - - - - - - - - - - - - - - - - - - Queue 7 17677525 111822449180 0 0 0 Interrupt Counters Rx overrun 0 Error counters Inband Driver Statistics-CPU Drops Rate statistics Rx packet rate (current/peak) 717 / 80695 pps Tx packet rate (current/peak) 360 / 1338 pps CRC errors/Collisions/late Collisions Alignment errors Symbol errors Sequence errors/Rx jabbers RX errors/Rx length errors
  • 43.
    N9K# show systeminternal frame traffic | in drops Global input drops: bad-interface 0, bad-encap 0, failed-decap 0, Global output drops: eth_output_err 0, gre_err 0 otv_err 0 span_drop_en: 0 span_drops: 0 Crossbar down drops : 0 Flood_to_core LTL: Hits: 0 Misses: 0 Traffic Stats/Drops to CPU— (Cont’d) N9K# show system inband queuing statistics | in drop bpdu: recv 68, drop 0, congested 0 rcvbuf 2097152, sndbuf 262142 no drop 0 (q0): recv 1249377, drop 0, congested 0 rcvbuf 2097152, sndbuf 262142 no drop (q1): recv 4138154, drop 0, congested 0 rcvbuf 2097152, sndbuf 262142 no drop Drops From PKTmgr
  • 44.
    Instant Buffer UtilizationFor CPU Port show hardware internal buffer info pkt-stats cpu [Q00-07] 0 0 0 0 0 0 0 0 [Q08-15] 0 0 0 0 0 0 0 0 [Q16-23] 0 0 0 0 0 0 0 0 [Q24-31] 0 0 0 0 0 0 0 0 [Q32-39] 0 0 0 0 0 0 0 0 [Q40-47] 0 0 0 0 0 0 0 0 • Total 48 Queues • Each Line Display Cell utilized for 8 queues • One Cell represent approximately 208 Bytes Congestion encountered if Counters keep incrementing
  • 45.
    Ethernet Out OfBand Drops/Errors N9K#show hardware internal eobc stats | inc dropped RX packets:248308217 errors:0 dropped:0 overruns:0 frame:0 TX packets:71554006 errors:0 dropped:0 overruns:0 carrier:0 N9K# show system internal emon stats EMON MOD ONLINE BMP: 37f00067 FSM ID: 0 EOBCMON ======================================= HB tx_req 186396 module 1: rx_req 176410 rx_resp 176426 rx_miss 7 tx_resp 176410 Provides Stats for all Modules including Fabric module Heart bit miss
  • 46.
    Instant Buffer UsageStats N9K#show hardware internal buffer info pkt-stats mod 1 INSTANCE: 0 ---------------------------------------------------------- Output Shared Service Pool Buffer Utilization (in cells) SP-0 SP-1 SP-2 SP-3 ----------------------------------------------------------- Total Instant Usage 4474 0 89 2939 Remaining Instant Usage 25466 0 14255 3405 Peak/Max Cells Used 4821 0 327 3060 Switch Cell Count 29940 0 14344 6344 ---------------------------------------------------------- show hardware internal ns buffer info pkt-stats • Instant Buffer utilization per queue per port • One cell represents 208 bytes Show hardware internal buffer info pkt- stats input mod 1 • SP-3-Dedicted resource for Control Traffic • SP-0-Resource for Locally Switched Unicast ,Multicast and SPAN • SP-2 Extended Output queue for Unicast using buffers from North Star Buffer polling interval for 7.0 Release is 500msecs
  • 47.
    N9K#show hardware internalbuffer info pkt-stats mod 1 INSTANCE: 0 Output Shared Service Pool Buffer Utilization (in cells) SP-0 SP-1 SP-2 SP-3 ------------------------------------------------------------------------- Total Instant Usage 4474 0 89 2939 Remaining Instant Usage 25466 0 14255 3405 ------------------------------------------------------------------------- ASIC Port Q3 Q2 Q1 Q0 CPU SPAN [13] UC(OOBFC)->0 0 0 0 UC-> 0 0 0 1249 332 0 MC-> 0 0 0 3247 1996 0 Only printed if there is congestion • SP-3 Started filling the Queue • CPU buffer filling up Port 13 onwards are Front Panel Port Instant Buffer Usage Stats - With Buffer Usage
  • 48.
    CoPP Drops We recommendthat you use the strict default CoPP policy initially and then later modify the CoPP policies based on the data center and application requirements. Parameters Default Default policy Strict Default Policy 9 policy entries N9K# show policy-map interface control-plane mod 1 | in dropped dropped 0 packets; dropped 0 packets; dropped 0 packets; dropped 0 packets; dropped 7800 packets; Drops Seen for Default-Class at minimal rate is normal
  • 49.
    CoPP Drops-Exception drops class-mapcopp-system-p-class-l3uc-data (match-any) match exception glean class-map copp-system-p-class-redirect (match-any) match access-group name copp-system-p-acl-ptp class-map copp-system-p-class-exception (match-any) match exception ip option match exception ip icmp unreachable match exception ipv6 option match exception ipv6 icmp unreachable class-map copp-system-p-class-exception-diag (match-any) match exception ttl-failure match exception mtu-failure Goal is to Classify all Traffic Using CoPP
  • 50.
    Hardware Rate Limiter N9K#show hardware rate-limiter mod 1 Units for Config: packets per second Allowed, Dropped & Total: aggregated since last clear counters Module: 1 R-L Class Config Allowed Dropped Total +----------+-----+------------+------------+-------------+ L3 glean 100 0 0 0 L3 mcast loc-grp 3000 0 0 0 access-list-log 100 0 0 0 bfd 10000 1352890 0 1352890 fex 3000 0 0 0 span 50 0 0 0
  • 51.
    FATAL System Errors N9K#showlogging onboard mod 1 exception-log | incl FATAL prev 15 ------------------------------------------------------------------------ Date (mm/dd/yy)=01/15/15 Time (hs:mn:sec): 00:16:58 OBFL Exception log data for THIS SUP Module:0 ********* Exception info for module 0 ******** exception information --- exception instance 1 ---- Device Name : System Manager Device Errorcode : 0x0000023a ErrNum (devInfo) : 58 (0x3a) System Errorcode : 0x401e0089 Service in VDC has had a hap-reset Error Type : FATAL error
  • 52.
    Common Interface Errorcounters and Status N9K# show interface counters errors mod 4 Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize OutDiscards -------------------------------------------------------------------------- Eth4/1 0 100 0 581 0 0 N9K# show interface status err-disabled Port Name Status Reason -------------------------------------------------------------------------- Eth4/1 err-disable link-flap
  • 53.
    Interface Queuing Stats N9K#showqueuing interface 4/18 Egress Queuing for Ethernet4/18 [System] QoS-Group# Bandwidth% PrioLevel Shape Qlimit Min Max Units 3 1 - - - 6(D) -------------------------SNIP-------------------------- 0 100 - - 6(D) ---------------------------------------------------- QOS GROUP 0 Unicast | OOBFC Unicast | Multicast Dropped Pkts | 0| 0| 0| ------------------------------------------------------------ QOS GROUP 7 Unicast | OOBFC Unicast | Multicast Dropped Pkts | 0| 0| 0|
  • 54.
    N9K#show system internalinterface counters mod 1 Internal Port Counters (150 secs rate) for Slot: 1 ==================================================== Interface ASIC ASIC BCM TxBitRate(BwUtil) TxPktRate RxBitRate(BwUtil) RxPktRate Port Inst Port (bps) (pps) (bps) (pps) ----------------------------------------------------------------------------------------- ii1/1/1 HG0 0 1 170512 (0.00) 0 0(0.00) 0 -------------------------------------------Snip------------------------------------------ ii1/1/14 HG1 1 2 0( 0.00) 0 1129882872(2.51) 960753 ii1/1/25 HG0 1 1 1790648 (0.00) 1043 22864(0.00) 20 Inter ASIC Utilization-HG Ports T2 #0 T2 #1 T2 #0 T2 #1 T2 #2 HG00HG00 Line Card Fabric Module
  • 55.
    Verify Consistency BetweenSoftware and Hardware Table Table CLI Physical Interface show consistency-checker link-state Port-Channel Membership show consistency-checker membership port-channels Mac Address Table show consistency-checker l2 Vlan Membership show consistency-checker membership vlan L3 interface-LIF programming L3 interface-LIF programming –Logical Interface for Routing For RIB and FIB show consistency-checker forwarding ipv4 unicast
  • 56.
    Consistency Checkers-Link andSTP state N9K#show consistency-checker link-state mod 1 Link State Checks: Link state only Consistency Check: PASSED No inconsistencies found for: Ethernet1/1 2015 Mar 24 03:23:27 N9508a-SJ %$ VDC-1 %$ vshd: CC_LINK_STATE: Consistency Check: PASSED N9K# show consistency-checker stp-state vlan 18 Checks: Spanning tree state Consistency Check: PASSED 2015 Mar 24 03:25:21 N9508a-SJ %$ VDC-1 %$ vshd: CC_VLAN_STP_STATE: Consistency Check: PASSED
  • 57.
    Consistency Checkers-Port Channel-VlanMembership N9K# show consistency-checker membership vlan 18 Checks: Port membership of Vlan in vlan and egr_vlan table Ports configured as "switchport monitor” will be skipped Consistency Check: PASSED Vlan:18, Hardware state consistent for: Ethernet2/49 2015 Mar 24 03:28:31 N95a%$ VDC-1 %$ vshd: CC_VLAN_MEMBERSHIP: Consistency Check: PASSED N9K#show consistency-checker membership port-channels Checks: Trunk group and trunk membership table. Consistency Check: Failed Inconsistency found for port-channel1: Module:1, Unit: ['Ethernet3/49', 'Ethernet2/49'] Module:26, Unit: ['Ethernet3/49', 'Ethernet2/49’]
  • 58.
    Consistency Checkers-Mac addressTable N9K# show consistency-checker l2 module 1 Consistency check: PASSED Legend: * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC age - seconds since last seen, + - primary entry using vPC Peer-Link, (T) - True, (F) - False Missing entries in the HW MAC Table VLAN MAC Address Type age Secure NTFY Ports ---------+-----------------+--------+---------+------+----+------------------ Extra and Discrepant entries in the HW MAC Table VLAN MAC Address Type age Secure NTFY Ports ---------+-----------------+--------+---------+------+----+------------------
  • 59.
    Consistency Checkers-L3 Interface N9K#show consistency-checker l3 mod 1 L3 LIF Checks: L3 Vlan, CML Flags, IPv4 Enable Consistency Check: PASSED No inconsistencies found for: Ethernet1/1 Ethernet1/2 Ethernet1/3 2015 Mar 24 04:07:27 N9508a-SJ %$ VDC-1 %$ vshd: CC_L3_LIF: Consistency Check: PASSED
  • 60.
    Consistency Checker –UnicastForwarding N9K#test consistency-checker forwarding Consistency check started. N9K# show consistency-checker forwarding ipv4 unicast module 1 IPV4 Consistency check (in progress): table_id(0x1) slot(1) Elapsed time : 8257 ms N9K# show consistency-checker forwarding ipv4 unicast module 1 IPV4 Consistency check : table_id(0x1) slot(1) Execution time : 13244 ms () No inconsistent adjacencies. No inconsistent routes. Consistency-Checker: PASS for 1
  • 61.
    Gold Diagnostic Checks N9K#show diagnostic result mod 2 Module 2: 48x1/10G-T 4x40G Ethernet Module Test results:(.=Pass, F=Fail,I=Incomplete,U=Untested,A=Abort,E=Error disabled) 1) ASICRegisterCheck------------> . 2) PrimaryBootROM---------------> . 3) SecondaryBootROM-------------> . 4) OBFL-------------------------> . 6) BootFlash--------------------> . 7) AsicMemory-------------------> . 8) FpgaRegTest---------------- -> . 9) PortLoopback:--------------- > . Port 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 ----------------------------------------------------- U U U . U U U U . . U U U . U U RewriteEngineLoopback On Demand Diagnostic can be executed
  • 62.
    Sev1/2 Syslog show logginglogfile | incl -1-|-2- 2015 Feb 25 10:30:17 N9508a-SJ %PLATFORM-2-MOD_PWRUP: Module 26 powered up (Serial number SAL1738D37W) 2015 Feb 25 10:32:37 N9508a-SJ %XBAR-2-XBAR_HGLINK_NOT_UP: fabric link 1 on module 2 unit 0 connected to fabric module 26 unit:0 is not up during module bring up 2015 Feb 25 10:32:39 N9508a-SJ %MODULE-2-MOD_FAIL: Initialization of module 26 (Serial number: SAL1738D37W) failed 2015 Feb 25 10:32:39 N9508a-SJ %PLATFORM-2-MOD_PWRDN: Module 26 powered down (Serial number SAL1738D37W)
  • 63.
