• Status: Solved

How do you trace a packet through a router/switch?

I get confused trying to follow packets through a router/switch.

I use commands such as sh arp, sh mac-address-table, etc., but a lot of times I have trouble determining the exact ingress interface, the intermediate svi, etc., and egress port.

Is there an easy way to do this?

For example I have ip 10.192.X.X and I sh arp and get the mac address and vlan xxx but the physical interface and int vlanxxx is not listed.
I then do sh mac-address-table | inc xxx.xxx.xxx to get the physical interface but it shows up as P09 an etherchannel port.
I then do sh etherchannel summary and find that P09 is ports gi1/2/14 and 15
9      Po9(SU)          -        Gi1/2/14(P)    Gi1/2/15(P)

Now I do a sh cdp neighbor gi1/2/14 and 15 to find out the destination switch.

To look at the svi I have to assume the interface is the same number as the vlan and use the command sh ip int br and look for the vlanxxx

I have come a long way just to do this but if someone could fill in any gaps I have or some tips on how to determine the path a packet would take through a switch that would be greatly appreciated.

Asked:
Dragon0x40
6 Solutions
 
Don Johnston (Instructor) commented:
First off, if you're using private addressing, there's really no need to hide part of the address.

And what's the platform? Sounds like a multilayer switch but it would be nice to know for sure.

That said, the "sh arp" gives you the MAC and local layer 3 interface.

The "show mac.." tells you the device is out the Po9 etherchannel interface.

That's all you're going to be able to tell until you do a "show mac..." on whatever is connected to the Po9 interface. If these are Cisco devices and CDP is running, a "show cdp neighbor" will tell you what's out there.




0
 
Dragon0x40 (Author) commented:
thanks donjohnston,

I am slowly putting things together but what I am looking for is a step by step walk through a L3 switch tracing a packet and the associated commands to determine what that path would be. Something along the lines of http://warriorsofthe.net but it does not have to be as fancy.

I know if it is not already written then that is a lot of work but I assumed that somebody has probably already written it.

I have good days where I can trace macs around and find the device I am looking for and then bad days where several macs show up on an interface or the vss switch confuses me as to what the physical interface is.
0
 
Don Johnston (Instructor) commented:
But you already have it...

The only piece that hasn't been covered is if the device is on a different network. Then you'll need to consult the routing table to determine the next hop address.

Unless I misunderstand what you want.
0
 
Dragon0x40 (Author) commented:
My understanding starts breaking down when I try to visualize the process.
Say a packet comes into the router with a destination address of 10.10.10.10.
The route table says:
sh ip route xxx.xxx.xxx.10
Routing entry for 10.10.10.10/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan10
      Route metric is 0, traffic share count is 1
How does that tell the packet where to go?
you can't do a sh ip route Vlan10?
Does the router then arp for who has 10.10.10.10 and discover the mac address?
Then with the mac consult the mac table to see what interface the packet should be sent out?
Is it a frame or a packet at that point?
When and how does the vlan 10 tag get put on the frame/packet?

These are the things that I need help understanding.
0
 
Don Johnston (Instructor) commented:
>How does that tell the packet where to go?

The packet doesn't "know" where to go. Anymore than an envelope "knows" where to go. The "knowing" is the job of the router.

The router takes the destination IP address and does a routing table lookup finding the longest match in the routing table. In the case of a destination IP address of 10.10.10.10, the router would match it (in your case) to the entry 10.10.10.0/24. Which would tell the router that the packet is going to a network that is "directly connected" to the VLAN10 interface.

At this point the router would need to build an ethernet frame around the packet with the destination MAC of the device.

The router will now look in its ARP cache for an entry for the 10.10.10.10 device. If an entry is present, that MAC address will be the destination MAC of the frame. If it's not in the cache, the router will ARP the device and once it gets the response, it will build the frame.

>you can't do a sh ip route Vlan10?

No. VLAN10 isn't a network, it's an interface (that connects to a network). If you want to know what network, do a "show ip route conn" and see what network is "directly connected" to the VLAN 10 interface.

>Does the router then arp for who has 10.10.10.10 and discover the mac address?
 
If it doesn't already have the entry in the ARP cache.

>Then with the mac consult the mac table to see what interface the packet should be sent out?

If it's a multilayer switch, yes.

>Is it a frame or a packet at that point?

Once the router builds the frame around the packet, it's a frame.

>When and how does the vlan 10 tag get put on the frame/packet?

If the physical interface is a trunk, the ethernet frame gets the tag added to it.

Here's what's complicating things. You're trying to understand switching, routing, and trunking simultaneously. That would be like being a non-English speaker and learning English and math from textbooks written in English.

You would be MUCH better off to first understand layer 2 switching.

Then learning how trunking works in a switched environment.

And finally learning how routing works.


0
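
The lookup chain described in the answer above (routing table, ARP cache, MAC table, EtherChannel members, trunk tagging), modelled as an added example that is not part of the original thread or any poster's code. Every table entry, the next-hop addresses and the `trace` function are constructed assumptions; only the names Vlan10, Po9, Gi1/2/14 and Gi1/2/15 come from the posts.

```python
import ipaddress

# Constructed sample tables (not real device output); names mirror the thread.
ROUTES = [  # (prefix, next hop or None when directly connected, egress SVI)
    ("10.10.10.0/24", None, "Vlan10"),
    ("10.192.0.0/16", "10.10.10.254", "Vlan10"),
    ("0.0.0.0/0", "10.20.0.1", "Vlan20"),
]
ARP = {"10.10.10.10": "0011.2233.4455", "10.10.10.254": "00aa.bbcc.ddee"}
MAC_TABLE = {(10, "0011.2233.4455"): "Po9", (10, "00aa.bbcc.ddee"): "Gi1/2/3"}
PORT_CHANNELS = {"Po9": ["Gi1/2/14", "Gi1/2/15"]}
TRUNK_NATIVE_VLAN = {"Po9": 1}  # ports absent here are access ports


def trace(dst):
    """Return the forwarding decisions for one destination IP, step by step."""
    addr = ipaddress.ip_address(dst)
    # 1. Routing table: longest matching prefix wins ("sh ip route <dst>").
    hits = [(ipaddress.ip_network(p), nh, svi) for p, nh, svi in ROUTES
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return {"result": "drop: no route"}
    net, next_hop, svi = max(hits, key=lambda h: h[0].prefixlen)
    vlan = int(svi[len("Vlan"):])      # the SVI number is the VLAN ID
    target = next_hop or dst           # connected route: resolve the host itself
    out = {"route": str(net), "svi": svi, "arp_for": target}
    # 2. ARP cache: IP -> destination MAC for the new frame ("sh arp").
    mac = ARP.get(target)
    if mac is None:
        return {**out, "result": "ARP request sent on " + svi}
    # 3. MAC table, scoped to the VLAN: MAC -> egress port ("sh mac-address-table").
    port = MAC_TABLE.get((vlan, mac))
    if port is None:
        return {**out, "dst_mac": mac, "result": "flood in VLAN %d" % vlan}
    # 4. EtherChannel: logical port -> physical members ("sh etherchannel summary").
    members = PORT_CHANNELS.get(port, [port])
    # 5. Tagging: only on a trunk, and not for the trunk's native VLAN.
    native = TRUNK_NATIVE_VLAN.get(port)
    tag = vlan if native is not None and vlan != native else None
    return {**out, "dst_mac": mac, "egress": port, "members": members,
            "dot1q_tag": tag, "result": "forward"}


if __name__ == "__main__":
    for ip in ("10.10.10.10", "10.192.1.1", "192.0.2.1"):
        print(ip, trace(ip))
```

The model stops at the egress port of this one switch; the next device along the path repeats the MAC-table step on its own tables.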
 
Dragon0x40 (Author) commented:
thanks donjohnston you explained that very well!

So once the router knows the next layer 3 hop address it then builds a frame around the packet?

dot1q tagging is put in the ethernet frame not the layer 3 packet! (I was confusing that)

If I deleted int vlan10 and then created interface vlan9 but gave it the ip address of 10.10.10.1 would the dot1q tags for frames be for vlan 9? In other words does the router know the vlan number associated with vlan interface by the name or is this configured somewhere?
0
 
OzNetNerd commented:
"If I deleted int vlan10 and then created interface vlan9 but gave it the ip address of 10.10.10.1 would the dot1q tags for frames be for vlan 9?"

First you would also need to make sure the client is now in VLAN9 and not VLAN 10 using the "switchport access vlan 9" command. If the client is in VLAN 9 and you change VLAN 9's IP address to 10.10.10.1, the switch will encapsulate the frame with VLAN 9's dot1q tag.

Also, if you want to trace where a packet is coming from/going to, as per Don's message above:

"The "show mac.." tells you the device is out the Po9 etherchannel interface"

Log in to the device connected to Po9 and issue the "show mac..." command again and then the output will either tell you the port the device is connected to, or, it will tell you another Po interface or another interface where a switch is plugged in to. If it is connected to another Po or another switch, log in to that and issue the "show mac..." command again. Continue doing this until you reach the end of the line and the port in the output of the command will be the port the device is connected to.
0
 
Don Johnston (Instructor) commented:
>If I deleted int vlan10 and then created interface vlan9 but gave it the ip address of 10.10.10.1 would the dot1q tags for frames be for vlan 9?

Assuming the frame was going over a trunk link, yes.

> In other words does the router know the vlan number associated with vlan interface by the name or is this configured somewhere?

The router knows the VLAN number because of the interface designation. So when you create "interface VLAN 9" and assign the IP address 10.10.10.1/24 to that interface, the router knows that the 10.10.10.0/24 network is connected to interface VLAN 9.

0
 
Dragon0x40 (Author) commented:
That the switch knows what vlan tag number to put on the frame by the vlan interface number is something I have never heard before but it makes sense.

I looked at the config for the vlan interface and no vlan number or encapsulation is set just the ip address.

I looked at the physical interfaces and they are trunks but only the native vlan was specified so I was wondering how the vlan tag number was determined and how it got placed.

Now I know. Thanks!
0
 
Don Johnston (Instructor) commented:
>I looked at the config for the vlan interface and no vlan number or encapsulation is set just the ip address.

The vlan number is after the interface type. i.e. "interface vlan 9"

>I looked at the physical interfaces and they are trunks but only the native vlan was specified so I was wondering how the vlan tag number was determined and how it got placed.

If you do a "show int trunk" and look at the second section of text from the top, you will see a section titled something like "allowed vlans". This is a listing of all the VLANs that are allowed on the trunk. The VLAN tag is determined by the VLAN membership of the frame. A frame leaving interface VLAN 9 is a member of VLAN 9 and will have a VLAN 9 tag inserted into the frame if it is sent out a trunking port.

0
 
OzNetNerd commented:
Not a problem, glad we could help.
0
 
Dragon0x40 (Author) commented:
thanks bbd00 and donjohnston,

Your answers were very helpful.
0
 
OzNetNerd commented:
All good :) By the way, don't forget to allocate the points :)

Cheers
0
