Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
667
Views
4
Helpful
3
Replies

Nothing appear for ACL Debug!

Ibrahim Jamil
Level 6
Level 6

‎03-23-2012 10:37 AM - edited ‎03-04-2019 03:46 PM

Hi Experts

i have 3 access-list configured IN | Out  on my Border router (MARTIAN) ,i have to look which one block some of  the traffic passing through ,for that matter i have enabled the below commands on my ISR 2900: with nothing output....

logging on

debug ip packet

term me

i have not see any output,even though they have generated traffic!!!


Labels:
0 Helpful
3 Replies 3

Nandan Mathure
Level 1
Level 1

‎03-23-2012 10:45 AM

@ Ibrahim Jamil

If the traffic is passing through the device and not originating or terminating at the device then please use:

In Interface mode:

R(config-if)#no ip route-cache

Also check if you have enabled "debug level" logging by using

R#show logging

this will disable cef on that interface. By default all the traversing traffic is cef switched. Please re-enable once this debugs have been disabled. If you are doing this in production this might overwhelm the router.

Edison Ortiz
Hall of Fame
Hall of Fame

‎03-23-2012 10:49 AM

The debug ip packet command is useful for  analyzing the messages traveling between the local and remote hosts.

IP  packet debugging captures the packets that are process switched including received, generated and forwarded packets.

IP packets that are  switched in the fast path are not captured.

0 Helpful

Vasileios Bouloukos MSc, ITIL, CCIE
Level 3
Level 3

‎03-24-2012 08:33 AM

Hi Ibrahim,

You can add this entry "deny ip any any log" at the end of your three access-lists.e.g.

#ip access-list extended xxxx

#999 deny ip any any log     ->999 is the sequence number, should be the last entry

Then run the show ip  access-list command to see in which of the three access-lists the (last) deny entry captures packets (hits number increases)

You can see these packets by checking the log (show logging ).

Attention, if you do not need to log the denied packets do not use the log command at the end of the deny ip any any entry.

If several packets are denied, could may affect the performance of your 2900 router.

Hope that helps!

Vasilis

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card