  • 64.
    Troubleshooting Toolkit • Ethanalyzer •TCP Dump • ELAM • Packet Tracer • Flex Counter • ERSPAN • Consistency Checkers
  • 65.
    Ethanalyzer-When To Useit • To Analyze the traffic sent and received by CPU • It uses wireshark’s code (an open source software) • Troubleshooting High CPU • Troubleshoot Control Plane issues Ex. OSPF , PIM , STP Flap. SUP Netstack NIC-ETH2 Pseudo Inband Note: Ethanalyzer does not allow capturing of hardware switched traffic between data ports of the switch
  • 66.
    Ethanalyzer-CLI N9K# ethanalyzer localinterface inband capture-filter "pim” detail Capturing on inband Frame 1 (60 bytes on wire, 60 bytes captured) Arrival Time: Mar 24, 2015 10:01:10.018889000 -------Snip------------------ [Protocols in frame: eth:ip:pim] N9K#ethanalyzer local interface inband display-filter "ospf” detail Capturing on inband Frame 1 (82 bytes on wire, 82 bytes captured) Arrival Time: Mar 24, 2015 10:04:11.425523000 -------------------Snip-------------------- [Frame is marked: False] [Protocols in frame: eth:ip:ospf] Some Available Options autostop :Autostop decode-internal :Internal header decoding limit-captured-frames :Maximum number of
  • 67.
    TCP Dump • Tcpdumpcommand works on most flavors of Linux operating system • Helps to prints out a description of the contents of packets on a network interface • Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal –CTRL-C • Tcpdump output can be saved to file for further reference • More info at http://www.tcpdump.org/
  • 68.
    Tcpdump -syntax Syntax: tcpdump-h tcpdump version 4.1.1 libpcap version 1.2.1 Usage: tcpdump [-aAbdDefIKlLnNOpqRStuUvxX] [ -B size ] [ -c count] [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds] [ -i interface ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ] [ -Z user ] [ expression ] bash-4.2# N9K# show feature | in bash Feature Name Instance State bash-shell 1 enabled N9K# run bash bash-4.2# sudo su Password:****** bash-4.2# whoami root bash-4.2# tcpdump –c 10 –I ps-inb
  • 69.
    Tcpdump-Examples- bash-4.2# tcpdump -c100 -w tcpdump.pcap -vvvv -i ps-inb tcpdump: WARNING: ps-inb: no IPv4 address assigned tcpdump: listening on ps-inb, link-type EN10MB (Ethernet), capture size 65535 bytes 100 packets captured 102 packets received by filter bash-4.2#cd /bootflash bash-4.2# tcpdump -tttt -r tcpdump.pcap | more reading from file tcpdump.pcap, link-type EN10MB (Ethernet) 2015-04-26 03:21:31.309350 00:0e:ee:01:1b:01 (oui Unknown) > 00:00:00:ff:ff:01 (oui Ethernet), ethertype Unknown (0x8833), length 160: 0x0000: 0000 fc08 0b00 0000 0000 0800 0000 0ffd ............... -------------------------------------more--------------------------------- Capturing 100 packets And writing to file Reading captured file
  • 70.
    tshark bash-4.2$ tshark -ips-inb Capturing on inband 0.000000 00:0e:ee:01:1b:01 -> 00:00:00:ff:ff:01 0x8833 Ethernet II 12.328377 00:0e:ee:01:1b:01 -> 00:00:00:ff:ff:01 0x8833 Ethernet II ^C2 packets captured bash-4.2$
  • 71.
    Elam-Embedded Logic AnalyzerModule-NS • Elam Allows to capture single packet based on Trigger • Triggers are configured using Packet information • Only Supported on North Star Based(ALE) Line Cards and GEMs • Use with TAC Supervision • Help to Answer following Questions • Was the Packet indeed Received by device on given Line card? • How did the Packet Look like? • How was the packet rewritten based on forwarding Decision made by T2? • Was the Packet correctly forwarded or Dropped?
  • 72.
    ELAM Configuration 1. Init 2.Config 5. Reset 3. Arm 4. Read Trigger • Init – Initialize the ELAM – select the Asic instance, pipeline and select lines module-1# debug platform internal ns elam asic module-1(NS-elam)# trigger init ingress in-select 3 out-select 5 • Config – Configure the trigger based on different fields in the packet module-1(NS-elam-insel3)# set outer ipv4 src_ip 13.13.13.10 • Arm – Arm the trigger by setting the fields to match in hardware module-1(NS-elam-insel3)# start • Read – Once the trigger is triggered, read the report module-1(NS-elam-insel3)# report • Reset – Once the process is complete, reset the trigger to restart the process module-1(NS-elam-insel3)# reset
  • 73.
    Elam Ingress &Egress Direction-TOR Front Panel 48x 1GE/10GE Ports GEM 4x 40GE QSFP+ Uplinks Trident II ASIC NorthStar ASIC 1 Network Interfaces 12 x 40G Hi-Gig2 12 x 40G Ethernet IP.Add=13.13.13.10 • Traffic entering GEM ports which has NS and exiting T2 is Egress Pipeline Ex. trigger init egress in-select 3 out-select 5 set outer ipv4 dst_ip 13.13.13.10 • Traffic Entering T2 and Exiting GEM ports is Ingress Pipeline Ex. trigger init ingress in-select 3 out-select 5 set outer ipv4 src_ip 13.13.13.10 IngressEgress
  • 74.
    Elam Ingress &Egress Direction-EOR Front Panel 48x 1GE/10GE Ports 13.13.13.10 Trident II ASIC North Star ASIC Network Interfaces 12 x 40G Hi-Gig2 12 x 40G Ethernet N FE Fabric 1 N FE Fabric 3 Line Card • Traffic entering from Fabric Module in to NS of Line Card is Egress Pipeline Ex. trigger init egress in-select 3 out-select 5 set outer ipv4 dst_ip 13.13.13.10 • Traffic Entering NS and exiting towards Fabric Module is Ingress Pipeline Ex. trigger init ingress in-select 3 out-select 5 set outer ipv4 src_ip 13.13.13.10 IngressEgress
  • 75.
    ELAM Sample Configuration& Key Info N9K# attach mod 6 module-6# debug platform internal ns elam asic 1 module-6(NS-elam)# trigger init egress in-select 3 out-select 5 module-6(NS-elam-insel3)# set outer ipv4 dst_ip 13.13.13.10 module-6(NS-elam-insel3)# start module-6(NS-elam-insel3)# status module-6(NS-elam-insel3)# report Eth5/1 Eth6/52 Nexus9508 with N9K-X9564TX 13.13.13.1/30 N9K-X9564TX 4 40Gig Port On NS 40 1/10 Gig On T2 13.13.13.10/30 If Packet Captured Status: Triggered
  • 76.
    Important ELAM Fields GBL_C++:[MSG] - sideband is complete GBL_C++: [INFO] ovector: 000FFF GBL_C++ [INFO] hg2_srcmod: 0E GBL_C++ [INFO] hg2_srcpid: 0D GBL_C++ [INFO] hg2_dstmod: 11 GBL_C++ [INFO] hg2_dstpid: 0A GBL_C++ [INFO] ip_da: 000000000000D0D0D0A GBL_C++ [INFO] ip_sa: 000000000000D0D0D01 N9K# show interface hardware-mappings ------------------------------------------- ---------------------------- Name Ifindex Smod Unit HPort FPort NPort VPort ------------------------------------------ Eth5/2 1a280000 14 0 13 255 0 -1 Eth6/52 1a286600 17 1 10 255 51 -1 Information is in Hex Convert to Dec. Sideband is the result where packet will be sprayed. Should never be “0”
  • 77.
    Packet Tracer-T2 • Helpsto Trace the packet inside Switch. • Only packets in the direction of the flow are traced • Two Acls are installed for each filter on each Line card • One ACL for Front Panel Port Group • Second ACL for traffic exiting Fabric Module and ingressing Line card Trident II ASIC Network Interfaces FM Mod
  • 78.
    Packet Tracer Configuration 13.13.13.10/30 ConfigureFilter Start Tracer Clear/Remove-all Stop Tracer Check Counter Filter rt test packet-tracer dst-ip 13.13.13.10 detail-fp test packet-tracer dst-ip 13.13.13.10 detail-hg test packet-tracer start test packet-tracer stop test packet-tracer show test packet-tracer clear remove
  • 79.
    Sample Configuration &Identify Front Port-LC 13.13.13.10/30 N9K#test packet-tracer dst-ip 13.13.13.10 src-ip 13.13.13.1 detail-fp N9K#test packet-tracer show filter 1 non-zero Packet-tracer stats Module 6: Filter 1 installed: src-ip 13.13.13.1 dst-ip 13.13.13.10 detail-fp Module 21: Filter 1 installed: src-ip 13.13.13.1 dst-ip 13.13.13.10 detail-fp Module 26: Filter 1 installed: src-ip 13.13.13.1 dst-ip 13.13.13.10 detail-fp Eth6/52Eth6/1 Nexus9508 with N9K-X9564TX 13.13.13.1/30 13.13.13.10/30
  • 80.
    Packet Tracer SampleConfiguration & Key Info N9K# test packet-tracer start filter 1 N9K# test packet-tracer show filter 1 mod 6 non-zero Packet-tracer stats Module 6: Filter1 installed: src-ip 13.13.13.1 dst-ip 13.13.13.10 detail-fp ASIC instance 0: Entry 1: id = 7426, count = 5, active, fp, port 13 N9K# show interface hardware-mappings | grep 6/1 Name Ifindex Smod Unit Hport FPort Nport VPort Eth6/1 1a280000 16 0 13 255 0 -1 13.13.13.10/30 Eth6/52Eth6/1 Nexus9508 with N9K-X9564TX 13.13.13.1/30 13.13.13.10/30
  • 81.
    Sample Configuration IdentifyFabric Port LC From FM N9K# test packet-tracer dst-ip 13.13.13.10 src-ip 13.13.13.1 detail-hg N9K# test packet-tracer start filter 1 N9K# test packet-tracer show mod 6 non-zero Module 6: Filter 1 installed: src-ip 13.13.13.1 dst-ip 13.13.13.10 detail-hg ASIC instance 0: Entry 0: id = 7425, count = 68, stopped, fp, ASIC instance 1: Entry 1: id = 7426, count = 13, stopped, hg, port 1 Entry 2: id = 7427, count = 11, stopped, hg, port 2 13.13.13.10/30Eth6/52Eth8/1 Nexus9508 with N9K-X9564TX 13.13.13.1/30 13.13.13.10/30
  • 82.
    Flex Counters –AdjacencyStatistics • Flex counters used to count Next hop Adjacency stats • One can attach Stats to multiple Adjacency at same time • One Stat Counter per adjacency • Total Flex Counters are 16K per Switch
  • 83.
    How To ConfigureFlex Counters N9K# sh ip route 13.13.13.10 IP Route Table for VRF "default" ‘'%<string>' in via output denotes VRF <string> 13.13.13.8/30, ubest/mbest: 1/0 *via 13.13.13.6, Eth6/52, [110/41], 00:33:14, ospf-10, intra N9K# test hardware internal adjacency statistics nexthop ipv4 13.13.13.6 interface ethernet 6/52 (enable |disable | show) 13.13.13.10/30 Eth6/52Eth6/1 Nexus9508 with N9K-X9564TX 13.13.13.1/30 13.13.13.10/30
  • 84.
    Sample Configuration 13.13.13.10/30 N9K# testhardware internal adjacency statistics nexthop ipv4 13.13.13.6 interface ethernet 6/52 show Module:21 Unit:0 ------------------ Adjacency counters for nhip 13.13.13.6 if Ethernet6/52: Ucast: Packets 738 Bytes 90036 Mcast: Packets 0 Bytes 0 Module:22 Unit:1 ------------------ Adjacency counters for nhip 13.13.13.6 if Ethernet6/52: Ucast: Packets 946 Bytes 115412 Mcast: Packets 0 Bytes 0 Eth6/52Eth6/1 Nexus9508 with N9K-X9564TX 13.13.13.1/30 13.13.13.10/30
  • 85.
    SPAN & ERSPAN •Switch Port Analyzer” • Provides efficient, high-performance traffic monitoring service • Duplicates network traffic to one or more monitor interfaces • Types Of SPAN • Local SPAN • Encapsulated Remote SPAN(ERSPAN) • Applications: • Troubleshooting connectivity issues • Base lining network utilization/performance • Detecting anomalous traffic flows • On Nexus9000 Span Traffic uses dedicated queue • Queue carrying SPAN traffic has low Priority over other queue’s during congestion
  • 86.
