Cisco Support Community

My access lists are not debugged, why?

Hello,

I'm trying to debug my access lists number 103

SWITCH_AREA_1#show access-lists

Extended IP access list 101

    10 permit ip any any log (3167272 matches)

    20 permit ip host 172.17.0.80 any log

    30 permit ip any host 10.0.1.100

    40 permit ip host 172.17.0.82 any log

    50 permit ip any host 10.0.1.100 log

Extended IP access list 102

    10 permit icmp any any log (5110 matches)

Extended IP access list 103

    10 permit ip any host 88.199.43.165 log

    20 permit ip host 172.17.0.200 any log (6080 matches)

To do so I type

SWITCH_AREA_1#debug ip packet 103 detail

IP packet debugging is on (detailed) for access list 103

But when I issue the

#show logging

I only see the debugging packet for list 101 and not for 103, which is the one I have enabled. Why do I get that? Is that due to the fact that the log isn't long enough to reach list 103?

Thanks in advance,

regards!

6 REPLIES

My access lists are not debugged, why?

Hi,

The command you entered will not debug the ACL, but the referenced ACL will be applied as a filter to the debug command.

The logging buffer is a cyclical buffer that has a limited size by default, and also only process-switched packets will be seen by the debug (packets originated or destined to the router).

Regards.

Alain

Don't forget to rate helpful posts.


My access lists are not debugged, why?

Hi cadet alain, thanks for replying!

Could you tell me then how to debug the ACL? Or is that not possible?

Thanks again!


My access lists are not debugged, why?

Hi,

The router will send an administratively prohibited ICMP unreachable message to the source of the offending packet by default, so sniffing on the source if it is a PC, or debugging ip icmp on a router, will tell you if there was a hit for a deny clause in an ACL.

I've never seen a debug for Access-list so AFAIK it doesn't exist.

Regards

Alain

Don't forget to rate helpful posts.


My access lists are not debugged, why?

Hi,

Kindly try to increase the size of the logging buffer to a higher value & see if it helps. Also check by configuring "logging console" and see if the debug logs get printed on the CLI. You should definitely see the debug logs, as the traffic according to your config would get process switched.

Thanks & Regards,

Vignesh R P


My access lists are not debugged, why?

Hi Vignesh Rajendran Praveen, thanks for replying,

I read in some Cisco references and forums that it is not very advisable to debug on the console, since that can affect system performance. Isn't that true?

On the other hand, what would be a good buffer value? Currently I'm using 13000 bytes; is that too low?

Regards


Re: My access lists are not debugged, why?

I read in some Cisco references and forums that it is not very advisable to debug on the console, since that can affect system performance. Isn't that true?

That's right, Juan. I rarely log to the console. It's easy enough to view the local log.
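
Added example, not written by any poster in this thread: a Python sketch that parses the `show access-lists` output from the question and totals, per ACL, the match counters of entries carrying the `log` keyword. It assumes, which the thread does not confirm, that the list 101 lines in `show logging` come from those `log` entries, and it uses match counters only as a rough proxy for log volume; the function names are illustrative.

```python
import re

# Output copied from the question in this thread.
SHOW_ACCESS_LISTS = """\
Extended IP access list 101
    10 permit ip any any log (3167272 matches)
    20 permit ip host 172.17.0.80 any log
    30 permit ip any host 10.0.1.100
    40 permit ip host 172.17.0.82 any log
    50 permit ip any host 10.0.1.100 log
Extended IP access list 102
    10 permit icmp any any log (5110 matches)
Extended IP access list 103
    10 permit ip any host 88.199.43.165 log
    20 permit ip host 172.17.0.200 any log (6080 matches)
"""

HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)\s*$")
ENTRY = re.compile(
    r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_acls(text):
    """Return one dict per access-list entry found in the output."""
    entries, acl = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            acl = header.group(1)
            continue
        entry = ENTRY.match(line)
        if entry and acl is not None:
            seq, action, rule, matches = entry.groups()
            entries.append({
                "acl": acl, "seq": int(seq), "action": action, "rule": rule,
                "log": "log" in rule.split(),      # entry carries the log keyword
                "matches": int(matches or 0),      # no counter shown means 0 hits
            })
    return entries

def logged_hit_share(entries):
    """Map ACL name -> (logged hits, share of all logged hits)."""
    totals = {}
    for e in entries:
        if e["log"]:
            totals[e["acl"]] = totals.get(e["acl"], 0) + e["matches"]
    grand = sum(totals.values()) or 1              # avoid dividing by zero
    return {acl: (hits, hits / grand) for acl, hits in totals.items()}

if __name__ == "__main__":
    for acl, (hits, share) in logged_hit_share(parse_acls(SHOW_ACCESS_LISTS)).items():
        print(f"ACL {acl}: {hits} logged hits ({share:.2%})")
```

On the posted counters, list 101 accounts for more than 99% of the logged hits and list 103 for under 0.2%.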
