Hi, I've done a lot of packet capture etc. on the CX and I haven't found a way to analyse traffic at scale. Using "diag utils tcpdump" etc. requires the mirror to CPU, and although I'm impressed with how much it can handle, a busy 10G link causes very high CPU. Which is fair enough.
In your case you want to see the nature of the ARP packets, and not necessarily count or find a needle-sized packet in a haystack. So one possibility is to mirror to another port with a PC on it and run Wireshark with a filter on the ingress (not a display filter). While in theory you have a 100 to 1 ratio, you only want to see some of the packets. It might be enough in a sampling kind of way to see the nature of the ARP.
I haven't tried it, but can ACLs be applied to the outbound of an interface that is the destination for mirrored traffic? If so, you might be able to mirror the 100G to another, but filter all but the frames you want using an L2 ACL?
If you find anything from TAC etc., please report back for others.
Ian.
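An added example, not part of the original post or of any Aruba tooling: once a sampled capture from the mirror port has been saved as a classic pcap file, this Python script tallies ARP frames sent to a non-broadcast MAC by sender, to show where the unicast ARP is coming from. Treating "unicast" as "destination MAC is not broadcast" is an assumption, and the MAC and IP addresses in the sample frames are constructed.

```python
import socket
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def parse_arp(frame):
    """Return (dst_mac, sender_mac, sender_ip, opcode) for an Ethernet/IPv4 ARP frame, else None."""
    dst, ethertype, off = frame[:6], frame[12:14], 14
    while ethertype in (b"\x81\x00", b"\x88\xa8") and len(frame) >= off + 4:
        ethertype, off = frame[off + 2:off + 4], off + 4  # step over 802.1Q / QinQ tags
    if ethertype != b"\x08\x06" or len(frame) < off + 28:
        return None  # not ARP, or truncated by the snap length
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[off:off + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return dst, frame[off + 8:off + 14].hex(":"), socket.inet_ntoa(frame[off + 14:off + 18]), op

def unicast_arp_talkers(pcap):
    """Count ARP frames with a non-broadcast destination MAC per (sender MAC, sender IP, opcode)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic microsecond pcap file")
    talkers, pos = Counter(), 24  # records start after the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        arp = parse_arp(pcap[pos + 16:pos + 16 + incl_len])
        if arp and arp[0] != BROADCAST:
            talkers[arp[1:]] += 1
        pos += 16 + incl_len
    return talkers

def _frame(dst, src, op, spa, tpa, vlan=None):  # builds one constructed sample frame
    tag = b"\x81\x00" + struct.pack("!H", vlan) if vlan is not None else b""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + src + socket.inet_aton(spa)
    return dst + src + tag + b"\x08\x06" + arp + b"\x00" * 6 + socket.inet_aton(tpa)

HOST_A, HOST_B, GW = (bytes.fromhex(m) for m in ("020000000001", "020000000002", "0200000000fe"))
SAMPLE_FRAMES = [  # constructed: one broadcast request, three unicast requests, one unicast reply
    _frame(BROADCAST, HOST_A, 1, "10.0.0.11", "10.0.0.1"),
    *[_frame(GW, HOST_B, 1, "10.0.0.12", "10.0.0.1", vlan=20)] * 2,
    _frame(GW, HOST_B, 1, "10.0.0.12", "10.0.0.1"),
    _frame(HOST_A, GW, 2, "10.0.0.1", "10.0.0.11"),
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in SAMPLE_FRAMES)

if __name__ == "__main__":
    for (mac, ip, op), n in unicast_arp_talkers(SAMPLE_PCAP).most_common():
        print(n, mac, ip, "request" if op == 1 else "reply")
```

If the mirrored frames keep their 802.1Q tags, a plain `arp` capture filter will not match them; `arp or (vlan and arp)` matches both tagged and untagged frames.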
Original Message:
Sent: Dec 04, 2023 12:55 PM
From: David Williams
Subject: Debug or log CoPP?
I have a VSX pair of 8325 switches that are dropping arp-unicast with the CoPP set to 30,000 pps. I've been trying to find a way for a week now to log, debug, or capture that traffic to find out where it is coming from, with no success. I have a TAC case open that has been escalated, but they are struggling too, it seems. I figured there would be a way to identify traffic being sent to the control plane. Does anyone have any neat tricks on what to do in a production 100Gbps switch? It's not like I can port mirror to a laptop at that rate, and I'm reluctant to mirror to CPU for fear of choking out the switch.