    SPAN QOS Queue N9K#show queuing interface ethernet 4/18 | begin SPAN | SPAN QOS GROUP | +-----------------------------------------------------------------+ | | Unicast | OOBFC Unicast | Multicast | +------------------------------------------------------------------+ | Tx Pkts | 0| 0| 0| | Tx Byts | 0| 0| 0| | Dropped Pkts | 0| 0| 0| | Dropped Byts | 0| 0| 0| | Q Depth Byts | 0| 0| 0|
  • 87.
    SPAN Configuration N9K(config)# monitorsession 1 N9K(config-monitor)# source interface sup-eth 0 both N9K(config-monitor)# source interface ethernet 6/1 N9K(config-monitor)# destination interface ethernet 6/2 N9K(config-monitor)# No Shut N9K(config-monitor)# show monitor Session State Reason Description --- ----- ------------ -------------------- 1 up The session is up Local SPAN Session e6/1 e6/2 Local SPAN LocalSup-eth N9K(config)#int et 6/2 N9K(config-if)# switchport monitor
  • 88.
    ERSPAN Configuration N9K(config)# monitorerspan origin ip-address 13.13.13.2 global N9K(config)# monitor session 1 type erspan-source N9K(config-erspan-src)# header-type 3 N9K(config-erspan-src)# source interface ethernet 6/1 N9K(config-erspan-src)# erspan-id 1 N9K(config-erspan-src)# ip ttl 16 N9K(config-erspan-src)# vrf default N9K(config-erspan-src)# destination ip 9.1.1.2 N9K(config-erspan-src)# marker-packet-2 N9K(config-erspan-src)# no shut Layer 3 e6/1 ERSPAN e6/2 L3 Only Supports Source ERSPAN Type-3 Header 32-bit Timestamp Supports on Nexus9300 only Marker packet carry original UTC time stamp to over come 32-bit wrapper issue
  • 89.
    Consistency Checkers-Summary • Showconsistency-checker stp-state vlan • Show consistency-checker link-state • Show consistency-checker membership vlan • Show consistency-checker membership port-channels • Show consistency-checker membership port-channels • Show consistency-checker l2 • Show consistency-checker l3 • Show consistency-checker forwarding ipv4 unicast
  • 90.
  • 91.
    Understanding T2 interfaces-Xe0/hg N9K#bcm-shell mod 1 "show unit" Unit 0 chip BCM56852_A2 (current) Unit 1 chip BCM56852_A2 N9K#bcm-shell mod 1 “0:ps” ena/ speed/ link auto STP lrn inter max loop port link duplex scan neg? state pause discrd ops face frame back hg0 up 42G FD HW No Forward None FA XGMII 16360 hg2 up 42G FD HW No Forward None FA XGMII 16360 --------------------------------Snip---------------------------------- Hg11 up 42G FD HW No Forward None FA XGMII 16360 Xe0 !ena 40G FD HW No Disable None FA XGMII 1582 xe1 up 40G FD HW No Disable None FA XGMII 1582 --------------------------------Snip---------------------------------- Xe11 !ena 40G FD HW No Disable None FA XGMII 1582 Hg=Internal Ports Xe=Front Panel Port QSPF Ports QSPF Ports F P 01 F P 02 F P 03 F P 04 F P 05 F P 06 F P 07 F P 08 F P 09 F P 10 F P 11 F P 12 F P 13 F P 14 F P 15 F P 16 F P 17 F P 18 F P 19 F P 20 F P 21 F P 22 F P 23 F P 24 T2 Instance 0 T2 Instance 1 Eth1/1 Eth1/24 Xe0 Xe0 hg0 hg11 Xe11 Eth1/12 Xe11 Eth1/13 hg0 hg11
  • 92.
    Layer -1 Issues-Transceiver Not Recognized N9K# show interface ethernet 4/18 transceiver details Ethernet4/18 transceiver is not present module-4# show hardware internal bcm-usd event-history xcvr 18 1) Event:E_STRING, length:135, at 220346 usecs after Thu Apr 16 20:50:17 2015 bcm_usd_xcvr_fcot_notify_default(941): [unit=0 nxosport=18 bcmport=30] fcot_state:0x2 fcot_type:0 sent MTS_OPC_FCOT_EVENT_INFO, rc 0x0 2) Event:E_STRING, length:93, at 647132 usecs after Thu Apr 16 20:50:14 2015 bcm_usd_xcvr_fcot_scan_sfp(3003): [unit=0 nxosport=18 bcmport=30] FCOT not supported err=-1
  • 93.
    Interface MTU/Speed/Flow ControlVerification N9K# show interface Ethernet 4/18 Ethernet4/18 is up admin state is up, Dedicated Interface Belongs to Po10 Hardware: 10000/40000 Ethernet, address: 7c69.f66e.d860 (bia 7c69.f66e.d860) MTU 9216 bytes, BW 40000000 Kbit, DLY 10 usec N9K# bcm-shell module 4 ” 1: ps Xe17" ena/ speed/ link auto STP lrn inter max loop port link duplex scan neg? state pause discrd ops face frame back xe17 up 40G FD HW No Disable None FA SR4 9298
  • 94.
    Interface Flow ControlCheck N9K#Show interface ethernet 1/1 flowcontrol Port Send FlowControl Receive FlowControl RxPause TxPause admin oper admin oper ----------------------------------------------------------------------------- Eth1/1 off off off off 0 0 N9K#bcm-shell module 1 "ps" Wrong programming ena/ speed/ link auto TP lrn inter max loop port link duplex scan neg? state pause discrd ops face frame back xe0 up 10G FD HW No Disable TX RX None FA SFI 9298
  • 95.
    Interface Input Drops N9K#bcm-shellmod1 “ cstat xe29” +------------------Programmable Statistics Counters[Port xe29]------+ | Type | No. | Value | Enabled For | +----------------------------------------------------------------- -+ | RX | 0(R)| 19163028| RIPD4 RIPD6 RDISC RPORTD | | | | | PDISC VLANDR | | | 1(R)| 28744286| IMBP | | | 4 | 993820| RPORTD FcmPortClass3RxDiscards | | | 6 | 19163407| RFILDR FcmPortClass2RxDiscards | | | 7 | 19163048| RDROP | | | 8 | 18169208| VLANDR | +-------------------------------------------------------------------+ | | 3(R)| 14704| TPKTD | | | 4(R)| 968303| TGIP4 TGIP6 FcmPortClass3TxFrames| | | 6 | 968303| TGIP4 FcmPortClass3TxFrames | +-------------------------------------------------------------------+ Ethernet1/30 is up Hardware: 1000/10000 Ethernet, address: 7426.acea.ceb9 (bia 7426.acea.ceb9) EtherType is 0x8100 0 input with dribble 1316 input discard bcm-shell mod 6 "cstat info" | gre VLANDR VLANDR Rx VLAN drops
  • 96.
    Fabric Connectivity andTroubleshooting • In an 4-slot chassis N9K-C9504-FM has 1 T2 per module • In an 8-slot chassis N9K-C9508-FM has 2 T2 per module • In an 16-slot chassis N9K-C9516-FM has 4 T2 per module • FMs provides redundancy for internal data flow, the loss of FMs just increases the oversubscription factor. T2 T2 T2 T2T2 T2 N9K-C9508-FM-8 N9K-C9516-FM-16 T2 N9K-C9508-FM-4
  • 97.
    Full-Rate Mode(FRM) V/SOversubscribed Mode(OSM) • Each T2 have 32 40Gigport with total capacity of 1.2Tbps with “2” switching mode OSM(Default) - Uses all 32 40 Gig ports Line Rate achieved for packets > 200 Bytes FRM - Uses only 24 40 Gig ports Line rate achieved for > 64 Bytes Configuration Knob to Change the mode. N9K(config)# system fabric-mode full-rate Configuration effective after Reboot N9K#show system fabric-mode Applied System Fabric Mode:Full rate mode Use FRM mode to achieve line rate for 64 byte packets on 9636PQ , 9564PQ , 9564TX cards All other 94xx line cards will not be powered up in this mode
  • 98.
    RTAG7 and DLB •Two Packet Hashing algorithm available from LC to FM • RTAG7-To Select HG Port use Packet Header. • For a flow same HG Link is used • DLB-Dynamic Load Balancing- Default algorithm • Initial Hash same as RTAG7 • Based on Link Quality pick up optimum HG Port • Better utilization of all HG links • N9K(config)# port-channel load-balance internal [dlb/rtg7] • N9K# show port-channel load-balance internal algorithm • HighGig port-channel load balance algorithm: dlb LC1 LC2 FM-2FM1 FM6 HG- Ports HG- Ports
  • 99.
    Higig Link Failures– Fabric Module Policy • For any single Higig link failure between FM and LC Bring down the FM, if there is more than one FM Else bring down LC • Multiple Higig links failures for a Single LC going to Multiple FM - Bring down the LC module. • Multiple Higig links failures on LC to one of the FM - Bring down the LC module
  • 100.
    4/8 slot Chassis– Fabric Connectivity N9K-X9536PQ T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T2 T 2 T 2 T2 40 Gig Link • 9500/9600 Series Line Card’s T2 have connectivity to all 6 Fabric Module’s T2 • 9400 series Line cards connects to all T2 but use only 4 Fabric Modules -No Connection to Slot 21 & 25 • Traffic between 9500/9600 Series Line Card and 9400 Line card will use subset Hi Gig links .
  • 101.
    16 slot Chassis– Fabric Connectivity N9K-C9516-FM T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 N9K-X9536PQ T 2 T 2 T2 T 2 T 2 T2 • 9500 Series Line Card’s T2 will have connection to all 6 Fabric Module but to only 2 T2’s from each Fabric Module • 9500 series Line Card’s T2 will have connection to all 4 T2’s of Fabric module if there are only 3 Fabric module present • 9400 series cards connects to all T2 but use only 4 FM-No Connection to Slot 21 & 25 • Traffic between 9500 Series Line Card and 9400 will use subset Hi gig links. • N9K-X9636PQ line card module is not supported in 16 slot chassis 40 Gig Link
  • 102.
    • With 3FM configuration All 4 T2 units in each FM are connected to 9500 series LC modules' T2 units • Each blue line represents one 40 Gig link 16 slot Chassis – Fabric Connectivity T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 T 2 N9K-X9536PQ T2 T2
  • 103.
    HG MUX1 HG MUX3 Northstar 1 Warpcore MF Port 7- 5 2- 0 31- 29 26- 24 T2 7- 5 26- 24 0- 2 3- 5 6-89- 11 FM24 FM23FM25FM26 FM22 FM21 HG MUX4 HG MUX2 HG MUX5 HG MUX6 MN Port 0 1 2 3 4 5 6 7 8 9 10 11 Northstar 2 MF Port 0- 2 9- 11 MN Port 0 1 2 3 4 5 6 7 8 9 10 11 T2 7- 5 2- 0 31- 29 26- 24 • Line cards N9K-X9464PX/TX , N9K-X9564PQ/TX have Mux • Mux used for connecting HiG Link from Line Cards to multiple Fabric Module • Mux available only for Half of the HiG interface of LC • By Default Mux Link Active to Odd number of Fabric Module Line Card Fabric Module’s Active Mux Link Standby Mux Link Line Cards With Mux to FM
  • 104.
    FM Connectivity ForN9K-X9564PX –With MUX show system internal fabric connectivity mod 5 | in B HiGIG Link-info Linecard slot:5 LC-Slot LC-Unit LC-HGLink MUX FM-Slot FM-Unit FM-HGLink 5 0 HG02 1B 25 0 HG12 5 0 HG03 1B 25 1 HG12 show system internal fabric connectivity mod 5 HiGIG Link-info Fabriccard slot:5 LC-Slot LC-Unit LC-HGLink MUX FM-Slot FM-Unit FM-HGLink 5 0 HG02 1A 26 0 HG14 5 0 HG03 1A 26 1 HG14 With FM from Slot 25 Down FM-26 T2-0 T2-1 HG014 LC T2-0 T2-1 FM-25 T2-0 T2-1 MUX HG02 HG03 HG012HG012 HG014 AB • Line cards N9K-X9464PX/TX , N9K-X9564PQ/TX have Mux • Mux used for connecting HiG Link from Line Cards to multiple Fabric Module • Mux available only for Half of the HiG interface of LC • By Default Mux Link Active to Odd number of Fabric Module
  • 105.
    FM Connectivity ForN9K-X9564PX –With MUX show system internal fabric connectivity mod 5 | in B HiGIG Link-info Linecard slot:5 LC-Slot LC-Unit LC-HGLink MUX FM-Slot FM-Unit FM-HGLink 5 0 HG02 1B 25 0 HG12 5 0 HG03 1B 25 1 HG12 show system internal fabric connectivity mod 5 HiGIG Link-info Fabriccard slot:5 LC-Slot LC-Unit LC-HGLink MUX FM-Slot FM-Unit FM-HGLink 5 0 HG02 1A 26 0 HG14 5 0 HG03 1A 26 1 HG14 With FM from Slot 25 Down LC T2-0 T2-1 FM-25 T2-0 T2-1 FM-26 T2-0 T2-1 MUX HG02 HG03 HG012HG012 HG014 HG014 LC T2-0 T2-1 FM-25 T2-0 T2-1 FM-26 T2-0 T2-1 MUX HG02 HG03 HG012HG012 HG014 HG014 A A B B
  • 106.
