BRKCRS-2021 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public
Session Objectives
• Understand the ASR 1K and ISR 4x5y architecture
– software
– hardware
– relationship between these two
• Understand how features process packets through IOS-XE
• Understand how to easily debug the platform
– long journey
– presentation of recent serviceability enhancements
– spare memorizing – focus on understanding
– Not “tips & tricks” but debugging strategy and tools
ASR Series Hardware Architecture
Cisco ASR 1000 Series Routers: Overview
Compact, Powerful Router
• Line-rate performance 2.5G to 200G+ with services enabled
• Investment protection with modular engines, IOS CLI and SPAs for I/O
Business-Critical Resiliency
• Fully separated control and forwarding planes
• Hardware and software redundancy
• In-service software upgrades
Instant-on Services Delivery
• Integrated firewall, VPN, encryption, DPI, CUBE
• Scalable on-chip service provisioning through software licensing
• Hardware based QoS engine with up to 472K queues
(Diagram: active and standby Route Processors (CPU) and ESPs (FECP, QFP with PPE, BQS and crypto assist) joined by GE switch interconnects. Route Processor: handles control plane traffic and manages the system.)
System Architecture Control Plane
(Diagram: active/standby RP and ESP pairs (FECP/CPU, QFP, crypto assist, GE switch interconnects) and the SIPs (SPAs, IOCP, aggregation ASIC), all joined across the midplane; the EOBC switch sits in the RP.)
Ethernet Out of Band Channel (aka EOBC): 1 Gbps Ethernet bus; used by the RP to program the system and by the system to notify the RP.
Inter Integrated Circuit (I2C) bus: slow (a few kbps); used for system monitoring (temperature, OIR, fan speed, …).
System Architecture Forwarding Plane
(Diagram: the same system view with the forwarding-plane links highlighted. Link legend: Hypertransport (10 Gbps); 10 Gbps Ethernet; Embedded Service Interconnect, aka ESI bus, the 11.2 – 40 Gbps forwarding bus between SIPs and ESPs.)
RP
(Diagram: Route Processor block with its CPU, clocks and control links towards the SIPs, ESPs and miscellaneous components. Link legend: ESI 11.2-40 Gbps; SPA-SPI 11.2 Gbps; Hypertransport 10 Gbps; other.)
ESP
(Diagram: Embedded Service Processor block. Link legend: GE 1 Gbps; I2C; SPA control bus; ESI 11.2 Gbps; SPA-SPI 11.2 Gbps; Hypertransport 10 Gbps; other.)
Forwarding Engine Control Processor (FECP): manages the board and programs the QFP (BQS, PPE, crypto); runs a Linux kernel; has its own DRAM, boot flash (OBFL, …), EEPROM, reset/power control and temperature sensor.
Quantum Flow Processor (QFP) subsystem: PPE + BQS, with TCAM (10 Mbit), resource DRAM (128 MB), part-length/bandwidth SRAM and packet buffer DRAM (512 MB); packets are fed to the PPEs (PPE1 … PPE5 …) by a dispatcher.
Packet Processor Engine (PPE): overall packet forwarding.
Buffering, Queuing & Scheduling (BQS): executes complex QoS scheduling (shapers, LLQs, …); queues and schedules packets in due time.
Crypto engine (Nitrox-II CN2430) with its SA table, reached through the SPI mux.
Cisco “Quantum Flow Processor”
ESP200 Block Diagram
(Diagram: ESP200 block. Two QFP complexes, each with PPE 1 … 5 (and more), its own dispatcher, packet buffer DRAM (512 MB) and resource DRAM (2 GB); shared TCAM (80 Mbit), temperature sensor, DDRAM, crypto and links to the RPs and SIPs.)
SIP
(Diagram: SIP block with IOCP, SPA aggregation ASIC, ingress/egress buffers, boot flash (OBFL, …), JTAG control, network clock distribution, reset/power control and the SPA control bus; four SPAs per SIP. Link legend: ESI 11.2 Gbps; GE 1 Gbps; SPA-SPI 11.2 Gbps; I2C; Hypertransport 10 Gbps; other.)
IO Control Processor (IOCP, SC854x SoC): runs a Linux kernel; manages SPA OIR and drivers.
SPA Aggregation ASIC (Marmot): queues packets in and out using the ingress and egress buffers; includes the ingress classifier.
Ingress packet buffers (per port): hold packets heading to the ESP; high and low priority queues (ASR 1K only).
Egress packet buffers (per port): hold packets when a SPA backpressures (e.g. pause frames).
ISR Series Hardware Architecture
ISR 4451-X Hardware Diagram
(Diagram: ISR 4451-X. Data-plane cores PPE6 … PPE10 and service cores SVC2, SVC3 with DDR3 DRAM; 10 Gbps XAUI to the multi-gigabit Ethernet fabric (10 Gbps per SM-X slot, 2 Gb per NIM slot); system FPGA, DSP and peripheral interconnect; management Ethernet (1xSGMI), console/aux, USB and flash.)
ISR 4451-X Hardware Diagram (comments)
• 10 cores, 1 thread per core
• 5 forwarding cores by default
• 4 remaining cores license activated
• 3 services cores
• No hardware TCAM
• Inline cryptography
• No crypto assist chip
• Crypto "locks" the core
• True run-to-completion
(Diagram: same ISR 4451-X block diagram as above.)
ISR 44xx System Layout (2RU Platform)
(Diagram: ISR 44xx 2RU layout, 4431 & 4451. Dataplane DIMM (left) and control-plane DIMMs (2x right); 6- or 10-core CPU: dataplane cores plus 4 cores for the control and services plane; compact flash; multi-gigabit Ethernet fabric; one SW-NIM or dual HDD; one slot configurable at the factory only; integrated services card (e.g. DSP).)
The ISR 43xx Series
4351 Hardware Diagram (aka Utah)
(Diagram: Rangeley CPU with PPE1 … PPE8, one core acting as RP hosting IOSd; DRAM; system glue logic FPGA; GE switch to three front-panel Ethernet ports; console, aux and USB; management Ethernet; SPI flash, eMMC, mSATA (MO-300) and USB-to-SD; I2C to the modules; 2 NIM slots and 2 NGSM slots.)
• 8 cores @ 2.4 GHz, 1 thread per core
  – 1 core for RP/IOSd
  – 1 core acting for crypto & QoS
  – 4 cores @ 1 thread/core for features
  – 2 service cores
• 4331 and 4321 are similar, just fewer cores and expansion slots
Software Architecture
ASR1K Software Architecture
(Diagram, built up over four slides: the RP CPU runs IOS, the Chassis Manager and a Linux kernel; the ESP's FECP programs the QFP, whose PPEs, BQS and crypto assist run microcode (µ); the SIP's IOCP runs the SPA drivers and a Chassis Manager on a Linux kernel. Links: EOBC (1 Gbps) and I2C between the RP and the ESP/SIP, ESI (10-40 Gbps) between ESP and SIP.)
Chassis Manager (CM)
• CM on the RP communicates with the CM processes on the ESP and SIP
  – distributed function
• Initializes hardware and boots other processes
  – CM on the SIP queries the SPA type and loads the SPA drivers
• Manages hardware components
  – manages EOBC on the RP
  – manages ESI links on RP/ESP/SIP
• Monitors environmental variables and alarms
• Selects active/standby RP or ESP
  – coordinates switchover in case of failure or operator command
(Diagram: RP with IOS, Chassis Manager, Forwarding Manager and Linux kernel; ESP FECP with Chassis Manager, Forwarding Manager, drivers and Linux kernel; SIP IOCP with SPA drivers, Chassis Manager and Linux kernel; EOBC (1 Gbps), I2C and ESI (10-40 Gbps) links.)
Forwarding Manager (FMAN)
• FMAN on the RP (FMAN-RP) communicates with the FMAN process on the ESP
  – distributed function
  – … back to FMAN-RP
  – … both active & standby ESPs
  – facilitates NSF after re-start with bulk download of state information
(Diagram: same software view, with FMAN-RP on the RP and the Forwarding Manager on the ESP highlighted.)
PPE Microcode
• Written in C
  – proper features, no hack
• Processes packets
  – run to completion
  – TCAM, DRAM, … various speeds
• Features applied via FIA
  – Feature Invocation Array
• FIA per interface
  – input FIA, output FIA
  – drop FIA (Null interface)
(Diagram: QFP with PPE 1 … N running microcode (µ), dispatcher, packet buffer, BQS and crypto assist.)
Day in Life of Normal Packet
(Diagram sequence: the packet enters a SPA on the SIP, is queued by the SPA aggregation ASIC (Marmot) and sent over the ESI to the ESP; the QFP dispatcher hands it to a free thread of one PPE (PPE2, thread 3 in the slides), which runs the interface's input FIA, the forwarding lookup and the output FIA to completion; BQS then queues the packet, and on the egress SIP the egress buffer hands it to the outgoing SPA.)
Input FIA features shown: Netflow, Input ACL, NBAR Classify, MQC Classify, NAT, PBR, Dialer IDLE Rst, URD.
Forwarding: IP Unicast, IP Multicast or Packet For Us.
Output FIA features shown: Netflow, BGP Accounting, NAT, NBAR Classify, MQC Classify.
Debugging strategies
Everyday situations
(Slides: everyday troubleshooting situations, routing first, then features such as IPsec, ZBF, NAT, WAAS, SNMP and OTV.)
Using statistics for troubleshooting packet drops
Not easy… not very practical either.
Let's dig deeper before making it simpler.
• SPA
  – show platform hardware slot {slot} plim statistics
  – show platform hardware slot {0|1|2} plim status internal
  – show platform hardware slot {0|1|2} serdes statistics
• RP
  – show platform hardware slot {r0|r1} serdes statistics
  – show platform software infrastructure lsmpi
• ESP
  – show platform hardware qfp active interface if-name <Interface-name> statistics
  – show platform hardware qfp active infrastructure punt statistics type per-cause | exclude _0_
  – show platform hardware qfp active infrastructure punt statistics type punt-drop | exclude _0_
  – show platform hardware qfp active infrastructure punt statistics type inject-drop | exclude _0_
  – show platform hardware qfp active infrastructure punt statistics type global-drop | exclude _0_
  – show platform hardware qfp active infrastructure bqs queue output default all
  – show platform hardware qfp active infrastructure bqs queue output recycle all
Debugging Strategies to Date
Top down, from the IOS control plane (well known):
• ACL + show access-list, …
• show interface / ip route / bgp …
… down to rock bottom.
IOS 3.7
The Embedded Packet Capture
One way of capturing packets…
Excellent tool but insufficient in many cases.
http://www.cisco.com/en/US/docs/ios-xml/ios/epc/configuration/xe-3s/asr1000/nm-packet-capture-xe.html

0
0000: 01005E00 00020000 0C07AC1D 080045C0 ..^...........E.
0010: 00300000 00000111 CFDC091D 0002E000 .0..............
0020: 000207C1 07C1001C 802A0000 10030AFA .........*......
0030: 1D006369 73636F00 0000091D 0001 ..example.......
1
0000: 01005E00 0002001B 2BF69280 080046C0 ..^.....+.....F.
0010: 00200000 00000102 44170000 0000E000 . ......D.......
0020: 00019404 00001700 E8FF0000 0000 ..............
2
0000: 01005E00 0002001B 2BF68680 080045C0 ..^.....+.....E.
0010: 00300000 00000111 CFDB091D 0003E000 .0..............
0020: 000207C1 07C1001C 88B50000 08030A6E ...............n
0030: 1D006369 73636F00 0000091D 0001 ..example.......
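As an added example (not part of the deck), a parser for the EPC hex-dump format shown above: it rebuilds the frames from the offset and hex-word columns, decodes the Ethernet, IPv4 and UDP headers, and goes one step further than the slide by decoding the HSRP hello that the first and third packets carry (UDP port 1985), so a reviewer can see state, priority, group and the authentication string without a second tool. The dump text is a constructed copy of the three packets above.

```python
import re
from ipaddress import IPv4Address

# Constructed copy of the three-packet EPC dump shown above (offset, hex words,
# ASCII rendering); only the offset and the hex words are used.
EPC_DUMP = """\
0
0000: 01005E00 00020000 0C07AC1D 080045C0 ..^...........E.
0010: 00300000 00000111 CFDC091D 0002E000 .0..............
0020: 000207C1 07C1001C 802A0000 10030AFA .........*......
0030: 1D006369 73636F00 0000091D 0001 ..example.......
1
0000: 01005E00 0002001B 2BF69280 080046C0 ..^.....+.....F.
0010: 00200000 00000102 44170000 0000E000 . ......D.......
0020: 00019404 00001700 E8FF0000 0000 ..............
2
0000: 01005E00 0002001B 2BF68680 080045C0 ..^.....+.....E.
0010: 00300000 00000111 CFDB091D 0003E000 .0..............
0020: 000207C1 07C1001C 88B50000 08030A6E ...............n
0030: 1D006369 73636F00 0000091D 0001 ..example.......
"""

OFFSET = re.compile(r"[0-9A-Fa-f]{4}:")
HEXWORD = re.compile(r"(?:[0-9A-Fa-f]{2}){1,4}")
HSRP_STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
HSRP_OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}


def parse_epc_dump(text):
    """Rebuild the captured frames from 'offset: hexwords ascii' lines.
    A new frame starts at every offset 0000; packet index lines and prose are
    skipped; the ASCII column is only a rendering, so the first non-hex token
    ends the data of a line."""
    frames, cur = [], bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not OFFSET.fullmatch(tokens[0]):
            continue
        offset = int(tokens[0][:-1], 16)
        if offset == 0 and cur:
            frames.append(bytes(cur))
            cur = bytearray()
        if offset != len(cur):
            raise ValueError(f"dump is not contiguous at offset {offset:#06x}")
        for tok in tokens[1:5]:  # at most four 32-bit words per line
            if not HEXWORD.fullmatch(tok):
                break
            cur += bytes.fromhex(tok)
    if cur:
        frames.append(bytes(cur))
    return frames


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def decode_hsrp(d):
    # HSRPv1 (RFC 2281) layout: version, opcode, state, hellotime, holdtime,
    # priority, group, reserved, 8-byte authentication data, virtual IP.
    return {"version": d[0], "opcode": HSRP_OPCODES.get(d[1], d[1]),
            "state": HSRP_STATES.get(d[2], d[2]), "hellotime": d[3],
            "holdtime": d[4], "priority": d[5], "group": d[6],
            "auth": d[8:16].rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_ip": str(IPv4Address(d[16:20]))}


def decode_frame(frame):
    """Decode Ethernet II, IPv4 and UDP headers, plus HSRP on UDP port 1985."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]),
            "ethertype": int.from_bytes(frame[12:14], "big")}
    if info["ethertype"] != 0x0800:
        return info
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    total_len = int.from_bytes(ip[2:4], "big")
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("malformed IPv4 length fields")
    info.update(ip_version=ip[0] >> 4, ihl=ihl, ttl=ip[8], proto=ip[9],
                src_ip=str(IPv4Address(ip[12:16])), dst_ip=str(IPv4Address(ip[16:20])))
    payload = ip[ihl:total_len]
    if info["proto"] == 17 and len(payload) >= 8:
        info["udp_src"] = int.from_bytes(payload[0:2], "big")
        info["udp_dst"] = int.from_bytes(payload[2:4], "big")
        udp_len = int.from_bytes(payload[4:6], "big")
        data = payload[8:udp_len]
        if info["udp_dst"] == 1985 and len(data) >= 20:
            info["hsrp"] = decode_hsrp(data)
    return info


def decode_dump(text):
    return [decode_frame(f) for f in parse_epc_dump(text)]
```

Packets 0 and 2 decode as HSRP hellos for group 29 (one Active with priority 250, one Standby with priority 110) and packet 1 as an IGMP message with a 24-byte IPv4 header.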
IOS 3.10
The Packet Tracer and FIA Debugger
• A condition determines the packets to be traced (packet match at the ingress FIA; optionally match on the egress FIA as well)
• Statistics and the final action are collected (matched packets dropped, punted to RP, forwarded to an output interface, …)
• Optionally, FIA actions can be logged per packet
• The system can capture several packet flows
• Packet flows can be reviewed in show commands
(Diagram: QFP with, per PPE thread, the input FIA (Input ACL, MQC Classify, NAT, PBR, Encaps, Crypto …), forwarding for L2 switch, IPv4, IPv6, MPLS and X-Connect, and the output FIA (Output ACL, MQC Classify, NAT, Encaps, Crypto …); "Packet # 16" and "Pak Match ?" mark the trace condition check.)
Packet Tracer Demonstration
Demo Network Diagram – Problem 1
This extranet site can not connect to the server in the DMZ.
(Diagram: ASR1000 with GE 1 towards spokes 1 … 13 (10.0.101.0/24 … 10.0.112.0/24; 192.168.3.1 … 192.168.3.12), GE 2 towards the IPv4 and IPv6 Internet (2003:1::1) and GE 3 towards the DMZ (10.0.0.254, 2005:1::1/64).)
Demo Network Diagram – Problem 2
(Same diagram.)
IPsec Packet Forwarding
(Diagram: QFP packet path through the SPI mux, the crypto engine and its SA table. When the packet comes back from crypto, the PPE may be different, but packet processing continues where it stopped (right after crypto).)
Zone Based Firewall
ZBF Quick Recap
Sample Config

Zone definition
  zone security inside
  zone security outside

Apply zone to interfaces
  interface GigabitEthernet0/0/2
   ip address 172.18.25.254 255.255.255.0
   zone-member security inside
  interface GigabitEthernet0/0/3
   ip address 172.19.25.254 255.255.255.0
   zone-member security outside

  ip access-list extended ipacl
   deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.127
   deny ip 10.0.0.0 0.0.0.255 172.16.0.128 0.0.0.127
   permit tcp any any
   deny udp 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.127
   permit udp any any
   permit icmp any any

Class map to match traffic
  class-map type inspect match-all ipv4acl
   match access-group name ipacl

Policy map to determine the action on matched traffic
  policy-map type inspect in2out
   class type inspect ipv4acl
    inspect
   class class-default

Apply the policy between two zones
  zone-pair security in2out source inside destination outside
   service-policy type inspect in2out
Simplifying the ZBF show commands
Three Commands for ZBF under the sky
• show policy-firewall config platform
  – collects everything but TCAM; supersedes:
    show platform software firewall FP active bindings
    show platform software firewall RP active bindings
    show platform software firewall FP active pairs
    show platform software firewall RP active pairs
    show platform software firewall FP active parameter-maps
    show platform software firewall RP active parameter-maps
    show platform software firewall FP active zones
    show platform software firewall RP active zones
(Diagram sequence: the ZBF packet path inside the QFP. The output FIA runs OUTPUT_INSPECT; L4 inspection either passes or drops the packet, an L7 parse may create an imprecise channel, L7 inspection follows, and the output side continues with IPV4 OUTPUT THREAT INSPECT, VFR_REFRAG and L2_REWRITE.)
• show policy-firewall session platform tcp destination-port 80 detail
  – supersedes: show platform hardware qfp active feature firewall datapath scb any any any 80 6 any detail
  [s=session i=imprecise channel c=control channel d=data channel]
  172.18.25.66 53471 213.94.72.66 80 proto 6 (0:0)[sc]
  nxt_timeout: 100, refcnt: 1, ha nak cnt: 0, rg: 0, sess id: 32584
  ingress/egress intf: GigabitEthernet0/0/2 (1021), GigabitEthernet0/0/3 (65526)
  current time 1384744571498 create tstamp: 1384690046997 last access: 1384690179236
  syncookie fixup: 0x0
NAT Sample Config

Apply role to interfaces
  interface GigabitEthernet0/0/2
   ip nat inside
  interface GigabitEthernet0/0/3
   ip nat outside

Static NAT configuration
  ip nat inside source static 172.16.89.32 10.0.0.1

Dynamic NAT configuration (NAT overload, aka PAT)
  ip nat inside source list pat interface GigabitEthernet0/0/3 overload
(Diagram sequence: the NAT packet path inside the QFP. Input FIA: INPUT_VFR, then NAT classification (ACL first, then route-map; the packet is matched against the configured rule using CGM and TCAM), Bind DB lookup, address allocation or drop, descriptor modification and ALG work (SIP media + RTP pinhole creation, FTP data session fixup, …). Output FIA: OUTPUT_INSPECT, OUTPUT_NAT, VFR_REFRAG, L2_REWRITE.)
ESP Tracing aka Logging
(Diagram: RP logs are first written to a temporary RAM file system on the RP (efficiency); ESP logs are first written to a temporary RAM file system on the ESP (efficiency); an NFS shared disk is shared between RP and ESP.)
Important logs
(Diagram: RP with Chassis Manager and IOS, log file fman_rp_R[0|1]-0.log; SIP IOCP with SPA drivers, Chassis Manager and Linux kernel.)
What log files are important?
• Important log files to get for security issues:
  – fman_rp_R[0|1].log (under the /tmp/rp/trace directory on the RP)
  – fman-fp_F[0|1]-0.log (under the /tmp/fp/trace directory on the ESP)
  – cpp_cp_F[0|1]-0.log (under the /tmp/fp/trace directory on the ESP)
• All these logs get rotated and are copied to the /harddisk/tracelogs directory on the active RP.
• Look for the relevant log files depending on the time of the failure.
• By default, all ERR messages are logged; these should be the first things to look for.
Example log files
The timestamp…
My-ASR1000-2#dir harddisk:/tracelogs/cpp_cp_F0*
Directory of harddisk:/tracelogs/cpp_cp_F0*
3768365 -rwx 1048934 Jan 6 2014 18:20:16 +00:00 cpp_cp_F0-0.log.7133.20140106182015
3768330 -rwx 551643 Jan 7 2014 09:27:51 +00:00 cpp_cp_F0-0.log.7133.20140107092751
3768335 -rwx 1048901 Jan 7 2014 08:56:44 +00:00 cpp_cp_F0-0.log.7133.20140107085643
39313059840 bytes total (30680653824 bytes free)
Rotating the log files
My-ASR1000-2#test platform software trace slot rp active forwarding-manager rotate
Rotated file from: /tmp/rp/trace/stage/fman_rp_R0-0.log.13836.20140107094754, Bytes: 0, Messages: 6535
My-ASR1000-2#test platform software trace slot FP active cpp-control-process rotate
Rotated file from: /tmp/fp/trace/stage/cpp_cp_F0-0.log.7133.20140107093650, Bytes: 154027, Messages: 786
My-ASR1000-2#test platform software trace slot FP active forwarding-manager rotate
Rotated file from: /tmp/fp/trace/stage/fman-fp_F0-0.log.8247.20140107093738, Bytes: 20170, Messages: 210
OR use
My-ASR1000-2#request platform software trace rotate all
(does not show the rotated file names with time stamp; you have to hunt them down)
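As an added example (not part of the deck), a small helper for the "which log file covers the failure?" step above: it parses the trace-log file names from a dir listing and from the rotate output, and picks, per process/slot/pid, the rotated file that was being written at the failure time. It assumes the 14-digit suffix is the rotation time of the file (YYYYMMDDhhmmss, as the listing's modification times suggest); the listing and rotate output are constructed copies of the ones above.

```python
import re
from datetime import datetime

# Constructed copy of the dir listing and the rotate output shown above.
DIR_LISTING = """\
Directory of harddisk:/tracelogs/cpp_cp_F0*
3768365 -rwx 1048934 Jan 6 2014 18:20:16 +00:00 cpp_cp_F0-0.log.7133.20140106182015
3768330 -rwx 551643 Jan 7 2014 09:27:51 +00:00 cpp_cp_F0-0.log.7133.20140107092751
3768335 -rwx 1048901 Jan 7 2014 08:56:44 +00:00 cpp_cp_F0-0.log.7133.20140107085643
39313059840 bytes total (30680653824 bytes free)
"""
ROTATE_OUTPUT = """\
Rotated file from: /tmp/fp/trace/stage/cpp_cp_F0-0.log.7133.20140107093650, Bytes: 154027, Messages: 786
Rotated file from: /tmp/fp/trace/stage/fman-fp_F0-0.log.8247.20140107093738, Bytes: 20170, Messages: 210
"""

# <process>_<slot>.log.<pid>.<YYYYMMDDhhmmss>; the stamp is assumed to be the time
# the file was rotated (closed).
TRACELOG = re.compile(r"^(?P<proc>.+?)_(?P<slot>[RF]\d-\d)\.log\.(?P<pid>\d+)\.(?P<stamp>\d{14})$")
ROTATED = re.compile(r"^Rotated file from: (?P<path>\S+), Bytes: (?P<bytes>\d+), Messages: (?P<msgs>\d+)$")
STAMP = "%Y%m%d%H%M%S"


def parse_tracelog_name(name):
    m = TRACELOG.match(name)
    if not m:
        return None
    return {"name": name, "process": m["proc"], "slot": m["slot"],
            "pid": int(m["pid"]), "rotated_at": datetime.strptime(m["stamp"], STAMP)}


def parse_dir_listing(text):
    """Pick the trace-log entries out of an IOS 'dir' listing."""
    files = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue  # 'Directory of', totals and blank lines
        info = parse_tracelog_name(parts[-1])
        if info:
            info["size"] = int(parts[2])
            files.append(info)
    return files


def parse_rotate_output(text):
    """Parse 'Rotated file from: <path>, Bytes: N, Messages: N' lines."""
    out = []
    for line in text.splitlines():
        m = ROTATED.match(line.strip())
        if not m:
            continue
        info = parse_tracelog_name(m["path"].rsplit("/", 1)[-1])
        if info:
            info.update(path=m["path"], bytes=int(m["bytes"]), messages=int(m["msgs"]))
            out.append(info)
    return out


def files_for_failure(files, failure_time, before=1):
    """For each (process, slot, pid), return the file that was being written at
    failure_time, i.e. the earliest rotated file whose stamp is at or after the
    failure, preceded by `before` older files for context. An empty result means
    the still-live file under /tmp/<rp|fp>/trace holds it: rotate first."""
    if isinstance(failure_time, str):
        failure_time = datetime.strptime(failure_time, STAMP)
    groups, chosen = {}, {}
    for f in sorted(files, key=lambda f: f["rotated_at"]):
        groups.setdefault((f["process"], f["slot"], f["pid"]), []).append(f)
    for key, seq in groups.items():
        for i, f in enumerate(seq):
            if f["rotated_at"] >= failure_time:
                chosen[key] = [x["name"] for x in seq[max(0, i - before):i + 1]]
                break
    return chosen
```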
Conditional Feature Debugging
IOS 3.10
The Packet Tracer and Conditional Debugger
(Diagram sequence, repeated over three slides: the packet tracer condition is checked at ingress ("Packet # 16", "Ingress Match ?"); matched packets are traced through the input FIA (Input ACL, MQC Classify, NAT, PBR, Encaps, Crypto …), forwarding (L2 switch, IPv4, IPv6, MPLS, X-Connect) and the output FIA (Output ACL, MQC Classify, NAT, Encaps, Crypto …) on the PPE thread that processes them.)
The packet tracer collects statistics and the final action (matched packets dropped, punted to RP, forwarded to an output interface, …).
If the feature conditional debugger is activated, these feature blocks will be debugged. Our focus now.
Conditional Debugger Demonstration
Demo Network Diagram – ZBF Problem
(Diagram: the same demo network; ASR1000 with GE 1 towards spokes 1 … 13 (10.0.101.0/24 … 10.0.112.0/24; 192.168.3.1 … 192.168.3.12), GE 2 towards the IPv4/IPv6 Internet (2003:1::1) and GE 3 towards the DMZ (10.0.0.254, 2005:1::1/64).)
PCs located in Spoke 12 are not able to reach the webserver in the DMZ.
Interesting ZBF Commands (summary)
• debug platform condition feature fw dataplane submode detail layer4 policy drop
  – DO NOT use "event": it is non-conditional and has a HIGH CPU IMPACT
• In 3.14+: debug platform condition feature fw dataplane submode all
  – In this release, "event" will be conditional; "all" will be safe too
Resource Monitoring
In IOS-XE near you now…
The vital signs…
(Diagram: control plane CPUs (RP CPU with IOS, Chassis Manager, Forwarding Manager and Linux kernel; SIP IOCP with SPA drivers, Chassis Manager and Linux kernel) and data plane CPUs (QFP PPEs running microcode, BQS, crypto assist).)
Example: IOS Memory Usage vs IOSd RP Utilization
asr-1k#show mem stat
Load for five secs: 6%/1%; one minute: 5%; five minutes: 3%
Time source is NTP, 22:18:08.111 EDT Sat Apr 19 2014
               Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor  300AE008  1713127140   564269356  1148857784  1066242316   992444168
 lsmpi_io  963791D0     6295088     6294120         968         968         968

asr-1k#show process mem | inc BGP
 523   0    2333028      51368     389076    313    313 BGP Router

asr-1k#show process cpu
…

Complex CLI, platform specific.
(Diagram overlay: RP CPU with Chassis Manager, IOS, Forwarding Manager and Linux kernel.)
asr-1k#show platform hardware qfp active infrastructure exmem statistics
Resource state summary (columns: Resource, Usage, Max, Warning, Critical, State):
RP0 (active) H
 Memory 1814MB 3783MB 90% 95% H
 CPU 5.80% 100% 90% 95% H
FP0 (active) H
 Memory 683MB 1962MB 90% 95% H
 CPU 19.89% 100% 90% 95% H
 QFP H
  DRAM 76244KB 524288KB 80% 90% H
  IRAM 8817KB 131072KB 80% 90% H
  SRAM 14KB 32KB 80% 90% H
  TCAM 28cells 131072cells 80% 90% H
FP1 (standby) H
 Memory 683MB 1962MB 90% 95% H
 CPU 19.89% 100% 90% 95% H
 QFP H
  DRAM 76244KB 524288KB 80% 90% H
  IRAM 8817KB 131072KB 80% 90% H
  SRAM 14KB 32KB 80% 90% H
  TCAM 28cells 131072cells 80% 90% H
SIP0 (active) H
 Memory 307MB 460MB 90% 95% H
 CPU 4.10% 100% 90% 95% H
SIP1 (standby) H
 Memory 160MB 460MB 90% 95% H
 CPU 1.10% 100% 90% 95% H
**State Acronym: H - Healthy, W - Warning, C – Critical
IOS 3.14
Other show commands improved too
Improves interaction with TAC
[Figure: RP / ESP / SIP component diagram as on the previous slides.]
CLI hint shown on the slide:
This command only shows processes inside the IOS daemon.
Please use 'show <something> platform'
to show processes from the underlying operating system.
Wrapping up…
General Feature Dependencies
[Figure: ESP block diagram (FECP, QFP with PPE, BQS and Crypto Assist, interconnect, TCAM, DRAM, SRAM, Packet Buffer, Temp Sensor, Reset / Pwr Ctrl) annotated with what the features keep in the QFP resources: QoS Mark/Police, NAT sessions, IPsec SA, Netflow cache, per-session data (FW, Netflow), QoS queuing, Class/Policy Maps (QoS, DPI), NAT, VFR re-assembly, ACL/ACE storage, IPsec headers, IPsec traffic selectors, classes, rules, NAT lists.]
Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session.
• Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
Feature Invocation Array (FIA)
• A per-protocol array of functions/features to be executed in sequence
• The FIAs are executed in the PPE for every packet
• Input interface → Input FIA; Output interface → Output FIA
[Figure: example Input FIA, Output FIA and “Punt” FIA. Entries shown include: Dst Lookup, For Us, VFR, RPF, Security ACL (in), Output Inspect, Martian, Refrag, NAT, Refragment, Consume, WCCP, Drop Policy.]
The RP is seen as an external device from the ESP… connected to a special interface. This interface has its own FIA.
Zone Based Firewall
ZBF Quick Recap
Sample Config
! Zone definition
zone security inside
zone security outside
!
ip access-list extended ipacl
 deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.127
 deny ip 10.0.0.0 0.0.0.255 172.16.0.128 0.0.0.127
 permit tcp any any
 deny udp 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.127
 permit udp any any
 permit icmp any any
!
! Apply zone to interfaces
interface GigabitEthernet0/0/2
 ip address 172.18.25.254 255.255.255.0
 zone-member security inside
interface GigabitEthernet0/0/3
 ip address 172.19.25.254 255.255.255.0
 zone-member security outside
!
! Class map to match traffic
class-map type inspect match-all ipv4acl
 match access-group name ipacl
!
! Policy map to determine action on matched traffic
policy-map type inspect in2out
 class type inspect ipv4acl
  inspect
 class class-default
!
! Apply policy between two zones
zone-pair security in2out source inside destination outside
 service-policy type inspect in2out
Zone Creation
zone security inside
zone security outside
[Figure: the zone configuration is pushed from IOS on the RP through the Forwarding Manager over the EOBC (1 Gbps) to the ESP (FECP, Chassis Manager, Forwarding Manager, drivers).]
Forwarding Manager firewall zone configuration (zone membership is known when the packet enters):
Interface Interface Name Zone Name
--------------------------------------------
10 GigabitEthernet0/0/2 inside
11 GigabitEthernet0/0/3 outside

show platform hardware qfp active interface if-name Gig0/0/0
…
Protocol 1 - ipv4_output
 FIA handle - CP:0x108f90e4 DP:0x8080e200
 IPV4_OUTPUT_VFR
 IPV4_OUTPUT_INSPECT
 IPV4_OUTPUT_THREAT_DEFENSE
 …

service-policy type inspect in2out
show platform software firewall f0 pairs
Zone-Pair Name Source Zone Destination Zone Obj-id
-----------------------------------------------------------
in2out inside outside 2

Class-group TCAM entry for the inspect policy (the Value line is not shown on the slide):
Mask: : ffffff00 00000000 00000000 ffffff80 ffff0009
Result: : 81000000 89435400 00000000 00000000
…
Simplifying the IPsec show commands
One show command to rule them all
IOS view (show crypto ipsec sa):
…
interface: Virtual-Access1002
    Crypto map tag: Virtual-Access1002-head-0, local addr 172.18.0.1
   …
   protected vrf: (none)
   local ident (addr/mask/prot/port): (172.18.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (17.0.0.26/255.255.255.255/47/0)
   current_peer 17.0.0.26 port 500
   …
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 25227, #pkts encrypt: 25227, #pkts digest: 25227
    #pkts decaps: 25237, #pkts decrypt: 25237, #pkts verify: 25237
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.18.0.1, remote crypto endpt.: 17.0.0.26
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/2
     current outbound spi: 0xA7B61FE5(2813730789)
     PFS (Y/N): N, DH group: none

Platform sections appended by the unified command (one block per flow, SA and crypto context):
------------------ show platform software ipsec fp active flow identifier 34130 ------------------
…
------------------ show platform hardware qfp active feature ipsec sa 1427 ------------------
…
------------------ show platform software ipsec fp active encryption-processor context 6502aa4f ------------------
…
------------------ show platform software ipsec fp active flow identifier 34129 ------------------
…
------------------ show platform hardware qfp active feature ipsec sa 1867 ------------------
…
------------------ show platform software ipsec fp active encryption-processor context 2e02aa4e ------------------
…
Simplifying the ZBF show commands
Three Commands for ZBF under the sky
show policy-firewall config platform
--show platform hardware qfp active feature firewall datapath scb any any any any any all any --
An Advanced Example:
IPsec control plane programming
IPsec SA – from IOS to FMAN-FP
[Figure: RP (IOS, Forwarding Manager) to ESP (FECP, Chassis Manager, Forwarding Manager, drivers) over the EOBC (1 Gbps), then into the QFP (PPEs, BQS, Crypto Assist, TCAM, DRAM).]
show crypto ipsec sa interface virtual-access 1002
interface: Virtual-Access1002
    Crypto map tag: Virtual-Access1002-head-0, local addr 172.18.0.1
   protected vrf: (none)
   local ident (addr/mask/prot/port): (172.18.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (17.0.0.26/255.255.255.255/47/0)
   current_peer 17.0.0.26 port 500
   …
   inbound esp sas:
    spi: 0x956A1B11(2506758929)
     …
     conn id: 30214, flow_id: HW:28214, sibling_flags FFFFFFFF80000008, crypto map: Virtual-Access1002-head-0
   outbound esp sas:
    spi: 0x51E3FC8E(1373895822)
     …
     conn id: 30213, flow_id: HW:28213, sibling_flags FFFFFFFF80000008, crypto map: Virtual-Access1002-head-0
   …

The flow_id (HW:…) is the key into the Forwarding Manager on the ESP:
show platform software ipsec fp active flow identifier <flow_id>
  SPD id: 1008
  …
  QFP SA handle: 1892
  …
  Crypto SA ctx id: 0x000000002e02b9b6

The SPD id selects the class-group whose traffic selectors sit in TCAM:
show platform hardware qfp active classification feature-manager class-group tcam ipsec <SPD-id> global detail
class-group [ipsec-cg:1008] (classes: 1, total number of vmrs: 4)
  key name: 160_03 value size: 160 result size: 16
  region id: 1 vmr id: 698 number of vmrs: 4 tcam id: TCAM0
    Value: : ac120001 2f000000 00000000 1100001a 12d70000
    Mask: : ffffffff ff000000 00000000 ffffffff ffff0000
    Result: : 40000000 905a0400 00000000 00000000
    …
    Value: : ac120001 2f000000 00000000 1100001a 12d70000
    Mask: : ffffffff ff000000 00000000 ffffffff ffff0000
    Result: : 20000000 8d458860 00000000 00000000
  …
IPsec SA – from FMAN-FP to Crypto Engine
[Figure: same RP / ESP / QFP diagram; this step follows the SA from the Forwarding Manager on the ESP into the Crypto Assist.]
From the flow identifier output above: Crypto SA ctx id: 0x000000002e02b9b6. That context id selects the SA as programmed into the crypto engine:
show platform software ipsec fp active encryption-processor context 2e02b9b6
======= Context id: 0x2e02b9b6
  …
  SA word 0: 0x5ae0460fc201aa5
  action bits: 0x001f84
  direction: outbound
  mode: transport
  protocol: esp
  authentication: SHA-1
  confidentiality: AES-128
  …
  mfs: 1454
  …
  sequence number: 306
  …
  byte count: 25704
  packet count: 306
IPsec SA – from FMAN-FP to QFP DRAM
[Figure: same RP / ESP / QFP diagram; this step follows the SA from the Forwarding Manager into QFP DRAM, with the traffic selectors indexed by class-group in TCAM.]
From the flow identifier output: QFP SA handle: 1892 (FMAN-FP remembers everything: SPD id, QFP SA handle and crypto context for each flow_id).
show platform hardware qfp active feature ipsec sa <qfp_sa_handle>
QFP ipsec sa Information
  QFP sa id: 3623
  pal sa id: 32085
  QFP spd id: 3398
  QFP sp id: 1066
  QFP spi: 0x51E3FC8E(1373895822)
  crypto ctx: 0x000000002e02b9b6
  …

The crypto ctx here is the same context id seen from the encryption processor:
show platform software ipsec fp active encryption-processor context 2e02b9b6
======= Context id: 0x2e02b9b6
  …
  SA word 0: 0x5ae0460fc201aa5
  action bits: 0x001f84
  direction: outbound
  mode: transport
  protocol: esp
  authentication: SHA-1
  confidentiality: AES-128
  …
  mfs: 1454
  …
  sequence number: 306
  …
  byte count: 25704
  packet count: 306

The TCAM entries remain indexed by class-group (ipsec-cg:<SPD-id>):
show platform hardware qfp active classification feature-manager class-group tcam ipsec <SPD-id> global detail
class-group [ipsec-cg:1008] (classes: 1, total number of vmrs: 4)
  key name: 160_03 value size: 160 result size: 16
  region id: 1 vmr id: 698 number of vmrs: 4 tcam id: TCAM0
    Value: : ac120001 2f000000 00000000 1100001a 12d70000
    Mask: : ffffffff ff000000 00000000 ffffffff ffff0000
    Result: : 40000000 905a0400 00000000 00000000
    …
    Value: : ac120001 2f000000 00000000 1100001a 12d70000
    Mask: : ffffffff ff000000 00000000 ffffffff ffff0000
    Result: : 20000000 8d458860 00000000 00000000
  …
The Road to Simplification
Part III, Deep Data Plane Debugging
IOS 3.10
The Feature Conditional Debugger
[Figure: the QFP block diagram again (PPE1 … PPEN and their threads, Dispatcher, Packet Buffer, BQS, Crypto Assist, SA table, TCAM/DRAM/SRAM, L2 Switch / IPv4 / IPv6 / MPLS / X-Connect, feature blocks NAT, PBR, Classify, Encaps, Output ACL, IP Unicast, Crypto), with Packet # 16 reaching a “Cond Dbg ?” check in front of each feature block.]
Slide annotations:
- If the packet matches the condition, the debug is on for the feature, AND if the packet needs to be traced… the feature will log its action step by step in cpp_cp_f0-0.log!!
- Logs will go straight to IOS syslogs in the future – no need to rotate logs anymore!
Feature Debugging
Step 2 – Define feature(s) to troubleshoot
Step 2 (cont.) – Define feature submodes to be troubleshot
asr-1k# debug platform condition feature fw dataplane submode drop layer4 policy
Conditional Debugger Demonstration
Platform Conditional Debugging
BGL.D.16-ASR1000-1# debug platform condition feature ?
  atm            ATM feature
  atom           ATOM feature
  bridge-domain  Layer2 bridging feature
  cft            CFT feature
  cxsc           CXSC feature
  evc            EVC feature
  fw             FW feature
  ipsec          IPSEC feature
  nbar           NBAR feature
  otv            OTV feature
  subscriber     Subscriber feature
  vpls           VPLS feature
Debugs get populated in cpp_cp_F0-0.log.

BGL.D.16-ASR1000-1#debug platform condition ipv4 172.19.2.1/32 ingress
  (same match statement as the packet tracer…)
BGL.D.16-ASR1000-1#debug platform condition feature ipsec dataplane submode cce level info
  (tells which feature to debug)
BGL.D.16-ASR1000-1#debug platform condition start
  (start and stop debugging)
NAT Control plane – config push RP → ESP
Interface Role Assignment
interface GigabitEthernet0/0/2
 ip nat inside
interface GigabitEthernet0/0/3
 ip nat outside
[Figure: the NAT configuration is pushed from IOS / Forwarding Manager on the RP over the EOBC (1 Gbps) to the ESP (FECP, Chassis Manager, Forwarding Manager, drivers) and from there into the QFP (PPEs, BQS, Crypto Assist, TCAM, DRAM).]
Forwarding Manager (FMAN-FP) view of the interface role:
Name: GigabitEthernet0/0/2, Inteface handle: 10
Domain: DOMAIN_INSIDE, Static-host allowed: No
QFP handle: 9
Features get installed in the FIA when NAT roles are applied.

Interface Role Assignment (NAT mapping)
ip nat inside source list pat interface GigabitEthernet0/0/3 overload
Forwarding Manager view of the mapping:
Mapping id: 8
Domain: INSIDE, Lookup: LOOKUP_LOCAL
Flags: overload
Interface name: GigabitEthernet0/0/3, IP address: 213.94.72.254
IF handle: 11, QFP handle: 10
ACL name: pat
CGM class group: INSIDE_SRC_CG, CGM class id: 8
Dynamic PAT: No
Last stats update: 04/01 19:39:42.799
Last refcount value: 0

sh platform software nat f0 cgm
Dump NAT CGM information
Current CGM tid: 0
Class group: INSIDE_SRC_CG (1), num_classes: 1, last class id: 8
First class created: Yes, first EA CGM attach pending: No
Class id: 8, match_type: Match-ACL, acl: pat, refcnt: 1, in CGD: Yes
Class group: INSIDE_SRC_STATIC_CG (2), num_classes: 0, last class id: 0
First class created: No, first EA CGM attach pending: No
Class group: OUTSIDE_SRC_CG (3), num_classes: 0, last class id: 0
First class created: No, first EA CGM attach pending: No
Class group: INSIDE_DST_CG (4), num_classes: 0, last class id: 0
First class created: No, first EA CGM attach pending: No
…
These are the Class Groups for the various NAT types. Class groups are “Hardware ACLs” (sorta) and have a TCAM representation.

Class-group filter detail for the mapping (command not shown on the slide):
match vrf 0
(3) filter: logical operator [1001.8.3] (rules: 0)
logical operation: type: AND, id: 3

sh platform hardware qfp active classification feature-manager class-group tcam nat 1001 detail
QFP classification class group TCAM
class-group [nat-cg:1001] (classes: 1, total number of vmrs: 2)
 key name: NAT_01 value size: 160 result size: 16
 region id: 1 vmr id: 4 number of vmrs: 2 tcam id: TCAM0
  Value: : ac121900 00000000 00000000 00000000 00140000
  Mask: : ffffff00 00000000 00000000 00000000 ffffffff
  Result: : 00000001 00000000 00000000 00000000
  Value: : 00000000 00000000 00000000 00000000 00140000
  Mask: : 00000000 00000000 00000000 00000000 ffff0000
  Result: : 00000000 00000000 00000000 00000000
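The slides show the same mechanism twice: the ZBF sample config's ipacl gets a class-group TCAM entry (the Mask ffffff00 … ffffff80 line under Zone Creation is exactly a /24 source and a /25 destination), and here the NAT list pat becomes nat-cg:1001 with Value ac121900 / Mask ffffff00 in word 0. The following is an added example, not Cisco code, of how an IOS extended ACL is evaluated once it is compiled to value/mask/result (VMR) entries: first entry whose (key & mask) == value wins, and an entry that an earlier one fully covers can never be hit. The 160-bit key layout used here (five 32-bit words, word 0 = source IP, top byte of word 1 = IP protocol, word 3 = destination IP, words 2 and 4 left as don't-care) is an inference from the ipsec VMR shown above (ac120001 / 2f / 1100001a for 172.18.0.1, protocol 47, 17.0.0.26), not a documented QFP format; the result encoding (bit 31 = permit, low bits = ACE index) is our own; and the contents of the pat list are not on the slides, so a stand-in built from GigabitEthernet0/0/2's 172.18.25.254/24 subnet is used. Only source/destination/protocol ACEs with wildcard masks or any are parsed, no ports.

```python
"""Compile an IOS extended ACL to TCAM VMR entries and evaluate packets against it.
Added example, not Cisco code.  Key layout and result encoding are assumptions
(see the lead-in); the 'pat' list below is a constructed stand-in."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    src_wc: str   # IOS wildcard mask: 1 bits are don't-care
    dst: str
    dst_wc: str


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_ace(line: str) -> Ace:
    """'permit|deny <proto> (<addr> <wildcard> | any) (<addr> <wildcard> | any)'."""
    tok = line.split()
    pos = 2

    def take() -> Tuple[str, str]:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        addr, wc = tok[pos], tok[pos + 1]
        pos += 2
        return addr, wc

    src, src_wc = take()
    dst, dst_wc = take()
    return Ace(tok[0], tok[1], src, src_wc, dst, dst_wc)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines()]


VMR = Tuple[List[int], List[int], int]   # (value words, mask words, result)


def ace_to_vmr(ace: Ace, index: int) -> VMR:
    """One ACE -> one VMR: wildcard 1-bits become mask 0-bits (don't care)."""
    value, mask = [0] * 5, [0] * 5
    mask[0] = ~_ip(ace.src_wc) & 0xFFFFFFFF          # assumed: word 0 = source IP
    value[0] = _ip(ace.src) & mask[0]
    mask[3] = ~_ip(ace.dst_wc) & 0xFFFFFFFF          # assumed: word 3 = destination IP
    value[3] = _ip(ace.dst) & mask[3]
    if PROTO_NUM[ace.proto] is not None:             # 'ip' matches every protocol
        value[1], mask[1] = PROTO_NUM[ace.proto] << 24, 0xFF000000   # assumed: top byte of word 1
    result = (0x80000000 if ace.action == "permit" else 0) | index   # our own encoding
    return value, mask, result


def compile_acl(acl: List[Ace]) -> List[VMR]:
    return [ace_to_vmr(a, i) for i, a in enumerate(acl)]


def build_key(proto: str, src: str, dst: str) -> List[int]:
    return [_ip(src), PROTO_NUM[proto] << 24, 0, _ip(dst), 0]


def tcam_lookup(vmrs: List[VMR], key: List[int]) -> Tuple[Optional[int], Optional[int]]:
    """Ternary match, priority = entry order; (None, None) means no hit (implicit deny)."""
    for n, (value, mask, result) in enumerate(vmrs):
        if all((k & m) == v for k, v, m in zip(key, value, mask)):
            return n, result
    return None, None


def evaluate(acl: List[Ace], proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    n, result = tcam_lookup(compile_acl(acl), build_key(proto, src, dst))
    if n is None:
        return "deny", None
    return ("permit" if result & 0x80000000 else "deny"), n


def shadowed(acl: List[Ace]) -> List[int]:
    """Indices of ACEs that can never be hit: an earlier entry cares about a subset
    of their bits and agrees on every one of them, so it always matches first."""
    vmrs = compile_acl(acl)
    dead = []
    for j, (vj, mj, _) in enumerate(vmrs):
        for vi, mi, _ in vmrs[:j]:
            if all((m_i & ~m_j) == 0 and v_i == (v_j & m_i)
                   for v_i, m_i, v_j, m_j in zip(vi, mi, vj, mj)):
                dead.append(j)
                break
    return dead


def vmr_text(vmr: VMR) -> str:
    """Render an entry in the Value / Mask / Result layout of the slides."""
    value, mask, result = vmr
    words = lambda ws: " ".join(f"{w:08x}" for w in ws)
    return f"Value: {words(value)}\nMask:  {words(mask)}\nResult: {result:08x}"


# The 'ipacl' from the ZBF sample config.
IPACL = parse_acl("""
deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.127
deny ip 10.0.0.0 0.0.0.255 172.16.0.128 0.0.0.127
permit tcp any any
deny udp 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.127
permit udp any any
permit icmp any any
""")
# Constructed stand-in for the NAT 'pat' list (inside subnet of GigabitEthernet0/0/2).
PAT_ACL = parse_acl("permit ip 172.18.25.0 0.0.0.255 any")

if __name__ == "__main__":
    print(vmr_text(compile_acl(PAT_ACL)[0]))
    print(evaluate(IPACL, "tcp", "10.0.0.5", "172.16.0.130"), "shadowed:", shadowed(IPACL))
```

Running it reproduces the ac121900 / ffffff00 word of the nat-cg:1001 entry from the stand-in pat list and reports ACE 3 of ipacl (deny udp 10.0.0.0/24 → 172.16.0.0/25) as dead: the first deny ip already covers it, which is the kind of shadowed entry that makes a firewall policy read differently from how the TCAM evaluates it.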
NAT Pool Management
[Figure: RP (IOS, Forwarding Manager) to ESP (FECP, Chassis Manager, Forwarding Manager, drivers) over the EOBC (1 Gbps), then into the QFP (PPEs, BQS, Crypto Assist, TCAM, DRAM).]
sh platform hardware qfp active feature nat datapath pool
pool_id 1 type 1 addroute 0 mask 0xfffffff0 allocated 0 misses 0 rotary idx 0x0 ahash sz 8 size 6 next 0x0 hash_index 0xd7, hilo ports 0x0 pool mem 0x8de7f860 flags 0x1 pat_wl 0 no_ports_wl 0 num_maps 0
Conf block info
start 172.18.25.10 end 172.18.25.15 flags 0x0 next 0x0
Free block info
start 172.18.25.10 end 172.18.25.15 flags 0x0 next 0x0
TCP PAT block info
UDP PAT block info
ICMP PAT block info
GRE PAT block info
Alloced addr info
NAT Pool Management
show platform software nat f0 pool-stats id 1
Start: 172.18.25.10, End: 172.18.25.15
Last stats update: 04/03 15:50:56.944
Last refcount value: 0
[Figure: ESP/QFP block diagram (Input FIA, Output FIA, Packet Processor Engine Complex with PPE threads, BQS, Crypto); NAT steps shown after OUTPUT_NAT: Classification (ACL then Route-Map), Bind DB, Allocate Addr, Drop]
IOS 3.14
Unified show memory platform summary
• Simplified memory consumption
• Currently limited to RP memory
• This is a Linux level view; no process details

show memory platform summary
Total number of processes: 134
Virtual memory : 2822197248
Pages resident : 360197
Major page faults: 1921
Minor page faults: 1290831
Memory (kB)
Physical : 4127744
Total : 3874992
Used : 2231964
Free : 1643028
Active : 1438412
Inactive : 694176
…
IOS 3.14
Unified show process memory platform
Will display control plane memory usage
Linux memory mapping
Not a sinecure
Source: https://techtalk.intersec.com/2013/07/memory-part-2-understanding-process-memory/
IOS 3.14
View of a Linux process memory
IOS 3.14
Process memory mapping
IOS 3.14
Unified show process CPU platform
IOS 3.14
A Unix “top” command
ASR-1006# show processes cpu platform monitor location <the CPU you want>
ASR-1006# show processes cpu platform monitor location fp active
Here: the FECP