In scenarios where packet drops are seen, it is often helpful to use the access-list accounting feature to trace flows in order to isolate problems.
Access-list accounting works by creating an access-list with specific clauses to count the specific flows of interest, as well as a catch-all permit any any clause, which is essential to prevent the implicit deny clause from actually dropping traffic. The count argument is appended to a clause in order to make accounting take effect (it must in fact be added to all clauses in the access-list, or else counts will not be displayed).
Access-lists can be applied as L2 (mac access-lists), L3 (ip access-list) or L4 (ip access-list with udp/tcp clauses).
Generally, use L2 access-lists where the VDX is L2 switching the flows and at least one MAC address of the flow is an end host. L2 access-lists are usually not a good use case where a flow is routed and the source/destination MAC pair is not unique to this flow, as it will be hard to isolate the flow in question.
Use L3 access-lists in routed environments, particularly when the problem is suspected at the network layer to a particular host rather than at the application layer. When a problem is suspected at the application layer, it can mean that certain traffic between the same IP endpoints is sent without loss (e.g. ping traffic) while upper-layer traffic has drops (e.g. the TCP handshake). In such cases it is definitely better to use a specific layer-4 access-list if possible.
Once the desired approach has been chosen, the next stage is to configure the access-list and apply it to the interface connected to the endpoints. These interfaces should be identified by looking at the MAC, ARP or routing table through the show mac-address-table <address>, show ip arp or show ip route <network> command.
An example below shows an access-list created to trace a flow and applied to a port-channel interface.
switch(config)# ip access-list extended traceflow1-2
switch(conf-ip-ext)# seq 10 permit ip host 126.96.36.199 host
switch(conf-ip-ext)# seq 20 permit ip host
switch(conf-ip-ext)# seq 30 permit any any count
ip access-group traceflow1-2 in
ip access-group traceflow1-2 out
Traffic is counted using the show statistics access-list command:
Switch# show statistics access-list ip traceflow1-2 interface port-channel 1 in
Switch# show statistics access-list ip traceflow1-2 interface port-channel 1 out
N.B. Normal access-list rules apply, and access-lists cannot be applied to fabric ISL ports, only to edge ports.
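The counters above are only useful once compared: frames counted by the flow clause on the ingress edge port (facing the sender) that never appear on the egress edge port (facing the receiver) were dropped in between. The following Python is an added helper, not part of this document or of Brocade NOS; the counter line format it parses and the addresses 10.1.1.10 / 10.2.2.20 are constructed assumptions, so adapt ACL_LINE to the actual output of your release.

```python
import re

# ASSUMED counter line format (constructed, not verified against real NOS output):
#   seq <n> <clause> count (<frames> frames)
ACL_LINE = re.compile(r"^\s*seq\s+(\d+)\s+(.+?)\s+count\s+\((\d+)\s+frames\)\s*$")

def parse_acl_counters(text):
    """Return {seq: (clause, frames)} for every counted clause in one capture."""
    counters = {}
    for line in text.splitlines():
        m = ACL_LINE.match(line)
        if m:
            counters[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return counters

def delta(before, after):
    """Counters are cumulative: subtract two captures of the same interface/direction."""
    return {seq: (clause, after[seq][1] - frames)
            for seq, (clause, frames) in before.items() if seq in after}

def loss_for_clause(ingress, egress, seq):
    """Frames entering vs leaving for one clause; positive 'lost' = dropped by the switch."""
    clause, seen_in = ingress[seq]
    seen_out = egress.get(seq, (clause, 0))[1]
    return {"seq": seq, "clause": clause, "in": seen_in, "out": seen_out,
            "lost": seen_in - seen_out}

def trace_flow(ingress_text, egress_text, seq):
    """Parse both captures and report the clause that matches the traced direction."""
    return loss_for_clause(parse_acl_counters(ingress_text),
                           parse_acl_counters(egress_text), seq)

# Constructed captures: flow 10.1.1.10 -> 10.2.2.20 enters on port-channel 1 (in)
# and should leave on port-channel 2 (out). Only seq 10 matches that direction;
# the catch-all (seq 30) legitimately exits on many other ports, so ignore it.
INGRESS = """ip access-list traceflow1-2 interface port-channel 1 in
 seq 10 permit ip host 10.1.1.10 host 10.2.2.20 count (1520 frames)
 seq 20 permit ip host 10.2.2.20 host 10.1.1.10 count (3 frames)
 seq 30 permit any any count (884211 frames)
"""
EGRESS = """ip access-list traceflow1-2 interface port-channel 2 out
 seq 10 permit ip host 10.1.1.10 host 10.2.2.20 count (1390 frames)
 seq 20 permit ip host 10.2.2.20 host 10.1.1.10 count (0 frames)
 seq 30 permit any any count (120045 frames)
"""

if __name__ == "__main__":
    r = trace_flow(INGRESS, EGRESS, 10)
    print(f"seq {r['seq']} {r['clause']}: in={r['in']} out={r['out']} lost={r['lost']}")
```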