    Fabric Troubleshooting commands showsystem internal fabric connectivity mod 1 HiGIG Link-info Linecard slot:1 LC-Slot LC-Unit LC-HGLink MUX FM-Slot FM-Unit FM-HGLink 1 0 HG00 - 21 0 HG00 1 0 HG01 - 21 1 HG00 show system internal fabric connectivity mod 21 HiGIG Link-info Fabriccard slot:21 FM-Slot FM-Unit FM-HGLink LC-Slot LC-Unit LC-HGLink MUX 21 0 HG00 1 0 HG00 21 1 HG00 1 0 HG01 T2 #0 T2 #1 T2 #0 T2 #1 T2 #2 Line Card Slot-1 Fabric Module Slot-21 HG00HG00
  • 107.
    Fabric Port Dropsand Link Status N9K# bcm-shell mod 21 "ps” | inc hg0 ena/ speed/ link auto STP lrn inter max loop port link duplex scan neg? state pause discrd ops face frame back hg0 up 42 FD HW No Forward None FA XGMII 16360 N9K# show hardware internal fabric interface asic counters mod 21 Counters for Fabric Ports: FabricInterface Forward Forward Error Pkt Error Pkt QOS Rx QOS Tx RxDrops TxDrops RxDrops TxDrops Drops Drops 0 / 1 / HG0 0 0 0 0 0 0 1 / 1 / HG0 0 0 1 0 0 0 0
  • 108.
    Fabric Port STPState HW point of View N9K# sh vlan id 100 VLAN Name Status Ports ---- ------------------ --------- 100 VLAN0100 active Po1, Eth1/1 show sys internal xbar event-history {trace|errors|msgs|sw} show sys internal xbar-client event-history {trace|errors|msgs|sw} show tech-support xbar N9K# bcm mod 21 " stg show” STG 5: contains 1 VLAN (100) Forward: hg
  • 109.
    Path of thePacket -Inband CPU NIC-Eth2 Netstack NIC-Eth3 System Controller-SC1 FabricModule FabricModule FabricModule Line Card Mod21 Mod26 Mod29 Mod23 OSPF Hello Eth6/1 • Traffic from all ingress Line Card to Supervisor will hash to one Fabric module • Traffic from Supervisor Card to Egress Line cad will hash on one FM. May not be same • CoPP is operational on all LC. However aggregate CoPP is on FM
  • 110.
    Check for Drops/Errors-LineCard N9K#show hardware internal interface ethernet 6/1 asic counters Important Counters/Drops --------------- --------- --------- --------- --------- --------- --------- Interface Name Forward Forward Error Pkt Error Pkt QOS Rx QOS Tx RxDrops TxDrops RxDrops TxDrops Drops Drops --------------- --------- --------- --------- --------- --------- --------- Ethernet6/1 870 0 100 0 0 0 --------------- --------- --------- --------- --------- --------- --------- Forward Rx Drops = [ RDBGC0 RDBGC4 RDBGC6 RDBGC7 RDBGC8 ] Forward Tx Drops = [ TDBGC1 TDBGC3 TDBGC5 (excludes expected Multicast drops)] ErrorPkt Rx Drops= [ IUNHGI IUNKOPC RFCS RALN RFLR RERPKT RJBR RSCHCRC RUND RMTUE] ErrorPkt Tx Drops= [ TJBR TFCS TRPKT RMTUE TUFL TPCE ] QOS Rx Drops = [ RDISC DROP_PKT_ING DROP_PKT_IMTR DROP_PKT_YEL DROP_PKT_RED ] QOS Tx Drops = [ MCQ_DROP_PKT(0) MCQ_DROP_PKT(1) MCQ_DROP_PKT(2) Use slot <#> show hardware internal interface indiscard-stats instance <#> N9K#bcm-shell mod 6 "listreg RALN"| grep Description Description: Receive Alignment Error Frame Counter Trident II ASIC North Star ASIC Network Interfaces Line Card RDBGC0
  • 111.
    Instant Buffer UsageStats-With Buffer Usage N9K#show hardware internal buffer info pkt-stats mod 6 INSTANCE: 0 Output Shared Service Pool Buffer Utilization (in cells) SP-0 SP-1 SP-2 SP-3 ------------------------------------------------------------------------- Total Instant Usage 4474 0 89 2939 Remaining Instant Usage 25466 0 14255 3405 ------------------------------------------------------------------------ ASIC Port Q3 Q2 Q1 Q0 CPU SPAN [13] UC(OOBFC)-> 0 0 0 0 UC-> 0 0 0 1249 332 0 MC-> 0 0 0 3247 1996 0 Only printed if there is congestion • SP-3 Started filling the Queue • CPU buffer filling up
  • 112.
    CoPP Drops onLine Card N9K# show policy-map interface control-plane mod 6 class copp-system-p-class- critical | in ospf|trans|dropped match access-group name copp-system-p-acl-ospf transmitted 21898 packets; dropped 0 packets; Trident II ASIC North Star ASIC Network Interfaces Line Card
  • 113.
    Identify FM -CheckCoPP Drops N9K# show hardware internal cpu-mac inband active-fm traffic-to-sup Active FM Module for traffic to sup: 0x00000015 Fabric Module in Slot 21 carry all traffic to Sup N9K# show policy-map interface control-plane mod 21 class copp-system-p-class- critical | in ospf|trans|dropped match access-group name copp-system-p-acl-ospf match access-group name copp-system-p-acl-ospf6 transmitted 21898 packets; dropped 0 packets;
  • 114.
    Check for Drops/Errors-FabricModule N9K# show system internal fabric connectivity mod 6 | grep 21 Identify HG Port on LC and FM LC-Slot LC-Unit LC-HGLink MUX FM-Slot FM-Unit FM-HGLink 6 0 HG10 3B 21 0 HG15 N9K# sh hardware internal fabric interface asic counters module 6 instance 0 asic-port 11 Important Counters/Drops Verify Drops/Error on HG port on LC FabricInterface Forward Forward Error Pkt Error Pkt QOS Rx QOS Tx RxDrops TxDrops RxDrops TxDrops Drops Drops 0 / 11 / HG10 0 0 0 0 0 0 N9K# sh hardware internal fabric interface asic counters mod 21 in 0 asic-port 16 RxDrops TxDrops RxDrops TxDrops Drops Drops 0 / 11 / HG15 0 0 0 0 0 0
  • 115.
    Verify Drops BetweenFM and SC module-21# show mvdxn internal port-status Switch type: Marvell 98DXN11 - 10 port switch Fabric Module in Slot 21 Port Descr Enable Status ANeg Speed Mode InByte OutByte InPkts OutPkts 3 SC1EPCswitch Yes UP No 2 6 109548011 117051401 274144 587285 module-29# show mvdxn internal port-status Switch type: Marvell 98DXN11 - 10 port switch System Controller in Slot 29 Port Descr Enable Status ANeg Speed Mode InByte OutByte InPkts OutPkts 7 FM1EPCswitch Yes UP No 2 6 746159513 60543666 620863 269592 10 port switch on System controller and Fabric module connect SC to FM FABRIC CARD System Controller MVDXN-SW MVDXN-SW
  • 116.
    Drops/Errors On Supervisor N9K#showhardware internal cpu-mac inband counters in eth|ps- inb|dro eth2 Link encap:Ethernet HWaddr 00:00:00:01:1b:01 RX packets:2922013 errors:0 dropped:0 overruns:2 frame:0 TX packets:1652929 errors:0 dropped:0 overruns:0 carrier:0 eth3 Link encap:Ethernet HWaddr 00:00:00:01:1b:01 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 ps-inb Link encap:Ethernet HWaddr 00:00:00:01:1b:01 RX packets:54204 errors:0 dropped:3579 overruns:0 frame:0 TX packets:50626 errors:0 dropped:0 overruns:0 carrier:0 Netstack NIC-Eth2 Pseudo Inband NIC-Eth3 Supervisor Card
  • 117.
    Drops/Errors On Supervisor-Cont. N9K#showhardware internal cpu-mac inband stats | in errors|rate|Queue Queue Idx Packet Count Bytes Drops Csum Errors Allocation Failure Queue 0 65429 580195964 2 0 0 Queue 7 65429 580195964 0 0 0 CRC errors ...................... 0 Alignment errors ................ 0 Symbol errors ................... 0 Carrier extension errors .........0 Rx packet rate (current/peak) 812 / 1097 pps Tx packet rate (current/peak) 454 / 741 pps Related show tech(s) Nexus9500# sh tech-support inband counters Nexus9500# show tech-support pktmgr Nexus9500# show tech-support <service>
  • 118.
    L2 Mac AndVlan Table Verification N9K# sh mac address-table dynamic vlan 100 Legend: * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC age - seconds since last seen,+ - primary entry using vPC Peer-Link, (T) - True, (F) - False VLAN MAC Address Type age Secure NTFY Ports * 100 547f.ee1c.06fc dynamic 0 F F Eth6/1 N9K# bcm-shell mod 6 " l2 show" | in Hit mac=54:7f:ee:1c:06:fc vlan=100 GPORT=0x800800d modid=16 port=13/xe0 Hit N9K# bcm-shell mod 6 "vlan show 100” vlan 100 ports xe0,hg ....... untagged xe0 interface Ethernet6/1 switchport switchport access vlan 100 no shutdown Eth6/1 Mac=547f:ee1c.06fc
  • 119.
    Spanning Tree Verification N9K#sh spanning-tree interface ethernet 6/1 Vlan Role Sts Cost Prio.Nbr Type VLAN0100 Desg FWD 4 128.1537 P2p N9K# bcm-shell mod 6 "dump vlan 100” VLAN.ipipe0[100]: <VP_GROUP_BITMAP=0x00000……STG=0X67 FID_ID=0x64 N9K# bcm-shell mod 6 "stg stp 103” STG 103: Block: xe1-xe47 Forward: xe0,hg interface Ethernet6/1 switchport switchport access vlan 100 no shutdown Eth6/1 Mac=547f:ee1c.06fc N9K# Dec 0x67=103 STG= STP Group ID N9K# Dec 0x64=100 FID_ID=Vlan ID.
  • 120.
    Unicast L3 Forwarding •T2 has combination of dedicated TCAM table space and shared hash table memory known as Unified Forwarding Table (UFT) • The UFT is partitioned into three forwarding tables • MAC Address Table • IP Host Table • Longest Prefix Match-LPM Table • To maximize the system-wide forwarding scalability UFT tables on line cards and fabric modules for different forwarding lookup functions FM LC Feature Scale L3 Host Table And L2/L3 Multicast 120K L2 Mac Table 96K Feature Scale L3 LPM Table 128K
  • 121.
    Unicast L3 Forwarding-Component Information Hardware-T2 uFDM Supervisor AM uRIB OSPF ARP FIB Manager Forwarding Hardware Theory of Operation Software/Hardware Programming • OSPF communicates with uRIB to build the routing table • AM builds the next-hop adjacency entry • uFDM distributes the information to the line cards • IP FIB (running on the line cards) programs the ASIC components with the forwarding and adjacency information. Remember: Software forwarding by the SUP is only used for control and exception packets
  • 122.
    L3 Unicast TroubleshootingFlow HW Programming On LC/FM Use BCM commands Next-Hop Check the routing table Checking Route on RIB And FIB. ARP/MAC Check the ARP Table Check Forwarding Route Show ip route [ipv4] [<prefix>] Show ip arp [ipv4] show ip adjacency (Ipv4] show forwarding adjacency platform [ipv4] module <mod> show forwarding [ipv4] route module <mod> bcm-shell mod 22 "l3 defip show"
  • 123.
    Unicast L3 Forwarding-Two Possible Scenarios Case 1: If incoming packet hit /32 host route on LC, forwarding decision is made on LC Case 2: If incoming packet miss /32 host route on LC. Now for Longest Prefix match (LPM) the packet get forwarded to FM • Install a default route 0.0.0.0/0 on Line Cards using the virtual MOD ID for Fabric Module as the DMOD to force Line Cards to forward LPM packets to Fabric Modules • Fabric Modules perform LPM lookup and forward packets to the resolved Destination MOD/Destination PORT Also will verify How to Check ECMP Route
  • 124.
