So I'm trying to trace an ICMP conversation between the 192.168.100.230/32 EZVPN interface (Virtual-Access 3) and 192.168.100.20 on BVI4.
    # sh ip access-lists 199
        10 permit icmp 192.168.100.0 0.0.0.255 host 192.168.100.20
        20 permit icmp host 192.168.100.20 192.168.100.0 0.0.0.255
    # sh debug
    Generic IP:
      IP packet debugging is on for access list 199
    # sh ip route | incl 192.168.100
         192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
    C       192.168.100.0/24 is directly connected, BVI4
    S       192.168.100.230/32 [1/0] via xxxx, Virtual-Access3
    # sh log | inc Buff
        Buffer logging: level debugging, 2145 messages logged, xml disabled,
    Log Buffer (16384 bytes):
OK, so from my EZVPN client at IP address 192.168.100.230, I ping 192.168.100.20. I know the packets reach the router through the VPN tunnel, because:
    policy exists on zp vpn-to-in
     Zone-pair: vpn-to-in
      Service-policy inspect : acl-based-policy
        Class-map: desired-traffic (match-all)
          Match: access-group name my-acl
       Inspect
          Number of Half-open Sessions = 1
          Half-open Sessions
            Session 84DB9D60 (192.168.100.230:8)=>(192.168.100.20:0) icmp SIS_OPENING
              Created 00:00:05, Last heard 00:00:00
              ECHO request
              Bytes sent (initiator:responder) [64:0]
        Class-map: class-default (match-any)
          Match: any
          Drop
            176 packets, 12961 bytes
But I get no debug log, and the debug ACL has no matches:
    # sh log | inc IP:
    #
    # sh ip access-lists 198
    Extended IP access list 198
        10 permit icmp 192.168.100.0 0.0.0.255 host 192.168.100.20
        20 permit icmp host 192.168.100.20 192.168.100.0 0.0.0.255
Am I going crazy, or should I not expect to see this debug log?
Thanks!
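Yes, it is possible to debug transit traffic. However, it will only show up in the debug if it is 'software routed'. Traffic originating from the router itself qualifies automatically, but transit traffic going through 'fast switching' or 'Cisco Express Forwarding' is typically 'flow switched' and is never handled by the router CPU.
To force it to show up in the debug, you need to disable fast switching with 'no ip route-cache' and/or 'no ip route-cache cef' in interface configuration mode.
See How to Verify Cisco Express Forwarding Switching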