Configuring a Device to Obtain Forwarded Packet Headers

This section describes how to configure a device to obtain forwarded packet headers.

Usage Scenario

If you notice that voice or video quality deteriorates during network maintenance, configure the devices to obtain forwarded packet headers based on specified filter criteria. Then analyze the obtained packet headers to locate network faults.

Before using an access control list (ACL) as filter criteria, you must create it. For details about ACL configurations, see the chapter "ACL Configuration" in the NetEngine 8000 F Configuration Guide - IP Services.

Pre-configuration Tasks

Before configuring a device to obtain forwarded packet headers, complete the following tasks:

  • Configure link layer protocol parameters for interfaces to ensure that the link layer protocol on the interfaces is Up.
  • Create an ACL.

Procedure

  • (Optional) Configure an ACL rule.

    After an ACL rule is configured, the packet headers that match the ACL rule can be obtained.

    When packet headers are obtained based on an ACL, packet headers are processed as follows:
    • If packets match the ACL rule with the permit action, the packet headers are obtained.
    • If packets match the ACL rule with the deny action, the packet headers are dropped and are not forwarded, which causes service interruptions.
    • If packets match no ACL rule, the packet headers are not obtained but forwarded.
    • If the applied ACL rule does not exist or the applied ACL has no rule defined, the packet headers to be sent to the CPU are not obtained but forwarded.
    • If packets match an ACL rule, the vpn-instance vpn-instance-name parameter configured in the rule does not take effect.

    • Configuring a Basic ACL

      1. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]

        A basic ACL is created and the view of the basic ACL is displayed.

      2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

        A rule for the basic ACL is configured.

    • Configuring an Advanced ACL

      1. Run acl { name advance-acl-name [ advance | [ advance ] number advance-acl-number ] | [ number ] advance-acl-number } [ match-order { config | auto } ]

        An advanced ACL is created and the view of the advanced ACL is displayed.

      2. Configure rules for the advanced ACL.
        1. For TCP, run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | { tcp-flag | syn-flag } { tcp-flag [ mask mask-value ] | established | { ack [ fin | psh | rst | syn | urg ] * } | { fin [ ack | psh | rst | syn | urg ] * } | { psh [ fin | ack | rst | syn | urg ] * } | { rst [ fin | psh | ack | syn | urg ] * } | { syn [ fin | psh | rst | syn | urg ] * } | { urg [ fin | psh | rst | syn | urg ] * } } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

        2. For UDP, run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

        3. For ICMP, run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | icmp-type { icmp-name | icmp-type [ to icmp-type-end ] [ icmp-code ] } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

        4. For other protocols, run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | gre | ip | ipinip | igmp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

    • Configuring a Layer 2 ACL

      1. Run acl { name link-acl-name { link | [ link ] number link-acl-number } | [ number ] link-acl-number } [ match-order { config | auto } ]

        A Layer 2 ACL is created and the view of the Layer 2 ACL is displayed.

      2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ type type [ type-mask ] | source-mac source-mac [ source-mac-mask ] | destination-mac dest-mac [ dest-mac-mask ] | 8021p 8021p | cvlan-8021p cvlan-8021p | time-range time-name ] *

        A rule for the Layer 2 ACL is configured.

    • Configuring an MPLS-based ACL

      1. Run acl { name mpls-acl-name { mpls | [ mpls ] number mpls-acl-number } | [ number ] mpls-acl-number }

        An MPLS-based ACL is created and the view of the MPLS-based ACL is displayed.

      2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ exp { exp-value | any } &<1-4> | label { label-value | any } &<1-4> | ttl { { lt | eq | gt } ttl-value | range ttl-value1 ttl-value2 | any } &<1-3> ] *

        A rule for the MPLS-based ACL is configured.

    • Configuring a Basic ACL6

      1. Run acl ipv6 { name basic-acl6-name basic | [ number ] basic-acl6-number } [ match-order { config | auto } ]

        A basic ACL6 is created and the view of the basic ACL6 is displayed.

      2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment | source { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

        A rule for the basic ACL6 is configured.

    • Configuring an Advanced ACL6

      1. Run acl ipv6 { name advance-acl6-name [ advance | [ advance ] number advance-acl6-number ] | [ number ] advance-acl6-number } [ match-order { config | auto } ]

        An advanced ACL6 is created and the view of the advanced ACL6 is displayed.

      2. Configure rules for the advanced ACL6.

        1. For TCP, run rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | { source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | source-port operator port | tcp-flag { tcp-flag [ mask mask-value ] | established | { ack | fin | psh | rst | syn | urg } * } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

        2. For UDP, run rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | { source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | source-port operator port | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

        3. For ICMP, run rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | icmpv6 } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmp6-type { icmp6-type-name | icmp6-type [ to icmp6-type-end ] [ icmp6-code ] } | { source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

        4. For other protocols, run:

          rule [ rule-id ] [ name rule-name ] { permit | deny } { hoport [ option-code option-value ] | 1 | 5 | protocol | gre | ipv6 | ipv6-frag | ipv6-ah | ipv6-esp | ospf | 7-16 | 18-42 | { 43 | ipv6-routing } [ routing-type routing-number ] | 44-57 | 59 | { 60 | ipv6-destination } [ option-code option-value ] | 61-255 } [ destination { destination-ipv6-address prefix-length | dest-ipv6-addr-prefix | any } | fragment | { source { source-ipv6-address prefix-length | src-ipv6-addr-prefix | any } | source-pool source-pool-name } | time-range time-name | [ dscp dscp | [ precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } | tos { tos | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } ] * ] | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

  • Run capture-packet forwarding interface { interface-type interface-num | interface-name } [ inbound | outbound ] [ vlan vlan-id [ to vlan-id ] | pvlan pe-vlan-value cvlan ce-vlan-value [ to vlan-id ] ] [ [ ipv6 ] acl { acl-number | name acl-name } ] [ [ time-out time-out ] | [ packet-num packet-number ] | [ overwrite ] | [ packet-len length ] | { [ file file-name [ filesize ] ] | [ buffer-only ] } ] *

    The device is enabled to obtain forwarded packet headers.

    • The timeout period (time-value) and the number of obtained packet headers (packet-number) are set for a packet header obtaining instance. Packet header obtaining ends when the specified timeout period expires or when the device has obtained the specified number of packets.
    • To control the rate at which a device obtains forwarded packet headers, set the cir parameter in the car command to limit the packet header forwarding bandwidth. The default value of the cir parameter is 2 Mbit/s. A larger value of the cir parameter indicates a higher packet header forwarding bandwidth and a higher packet header obtaining rate.

    • When configuring parameters for a packet header obtaining instance, set the parameter values based on the traffic volume on the target interface. If the interface receives many packets, specify a small value for time-value and a large value for packet-number. If the interface receives only a few packets, specify a large value for time-value and a small value for packet-number.

    Enabling the function of obtaining forwarded packet headers affects device forwarding performance. Therefore, exercise caution when you enable the device to obtain forwarded packet headers.

  • (Optional) Run capture-packet file limit limit-value

    The maximum number of packet header obtaining files (with the .cap file name extension) in the packet header obtaining directory is set.
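
The ACL handling rules in the procedure above are worth checking before a capture is enabled on a live interface, because a deny rule in the capture filter drops traffic. The following added example (not Huawei code) models those outcomes for a subset of the basic ACL rule syntax and lists the deny rules to review. It assumes every rule carries an explicit rule ID and that rules are matched in ascending rule-ID order; the sample ACL and addresses are constructed.

```python
import ipaddress
import re

# Subset of the basic ACL rule syntax shown on this page (rule-id required here):
#   rule rule-id { deny | permit } source { source-ip-address { source-wildcard | 0 } | any }
RULE_RE = re.compile(
    r"^rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+source\s+"
    r"(?:(?P<any>any)|(?P<ip>\d+(?:\.\d+){3})\s+(?P<wild>\d+(?:\.\d+){3}|0))$"
)

def parse_rules(text):
    """Parse rule lines into (rule_id, action, ip, wildcard), sorted by rule ID."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        if m["any"]:
            ip, wild = 0, 0xFFFFFFFF            # every bit is "don't care"
        else:
            ip = int(ipaddress.IPv4Address(m["ip"]))
            # A wildcard of 0 means an exact host match.
            wild = 0 if m["wild"] == "0" else int(ipaddress.IPv4Address(m["wild"]))
        rules.append((int(m["id"]), m["action"], ip, wild))
    return sorted(rules)  # assumption: ascending rule-ID match order

def capture_outcome(rules, src):
    """Outcome for a packet from src, following the handling rules on this page."""
    addr = int(ipaddress.IPv4Address(src))
    for _rid, action, ip, wild in rules:
        if ((addr ^ ip) & ~wild & 0xFFFFFFFF) == 0:   # first matching rule decides
            return "captured" if action == "permit" else "dropped"
    # No matching rule, or an ACL with no rules: forwarded, header not obtained.
    return "forwarded-not-captured"

def deny_rules(rules):
    """Rule IDs that would drop traffic if this ACL is used as a capture filter."""
    return [rid for rid, action, _ip, _wild in rules if action == "deny"]

# Constructed sample ACL, deliberately listed out of rule-ID order.
SAMPLE_ACL = """
rule 10 deny source 10.1.2.7 0
rule 5 permit source 10.1.1.0 0.0.0.255
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_ACL)
    for src in ("10.1.1.20", "10.1.2.7", "192.0.2.1"):
        print(src, capture_outcome(rules, src))
    print("deny rules to review before capture:", deny_rules(rules))
```
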

Result

  • Run the display capture-packet config-state command to check the configuration for obtaining forwarded packet headers. The configuration includes the packet header obtaining index and the packet header obtaining file name.

  • Run the display capture-packet file file-name [ original-packet ] command to check information about the packet header obtaining file.

  • Run the display capture-packet information [ instance-id instance-id [ from begin-packet-number [ to end-packet-number ] ] [ format-cap ] [ verbose ] ] command to check information about the packet header obtaining instance.
Copyright © Huawei Technologies Co., Ltd.