    Network Diagram-Problem Definition 13.13.13.0/30 13.13.13.12/30 .1 13.13.13.8/30 .2.17 .9 .10 N9K# Nexus3064Q-ESC# N9508d-SJ# N9508c-SJ# Nexus3064Q-ESC# ping 13.13.13.10 PING 13.13.13.10 (13.13.13.10): 56 data bytes Request 0 timed out Nexus3064Q-ESC# traceroute 13.13.13.10 traceroute to 13.13.13.10 (13.13.13.10), 30 hops max, 40 byte packets 1 13.13.13.2 (13.13.13.2) 1.124 ms 0.911 ms 0.752 ms 2 * * * .18 .13 .14 13.13.13.16/30
  • 125.
    Router MAC ProgrammingCheck • Router Mac address must be programmed in Hardware N9K1#show interface ethernet 6/1 | grep address Hardware: 100/1000/10000 Ethernet, address: 003a.99fc.dd7f N9K1# bcm-shell mod 6 "0:d chg my_station_tcam" | grep dd7f MY_STATION_TCAM.ipipe0[0]: <VALID=1,------snip----MAC_ADDR=0x003a99fcdd7f,
  • 126.
    Verify /32 HostRoute on Line card-Case 1 N9K1#show ip route 13.13.13.14 13.13.13.14/32, ubest/mbest: 1/0, attached *via 13.13.13.14, Eth6/33, [250/0], 00:37:24, am N9K1#bcm-shell mod 6 "0:l3 l3table show" | grep 13.13.13.14 Entry VRF IP address Mac Address INTF MOD PORT CLASS HIT 10 1 13.13.13.14 00:00:00:00:00:00 100010 0 0 0 y N9K1#bcm-shell mod 6 "0:l3 egress show"| grep 100010 Entry Mac Vlan INTF PORT MOD MPLS_LABEL ToCpu Drop 100010 88:f0:31:bf:ad:17 4095 4432 45 16 -1 no no N9K1#show system internal ethpm info interface ethernet 6/33 | grep -i STATIC IF_STATIC_INFO: port_name=Ethernet6/33,if_index:0x1a284000,ltl=40875,slot=5, nxos_port=32,dmod=16,dpid=45, /32 Host Entry
  • 127.
    Next Hop Reachedvia L3-Port Channel N9K1#show ip route 10.164.112.22 10.164.112.22/32, ubest/mbest: 1/0 *via 13.13.13.14, Po200, [110/3], 00:09:33, ospf-10, intra N9K1#bcm-shell mod 6 "0:l3 l3table show" | grep 10.164.112.22 Entry VRF IP address Mac Address INTF MOD PORT CLASS HIT 175660 1 10.164.112.22 00:00:00:00:00:00 100012 0 0 0 y N9K1#bcm-shell mod 6 "0:l3 egress show"| grep 100012 Entry Mac Vlan INTF PORT MOD MPLS_LABEL ToCpu Drop 100010 88:f0:31:bf:ad:17 665 4761 3t 0 -1 no no N9K1#show system internal ethpm info interface port-channel 200 |grep –I STATIC IF_STATIC_INFO: port_name=port-channel200,if_index:0x160000c7,ltl=2597,slot=0, nxos_port=02,dmod=0,dpid=3, /32 Host Entry
  • 128.
    Verify HW-Programming onLC or FM ? Case 2 N9K# show ip route 13.13.13.10 IP Route Table for VRF "default” 13.13.13.8/30, ubest/mbest: 1/0 *via 13.13.13.6, Eth6/52, [110/41], 00:22:29, ospf-10, intra N9K# show forwarding route 13.13.13.10 module 21 IPv4 routes for table default/base Prefix | Next-hop Interface | Labels 13.13.13.8/30 13.13.13.6 Ethernet6/52 This is not /32 host Route. Packet forwarding decision responsibility is of the Fabric Module ALL FM will be programmed with this Route
  • 129.
    Line Card PuntingPackets to Fabric For LPM ? N9K# show hardware internal forwarding adjacency statistics default-route mod 6 Module:6 Unit:0 Traffic matched adjacency for default route (destined to FM): Unicast: Packets 148 Bytes 13382 N9K# bcm-shell mod 6 "0:l3 defip show" Unit 0, Total Number of DEFIP entries: 12288 # VRF Net addr Next Hop Mac INTF MODID PORT PRIO CLASS HIT VLAN 3072Override 0.0.0.0/0 00:00:00:00:00:00 149149 0 0 0 0 y N9K# bcm-shell mod 6 "l3 egress show" | inc 149149 Entry Mac Vlan INTF PORT MOD MPLS_LABEL ToCpu Drop 149149 00:12:12:12:12:12 4095 8189 1 100 -1 no no Mod 100 is assign to Fabric Module
  • 130.
    Longest Prefix Matchon Fabric Module N9K# bcm-shell mod 22 "l3 defip show" | grep 13.13.13.8 # VRF Net addr Next Hop Mac INTF MODID PORT PRIO CLASS HIT VLAN 196620 1 13.13.13.8/30 00:00:00:00:00:00 100008 0 0 0 0 n N9K# bcm-shell mod 22 "l3 egress show" | grep 100008 Entry Mac Vlan INTF PORT MOD MPLS_LABEL ToCpu Drop 100008 88:f0:31:bf:ad:17 4095 4520 10 17 -1 no no N9K# show system internal ethpm info interface eth 6/52 | grep dmod IF_STATIC_INFO: port_name=Ethernet6/52,if_index0x1a286600,ltl=40856,slot=5,nxos_port=51, dmod=17,dpid=10,unit=1, Mac add used for rewrite
  • 131.
    ECMP Route Validation N9K#showip route 10.164.112.22 10.164.112.22/32, ubest/mbest: 2/0 *via 13.13.13.14, Eth6/33, [110/5], 01:11:55, ospf-10, intra *via 13.13.13.18, Eth6/34, [110/5], 01:11:55, ospf-10, intra N9K#sh routing hash 13.13.13.2 10.164.112.22 mod 6 Hashing to path *13.13.13.18 Out Interface: Eth6/34 N9K#bcm-shell mod 6 "0:l3 l3table show" | grep 10.164.112.22 Entry VRF IP address Mac Address INTF MOD PORT CLASS HIT 17 1 10.164.112.22 00:00:00:00:00:00 200256 0 0 0 n (ECMP) N9K#bcm-shell mod 6 "l3 multipath show" Multipath Egress Object 200256 Interfaces: 100008 100010 Follow same steps demonstrated for /32 Host entry to learn about Interface in multipath show cli Multi-Path
  • 132.
    Use Tools FromToolkit • ELAM- IF Line Card has North Star module-6# debug platform internal ns elam asic 1 module-6(NS-elam)# trigger init egress in-select 3 out-select 5 module-6(NS-elam-insel3)# set outer ipv4 dst_ip 13.13.13.10 • Packet Tracer- For All FM and LC having T2 N9K# test packet-tracer dst-ip 13.13.13.10 src-ip 13.13.13.1 detail-fp • Flex Counter- Check Adjacency hit counter N9K# test hardware internal adjacency statistics nexthop ipv4 13.13.13.6 interface ethernet 6/52 enable • Consistency Checker show consistency-checker forwarding ipv4 unicast show tech-support forwarding l3 unicast show tech-support adjmgr show tech routing unicast
  • 133.
    Virtual Port-Channel-vPC • Allowa single device to use a port channel across two upstream switches • Eliminate STP blocked ports • Dual-homed server operate in active-active mode • HSRP-Both active and standby peers forward packets-ARP response by Active • Configuration steps Same as other Nexus Products Logical Topology with vPC
  • 134.
    Case:1 All vPCLeg UP MCT-1/1, 4/1 N9k1 N9k2 vPC20vPC10 Eth4/18 Eth6/20 Keep Alive Eth4/18 Eth6/20 SVI10 10.10.10.1/24 SVI-Mac 78da.6e71.9a3f Standby 10.10.10.3 HSRP-Mac 0000.0c07.ac0a SVI20 SVI-mac 78da.6e71.9a3f 10.10.20.1/24 Standby 10.10.20.3 HSRP-Mac 0000.0c07.ac14 Switch-A Switch-B Vlan-10 Vlan-20 10.10.10.x/24 20.20.20.x/24 HOST-A HOST-B SVI10 10.10.10.2/24 SVI-mac 003a.99fc.dd7f Standby 10.10.10.3 HSRP-Mac 0000.0c07.ac0a SVI20 SVI-mac 003a.99fc.dd7f 10.10.20.2/24 Standby 10.10.20.3 HSRP-Mac 0000.0c07.ac14 Scenario: Traffic of a Host in Vlan 10 connected to Switch-A hash to N9K1 to reach Host in Vlan 20 connected to Switch-B PC1-PeerLink vPC Peer Link =Eth1/1,4/1
  • 135.
    vPC-Router MAC ProgrammingCheck • Both Active and Standby Peer responsible for L3 switching • Virtual Mac address must be programmed in Hardware on Both peers Interface Grp Prio P State Active addr Standby addr Group addr Vlan10 10 100 Active 10.10.10.2 local 10.10.10.3 N9K1# bcm-shell mod 4 "0:d chg my_station_tcam" | grep VLAN_ID=0xa VLAN_ID=0xa,VALID=1, MAC_ADDR=0xc07ac0a, Interface Grp Prio P State Active addr Standby addr Group addr Vlan10 10 100 Standby 10.10.10.2 local 10.10.10.3 N9K2# bcm-shell mod 4 "0:d chg my_station_tcam" | grep VLAN_ID=0xa VLAN_ID=0xa,VALID=1, MAC_ADDR=0xc07ac0a,
  • 136.
    vPC Peer GatewayProgramming Check • Are N9K’s Configured with Peer-Gateway N9K1-SJ# show mac address-table vlan 10 | in G * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC G 10 0000.0c07.ac0a static - F F vPC Peer-Link(R) G 10 003a.99fc.dd7f static - F F sup-eth1(R) N9K2 SVI MAC G 10 78da.6e71.9a3f static - F F vPC Peer-Link® N9K# bcm-shell mod 4 "0:d chg my_station_tcam" | egrep 0x003a99fcdd7f MY_STATION_TCAM.ipipe0[0]: <VALID=1,MAC_ADDR_MASK=0xffffffffffff,MAC_ADDR=0x003a99fcdd7f,KEY=0x00000000003 a99fcdd7f,IPV6_TERMINATION_ALLOWED=1,IPV4_TERMINATION_ALLOWED=1,DATA=0x38,ARP_R ARP_TERMINATION_ALLOWED=1>
  • 137.
    vPC Check ForTraffic Ingressing Peer Link Egress Block Mask • vPC Check-Traffic from Peer Link should Not L2/L3 Switch with local and remote Legs up N9K1# show vpc brief | grep Po id Port Status Active vlans 1 Po1 up 10-20 id Port Status Consistency Reason Activevlans 10 Po10 up success success 10-20 20 Po20 up success success 10-20 N9K2# show vpc brief | grep Po id Port Status Active vlans 1 Po1 up 10-20 id Port Status Consistency Reason Activevlans 10 Po10 up success success 10-20 20 Po20 up success success 10-20 MCT-1/1, 4/1 N9k1 N9k2 vPC20vPC10 Eth4/18 Eth6/20 Keep Alive Eth4/18 Eth6/20 Switch-A Switch-B PC1-PeerLink
  • 138.
    MCT-1/1, 4/1 N9k1 N9k2 vPC20vPC10 Eth4/18 Eth6/20 KeepAlive Eth4/18 Eth6/20 Switch-A Switch-B PC1-PeerLink vPC Check for Traffic Ingressing Peer Link (Cont’d) N9K1#show port-ch summary | in Po Group Port- Type Protocol Member Ports 1 Po1(SU) Eth LACP Eth1/1(P)Eth4/1(P) 10 Po10(SU)Eth LACP Eth4/18(P) 20 Po20(SU)Eth LACP Eth6/20(P) N9K1# show system internal vpcm info mask module 6 Masked ports for Module 6, Unit 0: [Src Port None]: Eth6/20 [Src Port Eth1/1]: Eth6/20 [Src Port Eth4/1]: Eth6/20 Masked ports for Module 6, Unit 1: Traffic Ingressing on Eth1/1 and Eth4/1 will not exit Eth 6/20
  • 139.
    ACL redirect logicfor routed packets-vPC Leg Down • Redirect ACL installed to redirect routed packets for the vPC for which local interface goes down • Mac address learned from vPC points virtual port MCT-1/1, 4/1 N9k1 N9k2 vPC20vPC10 Eth4/18 Eth6/20 Keep Alive Eth4/18 Eth6/20 Switch-A Switch-B PC1-PeerLink Link Down N9K1# show hardware access-list tcam region | grep vpc VPC Convergence [vpc-convergence] size = 512 N9K1# sh mac address-table address30f7.0d9b.d401 VLAN MAC Address Type age Secure NTFY Ports 20 30f7.0d9b.d401 dynamic 0 F F vPC Peer-Link
  • 140.
