Судьба пакета. Cisco IOS XE


    Диагностику многих проблем на маршрутизаторе Cisco с операционной системой IOS XE можно начать с Packet Trace. Это трассировка обработки пакета внутри маршрутизатора, появившаяся не так давно. Ранее такой функционала был доступен только на межсетевых экранах ASA. Кто использовал packet-tracer на ASA, согласится – очень удобный инструмент. Теперь его аналог появился и на современных маршрутизаторах (ISR 4000, ASR, CSR).

    Заметку я построю на живых примерах. Так проще получить представление о IOS-XE Packet Trace. Детали всегда можно найти на сайте вендора. Жаль, что там пока не много информации на этот счёт. По ходу нашего погружения вы поймёте, о чём я.

    В качестве подопытного имеем маршрутизатор ISR 4000 (про специфику работы ISR 4000 и IOS XE я уже писал на Хабре). На нём настроен ряд технологий: статическая маршрутизация, PfR, PBR, трансляция адресов (NAT), межсетевой экран ZFW, ACL на интерфейсах, Flexible NetFlow, NBAR2, IPSec, GRE, VTI и прочее. Всё это сделает трассировку более насыщенной и приближённой к реальной эксплуатации.

    Есть множество технологий и у каждой свой метод отладки. Чтобы не тратить время и сразу определить, где искать причину проблемы, как раз и пригодится Packet Trace.

    Наблюдать будем за ICMP пакетом (echo request), отправленным с адреса 192.168.20.8 на 8.8.8.8.

    Активация трассировки состоит из двух частей. Для начала запускаем условный отладчик (conditional debug). Именно в нём мы указываем, какие пакеты нас интересуют. В нашем случае это трафик, описываемый ACL 199 и поступающий на маршрутизатор через интерфейс GigabitEthernet0/0/0:

    access-list 199 permit icmp host 192.168.20.8 host 8.8.8.8
    debug platform condition interf GigabitEthernet0/0/0 ipv4 access-list 199 ingress
    debug platform condition start

    Условный отладчик используется не только для работы packet trace. Этот инструмент позволяет эффективно фильтровать лог-сообщения и сообщения отладчика (debug) на этапе их генерации. Мы можем задать условия и видеть записи, касающиеся только того, что нам нужно.

    Далее включаем непосредственно packet trace. Указываем буфер и глубину трассировки. Минимально – 16 пакетов. Глубина: базовая (path-trace) или расширенная (fia-trace). В случае расширенной мы получим детальный вывод работы всех функций внутри процесса QFP. Именно он отвечает за передачу пакетов (datapath).

    debug platform packet-trace packet 16 fia-trace
    debug platform packet-trace enable

    По сравнению с ASA packet-tracer синтаксис, конечно, не такой удобный.

    ASA packet-tracer может сам генерировать пакеты для дальнейшей трассировки. IOS-XE Packet Trace этого делать не умеет. Для его работы, необходимо, чтобы пакет откуда-нибудь пришёл.
    Команды для чистки хвостов. Пригодятся, когда со всем закончим.

    no debug platform packet-trace enable
    clear platform packet-trace statistics
    clear platform condition all

    Всё настроено. Запускаем пинг, чтобы нужный нам пакет прошёл через маршрутизатор.
    Смотрим общий вывод по пакетам, попавшим в packet trace.

    cbs-4000#show platform packet-trace summary
    Pkt   Input             Output            State  Reason
    0     Gi0/0/0           Gi0/0/1.5         FWD 

    Он у нас один. Пришёл через интерфейс Gi0/0/0 и был передан дальше (состояние FWD) через Gi0/0/1.5.

