Configuring a Device to Obtain Packet Headers Sent to its CPU

This section describes how to configure a device to obtain packet headers sent to its central processing unit (CPU).

Usage Scenario

When CPUs process a large number of packets, their usage becomes high and performance deteriorates. In this situation, the CPUs may not process services properly. To resolve this problem, configure the devices to obtain packet headers sent to their CPUs based on specified filter criteria. Then analyze the obtained packet headers to locate network faults.

Before using an access control list (ACL) as filter criteria, you must create it. For details about ACL configurations, see the chapter "ACL Configuration" in the NetEngine 8000 F Configuration Guide - IP Services.

Pre-configuration Tasks

Before configuring a device to obtain packet headers sent to its CPU, complete the following tasks:

Configure link layer protocol parameters for interfaces to ensure that the link layer protocol on the interfaces is Up.
Create an ACL.

Procedure

(Optional) Configure an ACL rule.
After an ACL rule is configured, the packet headers that match the ACL rule can be obtained.
With the packet header getting function, packets are processed as follows:
- If packets match the ACL rule with the permit action, the packet headers are obtained.
- If packets match the ACL rule with the deny action, the packet headers are dropped and are not forwarded, which causes service interruptions.
- If packets match no ACL rule, the packet headers are not obtained but forwarded.
- If an ACL rule that does not really exist or an ACL in which no rule is defined applies to a list, the packet headers to be sent to the CPU are not obtained but forwarded.
- If packets match an ACL rule, the vpn-instance vpn-instance-name parameter configured in the rule does not take effect.
- Configuring a Basic ACL
  1. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]
    A basic ACL is created and the view of the basic ACL is displayed.
  2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] ^*
    A rule for the basic ACL is configured.
- Configuring an Advanced ACL
  1. Run acl { name advance-acl-name [ advance | [ advance ] number advance-acl-number ] | [ number ] advance-acl-number } [ match-order { config | auto } ]
    An advanced ACL is created and the view of the advanced ACL is displayed.
  2. Configuring rules for the advanced ACL.
    1. For TCP protocol, Run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] ^* ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | { tcp-flag | syn-flag } { tcp-flag [ mask mask-value ] | established |{ ack [ fin | psh | rst | syn | urg ] ^* } | { fin [ ack | psh | rst | syn | urg ] ^* } | { psh [ fin | ack | rst | syn | urg ] ^* } | { rst [ fin | psh | ack | syn | urg ] ^* } | { syn [ fin | psh | rst | syn | urg ] ^* } | { urg [ fin | psh | rst | syn | urg ] ^* } } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] ^*
    2. For UDP protocol, Run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] ^* ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] ^*
    3. For ICMP protocol, Run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmp } [ [ dscp dscp | [ precedence precedence | tos tos ] ^* ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | icmp-type { icmp-name | icmp-type [ to icmp-type-end ] [ icmp-code ] } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] ^*
    4. For other protocols, Run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | gre | ip | ipinip | igmp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] ^* ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] ^*
- Configuring a Layer 2 ACL
  1. Run acl { name link-acl-name { link | [ link ] number link-acl-number } | [ number ] link-acl-number } [ match-order { config | auto } ]
    A Layer 2 ACL is created and the view of the Layer 2 ACL is displayed.
  2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ type type [ type-mask ] | source-mac source-mac [ source-mac-mask ] | destination-mac dest-mac [ dest-mac-mask ] | 8021p 8021p | cvlan-8021p cvlan-8021p | time-range time-name ] ^*
    A rule for the Layer 2 ACL is configured.
- Configuring a Basic ACL6
  1. Run acl ipv6 { name basic-acl6-name basic | [ number ] basic-acl6-number } [ match-order { config | auto } ]
    A basic ACL6 is created and the view of the basic ACL6 is displayed.
  2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment | source { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] ^*
    A rule for the basic ACL6 is configured.
- Configuring an Advanced ACL6
  1. Run acl ipv6 { name advance-acl6-name [ advance | [ advance ] number advance-acl6-number ] | [ number ] advance-acl6-number } [ match-order { config | auto } ]
    An advanced ACL6 is created and the view of the advanced ACL6 is displayed.
  2. Configuring an Advanced ACL6
    1. For TCP protocol, Run rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] ^* ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } source-pool source-pool-name } | source-port operator port | tcp-flag { tcp-flag [ mask mask-value ] | established | { ack | fin | psh | rst | syn | urg } ^* } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] ^*
    2. For UDP protocol, Run rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] ^* ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } source-pool source-pool-name } | source-port operator port | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] ^*
    3. For ICMP protocol, Run rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | icmpv6 } [ [ dscp dscp | [ precedence precedence | tos tos ] ^* ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmp6-type { icmp6-type-name | icmp6-type [ to icmp6-type-end ] [ icmp6-code ] } | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] ^*
    4. For other protocols, Run:
      
      rule [ rule-id ] [ name rule-name ] { permit | deny } { hoport [ option-code option-value ] | 1 | 5 | protocol | gre | ipv6 | ipv6-frag | ipv6-ah | ipv6-esp | ospf | 7-16 | 18-42 | { 43 | ipv6-routing } [ routing-type routing-number ] | 44-57 | 59 | { 60 | ipv6-destination } [ option-code option-value ] | 61-255 } [ destination { destination-ipv6-address prefix-length | dest-ipv6-addr-prefix | any } | fragment | { source { source-ipv6-address prefix-length | src-ipv6-addr-prefix | any } | source-pool source-pool-name } | time-range time-name | [ dscp dscp | [ precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } | tos { tos | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } ] ^* ] | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] ^*
Run capture-packet local-host
The device is enabled to obtain packet headers sent to its CPU. For details about the command format, see Command Reference > Security Commands > Packet Header Obtaining Configuration Commands > capture-packet local-host.
- The timeout time (time-value) and number of obtained packet headers (packet-number) are set for a packet header obtaining instance. If the specified timeout time expires or if the device obtains the specified number of packet headers, packet header obtaining ends.
- When configuring parameters for a packet header obtaining instance, set the parameter values based on the traffic volume on the target interface. If the interface receives many packets, specify a small value for time-value and a large value for packet-number. If the interface receives only a few packet headers, specify a large value for time-value and a small value for packet-number.
- If you specify file, the device saves packet header obtaining information to a packet header obtaining file. If you specify terminal, the device displays packet header obtaining information on a terminal screen. When you specify file, the device can save packet header obtaining information only to one 2 MB packet header obtaining file each time packet header obtaining ends. If the size of packet header obtaining information exceeds 2 MB, the device discards excess information.
- Obtaining packet headers sent to CPUs has no impact on system performance.
(Optional) Run capture-packet file limit limit-value
The maximum number of packet header obtaining files (with a suffix name .cap) in the packet header obtaining directory is set. This command is supported only on the Admin-VS.

Result

Run the display capture-packet config-state command to check the configuration of obtaining packet headers sent to the CPU. The configuration includes the packet header getting index and packet header getting file name.
Run the display capture-packet file file-name [ original-packet ] command to check information about the packet header getting file.
Run the display capture-packet information [ instance-id instance-id [ from begin-packet-number [ to end-packet-number ] ] [ format-cap ] [ verbose ] ] command to check information about the packet header getting instance.