    ACL redirect logicfor routed packets-vPC Leg Down • On N9K1 traffic entering Eth6/20 after L3 switch should egress Peer Link • N9K2 Should not drop traffic entering Peer link and forward traffic out to Eth 4/8 MCT-1/1, 4/1 N9k1 N9k2 vPC20vPC10 Eth4/18 Eth6/20 Keep Alive Eth4/18 Eth6/20 Switch-A Switch-B PC1-PeerLink Ln Down N9K# bcm-shell module 6 "fp show group 57” InPorts->L3Routable DstTrunk Offset: 213 Width: 16 DATA=0x00008003 action={act=RedirectTrunk, param0=1(0x1) Trunk-id of vPC Peerlink Trunk-id of “3” Down vPC
  • 141.
    ACL redirect logicfor routed packets-Verify TrunkID N9Ka# show system internal ethpm info int port-channel1 | grep dpid IF_STATIC_INFO: port_name=port-channel1,if_index:0x16000000,ltl=2595,slot=95 dpid=1,unit=0,queue=0,xbar_unitbmp=0x0 ns_pid=0 N9508a-SJ# show system internal ethpm info int port-channel10 | grep dpid IF_STATIC_INFO: port_name=port-channel10,if_index:0x16000000,ltl=2595,slot=95 dpid=3,unit=0,queue=0,xbar_unitbmp=0x0 ns_pid=0 show tech-support vPC show tech-support cfs show tech-support port-channel Some important info to capture
  • 142.
    ACL redirect logicfor routed packets-Verify TrunkID NX-OS -7.0(3)I1(2) N9508a-SJ# show system internal access-list vpc-convergence mod 6 ------------------------------------------------------------ VPC Convergence Entries ------------------------------------------------------------ Instance: 0 ========== Ingress: ---------- Entry-ID DstTrunk-GID RedirectTrunk-GID Packet-Count ------------------------------------------------------------------------ 1539 3 1 6082015 Trunk-id of “3” Down vPC Trunk-id of vPC Peerlink
  • 143.
  • 144.
    Email from Nexus9000To Cisco SR • Commands output directly sent to email address • Information from Nexus9000 Can be directly attached to Service Request. • Information is sent as body to email- not as attachment N9K(config)# email N9K(config-email)# smtp N9K(config-email)# smtp-host 173.37.37.37 N9K(config-email)# from N9508a-sj@cisco.com N9K(config-email)# smtp-port 25 show run | email subject <SR-number> attach@cisco.com
  • 145.
    Bash Support !!!! •Goes beyond what standard CLI can provide • Customers demand more capabilities/freedom Creativity • Feature: bash-shell • User Role: dev-ops or network-admin or vdc-admin* • Strongly recommended: Some experience with shell/Linux-Use with extreme care
  • 146.
    Broadcom ASIC shellaccess on the Nexus 9000 !!! • The Nexus 9000 is based largely on the Broadcom Trident II ASIC-Known as T2 • The modular unit Fabric Modules (FM) and Line Cards (LC) each contain multiple instances of the T2 ASIC, as well as the TOR (top of rack) units • Access is provided to each and every instance of the T2 ASIC • No additional license is required to access the bcm-shell • Permitted by default role network-admin • Role based access control (RBAC) can be used to limit user access • Accounting log available for BCM activity
  • 147.
    BCM Access someExamples N9K# bcm-shell mod 6 "show unit" Unit 0 chip BCM56852_A2 (current) Unit 1 chip BCM56852_A2 N9K# bcm-shell mod 6 "ps" | in 19 xe19 up 1G FD SW Yes Disable None FA XGMII 1582 N9K# show accounting log | last 2 Mon Apr 20 08:31:52 2015:type=update:id=console0:user=admin:cmd=bcm-shell module 6 "show unit" (SUCCESS) Mon Apr 20 08:32:14 2015:type=update:id=console0:user=admin:cmd=bcm-shell module 6 "ps" | in 19 (SUCCESS) QSPF Ports QSPF Ports F P 01 F P 02 F P 03 F P 04 F P 05 F P 06 F P 07 F P 08 F P 09 F P 10 F P 11 F P 12 F P 13 F P 14 F P 15 F P 16 F P 17 F P 18 F P 19 F P 20 F P 21 F P 22 F P 23 F P 24 T2 Instance 0 T2 Instance 1 Eth1/1 Eth1/24 Xe0 Xe0 hg0 hg11 Xe11 Eth1/12 Xe11 Eth1/13 hg0 hg11
  • 148.
    BCM Access someExamples (Cont’d) N9K# bcm-shell mod 21 "config show l3" l3_alpm_enable=2 l3_max_ecmp_mode=1 l3_mem_entries=16384 N9K# bcm-shell mod 4 "config show l2 ” l2xmsg_hostbuf_size=16384 l2_mem_entries=98304
  • 149.
    Python !!!! • Pythonis - Established, Modern and Powerful, Clean, lots of libraries, liberal license • Perl is available in gdb images only – not available in final images • Tcl is there but no one uses it in NX-OS • The license that Python has (GPL-Like with very few restrictions on modification, distribution and commercial use) make it very attractive to embed and distribute • On the box applications that can currently use Python scripts • Embedded Event Manager • Power On Auto Provisioning (POAP) • Create your own scripts that are like “Super commands” • Create your own command modifiers – the things that act on commands applied with a pipe “|”
  • 150.
    Python-Continued • There aretwo Python environments on the N9000 • One executed from VSH • One executed from Bash • Both run in their own forked process • The main differences comes from the environment that they get initialized into • These differences between them should be minimal • There is a sandbox that should primarily contain lower privileged users • Network-admin users get basically a “pure” 2.7.5 python environment • That sandbox mostly applies to lower privileged users, they may be prevented from doing certain things in python • Also prevents file operations on files outside of bootflash
  • 151.
    Python-Example N9K# python Python 2.7.5(default, Oct 8 2013, 23:59:43) [GCC 4.6.3] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> N9K# run bash python Python 2.7.5 (default, Oct 8 2013, 23:59:43) [GCC 4.6.3] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> switch between VSH and the Interpreter (Bash 1) switching between VSH and Python
  • 152.
  • 153.
    Why Patching? Begin CodeTest & Qualification Cycle Target Deployment Bug Found, Diagnose, Root Cause Defect Resolved, integrated into Maint. Maint. Released Restart Qual Cycle Actual Deployment 6 Months 10 Months Many customers spend extensive time and effort to test and qualify software prior to deployment. In today’s environments, if a defect is found, effectively root-caused, and integrated, since it is rolled out through a maintenance release, customers would need to restart their qualification cycle, wasting time, and pushing out deployment dates…
  • 154.
    NX-OS Image Patching BeginCode Test & Qualification Cycle Target Deployment Bug Found, Diagnose, Root Cause Defect Resolved, Patch Released Continue Qual With additional tests Actual Deployment 6 Months 7 Months The Nexus9000 Standalone platforms introduces new patching capabilities that allows specific defects to be rolled out in an independent package that can be applied to existing base software binaries. This will help reduce customer code certification times, leading to greater customer satisfaction.
  • 155.
    Patching Overview • NXOSplatforms release major versions when introducing new features and engineering special builds to provide bug fixes. • The new goal will be to allow customers to deploy patches for specific fixes only without affecting the data plane of the device. • The patching architecture comes from IOS XR (SMU – Software Maintenance Upgrade) used to deliver Quick, Effective and Focused patches for specific sections of code. • Both binaries and libraries can be patched. • Supervisors and Line Card services can be patched. • Software patching will leverage process restart/reload or ISSU
  • 156.
    Patch Uninstall Workflow- Detailed • User invokes “install deactivate <patch_name>” • System manager gracefully shuts down each impacted process • Softlinks are changed from active SMU to one in backup folder (if present). • Relevant SMU is removed from the /var/installer/activated/SMU directory. • System Manager triggers restart of impacted processes • (Optional) “install remove” deletes the patch from the local repository
  • 157.
    CLI Commands –Patch Install Command Syntax Function Notes Install add install add <uri> [activate] Download patch from URI and add patch to repository. Only one patch can be added at a time. Optionally can activate patch in this step. Install remove install remove [<package> | inactive] User can remove only non- activated patches Confirmation y/n will be prompted Install activate install activate <package> [test] Installs a patch from the local repository. If not present, an error will be returned. Only one patch can be activated at a time. No show commands permitted during operation. Install deactivate install deactivate <package> Uninstall patch and move it to non- activated repository Only one patch can be deactivated at a time. **Patches must have no other patch dependencies Install commit install commit Preserves all activated patches across reloads. Activated patches are committed to a list kept in the patch repository
  • 158.
    CLI Commands –Show Commands Command Function Sample show install request Shows current install operation along with time stamp, package name, initiating user and % complete. Fri May 10 09:06:55.921 UTC Install operation 13 '(admin) ‘install activate n9000-dk.6.0.2.U1.1.CSCuf08219.bin’ Started by user 'cisco' via CLI at 09:06:48 UTC Fri May 10 2013 The operation is 10% complete show install log [id | detail | from | last | reverse] Shows user information on previous installation operations. Optional [detail] command for verbose information. Install operation 1 by user ‘admin’ at Tue Sep 28 01:37:02 2004: install commit Operation completed successfully Install operation 2 by user ‘admin’ at Mon Oct 18 17:26:36 2004: install add tftp://10.52.241.252/bcarter/n3000-uk9.6.0.2.U1.1.CSCuf08219.bin Operation completed successfully Install operation 7 by user ‘lab’ at Mon Oct 18 17:31:13 2004: install activate n3000-uk9.6.0.2.U1.1.CSCuf08219’ Operation failed because service failed to come up. show install active [on- reload] Displays boot images and active or committed patches switch# show install active Boot Images: Kickstart Image: bootflash:/n9000-dk.6.1.234.gbin System Image: package:/isanboot/bin/images/sys Active Packages: n9000-dk.6.1.1.CSCui56298.bin
  • 159.
    CLI Commands –Show Commands (Cont’d) Command Function Sample show install inactive [on- reload] Shows patches in the repository not yet activated switch# show install inactive Boot Images: Image: bootflash:/inseor.6.1.1.234.gbin System Image: package:/isanboot/bin/images/sys Inactive Packages: switch# show install pkg-info <package> Shows details of a specific patch. Requires that patch has been added using ‘install add’ first. switch# show install pkg-info n9000-dk.6.1.1.CSCui56298.bin Contents of Package file 'n9000-dk.6.1.1.CSCui56298.bin': Expiry date : Jan 19, 2015 02:55:56 UTC Uncompressed size : 17892613 Vendor : Cisco Systems Desc : Bug Fix for CDET: CSCui56298 Build : Built on Wed May 10 08:04:58 UTC 2013 Source : By n9k-infra-bld Platform: Nexus-9000. Supersedes: n9000-uk9.6.1.1.U1.1.CSCuf09119, n9000-uk9.6.1.1.U1.1.CSCuf02229 Pre-requisite: n9000-uk9.6.1.1.U1.1.CSCuf09219 Restart information: BGP process restart.
  • 160.
    Sample Patch Install– Copy Patch to Switch N9K# copy scp://sdn@172.18.217.42/home/sdn/n9k/inseor_CSCuxP1fix.6.1.2.I1.2.CSCab00001.gbin bootflash: Enter vrf (If no input, current vrf 'default' is considered): management sdn@172.18.217.42's password: inseor_CSCuxP1fix.6.1.2.I1.2.CSCab00001.gbin 100% 233KB 232.7KB/s 00:01 Copy complete, now saving to disk (please wait)... N9508# N9508# dir | grep .gbin 238230 Jan 15 10:52:31 2014inseor_CSCuxP1fix.6.1.2.I1.2.CSCab00001.gbin N9508#
  • 161.
    Sample Patch Install– Add patch to repository & verify N9K# install add bootflash:inseor_CSCuxP1fix.6.1.2.I1.2.CSCab00001.gbin Install operation 19 completed successfully at Wed Jan 15 10:55:14 2014 N9508# N9K# show install packages ----------------------------------------------------------- inseor_CSCuxP1fix.6.1.2.I1.2.CSCab00001.gbin inactive-commit Modules Module #27: inactive-commit Module #28: inactive-commit ----------------------------------------------------------- N9K# show install inactive Inactive Packages: inseor_CSCuxP1fix.6.1.2.I1.2.CSCab00001.gbin N9K#
  • 162.