    Смотрим трассировку его обработки
    cbs-4000#show platform packet-trace packet 0
    Packet: 0           CBUG ID: 8
    Summary
      Input     : GigabitEthernet0/0/0
      Output    : GigabitEthernet0/0/1.5
      State     : FWD 
      Timestamp
        Start   : 6495209991683323 ns (02/18/2017 11:59:43.176192 UTC)
        Stop    : 6495209991814307 ns (02/18/2017 11:59:43.176323 UTC)
    Path Trace
      Feature: IPV4                                             <=================
        Input       : GigabitEthernet0/0/0                      <=================
        Output      : GigabitEthernet0/0/0                      <=================
        Source      : 192.168.20.8                              <=================
        Destination : 8.8.8.8                                   <=================
        Protocol    : 1 (ICMP)                                  <=================
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x8112bfbc - DEBUG_COND_INPUT_PKT
        Lapsed time : 4960 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
        Lapsed time : 5280 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
        Lapsed time : 1600 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4a140 - IPV4_INPUT_ACL
        Lapsed time : 40160 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
        Lapsed time : 960 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
        Lapsed time : 1440 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x0000008c
        input vrf_idx         : 0
        calling feature       : STILE
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 236
        cft_bucket_number     : 566799
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8                  <=================
        tuple.dst_ip          : 8.8.8.8                       <=================
        tuple.src_port        : 61609                         <=================
        tuple.dst_port        : 161                           <=================
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP                          <=================
        tuple.l3_protocol     : IPV4                          <=================
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 236
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: NBAR
        Packet number in flow: N/A
        Classification state: Final
        Classification name: ping
        Classification ID: [CANA-L7:479]
        Number of matched sub-classifications: 0
        Number of extracted fields: 0
        Is PA (split) packet: False
        TPH-MQC bitmask value: 0x0
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
        Lapsed time : 226240 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
        Lapsed time : 66880 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d59618 - IPV4_INPUT_FME_PROCESS
        Lapsed time : 2560 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x00000084
        input vrf_idx         : 0
        calling feature       : FNF
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 236
        cft_bucket_number     : 566799
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 61609
        tuple.dst_port        : 161
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 236
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
        Lapsed time : 21120 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
        Lapsed time : 119520 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e8c - IPV4_INPUT_VFR
        Lapsed time : 1280 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
        Lapsed time : 3840 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x00000080
        input vrf_idx         : 0
        calling feature       : CENT
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 236
        cft_bucket_number     : 566799
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 61609
        tuple.dst_port        : 161
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 236
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
        Lapsed time : 40640 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d7ff70 - IPV4_INPUT_PBR              <=================
        Lapsed time : 34720 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS   <=================     
        Lapsed time : 2560 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0                     <=================
        Output      : GigabitEthernet0/0/1.5                   <=================
        Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS   <=================
        Lapsed time : 4160 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL
        Lapsed time : 1280 ns
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d6d974 - IPV4_INPUT_FNF_FINAL
        Lapsed time : 218880 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE
        Lapsed time : 2560 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS
        Lapsed time : 1120 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE
        Lapsed time : 4480 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131e98 - IPV4_OUTPUT_VFR
        Lapsed time : 1920 ns
      Feature: ZBFW                                            <=================
        Action  : Fwd                                          <=================
        Zone-pair name  : in-out1                              <=================
        Class-map name  : CM-FW_in-out                         <=================
        Input interface : GigabitEthernet0/0/0                 <=================
        Egress interface: GigabitEthernet0/0/1.5               <=================
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d70b28 - IPV4_OUTPUT_INSPECT
        Lapsed time : 721760 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE
        Lapsed time : 3680 ns
      Feature: NAT                                             <=================
        Direction   : IN to OUT                                <=================
        Action      : Translate Source                         <=================
        Old Address : 192.168.20.8  00001                      <=================
        New Address : 87.87.87.87 00033                        <=================
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA
        Lapsed time : 54880 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE
        Lapsed time : 1600 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131e9c - IPV4_VFR_REFRAG
        Lapsed time : 960 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x0000008c
        input vrf_idx         : 0
        calling feature       : STILE
        direction             : Output
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 238
        cft_bucket_number     : 566799
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 87.87.87.87
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 61609
        tuple.dst_port        : 161
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 238
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: NBAR
        Packet number in flow: N/A
        Classification state: Final
        Classification name: ping
        Classification ID: [CANA-L7:479]
        Number of matched sub-classifications: 0
        Number of extracted fields: 0
        Is PA (split) packet: False
        TPH-MQC bitmask value: 0x0
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT
        Lapsed time : 137600 ns
      Feature: IPSec                                            <=================
        Result    : IPSEC_RESULT_DENY                           <=================
        Action    : SEND_CLEAR                                  <=================
        SA Handle : 0    
        Peer Addr : 8.8.8.8                                     <=================
        Local Addr: 87.87.87.87                                 <=================
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY
        Lapsed time : 50560 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE
        Lapsed time : 7040 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE
        Lapsed time : 7040 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131e74 - IPV4_OUTPUT_SRC_LOOKUP_CONSUME
        Lapsed time : 1120 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131ec4 - IPV4_OUTPUT_FRAG
        Lapsed time : 960 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY
        Lapsed time : 13600 ns
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d6d914 - IPV4_OUTPUT_FNF_FINAL
        Lapsed time : 112800 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT
        Lapsed time : 41440 ns

    Объём трассировки напрямую зависит от настроенных функций. Если бы у нас была только маршрутизация, данных было бы существенно меньше.

    Часть названий понятна. Но присутствуют этапы, декодировать которые достаточно непросто. Документация вендора пока в этом плане не сильно помогает.

    Выделим наиболее интересные моменты

    1. Информация, идентифицирующая наш поток (flow) данных:

    Feature: CFT
        …
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 61609
        tuple.dst_port        : 161
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
    

    Данные хранят в таблице CFT (Common Flow Table). Их используют технологии, которые оперируют в своей работе информацией о каждом потоке (Netflow, NBAR, PfR и пр.). Таблица CFT необходима, чтобы не хранить избыточную информацию.

    2. Определение исходящего интерфейса:

    Когда пакет только попал на маршрутизатор, исходящий интерфейс не определён. Подставляется входящий:

    
    Feature: IPV4
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Source      : 192.168.20.8
        Destination : 8.8.8.8
        Protocol    : 1 (ICMP)

    После того как определено, куда дальше слать пакет (выполнена функция маршрутизации), исходящий интерфейс меняется:

      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
        Lapsed time : 4160 ns

    3. Данные об обработке пакета межсетевым экраном ZFW:

      Feature: ZBFW
        Action  : Fwd
        Zone-pair name  : in-out1
        Class-map name  : CM-FW_in-out
        Input interface : GigabitEthernet0/0/0
        Egress interface: GigabitEthernet0/0/1.5

    Мы сразу видим, между какими зонами проходил пакет, и в какой класс он попал. Это достаточно удобно, так как конфигурация ZFW зачастую очень запутана.

    4. Информация о трансляции адресов:

      Feature: NAT
        Direction   : IN to OUT
        Action      : Translate Source
        Old Address : 192.168.20.8  00001
        New Address : 87.87.87.87 00033

    Адрес назначения в пакете был заменён на 87.87.87.87.

    5. Так как на нашем маршрутизаторе настроен IPSec, будет отмечено, попал ли в него пакет:

      Feature: IPSec
        Result    : IPSEC_RESULT_DENY
        Action    : SEND_CLEAR
        SA Handle : 0
        Peer Addr : 8.8.8.8
        Local Addr: 87.87.87.87

    Нет, не попал.

    В трейсах представлено достаточно много дополнительной информации. Например, IPV4_INPUT_PBR сигнализирует о том, что пакет прошёл через PBR. Но информации, был ли применен PBR или пакет передан на обработку стандартным правилам маршрутизации, в этом разделе мы не найдём. В нашем случае пакет не попал под правила PBR. Запись IPV4_INPUT_TCP_ADJUST_MSS говорит о том, что на интерфейсе настроена команда ip tcp adjust-mss. При этом, как и в предыдущем примере, никаких деталей мы не получаем.

    Большая часть информации, выводимой устройством, не представляет интереса. Однако ситуация будет меняться, когда с пакетом что-то пойдёт не так.

    Ситуация №1. Пакет отброшен ACL на входном интерфейсе

    cbs-4000#show platform packet-trace summary
    Pkt   Input             Output            State  Reason
    0     Gi0/0/0           Gi0/0/0           DROP   8   (Ipv4Acl)

    Пакет был отброшен (DROP), так как сработал ACL (Ipv4Acl).

