08-24-2020 06:23 PM - edited 08-24-2020 06:24 PM
Hi
I want to see the following packet in a switch debug command.
But it didn't work.
Communication between devices is good.
Case-1
192.168.50.2 -> 192.168.50.1
192.168.60.2 -> 192.168.60.1
At this time the ICMP debugs were collected successfully.
Case-2
192.168.50.2 -> 192.168.50.3
192.168.50.2 -> 192.168.60.2
At this time, no debug came up.
I would like to know what kind of action is necessary to debug Case-2.
These are the steps I have taken.
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255 log
debug ip packet 101
debug ip routing 101
debug ip icmp
debug ip routing detail
debug ip packet detail
Thank you.
08-24-2020 07:09 PM
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255 ( removed Log here)
access-list 101 permit ip 192.168.60.0 0.0.0.255 192.168.50.0 0.0.0.255
debug ip packet 101 detail
debug ip routing 101
debug ip icmp
debug ip routing detail
debug ip packet detail << - this command is very dangerous in a production environment, you may lock yourself out due to debug - for testing ok
make sure you enable logging monitor debug to view.
08-24-2020 07:26 PM
Hi
set up logging monitor debug
acl was modified.
And I set up debug ip packet 101.
192.168.50.2 -> 192.168.50.1 when Ping is sent
The following log is created.
*Aug 25 02:09:11.842: IP: s=192.168.50.2 (Vlan1), d=192.168.50.1 (nil), len 60, input feature, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Aug 25 02:09:11.842: IP: s=192.168.50.2 (Vlan1), d=192.168.50.1 (nil), len 60, rcvd 2
*Aug 25 02:09:11.842: IP: s=192.168.50.2 (Vlan1), d=192.168.50.1 (nil), len 60, stop process pak for forus packet
*Aug 25 02:09:11.842: IP: tableid=0, s=192.168.50.1 (local), d=192.168.50.2 (Vlan1) nexthop=192.168.50.2, routed via FIB
However, 192.168.50.2->192.168.50.3 is still not generated.
Thanks
08-24-2020 08:57 PM
is ip route-cache enabled on the interface?
how about pinging from 192.168.50.2 to 192.168.60.2? do you see debug output?
08-24-2020 09:22 PM
Hi
There is no ip route-cache command on the interface to which the PC is connected (Gi 1/0/1).
Instead, I put ip route-cache in the vlan interface.
When I ping from 192.168.50.2 to 192.168.60.2, no debug message is displayed.
Thanks
08-25-2020 01:10 AM
Can you post complete running configuration, along with show version.
08-26-2020 12:23 AM - edited 08-26-2020 12:24 AM
08-26-2020 01:14 AM
Looking at the config: I found a couple of things that are not correct.
As per the diagram, your device has IP address .2
1. But as per the configuration the VLAN has the .2 IP address, as below:
2. You have 2 different Extend ACL for different source and destination.
3. are you debugging correct ACL with debug ip packet ACL details to get correct outcome.
4. Can you post end device config (by typing ipconfig /all ? ) they should point to gateway .2 IP address of VLAN interface.
interface Vlan1
ip address 192.168.50.2 255.255.255.0
!
interface Vlan2
ip address 192.168.60.2 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.50.1
!
!
ip access-list extended 101
10 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
ip access-list extended 102
10 permit ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255
make necessary changes and test and advise what you see ?
Note: another observation I noticed was that you have a LITE IOS image. I have never worked on that; as far as the LITE image is concerned, ACL has limitations (not sure, I am only going by the document).
I have tested your scenario in my lab and all works as expected. Those are IP Services advanced images, on Cat 9300 or higher - just to confirm.
08-26-2020 01:31 AM
1. But as per the configuration the VLAN has the .2 IP address, as below:
Sorry, the diagram and IP have changed for the first time.
I will attach the modified diagram again.
Port 1 PC-50.3
Port 2 PC-60.3
Ping from 50.3 to 50.2/60.2 creates a log
Ping from 60.3 to 50.2/60.2 creates a log
However, 50.3 and 60.3 ping each other and no log is generated.
2.You have 2 different Extend ACL for different source and destination.
The reason for creating two ACLs is
The 101 ACL is what you want to debug when you ping between 50.3 and 50.4.
The 102 ACL is what I want to debug when I ping from 50.3 to 60.3.
3. are you debugging correct ACL with debug ip packet ACL details to get correct outcome.
yes..
4.Can you post end device config (by typing ipconfig /all?) They should point to gateway .2 IP address of VLAN interface.
It is difficult to capture, but I guarantee that I did it twice with the gateway address.
All devices communicate with each other Ping (50.3<->60.3)
Note: another Observation i noticed was you have LITE IOS Image, i have never worked on that, as per LITE Image concern, ACL has Limitation (not sure, i only going with document)
The 9200 seems to have all OS names with LITE.
The 9300 does not have a LITE on all OS names.
Thanks
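An added example, not part of any post in this thread: a small evaluator for the wildcard-mask entries of ACLs 101 and 102 from the posted configuration, showing which of the flows mentioned in the thread each list would select when used as a `debug ip packet <acl>` filter. The function names are made up for illustration, and only the `permit|deny ip <addr> <wildcard> <addr> <wildcard>` form is handled (no `host` or `any`).

```python
import ipaddress

# ACL entries copied from the configuration posted in the thread.
ACLS = {
    101: ["10 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255"],
    102: ["10 permit ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255"],
}

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def parse_entry(line):
    """Parse '[seq] permit|deny ip SRC SRC_WILD DST DST_WILD [log]'."""
    tokens = line.split()
    if tokens[0].isdigit():          # drop the optional sequence number
        tokens = tokens[1:]
    action, proto, src, src_wc, dst, dst_wc = tokens[:6]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported entry: " + line)
    return action, src, src_wc, dst, dst_wc

def acl_action(entries, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in entries:
        action, s, s_wc, d, d_wc = parse_entry(line)
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"

def matching_acls(src, dst):
    """ACL numbers whose filter would select the flow src -> dst."""
    return [n for n, entries in sorted(ACLS.items())
            if acl_action(entries, src, dst) == "permit"]

if __name__ == "__main__":
    # Flows built from the host addresses mentioned in the thread.
    for src, dst in [("192.168.50.3", "192.168.50.4"),
                     ("192.168.50.3", "192.168.60.3"),
                     ("192.168.60.3", "192.168.50.3")]:
        print(src, "->", dst, "selected by ACLs", matching_acls(src, dst))
```

The reply direction, 192.168.60.3 -> 192.168.50.3, matches neither list, so a filter built only from these entries selects one direction of that ping.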