Cool Cisco Certification exam Debug Tricks - Syslog & AS Number

Home > Blogs > Cisco > Cool Cisco Certification exam Debug Tricks – Syslog & AS Number

Cool Cisco Certification exam Debug Tricks – Syslog & AS Number

Added by Mark Jacob October 1, 2012

If you are studying for a Cisco certification exam, odds are that you work in lab-type situations frequently. Maybe you use GNS3 or even one of the Virtual Lab solutions offered on the Cisco website. If that is the case, I have a couple of cool tricks to share with you.

One of them is related to syslog traffic. If you are not inclined to create an actual syslog server inside your virtual environment, but you still want to verify that syslog messages are being sent and received, try this process on one of your routers (the one you want to be your ‘fake’ syslog server).

First, create an extended access-list to match syslog traffic:

(config)# ip access-list extended 101
(config-ext-nacl)# permit udp any host 10.250.250.2 eq syslog

(The ip address 10.250.250.2 is assigned to a Loopback interface on the syslog-receiving router.)

Now create a debug command to watch for traffic matching that access-list:

# debug ip packet 101

Now if you go to another device in your virtual network (or real one too, this works either way) and configure it to send syslog messages to 10.250.250.2, you will see that traffic happens on the receiving device. Here’s a sample of output you can expect to see:

We are not really concerned here about deciphering the content, we just want to verify that syslog messages are being sent and received. The above output shows that we have succeeded!

A second cool trick is one for which I have been hunting myself for a while. I wanted to know how a person could retrieve the Autonomous System (AS) number in use if I wasn’t ‘in the know.’ For instance, I am on a router which is in the network, but on which the EIGRP routing protocol has not been configured. In this case, how can I determine the AS number in use? This is a trivial matter if my router IS running EIGRP and is already configured with the correct AS number. show ip eigrp topology will return the results I seek. Here is some sample output from that command:

The AS number is clearly evident. But when I am not configured, what can I do? I presented this challenge in a recent class and a student named Cara returned the next day with the following suggestion (she did not claim credit; she said someone told her, but I still appreciated her sharing).
First, create an extended access list to identify what you wish to observe. As EIGRP uses the multicast address of 224.0.0.10 to communicate, let’s latch on to that:

(config)# ip access-list extended 102
(config-ext-nacl)#permit ip any host 224.0.0.10

That’s all we need. Now we need to debug with the ‘dump’ keyword to push the raw data to the screen:

# debug ip packet detail 102 dump

Here is some sample output:

What we want to focus on here is the fifth hex chunk AFTER the E000000A. We can see above that the fifth chunk is hex 64. Some quick arithmetic will reveal that this is decimal value 100. Voila! There it is! The AS number in use is 100. That is so cool.

Now I have searched the net for that little gem, but I didn’t find that information until after Cara shared with me. But it is out there; apparently I need to refine my search engine skills even further. It must be a question of knowing what questions to ask. (Isn’t it always?!) Oh well, I am happy that I can sleep now that this persistent gnawing at my brain has been put to rest.

If you have any cool debug tricks you would like to share, I would love to hear about them!
Enjoy,