    Трассировка обработки пакета
    cbs-4000#show platform packet-trace packet 0
    Packet: 0           CBUG ID: 35
    Summary
      Input     : GigabitEthernet0/0/0
      Output    : GigabitEthernet0/0/0
      State     : DROP 8   (Ipv4Acl)
      Timestamp
        Start   : 6515970748260480 ns (02/18/2017 17:45:43.568889 UTC)
        Stop    : 6515970748313558 ns (02/18/2017 17:45:43.568942 UTC)
    Path Trace
      Feature: IPV4
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Source      : 192.168.20.8
        Destination : 8.8.8.8
        Protocol    : 1 (ICMP)
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x8112bfbc - DEBUG_COND_INPUT_PKT
        Lapsed time : 6560 ns
      Feature: FIA_TRACE                               
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
        Lapsed time : 5920 ns                              
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
        Lapsed time : 1440 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d8375c - STILE_LEGACY_DROP_EXT
        Lapsed time : 3680 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d7b554 - INGRESS_MMA_LOOKUP_DROP_EXT
        Lapsed time : 63040 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d6e0f8 - INPUT_DROP_FNF_AOR_EXT
        Lapsed time : 8320 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d6dc44 - INPUT_FNF_DROP_EXT
        Lapsed time : 324800 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d6e6c8 - INPUT_DROP_FNF_AOR_RELEASE_EXT
        Lapsed time : 8320 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81128ebc - INPUT_DROP_EXT                 <=================
        Lapsed time : 1920 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4a140 - IPV4_INPUT_ACL                 <=================
        Lapsed time : 794240 ns

    INPUT_DROP_EXT и IPV4_INPUT_ACL сообщают, что пакет был отброшен именно на входящем интерфейсе. Трейсы получились короткими, как жизнь пакета.

    Ситуация №2. Пакет отброшен ACL на исходящем интерфейсе

    cbs-4000#show platform packet-trace summary
    Pkt   Input             Output            State  Reason
    0     Gi0/0/0           Gi0/0/1.5         DROP   8   (Ipv4Acl)

    И снова пакет не был передан (DROP) из-за ACL (Ipv4Acl). Теперь, правда, в качестве исходящего интерфейса фигурирует Gi0/0/1.5.

    Трассировка обработки пакета
    cbs-4000#show platform packet-trace packet 0
    Packet: 0           CBUG ID: 33
    Summary
      Input     : GigabitEthernet0/0/0
      Output    : GigabitEthernet0/0/0
      State     : DROP 8   (Ipv4Acl)
      Timestamp
        Start   : 6515547984424423 ns (02/18/2017 17:38:40.479689 UTC)
        Stop    : 6515547984571057 ns (02/18/2017 17:38:40.479835 UTC)
    Path Trace
      Feature: IPV4
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Source      : 192.168.20.8
        Destination : 8.8.8.8
        Protocol    : 1 (ICMP)
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x8112bfbc - DEBUG_COND_INPUT_PKT
        Lapsed time : 8320 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
        Lapsed time : 4320 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
        Lapsed time : 3520 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4a140 - IPV4_INPUT_ACL
        Lapsed time : 43360 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
        Lapsed time : 960 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
        Lapsed time : 1280 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x0000008c
        input vrf_idx         : 0
        calling feature       : STILE
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 5
        cft_bucket_number     : 1591662
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 443
        tuple.dst_port        : 57521
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 5
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: NBAR
        Packet number in flow: N/A
        Classification state: Final
        Classification name: ping
        Classification ID: [CANA-L7:479]
        Number of matched sub-classifications: 0
        Number of extracted fields: 0
        Is PA (split) packet: False
        TPH-MQC bitmask value: 0x0
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
        Lapsed time : 222240 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
        Lapsed time : 67200 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d59618 - IPV4_INPUT_FME_PROCESS
        Lapsed time : 2240 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x00000084
        input vrf_idx         : 0
        calling feature       : FNF
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 5
        cft_bucket_number     : 1591662
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 443
        tuple.dst_port        : 57521
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 5
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
        Lapsed time : 22080 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
        Lapsed time : 136320 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e8c - IPV4_INPUT_VFR
        Lapsed time : 1280 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
        Lapsed time : 2560 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x00000080
        input vrf_idx         : 0
        calling feature       : CENT
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 5
        cft_bucket_number     : 1591662
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 443
        tuple.dst_port        : 57521
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 5
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
        Lapsed time : 40160 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d7ff70 - IPV4_INPUT_PBR
        Lapsed time : 39520 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS
        Lapsed time : 1120 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
        Lapsed time : 4320 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL
        Lapsed time : 1920 ns
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d6d974 - IPV4_INPUT_FNF_FINAL
        Lapsed time : 274240 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE
        Lapsed time : 2400 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS
        Lapsed time : 1120 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE
        Lapsed time : 2880 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131e98 - IPV4_OUTPUT_VFR
        Lapsed time : 1600 ns
      Feature: ZBFW
        Action  : Fwd
        Zone-pair name  : in-out1
        Class-map name  : CM-FW_in-out
        Input interface : GigabitEthernet0/0/0
        Egress interface: GigabitEthernet0/0/1.5
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d70b28 - IPV4_OUTPUT_INSPECT
        Lapsed time : 989760 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE
        Lapsed time : 2720 ns
      Feature: NAT
        Direction   : IN to OUT
        Action      : Translate Source
        Old Address : 192.168.20.8  00001
        New Address : 87.87.87.87 00036
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA
        Lapsed time : 36800 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE
        Lapsed time : 3200 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131e9c - IPV4_VFR_REFRAG
        Lapsed time : 1120 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x0000008c
        input vrf_idx         : 0
        calling feature       : STILE
        direction             : Output
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 7
        cft_bucket_number     : 1591662
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 87.87.87.87
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 443
        tuple.dst_port        : 57521
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 7
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: NBAR
        Packet number in flow: N/A
        Classification state: Final
        Classification name: ping
        Classification ID: [CANA-L7:479]
        Number of matched sub-classifications: 0
        Number of extracted fields: 0
        Is PA (split) packet: False
        TPH-MQC bitmask value: 0x0
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT
        Lapsed time : 141920 ns
      Feature: IPSec
        Result    : IPSEC_RESULT_DENY
        Action    : SEND_CLEAR
        SA Handle : 0
        Peer Addr : 8.8.8.8
        Local Addr: 87.87.87.87
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY
        Lapsed time : 46080 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE
        Lapsed time : 2560 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81128eb8 - OUTPUT_DROP_EXT                  <=================
        Lapsed time : 3360 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d4a144 - IPV4_OUTPUT_ACL                  <=================
        Lapsed time : 121760 ns

    В трейсах в самом конце мы обнаружим информацию о судьбе пакета: OUTPUT_DROP_EXT и IPV4_OUTPUT_ACL. Пакет практически вырвался из лап маршрутизатора, о чём свидетельствует прохождение большинства стадий обработки.