    Important Limitations • Forevery Feature please review Guidelines and Limitations • Cisco Nexus 9000 Series NX-OS Verified Scalability Guide http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6- x/scalability/guide_34/b_Cisco_Nexus_9000_Series_NX-OS_Verified_Scalability_Guide_612I34.html • Only one software image (called nx-os) is required to load the Cisco NX-OS operating system. • EPLD Upgrade are recommended but are not mandatory • User Configured MAC address for SVI- Packets will not be flooded if Layer 2 Adjacency is missing • Diagnostic-The Port Loop back and Boot up Port Loop back tests are not supported • ASIC Memory-NS test is applicable only for the N9K-X9564PX and N9K-X9564TX line cards. • Priority flow control (PFC) is supported on Cisco Nexus 9500 Series switches with the N9K- X9636PQ line card. • FEX is supported only on the Cisco Nexus 9372PX and 9396PX switches. • Cisco Nexus 9500 Series Switch can run in 8-queue mode only if all of its line cards are capable of running 8-queue mode.
  • 163.
    Participate in the“My Favorite Speaker” Contest • Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress) • Send a tweet and include • Your favorite speaker’s Twitter handle <Speaker—enter your Twitter handle here> • Two hashtags: #CLUS #MyFavoriteSpeaker • You can submit an entry for more than one of your “favorite” speakers • Don’t forget to follow @CiscoLive and @CiscoPress • View the official rules at http://bit.ly/CLUSwin Promote Your Favorite Speaker and You Could Be a Winner
  • 164.
    Complete Your OnlineSession Evaluation Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online • Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. • Complete your session surveys though the Cisco Live mobile app or your computer on Cisco Live Connect.
  • 165.
    Continue Your Education •Demos in the Cisco campus • Walk-in Self-Paced Labs • Table Topics • Meet the Engineer 1:1 meetings • Related sessions
  • 166.
  • 168.
  • 169.
    Fabric Module NFE Fabric Modulefor Nexus 9504 NFE NFE Fabric Module for Nexus 9508 NFE NFE NFE NFE Fabric Module for Nexus 9516 Chassis Type Nexus 9504 Nexus 9508 Nexus 9516 NFEs per Fabric Module 1 2 4
  • 170.
    Nexus 9500 PlatformFRU- Line Card Connect to Fabric Modules Connect to Hosts or Network NFE 1 ALE 1 12 x 42 Gbps Network Interfaces 12 x 42 Gbps 18x 40 Gbps Ethern et 18x 40Gbps NFE NFE 12 x 40 Gbps12 x 40 Gbps NFE 12 x 40 Gbps N F E Fabric 1 N F E N F E Fabric 2 N F E N F E Fabric 3 N F E N F E Fabric 4 N F E N F E Fabric 5 N F E N F E Fabric 6 N F E 1 x 42 Gbps 1 x 42 Gbps
  • 171.
    N9K-X9636PQ HG Ports HGPorts HG Ports QSPF PortsQSPF PortsQSPF Ports FP 01 FP 02 FP 03 FP 04 FP 05 FP 06 FP 07 FP 08 FP 09 FP 10 FP 11 FP 12 FP 13 FP 14 FP 15 FP 16 FP 17 FP 18 FP 19 FP 20 FP 21 FP 22 FP 23 FP 24 FP 25 FP 26 FP 27 FP 28 FP 29 FP 30 FP 31 FP 32 FP 33 FP 34 FP 35 FP 36 FM3 FM4FM2FM1 FM5 FM6 T2 Instance 0 T2 Instance 1 T2 Instance 2
  • 172.
    N9K-X9464PX HG Ports HGPorts 10G SFP+ Ports 40G QSFP FM3FM2 FM4 FM6 MUX1-2 MUX3-4 T2 FP 1 FP 2 FP 3 FP 4 FP 5 FP 6 FP 7 FP 8 FP 9 FP 10 FP 11 FP 12 FP 13 FP 14 FP 15 FP 16 FP 17 FP 18 FP 19 FP 20 FP 21 FP 22 FP 23 FP 24 FP 25 FP 26 FP 27 FP 28 FP 29 FP 30 FP 31 FP 32 FP 33 FP 34 FP 35 FP 36 FP 37 FP 38 FP 39 FP 40 FP 41 FP 42 FP 43 FP 44 FP 45 FP 46 FP 47 FP 48 FP 49 FP 50 FP 51 FP 52
  • 173.
    N9K-X9464TX HG Ports HGPorts 100/1000/10000 T Ports 40G QSFP FM3FM2 FM4 FM6 MUX1-2 MUX3-4 T2 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY FP 49 FP 50 FP 51 FP 52 FP 1 FP 2 FP 3 FP 4 FP 5 FP 6 FP 7 FP 8 FP 9 FP 10 FP 11 FP 12 FP 13 FP 14 FP 15 FP 16 FP 17 FP 18 FP 19 FP 20 FP 21 FP 22 FP 23 FP 24 FP 25 FP 26 FP 27 FP 28 FP 29 FP 30 FP 31 FP 32 FP 33 FP 34 FP 35 FP 36 FP 37 FP 38 FP 39 FP 40 FP 41 FP 42 FP 43 FP 44 FP 45 FP 46 FP 47 FP 48
  • 174.
    N9K-X9432PQ QSPF PortsQSPF Ports HGPorts HG Ports FP 01 FP 02 FP 03 FP 04 FP 05 FP 06 FP 07 FP 08 FP 09 FP 10 FP 11 FP 12 FP 21 FP 22 FP 23 FP 24 FP 25 FP 26 FP 27 FP 28 FP 29 FP 30 FP 31 FP 32 FM3 FM4FM2 FM6 T2 Instance 0 T2 Instance 2 FP 13 FP 14 FP 15 FP 16 FP 17 FP 18 FP 19 FP 20
  • 175.
    N9K-X9564PQ 10G SFP+ Ports 40GQSFP HG MUX1 HG MUX3 FP 49 FP 50 FP 51 FP 52 FP 1 FP 2 FP 3 FP 4 FP 5 FP 6 FP 7 FP 8 FP 9 FP 10 FP 11 FP 12 FP 13 FP 14 FP 15 FP 16 FP 17 FP 18 FP 19 FP 20 FP 21 FP 22 FP 23 FP 24 FP 25 FP 26 FP 27 FP 28 FP 29 FP 30 FP 31 FP 32 FP 33 FP 34 FP 35 FP 36 FP 37 FP 38 FP 39 FP 40 FP 41 FP 42 FP 43 FP 44 FP 45 FP 46 FP 47 FP 48 Northstar 1 Warpcore MF Port 7-5 2-0 31-29 26-24 T2 7-5 26-24 0-2 3-5 6-8 9-11 FM4 FM3FM5FM6 FM2 FM1 HG MUX4 HG MUX2 HG MUX5 HG MUX6 MN Port 0 1 2 3 4 5 6 7 8 9 10 11 Northstar 2 MF Port 0-2 9-11 MN Port 0 1 2 3 4 5 6 7 8 9 10 11 T2 7-5 2-0 31-29 26-24
  • 176.
    N9K-X9564TX 100/1000/10000 T Ports 40GQSFP HG MUX1 HG MUX3 T2 FP 49 FP 50 FP 51 FP 52 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY 10G PHY FP 1 FP 2 FP 3 FP 4 FP 5 FP 6 FP 7 FP 8 FP 9 FP 10 FP 11 FP 12 FP 13 FP 14 FP 15 FP 16 FP 17 FP 18 FP 19 FP 20 FP 21 FP 22 FP 23 FP 24 FP 25 FP 26 FP 27 FP 28 FP 29 FP 30 FP 31 FP 32 FP 33 FP 34 FP 35 FP 36 FP 37 FP 38 FP 39 FP 40 FP 41 FP 42 FP 43 FP 44 FP 45 FP 46 FP 47 FP 48 Northstar 1 MF Port 7-5 2-0 31-29 26-24 T2 7-5 26-24 0-2 3-5 6-8 9-11 FM4 FM3FM5FM6 FM2 FM1 HG MUX4 HG MUX2 HG MUX5 HG MUX6 MN Port 0 1 2 3 4 5 6 7 8 9 10 11 Northstar 2 MF Port 0-2 9-11 MN Port 0 1 2 3 4 5 6 7 8 9 10 11
  • 177.
    Multicast L3 Forwarding •Before hardware can forward any Multicast packets, forwarding information has to propagate from Sup to the LC • Several layers are to be verified: MRIB (control-plane is created here) MFDM PI /PD (platform independent & forwarding information) • MFIB-IPFIB • IP FIB process programs hardware: FIB Table contains (*,G) and (S,G) forwarding entries and RPF information GROUP table contains forwarding and pointers replication information (pointers to MC VLAN) MC VLAN tables contain replication information (~OIF lists) Hardware (packets are forwarded here) & SDK Supervisor MRIB MF DM IP FIB IGMPPIM MSDP T2 FIB Table MC VLAN Table IPMC_GR Line Card
  • 178.
    L2/L3 Multicast PacketWalk Fabric Module Trident II Parser Network Interfaces L2/L3 Lookup & pkt rewrite 10GE 40GE EACL Egress Q Trident II Parser L2/L3 Lookup & Pkt rewrite EACL Egress Q Trident II IACL Traffic Classification & Remarking IACL Traffic Classification& Remarking Network Interfaces 10GE 40GE Lkup in Host Table & L2 Table Lookup to resolve egr. modules; Sends one copy to each egr. module; Examines ingress packet. Get packet headers for processing. Lookup for local receiving ports; replicate pkts onto those ports.L2/L3 mcast lookup; Replicate pckts to local receiving ports; Send 1 copy to fabric module;
  • 179.
    Multicast L3 Forwarding-MRIB N9K#show ip mroute 239.10.10.10 shared-tree IP Multicast Routing Table for VRF "default” (*, 239.10.10.10/32), uptime: 00:23:32, ip pim Incoming interface: Ethernet6/1, RPF nbr: 13.13.13.1 Outgoing interface list: (count: 1) Ethernet6/52, uptime: 00:22:42, pim Supervisor MRIB MF DM IP FIB PIM MSDPIGMP
  • 180.
    Multicast L3 Forwarding-mFDMPI-Supervisor N9K# show forwarding distribution multicast outgoing- interface-list l3 1 Outgoing Interface List Index: 1 Reference Count: 4 Platform Index: 0xb00001 Number of Outgoing Interfaces: 1 t6/52 N9K# show forwarding distribution ip multicast route group 239.10.10.10 source 13.13.13.14 | in 13|Index (13.13.13.14/32, 239.10.10.10/32), RPF Interface: Ethernet6/1, flags: Outgoing Interface List Index: 1 Supervisor MRIB MF DM IP FIB PIM MSDPIGMP
  • 181.
    Multicast L3 ForwardingIPFIB-Line card N9K# show forwarding ip multicast route group 239.10.10.10 source 13.13.13.14 mod 6 | inc 239|Eth (13.13.13.14/32, 239.10.10.10/32), RPF Interface: Ethernet6/1, flags: Outgoing Interface List Index: 1 Outgoing Interface List Index: 0x1 Ethernet6/52 T2 FIB Table MC VLAN Table IPMC_GR Line Card Mod 6 is N9K-X9564TX To reach Ethernet 6/52 which is on NS from front port of T2,Packets need to cross Fabric module
  • 182.
    Multicast L3 ForwardingEntries on LC –BCM Shell N9K# bcm-shell mod 6 "ipmc table show" SRC IP ADDRESS MC IP ADDRESS MC GROUP VID VRF COS HWIDX CLASS HIT 13.13.13.14 239.10.10.10 0x2000007 0 1 0 75680 1 no 0.0.0.0 239.10.10.10 0x2000007 0 1 0 86578 2 no N9K#bcm-shell module 6 "mc show group=0x2000007" Group 0x2000007 (L3) port hg0, encap id -1 -------snip------------ port hg11, encap id -1 T2 FIB Table MC VLAN Table IPMC_GR Line Card Traffic spared to Hig towards Fabric
  • 183.
    Multicast L3 ForwardingEntries on LC –BCM Shell N9K# bcm-shell mod 6 " search l3_entry_ipv4_multicast group_ip_addr=0xef0a0a0a source_ip_addr=0x0d0d0d0e” L3_ENTRY_IPV4_MULTICAST.ipipe0[75680]: SOURCE_IP_ADDR=0xd0d0d0e, GROUP_IP_ADDR=0xef0a0a0a, L3MC_INDEX=7 N9K# bcm-shell mod 6 " dum chg l3_entry_ipv4_multicast 75680” IPV4MC:EXPECTED_L3_IIF=0x112e, N9K# show system internal eltm info interface ethernet 6/1 | in LIF cr_flags = INTF LIF , LIF = 4398 (0x112e), LTL = 40959 (0x9fff) (S 0x0, P 0x0) T2 FIB Table MC VLAN Table IPMC_GR Line Card show tech-support multicast` show tech-support forwarding multicast
  • 184.
