Mailing List Archive

Question for access-list
Hi!

I have a question regarding access-lists on a Cisco router
with 123-12a. I don't know if this is the right mailing list,
but perhaps someone knows this problem and could help me.

The main question is how a Cisco router uses the access-list.
I want to debug packets which are originated by the router
itself. Here is the reason for my problem.
I use NetFlow on the Cisco router and have some problems.
In my syslog I can see that some packets are lost and want to know
why, because the connection between the router and the data collector
is really good. I created an access-list and put it on the
interface which goes to the collector. The access-list is installed
for the outbound traffic.

Why can't I see the traffic matches in the access-list, even though
the IP packets are sent to the collector, which I can see
via a sniffer?

Any ideas ?

Best regards,
Ahmad

--
Ahmad Cheikh-Moussa
NetUSE AG
Dr.-Hell-Straße, 24107 Kiel, Germany
Telefon: +49 431 2390 400 -- Telefax: +49 431 2390 499
Service: Service@NetUSE.DE -- http://NetUSE.DE/
RE: Question for access-list
>
> The main question is how a cisco router use the access-list ?
> I wannt to debug packets, which are originated by the router
> itselves. [...]
>
> Why I can't see the traffic matches in the access-list, whether
> the IP Packets are sent to the collectot, which I can see
> via a sniffer.

Packets originated by the router are not subject to access-list checks
on the outgoing/egress interface. This is why you don't "see" them in
the access-list counter.

NetFlow export packets are a special case anyway; those are sent without
any output feature treatment in order to send them most efficiently.

oli
Re: Question for access-list
Hi Oliver,

Thanks for your quick reply.
Any ideas how to debug such problems?
Is there another way to debug packets which are originated
from the router?

How can I have packet loss on a link which has
really high reliability and an average load which is
between 20 and 30%?

regards,
Ahmad

On Apr 01, 05, Oliver Boehmer (oboehmer) wrote:

RE: Question for access-list
So if you make a separate ACL X, not applied to the interface, for packets from your router's ip to Y destination, and run "debug ip pack X", you don't see them?

josh duffek network engineer
consultantjd16 at ridemetro.org

> -----Original Message-----
> From: cisco-nas-bounces@puck.nether.net [mailto:cisco-nas-
> bounces@puck.nether.net] On Behalf Of Ahmad Cheikh-Moussa
> Sent: Friday, April 01, 2005 1:02 PM
> To: Oliver Boehmer (oboehmer)
> Cc: cisco-nas@puck.nether.net
> Subject: Re: [cisco-nas] Question for access-list
> _______________________________________________
> cisco-nas mailing list
> cisco-nas@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nas
Re: Question for access-list
Hi Josh,

I tried this too, but unfortunately it didn't work.

regards,
Ahmad


Re: Question for access-list
maybe disable route-cache?

RE: Question for access-list
>
> thanks for your quick reply.
> Any ideas how to debug such problems ?

Use "show ip flow export" to watch the local NetFlow export counters; "debug ip flow export" traces the export process.

> Is there another way to debug packets, which are originated
> from the router ?

"debug ip packet <acl>", but this might not work for NetFlow export packets since they bypass most of the features (I mentioned this already).

> How can I have packet loss on a link, which have
> a really big realibility and average load which is
> betwen 20 and 30 %

There could be several reasons NetFlow packets won't make it to the collector; link capacity is only one of them. Unless you see any drops on the interface or any errors in "show ip flow export", it can be safely assumed that the problem lies elsewhere.

If you are dealing with too many flows, Netflow aggregation could be evaluated..

oli



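Since the export packets bypass the egress ACL and "debug ip packet" on the router, the remaining place to measure loss is the sniffer capture Ahmad already has. The following is an added example, not code from anyone in this thread: it parses the 24-byte NetFlow v5 export header and uses the cumulative flow_sequence counter (each packet carries the number of flows exported before it, so the next packet from the same engine should carry previous.flow_sequence + previous.count) to find gaps between router and sniffer. It assumes the reader has already extracted the UDP payloads from the capture; the datagrams embedded below are constructed for illustration, with zero-filled records.

```python
"""Detect NetFlow v5 export loss from captured export datagrams (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# NetFlow v5 header: version, count, SysUptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes, big-endian).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48          # each v5 flow record is 48 bytes


@dataclass
class V5Header:
    version: int
    count: int
    sys_uptime: int
    unix_secs: int
    unix_nsecs: int
    flow_sequence: int
    engine_type: int
    engine_id: int
    sampling_interval: int


def parse_v5_header(datagram: bytes) -> V5Header:
    """Parse and sanity-check the v5 header of one export datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    hdr = V5Header(*V5_HEADER.unpack_from(datagram, 0))
    if hdr.version != 5:
        raise ValueError(f"not NetFlow v5 (version={hdr.version})")
    if not 1 <= hdr.count <= 30:
        raise ValueError(f"bad record count {hdr.count}")
    expected_len = V5_HEADER.size + hdr.count * V5_RECORD_LEN
    if len(datagram) != expected_len:
        raise ValueError(f"length {len(datagram)} != expected {expected_len}")
    return hdr


def find_sequence_gaps(datagrams: List[bytes]) -> List[Tuple[int, int, int]]:
    """Return (packet_index, expected_sequence, observed_sequence) per gap.

    Sequences are tracked per (engine_type, engine_id). A packet whose
    sequence is below the expected value is treated as reordered, not lost.
    """
    gaps: List[Tuple[int, int, int]] = []
    next_seq: Dict[Tuple[int, int], int] = {}
    for i, dg in enumerate(datagrams):
        hdr = parse_v5_header(dg)
        key = (hdr.engine_type, hdr.engine_id)
        if key in next_seq and hdr.flow_sequence > next_seq[key]:
            gaps.append((i, next_seq[key], hdr.flow_sequence))
        # the counter is 32-bit and wraps
        next_seq[key] = (hdr.flow_sequence + hdr.count) & 0xFFFFFFFF
    return gaps


def lost_flows(gaps: List[Tuple[int, int, int]]) -> int:
    """Total number of flow records that never reached the capture point."""
    return sum(observed - expected for _, expected, observed in gaps)


def build_v5_datagram(flow_sequence: int, count: int, engine_id: int = 0) -> bytes:
    """Constructed datagram: a valid v5 header followed by zero-filled records."""
    hdr = V5_HEADER.pack(5, count, 1000, 1112378520, 0, flow_sequence, 0, engine_id, 0)
    return hdr + b"\x00" * (count * V5_RECORD_LEN)


# Constructed capture: the datagram carrying flows 60..89 was never seen.
SAMPLE_CAPTURE = [
    build_v5_datagram(0, 30),
    build_v5_datagram(30, 30),
    build_v5_datagram(90, 10),   # expected sequence 60: 30 flows missing
    build_v5_datagram(100, 5),
]

if __name__ == "__main__":
    found = find_sequence_gaps(SAMPLE_CAPTURE)
    for idx, exp, obs in found:
        print(f"packet {idx}: expected seq {exp}, got {obs} ({obs - exp} flows missing)")
    print("total flows lost:", lost_flows(found))
```

Run the same function over the payloads captured on the router side and on the collector side: gaps that appear only at the collector point at the path or the collector host, while gaps already present next to the router mean the export process itself is dropping, which is what "show ip flow export" would also show.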