    Ситуация №3. Пакет отброшен межсетевым экраном

    cbs-4000#show platform packet-trace summary
    Pkt   Input             Output            State  Reason
    0     Gi0/0/0           Gi0/0/1.5         DROP   184 (FirewallPolicy)

    Пакет отброшен (DROP). Причина – политики межсетевого экрана (FirewallPolicy).

    Трассировка обработки пакета
    cbs-4000#show platform packet-trace packet 0
    Packet: 0           CBUG ID: 36
    Summary
      Input     : GigabitEthernet0/0/0
      Output    : GigabitEthernet0/0/1.5
      State     : DROP 184 (FirewallPolicy)
      Timestamp
        Start   : 6516783739710881 ns (02/18/2017 17:59:16.560339 UTC)
        Stop    : 6516783739809427 ns (02/18/2017 17:59:16.560438 UTC)
    Path Trace
      Feature: IPV4
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Source      : 192.168.20.8
        Destination : 8.8.8.8
        Protocol    : 1 (ICMP)
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x8112bfbc - DEBUG_COND_INPUT_PKT
        Lapsed time : 8800 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
        Lapsed time : 5440 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
        Lapsed time : 1600 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4a140 - IPV4_INPUT_ACL
        Lapsed time : 47360 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
        Lapsed time : 960 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
        Lapsed time : 1440 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x0000008c
        input vrf_idx         : 0
        calling feature       : STILE
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 135
        cft_bucket_number     : 875224
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 56789
        tuple.dst_port        : 514
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 135
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: NBAR
        Packet number in flow: N/A
        Classification state: Final
        Classification name: ping
        Classification ID: [CANA-L7:479]
        Number of matched sub-classifications: 0
        Number of extracted fields: 0
        Is PA (split) packet: False
        TPH-MQC bitmask value: 0x0
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
        Lapsed time : 202560 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
        Lapsed time : 63360 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d59618 - IPV4_INPUT_FME_PROCESS
        Lapsed time : 4640 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x00000084
        input vrf_idx         : 0
        calling feature       : FNF
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 135
        cft_bucket_number     : 875224
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 56789
        tuple.dst_port        : 514
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 135
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
        Lapsed time : 20640 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
        Lapsed time : 127360 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e8c - IPV4_INPUT_VFR
        Lapsed time : 1440 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
        Lapsed time : 2720 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x00000080
        input vrf_idx         : 0
        calling feature       : CENT
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 135
        cft_bucket_number     : 875224
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 56789
        tuple.dst_port        : 514
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 135
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
        Lapsed time : 43840 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d7ff70 - IPV4_INPUT_PBR
        Lapsed time : 37120 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS
        Lapsed time : 1280 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
        Lapsed time : 4800 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL
        Lapsed time : 1760 ns
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d6d974 - IPV4_INPUT_FNF_FINAL
        Lapsed time : 255680 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE
        Lapsed time : 2240 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS
        Lapsed time : 960 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE
        Lapsed time : 4160 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131e98 - IPV4_OUTPUT_VFR
        Lapsed time : 1760 ns
      Feature: ZBFW                                           <=================
        Action  : Drop                                        <=================
        Reason  : ICMP policy drop:classify result            <=================                 
        Zone-pair name  : in-out1                             <=================
        Class-map name  : class-default                       <=================
        Input interface : GigabitEthernet0/0/0                <=================
        Egress interface: GigabitEthernet0/0/1.5              <=================
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81128eb8 - OUTPUT_DROP_EXT            <=================
        Lapsed time : 640 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d70b28 - IPV4_OUTPUT_INSPECT        <=================
        Lapsed time : 639200 ns

    Наличие сообщений OUTPUT_DROP_EXT и IPV4_OUTPUT_INSPECT показывает, что пакет отброшен политиками инспектирования, которое выполняется как раз МСЭ. Детали находим в информации по ZFW:

    Feature: ZBFW
        Action  : Drop
        Reason  : ICMP policy drop:classify result
        Zone-pair name  : in-out1
        Class-map name  : class-default
        Input interface : GigabitEthernet0/0/0
        Egress interface: GigabitEthernet0/0/1.5

    Reason сообщает о том, что пакет был классифицирован, как ICMP. Класс, в который попал пакет и где он был отброшен, — class-default.

    Ситуация №4. Пакет маршрутизируется правилами PBR

    cbs-4000#show platform packet-trace summary
    Pkt   Input             Output            State  Reason
    0     Gi0/0/0           Gi0/0/1.6         FWD

    Пакет передан (FWD). Теперь исходящий интерфейс Gi0/0/1.6.

