Debugging ACLs

lscholer
Level 1

Hello,

I have the following problem:

I have created an ACL.

When I debug this ACL (debug ip packet 101 detail), I see a lot of multicast traffic.

This is on a Catalyst 3550 EMI.

If I debug the same ACL on a router, I only see traffic for this ACL.

What should I do to see only the ACL traffic on the Catalyst without the multicast traffic?

Can I stop multicast traffic on the Catalyst, because I don't need it?

Thanks

Lorenz

3 Replies

steve.barlow
Level 7

When multicast fast switching is enabled (like unicast routing), debug messages are not logged. If you want to log debug messages, disable fast switching. Try ip mroute-cache.

If not, can you post the ACL?

Hope it helps.

Steve

Hello Steve,

Thanks for your help, but this is not the reason.

I have tested the same procedure on a Cisco router, and there I only saw the output from the ACL.

Here is my ACL:

permit icmp any any (16 matches)
permit tcp xxx.xxx.xxx.xxx 0.0.0.16 host xxx.xxx.xxx.xxx eq domain
permit udp xxx.xxx.xxx.xxx 0.0.0.16 host xxx.xxx.xxx.xxx eq domain
permit tcp xxx.xxx.xxx.xxx 0.0.0.16 host xxx.xxx.xxx.xxx eq domain
permit udp xxx.xxx.xxx.xxx 0.0.0.16 host xxx.xxx.xxx.xxx eq domain
permit tcp xxx.xxx.xxx.xxx 0.0.0.16 host xxx.xxx.xxx.xxx eq 3299
permit tcp xxx.xxx.xxx.xxx 0.0.0.16 host xxx.xxx.xxx.xxx eq 3299
permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 3299
permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 3299
permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 22
permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 22
permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 3299
permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 443
permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx range 4029 4034
permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx range 4029 4034
permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx range 4019 4024
permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx range 4019 4024
permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 8080
deny ip xxx.xxx.xxx.xxx 0.0.0.16 any
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx eq domain
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx eq domain
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx eq domain
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx eq domain
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx eq www
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx eq www
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx eq www
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx eq www
deny ip xxx.xxx.xxx.xxx 0.0.0.255 any
deny ip xxx.xxx.xxx.xxx 0.0.0.255 any
deny ip xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx
deny ip xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 xxx.xxx.xxx.xxx 0.0.0.255 eq 3299
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 xxx.xxx.xxx.xxx 0.0.0.255 eq 3299
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 eq lpd xxx.xxx.xxx.xxx 0.0.0.255 gt 700
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 eq lpd xxx.xxx.xxx.xxx 0.0.0.255 gt 700
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx range 4019 4024
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx range 4029 4034
permit udp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx range 4019 4024
permit udp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx range 4029 4034
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx range 4019 4024
permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx range 4029 4034
permit udp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx range 4019 4024
permit udp xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx range 4029 4034
permit ip xxx.xxx.xxx.xxx 0.0.0.255 xxx.xxx.xxx.xxx 0.15.255.255
permit ip xxx.xxx.xxx.xxx 0.0.0.255 xxx.xxx.xxx.xxx 0.15.255.255
deny ip xxx.xxx.xxx.xxx 0.0.0.255 any
deny ip xxx.xxx.xxx.xxx 0.0.0.255 any (15 matches)

Below is the output from the debug command: debug ip packet 110 detail

01:29:20: datagramsize=66, IP 0: s=xxx.xxx.121.3 (Vlan5), d=224.0.0.2, totlen 48, fragment 0, fo 0, rcvd 2
01:29:20: UDP src=1985, dst=1985
01:29:20: datagramsize=64, IP 0: s=xxx.xxx.135.41 (local), d=224.0.0.2 (Vlan8), totlen 48, fragment 0, fo 0, sending broad/multicast
01:29:20: UDP src=1985, dst=1985
01:29:20: datagramsize=62, IP 0: s=xxx.xxx.135.41 (local), d=224.0.0.2 (Vlan8), totlen 48, fragment 0, fo 0, sending full packet
01:29:20: UDP src=1985, dst=1985
01:29:20: datagramsize=66,u IP 0: s=xxx.xxx.120.3 (Vlan4), d=224.0.0.2, totlen 48, fragment 0, fo 0, rcvd 2
01:29:20: UDP src=1985, dst=1985
01:29:21: datagramsize=48, IP 0: s=xxx.xxx.120.2 (local), d=224.0.0.2 (Vlan4), totlen 48, fragment 0, fo 0, sending broad/multicast
01:29:21: UDP src=1985, dst=1985
01:29:21: datagramsize=62, IP 0: s=xxx.xxx.120.2 (local), d=224.0.0.2 (Vlan4), totlen 48, fragment 0, fo 0, sending full packet
01:29:21: UDP src=1985, dst=1985

I hope this information is helpful for you.

Nice weekend

Lorenz

UDP port 1985 is HSRP and the destination address of HSRP hello packets is the all routers multicast address (224.0.0.2). The source address is the router's primary IP address assigned to the interface.

Fast-switched packets do not generate messages.

I will try and find out why this is getting logged.

Have a great weekend.

Steve
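Steve's identification of the UDP 1985 / 224.0.0.2 records as HSRP hellos suggests a way to triage this kind of debug output offline rather than reading it by eye. The following is an added example (Python; not from this thread, and not Cisco's code): it parses `debug ip packet detail` records in the layout Lorenz posted, evaluates each one against an IOS-style extended ACL using Cisco wildcard-mask semantics and first-match ordering with the implicit deny at the end, and tags the HSRP hellos separately from everything else. The ACL and debug lines are constructed with documentation-range addresses in the shape of the posted ones, and the port keywords domain/www/lpd are mapped to their standard numbers as an assumption.

```python
"""Replay `debug ip packet <acl> detail` records through an IOS-style extended ACL
evaluator, tagging HSRP hellos (UDP 1985 to 224.0.0.2) separately. Added example."""
import ipaddress
import re

# Constructed ACL in the shape of the posted one (documentation-range placeholders).
ACL_TEXT = """\
permit icmp any any (16 matches)
permit udp 192.0.2.0 0.0.0.16 host 198.51.100.53 eq domain
permit tcp host 192.0.2.10 host 198.51.100.20 eq 22
deny ip 192.0.2.0 0.0.0.255 any
permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.80 range 4019 4024
"""

# Constructed debug output in the 3550's layout (wrapped lines already joined).
DEBUG_TEXT = """\
01:29:20: datagramsize=66, IP 0: s=192.0.2.3 (Vlan5), d=224.0.0.2, totlen 48, fragment 0, fo 0, rcvd 2
01:29:20: UDP src=1985, dst=1985
01:29:21: datagramsize=62, IP 0: s=192.0.2.16 (Vlan5), d=198.51.100.53 (Vlan8), totlen 48, fragment 0, fo 0, sending full packet
01:29:21: UDP src=40123, dst=53
01:29:22: datagramsize=60, IP 0: s=192.0.2.10 (Vlan5), d=198.51.100.20 (Vlan8), totlen 40, fragment 0, fo 0, sending full packet
01:29:22: TCP src=51000, dst=22
01:29:23: datagramsize=84, IP 0: s=203.0.113.7 (Vlan4), d=198.51.100.80 (Vlan8), totlen 84, fragment 0, fo 0, rcvd 2
01:29:23: ICMP type=8, code=0
"""

PORT_NAMES = {"domain": 53, "www": 80, "lpd": 515}  # assumed mapping of the IOS keywords in the posted ACL
IP_RE = re.compile(r"s=(\d+\.\d+\.\d+\.\d+).*?d=(\d+\.\d+\.\d+\.\d+)")
L4_RE = re.compile(r": (UDP|TCP|ICMP)\b(?: src=(\d+), dst=(\d+))?")

def _addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) -> (network, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _port(tokens):
    """Consume an optional port operator (eq/gt/lt/range) -> predicate on a port number."""
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "range"):
        return lambda p: True
    op = tokens.pop(0)
    val = lambda s: PORT_NAMES.get(s) or int(s)
    if op == "range":
        lo, hi = val(tokens.pop(0)), val(tokens.pop(0))
        return lambda p: lo <= p <= hi
    n = val(tokens.pop(0))
    return {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op]

def _wild_match(addr, net, wild):
    # Cisco wildcard semantics: a 1 bit in the wildcard means "don't care".
    return ((addr ^ net) & (~wild & 0xFFFFFFFF)) == 0

def parse_acl(text):
    """Parse `show access-list`-style lines; '(N matches)' counters are ignored."""
    entries = []
    for line in text.splitlines():
        tokens = re.sub(r"\(\d+ matches\)", "", line).split()
        if len(tokens) < 4:
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries

def evaluate(entries, pkt):
    """First-match evaluation -> (action, entry index), or ('deny', None) for the implicit deny."""
    s, d = (int(ipaddress.IPv4Address(pkt[k])) for k in ("src", "dst"))
    for i, (action, proto, src, sport, dst, dport) in enumerate(entries):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (_wild_match(s, *src) and _wild_match(d, *dst)):
            continue
        if proto in ("tcp", "udp") and not (sport(pkt["sport"]) and dport(pkt["dport"])):
            continue
        return action, i
    return "deny", None

def parse_debug(text):
    """Pair each 'IP 0: s=... d=...' line with the transport-layer line that follows it."""
    pkts = []
    for line in text.splitlines():
        if m := IP_RE.search(line):
            pkts.append({"src": m.group(1), "dst": m.group(2), "proto": "ip"})
        elif pkts and (m := L4_RE.search(line)):
            pkts[-1]["proto"] = m.group(1).lower()
            if m.group(2):
                pkts[-1]["sport"], pkts[-1]["dport"] = int(m.group(2)), int(m.group(3))
    return pkts

def classify(acl_text, debug_text):
    """Tag each debug record as an HSRP hello or other traffic, alongside the ACL verdict."""
    entries = parse_acl(acl_text)
    rows = []
    for pkt in parse_debug(debug_text):
        is_hsrp = pkt["proto"] == "udp" and pkt.get("dport") == 1985 and pkt["dst"] == "224.0.0.2"
        action, idx = evaluate(entries, pkt)
        rows.append((pkt["src"], pkt["dst"], "hsrp-hello" if is_hsrp else "other", action, idx))
    return rows
```

Calling classify(ACL_TEXT, DEBUG_TEXT) returns one row per record; the HSRP hello matches no permit line and falls through to the constructed deny entry, which is the same conclusion Steve draws from the port and destination address: those records are not traffic the ACL permits, so their appearance in the debug output is a property of how the switch logs them, not of the ACL. One caveat the evaluator makes visible: a wildcard of 0.0.0.16, as used in several lines of the posted ACL, matches only two addresses (the base value and the base value plus 16 in the last octet), not a block of 16 hosts; a 16-address block needs 0.0.0.15.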