Why test service availability with live packets when you can use virtual packets instead? Next time you need a quick answer about network reachability, would you prefer partial information, or precise data that includes the root cause for traffic behavior? Athena's PathFinder network map software can answer any question about packet traversal in minutes using an offline model that is constructed from your configuration data.
Athena PathFinder offers powerful functionality for firewall troubleshooting, for debugging packet flow problems caused by ACL, NAT or routing issues, and for determining which devices in the network need their configurations modified to implement change requests.
Troubleshooting dropped packets
Using the Packet Tracer feature, your production environment can be interrogated for answers without any risk, because it does not insert any actual data into the network.
Using the device configurations, the Packet Tracer calculates all routable paths for the entered packet, starting from the chosen starting network or device. A routable path is a sequence of networks and devices, each of which has a route that moves the packet from the entering interface of one device to the entering interface of the next hop device.
Once a routable path is calculated, the Packet Tracer evaluates each device along the path to identify those whose ACL, NAT, or default rules drop the packet. The specific rules within each device that are involved in allowing or dropping the packet are identified.
The calculated routable paths are also shown in a network topology diagram, with the path segments highlighted in green or red and arrowheads indicating direction. A green segment indicates that the device located at the base of the arrow has ACL, NAT, reverse path, and route rules that allow the packet through. A red segment indicates that the device located at the base of the arrow has an ACL, NAT, or route rule that drops the packet.
For actionable information from the packet trace, PathFinder provides a results Explorer just below the network topology diagram. The Explorer shows the actual rules that act on the packet in each device along the path. You can also quickly look up the rule in its native format in the device configuration.
The interactive Explorer allows users to drill down from policies along the path to the specific rules in each device that allow the packet to pass through or cause it to be dropped.
Determining where to make rule changes
The power of path analysis combined with that of the packet trace makes it easy to determine the optimal places to make rule changes. Used for this purpose, the Packet Tracer will tell you precisely which devices must be touched in order to enable a service to the destination, and even where to add the requisite rules in the device configurations.
When a change request is made to allow a certain service to a certain host, it becomes the responsibility of the network engineer to make the changes, and the first step is to determine whether a change is necessary at all, and if it is necessary, where and what changes to make.
For this scenario, the Packet Tracer can be run for a packet whose source is the IP address of a host (say, a client) and whose destination is the IP address of the host that must be accessed through the service. The packet trace determines all the devices whose configuration needs to be changed to allow the packet through. In addition, the rules that cause the packet to be dropped are the ones that need to be modified.
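The offline trace described above (a route lookup at each hop, then ACL evaluation, then a list of devices to change) can be sketched as follows. This is an added example over a constructed three-device model, not PathFinder's code; the device names, addresses, rules and function names are invented for illustration, and NAT, reverse-path checks and multiple paths are left out.

```python
import ipaddress as ip

# Constructed model: per-device routes (prefix, next hop; None = directly connected)
# and ordered ACL rules (action, src, dst, dst port; None = any port).
MODEL = {
    "edge-fw": {"routes": [("10.20.0.0/16", "core-rtr")],
                "acl": [("permit", "192.0.2.0/24", "10.20.0.0/16", 443),
                        ("deny", "0.0.0.0/0", "0.0.0.0/0", None)]},
    "core-rtr": {"routes": [("10.20.0.0/16", None), ("10.20.5.0/24", "dc-fw")],
                 "acl": [("permit", "0.0.0.0/0", "0.0.0.0/0", None)]},
    "dc-fw": {"routes": [("10.20.5.0/24", None)],
              "acl": [("permit", "192.0.2.0/24", "10.20.5.10/32", 22)]},  # no 443 rule
}

def next_hop(routes, dst):
    """Longest-prefix match; returns (route_found, next_hop_device)."""
    hits = [(ip.ip_network(p), nh) for p, nh in routes if dst in ip.ip_network(p)]
    if not hits:
        return False, None
    return True, max(hits, key=lambda h: h[0].prefixlen)[1]

def acl_verdict(acl, src, dst, dport):
    """First matching rule wins; an implicit default deny ends every ACL."""
    for n, (action, s, d, port) in enumerate(acl, 1):
        if src in ip.ip_network(s) and dst in ip.ip_network(d) and port in (None, dport):
            return action, f"rule {n}"
    return "deny", "implicit default deny"

def trace(model, start, src, dst, dport):
    """Walk the routable path and return (device, verdict, rule) for each hop."""
    # Keeps walking after a deny so every device that needs a change is reported.
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    hops, device, seen = [], start, set()
    while device is not None:
        if device in seen:
            hops.append((device, "deny", "routing loop"))
            break
        seen.add(device)
        found, nh = next_hop(model[device]["routes"], dst)
        if not found:
            hops.append((device, "deny", "no route"))
            break
        hops.append((device, *acl_verdict(model[device]["acl"], src, dst, dport)))
        device = nh
    return hops

def devices_to_change(hops):
    return [dev for dev, verdict, _ in hops if verdict == "deny"]
```

For a change request asking for HTTPS from 192.0.2.15 to 10.20.5.10, `devices_to_change(trace(MODEL, "edge-fw", "192.0.2.15", "10.20.5.10", 443))` names only the device whose rule set lacks a matching permit.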