    Трассировка обработки пакета
    cbs-4000#show platform packet-trace packet 0
    Packet: 0           CBUG ID: 36
    Summary
      Input     : GigabitEthernet0/0/0
      Output    : GigabitEthernet0/0/1.6
      State     : FWD 
      Timestamp
        Start   : 6517659109765260 ns (02/18/2017 18:13:51.930393 UTC)
        Stop    : 6517659109927732 ns (02/18/2017 18:13:51.930556 UTC)
    Path Trace
      Feature: IPV4
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Source      : 192.168.20.8
        Destination : 8.8.8.8
        Protocol    : 1 (ICMP)
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x8112bfbc - DEBUG_COND_INPUT_PKT
        Lapsed time : 10400 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
        Lapsed time : 5440 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
        Lapsed time : 1600 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4a140 - IPV4_INPUT_ACL
        Lapsed time : 265600 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
        Lapsed time : 1120 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
        Lapsed time : 3680 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x0000008c
        input vrf_idx         : 0
        calling feature       : STILE
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 69
        cft_bucket_number     : 2000178
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 57521
        tuple.dst_port        : 443
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 69
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: NBAR
        Packet number in flow: N/A
        Classification state: Final
        Classification name: ping
        Classification ID: [CANA-L7:479]
        Number of matched sub-classifications: 0
        Number of extracted fields: 0
        Is PA (split) packet: False
        TPH-MQC bitmask value: 0x0
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
        Lapsed time : 223360 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
        Lapsed time : 85440 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d59618 - IPV4_INPUT_FME_PROCESS
        Lapsed time : 3040 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x00000084
        input vrf_idx         : 0
        calling feature       : FNF
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 69
        cft_bucket_number     : 2000178
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 57521
        tuple.dst_port        : 443
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 69
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
        Lapsed time : 19680 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
        Lapsed time : 153600 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e8c - IPV4_INPUT_VFR
        Lapsed time : 1120 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
        Lapsed time : 2560 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x00000080
        input vrf_idx         : 0
        calling feature       : CENT
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 69
        cft_bucket_number     : 2000178
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 57521
        tuple.dst_port        : 443
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 69
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
        Lapsed time : 49600 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d7ff70 - IPV4_INPUT_PBR              <=================
        Lapsed time : 69760 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS
        Lapsed time : 1440 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0                     <=================
        Output      : GigabitEthernet0/0/1.6                   <=================
        Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
        Lapsed time : 7840 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL
        Lapsed time : 1600 ns
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x80d6d974 - IPV4_INPUT_FNF_FINAL
        Lapsed time : 280480 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE
        Lapsed time : 3840 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS
        Lapsed time : 960 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE
        Lapsed time : 3840 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x81131e98 - IPV4_OUTPUT_VFR
        Lapsed time : 5440 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x80d858a0 - IPV4_OUTPUT_TCP_ADJUST_MSS
        Lapsed time : 1280 ns
      Feature: ZBFW
        Action  : Fwd
        Zone-pair name  : in-out2
        Class-map name  : CM-FW_in-out
        Input interface : GigabitEthernet0/0/0
        Egress interface: GigabitEthernet0/0/1.6
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x80d70b28 - IPV4_OUTPUT_INSPECT
        Lapsed time : 789120 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE
        Lapsed time : 11200 ns
      Feature: NAT
        Direction   : IN to OUT
        Action      : Translate Source
        Old Address : 192.168.20.8
        New Address : 62.62.62.62
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA
        Lapsed time : 38400 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE
        Lapsed time : 4000 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x81131e9c - IPV4_VFR_REFRAG
        Lapsed time : 800 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x0000008c
        input vrf_idx         : 0
        calling feature       : STILE
        direction             : Output
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 71
        cft_bucket_number     : 2000178
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 62.62.62.62
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 57521
        tuple.dst_port        : 443
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 71
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: NBAR
        Packet number in flow: N/A
        Classification state: Final
        Classification name: ping
        Classification ID: [CANA-L7:479]
        Number of matched sub-classifications: 0
        Number of extracted fields: 0
        Is PA (split) packet: False
        TPH-MQC bitmask value: 0x0
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT
        Lapsed time : 140160 ns
      Feature: IPSec
        Result    : IPSEC_RESULT_DENY
        Action    : SEND_CLEAR
        SA Handle : 0
        Peer Addr : 8.8.8.8
        Local Addr: 62.62.62.62
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY
        Lapsed time : 66400 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE
        Lapsed time : 3840 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE
        Lapsed time : 13440 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x81131e74 - IPV4_OUTPUT_SRC_LOOKUP_CONSUME
        Lapsed time : 1120 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x81131ec4 - IPV4_OUTPUT_FRAG
        Lapsed time : 2240 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY
        Lapsed time : 18720 ns
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x80d6d914 - IPV4_OUTPUT_FNF_FINAL
        Lapsed time : 113440 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1.6
        Entry       : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT
        Lapsed time : 43680 ns

    Если мы сравним трассировку пакета при маршрутизации стандартными правилами (статическая маршрутизация) и при маршрутизации правилами PBR, мы не увидим разницы. Изменятся только исходящий интерфейс, и адрес, подставляемый в NAT’е.

    Ситуация №5. Пакет передаётся через VTI интерфейс

    В этом примере пингуем адрес 172.28.0.1.

    cbs-4000#show platform packet-trace summary
    Pkt   Input             Output            State  Reason
    0     Gi0/0/0           Gi0/0/1.5         FWD

    Пакет передан (FWD). Исходящий интерфейс Gi0/0/1.5.

