debug ip packet (was: RE: [c-nsp] Injecting Routes Remotely)

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Sat Feb 26 11:26:14 EST 2005


> BTW as a good question for list: is it ever feasible to use 'debug ip
> packet' with an access-list to limit the printed packets in a
> production environment.... Throughout all books I've ever read they
> say never use debug in a production environment but I can see how
> using this with an access-list could leverage the router like a
> packet sniffer and would enable you to view some traffic in some
> pretty tough areas of the network to get to... 

Since ip packet debug (with or without an ACL) will only catch packets
being process switched, you won't be able to "sniff" transit packets
this way since those are usually interrupt-switched. And if you punt all
packets to the process path in order to possibly catch/debug them, pps
performance goes down the drain.
Given this fact, I usually find nothing wrong with using "debug ip packet
<acl>" to troubleshoot control plane issues (i.e. pkts to/from the
router), even in a production environment.

	oli
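An added illustration (not from Oli's message or any Cisco document) of the control-plane-scoped use he describes: the ACL restricts the debug to a BGP session between the router itself and one peer. The addresses 192.0.2.1 (router) and 192.0.2.2 (peer) and ACL number 150 are placeholders.

```cisco
! Added example, not part of the original post. Addresses are placeholders:
! 192.0.2.1 is the router's own interface address, 192.0.2.2 is the BGP peer.
!
! --- global configuration mode ---
! Keep debug output off the console and in the log buffer instead, so a
! burst of matches cannot tie up the console line.
no logging console
logging buffered 64000 debugging
!
! Extended ACL matching only the control-plane flow of interest:
! BGP (TCP/179) between the peer and the router's own address, both directions.
! Transit traffic never matches, and would not be seen anyway because it is
! not process switched.
access-list 150 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
access-list 150 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
!
! --- privileged exec mode ---
! Attach the ACL to the packet debug; "detail" adds L4 port information.
debug ip packet 150 detail
!
! Review the captured lines, then switch the debug off again.
show logging
undebug all
```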


