Saturday, November 1, 2025

Cisco Router Debug Using ACL

I was unable to debug IP traffic using a named ACL, so I used an extended numbered ACL instead. I also used an object group to group together public IP subnets and add more subnets as needed.

Router#debug ip packet ?      
  <1-199>      Access list
  <1300-2699>  Access list (expanded range)
  detail       Print more debugging detail
  <cr>         <cr>

Router#configure terminal          
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#object-group network MY-PUBLIC-IP 
Router(config-network-group)#202.8.6.0 255.255.255.0
Router(config-network-group)#exit
Router(config)#interface GigabitEthernet0/0/0
Router(config-if)#no ip access-group MY-PUBLIC-IP-IN in
Router(config-if)#ip access-list extended 101
Router(config-ext-nacl)# permit ip object-group MY-PUBLIC-IP any
Router(config-ext-nacl)# permit ip host 8.8.8.8 any 
Router(config-ext-nacl)#exit
Router(config)#interface GigabitEthernet0/0/0
Router(config-if)#ip access-group 101 in
Router(config-if)#end


Router#ping 8.8.8.8 source 192.168.14.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.14.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

Router#debug ip packet ?
  <1-199>      Access list
  <1300-2699>  Access list (expanded range)
  detail       Print more debugging detail
  <cr>         <cr>

Router#debug ip packet 101 ?
  detail  Print more debugging detail
  <cr>    <cr>

Router#debug ip packet 101 
IP packet debugging is on for access list 101

Router#terminal monitor   // DISPLAY DEBUG OUTPUT WHEN CONNECTED VIA SSH

I tried to ping the Internet (Google DNS 8.8.8.8) and the debug output displayed the traffic source and destination IP addresses.

Router#ping 8.8.8.8 source 192.168.14.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.14.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms


Oct 26 09:53:48.164 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
Oct 26 09:53:48.169 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
Oct 26 09:53:48.175 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
Oct 26 09:53:48.181 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
MCT1-OOB-GW01#
Oct 26 09:53:48.186 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
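
When a capture like the one above runs longer than a few pings, it is easier to read as a per-flow summary. The following is an added example, not part of the original post: it parses lines in the debug format shown above, skips interleaved prompts, counts packets per flow, and lists any source address that matches neither permit entry of ACL 101. The sample input is constructed, 198.51.100.7 is a made-up documentation address, and 202.8.6.0/24 is the object-group subnet written in prefix form.

```python
import ipaddress
import re
from collections import Counter

# Sources permitted by ACL 101 in the post: object-group MY-PUBLIC-IP
# (202.8.6.0 255.255.255.0, written here as a /24) plus host 8.8.8.8.
ACL_101_SOURCES = [ipaddress.ip_network("202.8.6.0/24"),
                   ipaddress.ip_network("8.8.8.8/32")]

# Matches the "debug ip packet" line layout shown in the post.
DEBUG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+\s+\w+): IP: tableid=(?P<table>\d+), "
    r"s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), "
    r"d=(?P<dst>[\d.]+) \((?P<out_if>[^)]+)\)"
    r"(?: nexthop=(?P<nexthop>[\d.]+))?,\s*(?P<action>.+)$"
)

def parse_debug(text):
    """Return one dict per debug line; prompts and blank lines are skipped."""
    return [m.groupdict() for m in map(DEBUG_LINE.match, text.splitlines()) if m]

def summarize(packets):
    """Count packets per (source, ingress interface, destination, egress interface)."""
    return Counter((p["src"], p["in_if"], p["dst"], p["out_if"]) for p in packets)

def outside_acl(packets, permitted=ACL_101_SOURCES):
    """Sources that match no permit entry, which this filter should never show."""
    return sorted({p["src"] for p in packets
                   if not any(ipaddress.ip_address(p["src"]) in n for n in permitted)})

# Constructed sample: two lines in the post's format, a stray prompt, and one
# line with a made-up documentation source address (198.51.100.7).
SAMPLE = """\
Oct 26 09:53:48.164 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
Router#
Oct 26 09:53:48.169 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
Oct 26 09:53:48.175 UTC: IP: tableid=0, s=198.51.100.7 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
"""

if __name__ == "__main__":
    pkts = parse_debug(SAMPLE)
    for flow, count in summarize(pkts).items():
        print(count, flow)
    print("sources outside ACL 101:", outside_acl(pkts))
```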