    Трассировка обработки пакета
    cbs-4000#show platform packet-trace packet 0
    Packet: 0           CBUG ID: 50
    Summary
      Input     : GigabitEthernet0/0/0
      Output    : GigabitEthernet0/0/1.5
      State     : FWD 
      Timestamp
        Start   : 6665377802839987 ns (02/20/2017 11:15:48.257340 UTC)
        Stop    : 6665377803172303 ns (02/20/2017 11:15:48.257673 UTC)
    Path Trace
      Feature: IPV4
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Source      : 192.168.20.8
        Destination : 172.28.0.1
        Protocol    : 1 (ICMP)
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x8112bfbc - DEBUG_COND_INPUT_PKT
        Lapsed time : 5600 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
        Lapsed time : 4160 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
        Lapsed time : 3040 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4a140 - IPV4_INPUT_ACL
        Lapsed time : 19840 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
        Lapsed time : 960 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
        Lapsed time : 1280 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x0000008c
        input vrf_idx         : 0
        calling feature       : STILE
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 186
        cft_bucket_number     : 407373
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 172.28.0.1
        tuple.src_port        : 6603
        tuple.dst_port        : 443
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 186
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: NBAR
        Packet number in flow: N/A
        Classification state: Final
        Classification name: ping
        Classification ID: [CANA-L7:479]
        Number of matched sub-classifications: 0
        Number of extracted fields: 0
        Is PA (split) packet: False
        TPH-MQC bitmask value: 0x0
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
        Lapsed time : 296480 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
        Lapsed time : 43040 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d59618 - IPV4_INPUT_FME_PROCESS
        Lapsed time : 2560 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x00000084
        input vrf_idx         : 0
        calling feature       : FNF
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 186
        cft_bucket_number     : 407373
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 172.28.0.1
        tuple.src_port        : 6603
        tuple.dst_port        : 443
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 186
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
        Lapsed time : 20160 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
        Lapsed time : 134400 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e8c - IPV4_INPUT_VFR
        Lapsed time : 1120 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
        Lapsed time : 3840 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x00000080
        input vrf_idx         : 0
        calling feature       : CENT
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 186
        cft_bucket_number     : 407373
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 172.28.0.1
        tuple.src_port        : 6603
        tuple.dst_port        : 443
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 186
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
        Lapsed time : 45440 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d7ff70 - IPV4_INPUT_PBR
        Lapsed time : 14080 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS
        Lapsed time : 1280 ns
      Feature: FIA_TRACE             
        Input       : GigabitEthernet0/0/0                     <=================
        Output      : Tunnel1                                  <=================
        Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS   <=================
        Lapsed time : 5920 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL
        Lapsed time : 1600 ns
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: OCE_TRACE
        Type       : OCE_ADJ_IPV4
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x80d6d974 - IPV4_INPUT_FNF_FINAL
        Lapsed time : 245440 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE
        Lapsed time : 1760 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS
        Lapsed time : 960 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE
        Lapsed time : 4160 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x81131e98 - IPV4_OUTPUT_VFR
        Lapsed time : 3040 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x80d858a0 - IPV4_OUTPUT_TCP_ADJUST_MSS
        Lapsed time : 1280 ns
      Feature: ZBFW                                       <=================
        Action  : Fwd                                     <=================
        Zone-pair name  : N/A                             <=================
        Class-map name  : N/A                             <=================
        Input interface : GigabitEthernet0/0/0            <=================
        Egress interface: Tunnel1                         <=================
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x80d70b28 - IPV4_OUTPUT_INSPECT
        Lapsed time : 30080 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE
        Lapsed time : 2560 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE
        Lapsed time : 1600 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x81131e9c - IPV4_VFR_REFRAG
        Lapsed time : 800 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE
        Lapsed time : 7360 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x81131ec4 - IPV4_OUTPUT_FRAG
        Lapsed time : 640 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x80d6e1b8 - IPV4_TUNNEL_OUTPUT_FNF_AOR
        Lapsed time : 3520 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x80d6d8e4 - IPV4_TUNNEL_OUTPUT_FNF_FINAL
        Lapsed time : 1440 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x80d6e640 - IPV4_TUNNEL_OUTPUT_FNF_AOR_RELEASE
        Lapsed time : 800 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x80d86ce8 - IPV4_TUNNEL_OUTPUT_FINAL
        Lapsed time : 20640 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x80d86d30 - IPV4_OUTPUT_TUNNEL_PROTECTION_ENCRYPT <=================
        Lapsed time : 7200 ns
      Feature: IPSec                                     <=================
        Result    : IPSEC_RESULT_SA                      <=================
        Action    : ENCRYPT                              <=================
        SA Handle : 98                                   <=================
        Peer Addr : 188.188.188.188                      <=================
        Local Addr: 87.87.87.87                          <=================
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY_EXT
        Lapsed time : 44480 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x80d7641c - IPV4_OUTPUT_IPSEC_DOUBLE_ACL_EXT
        Lapsed time : 11200 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x80d763ec - IPV4_IPSEC_FEATURE_RETURN_EXT
        Lapsed time : 4960 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x8113ac50 - IPV4_OUTPUT_IPSEC_INLINE_FRAG_CHK_EXT
        Lapsed time : 7680 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x80d7635c - IPV4_OUTPUT_IPSEC_TUNNEL_RERUN_JUMP_EXT
        Lapsed time : 4480 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x80d764ac - IPV4_OUTPUT_IPSEC_POST_PROCESS_EXT
        Lapsed time : 12160 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x80d763ec - IPV4_IPSEC_FEATURE_RETURN_EXT
        Lapsed time : 1600 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x80d763ec - IPV4_IPSEC_FEATURE_RETURN_EXT
        Lapsed time : 1440 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x80d86cec - IPV4_TUNNEL_GOTO_OUTPUT
        Lapsed time : 11680 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x80d86d98 - IPV4_TUNNEL_FW_CHECK_EXT
        Lapsed time : 15040 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x81131e60 - IPV4_INPUT_DST_LOOKUP_ISSUE_EXT
        Lapsed time : 8480 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x81131eb8 - IPV4_INPUT_ARL_EXT
        Lapsed time : 5760 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x81131e6c - IPV4_INTERNAL_DST_LOOKUP_CONSUME_EXT
        Lapsed time : 2880 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : Tunnel1
        Entry       : 0x80d86dc8 - IPV4_TUNNEL_ENCAP_FOR_US_EXT
        Lapsed time : 5600 ns
      Feature: FIA_TRACE                         
        Input       : Tunnel1                                    <=================
        Output      : GigabitEthernet0/0/1.5                     <=================
        Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT <=================
        Lapsed time : 4000 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131f20 - IPV4_TUNNEL_ENCAP_GOTO_OUTPUT_FEATURE_EXT
        Lapsed time : 11520 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131e98 - IPV4_OUTPUT_VFR
        Lapsed time : 1440 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d70b28 - IPV4_OUTPUT_INSPECT
        Lapsed time : 5120 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d77188 - MC_OUTPUT_GEN_RECYCLE
        Lapsed time : 2240 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d7c390 - IPV4_NAT_OUTPUT_FIA
        Lapsed time : 6400 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE
        Lapsed time : 1440 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131e9c - IPV4_VFR_REFRAG
        Lapsed time : 800 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x0000008c
        input vrf_idx         : 0
        calling feature       : STILE
        direction             : Output
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01004104
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 186
        cft_bucket_number     : 407373
        cft_l3_payload_size   : 100
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 87.87.87.87
        tuple.dst_ip          : 188.188.188.188
        tuple.src_port        : 6603
        tuple.dst_port        : 443
        tuple.vrfid           : 0
        tuple.l4_protocol     : 50
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 186
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: NBAR
        Packet number in flow: N/A
        Classification state: Final
        Classification name: ipsec
        Classification ID: [CANA-L7:9]
        Number of matched sub-classifications: 0
        Number of extracted fields: 0
        Is PA (split) packet: False
        TPH-MQC bitmask value: 0x0
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d8359c - IPV4_OUTPUT_STILE_CLR_TXT
        Lapsed time : 138080 ns
      Feature: IPSec                                      <=================
        Result    : IPSEC_RESULT_DENY                     <=================
        Action    : SEND_CLEAR                            <=================
        SA Handle : 0
        Peer Addr : 188.188.188.188                       <=================
        Local Addr: 87.87.87.87                           <=================
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d761ac - IPV4_OUTPUT_IPSEC_CLASSIFY
        Lapsed time : 27840 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131e70 - IPV4_OUTPUT_SRC_LOOKUP_ISSUE
        Lapsed time : 2880 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81128eb0 - IPV4_OUTPUT_L2_REWRITE
        Lapsed time : 7520 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131e74 - IPV4_OUTPUT_SRC_LOOKUP_CONSUME
        Lapsed time : 960 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81131ec4 - IPV4_OUTPUT_FRAG
        Lapsed time : 16800 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x8111ea94 - L2_REWRITE_AFTER_FRAG_WITHOUT_CLIP_EXT
        Lapsed time : 11520 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY
        Lapsed time : 12000 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x80d6d914 - IPV4_OUTPUT_FNF_FINAL
        Lapsed time : 108320 ns
      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x8113bb40 - MARMOT_SPA_D_TRANSMIT_PKT
        Lapsed time : 49120 ns