    IGM Snooping Forwarding programmingin vPC Scenario • IGMP Process Provides both Layer 3 IGMP Processing , and Layer 2 IGMP snooping functionality • Receivers use IGMP (Internet Group Management Protocol) to report their multicast group Membership to router • Layer 2 IGMP Snooping functions of IGMP process include processing snooped multicast router Packets Including IGMP reports and leaves sent by receiver • Once the group membership is learned , the Supervisor Engine informs I/O modules , which program Hardware • This will Constrain data-plane multicast packets to only those ports with multicast routeror interested receivers in HW
  • 185.
    IGMP Snooping continued… •BCM on FM are in Mode 4. This will have L2 Table size of 32K & L3 Host Table 16K • L3 Host table will be used to program (*,G) /(S,G) entry. This will will accommodate maximum of 8K entry. • MFDM sends two OIF List information to MFIB. One for LC (S,G) OIF List and other for FM ( Mac, Group) OIF List in PIM disable Vlan. • MFIB will use (S,G) OIF list to program LC and Mac Group to Program FM in 32K L2 Table. • If PIM is enable FM can accommodate 8K(VRF, S,G) and will program Hardware. • Address aliasing is possible because on FM we use L2 table to program Mac Group information
  • 186.
    IGMP Snooping (Cont’d) •With vPC IGMP will have knowledge of multi chassis Ether Channel trunk (MCT) interface. • When one of the vPC peer receives IGMP join , it will sync up this with peer over MCT link using cFS-Cisco Fabric Services over Ethernet . • Duplication of traffic crossing MCT is avoided using Port block Mask • VPC Support PIM-SM Only • For source in VPC domain – dual Forwarders are used • For Source in Layer 3 Cloud , Unicast best metric determines active forwarder • VPC Operational Primary in case of tie. CFS used to negotiate active Forwarder role
  • 187.
    Configuration-IGMP Snooping enableby default Nexus9508-13# sh ip igm snooping vlan 103 IGMP Snooping information for vlan 103 IGMP snooping enabled Lookup mode: IP Optimised Multicast Flood (OMF) enabled IGMP querier present, address: 10.10.103.5, version: 2, i/f Po30 Nexus9508-13# sh ip igm snooping vlan 100 IGMP Snooping information for vlan 100 IGMP snooping enabled Lookup mode: IP Optimised Multicast Flood (OMF) enabled IGMP querier present, address: 192.168.100.2, version: 2, i/f Vlan100 Querier interval: 125 secs Querier last member query interval: 1 secs
  • 188.
    Reference Topology forTroubleshooting N35K Eth 1/17,Eth 1/19 , Eth 1/33-34 N9508-12 N9508-13 N93k vPC 35vPC30 vPC Keep Alive vPC Peer Link PO-10 Ixia 10/2-Source Ixia 10/1-Receiver Eth1/3/1-4 Eth 6/9/1-4 Eth 1/48 Eth1/48 Eth 3/1-2 Eth 3/1-2 Eth 1/17-18 ,Eth 1/33-34
  • 189.
    IGMP Snooping Troubleshooting •Stream will enter one of the VPC-Peer , Which will get forwarded across Peer link to other VPC Peer • Both boxes will have (S ,G) • Upon Creation of (S,G) , VPC Peers negotiate best metric • Both realize source is VPC-Connected • Install Entry as Win-Force • If either peer gets a PIM/IGMP Join for the given source , they both add Interface to OIF Nexus9508-12(config)# sh ip pim internal vpc rpf-source PIM vPC RPF-Source Cache for Context "default" - Chassis Role Primary Source: 192.168.100.10 Pref/Metric: 0/0 Source role: primary Forwarding state: Win-force (forwarding) MRIB Forwarding state: forwarding Nexus9508-13# sh ip pim internal vpc rpf-source PIM vPC RPF-Source Cache for Context "default" - Chassis Role Secondary Source: 192.168.100.10 Pref/Metric: 0/0 Source role: secondary Forwarding state: Win-force (forwarding) MRIB Forwarding state: forwarding
  • 190.
    • IGMP Joinfrom one of the receiver enter one of the VPC Pee. • This Peer encapsulates IGMP in CFS , sends to other Peer • Both Peer have identical State • Both Peer install OIF • Data traffic flows down to Receiver, also forwarded to other Peer on Peer Link • Other Peer drop the packet either by PORT BLOCK MASK blocking or no OIF Nexus9508-ESC-12# sh ip mroute 239.10.10.10 192.168.100.10 IP Multicast Routing Table for VRF "default" (192.168.100.10/32, 239.10.10.10/32), uptime: 01:00:09, ip pim mrib Incoming interface: Vlan100, RPF nbr: 192.168.100.10, uptime: 01:00:09, internal Outgoing interface list: (count: 1) Vlan101, uptime: 00:59:40, mrib Nexus9508-ESC-12# Nexus9508-ESC-13# sh ip mroute 239.10.10.10 192.168.100.10 IP Multicast Routing Table for VRF "default" (192.168.100.10/32, 239.10.10.10/32), uptime: 04:25:36, ip pim mrib Incoming interface: Vlan100, RPF nbr: 192.168.100.10, uptime: 04:25:36 Outgoing interface list: (count: 1) Vlan101, uptime: 02:04:41, mrib Nexus9508-ESC-13# vPC Peer receiving Join
  • 191.
    Step to verifyPI On Supervisor. Verify on Both Peers Nexus9508-ESC-12# sh ip igmp groups 239.10.10.10 IGMP Connected Group Membership for VRF "default" - matching Group "239.10.10.10" Type: S - Static, D - Dynamic, L - Local, T - SSM Translated Group Address Type Interface Uptime Expires Last Reporter 239.10.10.10 D Vlan101 00:01:23 00:02:56 192.168.101.13 Nexus9508-ESC-12# Nexus9508-ESC-13# sh ip igmp groups 239.10.10.10 IGMP Connected Group Membership for VRF "default" - matching Group "239.10.10.1 0" Type: S - Static, D - Dynamic, L - Local, T - SSM Translated Group Address Type Interface Uptime Expires Last Reporter 239.10.10.10 D Vlan101 00:01:18 00:03:01 192.168.101.13 Nexus9508-ESC-13#
  • 192.
    CFS Provide info Nexus9508-ESC-12#sh ip igmp snooping groups vlan 101 detail IGMP Snooping group membership for vlan 101 Group addr: 239.10.10.10 Group ver: v2 [old-host-timer: not running] Last reporter: 192.168.101.10 IGMPv2 member ports: IGMPv1/v2 memb ports: Po35 [1 GQ missed], cfs:false, native:true vPC grp peer-link flag: exclude M2RIB vPC grp peer-link flag: exclude Nexus9508-ESC-12# Nexus9508-ESC-13# sh ip igm snooping groups vlan 101 det IGMP Snooping group membership for vlan 101 Group addr: 239.10.10.10 Group ver: v2 [old-host-timer: not running] Last reporter: 192.168.101.10 IGMPv2 member ports: IGMPv1/v2 memb ports: Po35 [0 GQ missed], cfs:true, native:false vPC grp peer-link flag: exclude M2RIB vPC grp peer-link flag: exclude Nexus9508-ESC-13#
  • 193.
    Verifying Multicast forwardingDistribution Module Platform Independent On Supervisor Nexus9508-ESC-12# sh forwarding distribution multicast route group 239.10.10.10 source 192.168.100.10 (192.168.100.10/32, 239.10.10.10/32), RPF Interface: Vlan100, flags: Received Packets: 1073 Bytes: 36977 Number of Outgoing Interfaces: 2 Outgoing Interface List Index: 10 Vlan100 ( Mem L2 Ports: port-channel10 ) Vlan101 ( Mem L2 Ports: port-channel35 ) Note: On shutting down local vpc only, igmp does not send update to mfdm/ipfib to update the mroute state. That is why you did not see mfdm/ipfib removing local vpc. So if local leg of vPC is down we will still PC in the above output. Not showing PC 10 for Vlan 101 because of exclude flag seen while checking igmp snooping stats.
  • 194.
    Verifying Multicast forwardingDistribution Module Platform Independent On Supervisor-(Cont’d) Nexus9508-12# sh forwarding multicast route group 239.10.10.10 source 192.168.100.10 mod 1 (192.168.100.10/32, 239.10.10.10/32), RPF Interface: Vlan100, flags: Received Packets: 1111 Bytes: 72215 Outgoing Interface List Index: 9 Number of next hops: 2 Outgoing Interface List Index: 9 Vlan: 101 port-channel35 bridged Vlan port-channel10 Hardware Outgoing Interface List Index: 33554443
  • 195.
    Verifying Multicast forwardingDistribution Module Platform Independent On Supervisor-IGMP-Snooping Nexus9508-12# sh forwarding distribution ip igmp snooping vlan 101 group 239.10.10.10 det Vlan: 101, Group: 239.10.10.10, Source: 0.0.0.0 Outgoing Interface List Index: 4 Reference Count: 1 Platform Index: 0xa00004 Vpc peer link exclude flag set Number of Outgoing Interfaces: 2 port-channel10 port-channel35 Nexus9508-13# sh forwarding distribution ip igmp snooping vlan 101 group 239.10.10.10 det Vlan: 101, Group: 239.10.10.10, Source: 0.0.0.0 Outgoing Interface List Index: 5 Reference Count: 1 Platform Index: 0xa00005 Vpc peer link exclude flag set Number of Outgoing Interfaces: 2 port-channel10 port-channel35
  • 196.
    Verifying Multicast ForwardingDistribution Module Platform Independent On Supervisor-Snooping Group. Nexus9508-12# sh forwarding distribution l2 multicast mac-based vlan 101 Vlan: 101, Group: 0100.5e0a.0a0a, Source: 0000.0000.0000 Outgoing Interface List Index: 3 Reference Count: 1 Platform Index: 0xa00003 Vpc peer link exclude flag set Number of Outgoing Interfaces: 2 port-channel10 port-channel35 Nexus9508-13# sh forwarding distribution l2 multicast mac-based vlan 101 Vlan: 101, Group: 0100.5e0a.0a0a, Source: 0000.0000.0000 Outgoing Interface List Index: 8 Reference Count: 1 Platform Index: 0xa00008 Vpc peer link exclude flag set Number of Outgoing Interfaces: 2 port-channel10 port-channel35
  • 197.
    IPFIB on LCfor IGMP Snooping programming. Nexus9508--12# sh forwarding multicast route group 239.10.10.10 source 192.168.100.10 mod 1 (192.168.100.10/32, 239.10.10.10/32), RPF Interface: Vlan100, flags: Received Packets: 5708 Bytes: 371020 Outgoing Interface List Index: 5 Number of next hops: 2 Outgoing Interface List Index: 5 port-channel30 (Vlan: 101) port-channel10 (bridged) Hardware Outgoing Interface List Index: 33554441 Nexus9508-13# sh forwarding multicast route group 239.10.10.10 source 192.168.100.10 mod 6 (192.168.100.10/32, 239.10.10.10/32), RPF Interface: Vlan100, flags: Received Packets: 6798 Bytes: 441870 Outgoing Interface List Index: 19 Number of next hops: 2 Outgoing Interface List Index: 19 port-channel30 (Vlan: 101) port-channel10 (bridged) Hardware Outgoing Interface List Index: 33554437
  • 198.
    Nexus9508--12# bcm-shell mod1 "mc show group=33554441" Executing mc show group=33554441 on bcm shell on module 1 Group 0x2000009 (L3) port hg0, encap id 400005 port hg1, encap id 400005 port xe10, encap id 21 port xe11, encap id 21 Verifying Hardware Programming Nexus9508-12# bcm-shell mod 3 "mc show group=33554441" Executing mc show group=33554441 on bcm shell on module 3 Group 0x2000009 (L3) port hg0, encap id 400005 port xe0, encap id -1 port xe1, encap id -1 Nexus9508-12# sh system internal eltm info interface vlan 101 | in LIF cr_flags = INTF VLAN , LIF = 21 (0x15), LTL = -1 (0xffffffff) (S 0x0, P 0x0) Nexus9508-ESC-12# If we see encap id a positive # then it is LIF If we see encap id = -1 then it is L2 bridge copy.
  • 199.
    Nexus9508-12# bcm-shell module1 "l2 show" | in MCast mac=01:00:5e:0a:0a:0a vlan=101 GPORT=0x0 modid=0 port=0 Static Hit MCast=33554435 mac=01:00:5e:0a:0a:14 vlan=100 GPORT=0x0 modid=0 port=0 Static MCast=33554435 Nexus9508-12# sh ip igmp gr vlan 100 From BCM to check what is HW index for given Group • Static entry of Mcast group • Hit Bit indicate flow is present • Mcast Index is where the traffic need to bridge show tech-support ip igmp snooping show tech-support ip multicast