When I use debug ip packet with a mask (access list) on a Cisco IOS router, should I expect ICMP transit traffic to show up?

So I'm trying to trace an ICMP conversation between 192.168.100.230/32 on an EZVPN interface (Virtual-Access 3) and 192.168.100.20 on BVI4.

# sh ip access-lists 199

  10 permit icmp 192.168.100.0 0.0.0.255 host 192.168.100.20
  20 permit icmp host 192.168.100.20 192.168.100.0 0.0.0.255

# sh debug

  Generic IP:
    IP packet debugging is on for access list 199

# sh ip route | incl 192.168.100

    192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.100.0/24 is directly connected, BVI4
S       192.168.100.230/32 [1/0] via x.x.x.x, Virtual-Access3

# sh log | inc Buff
  Buffer logging:  level debugging, 2145 messages logged, xml disabled,
  Log Buffer (16384 bytes):

OK, from the EZVPN client with IP address 192.168.100.230 I ping 192.168.100.20. I know the packets are reaching the router through the VPN tunnel because:

policy exists on zp vpn-to-in
 Zone-pair: vpn-to-in

  Service-policy inspect : acl-based-policy

   Class-map: desired-traffic (match-all)
      Match: access-group name my-acl

   Inspect

      Number of Half-open Sessions = 1
      Half-open Sessions
        Session 84DB9D60 (192.168.100.230:8)=>(192.168.100.20:0) icmp SIS_OPENING
          Created 00:00:05, Last heard 00:00:00
          ECHO request
          Bytes sent (initiator:responder) [64:0]


   Class-map: class-default (match-any)
     Match: any
     Drop
       176 packets, 12961 bytes

But I'm not getting any debug log, and the debug ACL hasn't matched yet:

# sh log | inc IP:
#

# sh ip access-lists 198

Extended IP access list 198
10 permit icmp 192.168.100.0 0.0.0.255 host 192.168.100.20
20 permit icmp host 192.168.100.20 192.168.100.0 0.0.0.255

Am I crazy, or should I not expect to see this debug output?

Thanks!

Answer 1

Yes, it is possible to debug transit traffic. However, it only shows up in the debug when it is "routed in software". Traffic to and from the router itself automatically qualifies, but transit traffic is normally "fast switched" or handled by "Cisco Express Forwarding" rather than "process switched", and is never handled by the router CPU.

To force it to appear in the debug, you need to disable fast switching with "no ip route-cache" and/or "no ip route-cache cef" in interface configuration mode.

How to Verify Cisco Express Forwarding Switching
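The procedure the answer describes, written out as an added example (not part of the original question or answer). The interface names BVI4 and Virtual-Access3 and access list 199 come from the question; the Virtual-Template number is an assumption, since Virtual-Access interfaces are cloned from a template and the route-cache setting has to be changed there rather than on the cloned interface:

```cisco
! Added example, not from the original post. Virtual-Template1 is assumed.
!
! Step 1: check how the two interfaces are currently switched. With fast or
! CEF switching enabled, transit packets never reach the process path that
! "debug ip packet" hooks into, which is why the debug ACL shows no matches.
Router# show ip interface BVI4 | include switching
Router# show ip interface Virtual-Access3 | include switching

! Step 2: force process switching on both sides of the conversation.
! "no ip route-cache cef" turns off CEF on the interface; "no ip route-cache"
! turns off fast switching. Every packet on these interfaces now hits the CPU,
! so keep the debug ACL as narrow as it already is and do not leave this on.
Router# configure terminal
Router(config)# interface BVI4
Router(config-if)# no ip route-cache cef
Router(config-if)# no ip route-cache
Router(config-if)# exit
! Assumed template: the EZVPN Virtual-Access interface inherits this setting.
! An already-established session may need to be re-established to pick it up.
Router(config)# interface Virtual-Template1
Router(config-if)# no ip route-cache cef
Router(config-if)# no ip route-cache
Router(config-if)# end

! Step 3: debug only what ACL 199 permits, with ICMP type/code detail,
! then run the ping from 192.168.100.230 and read the buffered log.
Router# debug ip packet 199 detail
Router# show logging | include IP:
Router# show ip access-lists 199

! Step 4: always undo it. Leaving the interfaces process switched is a
! self-inflicted denial of service on a production router.
Router# undebug all
Router# configure terminal
Router(config)# interface BVI4
Router(config-if)# ip route-cache
Router(config-if)# ip route-cache cef
Router(config-if)# exit
Router(config)# interface Virtual-Template1
Router(config-if)# ip route-cache
Router(config-if)# ip route-cache cef
Router(config-if)# end
```

Two things worth checking while doing this: the access list that "show debug" reports (199 in the question) must be the one whose hit counters you watch afterwards, and a match in the zone-based firewall session table only proves the packet was inspected, not that it took the process-switched path, so the firewall counters and the debug output can legitimately disagree until route caching is turned off.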