    Трейсы изменились, так как маршрутизация пакета усложнилась. Сначала он передаётся на туннельный интерфейс:

    Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : Tunnel1
        Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
        Lapsed time : 5920 ns

    Далее срабатывают правила межсетевого экрана. Так как у нас входящий и туннельный интерфейсы находятся в одной зоне, проверки трафика не происходит (мы не попадаем ни в один из zone-pair):

    Feature: ZBFW
        Action  : Fwd
        Zone-pair name  : N/A
        Class-map name  : N/A
        Input interface : GigabitEthernet0/0/0
        Egress interface: Tunnel1

    После того как пакет попал в туннельный интерфейс, его необходимо зашифровать.

    IPV4_OUTPUT_TUNNEL_PROTECTION_ENCRYPT
      Feature: IPSec
        Result    : IPSEC_RESULT_SA
        Action    : ENCRYPT
        SA Handle : 98
        Peer Addr : 188.188.188.188
        Local Addr: 87.87.87.87

    Ещё раз происходит маршрутизация пакета, уже зашифрованного.

      Feature: FIA_TRACE
        Input       : Tunnel1
        Output      : GigabitEthernet0/0/1.5
        Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT
        Lapsed time : 4000 ns

    Пакет проходит через внешний интерфейс, где настроен IPSec (висит crypto-map). Хоть пакет уже зашифрован, система проверяет не попадает ли он в IPSec на исходящем интерфейсе.

    Feature: IPSec
        Result    : IPSEC_RESULT_DENY
        Action    : SEND_CLEAR
        SA Handle : 0
        Peer Addr : 188.188.188.188
        Local Addr: 87.87.87.87

    Ситуация №6. Пакет передаётся на несуществующий next-hop (или отказавший)

    cbs-4000#show platform packet-trace summary
    Pkt   Input             Output            State  Reason
    0     Gi0/0/0           internal0/0/rp:0  PUNT   10  (Incomplete adjacency)

    Статус PUNT означает, что пакет не может быть обработан CEF'ом и передаётся на обработку процессором (process switching). Причина – маршрутизатор не обнаружил нужной записи в таблице adjacency для передачи пакета на соседний next-hop (Incomplete adjacency). Что логично, так как его нет.

