06-11-2010 05:28 AM - edited 03-06-2019 11:32 AM
Guys
Yes, I'm grey and losing it!
Basically I'm using a basic access-list and a debug command ....
e.g. access-list 101 permit ip any host 11.12.1.1
term mon
debug ip packet access-list 101
If I ping 11.12.1.1 from the router I can see the packets in debug; however, if I ping through the router to the destination I do not get the packets in debug.
Am I losing it or what?
Any help appreciated.
06-11-2010 09:29 AM
Hello Roger,
It is because with this debug you can intercept only packets that are process switched, like the ones originated by the router itself.
If CEF or older fast switching is enabled, traffic going via the router is not process switched but processed by CEF or other
In a case like this you can use
access-list 102 permit ip any host 11.12.1.1 log
access-list 102 permit ip any any
int fas0/0
ip access-group 102 out
This creates an exception to CEF and can be enough to demonstrate the ICMP packet is going to the destination.
Hope to help
Giuseppe
06-14-2010 01:46 AM
Hi Giuseppe and all
I thought this myself and disabled CEF (no ip cef).
Then when I ping from the router itself I get
*Jun 14 08:38:08.168: IP: tableid=0, s=2.1.2.1 (local), d=172.24.33.242 (Serial0/1/0), routed via RIB
*Jun 14 08:38:08.168: IP: s=2.1.2.1 (local), d=172.24.33.242 (Serial0/1/0), len 100, sending.
which suggests FIB/CEF is off.
However, when I ping from inside to the same destination I still see nothing in the debug - how strange.
I have tried your suggestion and it worked as below - thank you.
VH-BCA-Rtr(config)#int serial0/1/0
VH-BCA-Rtr(config-if)#ip access-group 102 out
VH-BCA-Rtr(config-if)#
*Jun 14 08:43:31.735: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 172.24.95.169 -> 172.24.33.242 (0/0), 1 packet
However, how do I switch off CEF? Do I need to restart the router with the command "no ip cef"? I have tried the following and it does not work:
"Before using debugging ip packet, note that the router is doing fast-switching by default, or may be doing CEF switching if configured to do so. This means that, once those techniques are in place, the packet is not provided to the processor, hence the debugging does not show anything. For this to work, you need to disable fast-switching on the router with no ip route-cache (for unicast packets) or no ip mroute-cache (for multicast packets). This should be applied on the interfaces where the traffic is supposed to flow. Verify this with the show ip route command."
Any thoughts?
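Added example, not part of any post in this thread: a small Python parser that totals %SEC-6-IPACCESSLOGDP hits per source, so transit traffic logged by the ACL 102 approach above can be confirmed from collected syslog instead of debug output. The sample log is constructed (only its first ACL line is quoted from the thread), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample syslog: the first line is the one quoted in the thread,
# the remaining lines are made up for illustration.
SAMPLE_LOG = """\
*Jun 14 08:43:31.735: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 172.24.95.169 -> 172.24.33.242 (0/0), 1 packet
*Jun 14 08:48:31.735: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 172.24.95.169 -> 172.24.33.242 (0/0), 4 packets
*Jun 14 08:49:02.101: %SEC-6-IPACCESSLOGDP: list 102 permitted icmp 172.24.95.170 -> 172.24.33.1 (8/0), 1 packet
*Jun 14 08:49:10.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# Fields: ACL name, action, protocol, source, destination, ICMP type/code, packet count.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)


def acl_hits(log_text, acl, dst):
    """Sum logged packets per (action, source) for one ACL and one destination."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ACL_LOG.search(line)
        if m and m["acl"] == acl and m["dst"] == dst:
            # Later log lines report additional packets for the same flow.
            hits[(m["action"], m["src"])] += int(m["count"])
    return hits


def transit_confirmed(log_text, acl, dst, src):
    """True if at least one permitted packet from src to dst was logged."""
    return acl_hits(log_text, acl, dst)[("permitted", src)] > 0


if __name__ == "__main__":
    for (action, src), n in acl_hits(SAMPLE_LOG, "102", "172.24.33.242").items():
        print(f"{action} {src} -> 172.24.33.242: {n} packet(s)")
```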