Debug and ACL

01-24-2019 04:19 PM - edited 03-08-2019 05:08 PM
I am trying to verify that my traffic is hitting the correct interface and going out, but the output doesn't seem right to me.
Source: 10.97.10.32
Destination 52.49.24.30
ip route 52.49.24.30 255.255.255.255 89.202.127.77
access-list 199 permit ip host 10.97.10.32 host 52.49.24.30 log-input
access-list 199 permit ip host 52.49.24.30 host 10.97.10.32 log-input
debug ip packet 199 detail
term mon
Once I do this and attempt a telnet from source to destination I see this:
SW-FRCL-NTCORE1#pak 16816E3C consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
SW-FRCL-NTCORE1#pak 16833210 consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
SW-FRCL-NTCORE1#pak 167F6DA8 consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
SW-FRCL-NTCORE1#pak 167D5A18 consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Does this mean it is going out the correct interface? This is on a Cisco switch:
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-ENTSERVICESK9-M), Version 12.2(54)SG1, RELEASE SOFTWARE (fc1)
Thank you in advance!
Labels: LAN Switching
01-24-2019 07:45 PM
Just to make sure you get all the information in your debug in order to see what the outgoing interface is, make sure you have disabled fast switching/CEF and re-run debug ip packet detail with the ACL.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
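As an added example (not code from the thread, the poster's switch or Cisco), a small Python parser for the two record shapes that matter here: the "consumed in input feature" lines the original poster gets, which contain no interface name at all, and the classic IOS "IP: s=... (in), d=... (out), ... forward" record that does name the outgoing interface. The sample lines and the interface names in them are constructed.

```python
import re
from typing import Dict, Optional

# Constructed sample (not captured from the thread's switch): two lines in the shape the thread
# shows for "debug ip packet 199 detail", plus one classic IOS "IP: s=... forward" record.
SAMPLE_DEBUG = """\
SW-FRCL-NTCORE1#pak 16816E3C consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
SW-FRCL-NTCORE1#pak 16833210 consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=10.97.10.32 (Vlan10), d=52.49.24.30 (GigabitEthernet1/1), g=89.202.127.77, len 60, forward
"""
# "pak <id> consumed in <feature> , ... rtype N, forus X, sendself X, mtu N, fwdchk X"
CONSUMED_RE = re.compile(
    r"pak (?P<pak>[0-9A-F]+) consumed in (?P<feature>[a-z ]+?) ,.*?"
    r"rtype (?P<rtype>\d+), forus (?P<forus>TRUE|FALSE), sendself (?P<sendself>TRUE|FALSE), "
    r"mtu (?P<mtu>\d+), fwdchk (?P<fwdchk>TRUE|FALSE)"
)
# "IP: s=<src> (<in_if>), d=<dst> (<out_if>), g=<gw>, len N, <action>"
FORWARD_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), d=(?P<dst>[\d.]+) \((?P<out_if>[^)]+)\)"
    r"(?:, g=(?P<gw>[\d.]+))?, len (?P<len>\d+), (?P<action>\w+)"
)


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return a record for one debug line, or None if the line is not a debug record."""
    m = CONSUMED_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "consumed"
        rec["out_if"] = None  # these records carry no interface at all
        return rec
    m = FORWARD_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "forward"
        return rec
    return None


def summarize(text: str) -> Dict[str, object]:
    """Count record kinds and list every outgoing interface the debug actually names."""
    records = [r for r in map(parse_line, text.splitlines()) if r is not None]
    forwarded = [r for r in records if r["kind"] == "forward"]
    return {
        "consumed": sum(1 for r in records if r["kind"] == "consumed"),
        "forwarded": len(forwarded),
        "out_ifs": sorted({r["out_if"] for r in forwarded}),
        "shows_egress": bool(forwarded),
    }
```

Run against only the "consumed" lines, `summarize` reports no egress interface, which is exactly the situation in the thread: the output answers nothing about the outgoing interface until a forwarding record appears.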
01-24-2019 07:58 PM
Hi Francesco,
I don't have CEF or fast switching configured. I have a quick question, just to make sure I am not going crazy. What I am trying to do is have my server take a particular route out to the internet. I need it to go as follows:
server 10.97.10.32 => Core1 => NTCore1 => provider switch => internet 52.49.24.30
So I have static routes as follows:
Core1
ip route 52.49.24.30/32 10.98.1.12 <- Interface on NTCore1
NTCore1
ip route 52.49.24.30 255.255.255.255 89.202.127.77 <- interface on provider switch
So for static routes there is nothing special about them; all you have to do is point them to the correct next hop, right? When I do a traceroute from the server, the last hop I see is the NTCore1 interface 10.98.1.12.
I just want to make sure I am not missing anything before I go tell the provider it is something on their end.
bash-4.2$ traceroute 52.49.24.30
traceroute to 52.49.24.30 (52.49.24.30), 30 hops max, 60 byte packets
1 sw-frcl-core1.network.na.bluefirecap.net (10.97.10.254) 0.114 ms 0.124 ms 0.128 ms
2 10.98.1.12 (10.98.1.12) 513.833 ms 513.833 ms 513.829 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
01-24-2019 09:01 PM
Can you re-run your traceroute with the -I option?
I believe you have some NAT before reaching your SP router? Have you checked that everything is OK on that side?
Make sure your packet is able to reach your service provider router.
Where did you run your debug? On NTCore (the last device managed by you before the packet is forwarded to your SP)?
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
01-24-2019 09:34 PM
There is no NAT; my IP enters the provider's network via the ethernet hand-off. That is why I am thinking it is on their side, but I wanted to get a second opinion from someone smarter than me. I tried to do the debug on NTCore1, which is the last device before it hits the provider, but didn't see anything. I set up my debug as follows:
access-list 199 permit ip host 10.97.10.32 host 52.49.24.30 log-input
access-list 199 permit ip host 52.49.24.30 host 10.97.10.32 log-input
debug ip packet 199 detail
term mon
but all I get is:
SW-FRCL-NTCORE1#pak 16ADF474 consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
SW-FRCL-NTCORE1#pak 16B7AB68 consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
SW-FRCL-NTCORE1#pak 16B5B26C consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
SW-FRCL-NTCORE1#pak 16B8D75C consumed in input feature , packet consumed, MCI Check(63), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
01-24-2019 09:45 PM
If you do sh ip cef, you see nothing, right, since you said CEF was disabled.
Anyway, have you tried pinging your SP's interface IP (the IP of the next hop in the static route you configured) from your server?
Does it answer your ICMP packets?
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
01-24-2019 11:00 PM
Yes, it does:
sv-frcl-crypto1 wgranada]# ping 89.202.127.77
PING 89.202.127.77 (89.202.127.77) 56(84) bytes of data.
64 bytes from 89.202.127.77: icmp_seq=1 ttl=45 time=205 ms
64 bytes from 89.202.127.77: icmp_seq=2 ttl=45 time=204 ms
64 bytes from 89.202.127.77: icmp_seq=3 ttl=45 time=206 ms
64 bytes from 89.202.127.77: icmp_seq=4 ttl=45 time=204 ms
64 bytes from 89.202.127.77: icmp_seq=5 ttl=45 time=204 ms
.77 is their end and .78 is my end
64 bytes from 89.202.127.77: icmp_seq=6 ttl=45 time=204 ms
64 bytes from 89.202.127.77: icmp_seq=7 ttl=45 time=204 ms
01-24-2019 11:03 PM
Is it safe to say the issue is on their side?
