How do you trace traffic flows using access-list accounting?


Information

Environment
NOS all versions
VDX 6710, 6720, 6730: inbound only
VDX 6740, 8770: inbound and outbound

Answer

In scenarios where packet drops are seen, it is often helpful to use the access-list accounting feature to trace flows in order to isolate problems.
Access-list accounting works by creating an access-list with specific clauses to count the specific flows of interest, plus a catch-all permit any any clause, which is essential to prevent the implicit deny clause from actually dropping traffic. The count argument is appended to a clause to make accounting take effect. It must in fact be added to all clauses in the access-list, including the catch-all, or counts will not be displayed.

Access-lists can be applied at L2 (mac access-list), L3 (ip access-list) or L4 (ip access-list with tcp/udp clauses).

Generally, use L2 access-lists where the VDX is L2 switching the flows and at least one MAC address of the flow is an end host. L2 access-lists are usually not a good fit where a flow is routed, because the source/destination MAC pair is then not unique to that flow (every flow through the same router shares the router's MAC), so it will be hard to isolate the flow in question.

Use L3 access-lists in routed environments, particularly when the problem is suspected at the network layer to a particular host rather than at the application layer. When a problem is suspected at the application layer, certain traffic between the same IP endpoints may be delivered without loss (e.g. ping traffic) while upper-layer traffic sees drops (e.g. the TCP handshake). In such cases it is definitely better to use a specific layer-4 access-list if possible, so that the counters separate the protocols instead of summing them in a single clause.

Once the desired approach has been chosen, the next stage is to configure the access-list and apply it to the interface(s) connected to the endpoints. Identify these interfaces from the MAC, ARP or routing table with the show mac-address-table <address>, show ip arp or show ip route <network> commands.

An example below shows an access-list created to trace a flow and applied to a port-channel interface.

switch(config)# ip access-list extended traceflow1-2
switch(conf-ip-ext)# seq 10 permit ip host 172.1.1.1 host 172.1.1.2 count
switch(conf-ip-ext)# seq 20 permit ip host 172.1.1.2 host 172.1.1.1 count
switch(conf-ip-ext)# seq 30 permit ip any any count
switch(conf-ip-ext)# exit
switch(config)# interface PO1
switch(config-PO1)# ip access-group traceflow1-2 in
switch(config-PO1)# ip access-group traceflow1-2 out

Traffic is counted using the show statistics access-list command:
Switch# show statistics access-list ip traceflow1-2 interface port-channel 1 in
Switch# show statistics access-list ip traceflow1-2 interface port-channel 1 out

N.B. Normal access-list rules apply: access-lists cannot be applied to fabric ISL ports, only to edge ports, and the out direction is only supported on the VDX 6740 and 8770 (the VDX 6710, 6720 and 6730 support inbound access-groups only, so on those platforms only the in direction can be counted).
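As an added example (not part of the original article), the same pair of hosts traced with the two other access-list types the article describes: an L2 mac access-list for the switched case, and an L4 ip access-list that separates ICMP from TCP so the "ping works but the TCP handshake drops" case can be seen in the counters. The MAC addresses, IP addresses, port 443 and the PO1 interface are assumed for illustration; confirm the exact clause syntax against the NOS command reference for the release in use. Lines starting with ! are comments.

```text
! --- L2: the VDX is switching the flow and 172.1.1.1 is an end host ---
! Both directions are counted; every clause, including the catch-all,
! carries count or no counters are shown.
switch(config)# mac access-list extended traceflow1-2-l2
switch(conf-macl-ext)# seq 10 permit host 0005.1e00.0001 host 0005.1e00.0002 count
switch(conf-macl-ext)# seq 20 permit host 0005.1e00.0002 host 0005.1e00.0001 count
switch(conf-macl-ext)# seq 30 permit any any count
switch(conf-macl-ext)# exit
switch(config)# interface PO1
switch(config-PO1)# mac access-group traceflow1-2-l2 in
switch(config-PO1)# exit

! --- L4: same IP endpoints, but ICMP, TCP/443 and "anything else" are
! counted in separate clauses. Order matters: the first matching clause
! counts the packet, so the specific clauses go before the broad ones.
switch(config)# ip access-list extended traceflow1-2-l4
switch(conf-ip-ext)# seq 10 permit icmp host 172.1.1.1 host 172.1.1.2 count
switch(conf-ip-ext)# seq 20 permit icmp host 172.1.1.2 host 172.1.1.1 count
switch(conf-ip-ext)# seq 30 permit tcp host 172.1.1.1 host 172.1.1.2 eq 443 count
switch(conf-ip-ext)# seq 40 permit tcp host 172.1.1.2 eq 443 host 172.1.1.1 count
! Any other protocol between the two hosts lands here, not in the catch-all,
! so traffic between the endpoints is never misattributed to "other".
switch(conf-ip-ext)# seq 50 permit ip host 172.1.1.1 host 172.1.1.2 count
switch(conf-ip-ext)# seq 60 permit ip host 172.1.1.2 host 172.1.1.1 count
! Catch-all: keeps the implicit deny from dropping everything else.
switch(conf-ip-ext)# seq 70 permit ip any any count
switch(conf-ip-ext)# exit
switch(config)# interface PO1
switch(config-PO1)# ip access-group traceflow1-2-l4 in
switch(config-PO1)# exit
switch(config)# exit

! Read the counters (in direction only, so this also works on the
! inbound-only VDX 6710/6720/6730).
switch# show statistics access-list mac traceflow1-2-l2 interface port-channel 1 in
switch# show statistics access-list ip traceflow1-2-l4 interface port-channel 1 in
```

When reading the L4 counters, take two snapshots a known interval apart and compare the deltas per sequence number rather than the absolute values. If seq 10 and 20 (ICMP) both increment while seq 30 (client SYN) increments and seq 40 (server SYN-ACK) stays flat, the loss is specific to the TCP path and is either on the server side or on a device between this interface and the server, which is exactly the distinction a single permit ip clause would hide.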