    Трассировка обработки пакета
    cbs-4000#show platform packet-trace packet 0
    Packet: 0           CBUG ID: 55
    Summary
      Input     : GigabitEthernet0/0/0
      Output    : internal0/0/rp:0
      State     : PUNT 10  (Incomplete adjacency)
      Timestamp
        Start   : 6668916530895154 ns (02/20/2017 12:14:46.985396 UTC)
        Stop    : 6668916530979351 ns (02/20/2017 12:14:46.985480 UTC)
    Path Trace
      Feature: IPV4
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Source      : 192.168.20.8
        Destination : 8.8.8.8
        Protocol    : 1 (ICMP)
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x8112bfbc - DEBUG_COND_INPUT_PKT
        Lapsed time : 9760 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e84 - IPV4_INPUT_SRC_LOOKUP_ISSUE
        Lapsed time : 5920 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e64 - IPV4_INPUT_DST_LOOKUP_CONSUME
        Lapsed time : 3200 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4a140 - IPV4_INPUT_ACL
        Lapsed time : 15040 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e88 - IPV4_INPUT_SRC_LOOKUP_CONSUME
        Lapsed time : 960 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e68 - IPV4_INPUT_FOR_US_MARTIAN
        Lapsed time : 1440 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x0000008c
        input vrf_idx         : 0
        calling feature       : STILE
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 74
        cft_bucket_number     : 769995
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 443
        tuple.dst_port        : 55391
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 74
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: NBAR
        Packet number in flow: N/A
        Classification state: Final
        Classification name: ping
        Classification ID: [CANA-L7:479]
        Number of matched sub-classifications: 0
        Number of extracted fields: 0
        Is PA (split) packet: False
        TPH-MQC bitmask value: 0x0
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d83558 - IPV4_INPUT_STILE_LEGACY
        Lapsed time : 252800 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d7b508 - IPV4_INGRESS_MMA_LOOKUP
        Lapsed time : 48960 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d59618 - IPV4_INPUT_FME_PROCESS
        Lapsed time : 4000 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x00000084
        input vrf_idx         : 0
        calling feature       : FNF
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 74
        cft_bucket_number     : 769995
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 8.8.8.8
        tuple.src_port        : 443
        tuple.dst_port        : 55391
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 74
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d6dc84 - IPV4_INPUT_FNF_AOR_FIRST
        Lapsed time : 20640 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d6d9d4 - IPV4_INPUT_FNF_FIRST
        Lapsed time : 127520 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x81131e8c - IPV4_INPUT_VFR
        Lapsed time : 1280 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4b660 - IPV4_INPUT_CENT_SMP_PROCESS
        Lapsed time : 2560 ns
      Feature: CFT
        API                   : cft_handle_pkt
        packet capabilities   : 0x00000080
        input vrf_idx         : 0
        calling feature       : CENT
        direction             : Input
        triplet.vrf_idx       : 0
        triplet.network_start : 0x01003f8e
        triplet.triplet_flags : 0x00000000
        triplet.counter       : 74
        cft_bucket_number     : 769995
        cft_l3_payload_size   : 40
        cft_pkt_ind_flags     : 0x00000000
        cft_pkt_ind_valid     : 0x00000931
        tuple.src_ip          : 192.168.20.8
        tuple.dst_ip          : 8.8.8.7
        tuple.src_port        : 443
        tuple.dst_port        : 55391
        tuple.vrfid           : 0
        tuple.l4_protocol     : ICMP
        tuple.l3_protocol     : IPV4
        pkt_sb_state          : 0
        pkt_sb.num_flows      : 0
        pkt_sb.tuple_epoch    : 74
        returned cft_error    : 14
        returned fid          : 0x00000000
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d4b62c - IPV4_INPUT_CENT_RC_PROCESS
        Lapsed time : 39360 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d7ff70 - IPV4_INPUT_PBR
        Lapsed time : 43680 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/0
        Entry       : 0x80d858d0 - IPV4_INPUT_TCP_ADJUST_MSS
        Lapsed time : 1120 ns
      Feature: FIA_TRACE                                          
        Input       : GigabitEthernet0/0/0                      <=================
        Output      : GigabitEthernet0/0/1                      <=================
        Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS    <=================
        Lapsed time : 135360 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0                       <=================
        Output      : internal0/0/rp:0                           <=================
        Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT <=================
        Lapsed time : 30240 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : internal0/0/rp:0
        Entry       : 0x80d6dc88 - IPV4_INPUT_FNF_AOR_FINAL_EXT
        Lapsed time : 8640 ns
      Feature: OCE_TRACE
        Type       : OCE_ADJ_PUNT
      Feature: OCE_TRACE
        Type       : OCE_ADJ_PUNT
      Feature: OCE_TRACE
        Type       : OCE_ADJ_PUNT
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : internal0/0/rp:0
        Entry       : 0x80d6d974 - IPV4_INPUT_FNF_FINAL_EXT
        Lapsed time : 277600 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : internal0/0/rp:0
        Entry       : 0x80d6dc8c - IPV4_INPUT_FNF_AOR_RELEASE_EXT
        Lapsed time : 6720 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : internal0/0/rp:0
        Entry       : 0x81131e94 - IPV4_INPUT_IPOPTIONS_PROCESS_EXT
        Lapsed time : 2560 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : internal0/0/rp:0
        Entry       : 0x8113ac44 - IPV4_INPUT_GOTO_OUTPUT_FEATURE_EXT
        Lapsed time : 11200 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : internal0/0/rp:0
        Entry       : 0x81131ef4 - IPV4_INTERNAL_ARL_SANITY_EXT
        Lapsed time : 10560 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : internal0/0/rp:0
        Entry       : 0x80d70b28 - IPV4_OUTPUT_INSPECT_EXT
        Lapsed time : 12160 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : internal0/0/rp:0
        Entry       : 0x80d85d30 - IPV4_OUTPUT_THREAT_DEFENSE_EXT
        Lapsed time : 1600 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : internal0/0/rp:0
        Entry       : 0x81131e9c - IPV4_VFR_REFRAG_EXT
        Lapsed time : 2240 ns
      Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : internal0/0/rp:0
        Entry       : 0x81133e50 - IPV4_OUTPUT_DROP_POLICY_EXT
        Lapsed time : 24320 ns
      Feature: FIA_TRACE          
        Input       : GigabitEthernet0/0/0                   <=================
        Output      : internal0/0/rp:0                       <=================
        Entry       : 0x8112ce90 - INTERNAL_TRANSMIT_PKT_EXT <=================
        Lapsed time : 137440 ns

    Для пакета определён исходящий интерфейс:

    Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : GigabitEthernet0/0/1
        Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS
        Lapsed time : 135360 ns

    Но так как в CEF нет нужных записей, он отправляется на обработку процессором (internal0/0/rp:0):

    Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : internal0/0/rp:0
        Entry       : 0x8113ac40 - IPV4_INPUT_LOOKUP_PROCESS_EXT
        Lapsed time : 30240 ns

    Запись, свидетельствующая о факте передаче пакета процессору (INTERNAL_TRANSMIT):

    Feature: FIA_TRACE
        Input       : GigabitEthernet0/0/0
        Output      : internal0/0/rp:0
        Entry       : 0x8112ce90 - INTERNAL_TRANSMIT_PKT_EXT
        Lapsed time : 137440 ns

    Packet Trace предоставляет нам данные по обработке пакета в QFP. Это значит, что как только пакет попал в распоряжение ЦПУ, наши трейсы больше не помогут. В этом случае можно попробовать использовать debug ip packet. Но с этим отладчиком нужно быть очень аккуратными.

    Заключение

    Приведенные примеры наглядно демонстрируют, что IOS XE Packet Trace во многих ситуациях позволит нам достаточно оперативно понять, где засахарилось. Дальше, владея такой информацией, можно уже более детально разбираться с проблемой, жонглируя различными вариациями команд show и debug.

    При диагностике не стоит забывать ещё об одном средстве – захвате пакетов (packet capture). На IOS XE этот функционал сделали более удобным по сравнению с обычным IOS.

    Packet capture
    Активация захвата пакетов:
    monitor capture CAP access-list 199
    monitor capture CAP interface GigabitEthernet0/0/0 in
    monitor capture CAP start
    Выключение, выгрузка дампа на внешний ПК, деактивация:
    monitor capture CAP stop
    monitor capture CAP export tftp://10.0.0.1/CAP.pcap
    no monitor capture CAP
    • +20
    • 5,3k
    • 2
    CBS 51,65
    Компания
    Поделиться публикацией
    Похожие публикации
    Комментарии 2
    • 0
      Спасибо за информацию! А возможность использовать MPA осталась?
      • +1
        Если речь про Mini Protocol Analyzer, то в IOS XE такого функционала нет. Это всё-таки специфика 6500/7600. В IOS XE любой трафик (и транзитный CEF, и обрабатываемый CP) кепчерится через EPC.

      Только полноправные пользователи могут оставлять комментарии. Войдите, пожалуйста.

      Самое читаемое