Frustrated old engineer - DEBUG command not doing it!


Guys


Yes, I'm grey and losing it!


Basically I'm using a basic access-list and a debug command ....


e.g. access-list 101 permit ip any host 11.12.1.1

term mon

debug ip packet access-list 101


If I ping 11.12.1.1 from the router I can see the packets in debug; however, if I ping through the router to the destination I do not get the packets in debug.


Am I losing it or what?


Any help appreciated.

Giuseppe Larosa Fri, 06/11/2010 - 09:29
Hello Roger,


It is because with this debug you can intercept only packets that are process switched, like the ones originated by the router itself.


If CEF or older fast switching is enabled, traffic going via the router is not process switched but processed by CEF or other.


In a case like this you can use


access-list 102 permit ip any host 11.12.1.1 log

access-list 102 permit ip any any


int fas0/0

ip access-group 102 out


This creates an exception to CEF and can be enough to demonstrate the ICMP packet is going to the destination.


Hope to help

Giuseppe

Hi Giuseppe and all


I thought this myself and disabled CEF (no ip cef).


Then when I ping from the router itself I get


*Jun 14 08:38:08.168: IP: tableid=0, s=2.1.2.1 (local), d=172.24.33.242 (Serial0/1/0), routed via RIB
*Jun 14 08:38:08.168: IP: s=2.1.2.1 (local), d=172.24.33.242 (Serial0/1/0), len 100, sending.


which suggests FIB/CEF is off.


However, when I ping from inside to the same destination I still see nothing in the debug - how strange.


I have tried your suggestion and it worked as below - thank you


VH-BCA-Rtr(config)#int serial0/1/0
VH-BCA-Rtr(config-if)#ip access-group 102 out
VH-BCA-Rtr(config-if)#
*Jun 14 08:43:31.735: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 172.24.95.169 -> 172.24.33.242 (0/0), 1 packet


However, how do I switch off CEF? Do I need to restart the router with the command "no ip cef"? ..... I have tried the following and it does not work


"Before using debugging ip packet, note that the router is doing fast-switching by default, or may be doing CEF switching if configured to do so. This means that, once those techniques are in place, the packet is not provided to the processor, hence the debugging does not show anything. For this to work, you need to disable fast-switching on the router with no ip route-cache (for unicast packets) or no ip mroute-cache (for multicast packets). This should be applied on the interfaces where the traffic is supposed to flow. Verify this with the show ip route command."


Any thoughts?
