Is it safe to use the command "ip debug packet "acl"" in an enterprise environment?

zayalaksme
Level 1

If I use debug at packet level using an ACL in a production/enterprise environment, is there any problem? Is it safe?

6 Replies

Ashok Kumar
Cisco Employee

Hi

If your normal CPU is below 10-20%, and if you're aware of the volume of the traffic going to hit the ACL, because the higher the volume of traffic, the higher your CPU is going to spike.

With a lower volume of traffic hitting the ACL, it's okay to log the ACL.

The best option is to have a maintenance window in lean business hours.


- Ashok

******************************************************************************************************

Please rate the post or mark as correct answer as it will help others looking for similar information

******************************************************************************************************

For example: there is a reachability issue. I want to debug at packet level, so by using an ACL I control the output generated by the "debug packet acl" command.

My question is:

Is the ACL applied before the debug command processes the packet (end result: it uses low CPU)?

or

Is the ACL applied while displaying output, after the debug command has processed the packet?

 

Could you give me any suggestion/pitfall/experience while using "debug packet acl"?

Is it good to use in a production/enterprise environment?

 

johnlloyd_13
Level 9

Hi,

Are you referring to the debug ip packet <ACL> command?

If yes, then it's practically safe. I've personally used this to debug ping/routing issues.

But I would recommend narrowing down your ACL to specific hosts or a subnet.

The original poster asks a good question about the operation of debug with an access list. The answer is that debug still looks at every packet. The access list controls and limits what debug will report but debug still examines every packet.

 

Like John I have used debug ip packet <acl> in an enterprise production environment. But be aware that debug is going to put some additional load on your device. The advice about making your access list as precise as possible is good advice. I would add that another thing to consider to limit the impact of debug is to control where debug output is sent. Writing debug output to the logging buffer (and viewing the output using the show log command) is the lowest impact way to run debug. Writing the debug output to your terminal session (using terminal monitor) is only slightly higher impact. Writing debug output to a syslog server increases the impact significantly. And the absolutely highest impact debug is if you write the debug output to the console.

 

HTH

 

Rick


paul.blawrence
Level 1

Guess what, I ran a debug ip packet some time ago in my rookie years. It shut down my router. It was a small site setup not yet in production. I was in luck.

You tell us that you ran debug ip packet. But it is not clear whether you used an ACL to limit the effect of the debug.

 

A point that I would like to make is that using an ACL with debug ip packet makes it safer but does not automatically make it safe. You need to consider what the effect of the ACL will be. Think about an example like this: you have a router with one inside network which is 192.168.10.0 and an outside interface which is 1.2.3.4. And think about using this ACL with debug ip packet 100

access-list 100 permit ip 192.168.10.0 0.0.0.255 any

The amount of debug output suppressed would be minimal. And it might very well take down your router.

 

HTH

 

Rick

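To put the advice in this thread into one concrete IOS session (narrow the ACL to the hosts under test, send debug output to the logging buffer rather than the console, check CPU first, and bound the debug window), here is an added example. It is not configuration posted by anyone in this thread; the addresses 192.168.10.25 and 10.20.30.40 are constructed placeholders for the inside host with the reachability problem and the destination it cannot reach, and ACL number 100 is reused from Rick's example above.

```cisco
! Added example, not from any poster in this thread. Addresses are constructed
! placeholders: 192.168.10.25 = inside host with the reachability problem,
! 10.20.30.40 = destination it cannot reach.
!
! 1. Baseline the CPU before enabling any debug (Ashok's 10-20% guidance).
show processes cpu sorted | include CPU utilization
!
! 2. Send debug output to the logging buffer only; console is the highest-impact
!    destination, syslog is next, buffer is the lowest.
configure terminal
 no logging console
 no logging monitor
 logging buffered 64000 debugging
!
! 3. Narrow the ACL to the two hosts and the protocol being tested.
!    Debug still inspects every packet; the ACL only limits what is reported,
!    so a broad match such as "permit ip 192.168.10.0 0.0.0.255 any" buys
!    almost nothing and can still take the router down.
 access-list 100 permit icmp host 192.168.10.25 host 10.20.30.40
 access-list 100 permit icmp host 10.20.30.40 host 192.168.10.25
end
!
! 4. Run the debug for a short, bounded window, then switch it off.
debug ip packet 100
! ... generate a handful of pings from 192.168.10.25 to 10.20.30.40 ...
undebug all
!
! 5. Read the captured output from the buffer after the debug is off.
show logging | include 192.168.10.25
!
! 6. Clean up: remove the temporary ACL and restore console logging.
configure terminal
 no access-list 100
 logging console
end
```

Two usage notes: run `undebug all` before reading the buffer so the output stops growing while you look at it, and keep in mind that on platforms where the traffic is fast- or CEF-switched, `debug ip packet` only shows process-switched packets, so an empty buffer does not by itself prove the traffic never passed through the router.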