From the Library of Outcast Outcast

CCNP Routing and
Switching TSHOOT 300-135
Official Cert Guide

Raymond Lacoste
CCSI/CCNP
Kevin Wallace
CCIE No. 7945

Cisco Press
800 East 96th Street

Indianapolis, IN 46240

ii CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide

CCNP Routing and Switching TSHOOT 300-135
Official Cert Guide
Raymond Lacoste, CCSI/CCNP

Kevin Wallace, CCIE No. 7945

Copyright© 2015 Pearson Education, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage and retrieval
system, without written permission from the publisher, except for the inclusion of brief quotations in a
review.

Printed in the United States of America

First Printing December 2014

Library of Congress Control Number: 2014950275

ISBN-10: 1-58720-561-0

ISBN-13: 978-1-58720-561-3

Warning and Disclaimer
This book is designed to provide information about the 300-135 Troubleshooting and Maintaining Cisco
IP Networks (TSHOOT) exam for the CCNP Routing and Switching certification. Every effort has been
made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall
have neither liability nor responsibility to any person or entity with respect to any loss or damages
arising from the information contained in this book or from the use of the discs or programs that may
accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems,
Inc.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately
capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information.
Use of a term in this book should not be regarded as affecting the validity of any trademark or service
mark.

Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may
include electronic versions; custom cover designs; and content particular to your business, training goals,
marketing focus, or branding interests), please contact our corporate sales department at
corpsales@pearsoned.com or (800) 382-3419.

For government sales inquiries, please contact governmentsales@pearsoned.com.

For questions about sales outside the U.S., please contact international@pearsoned.com.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book
is crafted with care and precision, undergoing rigorous development that involves the unique expertise
of members from the professional technical community.

Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we
could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us
through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your
message.

We greatly appreciate your assistance.
Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Business Operation Manager, Cisco Press: Jan Cornelssen
Executive Editor: Brett Bartow
Managing Editor: Sandra Schroeder
Development Editor: Ellie Bru
Project Editor: Mandie Frank
Copy Editor: Keith Cline
Technical Editors: Ryan Lindfield, Diane Teare
Team Coordinator: Vanessa Evans
Designer: Mark Shirar
Composition: Tricia Bronkella
Indexer: Lisa Stumpf
Proofreader: The WordSmithery LLC

About the Authors
Raymond Lacoste is a Cisco Certified Systems Instructor (CCSI) who has dedicated his
IT career to teaching others. Starting out as a mentor at Skillsoft, he helped students with
their studies, explaining various Cisco, Microsoft, and industry-related concepts in ways
that improved the students' understanding. Now he spends his days at Skillsoft teaching
the CCNA and CCNP Routing and Switching certification track. He has taught over 300
Cisco classes in addition to the countless practice labs, demonstrations, hands-on labs,
and student guides he has developed. However, it is not just about teaching, it is also
about learning. To date, Raymond has passed more than 100 IT certification exams as he
continues to keep his learning and knowledge up-to-date. His certification wall includes
various Cisco certifications, Microsoft certifications, CompTIA certifications, and the
ISC2 CISSP (Certified Information Systems Security Professional) designation. He was
also awarded the Cisco Sirius Top Quality Instructor award. His next goal is to achieve
the CCIE designation in Routing and Switching. Raymond lives in Atlantic, Canada, with
his wife, Melanie, and two children.

Kevin Wallace, CCIEx2 (Collaboration and R/S) #7945, CCSI #20061: With Cisco
experience dating back to 1989, Kevin has been a network design specialist for the Walt
Disney World Resort, an instructor of Cisco courses for Skillsoft, and a network manager
for Eastern Kentucky University.

Kevin currently produces video courses and writes books for Cisco Press/Pearson IT
Certification (http://kwtrain.com/books), and he lives in central Kentucky with his wife
(Vivian) and two daughters (Stacie and Sabrina).

Kevin can be followed on these social media platforms.

Blog: http://kwtrain.com

Twitter: http://twitter.com/kwallaceccie

Facebook: http://facebook.com/kwallaceccie

YouTube: http://youtube.com/kwallaceccie

LinkedIn: http://linkedin.com/in/kwallaceccie

Google+: http://google.com/+KevinWallace

About the Technical Reviewers
Ryan Lindfield is an instructor and technical consultant with Stormwind. On a typical
day he’s broadcasting official Cisco training from a video studio. When not in the
virtual classroom, he can be found supporting customer networks. Ryan has nearly
20 years of technical consulting experience, and over a decade in the classroom. He
has delivered training for network, security, and data center technologies around the
world. Certifications include: CCNP Routing & Switching, CCNP Security, HP Master
Accredited Systems Engineer, VMware VCP, CEH, CISSP, SANS GFCA, CISSP, ECSA,
CHFI, CPTE, CPTC, OSWP, and many Microsoft and CompTIA certifications. Ryan
leads a 150 member Defcon user group in Tampa, FL, and has given presentations for
ISC2 and B-Sides computer security events.

Diane Teare, P.Eng, CCNP, CCDP, CCSI, PMP, is a professional in the networking,
training, project management, and e-learning fields. She has more than 25 years of
experience in designing, implementing, and troubleshooting network hardware and software,
and has been involved in teaching, course design, and project management. She
has extensive knowledge of network design and routing technologies. Diane is a Cisco
Certified Systems Instructor (CCSI), and holds her Cisco Certified Network Professional
(CCNP), Cisco Certified Design Professional (CCDP), and Project Management
Professional (PMP) certifications. She is an instructor, and the Course Director for the
CCNA and CCNP Routing and Switching curriculum, with one of the largest authorized
Cisco Learning Partners. She was the director of e-learning for the same company, where
she was responsible for planning and supporting all the company’s e-learning offerings in
Canada, including Cisco courses. Diane has a Bachelor’s degree in applied science in electrical
engineering and a Master’s degree in applied science in management science. She
authored or co-authored the following Cisco Press titles: the first and second editions
of Implementing Cisco IP Routing (ROUTE); the second edition of Designing Cisco
Network Service Architectures (ARCH); Campus Network Design Fundamentals; the
three editions of Authorized Self-Study Guide Building Scalable Cisco Internetworks
(BSCI); and Building Scalable Cisco Networks. Diane edited the first two editions
of the Authorized Self-Study Guide Designing for Cisco Internetwork Solutions
(DESGN), and also edited Designing Cisco Networks.

Dedications
This book is dedicated to two very special people who supported me in my early years
of IT, without whom this book would not have been possible. I will forever be grateful
for the opportunity you gave me so many years ago to pursue my career. Thank you!

Raymond Lacoste

Acknowledgments
A big thank you to my wife for encouraging me to write this book and supporting me
over the months that it took to complete it. Great big hugs to my two wonderful children,
ages 9 and 5, who had no idea why Daddy was always sitting at the computer; for
some strange reason, though, they knew that it was important and supported me in their
own mysterious ways. I love you guys!

An equally big thank you to my parents, without whom I would not be where I am or
who I am today, and to my sister, Terry-Anne, who always kicked me in the right direction.

Thanks to Dan Young, my mentor and the Director of Live Learning at Skillsoft, for all
the support and encouragement you have provided me all these years.

I’d like to thank Ellie Bru, my Development Editor, for organizing and putting into
action all the parts needed to develop this book (definitely not an easy task).

Thank you to Mandie Frank, my Production Editor, for putting all the final pieces of
this book together so nicely and making sure that it resembles a book.

Thank you to Diane Teare and Ryan Lindfield for reviewing the book and making sure
it’s technically sound.

Keith Cline, thank you for making sure all i’s were “crossed” and t’s “dotted” within the
book. (HaHaHa) You found some items in this book that I didn’t even know existed.
Thank you!

Thank you to Brett Bartow, my Executive Editor, for giving me the opportunity to write
this detailed book.

A big thank you to Kevin Wallace, the author of the previous edition of TSHOOT and a
friend, who passed the torch on to me for this edition. Thank you.

Lastly, thank you to the entire team at Cisco Press, their families and friends, who work
extremely hard to produce high-quality training materials.

—Raymond Lacoste

Contents at a Glance
Introduction xxx

Part I Fundamental Troubleshooting and Maintenance Concepts
Chapter 1 Introduction to Troubleshooting and Network Maintenance 3

Chapter 2 Troubleshooting and Maintenance Tools 41

Chapter 3 Troubleshooting Device Performance 93

Part II Troubleshooting Cisco Catalyst Switch Features
Chapter 4 Troubleshooting Layer 2 Trunks, VTP, and VLANs 129

Chapter 5 Troubleshooting STP and Layer 2 EtherChannel 169

Chapter 6 Troubleshooting Inter-VLAN Routing and Layer 3 EtherChannels 209

Chapter 7 Troubleshooting Switch Security Features 247

Chapter 8 Troubleshooting First-Hop Redundancy Protocols 287

Part III Troubleshooting Router Features
Chapter 9 Troubleshooting IPv4 Addressing and Addressing Technologies 335

Chapter 10 Troubleshooting IPv6 Addressing and Addressing Technologies 367

Chapter 11 Troubleshooting IPv4 and IPv6 ACLs and Prefix Lists 397

Chapter 12 Troubleshooting Basic IPv4/IPv6 Routing and GRE Tunnels 423

Chapter 13 Troubleshooting RIPv2 and RIPng 463

Chapter 14 Troubleshooting EIGRP 513

Chapter 15 Troubleshooting OSPF 587

Chapter 16 Troubleshooting Route Maps and Policy-Based Routing 675

Chapter 17 Troubleshooting Redistribution 697

Chapter 18 Troubleshooting BGP 749

Part IV Troubleshooting Management
Chapter 19 Troubleshooting Management Protocols and Tools 815

Chapter 20 Troubleshooting Management Access 851

Part V Final Preparation
Chapter 21 Additional Trouble Tickets 871

Chapter 22 Final Preparation 943

Part VI Appendixes
Appendix A Answers to the “Do I Know This Already” Quizzes 951

Appendix B TSHOOT Exam Updates 957

Index 960

CD-Only Appendixes and Glossary
Appendix C Memory Tables

Appendix D Memory Tables Answer Key

Appendix E Study Planner

Glossary

Contents
Introduction xxx

Part I Fundamental Troubleshooting and Maintenance Concepts

Chapter 1 Introduction to Troubleshooting and Network Maintenance 3
“Do I Know This Already?” Quiz 3
Foundation Topics 9
Introduction to Troubleshooting 9
Defining Troubleshooting 9
The Value of Structured Troubleshooting 11
A Structured Approach 13
1. Problem Report 13
2. Collect Information 14
3. Examine Collected Information 15
4. Eliminate Potential Causes 16
5. Propose an Hypothesis 17
6. Verify Hypothesis 18
7. Problem Resolution 19
Popular Troubleshooting Methods 20
The Top-Down Method 21
The Bottom-Up Method 21
The Divide-and-Conquer Method 22
The Following the Traffic Path Method 23
The Comparing Configurations Method 23
The Component Swapping Method 24
Practice Exercise: Selecting a Troubleshooting Approach 25
Introduction to Network Maintenance 26
Defining Network Maintenance 26
Proactive Versus Reactive Network Maintenance 27
Well-Known Network Maintenance Models 28
Example of Adapting a Network Maintenance Model 28
Common Maintenance Procedures 29
Routine Maintenance Tasks 29
Scheduled Maintenance 30
Managing Network Changes 30
Maintaining Network Documentation 32
Restoring Operations After a Failure 33
Measuring Network Performance 34
The Troubleshooting and Network Maintenance Relationship 34
Maintaining Current Network Documentation 35
Establishing a Baseline 36
Communication 36
Change Management 37
Exam Preparation Tasks 39
Review All Key Topics 39
Define Key Terms 39

Chapter 2 Troubleshooting and Maintenance Tools 41
“Do I Know This Already?” Quiz 41
Foundation Topics 45
The Troubleshooting and Network Maintenance Toolkit 45
Network Documentation Tools 46
Basic Tools 47
CLI Tools 47
GUI Tools 48
Recovery Tools 48
Logging Tools 53
Network Time Protocol as a Tool 56
Advanced Tools 57
Overview of SNMP and NetFlow 57
Creating a Baseline with SNMP and NetFlow 58
SNMP 58
NetFlow 59
Cisco Support Tools 64
Using Cisco IOS to Verify and Define the Problem 64
Ping 64
Telnet 67
Traceroute 67
Using Cisco IOS to Collect Information 68
Filtering the Output of show Commands 69
Redirecting show Command Output to a File 73
Troubleshooting Hardware 74
Collecting Information in Transit 75
Performing Packet Captures 75
SPAN 76
RSPAN 78
Using Tools to Document a Network 80
Exam Preparation Tasks 85
Review All Key Topics 85
Define Key Terms 86
Complete Tables and Lists from Memory 86
Command Reference to Check Your Memory 86

Chapter 3 Troubleshooting Device Performance 93
“Do I Know This Already?” Quiz 93
Foundation Topics 96
Troubleshooting Switch Performance Issues 96
Cisco Catalyst Switch Troubleshooting Targets 96
TCAM Troubleshooting 101
High CPU Utilization Troubleshooting on a Switch 105
Troubleshooting Router Performance Issues 106
Excessive CPU Utilization 107
Understanding Packet-Switching Modes (Routers and Multilayer Switches) 113
Troubleshooting Packet-Switching Modes 116
Excessive Memory Utilization 121
Exam Preparation Tasks 124
Review All Key Topics 124
Define Key Terms 124
Complete Tables and Lists from Memory 125
Command Reference to Check Your Memory 125

Part II Troubleshooting Cisco Catalyst Switch Features

Chapter 4 Troubleshooting Layer 2 Trunks, VTP, and VLANs 129
“Do I Know This Already?” Quiz 129
Foundation Topics 132
Frame-Forwarding Process 132
Troubleshooting Trunks 140
Encapsulation Mismatch 141
Incompatible Trunking Modes 143
VTP Domain Name Mismatch 146
Native VLAN Mismatch 146
Allowed VLANs 147
Troubleshooting VTP 148
Domain Name Mismatch 148
Version Mismatch 149
Mode Mismatch 149
Password Mismatch 151
Higher Revision Number 151
Troubleshooting VLANs 152
Incorrect IP Addressing 152
Missing VLAN 153
Incorrect Port Assignment 154
The MAC Address Table 155
Layer 2 Trouble Tickets 157
Trouble Ticket 4-1 158
Trouble Ticket 4-2 160
Exam Preparation Tasks 165
Review All Key Topics 165
Define Key Terms 165
Complete Tables and Lists from Memory 166
Command Reference to Check Your Memory 166

Chapter 5 Troubleshooting STP and Layer 2 EtherChannel 169
“Do I Know This Already?” Quiz 169
Foundation Topics 172
Spanning Tree Protocol Overview 172
Reviewing STP Operation 173
Determining Root Port 175
Determining Designated Port 176
Determining Nondesignated Port 176
Collecting Information About an STP Topology 177
Gathering STP Information 177
Gathering MSTP Information 179
STP Troubleshooting Issues 180
Corruption of a Switch’s MAC Address Table 180
Broadcast Storms 181
Troubleshooting STP Features 182
PortFast 183
BPDU Guard 184
BPDU Filter 187
Root Guard 189
Loop Guard 190
STP Trouble Tickets 190
Trouble Ticket 5-1 191
Trouble Ticket 5-2 194
Trouble Ticket 5-3 196
Troubleshooting Layer 2 EtherChannel 199
Reviewing Layer 2 EtherChannel 199
EtherChannel Trouble Tickets 200
Trouble Ticket 5-4 201
Trouble Ticket 5-5 204
Exam Preparation Tasks 206
Review All Key Topics 206
Define Key Terms 206
Complete Tables and Lists from Memory 207
Command Reference to Check Your Memory 207

Chapter 6 Troubleshooting Inter-VLAN Routing and Layer 3 EtherChannels 209
“Do I Know This Already?” Quiz 209
Foundation Topics 212
Troubleshooting a Router-on-a-Trunk/Stick 212
Router-on-a-Trunk/Stick Trouble Tickets 213
Trouble Ticket 6-1 214
Trouble Ticket 6-2 218
Troubleshooting Switched Virtual Interfaces 221
Reviewing SVIs 221
Troubleshooting SVIs 223
SVI Trouble Tickets 224
Trouble Ticket 6-3 225
Trouble Ticket 6-4 230
Troubleshooting Routed Ports 233
Routed Ports Trouble Tickets 234
Trouble Ticket 6-5 235
Troubleshooting Layer 3 EtherChannel 237
Layer 3 EtherChannel Trouble Tickets 239
Trouble Ticket 6-6 240
Exam Preparation Tasks 244
Review All Key Topics 244
Define Key Terms 244
Complete Tables and Lists from Memory 245
Show Command Reference to Check Your Memory 245

Chapter 7 Troubleshooting Switch Security Features 247
“Do I Know This Already?” Quiz 247
Foundation Topics 250
Troubleshooting Port Security 250
Common Port Security Issues 250
Port Security Configured but Not Enabled 250
Static MAC Address Not Configured Correctly 251
Maximum Number of MAC Addresses Reached 253
Legitimate Users Being Blocked Because of Violation 254
Running Configuration Not Saved to Startup Configuration 260
Port Security Trouble Tickets 261
Trouble Ticket 7-1 261
Troubleshooting Spoof-Prevention Features 265
DHCP Snooping 265
Dynamic ARP Inspection 267
IP Source Guard 268
Spoof-Prevention Features Trouble Tickets 270
Trouble Ticket 7-2 270
Troubleshooting Access Control 273
Protected Ports 273
Private VLANs 275
VACLs 279
Exam Preparation Tasks 281
Review All Key Topics 281
Define Key Terms 282
Command Reference to Check Your Memory 282

Chapter 8 Troubleshooting First-Hop Redundancy Protocols 287
“Do I Know This Already?” Quiz 287
Foundation Topics 290
Troubleshooting HSRP 290
Reviewing HSRP 290
HSRP Converging After a Failure 291
HSRP Verification and Troubleshooting 292
Virtual Router MAC Address 293
Interface Tracking 293
Verifying First Hop 294
Debug 296
HSRP Trouble Tickets 297
Trouble Ticket 8-1 297
Trouble Ticket 8-2 300
Trouble Ticket 8-3 302
Troubleshooting VRRP 306
Reviewing VRRP 306
VRRP Verification and Troubleshooting 308
Virtual Router MAC Address 309
Object Tracking 309
Verifying First Hop 310
VRRP Trouble Tickets 312
Trouble Ticket 8-4 312
Trouble Ticket 8-5 315
Troubleshooting GLBP 318
Reviewing GLBP 319
GLBP Verification and Troubleshooting 321
Virtual Router MAC Addresses 323
GLBP Object Tracking 323
Verifying GLBP First Hop 325
GLBP Trouble Tickets 326
Trouble Ticket 8-6 327
Trouble Ticket 8-7 329
Comparing HSRP, VRRP, and GLBP 330
Exam Preparation Tasks 332
Review All Key Topics 332
Define Key Terms 333
Complete Tables and Lists from Memory 333
Command Reference to Check Your Memory 333

Part III Troubleshooting Router Features

Chapter 9 Troubleshooting IPv4 Addressing and Addressing Technologies 335
“Do I Know This Already?” Quiz 335
Foundation Topics 338
Troubleshooting IPv4 Addressing 338
IPv4 Addressing Issues 338
Determining IP Addresses Within a Subnet 341
Troubleshooting DHCP for IPv4 342
Reviewing DHCP Operations 342
Potential DHCP Troubleshooting Issues 347
DHCP Troubleshooting Commands 348
Troubleshooting NAT 350
Reviewing NAT 350
NAT Troubleshooting Issues 353
NAT Troubleshooting Commands 354
IPv4 Addressing and Addressing Technologies Trouble Tickets 356
Trouble Ticket 9-1 356
Trouble Ticket 9-2 358
Trouble Ticket 9-3 361
Exam Preparation Tasks 364
Review All Key Topics 364
Define Key Terms 365
Command Reference to Check Your Memory 365

Chapter 10 Troubleshooting IPv6 Addressing and Addressing Technologies 367
“Do I Know This Already?” Quiz 367
Foundation Topics 370
Troubleshooting IPv6 Addressing 370
IPv6 Addressing Review 370
Neighbor Solicitation and Neighbor Advertisement 370
EUI-64 373
Troubleshooting IPv6 Address Assignment 375
Stateless Address Autoconfiguration/SLAAC 375
Stateful DHCPv6 381
Stateless DHCPv6 382
DHCPv6 Operation 384
DHCPv6 Relay Agent 385
IPv6 Addressing Trouble Tickets 386
Trouble Ticket 10-1 386
Trouble Ticket 10-2 389
Exam Preparation Tasks 394
Review All Key Topics 394
Define Key Terms 395
Command Reference to Check Your Memory 395

Chapter 11 Troubleshooting IPv4 and IPv6 ACLs and Prefix Lists 397
“Do I Know This Already?” Quiz 397
Foundation Topics 401
Troubleshooting IPv4 ACLs 401
Reading an IPv4 ACL 401
Using an IPv4 ACL for Filtering 403
Using a Time-Based IPv4 ACL 403
IPv4 ACL Trouble Tickets 405
Trouble Ticket 11-1 405
Troubleshooting IPv6 ACLs 407
Reading an IPv6 ACL 408
Using an IPv6 ACL for Filtering 409
IPv6 ACL Trouble Tickets 410
Trouble Ticket 11-2 410
Troubleshooting Prefix Lists 414
Reading a Prefix List 414
Prefix List Processing 415
Prefix List Trouble Tickets 416
Trouble Ticket 11-3 417
Exam Preparation Tasks 419
Review All Key Topics 419
Define Key Terms 419
Command Reference to Check Your Memory 419

Chapter 12 Troubleshooting Basic IPv4/IPv6 Routing and GRE Tunnels 423
“Do I Know This Already?” Quiz 423
Foundation Topics 427
Packet-Forwarding Process 427
Reviewing Layer 3 Packet-Forwarding Process 427
Troubleshooting the Packet-Forwarding Process 431
Troubleshooting Routing Information Sources 435
Data Structures and the Routing Table 436
Sources of Route Information 436
Troubleshooting Static Routes 438
IPv4 Static Routes 439
IPv6 Static Routes 443
Static Routing Trouble Tickets 445
Trouble Ticket 12-1 445
Trouble Ticket 12-2 448
Troubleshooting GRE Tunnels 450
Exam Preparation Tasks 459
Review All Key Topics 459
Define Key Terms 460
Complete Tables and Lists from Memory 460
Command Reference to Check Your Memory 460

Chapter 13 Troubleshooting RIPv2 and RIPng 463
“Do I Know This Already?” Quiz 463
Foundation Topics 466
Troubleshooting RIPv2 466
Missing RIPv2 Routes 466
Interface Is Shut Down 469
Wrong Subnet 469
Bad or Missing Network Statement 470
Passive Interface 471
Wrong Version 473
Max Hop Count Exceeded 475
Authentication 477
Route Filtering 479
Split Horizon 480
Autosummarization 482
Better Source of Information 483
ACLs 485
Load Sharing 485
Other RIP Issues 486
Missing Default Route 486
Route Summarization 487
Troubleshooting RIPng 492
RIPv2 and RIPng Trouble Tickets 498
Trouble Ticket 13-1 498
Trouble Ticket 13-2 502
Trouble Ticket 13-3 506
Exam Preparation Tasks 509
Review All Key Topics 509
Define Key Terms 510
Command Reference to Check Your Memory 510

Chapter 14 Troubleshooting EIGRP 513
“Do I Know This Already?” Quiz 513
Foundation Topics 517
Troubleshooting EIGRP for IPv4 517
Troubleshooting EIGRP for IPv4 Neighbor Adjacencies 517
Interface Is Down 518
Mismatched Autonomous System Numbers 518
Incorrect Network Statement 520
Mismatched K Values 522
Passive Interface 523
Different Subnets 524
Authentication 525
ACLs 527
Timers 528
Troubleshooting EIGRP for IPv4 Routes 528
Bad or Missing Network Command 529
Better Source of Information 530
Route Filtering 534
Stub Configuration 535
Interface Is Shut Down 537
Split-horizon 537
Troubleshooting Miscellaneous EIGRP for IPv4 Issues 539
Feasible Successors 539
Discontiguous Networks and Autosummarization 542
Route Summarization 543
Load Balancing 544
EIGRP for IPv4 Trouble Tickets 546
Trouble Ticket 14-1 546
Trouble Ticket 14-2 553
Trouble Ticket 14-3 557
Troubleshooting EIGRP for IPv6 561
Troubleshooting EIGRP for IPv6 Neighbor Issues 561
Interface Is Down 561
Mismatched Autonomous System Numbers 562
Mismatched K Values 562
Passive Interfaces 562
Mismatched Authentication 562
Timers 563
Interface Not Participating in Routing Process 563
ACLs 564
Troubleshooting EIGRP for IPv6 Route 564
Interface Not Participating in Routing Process 564
Better Source of Information 565
Route Filtering 565
Stub Configuration 565
Split-horizon 566
EIGRP for IPv6 Trouble Tickets 567
Trouble Ticket 14-4 568
Troubleshooting Named EIGRP Configurations 572
Named EIGRP Verification Commands 573
Named EIGRP Trouble Tickets 577
Trouble Ticket 14-5 577
Exam Preparation Tasks 582
Review All Key Topics 582
Define Key Terms 583
Command Reference to Check Your Memory 583

Chapter 15 Troubleshooting OSPF 587
“Do I Know This Already?” Quiz 587
Foundation Topics 590
Troubleshooting OSPFv2 590
Troubleshooting OSPFv2 Neighbor Adjacencies 590
Interface Is Down 593
Interface Not Running the OSPF Process 593
Mismatched Timers 594
Mismatched Area Numbers 596
Mismatched Area Type 597
Different Subnets 598
Passive Interface 599
Mismatched Authentication Information 600
ACLs 601
MTU Mismatch 602
Duplicate Router IDs 603
Mismatched Network Types 604
Troubleshooting OSPFv2 Routes 606
Interface Not Running the OSPF Process 606
Better Source of Information 607
Route Filtering 611
Stub Area Configuration 613
Interface Is Shut Down 614
Wrong Designated Router Was Elected 615
Duplicate Router IDs 619
Troubleshooting Miscellaneous OSPFv2 Issues 620
Tracking OSPF Advertisements Through a Network 620
Route Summarization 622
Discontiguous Areas 624
Load Balancing 626
Default Route 627
OSPFv2 Trouble Tickets 627
Trouble Ticket 15-1 628
Trouble Ticket 15-2 635
Trouble Ticket 15-3 639
Troubleshooting OSPFv3 for IPv6 641
OSPFv3 Troubleshooting Commands 641

OSPFv3 Trouble Tickets 647
Trouble Ticket 15-4 647
Trouble Ticket 15-5 650
Troubleshoot OSPFv3 Address Families 655
OSPFv3 Address Family Troubleshooting 655
OSPFv3 AF Trouble Tickets 664
Trouble Ticket 15-6 665
Exam Preparation Tasks 669
Review All Key Topics 669
Define Key Terms 670
Complete Tables and Lists from Memory 670
Command Reference to Check Your Memory 671

Chapter 16 Troubleshooting Route Maps and Policy-Based Routing 675
“Do I Know This Already?” Quiz 675
Foundation Topics 678
Troubleshooting Route Maps 678
How to Read a Route Map 678
Troubleshooting Policy-Based Routing 681
PBR 681
Policy-Based Routing Trouble Tickets 684
Trouble Ticket 16-1 685
Trouble Ticket 16-2 689
Trouble Ticket 16-3 691
Exam Preparation Tasks 693
Review All Key Topics 693
Define Key Terms 693
Command Reference to Check Your Memory 693

Chapter 17 Troubleshooting Redistribution 697
“Do I Know This Already?” Quiz 697
Foundation Topics 700
Troubleshooting IPv4 and IPv6 Redistribution 700
Route Redistribution Overview 700
Troubleshooting Redistribution into RIP 703
Troubleshooting Redistribution into EIGRP 706
Troubleshooting Redistribution into OSPF 710
Troubleshooting Redistribution into BGP 715
Troubleshooting Redistribution with Route Maps 718

Redistribution Trouble Tickets 718
Trouble Ticket 17-1 719
Trouble Ticket 17-2 723
Trouble Ticket 17-3 727
Trouble Ticket 17-4 733
Troubleshooting Advanced Redistribution Issues 737
Troubleshooting Suboptimal Routing Caused by Redistribution 737
Troubleshooting Routing Loops Caused by Redistribution 739
Exam Preparation Tasks 745
Review All Key Topics 745
Define Key Terms 745
Command Reference to Check Your Memory 746

Chapter 18 Troubleshooting BGP 749
“Do I Know This Already?” Quiz 749
Foundation Topics 753
Troubleshooting BGP Neighbor Adjacencies 753
Interface Is Down 754
Layer 3 Connectivity Is Broken 754
Path to Neighbor Is via Default Route 755
Neighbor Does Not Have a Route to the Local Router 756
Incorrect neighbor Statement 757
BGP Packets Sourced from Wrong IP Address 758
ACLs 759
TTL of BGP Packet Expires 761
Mismatched Authentication 763
Misconfigured Peer Groups 764
Timers 765
Troubleshooting BGP Routes 766
Missing or Bad network mask Command 768
Next-Hop Router Not Reachable 770
BGP Split-Horizon Rule 772
Better Source of Information 773
Route Filtering 775
Troubleshooting BGP Path Selection 780
Understanding the Best Path Decision-Making Process 781
Private Autonomous System Numbers 784
Using debug Commands 784

Troubleshooting BGP for IPv6 786
BGP Trouble Tickets 790
Trouble Ticket 18-1 791
Trouble Ticket 18-2 796
Trouble Ticket 18-3 802
MP-BGP Trouble Tickets 807
Trouble Ticket 18-4 807
Exam Preparation Tasks 810
Review All Key Topics 810
Define Key Terms 811
Command Reference to Check Your Memory 811

Part IV Troubleshooting Management

Chapter 19 Troubleshooting Management Protocols and Tools 815
“Do I Know This Already?” Quiz 815
Foundation Topics 818
Management Protocols Troubleshooting 818
NTP Troubleshooting 818
Syslog Troubleshooting 821
SNMP Troubleshooting 823
Management Tools Troubleshooting 826
Cisco IOS IPSLA Troubleshooting 827
Object Tracking Troubleshooting 833
SPAN and RSPAN Troubleshooting 835
Management Protocols and Tools Trouble Tickets 837
Trouble Ticket 19-1 838
Exam Preparation Tasks 845
Review All Key Topics 845
Define Key Terms 846
Command Reference to Check Your Memory 846

Chapter 20 Troubleshooting Management Access 851
“Do I Know This Already?” Quiz 851
Foundation Topics 854
Console and vty Access Troubleshooting 854
Console Access Troubleshooting 854

vty Access Troubleshooting 855
Telnet 855
SSH 857
Password Encryption Levels 858
Cisco IOS AAA Troubleshooting 858
Management Access Trouble Tickets 861
Trouble Ticket 20-1 862
Trouble Ticket 20-2 863
Trouble Ticket 20-3 865
Exam Preparation Tasks 868
Review All Key Topics 868
Define Key Terms 868
Command Reference to Check Your Memory 868

Part V Final Preparation

Chapter 21 Additional Trouble Tickets 871
Introduction 871
Trouble Ticket 1 872
Suggested Solution 875
Trouble Ticket 2 876
Suggested Solution 879
Trouble Ticket 3 880
Suggested Solution 882
Trouble Ticket 4 884
Issue 1: Suggested Solution 891
Issue 2: Suggested Solution 897
Issue 3: Suggested Solution 897
Issue 4: Suggested Solution 898
Trouble Ticket 5 901
Suggested Solution 907
Trouble Ticket 6 910
Suggested Solution 916
Trouble Ticket 7 918
Issue 1: Forgotten Enable Secret Password 919
Issue 1: Suggested Solution 919

    Issue 2: An exec-timeout Parameter Set Too Low  921
    Issue 2: Suggested Solution  921
    Issue 3: ACL Misconfiguration  922
    Issue 3: Suggested Solution  922
  Trouble Ticket 8  923
    Suggested Solution  926
  Trouble Ticket 9  926
    Issue 1: Adjacency Between Routers R1 and R2  927
    Issue 1: Suggested Solution  930
    Issue 2: Adjacency Between Routers R2 and BB2  930
    Issue 2: Suggested Solution  931
    Issue 3: Adjacency Between Routers BB1 and BB2  931
    Issue 3: Suggested Solution  933
  Trouble Ticket 10  934
    Issue 1: Router R2 Not Load Balancing Between Routers BB1 and BB2  937
    Issue 1: Suggested Solution  937
    Issue 2: Backbone Routes Not Being Suppressed  938
    Issue 2: Suggested Solution  939

Chapter 22 Final Preparation  943
  Tools for Final Preparation  943
    Exam Engine and Questions on the CD  943
    Install the Exam Engine  944
    Activate and Download the Practice Exam  944
    Activating Other Exams  945
    Premium Edition  945
    The Cisco Learning Network  945
    Memory Tables  945
    Chapter-Ending Review Tools  946
  Suggested Plan for Final Review/Study  946
    Step 1: Review Key Topics and DIKTA Questions  947
    Step 3: Hands-On Practice  947
    Step 5: Subnetting Practice  948
    Step 6: Use the Exam Engine  948
  Summary  949

Part VI Appendixes

Appendix A Answers to the “Do I Know This Already” Quizzes  951
Appendix B TSHOOT Exam Updates  957
Index  960

CD-Only Appendixes and Glossary

Appendix C Memory Tables
Appendix D Memory Tables Answer Key
Appendix E Study Planner
Glossary

Icons Used in This Book

(The icon legend is a figure; only the icon names survive extraction.) Workgroup Switch, Router, Multilayer Switch, File/Application Server, PC, Laptop, Web Server, IP Phone, Phone, Cisco Unified Communications Manager Server, Network Cloud, Serial Line, Ethernet Line.

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

■ Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
■ Italics indicate arguments for which you supply actual values.
■ Vertical bars (|) separate alternative, mutually exclusive elements.
■ Square brackets [ ] indicate optional elements.
■ Braces { } indicate a required choice.
■ Braces within brackets [{ }] indicate a required choice within an optional element.

Introduction

Professional certifications have been an important part of the computing industry for many years and will continue to become more important. Many reasons exist for these certifications, but the most popularly cited reason is that of credibility. All other considerations held equal, the certified employee/consultant/job candidate is considered more valuable than one who is not.

Goals and Methods

The most important and somewhat obvious goal of this book is to help you pass the 300-135 Troubleshooting and Maintaining Cisco IP Networks (TSHOOT) exam. In fact, if the primary objective of this book were different, the book’s title would be misleading; however, the methods used in this book to help you pass the TSHOOT exam are designed to also make you much more knowledgeable about how to do your job. Although this book and the accompanying CD-ROM have many exam preparation tasks and example test questions, the method in which they are used is not to simply make you memorize as many questions and answers as you possibly can.

The methodology of this book helps you discover the exam topics about which you need more review, fully understand and remember exam topic details, and prove to yourself that you have retained your knowledge of those topics. So, this book helps you pass not by memorization, but by helping you truly learn and understand the topics. The TSHOOT exam is typically your final journey in pursuit of the CCNP Routing and Switching certification, and the knowledge contained within is vitally important to consider yourself a truly skilled routing and switching expert or specialist. This book would do you a disservice if it did not attempt to help you learn the material. To that end, the book can help you pass the TSHOOT exam by using the following methods:

■ Covering the exam topics and helping you discover which exam topics you have not mastered
■ Providing explanations and information to fill in your knowledge gaps
■ Supplying multiple troubleshooting case studies with diagrams and diagnostic output that enhance your ability to resolve trouble tickets presented in the exam environment, in addition to real-world troubleshooting issues you might encounter
■ Providing practice exercises on exam topics, presented in each chapter and on the enclosed CD-ROM

Who Should Read This Book?

This book is not designed to be a general networking topics book, although it can be used for that purpose. This book is intended to tremendously increase your chances of passing the Cisco TSHOOT exam. Although other objectives can be achieved from using this book, the book is written with one goal in mind: to help you pass the exam. If you want to pass the exam, this book is for you.

Strategies for Exam Preparation

The strategy you use to prepare for the TSHOOT exam might differ slightly from strategies used by other readers, mainly based on the skills, knowledge, and experience you have already obtained. For example, if you have attended a TSHOOT course, you might take a different approach than someone who learned troubleshooting through on-the-job training. Regardless of the strategy you use or the background you have, this book is designed to help you gain the knowledge you need about the issues that can arise with different routing and switching technologies and get you to the point where you can apply that knowledge and pass the exam.

Cisco Certifications and Exams

Cisco offers four levels of routing and switching certification, each with an increasing level of proficiency: Entry, Associate, Professional, and Expert. These are commonly known by their acronyms CCENT (Cisco Certified Entry Networking Technician), CCNA (Cisco Certified Network Associate) Routing and Switching, CCNP (Cisco Certified Network Professional) Routing and Switching, and CCIE (Cisco Certified Internetworking Expert) Routing and Switching.

For the CCNP Routing and Switching certification, you must pass exams on a series of CCNP topics, including the SWITCH, ROUTE, and TSHOOT exams. For most exams, Cisco does not publish the scores needed for passing. You need to take the exam to find that out for yourself.

To see the most current requirements for the CCNP Routing and Switching certification, go to Cisco.com and click Training and Events. There you can find out other exam details such as exam topics and how to register for an exam.

How This Book Is Organized

Although this book can be read cover to cover, it is designed to be flexible and enable you to easily move between chapters to cover only the material that you need more work with. Each core chapter covers a subset of the topics on the CCNP TSHOOT exam. The chapters can be covered in any order, although some chapters are related and build upon each other. If you do intend to read them all, the order in the book is an excellent sequence to use. The chapters are organized into parts, covering the following topics:

■ Chapter 1, “Introduction to Troubleshooting and Network Maintenance:” This chapter discusses the importance of having a structured troubleshooting approach and a solid network maintenance plan. It identifies many popular models, structures, and tasks that should be considered by all organizations. However, as you will see, there is no “one-stop shop for all your needs” when it comes to troubleshooting and network maintenance. It is more of an art that you will master over time.

■ Chapter 2, “Troubleshooting and Maintenance Tools:” This chapter introduces you to a sampling of Cisco IOS tools and features designed for network maintenance and troubleshooting. The tools include ping, traceroute, Telnet, SNMP, NetFlow, SPAN, RSPAN, and CDP.
■ Chapter 3, “Troubleshooting Device Performance:” This chapter discusses common reasons for high CPU and memory utilization on routers and switches in addition to how you can recognize them. You will examine interface statistics, as they can be an initial indication of some type of issue. You will also review the different types of packet switching modes on routers and multilayer switches.
■ Chapter 4, “Troubleshooting Layer 2 Trunks, VTP, and VLANs:” This chapter begins by reviewing Layer 2 switch operations and builds from there with discussions on how to troubleshoot issues relating to trunks, VTP, and VLANs. You will also discover how important the information in the MAC address table can be while troubleshooting.
■ Chapter 5, “Troubleshooting Switch Security Features:” This chapter is dedicated to troubleshooting issues related to security features that can be implemented on switches. This includes port security, DHCP snooping, dynamic ARP inspection, IP Source Guard, protected ports, PVLANs, and VACLs. Most of the issues you will experience with these features are configuration based. Therefore, you will focus on the configuration requirements for troubleshooting purposes.
■ Chapter 6, “Troubleshooting STP and Layer 2 EtherChannel:” This chapter reviews the operation of STP and focuses on troubleshooting STP topology issues such as root bridge selection, root port selection, designated port selection, and finally, the blocked port. You will also examine how to troubleshoot STP features such as PortFast, BPDU Guard, BPDU Filter, Root Guard, Loop Guard, and UDLD. In addition, this chapter reviews how you can combine multiple physical Layer 2 switchports into a logical EtherChannel bundle and how you can troubleshoot issues related to them.
■ Chapter 7, “Troubleshooting Inter-VLAN Routing and Layer 3 EtherChannels:” This chapter focuses on how you can troubleshoot issues related to different inter-VLAN routing implementations (router-on-a-trunk/stick and SVIs), issues related to routed ports, and issues related to Layer 3 EtherChannels.
■ Chapter 8, “Troubleshooting First-Hop Redundancy Protocols:” This chapter discusses the issues that might arise when implementing FHRPs such as HSRP, VRRP, and GLBP. It identifies various elements that could cause these FHRPs not to function as expected and that should be considered while you are troubleshooting. It also provides a collection of commands you can use to successfully troubleshoot issues related to each FHRP.
■ Chapter 9, “Troubleshooting IPv4 Addressing and Addressing Technologies:” This chapter begins by reviewing IPv4 addressing and how you can identify if addressing is the issue. This is extremely important as you do not want to waste your time troubleshooting a service or feature when the issue is related to the device having an inappropriate IPv4 address, subnet mask, or default gateway. The chapter then covers issues and troubleshooting tasks related to DHCPv4 and NAT.

■ Chapter 10, “Troubleshooting IPv6 Addressing and Addressing Technologies:” This chapter covers how an IPv6-enabled device determines whether the destination is local or remote, and you will explore the various options for address assignment such as SLAAC and DHCPv6. You will also learn how MAC addresses are determined for known IPv6 addresses, and what to look for while troubleshooting IPv6-related issues.
■ Chapter 11, “Troubleshooting IPv4 and IPv6 ACLs and Prefix Lists:” This chapter covers the ins and outs of ACLs and prefix lists. You will learn the way they are processed, how they are read, and how you can identify issues related to them. In addition, this chapter explains how you can use ACLs for traffic filtering and how a prefix list can be used for route filtering.
■ Chapter 12, “Troubleshooting Basic IPv4/IPv6 Routing and GRE Tunnels:” This chapter covers the packet-delivery process and the various commands that enable you to troubleshoot issues related to the process. You will learn how a router chooses which sources of routing information are more believable so that only the best routes are in the routing table. You will also learn how to recognize and troubleshoot issues related to static routing and GRE tunnels.
■ Chapter 13, “Troubleshooting RIPv2 and RIPng:” This chapter focuses on the issues that you may have to troubleshoot in a RIPv2 and RIPng domain. This includes how you would recognize the issues based on the presented symptoms and the commands you would use to successfully verify the reason why the issue exists.
■ Chapter 14, “Troubleshooting EIGRP:” This chapter covers troubleshooting of both EIGRP for IPv4 and EIGRP for IPv6. It breaks out the troubleshooting discussions into two different parts: troubleshooting neighbor adjacencies and troubleshooting missing routes. It also covers the troubleshooting of various issues that are not directly related to neighborships or routes that might arise with EIGRP. To wrap up the chapter, named EIGRP troubleshooting is covered.
■ Chapter 15, “Troubleshooting OSPF:” This chapter covers troubleshooting of both OSPFv2 and OSPFv3. It breaks out the troubleshooting discussions into two different parts: troubleshooting neighbor adjacencies and troubleshooting missing routes. It also covers the troubleshooting of various issues that are not directly related to neighborships or routes that might arise with OSPF. To wrap up the chapter, OSPFv3 address family troubleshooting is covered.
■ Chapter 16, “Troubleshooting Route Maps and Policy-Based Routing:” This chapter begins by examining route maps. It gives you the opportunity to review how route maps are read and the commands that you can use to verify a route map’s configuration. The rest of the chapter is dedicated to PBR, which allows you to override the router’s default routing behavior. Therefore, you will discover what could cause PBR not to behave as expected and how you can troubleshoot it.

■ Chapter 17, “Troubleshooting Redistribution:” This chapter explores the differences of redistributing into EIGRP, OSPF, RIP, and BGP for both IPv4 and IPv6. You will learn what to look out for while troubleshooting so that you can quickly solve any issues related to redistribution. In addition, you will examine what could occur in environments that have multiple points of redistribution and how you can identify the issues and solve them.
■ Chapter 18, “Troubleshooting BGP:” This chapter examines the various issues that you may face when trying to establish an IPv4 and IPv6 eBGP and iBGP neighbor adjacency and how you can identify them and troubleshoot them. You will also examine the issues that may arise when exchanging IPv4 and IPv6 eBGP and iBGP routes and how you can recognize them and troubleshoot them successfully. You also need to be very familiar with the decision-making process that BGP uses to be an efficient troubleshooter. Therefore, you will spend time exploring this process in the chapter as well.
■ Chapter 19, “Troubleshooting Management Protocols and Tools:” This chapter covers the issues you might encounter with management protocols such as NTP, syslog, and SNMP, and how you can identify them. It also covers the issues that you might encounter with management tools, such as Cisco IOS IP SLA, Object Tracking, SPAN, and RSPAN.
■ Chapter 20, “Troubleshooting Management Access:” This chapter examines the different reasons why access to the console and vty lines might fail. In addition, you will explore the issues that may arise when using Cisco IOS AAA authentication.
■ Chapter 21, “Additional Trouble Tickets:” This chapter is dedicated to showing you an additional ten trouble tickets and the various approaches that you can take to solve the problems that are presented.
■ Chapter 22, “Final Preparation:” This chapter identifies tools for final exam preparation and helps you develop an effective study plan.
■ Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes:” This appendix has the answers to the “Do I Know This Already” quizzes, and Appendix B, “TSHOOT Exam Updates,” tells you how to find any updates should there be changes to the exam.

Each chapter in the book uses several features to help you make the best use of your time in that chapter. The features are as follows:

■ Assessment: Each chapter begins with a “Do I Know This Already?” quiz that helps you determine the amount of time you need to spend studying each topic of the chapter. Questions are all multiple-choice, to give a quick assessment of your knowledge. If you intend to read the entire chapter, you can save the quiz for later use.
■ Foundation Topics: This is the core section of each chapter that explains the protocols, concepts, configuration, and troubleshooting strategies for the topics in the chapter.

■ Exam Preparation Tasks: At the end of each chapter, this section collects key topics, references to memory table exercises to be completed as memorization practice, key terms to define, and a command reference that summarizes any relevant commands presented in the chapter.

Finally, the companion CD-ROM contains practice CCNP Routing and Switching TSHOOT questions to reinforce your understanding of the book’s concepts. Be aware that the TSHOOT exam will primarily be made up of trouble tickets you need to resolve. Mastery of the topics covered by the CD-based questions, however, will help equip you with the tools needed to effectively troubleshoot the trouble tickets presented on the exam. The CD also contains the Memory Table exercises and answer keys as well as over 60 minutes of video walking you through an exam strategy.

CCNP TSHOOT Exam Topics

Carefully consider the exam topics Cisco has posted on its website as you study, particularly for clues to how deeply you should know each topic. Also, you can develop a broader knowledge of the subject matter by reading and studying the topics presented in this book. Remember that it is in your best interest to become proficient in each of the CCNP Routing and Switching subjects. When it is time to use what you have learned, being well rounded counts more than being well tested.

Table I-1 shows the official exam topics for the TSHOOT exam, as posted on Cisco.com. Note that Cisco has occasionally changed exam topics without changing the exam number, so do not be alarmed if small changes in the exam topics occur over time. However, it is possible to receive questions on the exam that are not related to any of the exam topics listed. Cisco indicates this when you view the exam topics on their website. For example, there is no mention of Layer 2 security, inter-VLAN routing, or FHRPs in the exam objectives. Therefore, to ensure that you are well prepared for the exam, we have covered the exam topics as well as any additional topics that we considered to be necessary for your success. Also, we have included chapters dedicated to these to make sure that you are well prepared.

Table I-1 CCNP TSHOOT Exam Topics

Exam Topics                                                       Chapters Where Exam Topics Are Covered
1.0 Network Principles                                            Chapters 1 and 2
  Debug, conditional debug
  Ping and trace route with extended options
  Diagnose the root cause of networking issues (analyze symptoms, identify and describe root cause)
  Design and implement valid solutions
  Verify and monitor resolution

2.0 Layer 2 Technologies                                          Chapters 4, 19
  Troubleshoot switch administration
  Troubleshoot Layer 2 protocols
  Troubleshoot VLANs
  Troubleshoot trunking
  Troubleshoot EtherChannels
  Troubleshoot spanning tree
  Troubleshoot other LAN switching technologies
  Troubleshoot chassis virtualization and aggregation technologies
3.0 Layer 3 Technologies                                          Chapters 9, 10, 12–18
  Troubleshoot IPv4 addressing and subnetting
  Troubleshoot IPv6 addressing and subnetting
  Troubleshoot static routing
  Troubleshoot default routing
  Troubleshoot administrative distance
  Troubleshoot passive interfaces
  Troubleshoot VRF lite
  Troubleshoot filter with any protocol
  Troubleshoot between any routing protocols or routing sources
  Troubleshoot manual and autosummarization with any routing protocol
  Troubleshoot policy-based routing
  Troubleshoot suboptimal routing
  Troubleshoot loop prevention mechanisms
  Troubleshoot RIPv2
  Troubleshoot EIGRP neighbor relationship and authentication

  Troubleshoot loop free path selection
  Troubleshoot EIGRP operations
  Troubleshoot EIGRP stubs
  Troubleshoot EIGRP load balancing
  Troubleshoot EIGRP metrics
  Troubleshoot OSPF neighbor relationship and authentication
  Troubleshoot network types, area types, and router types
  Troubleshoot OSPF path preference
  Troubleshoot OSPF operations
  Troubleshoot OSPF for IPv6
  Troubleshoot BGP peer relationships and authentication
  Troubleshoot eBGP
4.0 VPN Technologies                                              Chapter 12
  Troubleshoot GRE
5.0 Infrastructure Security                                       Chapters 11 and 20
  Troubleshoot IOS AAA using local database
  Troubleshoot device access control
  Troubleshoot router security features
6.0 Infrastructure Services                                       Chapters 2, 9, 10, and 19
  Troubleshoot device management
  Troubleshoot SNMP
  Troubleshoot logging
  Troubleshoot Network Time Protocol (NTP)
  Troubleshoot IPv4 and IPv6 DHCP
  Troubleshoot IPv4 Network Address Translation (NAT)
  Troubleshoot SLA architecture
  Troubleshoot tracking objects

This chapter covers the following topics:

■ Introduction to Troubleshooting: This section introduces you to troubleshooting and then focuses on a structured troubleshooting approach. It also provides you with some common steps to help you be more efficient.
■ Popular Troubleshooting Methods: This section introduces you to various troubleshooting methods that can assist in narrowing your focus during your troubleshooting efforts.
■ Introduction to Network Maintenance: This section introduces you to maintenance tasks and identifies a few well-known network maintenance models that you can adopt.
■ Common Maintenance Procedures: This section reviews the common network maintenance tasks that all organizations should perform.
■ The Troubleshooting and Network Maintenance Relationship: This section identifies the importance of aligning maintenance tasks with troubleshooting goals.

CHAPTER 1

Introduction to Troubleshooting and Network Maintenance

Business operations, without a doubt, depend on the reliable operation of data networks (which might also carry voice and video traffic). This statement holds true regardless of the business size. A structured and systematic maintenance approach significantly contributes to the uptime for all networks. In addition, having a sound troubleshooting methodology in place helps ensure that when issues arise you are confident and ready to fix them.

Consider a vehicle as an example. Regular maintenance such as oil changes, joint lubrication, and fluid top-offs are performed on a vehicle to ensure that problems do not arise and the life of that vehicle is maximized. However, if an issue does arise, it is taken to a mechanic so that they may troubleshoot the issue using a structured troubleshooting process and ultimately fix the vehicle. Similarly, the number of issues in a network can be reduced by following a maintenance plan, and troubleshooting can be more effective with a structured approach in place.

This chapter discusses the importance of having a structured troubleshooting approach and a solid network maintenance plan. It identifies many popular models, structures, and tasks that should be considered by all organizations. However, as you will see, there is no “one-stop shop for all your needs” when it comes to troubleshooting and network maintenance. It is more of an art that you will master over time.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 1-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 1-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section                                   Questions
Introduction to Troubleshooting                             1–7
Popular Troubleshooting Methods                             8–9
Introduction to Network Maintenance                         10–12

Identifying Common Maintenance Procedures                   13–16
The Troubleshooting and Network Maintenance Relationship    17–20

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Identify the three steps in a simplified troubleshooting model.
a. Problem replication
b. Problem diagnosis
c. Problem resolution
d. Problem report

2. Which of the following is the best statement to include in a problem report?
a. The network is broken.
b. User A cannot reach the network.
c. User B recently changed his PC’s operating system to Microsoft Windows 7.
d. User C is unable to attach to an internal share resource of \\10.1.1.1\Budget, although he can print to all network printers, and he can reach the Internet.

3. What troubleshooting step should you perform after a problem has been reported and clearly defined?
a. Propose an hypothesis
b. Collect information
c. Eliminate potential causes
d. Examine collected information

4. What are the two primary goals of troubleshooters as they are collecting information?
a. Eliminate potential causes from consideration
b. Identify indicators pointing to the underlying cause of the problem
c. Propose an hypothesis about what is most likely causing the problem
d. Find evidence that can be used to eliminate potential causes

5. When performing the “eliminate potential causes” troubleshooting step, which caution should the troubleshooter be aware of?
a. The danger of drawing an invalid conclusion from the observed data
b. The danger of troubleshooting a network component over which the troubleshooter does not have authority
c. The danger of causing disruptions in workflow by implementing the proposed solution
d. The danger of creating a new problem by implementing the proposed solution

6. A troubleshooter is hypothesizing a cause for an urgent problem, and her hypothesis involves a network device that she is not authorized to configure. The person who is authorized to configure the network device is unavailable. What should the troubleshooter do?
a. Wait for authorized personnel to address the issue.
b. Attempt to find a temporary workaround for the issue.
c. Override corporate policy, based on the urgency, and configure the network device independently because authorized personnel are not currently available.
d. Instruct the user to report the problem to the proper department that is authorized to resolve the issue.

7. Experienced troubleshooters with in-depth comprehension of a particular network might skip the examine information and eliminate potential causes steps in a structured troubleshooting model, instead relying on their own insight to determine the most likely cause of a problem. This illustrates what approach to network troubleshooting?
a. Ad hoc
b. Shoot from the hip
c. Crystal ball
d. Independent path

8. Which of the following troubleshooting models requires access to a specific application?
a. Bottom-up
b. Divide-and-conquer
c. Comparing configurations
d. Top-down

9. Based on your analysis of a problem report and the data collected, you want to use a troubleshooting model that can quickly eliminate multiple layers of the OSI model as potential sources of the reported problem. Which of the following troubleshooting methods would be most appropriate?
a. Following the traffic path
b. Bottom-up
c. Divide-and-conquer
d. Component swapping

10. Which of the following are considered network maintenance tasks? (Choose the three best answers.)
a. Troubleshooting problem reports
b. Attending training on emerging network technologies
c. Planning for network expansion
d. Hardware installation

11. Network maintenance tasks can be categorized into one of which two categories?
a. Recovery tasks
b. Interrupt-driven tasks
c. Structured tasks
d. Installation tasks

12. Which letter in the FCAPS acronym represents the maintenance area responsible for billing end users?
a. F
b. C
c. A
d. P
e. S

13. The lists of tasks required to maintain a network can vary widely, depending on the goals and characteristics of that network. However, some network maintenance tasks are common to most networks. Which of the following would be considered a common task that should be present in any network maintenance model?
a. Performing database synchronization for a network’s Microsoft Active Directory
b. Making sure that digital certificates used for PKI are renewed in advance of their expiration
c. Using Cisco Prime to dynamically discover network device changes
d. Performing scheduled backups

14. Which of the following statements is true about scheduled maintenance?
a. Maintenance tasks should only be performed based on a scheduled maintenance schedule, to reduce unexpected workflow interruptions.
b. Scheduled maintenance is more of a reactive approach to network maintenance, as opposed to a proactive approach.
c. Scheduled maintenance is not recommended for larger networks, because of the diversity of maintenance needs.
d. Scheduled maintenance helps ensure that important maintenance tasks are not overlooked.

15. Which of the following questions are appropriate when defining your change management policies?
a. What version of operating system is currently running on the device to be upgraded?
b. What is the return on investment (ROI) of an upgrade?
c. What measurable criteria determine the success or failure of a network change?
d. Who is responsible for authorizing various types of network changes?

16. Which three of the following components would you expect to find in a set of network documentation?
a. Logical topology diagram
b. Listing of interconnections
c. Copy of IOS image
d. IP address assignments

17. What is the ideal relationship between network maintenance and troubleshooting?
a. Networking maintenance and troubleshooting efforts should be isolated from one another.
b. Networking maintenance and troubleshooting efforts should complement one another.
c. Networking maintenance is a subset of network troubleshooting.
d. Networking maintenance and troubleshooting efforts should be conducted by different personnel.

18. Which three of the following suggestions can best help troubleshooters keep in mind the need to document their steps?
a. Require documentation
b. Keep documentation in a hidden folder
c. Schedule documentation checks
d. Automate documentation

19. Which three troubleshooting phases require clear communication with end users?
a. Problem report
b. Information collection
c. Hypothesis verification
d. Problem resolution

20. What are two elements of a change management system?
a. Determine when changes can be made
b. Determine potential causes for the problem requiring the change
c. Determine who can authorize a change
d. Determine what change should be made

Foundation Topics

Introduction to Troubleshooting

Troubleshooting is a skill, and like all skills, you will get better at it the more you have to perform it. The more troubleshooting situations you are placed in, the more your skills will improve, and as a result of this, the more your confidence will grow. However, don't start wishing for issues to happen in your organization just so that you can get more experience. Although there is no right or wrong way to troubleshoot, there is definitely a more efficient and effective way to troubleshoot that all experienced troubleshooters follow.

This section begins by introducing you to troubleshooting. It then focuses on a structured troubleshooting approach that provides you with some common methods to enhance your efficiency.

Defining Troubleshooting

Troubleshooting at its essence is the process of responding to a problem report (sometimes in the form of a trouble ticket), diagnosing the underlying cause of the problem, and resolving the problem. Although you normally think of the troubleshooting process as beginning when a user reports an issue, you need to understand that through effective network monitoring you may detect a situation that could become a troubleshooting issue and resolve that situation before it impacts users.

After an issue is reported, the first step toward resolution is clearly defining the issue. When you have a clearly defined troubleshooting target, you can begin gathering further information related to it. From this information, you should be able to better define the issue. Then, based on your diagnosis, you can propose an hypothesis about what is most likely causing the issue. The evaluation of these likely causes then leads to the identification of the suspected underlying root cause of the issue.

After you identify a suspected underlying cause, you next define approaches to resolving the issue and select what you consider to be the best approach. Sometimes the best approach to resolving an issue cannot be implemented immediately. For example, a piece of equipment might need replacing, or a business's workflow might be disrupted by implementing such an approach during working hours. In such situations, a troubleshooter might use a temporary fix until a permanent fix can be put in place.

Let's look at an example. It is 3:00 p.m. at a luxury hotel in Las Vegas. On this day, the network is being flooded with traffic, preventing registrations and keycards from being completed because the server is not accessible. Thus, the hotel cannot register guests or create the keycards needed for guest rooms. After following the documented troubleshooting procedures, the network team discovers that Spanning Tree Protocol (STP) has failed on a Cisco Catalyst switch, resulting in a Layer 2 topological loop. The network team now has to decide on the best course of action at this point. The permanent fix of replacing the failed equipment immediately would disrupt the network further and take a considerable amount of time, thus delaying the guest registrations further. A temporary

fix would be to disconnect the redundant links involved in the loop so that the Layer 2 loop is broken and guests can be registered at that point. When the impact on guests and guest services is minimal, the network team can implement the permanent fix.

Consider Figure 1-1, which depicts a simplified model of the troubleshooting steps previously described.

[Figure 1-1 Simplified Troubleshooting Flow: Problem Report -> Problem Diagnosis -> Problem Resolution]

This simplified model consists of three steps:

Step 1. Problem report
Step 2. Problem diagnosis
Step 3. Problem resolution

Of these three steps, most of a troubleshooter's efforts are spent in the problem diagnosis step, which is broken up into multiple subcomponents. Table 1-2 describes key components of this problem diagnosis step.

Table 1-2 Steps to Diagnose a Problem

Collect information: Because a typical problem report lacks sufficient information to give a troubleshooter insight into a problem's underlying cause, the troubleshooter should collect additional information, perhaps using network maintenance tools or by interviewing impacted users.

Examine collected information: After collecting sufficient information about a problem, the troubleshooter then examines that information, perhaps comparing the information against previously collected baseline information.

Eliminate potential causes: Based on the troubleshooter's knowledge of the network and his interrogation of collected information, he can begin to eliminate potential causes for the problem.

Propose an hypothesis: After the troubleshooter eliminates multiple potential causes for the problem, he is left with one or more causes that are more likely to have resulted in the problem. The troubleshooter hypothesizes what he considers to be the most likely cause of the problem.

Verify hypothesis: The troubleshooter then tests his hypothesis to confirm or refute his theory about the problem's underlying cause.

For example, your child reports that the toaster won't work. That is the problem report step. You have it clarified further, and your child indicates that the toaster does not get hot. So, you decide to take a look at the toaster and diagnose it. This is the problem diagnosis step.

After collecting, examining, and eliminating, you hypothesize that the power cable for the toaster is not plugged in. You test your hypothesis, and it is correct. Problem solved. This was a simple example, but even with a toaster, you spent the majority of your time diagnosing the problem. All of your effort focused on the problem diagnosis step. Once you determined that there was no electricity to the toaster, you had to figure out whether it was plugged in. If it was plugged in, you then had to consider whether the wall outlet was damaged, or the circuit breaker was off, or the toaster was too old and it broke.

By combining the three main steps with the five substeps, you get the following structured troubleshooting procedure:

Step 1. Problem report
Step 2. Collect information
Step 3. Examine collected information
Step 4. Eliminate potential causes
Step 5. Propose an hypothesis
Step 6. Verify hypothesis
Step 7. Problem resolution

The Value of Structured Troubleshooting

Troubleshooting skills vary from administrator to administrator. Therefore, as a troubleshooter, your primary goal is to be efficient. Being fast comes with experience, but it is not worth much if you are not efficient. To be efficient, you need to follow a structured troubleshooting method. A structured troubleshooting method might look like the approach depicted in Figure 1-2.

If you do not follow a structured approach, you might find yourself moving around troubleshooting tasks in a fairly random way based on instinct, hoping it works. Although in one instance you might be fast at solving the issue, in the next instance you end up taking an unacceptable amount of time. Eventually, you find yourself repeating solutions you have already tried. In addition, it can become confusing to remember what you have tried and what you have not. Also, if another administrator comes to assist you, communicating to that administrator the steps you have already gone through becomes a challenge. However, following a structured troubleshooting approach helps you reduce the possibility of trying the same resolution more than once and inadvertently skipping a task. It also aids in communicating to someone else possibilities that you have already eliminated.

Also, your skills as a troubleshooter will get better with experience. With experience, you will start to see similar issues, and as mentioned earlier, you should have exceptional documentation on past network issues and the steps used to solve them. In such instances, spending time methodically examining information and eliminating potential causes might actually be less efficient than immediately hypothesizing a cause after you collect information about the problem and review past documents. This method, illustrated in Figure 1-3, is often called the shoot from the hip method.

[Figure 1-2 Example of a Structured Troubleshooting Approach: (1) Problem Report -> (2) Collect Information -> (3) Examine Information -> (4) Eliminate Potential Causes -> (5) Propose an Hypothesis -> (6) Verify Hypothesis -> Problem Solved? (No / Yes) -> (7) Problem Resolution]

[Figure 1-3 Example of a Shoot from the Hip Troubleshooting Approach: the same seven steps, (1) Problem Report through (7) Problem Resolution, with the Problem Solved? (No / Yes) decision after (6) Verify Hypothesis]

The danger with the shoot from the hip method is that if your instincts are incorrect, and the problem is not solved, you waste valuable time. Therefore, you need to be able to revert back to the structured troubleshooting approach as needed and examine all collected information. However, having a structured troubleshooting approach helps ensure that the organization's troubleshooting efforts are following a similar flow each time an issue arises no matter who is assigned the task. This will allow one troubleshooter to more efficiently take over for or assist another troubleshooter if required.

A Structured Approach

No single collection of troubleshooting procedures is capable of addressing all conceivable network issues because there are too many variables (for example, user actions). This section examines each step in a structured approach in more detail, as shown in Figure 1-4.

[Figure 1-4 A Structured Troubleshooting Approach: (1) Problem Report, (2) Collect Information, (3) Examine Information, (4) Eliminate Potential Causes, (5) Propose an Hypothesis, (6) Verify Hypothesis, Problem Solved? (No / Yes), (7) Problem Resolution]

1. Problem Report

A problem report from a user often lacks sufficient detail for you to take that problem report and move on to the next troubleshooting process (that is, collect information). For example, a user might report, "The network is broken." If you receive such a vague report, you probably need to contact the user and ask him exactly what aspect of the network is not functioning correctly.

After your interview with the user, you should be able to construct a more detailed problem report that includes statements such as, "When the user attempts to connect to a website on the Internet, her browser reports a 404 error. However, the user can successfully navigate to websites on her company's intranet." Or, "When the user attempts to connect to an FTP site using a web browser, the web browser reports the page can't be displayed."

After you have a clear understanding of the issue, you might need to decide whether this issue is one you are authorized to address or if you need to forward the issue to someone else who is authorized. For example, perhaps your organization has one IT group tasked with managing switches and another IT group charged with managing routers. In addition, you might need to determine who is responsible for working on the hardware or software associated with that issue. If you are not sure at this point, start collecting information so that the picture can become clearer. Therefore, as the initial point of contact, be mindful that you might have to pass this information on to another member of your IT group at some point, so accurate documentation is important.

2. Collect Information

When you are in possession of a clear problem report, the next step is gathering relevant information pertaining to the problem, as shown in Figure 1-5.

[Figure 1-5 A Structured Troubleshooting Approach (Collect Information): (1) Problem Report -> (2) Collect Information]

Efficiently and effectively gathering information involves focusing information gathering efforts on appropriate network entities (for example, routers, switches, servers, or clients) from which information should be collected. Otherwise, the troubleshooter could waste time wading through reams of irrelevant data. With our FTP site problem report, for example, the FTP resources are accessible through an FTP client. Troubleshooters not aware of that might spend hours collecting irrelevant data with debug, show, ping, and traceroute commands, when all they had to do was point the user to the FTP client installed on the client's computer. Therefore, to be efficient and effective, the troubleshooter needs to understand what is required to access the resources the end user is unable to access.

In addition, perhaps a troubleshooter is using a troubleshooting model that follows the path of the affected traffic (as discussed in the "Popular Troubleshooting Methods" section of this chapter), and information needs to be collected from a network device over which the troubleshooter has no access. At that point, the troubleshooter might need to work with appropriate personnel who have access to that device. Alternatively, the troubleshooter might switch troubleshooting models. For example, instead of following the traffic's path, the troubleshooter might swap components or use a bottom-up troubleshooting model.

3. Examine Collected Information

After collecting information about the problem report (for example, collecting output from show or debug commands, performing packet captures, using ping, or traceroute), the next structured troubleshooting step is to analyze the collected information, as shown in Figure 1-6.

[Figure 1-6 A Structured Troubleshooting Approach (Examine Information): (1) Problem Report -> (2) Collect Information -> (3) Examine Information]

A troubleshooter has two primary goals while examining the collected information:

■ Identify indicators pointing to the underlying cause of the problem
■ Find evidence that can be used to eliminate potential causes

To achieve these two goals, the troubleshooter attempts to find a balance between two questions:

■ What is occurring on the network?
■ What should be occurring on the network?

The delta between the responses to these questions might give the troubleshooter insight into the underlying cause of a reported problem. If the troubleshooter is experienced with the applications and protocols being examined, the troubleshooter might be able to determine what is occurring on the network and how that differs from what should be occurring. A challenge, however, is for the troubleshooter to know what currently should be occurring on the network.

Documentation plays an extremely important role at this point. Accurate and up-to-date documentation can assist a troubleshooter in examining the collected data to determine whether anything has changed in relation to the setup or configuration, thus providing a clue as to the underlying cause of the problem under investigation. However, if the troubleshooter lacks knowledge of specific protocol behavior, she still might be able to effectively examine the collected information by contrasting that information with baseline data or documentation. This implies that as part of a routine network maintenance plan, baseline data should periodically be collected when the network is functioning properly. Baseline data might contain, for example, the output of show and debug commands issued on routers when the network was functioning properly. By contrasting this baseline data with data collected after a problem occurred, even an inexperienced troubleshooter might be able to see the difference between the data sets. Going back to

the FTP example, if the troubleshooter was not aware that an FTP client was required, a quick review of the documentation related to FTP connectivity would indicate so. This would allow the troubleshooter to move on to the next step.

4. Eliminate Potential Causes

Following an examination of collected data, a troubleshooter can start to form conclusions based on that data. Some conclusions might suggest a potential cause for the problem, whereas other conclusions eliminate certain causes from consideration (see Figure 1-7).

[Figure 1-7 A Structured Troubleshooting Approach (Eliminate Potential Causes): (1) Problem Report -> (2) Collect Information -> (3) Examine Information -> (4) Eliminate Potential Causes]

It is imperative that you not jump to conclusions at this point. Jumping to conclusions can make you less efficient as a troubleshooter as you start formulating hypotheses based on a small fraction of collected data, which leads to more work and slower overall response times to problems. As an example, a troubleshooter might jump to a conclusion based on the following scenario, which results in wasted time:

A problem report indicates that PC A cannot communicate with server A, as shown in Figure 1-8. The troubleshooter is using a troubleshooting method that follows the path of traffic through the network. The troubleshooter examines output from the show cdp neighbor command on routers R1 and R2. Because those routers do not recognize each other as Cisco Discovery Protocol (CDP) neighbors, the troubleshooter leaps to the conclusion that Layer 2 and Layer 1 connectivity is down between R1 and R2. The troubleshooter then runs to the physical routers to verify physical connectivity, only to see that all is fine. Reviewing further output and documentation indicates that CDP is disabled on R1 and R2 interfaces for security reasons. Therefore, the output of show cdp neighbors alone is insufficient to conclude that Layer 2 and 1 connectivity was the problem.

[Figure 1-8 Scenario Topology: PC A - Switch SW1 - Router R1 - Router R2 - Switch SW2 - Server A; R1 and R2 are in OSPF Area 0, with CDP on the R1-R2 link]

On another note, a caution to be observed when drawing conclusions is not to read more into the data than what is actually there. As an example, a troubleshooter might reach a faulty conclusion based on the following scenario:

A problem report indicates that PC A cannot communicate with server A, as shown in Figure 1-8. The troubleshooter is using a troubleshooting method that follows the path of traffic through the network. The troubleshooter examines output from the show cdp neighbor command on routers R1 and R2. Because those routers recognize each other as Cisco Discovery Protocol (CDP) neighbors, the troubleshooter leaps to the conclusion that these two routers see each other as Open Shortest Path First (OSPF) neighbors and have mutually formed OSPF adjacencies. However, the show cdp neighbor output is insufficient to conclude that OSPF adjacencies have been formed between routers R1 and R2.

As shown by the previous examples, continuing your troubleshooting efforts based on a faulty conclusion can dramatically increase the time required to resolve a problem. In addition, if time permits, explaining the rationale for your conclusions to a coworker can often help reveal faulty conclusions.

5. Propose an Hypothesis

By eliminating potential causes of a reported problem, as described in the previous process, troubleshooters should be left with one or a few potential causes that they can focus on. At this point, troubleshooters should rank the potential causes from most likely to least likely. Troubleshooters should then focus on the cause they believe is most likely to be the underlying one for the reported problem and propose an hypothesis, as shown in Figure 1-9.

[Figure 1-9 A Structured Troubleshooting Approach (Propose an Hypothesis): (1) Problem Report -> (2) Collect Information -> (3) Examine Information -> (4) Eliminate Potential Causes -> (5) Propose an Hypothesis]

After proposing an hypothesis, troubleshooters might realize that they are not authorized to access a network device that needs to be accessed to resolve the problem report. In such a situation, a troubleshooter needs to assess whether the problem can wait until authorized personnel have an opportunity to resolve the issue. If the problem is urgent and no authorized administrator is currently available, the troubleshooter might attempt

to at least alleviate the symptoms of the problem by creating a temporary workaround. Although this approach does not solve the underlying cause, it might help business operations continue until the main cause of the problem can be appropriately addressed. Therefore, if troubleshooters decide to implement a workaround, they need to come up with a plan and implement it while noting that a permanent solution is still needed.

6. Verify Hypothesis

After troubleshooters propose what they believe to be the most likely cause of a problem, as shown in Figure 1-10, they need to develop a plan to address the suspected cause and implement it. However, implementing a plan that resolves a network issue often causes temporary network outages for other users or services. Therefore, the troubleshooter must balance the urgency of the problem with the potential overall loss of productivity, which ultimately affects the financial bottom line. If the impact on workflow outweighs the urgency of the problem, the troubleshooter might wait until after business hours to execute the plan. There should be a change management procedure in place that helps the troubleshooter determine the most appropriate time to make changes to the production network and the steps required to do so.

A key (and you should make it mandatory) component in implementing a problem solution is to have the steps documented. Not only does a documented list of steps help ensure the troubleshooter does not skip any, but such a document can serve as a rollback plan if the implemented solution fails to resolve the problem. Alternatively, if the problem is not resolved after the troubleshooter implements the plan, or if the execution of the plan resulted in one or more additional problems, the troubleshooter should execute the rollback plan. After the network is returned to its previous state (that is, the state prior to deploying the proposed solution), the troubleshooter can then reevaluate her hypothesis. Although the troubleshooter might have successfully identified the underlying cause, perhaps the solution failed to resolve that cause. At that point, the troubleshooter could create a different plan to address that cause. Alternatively, if the troubleshooter had identified other causes and ranked them during the propose an hypothesis step, she can focus her attention on the next most likely cause and create an action plan to resolve that cause and implement it. This process can be repeated until the troubleshooter has exhausted the list of potential causes or is unable to collect information that can point to other causes. In that case, a troubleshooter might need to gather additional information or enlist the aid of a coworker or the Cisco Technical Assistance Center (TAC).

[Figure 1-10 A Structured Troubleshooting Approach (Verify Hypothesis): (1) Problem Report -> (2) Collect Information -> (3) Examine Information -> (4) Eliminate Potential Causes -> (5) Propose an Hypothesis -> (6) Verify Hypothesis -> Problem Solved? (No / Yes)]

7. Problem Resolution

This is the final step of the structured approach, as shown in Figure 1-11. Although this is one of the most important steps, it is often forgotten or overlooked. After the reported problem is resolved, the troubleshooter should report the problem resolution to the appropriate party or parties. Beyond simply notifying a user that a problem has been resolved, the troubleshooter should get user confirmation that the observed symptoms are now gone. This task confirms that the troubleshooter resolved the specific issue reported in the problem report, rather than a tangential issue.

As a final task, the troubleshooter should make sure that the solution becomes a documented part of the network. This implies that routine network maintenance will maintain the implemented solution. For example, if the solution involves reconfiguring a Cisco IOS router, a backup of that new configuration should be made part of routine network maintenance practices.

[Figure 1-11 A Structured Troubleshooting Approach (Problem Resolution): (1) Problem Report -> (2) Collect Information -> (3) Examine Information -> (4) Eliminate Potential Causes -> (5) Propose an Hypothesis -> (6) Verify Hypothesis -> Problem Solved? (No / Yes) -> (7) Problem Resolution]

Popular Troubleshooting Methods

As shown in the structured approach, the elimination of potential causes is a key step. You can use several common troubleshooting methods to narrow the field of potential causes:

■ The top-down method
■ The bottom-up method
■ The divide-and-conquer method
■ Following the traffic path
■ Comparing configurations
■ Component swapping

This section defines each of these methods in greater detail. However, keep in mind that there is no single best method. Depending on your situation and the issue you are troubleshooting, you may use one or multiple methods.

The Top-Down Method

The top-down troubleshooting method begins at the top layer of the Open Systems Interconnection (OSI) seven-layer model, as shown in Figure 1-12. The top layer is numbered Layer 7 and is named the application layer. The top-down method first checks the application residing at the application layer and moves down from there. The theory is, when the troubleshooter encounters a layer that is functioning, the assumption can be made that all lower layers are also functioning. For example, if you can ping a remote IP address, you can assume that Layers 1–3 are functioning properly, because ping uses Internet Control Message Protocol (ICMP), which is a Layer 3 protocol. Otherwise, your ping would have failed. A potential downside to this approach is that the troubleshooter needs access to the specific application experiencing a problem to test Layer 7.

[Figure 1-12 Top-Down Troubleshooting Method: Layer 7: Application, Layer 6: Presentation, Layer 5: Session, Layer 4: Transport, Layer 3: Network, Layer 2: Data Link, Layer 1: Physical, worked from the top down]

The Bottom-Up Method

The reciprocal of the top-down method is the bottom-up method. The bottom-up method seeks to narrow the field of potential causes by eliminating OSI layers beginning at Layer 1, the physical layer, as illustrated in Figure 1-13. Although this is a highly effective method, the bottom-up approach might not be efficient in larger networks because of the time required to fully test lower layers of the OSI model. Therefore, the bottom-up method is often used after employing some other method to narrow the scope of the problem.

[Figure 1-13 Bottom-Up Troubleshooting Method: Layer 1: Physical, Layer 2: Data Link, Layer 3: Network, Layer 4: Transport, Layer 5: Session, Layer 6: Presentation, Layer 7: Application, worked from the bottom up]

The Divide-and-Conquer Method

After analyzing the information collected for a problem, you might not see a clear indication as to whether the top-down or bottom-up approach would be most effective. In such a situation, you might select the divide-and-conquer approach, which begins in the middle of the OSI stack, as shown in Figure 1-14.

[Figure 1-14 Divide-and-Conquer Troubleshooting Method: the seven OSI layers, with ping 10.1.2.3 issued at Layer 3: Network]

In Figure 1-14, the network administrator issued the ping 10.1.2.3 command. If the result was successful, the administrator could conclude that Layers 1–3 were operational, and a bottom-up approach could begin from that point. However, if the ping failed, the administrator could begin a top-down approach at Layer 3.
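The three layer-based methods differ only in the order in which they test the OSI layers and in how many tests they need before they can name the failing layer. The following script is an added example (it is not code from the book or from Cisco) that makes that search order explicit. Each layer is modelled as a check that returns True when the layer works, following the book's rule that a working layer implies all lower layers also work; the checks are constructed stand-ins for real tests such as a ping for Layer 3, so what the script shows is which layers each method has to visit, not how to probe them.

```python
"""Top-down, bottom-up and divide-and-conquer as search orders over the OSI layers.

Added example, not code from the book. Each OSI layer is a check returning True
when the layer works; a working layer implies every layer below it works too.
The checks are constructed stand-ins (assumption), not real network probes.
"""

LAYERS = {
    7: "Application", 6: "Presentation", 5: "Session", 4: "Transport",
    3: "Network", 2: "Data Link", 1: "Physical",
}


def make_checks(broken_layer):
    """Construct a fake network whose lowest failing layer is ``broken_layer``
    (use 8 for a healthy network). Layer n works only if n < broken_layer."""
    return {n: (lambda n=n: n < broken_layer) for n in LAYERS}


def top_down(checks, start=7):
    """Test from ``start`` downward. The first working layer means everything
    below it works as well, so the fault is the layer just above it."""
    tested = []
    for layer in range(start, 0, -1):
        tested.append(layer)
        if checks[layer]():
            return (layer + 1 if layer < 7 else None), tested
    return 1, tested  # nothing works, so the physical layer itself is at fault


def bottom_up(checks, start=1):
    """Test from ``start`` upward; the first failing layer is the fault."""
    tested = []
    for layer in range(start, 8):
        tested.append(layer)
        if not checks[layer]():
            return layer, tested
    return None, tested  # every layer tested works


def divide_and_conquer(checks, middle=3):
    """Test the middle layer first (the book's ``ping 10.1.2.3`` at Layer 3).
    Success proves Layers 1-3 and continues bottom-up from Layer 4; failure
    continues top-down from Layer 2 to find where connectivity stops."""
    tested = [middle]
    if checks[middle]():
        fault, more = bottom_up(checks, start=middle + 1)
    else:
        fault, more = top_down(checks, start=middle - 1)
    return fault, tested + more


def compare_methods(broken_layer):
    """Return {method: (layer blamed, number of layers tested)} for one fault."""
    checks = make_checks(broken_layer)
    results = {
        "top-down": top_down(checks),
        "bottom-up": bottom_up(checks),
        "divide-and-conquer": divide_and_conquer(checks),
    }
    return {name: (fault, len(tested)) for name, (fault, tested) in results.items()}


if __name__ == "__main__":
    for broken in (2, 5, 8):
        label = LAYERS.get(broken, "nothing broken")
        print(f"fault at Layer {broken} ({label}):", compare_methods(broken))
```

Running it for a fault at Layer 2 shows the trade-off the chapter describes: bottom-up names the data link layer after two tests, divide-and-conquer after three, and top-down only after walking all seven layers; for a healthy network the picture reverses, and top-down is done after a single Layer 7 test.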

The Following the Traffic Path Method

Another useful troubleshooting approach is to follow the path of the traffic experiencing a problem. For example, if the client depicted in Figure 1-15 is unable to reach its server, you could first check the link between the client and switch SW1. If everything looks good on that link, you could then check the connection between the switch SW1 and router R1. Next, you would check the link between router R1 and switch SW2, and finally the link between switch SW2 and the server.

[Figure 1-15 Following the Traffic Path Troubleshooting Method: Step 1 Client to Switch SW1, Step 2 SW1 to Router R1, Step 3 R1 to Switch SW2, Step 4 SW2 to Server]

The Comparing Configurations Method

Did you ever find yourself looking through a Highlights magazine as a child? This magazine often featured two similar pictures, and you were asked to spot the differences. This childhood skill can also prove valuable when troubleshooting some network issues. For example, imagine that you have multiple remote offices, each running the same model of Cisco router. Clients at one of those remote offices cannot obtain an IP address via Dynamic Host Configuration Protocol (DHCP). One troubleshooting approach is to compare that site's router configuration with the router configuration of another remote site that is working properly. You can also look at the configuration stored in a document (Word, Notepad) to see whether it is the same. However, what if the documentation is outdated? Now, in addition to the original issue, there are additional issues introduced based on an invalid configuration.

This methodology is often an appropriate approach for a less-experienced troubleshooter not well versed in the specifics of the network. In addition, the problem might be resolved without a thorough understanding of what caused the problem. Therefore, the problem is more likely to recur.

Can you spot the difference in the outputs of Example 1-1a and Example 1-1b?

Example 1-1a show run

R1#show run
...OUTPUT OMITTED...
ip dhcp excluded-address 10.8.8.1 10.8.8.10
!
ip dhcp pool POOL-A
 network 10.8.8.0 255.255.255.0
 default-router 10.8.8.11

 dns-server 192.168.1.1
 netbios-name-server 192.168.1.2
...OUTPUT OMITTED...

Example 1-1b more tftp://10.1.1.10/R1.cfg

R1#more tftp://10.1.1.10/R1.cfg
...OUTPUT OMITTED...
ip dhcp excluded-address 10.8.8.1 10.8.8.10
!
ip dhcp pool POOL-A
 network 10.8.8.0 255.255.255.0
 default-router 10.8.8.1
 dns-server 192.168.1.1
 netbios-name-server 192.168.1.2
...OUTPUT OMITTED...

In Example 1-1a, show run is displaying the current running configuration. Example 1-1b has the more tftp://10.1.1.10/R1.cfg output displaying the archived configuration that was produced as a baseline and stored on a TFTP server. The default router has been changed from 10.8.8.1 to 10.8.8.11.

The Component Swapping Method

Yet another approach to narrowing the field of potential causes of a problem is to physically swap out components. If a problem's symptoms disappear after swapping out a particular component (for example, a cable or a switch), you can conclude that the old component was faulty (either in its hardware or its configuration). Although swapping out components in this fashion might not provide great insight into the specific problem, it could help focus your troubleshooting efforts. For example, if swapping out the switch resolved the issue, you could start to investigate the configuration of the original switch, checking for configuration or hardware issues.

As an example, consider Figure 1-16. A problem report states that the connection between laptop A and switch SW1 is not bringing up a link light on either the laptop or the switch. As a first step, you might swap out the cable interconnecting these two devices with a known working cable. If the problem persists, you will want to undo the change you made and then move the cable from switchport 1 to switchport 2. As a next step, if the problem continues, you could connect a different laptop to switch SW1. If the problem goes away, you could conclude that the issue is with laptop A. However, if the problem continues, you could swap out switch SW1 with another switch (SW2 in this example). As you test each component and find it is not the problem, undo the change.

Chapter 1: Introduction to Troubleshooting and Network Maintenance

Figure 1-16 Component Swapping (figure: laptop A connected to port 1 of switch SW1, with four swaps shown in turn: swap cable; swap switch port, port 1 to port 2; swap laptop, laptop A to laptop B; swap switch, SW1 to SW2)

Practice Exercise: Selecting a Troubleshooting Approach

As a troubleshooter, you might use one of the previously discussed troubleshooting methods or perhaps a combination of methods to eliminate causes. To illustrate how you might select an appropriate troubleshooting approach, consider the following problem report:

A computer lab at a university contains 48 PCs. Currently, 24 of the PCs cannot access the Internet; the other 24 PCs can. The 24 PCs that cannot currently access the Internet were able to access the Internet yesterday.

Consider which of the previously discussed troubleshooting models might be appropriate for an issue such as the one reported. After you reach your own conclusions about which method or methods would be most appropriate, consider the following rationale:

■ Top-down: Because the application is working on some PCs in the same location, and these PCs were working yesterday, the problem is probably not application related. Therefore, starting at the application layer will probably not be effective. Although it is possible that 24 of the PCs have some setting in their Internet browser (for example, a proxy configuration) that prevents them from accessing the Internet, it is unlikely that these 24 PCs were all recently reconfigured with an incorrect application configuration.

■ Bottom-up: Based on the symptom reported, it is reasonable to guess that there might be an issue with an Ethernet switch (perhaps with a port density of 24). Therefore, a bottom-up approach, checking the Cisco Catalyst switch to which these 24 PCs are attached, stands a good chance of isolating the problem quickly.

■ Divide-and-conquer: The problem seems to be related to a block of PCs. Therefore, a divide-and-conquer approach could be useful. Starting at Layer 3 (that is, the network layer), you could issue a series of pings to determine whether a next-hop gateway is reachable. If the next-hop gateway is not reachable, you could start to troubleshoot Layer 2.

■ Following the traffic path: The symptom seems to indicate that these 24 PCs might share a common switch. Therefore, following the traffic path to the other end of the cabling (that is, to a switch) could prove useful. Perhaps the switch has lost power, resulting in this connectivity issue for the 24 PCs.

■ Comparing configurations: If a previous troubleshooting method (for example, bottom-up, divide-and-conquer, or following the traffic path) reveals that the 24 PCs that are not working are connected to one Cisco Catalyst switch, and the 24 PCs that are working are connected to another Cisco Catalyst switch, comparing the configuration of those two switches could prove helpful.

■ Component swapping: Because the 24 PCs are experiencing the same problem within a short time frame (since yesterday), it is unlikely that swapping cables would be useful. However, if these 24 PCs connect to the same Cisco Catalyst switch, swapping out the switch could help isolate the problem.

As you can see from the analysis of the different methods, each has the possibility of providing valuable information that will help you solve this issue. So, you will not usually rely on just one method while you are troubleshooting. You will combine the different methods to produce the most accurate picture possible.

Introduction to Network Maintenance

Network maintenance is an inherent component of a network administrator's responsibilities. However, that network administrator might be performing maintenance tasks in response to a reported problem. This reactive approach is unavoidable, because unforeseen issues do arise. However, the occurrence of these interrupt-driven maintenance tasks can be reduced by proactively performing regularly scheduled maintenance tasks. You could think of regularly scheduled tasks, such as performing backups and software upgrades, as important but not urgent. Spending more time on the important tasks can help reduce time spent on the urgent tasks (for example, responding to user connectivity issues or troubleshooting a network outage).

This section begins by identifying several common network maintenance tasks that are seen in most organizations. It introduces us to standard network maintenance models; however, these off-the-shelf models might not be a perfect fit for the organization. Therefore, this section discusses how to adapt a well-known model to individual needs. It concludes by discussing several procedures that are a must for maintenance success.

Defining Network Maintenance

Network maintenance, at its essence, is doing whatever is required to keep the network functioning and meeting the business needs of an organization. Therefore, you need to analyze the business needs of the organization and determine which maintenance tasks are necessary for the success of the business. You need to align your maintenance tasks with your business needs. Time and money need to be spent wisely, and critical business processes need more attention. For example, are you going to back up each PC in the company on a nightly basis, or are you going to have all users store resources on a central server and back up the central server?

Some examples of the tasks that fall under the umbrella of network maintenance are as follows:

■ Hardware and software installation and configuration
■ Troubleshooting problem reports
■ Monitoring and tuning network performance
■ Planning for network expansion
■ Documenting the network and any changes made to the network
■ Ensuring compliance with legal regulations and corporate policies
■ Securing the network against internal and external threats
■ Backing up files and databases

Obviously, this listing is only a sampling of network maintenance tasks. Also, keep in mind that the list of tasks required to maintain your network could differ significantly from the list of tasks required to maintain another network.

Proactive Versus Reactive Network Maintenance

Network maintenance tasks can be categorized as one of the following:

■ Interrupt-driven tasks: Involve resolving issues as they are reported
■ Structured tasks: Performed as a predefined plan

Interrupt-driven tasks are not planned. They result from something happening in the network that requires your attention. It may be your immediate attention, or it may be something you can put off until later. Interrupt-driven tasks can never be completely eliminated. However, you can significantly reduce their occurrence when you have a strategic structured approach in place. In addition, if you do have an unplanned network outage (interrupt-driven), you can resolve it more quickly because a predefined plan is in place to handle that type of outage; therefore, you will also know which tools are required and how to use them to solve the problem.

Implementing a structured maintenance approach confers many benefits. It reduces total network downtime because you are aware of problems and fix them before they become a major issue. It is more cost-effective because fewer major problems occur, resulting in less resources being consumed for problem resolution. A structured maintenance approach also includes planning for future network capacity. For example, appropriate hardware and software purchases can be made early on, reducing obsolescence of relatively new purchases.

A structured approach also takes into consideration underlying business goals. As a result, resources can be allocated that complement business drivers. Security vulnerabilities are more likely to be discovered through ongoing network monitoring, which is another component of a structured maintenance approach.

Well-Known Network Maintenance Models

The subtleties of each network should be considered when constructing a structured network maintenance model. However, rather than starting from scratch, you might want to base your maintenance model on one of the well-known maintenance models and make adjustments as appropriate. The following is a sampling of some of the more well-known maintenance models:

■ FCAPS: FCAPS (which stands for fault management, configuration management, accounting management, performance management, and security management) is a network maintenance model defined by the International Organization for Standardization (ISO). Table 1-3 provides a sampling of tasks that might be categorized under each of the FCAPS management areas.

■ ITIL: IT Infrastructure Library (ITIL) defines a collection of best practice recommendations that work together to meet IT business management goals.

■ Cisco Lifecycle Services: The Cisco Lifecycle Services maintenance model defines distinct phases in the life of a Cisco technology in a network. These phases are prepare, plan, design, implement, operate, and optimize. As a result, the Cisco Lifecycle Services model is often referred to as the PPDIOO model.

Example of Adapting a Network Maintenance Model

The maintenance model you use in your network should reflect business drivers, resources, and expertise unique to your network. Therefore, once you choose the model, you must adapt the model to your environment, as discussed later in this chapter. Suppose, for example, that you have selected the ISO FCAPS model as the foundation for your maintenance model. To adapt the FCAPS model for your environment, you should identify specific tasks to perform on your network for each element of the FCAPS model.

Table 1-3 FCAPS Management Tasks

Type of Management / Examples of Management Tasks

Fault management: Use network management software to collect information from routers and switches. Send an e-mail alert when processor utilization or bandwidth utilization exceeds a threshold of 80 percent. Respond to incoming trouble tickets from the help desk.

Configuration management: Require logging of any changes made to network hardware or software configurations. Implement a change management system to alert relevant personnel of planned network changes.

Accounting management: Invoice IP telephony users for their long-distance and international calls.

Performance management: Monitor network performance metrics for both LAN and WAN links. Deploy appropriate quality of service (QoS) solutions to make the most efficient use of relatively limited WAN bandwidth, while prioritizing mission-critical traffic.

Security management: Deploy firewall, virtual private network (VPN), and intrusion prevention system (IPS) technologies to defend against malicious traffic. Create a security policy dictating rules of acceptable network use. Use an authorization, authentication, and accounting (AAA) server to validate user credentials, assign appropriate user privileges, and log user activity.

Common Maintenance Procedures

No two network maintenance models will be exactly the same, because of the different business drivers involved, and no two organizations will implement them in exactly the same way. However, there are tasks common to nearly all network maintenance models that will be implemented by all organizations regardless of the business drivers. This section discusses common maintenance tasks that all organizations should be performing. By clearly outlining a maintenance methodology and defining actionable and measurable processes, you can reduce network downtime and more effectively perform interrupt-driven tasks.

Routine Maintenance Tasks

Regardless of the organization, there will be maintenance tasks in each organization that occur routinely. This routine can be hourly, daily, weekly, monthly, per quarter, or per year. However, the routine can be frequent or infrequent, but it can also be regular or irregular. For example, backing up a server on a daily basis at 10:00 p.m. is frequent and regular. However, adding users or moving users and updating the network based on the user changes is going to be different each time. We cannot have a regular schedule for these types of tasks because they are infrequent and irregular. The key with all these tasks is that they are routine regardless of them being frequent, infrequent, regular, or irregular and should be present in a listing of procedures contained in a network maintenance model. As you can see, keeping track of what is being done on the network, and when it is being done, matters regardless of how often a task occurs. Following is a listing of such common maintenance tasks:

■ Configuration changes: Businesses are dynamic environments, where relocation of users from one office space to another, the addition of temporary staffers, and new hires are commonplace. In response to organizational changes, network administrators need to respond by performing appropriate reconfigurations and additions to network hardware and software. These processes are often referred to as moves, adds, and changes.

■ Replacement of older or failed hardware: As devices age, their reliability and comparable performance tend to deteriorate. Therefore, a common task is the replacement of older hardware, typically with better performing and more feature-rich devices. Occasionally, production devices fail, thus requiring immediate replacement.

■ Scheduled backups: Recovery from a major system failure can occur much quicker if network data and device configurations have been regularly backed up. Therefore, a common network maintenance task is to schedule, monitor, and verify backups of selected data and configuration information. These backups can also be useful in recovering important data that was deleted.

■ Updating software: Updates to operating system software (for servers, clients, and even network devices) are periodically released. The updates often address performance issues and security vulnerabilities. New features are also commonly offered in software upgrades. Therefore, performing routine software updates becomes a key network maintenance task.

■ Monitoring network performance: The collection and interpretation of traffic statistics, bandwidth utilization statistics, and resource utilization statistics for network devices are common goals of network monitoring. Through effective network monitoring (which might involve the collection and examination of log files or the implementation of a high-end network management server), you can better plan for future expansion (that is, capacity planning), anticipate potential issues before they arise, and better understand the nature of the traffic flowing through your network.

Scheduled Maintenance

Take a moment and define the network maintenance tasks for your network. After doing so, rank them in order of priority. Some tasks will undoubtedly be urgent in nature and need a quick response when things go wrong (for example, replacing a failed router that connects the business to the Internet). Other tasks can be scheduled. For example, you might schedule weekly full backups of your network's file servers, and you might have a monthly maintenance window, during which time you apply software patches. By having such a schedule for routine maintenance tasks, network administrators are less likely to forget an important task because they were busy responding to urgent tasks. Also, due to maintenance windows, users can be made aware of when various network services will be unavailable, thus minimizing the impact on workflow.

Managing Network Changes

Making changes to a network often has the side effect of impacting the productivity of users relying on network resources. In addition, a change to one network component might create a problem for another network component. For example, perhaps a firewall was installed to provide better security for a server farm. However, in addition to common protocols that were allowed to pass through the firewall (for example, DNS, SMTP, HTTP, HTTPS, POP3, and IMAP), one of the servers in the server farm acted as an FTP server, and the firewall configuration did not consider that server. Therefore, the installation of a firewall to better secure a server farm resulted in a troubleshooting issue, where users could no longer reach their FTP server.

Some organizations have a formalized change management process, where one department announces online their intention to perform a particular maintenance task during a specified time period. Other departments are then notified of this upcoming change, and determine whether the planned change will conflict with that department's operations. If a conflict is identified, the departments can work together to accommodate one another's needs. Making different organization areas aware of upcoming maintenance operations can also aid in reducing unforeseen problems associated with routine maintenance. For example, suppose that one information technology (IT) department within an organization is responsible for maintaining WAN connections that interconnect various corporate offices, whereas another IT department is charged with performing network backups. If the WAN IT department plans to upgrade the WAN link between a couple of offices at 2:00 a.m. next Tuesday, the IT department in charge of backups should be made aware of that planned upgrade, because a backup of remote data (that is, data accessible over the WAN link to be upgraded) might be scheduled for that same time period.

The timing of network changes should also be considered. Rather than taking a router down to upgrade its version of Cisco IOS during regular business hours, such an operation should probably be performed during off hours. Of course, some network maintenance tasks are urgent (for example, a widespread network outage). Those tasks need timely responses, without going through a formalized change management notification process and allowing time for other departments to respond.

When defining a change management system for your organization, consider the following:

■ Who is responsible for authorizing various types of network changes?
■ Which tasks should only be performed during scheduled maintenance windows?
■ What procedures should be followed prior to making a change (for example, backing up a router's configuration prior to installing a new module in the router)?
■ What measurable criteria determine the success or failure of a network change?
■ How will a network change be documented, and who is responsible for the documentation?
■ How will a rollback plan be created, such that a configuration can be restored to its previous state if the changes resulted in unexpected problems?
■ Under what circumstances can formalized change management policies be overridden, and what (if any) authorization is required for an override?

Maintaining Network Documentation

Network documentation typically gets created as part of a network's initial design and installation. However, keeping that documentation current, reflecting all changes made since the network's installation, should be part of any network maintenance model. Keeping documentation current helps more effectively isolate problems when troubleshooting. In addition, accurate documentation can prove to be valuable to designers who want to scale the network.

At a basic level, network documentation could consist of physical and logical network diagrams, in addition to a listing of network components and their configurations, deployed VLANs, and IP addressing, to name a few. However, network documentation can be much more detailed, including such components as formalized change management procedures, a listing of contact information (for example, for service providers and points of contact in an organization's various IT groups), and the rationale for each network change made.

While the specific components in a set of network documentation can vary, just as the procedures in a network maintenance model vary, the following list outlines common elements found in a set of network documentation:

■ Logical topology diagram: A logical topology diagram shows the interconnection of network segments, the protocols used, and how end users interface with the network. However, this diagram is not concerned with the physical locations of network components.

■ Physical topology diagram: Unlike a logical topology diagram, a physical topology diagram shows how different geographical areas (for example, floors within a building, buildings, or entire sites) interconnect. The diagram reflects where various network components are physically located.

■ Listing of interconnections: A listing of interconnections could be, for example, a spreadsheet that lists which ports on which devices are used to interconnect network components or connect out to service provider networks. Circuit IDs for service provider circuits might be included in this documentation.

■ Inventory of network equipment: An inventory of network equipment would include such information as the equipment's manufacturer, model number, version of software, and modules installed, in addition to information about the licensing of the software, serial number, and an organization's asset tag number.

■ IP address assignments: An organization might use private IP address space internally and use Network Address Translation (NAT) to translate those private IP address space numbers into publicly routable IP addresses. Alternatively, an organization might have public IP addresses assigned to some or all of their internal devices. A classful IP address space (either public or private) might be subdivided within an organization, resulting in subnets with a nondefault subnet mask. For IPv6, the organization might be manually assigning the interface ID to each device, using EUI-64, or a combination of both. These types of IP addressing specifications would be included in a set of network documentation.

■ Configuration information: When a configuration change is made, the current configuration should be backed up. With a copy of current configuration information, a device could be replaced quicker in the event of an outage. Beyond having a backup of current configuration information, some network administrators also maintain archival copies of previous configurations. These older configurations could prove useful when attempting to roll back to a previous configuration state or when trying to duplicate a previous configuration in a new location. It is a good practice to name archival copies of previous configurations based on a certain format that makes sense to you. For example, some companies name their archival copies by date, others by function, and still others by a combination of both.

■ Original design documents: Documents created during the initial design of a network might provide insight into why certain design decisions were made and how the original designers envisioned future network expansion.

Larger network environments often benefit from having step-by-step guidelines for troubleshooting a given network issue. Such a structured approach to troubleshooting helps ensure that all troubleshooting personnel use a common approach. Although a network issue might be successfully resolved through various means, if different personnel troubleshoot using different approaches, at some point those approaches might conflict with one another, resulting in further issues.

As a few examples, consider one network administrator that configures IEEE 802.1Q trunking by setting a port's trunk state to desirable, which creates a trunk connection only if it receives a Dynamic Trunking Protocol (DTP) frame from the far end of the connection. Another network administrator within the same company configures 802.1Q trunking on Cisco Catalyst switches by disabling DTP frames and forcing a port to act as a trunk port. These two approaches are not compatible, and if each of these two network administrators configured different ends of what they intended to be an 802.1Q trunk, the trunk connection would never come up. This example illustrates the criticality of having clear communication among IT personnel and a set of standardized procedures to ensure consistency in network configuration and troubleshooting practices.

Restoring Operations After a Failure

Although most modern network hardware is very reliable, failures do occur from time to time. Aside from hardware failures, environmental factors could cause a network outage. For example, the failure of an air conditioner unit could cause network equipment to overheat, water leakage due to flooding or plumbing issues could cause hardware failures, and a fire could render the network equipment unusable. Planning and provisioning hardware and software for such outages before they occur can accelerate recovery time. To efficiently replace a failed (or damaged) device, you should be in possession of, or have the ability to acquire relatively quickly, the following:

■ Duplicate hardware: The hardware can be stored locally, or it can be attainable through a supplier that can get you the device within a certain time based on a service level agreement (SLA).

■ Operating system and application software (along with any applicable licensing) for the device: Although you can get this from the manufacturer (such as Cisco), it is advisable to have an exact copy of the operating systems and application software stored locally for each device you are using in the organization.

■ Backup of device configuration information: When a failure happens, you need to restore your device to its last known good configuration. It is ideal to have a backup of the configuration files on a server in the organization. However, if that is not possible, at a minimum have the configurations documented in Notepad somewhere. You do not want to be caught in a situation where you have no information related to the configuration of a device being restored.

The Troubleshooting and Network Maintenance Relationship

A structured troubleshooting approach provides step-by-step processes that offer a repeatable, consistent plan that makes the troubleshooter more efficient and effective. During our coverage of the structured approach, you might have noticed that documentation, baselines, change control, and communication were mentioned. All of these are fundamental assets to your success as a troubleshooter. However, they do not simply appear from the ether. Also, as you have seen from the discussion of network maintenance, we will heavily rely on these resources when issues occur. However, documentation and baselines are created at a specific point in time for a device and provide a snapshot of the health and configuration of that device at that point. What happens if someone neglects to update the documentation or baselines based on changes that may have occurred during scheduled maintenance or some past issue? What happens if we have difficulty communicating with others or they withhold information from us? These assets become liabilities as they are unable to address the question: What should be occurring in the network?

As you have seen, network maintenance tasks often include troubleshooting tasks, and vice versa. For example, when installing a new network component as part of ongoing network maintenance, an installer is often required to troubleshoot the installation until the new network component is functioning properly. Conversely, when troubleshooting a network issue, the troubleshooter might use network documentation (for example, a physical topology diagram created as part of a network maintenance task) to help isolate a problem.

Measuring Network Performance

Network monitoring is a proactive approach to network maintenance, enabling you to be alerted to trends and utilization statistics (as a couple of examples). These statistics can forecast future issues, allowing you to be proactive and fix problems before they affect network users. Also, if you work for a service provider, network performance monitoring can ensure that you are providing an appropriate service level to a customer. Conversely, if you are a customer of a service provider, network monitoring can confirm that the service provider is conforming to the SLA for which you are paying.

This interrelationship between maintenance and troubleshooting suggests that the effectiveness of your troubleshooting efforts is influenced by the effectiveness of your routine network management tasks. Because these tasks are so interrelated, you might want to take proactive measures to ensure your structured maintenance and troubleshooting processes complement one another. For example, both network troubleshooting and maintenance include a documentation component. Therefore, the value of a centralized repository of documentation increases as a result of its use for both maintenance and troubleshooting efforts.

Maintaining Current Network Documentation

A set of maintained network documentation can dramatically improve the efficiency of troubleshooting efforts. For example, if a troubleshooter is following the path that specific traffic takes through a network, physical and logical topology diagrams could help identify the next network component to check. A danger with relying on documentation is that if the documentation is dated (not maintained), troubleshooters could be led down an incorrect path because of their reliance on that documentation. Such a scenario is often worse than not having documentation at all, because in the absence of documentation, they have to create their own path.

Although few argue with the criticality of maintaining current documentation, in practice, documenting troubleshooting efforts often falls by the wayside. The lack of follow-through when it comes to documenting what happened during a troubleshooting scenario is understandable. The troubleshooter's focus is on resolving a reported issue in a timely manner (that is, an urgent task) rather than documenting what they are doing at the time (that is, an important task). Following are a few suggestions to help troubleshooters keep in mind the need to document their steps:

■ Require documentation: By making documentation a component in the troubleshooting flow, troubleshooters know that before a problem report or a trouble ticket can be closed out, they must generate appropriate documentation. This knowledge often motivates troubleshooters to perform some level of documentation (for example, scribbling notes on the back of a piece of paper) as they are performing their tasks, as opposed to later trying to recall what they did from memory, thus increasing the accuracy of the documentation.

■ Schedule documentation checks: A structured maintenance plan could include a component that routinely requires verification of network documentation and when it was last updated based on timestamps. Therefore, troubleshooters are not led down the wrong path during the troubleshooting process.

■ Automate documentation: Because manual checks of documentation might not be feasible in larger environments, automated processes could be used to, for example, compare current and backup copies of device configurations. Any difference in the configurations indicates that someone failed to update the backup configuration of a device after making a configuration change to that device. To assist with the automation of backups, Cisco IOS offers the Configuration Replace and Configuration Rollback feature and the Embedded Event Manager.
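The comparison that Example 1-1a and Example 1-1b ask you to perform by eye, and the automated check of current versus backup configurations suggested under Automate documentation above, can both be scripted. The following Python program is an added example written for this discussion; it is not code from the book or from Cisco. It parses two configuration snapshots into (section, command) pairs so that a difference is reported together with the block it belongs to, and it skips lines whose values legitimately drift between snapshots (the "Building configuration" and "Current configuration" headers of show run, and ntp clock-period). The two configurations, the volatile-line list, and all addresses and hostnames in them are constructed for the example.

```python
"""Compare a device's current configuration against its archived baseline.

Added example, not from the book.  Both snapshots below are constructed and
abbreviated, in the spirit of Example 1-1a (show run) and Example 1-1b
(more tftp://...).
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (section, command)

# Lines whose values legitimately differ between a live "show run" and an
# archived copy; they are skipped so they are never reported as changes.
# Constructed list: extend it for the platforms you run.
VOLATILE = (
    re.compile(r"^Building configuration"),
    re.compile(r"^Current configuration : \d+ bytes"),
    re.compile(r"^ntp clock-period "),
)

RUNNING_CONFIG = """\
Building configuration...

Current configuration : 1320 bytes
! Last configuration change at 10:15:02 UTC Mon Jun 2 2014
hostname R1
!
ip dhcp excluded-address 10.1.1.1 10.1.1.10
!
ip dhcp pool POOL-A
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.2
 dns-server 192.168.1.1
 netbios-name-server 192.168.1.2
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
!
ntp clock-period 17179862
end
"""

BASELINE_CONFIG = """\
! Last configuration change at 08:30:41 UTC Fri May 30 2014
hostname R1
!
ip dhcp excluded-address 10.1.1.1 10.1.1.10
!
ip dhcp pool POOL-A
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 dns-server 192.168.1.1
 netbios-name-server 192.168.1.2
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
!
ntp clock-period 17179858
end
"""


def parse_ios_config(text: str) -> List[Entry]:
    """Turn IOS-style configuration text into (section, command) pairs.

    IOS indents sub-commands under the unindented command that introduced
    them ("ip dhcp pool POOL-A", "interface ..."), so the most recent
    unindented command names the section of the indented lines after it.
    Unindented commands are recorded under the section "global".  Blank
    lines, "!" separators/comments and volatile lines are skipped.
    """
    entries: List[Entry] = []
    section = "global"
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if any(pattern.match(raw) for pattern in VOLATILE):
            continue
        if raw.startswith(" "):
            entries.append((section, raw.strip()))
        else:
            command = raw.strip()
            entries.append(("global", command))
            section = command  # indented lines that follow belong to it
    return entries


def compare_configs(current: str, baseline: str) -> Dict[str, List[Entry]]:
    """Return the commands that exist in only one of the two snapshots."""
    current_entries = parse_ios_config(current)
    baseline_entries = parse_ios_config(baseline)
    current_set, baseline_set = set(current_entries), set(baseline_entries)
    return {
        "only_in_current": [e for e in current_entries if e not in baseline_set],
        "only_in_baseline": [e for e in baseline_entries if e not in current_set],
    }


def in_sync(current: str, baseline: str) -> bool:
    """True when both snapshots carry the same non-volatile commands."""
    diff = compare_configs(current, baseline)
    return not diff["only_in_current"] and not diff["only_in_baseline"]


def report(diff: Dict[str, List[Entry]]) -> List[str]:
    """Render the difference as diff-style lines that keep the section context."""
    lines = [f"- [{section}] {command}" for section, command in diff["only_in_baseline"]]
    lines += [f"+ [{section}] {command}" for section, command in diff["only_in_current"]]
    return lines


if __name__ == "__main__":
    for line in report(compare_configs(RUNNING_CONFIG, BASELINE_CONFIG)):
        print(line)
```

Run against the two constructed snapshots, the report contains exactly the default-router change inside ip dhcp pool POOL-A, while the differing timestamps and clock-period values are silent. In a scheduled job, a non-empty report for a device is the signal that either an undocumented change was made or the archived baseline was not refreshed after a documented one.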

Establishing a Baseline

As previously mentioned, troubleshooting involves knowing what should be happening on the network, observing what is currently happening on the network, and determining the difference between the two. To determine what should be happening on the network, a baseline of network performance should be measured as part of a routine maintenance procedure and updated on a regular basis.

For example, a routine network maintenance procedure might require that a show processes cpu command be periodically issued on all routers in a network, with the output logged and archived. When troubleshooting a performance problem on a router, you could issue this command to determine how a router is currently operating. However, without a baseline as a reference before troubleshooting, you might not be able to draw a meaningful conclusion based on the command output. As shown in Example 1-2, the show processes cpu command demonstrates the 5-second, 1-minute, and 5-minute CPU utilization averages.

Example 1-2 Monitoring Router CPU Utilization

R1# show processes cpu
CPU utilization for five seconds: 18%/18%; one minute: 22%; five minutes: 22%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           0         1          0  0.00%  0.00%  0.00%   0 Chunk Manager
   2           4       167         23  0.00%  0.00%  0.00%   0 Load Meter
   3         821       188       4367  0.09%  4.13%  0.14%   0 Exec
   4           4         1       4000  0.00%  0.00%  0.00%   0 EDDRI_MAIN
   5       43026      2180      19736  0.00%  0.00%  0.03%   0 Check heaps
...OUTPUT OMITTED...

Communication

Each of the troubleshooting steps outlined in the structured approach requires clear communication. Table 1-4 describes how communication plays a role in each troubleshooting phase.

Table 1-4 Importance of Clear Communication During Troubleshooting

Troubleshooting Step: The Role of Communication

Problem report: When a user reports a problem, clear communication with that user helps define the problem. For example, the user can be asked exactly what is not working correctly, if she made any recent changes, and when the problem started.

Collect information: Some information collected might come from other parties (for example, a service provider). Clearly communicating with those other parties helps ensure collection of the proper data.

Examine collected information: Because a troubleshooter is often not fully aware of all aspects of a network, collaboration with other IT personnel is often necessary.

Eliminate potential causes: The elimination of potential causes might involve consultation with others. This consultation could provide insight leading to the elimination of a potential cause.

Propose an hypothesis: The consultation a troubleshooter conducts with other IT personnel when eliminating potential causes might also help the troubleshooter more accurately hypothesize a problem's underlying cause.

Verify hypothesis: Temporary network interruptions often occur when verifying an hypothesis. Therefore, the nature and reason for an interruption should be communicated to the users impacted.

Problem resolution: After a problem is resolved, the user originally reporting the problem should be informed, and the user should confirm that the problem has truly been resolved.

After clearly defining the problem, and depending on the severity of an issue, multiple network administrators could be involved in troubleshooting it. Because these troubleshooters might be focused on different tasks at different times, it is possible that no single administrator can report on the overall status of the problem. Therefore, when managing a major outage, those involved in troubleshooting the outage should divert user inquiries to a manager who is in frequent contact with the troubleshooting personnel. As a side benefit, being able to quickly divert user requests for status reports to a manager helps minimize interruptions from users.

Change Management

Managing when changes can be made and by whose authority helps minimize network downtime. In fact, these two factors (that is, when a change is allowed and who can authorize it) are the distinguishing factors between making a change as part of a routine maintenance plan and making a change as part of a troubleshooting process. The process of change management includes using policies that dictate rules regarding how and when a change can be made and how that change is documented.

Consider the following scenario, which illustrates how a maintenance change could be a clue while troubleshooting a problem report: Last week, a network administrator attempted to better secure a Cisco Catalyst switch by administratively shutting down any ports that were in the down/down state (that is, no physical layer connectivity to a device). This morning, a user reported that her PC could not access network resources. Also, as part of the collect information troubleshooting phase, the troubleshooter asked whether anything had changed. Even though the user was unaware of any changes, she mentioned that she had just returned from vacation, thus leading the troubleshooter to wonder if any network changes had occurred while the user was on vacation. Thanks to the network's change management system, the troubleshooter was able to find in the documentation that last week an administrator had administratively shut down this user's switchport because it was down/down while the user was on vacation and her computer was shut off.

The previous scenario is an excellent example of how following a structured troubleshooting approach, having accurate documentation, and a sound change management policy minimized the total time it took the troubleshooter to solve the problem.
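The baseline idea from the "Establishing a Baseline" section above can be automated: archive the output of show processes cpu during routine maintenance, then compare a fresh capture against it when a performance problem is reported. The script below is an added example and not code from the book; it parses the output format shown in Example 1-2. The two captures are constructed, the IP Input process and its figures are invented for the scenario, and the deviation thresholds (total_delta, proc_delta) are assumed values chosen for illustration.

```python
"""Compare a fresh 'show processes cpu' capture against an archived baseline.

Added example (not from the Cisco Press text). The two captures below are
constructed to match the output format of Example 1-2; the thresholds are
assumptions chosen for illustration.
"""
import re

# Constructed baseline capture, as a routine maintenance task might archive it.
BASELINE = """\
CPU utilization for five seconds: 18%/18%; one minute: 22%; five minutes: 22%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           0         1          0  0.00%  0.00%  0.00%   0 Chunk Manager
   2           4       167         23  0.00%  0.00%  0.00%   0 Load Meter
   3         821       188       4367  0.09%  0.13%  0.14%   0 Exec
   5       43026      2180      19736  0.00%  0.00%  0.03%   0 Check heaps
"""

# Constructed capture taken while a performance problem is being reported.
CURRENT = """\
CPU utilization for five seconds: 91%/4%; one minute: 88%; five minutes: 64%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           0         1          0  0.00%  0.00%  0.00%   0 Chunk Manager
   2           4       167         23  0.00%  0.00%  0.00%   0 Load Meter
   3         821       188       4367  0.09%  0.13%  0.14%   0 Exec
   5       43026      2180      19736  0.00%  0.00%  0.03%   0 Check heaps
 117      904112    112354       8047 83.21% 80.05% 55.90%   0 IP Input
"""

# Header line: total%/interrupt% for 5 seconds, then the 1- and 5-minute averages.
SUMMARY_RE = re.compile(
    r"five seconds: (\d+)%/(\d+)%; one minute: (\d+)%; five minutes: (\d+)%"
)
# One process row: PID, three counters, three percentages, TTY, then the
# process name, which may contain spaces.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s+(.+?)\s*$"
)


def parse_summary(text):
    """Return (total_5s, interrupt_5s, one_min, five_min) from the header line."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no CPU utilization header found")
    return tuple(int(x) for x in m.groups())


def parse_processes(text):
    """Return {process_name: five_minute_percent} for every process row."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            procs[m.group(9)] = float(m.group(7))
    return procs


def compare_to_baseline(current, baseline, total_delta=20.0, proc_delta=5.0):
    """Return human-readable deviations from the baseline (thresholds are assumed).

    The 5-minute column is compared because it smooths short spikes; a high
    total with a low interrupt share in the header points at a process rather
    than at packet switching, which is why both numbers are parsed.
    """
    findings = []
    cur = parse_summary(current)
    base = parse_summary(baseline)
    if cur[3] - base[3] > total_delta:
        findings.append(f"5-minute CPU {cur[3]}% vs baseline {base[3]}%")
    cur_procs = parse_processes(current)
    base_procs = parse_processes(baseline)
    for name, pct in cur_procs.items():
        before = base_procs.get(name, 0.0)
        if pct - before > proc_delta:
            findings.append(f"process {name!r} at {pct}% (baseline {before}%)")
    return findings


if __name__ == "__main__":
    for finding in compare_to_baseline(CURRENT, BASELINE):
        print(finding)
```

Run against the constructed captures, the script reports the 5-minute average (64% against a 22% baseline) and the single process responsible for it; without the archived baseline the 64% figure alone would not say whether the router is busier than it normally is.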

Exam Preparation Tasks

As mentioned in the section "How to Use This Book" in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, "Final Preparation," and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 1-5 lists a reference of these key topics and the page numbers on which each is found.

Table 1-5 Key Topics for Chapter 1

Key Topic Element   Description                                                                     Page Number
List                Outlines the simplified troubleshooting flow                                    10
Table 1-2           Identifies the five steps used while diagnosing a problem                       10
List                Outlines the structured troubleshooting flow                                    11
Section             Provides details of each step during structured troubleshooting                 13
List                Lists the various troubleshooting methods that can be used to narrow the field  20
                    of potential causes
List                Lists examples of network maintenance tasks                                     27
List                Lists examples of network maintenance models                                    28
List                Identifies questions that need to be addressed while implementing a change      31
                    management system
List                Outlines various types of documents that should exist and be maintained         32
                    within an organization
List                Examples of how to help troubleshooters remember the importance of              35
                    documenting their steps
Paragraph           Identifies the importance of a baseline                                         36

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

interrupt-driven task, structured maintenance task, ITIL, FCAPS, Cisco Lifecycle Services, change management, documentation, baseline, shoot from the hip, top-down method, bottom-up method, divide-and-conquer method, following the traffic path method, comparing configurations method, component swapping method

This chapter covers the following topics:

■ The Troubleshooting and Network Maintenance Toolkit: This section introduces you to the essential tools for troubleshooting and maintenance tasks.

■ Using Cisco IOS to Verify and Define the Problem: This section reviews the ping, telnet, and traceroute utilities.

■ Using Cisco IOS to Collect Information: This section focuses on how to use the CLI to collect information for troubleshooting and maintenance.

■ Collecting Information in Transit: This section identifies how you can configure switches to send copies of frames to packet capturing devices using SPAN and RSPAN.

■ Using CLI Tools to Document a Network: This section focuses on the steps and commands required to successfully document a network diagram.

CHAPTER 2

Troubleshooting and Maintenance Tools

Collecting network information is an ongoing process. There is no argument that you will be collecting network information when there is an issue, and you need it now, not later. However, if that is the only time you collect network information, you are missing the necessary key element of an efficient and effective troubleshooting process. To be an efficient and effective troubleshooter, you need network information about the good times and the bad times. Therefore, you need to gather baseline data on a regular basis so that you have something to compare your current issue to. In addition, the statistics related to certain network events (for example, processor utilization on a network server exceeding a specified threshold) could trigger the writing of log information (for example, to a syslog server), so you have a snapshot of the device's health at that point in time. This chapter introduces you to a sampling of Cisco IOS tools and features designed for network maintenance and troubleshooting.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 2-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 2-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section                                Questions
The Troubleshooting and Network Maintenance Toolkit      1–6
Using Cisco IOS to Verify and Define the Problem         7–9
Using Cisco IOS to Collect Information                   10
Collecting Information in Transit                        11
Using CLI Tools to Document a Network                    12

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which three of the following are components that would be most useful when recovering from a network equipment outage?
a. Backup of device configuration information
b. Physical topology
c. Duplicate hardware
d. Operating system and application software (along with any applicable licensing) for the device

2. The types of information collection used in troubleshooting fall into which three broad categories?
a. Troubleshooting information collection
b. Baseline information collection
c. QoS information collection
d. Network event information collection

3. Which of the following would be appropriate for a collaborative web-based documentation solution?
a. Blog
b. Vlog
c. Wiki
d. Podcast

4. Which command enables you to view archival copies of a router's startup configuration?
a. show backup
b. show archive
c. show flash: | begin backup
d. show ftp: | begin archive

5. Which of the following is a Cisco IOS technology that uses a collector to take data from monitored devices and present graphs, charts, and tables to describe network traffic patterns?
a. NBAR
b. NetFlow
c. QDM
d. IPS

6. Which two of the following are characteristics of the NetFlow feature? (Choose the two best answers.)
a. Collects detailed information about traffic flows
b. Collects detailed information about device statistics
c. Uses a pull model
d. Uses a push model

7. Which of the following is the ping response to a transmitted ICMP echo datagram that needed to be fragmented when fragmentation was not permitted?
a. U
b. .
c. M
d. D

8. Which command can be used to determine whether transport layer connectivity is functioning?
a. telnet
b. ping
c. traceroute
d. arp -a

9. Which command enables you to determine whether a routing loop exists?
a. telnet
b. ping
c. traceroute
d. arp -a

10. Which of the following commands displays a router's running configuration, starting where the routing protocol configuration begins?
a. show running-config | tee router
b. show running-config | begin router
c. show running-config | redirect router
d. show running-config | append router

11. What feature available on Cisco Catalyst switches enables you to connect a network monitor to a port on one switch to monitor traffic flowing through a port on a different switch?
a. RSTP
b. SPAN
c. RSPAN
d. SPRT

12. What IOS command enables you to discover the Cisco devices that are directly connected to other Cisco devices?
a. show ip interface brief
b. show interface status
c. show cdp neighbor
d. show version

Foundation Topics

The Troubleshooting and Network Maintenance Toolkit

As previously discussed, troubleshooting and maintenance go hand in hand. A relationship exists between the two; therefore, the tools we use for troubleshooting and maintenance will be very similar, if not the same. Chapter 1, “Introduction to Troubleshooting and Network Maintenance,” introduced you to a series of steps that provide a structured troubleshooting process. Several of these steps involve the use of tools that will help gather, examine, and compare information, in addition to fixing and possibly rolling back configurations. Let's examine four of these steps:

■ Problem report: By proactively monitoring network devices with specialized reporting tools, you might be alerted to impending performance issues before users are impacted and report it.

■ Collect information: The collection of information when troubleshooting a problem can often be made more efficient through the use of specialized maintenance and troubleshooting tools.

■ Examine collected information: As troubleshooters investigate the information they collected during the troubleshooting process, they need to know what normal network behavior looks like. They can then contrast that normal behavior against what they are observing in their collected data. Specialized maintenance tools can be used in a network to collect baseline data on an ongoing basis so that it is available and current when needed.

■ Verify hypothesis: Specialized maintenance and troubleshooting tools help a troubleshooter implement his fix for an issue. If that fix proves unsuccessful, those tools can also help roll back the attempted fix.

If you look closely, the information that is collected essentially falls into one of three categories:

■ Troubleshooting information collection: This is the information collected while troubleshooting an issue that was either reported by a user or a network management station (NMS). At this point, you are gathering more information that will help paint a clearer picture of the issue at hand.

■ Baseline information collection: This is the information collected when the network is operating normally. This information provides a frame of reference against which other data can be compared when we are troubleshooting an issue.

■ Network event information collection: This is the information collected when our devices automatically generate alerts in response to specific conditions (for example, configured utilization levels on a switch, router, or server being exceeded). These alerts can be simple notification messages or emergency messages.

Because such a tight relationship exists between troubleshooting and network maintenance, you should identify the tools required to carry out your maintenance processes based on how well targeted they are toward your specific business processes and tasks. Many solutions are available on the market. The features you want the tool to provide will determine the overall cost. However, you do not have to purchase the most expensive tool to get the best product. Shop around and communicate with the vendors to see what they have to offer you and your business needs. Get free trials and work with them for a while. That is the only way you will be able to determine whether the product will work for you. This section focuses on tools that are necessary for troubleshooting and maintenance tasks.

Network Documentation Tools

It is fitting that we start this chapter with a discussion on network documentation tools, because without them, all the other tools we use mean nothing if we are not documenting their findings. Chapter 1 discussed the importance of network documentation. However, for this documentation to truly add value and be an asset, it should be easy to retrieve and, more important, be current. To keep the documentation current is a challenge for most people. The big reason is time. However, you can make it less challenging and less time-consuming if it is easy to update with the proper tools.

The true power of documentation is seen during the troubleshooting process, and this is especially true when you have a well-organized, searchable repository of information. During the troubleshooting process, if you have a searchable database of past issues that were solved, you can leverage that information and be more efficient and effective. However, do not forget to update the documentation after you solve the ticket. Just because it was reported in the past and already had a resolution does not mean you can skip the documentation process. At some point, we may need to rely on the number of entries in a ticket reporting system to determine whether some greater issue is lurking in the shadows and causing the reoccurrence of the same minor issues over and over.

A couple of documentation management system examples are as follows:

■ Trouble ticket reporting system: Several software applications are available for recording, tracking, and archiving trouble reports (that is, trouble tickets). These applications are often referred to as help desk applications. However, their usefulness extends beyond the help desk environment: they hold a searchable record of past issues and guides that can be followed to resolve issues, while helping you focus your troubleshooting efforts without having to wade through reams of irrelevant information. At some point, they will come in handy.

■ Wiki: A wiki can act as a web-based collaborative documentation platform. A popular example of a wiki is Wikipedia (http://www.wikipedia.com), an Internet-based encyclopedia that can be updated by users. This type of wiki technology can also be used on your local network to maintain a central repository for documentation that is both easy to access and easy to update.

Basic Tools

Troubleshooting and network maintenance tools often range in expense from free to tens of thousands of dollars. Similarly, these tools vary in their levels of complexity and usefulness for troubleshooting and maintaining specific issues. You need to select tools that balance your troubleshooting and maintenance needs while meeting your budgetary constraints. Regardless of budget, all Cisco troubleshooting and network maintenance toolkits will contain the command-line interface (CLI) commands that are executable from a router or switch prompt. In addition, many network devices have a graphical user interface (GUI) to assist network administrators in their configuration and monitoring tasks. External servers (for example, logging servers, backup servers, and time servers) can also collect, store, or provide valuable information for day-to-day network operations and for troubleshooting and maintenance.

CLI Tools

Cisco IOS offers a wealth of CLI commands, which can prove invaluable when troubleshooting a network issue. For example, a show command, which displays a static snapshot of information, can display router configuration information and the routes that have been learned by a routing process. The debug command can provide real-time information about router or switch processes. To illustrate, consider Example 2-1, which shows router R2 receiving Open Shortest Path First (OSPF) link-state updates from its OSPF neighbors as those updates occur.

Example 2-1 Sample debug Output

R2#debug ip ospf events
OSPF events debugging is on
R2#
*Mar  1 00:06:06.067: OSPF: Rcv LS UPD from 10.4.4.4 on Serial1/0.2 length 124 LSA count 1
*Mar  1 00:06:06.679: OSPF: Rcv LS UPD from 10.3.3.3 on Serial1/0.1 length 124 LSA count 1
*Mar  1 00:06:06.691: OSPF: Rcv LS UPD from 10.4.4.4 on Serial1/0.2 length 124 LSA count 1
*Mar  1 00:06:07.999: OSPF: Rcv LS UPD from 10.3.3.3 on Serial1/0.1 length 156 LSA count 2

This is one of many show and debug examples you will see throughout this book. The focus of this book is on those show and debug CLI commands that will assist us in solving trouble tickets. Cisco IOS also has a CLI feature that allows a router to monitor events and automatically respond to a specific event (such as a defined threshold being reached) with a predefined action. This feature is called Cisco IOS Embedded Event Manager (EEM), which we cover in more detail later.

GUI Tools

Although Cisco has a great number of GUI tools, when it comes to router and switch configuration and troubleshooting for the CCNP Routing and Switching track, you will spend all your time in the CLI. Therefore, do not get too comfortable with GUI tools for the Routing and Switching track. However, as an example, you can use the GUI tool known as Cisco Configuration Professional (CCP) to configure and troubleshoot your Integrated Services Routers (ISRs). Figure 2-1 provides a sample of the CCP home page.

Figure 2-1 Cisco Configuration Professional

Recovery Tools

During the recovery process, you need access to duplicate hardware and the IOS. However, you also need a backup of the failed device's configuration. External servers are often used to store archival backups of a device's operating system (for example, a Cisco IOS image) and the configuration information. Depending on your network device, you might be able to back up your operating system and configuration information to a TFTP, FTP, HTTP, or SCP server. To illustrate, consider Example 2-2.

Example 2-2 Backing Up a Router's Startup Configuration to an FTP Server

R1#copy startup-config ftp://cisco:cisco@192.168.1.74
Address or name of remote host [192.168.1.74]?
Destination filename [r1-confg]?
Writing r1-confg !
1446 bytes copied in 3.349 secs (432 bytes/sec)

In Example 2-2, router R1's startup configuration is being copied to an FTP server with an IP address of 192.168.1.74. Notice that the login credentials (that is, username=cisco and password=cisco) for the FTP server are specified in the copy command. In a production environment, the username and password should be stronger and not easily guessed. If you intend to routinely copy backups to an FTP server, you can avoid specifying the login credentials each time (for security purposes), by adding those credentials to the router's configuration. Example 2-3 shows how to add FTP username and password credentials to the router's configuration, and Example 2-4 shows how the startup configuration can be copied to an FTP server without explicitly specifying those credentials in the copy command.

Example 2-3 Adding FTP Server Login Credentials to a Router's Configuration

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip ftp username cisco
R1(config)#ip ftp password cisco
R1(config)#end

Example 2-4 Backing Up a Router's Startup Configuration to an FTP Server Without Specifying Login Credentials

R1#copy startup-config ftp://192.168.1.74
Address or name of remote host [192.168.1.74]?
Destination filename [r1-confg]?
Writing r1-confg !
1446 bytes copied in 3.389 secs (427 bytes/sec)

Example 2-5 shows how to add HTTP username and password credentials to the router's configuration. Compare this to the FTP configuration commands and notice the difference.

Example 2-5 Adding HTTP Server Login Credentials to a Router's Configuration

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip http client username cisco
R1(config)#ip http client password cisco
R1(config)#end

The process of backing up a router's configuration can be automated using an archiving feature, which is part of the Cisco IOS Configuration Replace and Configuration Rollback feature. Specifically, you can configure a Cisco IOS router to periodically (that is, at intervals specified in minutes) back up a copy of the configuration to a specified location (for example, the router's flash, or an FTP server). Example 2-6 illustrates a router configured to back up the running configuration every 1440 minutes to an FTP server with an IP address of 192.168.1.74. The login credentials have already been configured in the router's configuration. In addition, the archive feature can be configured to create an archive every time you copy a router's running configuration to the startup configuration. Also, the write-memory command causes the router to archive a copy of the configuration whenever the router's running configuration is copied to the startup configuration using either the write-memory or copy running-config startup-config commands.

Example 2-6 Automatic Archive Configuration

R1#show run
Building configuration...
...OUTPUT OMITTED...
ip ftp username cisco
ip ftp password cisco
!
archive
 path ftp://192.168.1.74/R1-config
 write-memory
 time-period 1440
...OUTPUT OMITTED...

You can view the files stored in a configuration archive by issuing the show archive command, as demonstrated in Example 2-7.

Example 2-7 Viewing a Configuration Archive

R1#show archive
The maximum archive configurations allowed is 10.
The next archive file will be named ftp://192.168.1.74/R1-config-3
 Archive #  Name
   1        ftp://192.168.1.74/R1-config-1
   2        ftp://192.168.1.74/R1-config-2 <- Most Recent
   3
   4
   5
   6
   7
   8
   9
   10

Example 2-8 shows the execution of the copy run start command, which copies a router's running configuration to the router's startup configuration. The show archive command is then reissued, and the output confirms that an additional configuration archive (named R1-config-3) has been created on the FTP server because of the write-memory command we issued in config-archive configuration mode.

Example 2-8 Confirming Automated Backups

R1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Writing R1-config-3 !
R1#show archive
The maximum archive configurations allowed is 10.
The next archive file will be named ftp://192.168.1.74/R1-config-4
 Archive #  Name
   1        ftp://192.168.1.74/R1-config-1
   2        ftp://192.168.1.74/R1-config-2
   3        ftp://192.168.1.74/R1-config-3 <- Most Recent
   4
   5
   6
   7
   8
   9
   10

The output of show archive indicates that the maximum configurations allowed is ten. This is not entirely true. Because the path is pointing to an FTP server, we are limited only by the amount of storage space on the server. Therefore, the router will continue to create an archive of the running configuration at its scheduled interval. If the archive list on the router fills up (maximum ten), the output of show archive will erase the entry for Archive 1, move all entries up the list one spot, and add the new entry to Archive 10, as shown in Example 2-9. Note that this does not delete anything from the FTP server. Only the entry in show archive is removed to make space in the list.

Example 2-9 Confirming Archive Configuration

R1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Writing R1-config-3 !
R1#show archive
The maximum archive configurations allowed is 10.
The next archive file will be named ftp://192.168.1.74/R1-config-4
 Archive #  Name
   1        ftp://192.168.1.74/R1-config-7
   2        ftp://192.168.1.74/R1-config-8
   3        ftp://192.168.1.74/R1-config-9
   4        ftp://192.168.1.74/R1-config-10
   5        ftp://192.168.1.74/R1-config-11
   6        ftp://192.168.1.74/R1-config-12
   7        ftp://192.168.1.74/R1-config-13
   8        ftp://192.168.1.74/R1-config-14
   9        ftp://192.168.1.74/R1-config-15
   10       ftp://192.168.1.74/R1-config-16 <- Most Recent

However, if you are storing the archive locally in flash, as an example, the older files will be deleted to make space, in addition to moving the entries listed in the show archive command output. You can change the maximum number of archives with the maximum command in config-archive configuration mode.

Restoring a configuration backup requires copying the configuration file from its storage location to the running configuration on the router or switch. The Cisco IOS copy command treats this as a merge operation instead of a copy and replace operation. This means that copying anything into the running configuration from any source might not produce the result we desire. We can witness this with the password recovery process on a Cisco router. During this process, after you have loaded the router to factory defaults, you copy the startup configuration into the running configuration, which produces a merge. This merge is easily witnessed with the interfaces. Interfaces that were enabled do not have a no shutdown command in the startup configuration, and the factory default setting of a router interface is shutdown and includes a shutdown command. This is illustrated in Example 2-10. Once the startup configuration is copied to (merged with) the running configuration, the shutdown command prevails in the running configuration because there is not a no shutdown in the startup configuration that will overwrite that, as shown in Example 2-11. To fix this, after you have copied the startup configuration to the running configuration, you have to issue the no shutdown command on all interfaces you want enabled.

Example 2-10 Comparing the Running Configuration and Startup Configuration Before Issuing the copy Command

R1#show run
...OUTPUT OMITTED...
interface FastEthernet0/0
 no ip address
 shutdown
...OUTPUT OMITTED...
R1#show start
...OUTPUT OMITTED...
interface FastEthernet0/0
 ip address 192.168.1.11 255.255.255.0
...OUTPUT OMITTED...
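The merge-versus-replace distinction above (copy merges into the running configuration and never removes what the source lacks; configure replace makes the running configuration equal to the archive) is easy to get wrong when automating backups and restores, and it is also why the "compare current and backup copies" check from Chapter 1 needs a section-aware comparison rather than a plain text diff. The following model is an added example, not Cisco's implementation and not code from the book: it applies commands the way the text describes (a "no" form removes a command, single-value commands such as hostname and ip address replace their previous value, everything else is added once) and then shows the interface case from Examples 2-10 and 2-11. The two sample configurations are constructed; the SINGLE_VALUE list is a simplifying assumption covering only the keywords the example uses.

```python
"""Model of 'copy startup-config running-config' (merge) versus
'configure replace' (replace), with a section-aware backup comparison.

Added example; not Cisco IOS code. Sample configurations are constructed
from the interface case in Examples 2-10 and 2-11.
"""

# Running configuration after the router was loaded to factory defaults.
FACTORY_RUNNING = """\
hostname Router
!
interface FastEthernet0/0
 no ip address
 shutdown
"""

# Startup configuration (the saved, intended state); note the absence of
# an explicit 'no shutdown' on the interface.
STARTUP = """\
hostname R1
!
interface FastEthernet0/0
 ip address 192.168.1.11 255.255.255.0
"""

# Assumption: commands whose keyword may hold only one value, so a new value
# replaces the old one instead of being added beside it.
SINGLE_VALUE = ("hostname", "ip address", "description")


def _keyword(cmd):
    """Return the single-value keyword a command belongs to, or None."""
    for kw in SINGLE_VALUE:
        if cmd == kw or cmd.startswith(kw + " "):
            return kw
    return None


def apply_command(commands, cmd):
    """Apply one command to a command list in place, IOS-style.

    'no X' removes X (for a single-value keyword, any value of it); a
    single-value keyword replaces its previous value; anything else is
    added once. Nothing is ever removed just because the source lacks it.
    """
    if cmd.startswith("no "):
        target = cmd[3:]
        kw = _keyword(target)
        commands[:] = [c for c in commands
                       if not (c == target or (kw is not None and _keyword(c) == kw))]
        return
    kw = _keyword(cmd)
    if kw is not None:
        commands[:] = [c for c in commands if _keyword(c) != kw]
    if cmd not in commands:
        commands.append(cmd)


def parse_config(text):
    """Turn IOS-style text into {section: [commands]}; '' is the global section.

    A top-level line followed by indented lines opens a section (for example
    'interface FastEthernet0/0'); other top-level lines are global commands.
    """
    lines = [l.rstrip() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("!")]
    sections = {"": []}
    current = ""
    for i, line in enumerate(lines):
        if line.startswith(" "):
            apply_command(sections[current], line.strip())
        elif i + 1 < len(lines) and lines[i + 1].startswith(" "):
            current = line
            sections.setdefault(current, [])
        else:
            current = ""
            apply_command(sections[""], line)
    return sections


def merge(running, source):
    """copy <source> running-config: source commands are applied on top."""
    result = {sec: list(cmds) for sec, cmds in running.items()}
    for sec, cmds in source.items():
        bucket = result.setdefault(sec, [])
        for cmd in cmds:
            apply_command(bucket, cmd)
    return result


def replace(running, source):
    """configure replace <source>: the running configuration becomes source."""
    return {sec: list(cmds) for sec, cmds in source.items()}


def diff(a, b):
    """List commands present in one configuration and missing from the other.

    This is the check the 'automate documentation' suggestion calls for:
    a non-empty result means the backup no longer matches the device.
    """
    lines = []
    for sec in sorted(set(a) | set(b)):
        label = sec or "global"
        for cmd in a.get(sec, []):
            if cmd not in b.get(sec, []):
                lines.append(f"- [{label}] {cmd}")
        for cmd in b.get(sec, []):
            if cmd not in a.get(sec, []):
                lines.append(f"+ [{label}] {cmd}")
    return lines


if __name__ == "__main__":
    running, startup = parse_config(FACTORY_RUNNING), parse_config(STARTUP)
    merged = merge(running, startup)
    print("after copy start run:", merged["interface FastEthernet0/0"])
    print("after configure replace:", replace(running, startup)["interface FastEthernet0/0"])
    print("backup vs merged device:", diff(merged, startup))
```

After the merge the interface carries both the restored address and the factory shutdown, exactly what Example 2-11 shows on the router, and diff() reports that surviving shutdown as the one command by which the device differs from its backup; the replace path yields the backup's interface section unchanged.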

. we are usually not staring at the console output or even connected to the console port.255. Enter Y if you are sure you want to proceed.. interface FastEthernet0/0 ip address 192.OUTPUT OMITTED. as indicated by the statement “Total number of passes: 1. R1# On the bright side. Notice how the IOS warns you that this is a copy replace function that completely overwrites the current configuration. there was only one small difference between the running configuration and the archive.OUTPUT OMITTED. which is assumed to be a complete configuration.. Chapter 2: Troubleshooting and Maintenance Tools 53 Example 2-11 Witnessing a Configuration Merge R1#copy start run Destination filename [running-config]? 1881 bytes copied in 1.1. you can restore a previously archived configuration using the Key configure replace command. but rather completely replaces the running configuration with the archived configuration. this does not merge the Topic archived configuration with the running configuration.255. In most cases. once in production. Example 2-12 shows the restora- tion of an archived configuration to a router.. a message is written to the console. Example 2-12 Restoring an Archived Configuration Router#configure replace ftp://192. However.168. For exam- ple.3113/4096 bytes] Total number of passes: 1 Rollback Done R1# Logging Tools Device logs offer valuable information when troubleshooting a network issue. we would connect to the device when needed using Telnet or Secure Shell (SSH).. not a partial configuration. Unlike the copy command..1.74/R1-config-3 This will apply all necessary additions and deletions to replace the current running configuration with the contents of the specified configuration file.168. if a router interface goes down or up... and these logging messages are not displayed via Telnet or From the Library of Outcast Outcast .444 secs (1303 bytes/sec) R1#show run . Many events that occur on a router are automatically reported to the router’s console. 
In this case. ? [no]: Y Loading R1-config-3 ! [OK .” It was the hostname.11 255.0 shutdown .

A downside of solely relying on console messages is that those messages can scroll off the screen, or you might close your terminal emulator, after which those messages would no longer be visible because the session is reset. Therefore, a step beyond logging messages to the console is logging messages to a router's buffer (the router's RAM). To cause messages to be written to a router's buffer, you can issue the logging buffered command. As part of that command, you can specify how much of the router's RAM can be dedicated to logging. After the buffer fills to capacity, older entries will be deleted to make room for newer entries. You can view the logging messages in the buffer by issuing the show logging command. If you need to clear the logging messages in the buffer, issue the clear logging command in privileged EXEC mode.

Logging severity levels range from 0 to 7, with corresponding names, as shown in Table 2-2. Notice that lower severity levels are more severe than those with higher levels.

Table 2-2 Severity Levels
Severity Level   Name
0                Emergencies
1                Alerts
2                Critical
3                Errors
4                Warnings
5                Notifications
6                Informational
7                Debugging

You might want to log messages of one severity level to a router's console and messages of another severity level to the router's buffer. This is possible by using the logging console severity_level and logging buffered severity_level commands. For example, if you want to log level 6 and lower to the console and level 7 and lower to the buffer, you enter logging console 6 and logging buffered 7 in global configuration mode. You can also specify the severity level by name instead of number. By default, the console, vty lines, and buffer will log all messages with a severity level of 7 and lower. However, debugs are logged only when they are turned on with debug commands. If you are connected to a router through Telnet or SSH and want to see console messages, you have to enter the command terminal monitor in privileged EXEC mode.

Another logging option is to log messages to an external syslog server. By sending log messages to an external server, you can keep a longer history of logging messages, and an attacker who gains control of the device cannot simply erase them with clear logging. Depending on the syslog server software, you might be able to schedule automated log archiving, configure advanced script actions, create advanced alerts, and produce statistical graphs. You can direct your router's log output to a syslog server's IP address using the logging ip_address command, and you can specify the severity level that will be sent to the syslog server by using the logging trap severity_level command. Note that syslog messages are sent unauthenticated and unencrypted over UDP port 514 by default, so the syslog server belongs on a trusted management network.

Example 2-13 illustrates several of the logging configurations discussed here. In Example 2-13, the router is configured to log messages with a severity of 6 or lower to a syslog server with an IP address of 192.168.1.50. In addition, events with a severity level of warning (that is, 4) or less (that is, 0 to 4) are logged to the router's buffer. The router can use a maximum of 4096 bytes of RAM for the buffered logging. This buffer can be viewed with the show logging command. The console is configured for logging events of the same severity level.

Example 2-13 Logging Configuration
R1#show run
Building configuration...
...OUTPUT OMITTED...
!
logging buffered 4096 warnings
logging console warnings
!
logging 192.168.1.50
logging trap 6
...OUTPUT OMITTED...

Figure 2-2 shows logging messages being collected by a Kiwi Syslog Server (available from http://www.kiwisyslog.com).

Figure 2-2 Syslog Server

Network Time Protocol as a Tool

Picture this scenario. You have just been assigned a trouble ticket. Users are complaining that the network is slow at 5:30 p.m. The problem ticket indicates that this happens every day. You are browsing the logs to see whether anything abnormal is occurring on the network at that time. However, your search will be worthwhile only if the logs have time stamps. In addition, time stamps are useless if they are not accurate. For example, there may be a log entry for 2:25 p.m. that reports high network utilization. Is that really 2:25 p.m., or is it 5:30 p.m.? Time-stamp accuracy is paramount when it comes to troubleshooting. Therefore, you need to make sure the clocks are set correctly on all the devices. If they are not, you will not be able to correlate the log entries to the problem the users are reporting.

You might have heard the saying that a man with one watch always knows what time it is, whereas a man with two watches is never quite sure. Although you could individually set the clock on each of your devices, those clocks might drift over time and not agree, causing variations in the log entries. This implies that devices need to have a common point of reference for their time. Such a reference point is made possible by Network Time Protocol (NTP), which allows network devices to point to a device acting as an NTP server (a time source). However, this must be a reliable time source. Stratum 1 time sources are the most reliable and accurate. For example, the U.S. Naval Observatory in Washington, D.C., is a stratum 1 time source. Because anyone who can skew a device's clock can make its logs impossible to correlate, the NTP source itself must be trusted, and NTP authentication should be used where the platform supports it.

Example 2-14 shows an NTP configuration entered on a router located in the eastern time zone, which is 5 hours behind Greenwich mean time (GMT) when daylight savings time is not in effect. Each device has its own time zone configuration, which indicates how many hours its time zone differs from GMT, because the NTP server might be referenced by devices in different time zones. The clock summer-time command defines when daylight savings time begins and ends. In this example, daylight savings time begins at 2:00 a.m. on the second Sunday in March and ends at 2:00 a.m. on the first Sunday in November. The ntp server command is used to point to an NTP server. Note that a configuration can have more than one ntp server command, for redundancy. In such cases, NTP will decide based on its protocol which is the most reliable, or you can manually specify which is most reliable by adding the prefer option to the ntp server command.

Example 2-14 Configuring a Router to Point to an NTP Server
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#clock timezone EST -5
R1(config)#clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
R1(config)#ntp server 192.168.1.150
R1(config)#ntp server 192.168.1.151 prefer
R1(config)#end
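The two preceding sections describe what a syslog server receives from a router: messages carrying a severity from Table 2-2, filtered by logging trap, and time stamps whose meaning depends on the device's clock timezone and clock summer-time settings. The following script is an added example, not code from the book or from Cisco. It parses IOS-style log lines, keeps the ones a given logging trap level would have sent, converts each time stamp to UTC using the zone and summer-time rule from Example 2-14, and flags two clock problems a troubleshooter should notice: a leading asterisk (IOS prints it when the clock is not authoritative) and a zone abbreviation that the device's own summer-time rule would not produce at that date (typically a device missing its clock summer-time line). The sample lines are constructed; the year is passed in because IOS time stamps do not carry one.

```python
"""Parse Cisco IOS syslog lines, filter by severity as 'logging trap N' does, and
normalize time stamps to UTC from the device's time-zone and summer-time settings.
Added example; the sample lines below are constructed, not captured."""
import re
from datetime import date, datetime, time, timedelta, timezone

# Table 2-2 severity levels (0 is the most severe).
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Zone settings mirroring Example 2-14:
#   clock timezone EST -5
#   clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
# rule = ((start month, nth Sunday), (end month, nth Sunday), switch hour). Sunday is assumed.
EASTERN = {"std": ("EST", -5), "dst": ("EDT", -4), "rule": ((3, 2), (11, 1), 2)}

# 'service timestamps log datetime msec show-timezone' prefix, e.g. "Mar 10 14:25:00.123 EDT: ".
# IOS prefixes the stamp with '*' when its clock is not authoritative (not NTP synchronized).
TS_RE = re.compile(r"^(?P<flag>[*.])?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
                   r"(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?)\s+(?P<tz>[A-Z]{2,5}):\s+")
# The %FACILITY-SEVERITY-MNEMONIC header that every IOS log message carries.
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")


def nth_sunday(year, month, n):
    first = date(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))


def dst_in_effect(zone, local):
    """Apply the 'summer-time recurring' rule to a naive local wall-clock time."""
    if not zone["dst"]:
        return False
    (sm, sn), (em, en), hour = zone["rule"]
    start = datetime.combine(nth_sunday(local.year, sm, sn), time(hour))
    end = datetime.combine(nth_sunday(local.year, em, en), time(hour))
    return start <= local < end  # the repeated 1:00-2:00 hour on fall-back day counts as standard time


def parse_line(line, zone, year):
    """Return a dict for one IOS log line, or None if it has no %FAC-SEV-MNEMONIC header."""
    ts = TS_RE.match(line)
    msg = MSG_RE.search(line[ts.end():] if ts else line)
    if not msg:
        return None
    sev = int(msg["severity"])
    entry = {"facility": msg["facility"], "severity": sev, "name": SEVERITY_NAMES[sev],
             "mnemonic": msg["mnemonic"], "text": msg["text"].strip(),
             "utc": None, "authoritative": True, "zone_mismatch": False}
    if ts:
        fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts["time"] else "%Y %b %d %H:%M:%S"
        local = datetime.strptime(f"{year} {ts['mon']} {ts['day']} {ts['time']}", fmt)
        known = {zone["std"][0]: zone["std"][1]}
        if zone["dst"]:
            known[zone["dst"][0]] = zone["dst"][1]
        expected = zone["dst"][0] if dst_in_effect(zone, local) else zone["std"][0]
        # Trust the abbreviation the device printed if the zone defines it, else fall back to the rule.
        offset = known.get(ts["tz"], known[expected])
        entry["utc"] = (local - timedelta(hours=offset)).replace(tzinfo=timezone.utc)
        entry["authoritative"] = ts["flag"] is None
        entry["zone_mismatch"] = ts["tz"] != expected
    return entry


def parse_lines(lines, zone, year):
    return [e for e in (parse_line(l, zone, year) for l in lines) if e]


def at_or_below(entries, level):
    """Entries a 'logging trap <level>' (or console/buffered) setting would emit: severity <= level."""
    if isinstance(level, str):
        level = {v: k for k, v in SEVERITY_NAMES.items()}[level.lower()]
    return [e for e in entries if e["severity"] <= level]


# Constructed sample lines (not taken from the book's examples).
SAMPLE_LINES = [
    "Mar 10 14:25:00.123 EDT: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "Mar 10 14:25:01.001 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    "Jul  4 12:00:00.000 EST: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.50 port 514 started - CLI initiated",
    "*Mar  1 00:00:05.000 UTC: %HA_EM-6-LOG: COUNTER-RESET: Please update network documentation to record why the counters were reset.",
    "Mar 10 14:26:00.000 EDT: %SEC-6-IPACCESSLOGS: list 10 denied 10.8.8.9 1 packet",
    "%SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.50)",
]

if __name__ == "__main__":
    for e in at_or_below(parse_lines(SAMPLE_LINES, EASTERN, 2024), "notifications"):
        flags = ("" if e["authoritative"] else " CLOCK-NOT-AUTHORITATIVE") + (" ZONE-MISMATCH" if e["zone_mismatch"] else "")
        print(e["utc"], e["severity"], e["facility"], e["mnemonic"], e["text"], flags)
```

Run it as is to see the three messages that logging trap notifications would have forwarded, printed in UTC. The third sample line, stamped EST on a July date, is the signature of a device whose clock summer-time line is missing: its wall clock is an hour off from the rest of the network, which is exactly the kind of skew that makes the 2:25 p.m. versus 5:30 p.m. question above unanswerable.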

NTP uses a hierarchy of time servers based on stratum levels from 1 to 15. Stratum 1 is the most reliable. Because it is based on a hierarchy, you may not want all of your devices pointing to the stratum 1 time source that is connected to the Internet. Instead, you could set up a device or two in your organization to receive their time from the stratum 1 source (making them a stratum 2 source) and then configure the other devices in your organization to receive their time from these local devices (making them a stratum 3).

Advanced Tools

Keeping an eye on network traffic patterns and performance metrics can help you anticipate problems before they occur. You can then take the necessary measures to address them proactively before they become a major issue. This is in contrast to taking a reactive stance where you continually respond to problem reports as they occur. The saying "If it ain't broke, don't fix it" does not apply in a proactive network maintenance environment. Your stance in this type of environment should be "If it appears that it will break, fix it." To be proactive, you need more than just basic show and debug commands. You need advanced tools to proactively monitor the health of your devices and the health of your network traffic, such as SNMP, NetFlow, and EEM.

Reasons to monitor network traffic include the following:

■ Ensuring compliance with an SLA: If you work for a service provider or are a customer of a service provider, you might want to confirm that performance levels to and from the service provider's cloud are conforming to the agreed-upon service level agreement (SLA).

■ Trend monitoring: Monitoring resource utilization on your network (for example, bandwidth utilization and router CPU utilization) can help you recognize trends and forecast when upgrades will be required or if users are abusing the network resources.

■ Troubleshooting performance issues: Performance issues can be difficult to troubleshoot in the absence of a baseline. By routinely monitoring network performance, you have a reference point (that is, a baseline) against which you can compare performance metrics collected after a user reports a performance issue.

Overview of SNMP and NetFlow

Simple Network Management Protocol (SNMP) allows a monitored device (for example, a router or a switch) to run an SNMP agent that collects data such as utilization statistics for processors and memory. An SNMP server can then query the SNMP agent to retrieve those statistics to determine the overall health of that device.

Cisco IOS NetFlow can provide you with tremendous insight into your network traffic patterns. Several companies market NetFlow collectors, which are software applications that can take the NetFlow information reported from a Cisco device and convert that raw data into useful graphs, charts, and tables reflecting traffic patterns.

Creating a Baseline with SNMP and NetFlow

SNMP and NetFlow are two technologies available on most Cisco IOS platforms that can automate the collection of statistics, for example, to establish a baseline that can be used in a troubleshooting scenario or in proactive network management and maintenance. Although both SNMP and NetFlow are useful for statistical data collection, they target different fundamental functions. Specifically, SNMP is primarily focused on device statistics (the health of a device), whereas NetFlow is primarily focused on traffic statistics (the health of network traffic). Table 2-3 contrasts these two technologies.

Table 2-3 Comparing SNMP and NetFlow
Technology   Characteristics
SNMP         Collects device statistics (for example, platform resource utilization, traffic counts, and error counts)
             Uses a pull model (that is, statistics pulled from a monitored device by a network management station [NMS])
             Available on nearly all enterprise network devices
NetFlow      Collects detailed information about traffic flows
             Uses a push model (that is, statistics pushed from the monitored device to a NetFlow collector)
             Available on routers and high-end switches

SNMP

A device being managed by SNMP runs a process called an SNMP agent, which collects statistics about the device and stores those statistics in a Management Information Base (MIB). A network management system (NMS) can then query the agent for information in the MIB, using the SNMP protocol. These statistics can then be used to build and compare against a baseline. Figure 2-3 shows a topology using SNMP. In the topology, router R1 is running an SNMP agent that the NMS server can query.

Before SNMPv3, the most popular SNMP version was SNMPv2c, which used community strings for authentication. For example, for an NMS to be allowed to read data from a device running an SNMP agent, the NMS must be configured with a community string that matches the managed device's read-only community string. For the NMS to change the information on the managed device, the NMS must be configured with a community string that matches the managed device's read-write community string. In addition, you can create an access list that determines valid IP addresses or network addresses for NMS servers that are allowed to manage or collect information from the MIB of the device. Because an SNMPv2c community string travels in clear text in every message, that access list is the only thing standing between a sniffed read-write string and a configuration change on the device. To enhance the security available with SNMPv2c, SNMP Version 3 (SNMPv3) supports encryption and hashed authentication of SNMP messages. Today, many SNMP deployments are still using version 2c because of its simplicity.
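To make the SNMPv2c weakness above concrete, here is an added example (not code from the book or from any SNMP library) that decodes the outer structure of an SNMPv1/v2c message with a minimal BER reader: version, community string, PDU type, request ID and the OIDs in the variable bindings. The two packets it decodes are constructed in the script itself, using the CISCO (read-only) and PRESS (read-write) community strings from the example that follows; the request IDs and OIDs (sysDescr.0 and sysName.0) are just illustrative choices. The same header walk applies to the SNMPv2c traps discussed later in this section, which use the 0xA7 PDU tag and the same request-id/error-status/error-index/varbind layout.

```python
"""Minimal BER decoder for the SNMPv1/v2c message header, showing that the
community string and PDU type are readable by anyone who sees the datagram.
Added example; the packets below are constructed, not captured."""

VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response", 0xA3: "SetRequest",
             0xA4: "Trap", 0xA5: "GetBulkRequest", 0xA6: "InformRequest", 0xA7: "SNMPv2-Trap",
             0xA8: "Report"}


def _tlv_read(buf, pos=0):
    """Read one BER TLV: return (tag, value bytes, position after it). Handles short and long lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid_decode(value):
    parts, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                     # base-128 sub-identifiers, high bit = continuation
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(cur)
            cur = 0
    return ".".join(map(str, parts))


def decode_snmp(packet):
    tag, body, _ = _tlv_read(packet)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing: not an SNMP message")
    tag, raw, pos = _tlv_read(body)
    version = int.from_bytes(raw, "big", signed=True)
    info = {"version": VERSIONS.get(version, f"unknown({version})"), "community": None,
            "pdu_type": None, "request_id": None, "oids": []}
    if version == 3:
        return info                         # v3 carries msgGlobalData and security parameters here, no community
    tag, community, pos = _tlv_read(body, pos)
    info["community"] = community.decode("ascii", "replace")   # the v1/v2c credential, in the clear
    tag, pdu, _ = _tlv_read(body, pos)
    info["pdu_type"] = PDU_TYPES.get(tag, f"0x{tag:02x}")
    if tag == 0xA4:
        return info                         # SNMPv1 Trap-PDU has a different layout; not decoded here
    _, rid, p = _tlv_read(pdu)
    info["request_id"] = int.from_bytes(rid, "big", signed=True)
    _, _, p = _tlv_read(pdu, p)             # error-status (non-repeaters for GetBulk)
    _, _, p = _tlv_read(pdu, p)             # error-index (max-repetitions for GetBulk)
    _, varbinds, _ = _tlv_read(pdu, p)
    vp = 0
    while vp < len(varbinds):
        _, vb, vp = _tlv_read(varbinds, vp)
        _, oid, _ = _tlv_read(vb)           # each VarBind is SEQUENCE { OID, value }
        info["oids"].append(_oid_decode(oid))
    return info


def exposes_write_credential(info):
    """True when a v1/v2c SetRequest was seen: the sniffed community string can change the device."""
    return info["version"] in ("v1", "v2c") and info["pdu_type"] == "SetRequest"


# --- encoder, used only to construct the sample packets -------------------------------------
def _tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _int(v):
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * a[0] + a[1]])
    for sub in a[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def build_message(version, community, pdu_tag, request_id, oid, value=None):
    varbind = _tlv(0x30, _oid(oid) + (value if value is not None else _tlv(0x05, b"")))
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode("ascii")) + pdu)


# Constructed samples: a read of sysDescr.0 with the ro string, a write of sysName.0 with the rw string.
SAMPLE_GET = build_message(1, "CISCO", 0xA0, 4660, "1.3.6.1.2.1.1.1.0")
SAMPLE_SET = build_message(1, "PRESS", 0xA3, 4661, "1.3.6.1.2.1.1.5.0", _tlv(0x04, b"R1-renamed"))

if __name__ == "__main__":
    for pkt in (SAMPLE_GET, SAMPLE_SET):
        info = decode_snmp(pkt)
        print(info, "WRITE CREDENTIAL EXPOSED" if exposes_write_credential(info) else "")
```

Feeding the decoder a real capture of UDP/161 traffic (for example, the payload of each packet Wireshark shows as SNMP) yields the same fields; if any packet decodes to a SetRequest with version v1 or v2c, the read-write community string has already crossed the wire in clear text.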

Figure 2-3 SNMP Sample Topology (SW1, R1, NMS; R1 is the managed device running an SNMP agent)

Example 2-15 illustrates the SNMPv2c configuration on router R1. The snmp-server community string [ro | rw] [access_list_number] commands specify a read-only (that is, ro) community string of CISCO and a read-write (that is, rw) community string of PRESS. Only NMSs permitted in access lists 10 and 11 will be able to read, or read and write, respectively, this device using SNMP. Contact and location information for the device is also specified. Finally, notice the snmp-server ifindex persist command. This command ensures that the SNMP interface index stays consistent during data collection, even if the device is rebooted. This consistency is important when data is being collected for baselining purposes.

Example 2-15 SNMP Sample Configuration
R1#configure terminal
R1(config)#snmp-server community CISCO ro 10
R1(config)#snmp-server community PRESS rw 11
R1(config)#snmp-server contact demo@ciscopress.local
R1(config)#snmp-server location 3rd Floor of Lacoste Building
R1(config)#snmp-server ifindex persist

NetFlow

NetFlow can distinguish between different traffic flows. A flow is a series of packets, all of which have shared header information such as source and destination IP addresses, protocol numbers, port numbers, and type of service (ToS) field information, and all of which enter the same interface on the device. NetFlow can keep track of the number of packets and bytes observed in each flow. This information is stored in a flow cache. Flow information is removed from a flow cache if the flow is terminated, times out, or the cache fills to capacity.

You can use the NetFlow feature as a standalone feature on an individual router. Such a standalone configuration might prove useful for troubleshooting because you can observe flows being created as packets enter a router. However, rather than using just a standalone implementation of NetFlow, you can export the entries in a router's flow cache to a NetFlow collector, which is a software application running on a computer or server in your network. After the NetFlow collector has received flow information over a period of time, analysis software running on the NetFlow collector can produce reports detailing traffic statistics.

Figure 2-4 shows a sample topology in which NetFlow is enabled on router R4, and a NetFlow collector is configured on a PC at IP address 192.168.1.50.

Figure 2-4 NetFlow Sample Topology (IP Phone 10.8.8.6 and SW2 behind Fa 0/1 of R4; Cisco Unified Communications Manager Server 192.168.1.228, Web Server, SW1 and the NetFlow Collector 192.168.1.50 behind Fa 0/0; R4 is the NetFlow-enabled router)

Example 2-16 illustrates the NetFlow configuration on router R4. Notice that the ip flow ingress command is issued for both the Fast Ethernet 0/0 and Fast Ethernet 0/1 interfaces. This ensures that all flows passing through the router, regardless of direction, can be monitored. Although not required, the ip flow-export source lo 0 command indicates that all communication between router R4 and the NetFlow collector will be sourced from interface Loopback 0, which gives the collector one stable exporter address to expect. A NetFlow version of 5 was specified. You should check the documentation for your NetFlow collector software to confirm which version to configure. Finally, the ip flow-export destination 192.168.1.50 5000 command is issued to specify that the NetFlow collector's IP address is 192.168.1.50, and communication to the NetFlow collector should be done over UDP port 5000. Because NetFlow does not have a standardized port number, check your NetFlow collector's documentation when selecting a port.

Example 2-16 NetFlow Sample Configuration
R4#configure terminal
R4(config)#int fa 0/0
R4(config-if)#ip flow ingress
R4(config-if)#exit
R4(config)#int fa 0/1
R4(config-if)#ip flow ingress

R4(config-if)#exit
R4(config)#ip flow-export source lo 0
R4(config)#ip flow-export version 5
R4(config)#ip flow-export destination 192.168.1.50 5000
R4(config)#end

Using your favorite search engine, search for images of "NetFlow collector" (without the quotes) to see various sample images of what a NetFlow collector can provide you. Although an external NetFlow collector is valuable for longer-term flow analysis and can provide detailed graphs and charts, you can issue the show ip cache flow command at a router's CLI prompt to produce a summary of flow information, as shown in Example 2-17. A troubleshooter can look at the output displayed in Example 2-17 and be able to confirm, for example, that traffic is flowing between IP address 10.8.8.6 (a Cisco IP Phone) and 192.168.1.228 (a Cisco Unified Communications Manager server); protocol 06 is TCP, and destination port 07D0 (2000 decimal) is the Skinny Client Control Protocol the phone uses to register with the call manager.

Example 2-17 Viewing NetFlow Information
R4#show ip cache flow
...OUTPUT OMITTED...
Protocol         Total Flows   (Flows/Sec, Packets/Flow, Bytes/Pkt, Packets/Sec, Active and Idle columns omitted)
--------         -----------
TCP-Telnet                12
TCP-WWW                   12
TCP-other                536
UDP-TFTP                 225
UDP-other                122
ICMP                      41
IP-other                   1
Total:                   949

SrcIf   SrcIPaddress    DstIf   DstIPaddress    Pr SrcP DstP  Pkts
...OUTPUT OMITTED...
Fa0/1   10.8.8.6        Fa0/0   192.168.1.228   06 C2DB 07D0     2
Fa0/0   192.168.1.228   Fa0/1   10.8.8.6        06 07D0 C2DB     1
...OUTPUT OMITTED...

Providing Notifications for Network Events

Whereas responding to problem reports from users is a reactive form of troubleshooting, monitoring network devices for significant events and responding to those events is a proactive form of troubleshooting.
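What actually arrives at 192.168.1.50 on UDP port 5000 under the configuration in Example 2-16 is a stream of NetFlow version 5 datagrams: a 24-byte header followed by up to 30 fixed 48-byte flow records. The following script is an added example, not code from the book or from Cisco. It decodes such a datagram, validates it, summarizes the records per protocol the way the first table of show ip cache flow does, and checks the flow_sequence counter between consecutive datagrams, which is how a collector notices that export datagrams were lost in transit. The datagram it decodes is constructed in the script from flows modelled on Example 2-17 (the phone-to-call-manager pair and a constructed EIGRP hello flow); the byte counts, interface indexes and time stamps are illustrative. Because v5 export is unauthenticated UDP, the usage note explains why a collector should also filter on the exporter's source address.

```python
"""Decode a NetFlow version 5 export datagram and summarize it per protocol,
roughly as 'show ip cache flow' does on the router.
Added example; the datagram below is constructed, not captured."""
import socket
import struct
from collections import defaultdict

HEADER = struct.Struct(">HHIIIIBBH")                 # version, count, sysUptime, unix_secs, unix_nsecs,
                                                     # flow_sequence, engine_type, engine_id, sampling (24 bytes)
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")   # srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
                                                     # first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
                                                     # src_as, dst_as, src_mask, dst_mask, pad2 (48 bytes)
MAX_RECORDS = 30
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 88: "EIGRP"}


def parse_v5(datagram):
    """Return (header dict, list of record dicts); raise ValueError on anything malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field {version})")
    if count > MAX_RECORDS or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_type": etype, "engine_id": eid,
              "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        (src, dst, nxt, inp, outp, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, sas, das, smask, dmask, _pad2) = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "next_hop": socket.inet_ntoa(nxt),
                        "in_if": inp, "out_if": outp, "packets": pkts, "bytes": octets,
                        "duration_ms": last - first, "src_port": sport, "dst_port": dport,
                        "tcp_flags": flags, "proto": PROTO_NAMES.get(proto, str(proto)), "tos": tos,
                        "src_mask": smask, "dst_mask": dmask})
    return header, records


def summarize_by_protocol(records):
    """Per-protocol flow/packet/byte totals, like the top of 'show ip cache flow'."""
    summary = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for r in records:
        s = summary[r["proto"]]
        s["flows"] += 1
        s["packets"] += r["packets"]
        s["bytes"] += r["bytes"]
    return dict(summary)


def flow_sequence_gap(prev_sequence, prev_count, header):
    """flow_sequence counts flows exported so far: the next datagram should start at prev + count.
    A positive gap means that many flow records were lost between two datagrams."""
    return header["flow_sequence"] - (prev_sequence + prev_count)


# --- constructed sample datagram ---------------------------------------------------------------
def _record(src, dst, proto, sport, dport, pkts, octets, in_if, out_if, first, last, flags=0):
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                       in_if, out_if, pkts, octets, first, last, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)


SAMPLE_RECORDS = [
    _record("10.8.8.6", "192.168.1.228", 6, 0xC2DB, 2000, 2, 128, 2, 1, 100000, 100500, 0x18),   # phone -> CUCM (SCCP)
    _record("192.168.1.228", "10.8.8.6", 6, 2000, 0xC2DB, 1, 64, 1, 2, 100010, 100010, 0x18),     # CUCM -> phone
    _record("10.8.8.9", "224.0.0.10", 88, 0, 0, 62, 4588, 2, 0, 50000, 360000),                 # EIGRP hellos
]
SAMPLE_DATAGRAM = HEADER.pack(5, len(SAMPLE_RECORDS), 360000, 1710095100, 0, 1000, 0, 0, 0) + b"".join(SAMPLE_RECORDS)

if __name__ == "__main__":
    hdr, recs = parse_v5(SAMPLE_DATAGRAM)
    print(hdr)
    for r in recs:
        print(f"{r['src']:>15} -> {r['dst']:<15} {r['proto']:<5} {r['src_port']:>5} {r['dst_port']:>5} {r['packets']:>6} pkts")
    print(summarize_by_protocol(recs))
```

To turn this into a collector, bind a UDP socket to port 5000 and pass each received payload to parse_v5, but only after checking that the sender address is Loopback 0 of R4: nothing in v5 authenticates the exporter, so an unfiltered collector will happily ingest forged flow records. Note also that v5 records carry IPv4 addresses only; IPv6 flows require version 9 or IPFIX templates, which this parser does not handle.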

Both syslog and SNMP are protocols that can report the occurrence of specific events on a network device, and NetFlow can report events related to network traffic flows. Although these protocols by themselves lack a mechanism to alert a network administrator (for example, via e-mail) when a network event is logged, third-party software is available that can selectively alert appropriate personnel when specific events are logged. For example, a router that is dual-homed to the Internet might report the event of one of its Internet connections going down, and the NMS can then notify a network administrator via e-mail. The redundant link can then be repaired, in response to the notification, before a user loses connectivity with the Internet, thus resolving the problem without users being impacted.

Earlier, this section discussed how a network device running an SNMP agent can be queried for information from an NMS. However, a network device running an SNMP agent can also initiate communication with an NMS. If an interface goes down, for example, the SNMP agent on a managed network device can send a message containing information about the interface state change to an NMS. These messages, from the agent to the NMS, are called traps. Traps are not in an easily readable format, so the NMS has to interpret them; this is why the router is configured with the NMS address and the community string it must use when communicating with the NMS.

Example 2-18 demonstrates how to enable a router to send SNMP traps to an NMS. The snmp-server host 192.168.1.150 version 2c CISCOPRESS command points router R4 to an SNMP server (that is, an NMS) at IP address 192.168.1.150. The SNMP server is configured for SNMP version 2c and a community string of CISCOPRESS. The snmp-server enable traps command is used to enable all traps on the router. You can view the enabled traps by using the show run | include traps command. If you only need to enable specific traps, you may do so by adding the individual trap keyword to the snmp-server enable traps command (for example, snmp-server enable traps bgp).

Example 2-18 Enabling SNMP Traps
R4#configure terminal
R4(config)#snmp-server host 192.168.1.150 version 2c CISCOPRESS
R4(config)#snmp-server enable traps
R4(config)#end
R4#show run | include traps
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps gatekeeper
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps ds3
...OUTPUT OMITTED...

The messages received via syslog and SNMP are predefined within Cisco IOS. Although this is a rather large collection of predefined messages and should accommodate most network management requirements, Cisco IOS also supports a feature called Embedded Event Manager (EEM) that enables you to create your own event definitions and specify custom responses to those events. An event can be defined and triggered based on a syslog message, an SNMP trap, and even the issuing of a specific Cisco IOS command. In response to a defined event, EEM can perform various actions, including sending an SNMP trap to an NMS, writing a log message to a syslog server, sending an e-mail to an appropriate party, capturing the output of specific show commands, executing specified Cisco IOS commands, or executing a tool command language (Tcl) script, as just a few examples. From this short list, you can already see how powerful EEM can be.

To illustrate the basic configuration steps involved in configuring an EEM applet, consider Example 2-19. The purpose of this configuration is to create a syslog message that will be displayed on the router console when someone clears the router's interface counters using the clear counters command. The message reminds the administrator to update the network documentation and record the rationale for clearing the interface counters.

Example 2-19 EEM Sample Configuration
R4#configure terminal
R4(config)#event manager applet COUNTER-RESET
R4(config-applet)#event cli pattern "clear counters" sync no skip no occurs 1
R4(config-applet)#action A syslog priority informational msg "Please update network documentation to record why the counters were reset."
R4(config-applet)#end

The event manager applet COUNTER-RESET command creates an EEM applet named COUNTER-RESET and enters applet configuration mode. The event command specifies what you are looking for in your custom-defined event. In this example, you are looking for the CLI command clear counters. Note that the clear counters command would be detected even if a shortcut (for example, cle co) were used. The sync no parameter says that the EEM policy will run asynchronously with the CLI command; that is, the EEM policy will not be executed before the CLI command executes. The skip no parameter says that the CLI command will not be skipped (that is, the CLI command will be executed). Finally, the occurs 1 parameter indicates that the EEM event is triggered by a single occurrence of the clear counters command being issued. The action command is then entered to indicate what should be done in response to the defined event. In Example 2-19, the action is given a locally significant name of A and is assigned a syslog priority level of informational. The specific action to be taken is producing this informational message: Please update network documentation to record why the counters were reset. Because the same event cli pattern mechanism can watch any command, the same construction can be used to log or alert on security-relevant commands, such as configuration or logging changes, as they are typed.

To verify the operation of the EEM configuration presented in Example 2-19, the clear counters command is executed in Example 2-20. Notice that entering the clear counters command triggers the custom-defined event, resulting in the generation of a syslog message reminding an administrator to document the reason they cleared the interface counters.

Example 2-20 Testing EEM Configuration
R4#clear counters
Clear "show interface" counters on all interfaces [confirm]
R4#
%HA_EM-6-LOG: COUNTER-RESET: Please update network documentation to record why the counters were reset.
R4#

Cisco Support Tools

Cisco has several other configuration, troubleshooting, and maintenance tools available on its website: http://www.cisco.com/en/US/support/tsd_most_requested_tools.html. Some of the tools available at this website require login credentials with appropriate privilege levels.

Using Cisco IOS to Verify and Define the Problem

When you receive a trouble ticket, your first couple of tasks should be to verify and define the problem. Some relatively simple tasks can confirm the issue reported and in most cases help to focus your troubleshooting efforts. Three easy-to-use tools built in to the Cisco IOS can help you verify connectivity and further define the problem. They are ping, Telnet, and traceroute. This section discusses how ping, Telnet, and traceroute can verify the problem and help focus our efforts.

Ping

A common command, which you can use to check network connectivity, is the ping command. A basic ping command sends Internet Control Message Protocol (ICMP) echo messages to a specified destination, as shown in Example 2-21. For every ICMP echo reply received from that specified destination, an exclamation point appears in the output. If you recall from Chapter 1, a successful ping indicates that Layers 1, 2, and 3 of the OSI model are functioning, and so you can focus your attention on the higher OSI layers. The same holds true in reverse with an unsuccessful ping: if it is unsuccessful, you focus your troubleshooting on the lower layers of the OSI model.

Example 2-21 Basic ping Command
R1#ping 10.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
!!!!!

The ping command does have several options that can prove useful during troubleshooting, including the following:

■ size: Specifies the number of bytes per datagram (defaults to 100 bytes on Cisco IOS)

■ repeat: Specifies the number of ICMP echo messages sent (defaults to 5)

■ timeout: Specifies the number of seconds to wait for an ICMP echo reply (defaults to 2)

■ source: Specifies the source of the ICMP echo datagrams

■ df-bit: Sets the do not fragment bit in the ICMP echo datagram

Not only can a ping command indicate that a given IP address is reachable, but the response to a ping command might also provide insight into the nature of a problem. For example, if the ping results indicate alternating failures and successes (that is, !.!.!), a troubleshooter might conclude that traffic is being load balanced between the source and destination IP addresses. Traffic flowing across one path is successful, whereas traffic flowing over the other path is failing.

You can also use the ping command to create a load on the network to troubleshoot the network under heavy use, as shown in Example 2-22. For example, you can specify a datagram size of 1500 bytes, along with a large repeat value and a timeout of 0 seconds. Notice that all the pings failed. These failures occurred because of the 0-second timeout: the router did not wait before considering the ping to have failed and sending another ICMP echo message. Remember, in this case, we do not care that it failed; we are doing this for the artificial load generated for testing purposes. Because this is a deliberate flood, run it only during a maintenance window and only against infrastructure you are responsible for.

Example 2-22 Creating a Heavy Load on the Network
R1#ping 10.4.4.4 size 1500 repeat 9999 timeout 0
Type escape sequence to abort.
Sending 9999, 1500-byte ICMP Echos to 10.4.4.4, timeout is 0 seconds:
......................................................................
...OUTPUT OMITTED...

Perhaps you suspect that an interface has a nondefault maximum transmission unit (MTU) size, which is commonly seen with Q-in-Q tunnels, generic routing encapsulation (GRE) tunnels, and even Point-to-Point Protocol over Ethernet (PPPoE) interfaces. To verify your suspicion, you could send ICMP echo messages across that interface using the df-bit and size options of the ping command to specify the size of the datagram to be sent. The df-bit option instructs a router to drop this datagram rather than fragmenting it if fragmentation is required. Example 2-23 shows the sending of pings with the do not fragment bit set. Notice the M in the ping responses, which indicates that fragmentation was required but could not be performed because the do not fragment bit was set. Therefore, you can conclude that a link between the source and destination is using a nonstandard MTU (that is, an MTU less than 1500 bytes).

Example 2-23 Pinging with the Do Not Fragment Bit Set
R1#ping 10.4.4.4 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with the DF bit set
MMMMM

The challenge is how to determine the nondefault MTU size without multiple manual attempts. An extended ping can help with such a scenario. The extended ping feature enables you to granularly customize your pings. For example, you could specify a range of datagram sizes to use in your pings to help determine the size of a nondefault MTU. Consider Example 2-24, which issues the ping command without command-line parameters. This invokes the extended ping feature. Specifically, in Example 2-24 you could determine that the MTU across at least one of the links from the source to the destination IP address was set to 1450 bytes, because the M ping responses begin after 51 ICMP echo datagrams were sent (with datagram sizes in the range of 1400 to 1450 bytes).

Example 2-24 Extended Ping Performing a Ping Sweep
R1#ping
Protocol [ip]:
Target IP address: 10.4.4.4
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: yes
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]: y
Sweep min size [36]: 1400
Sweep max size [18024]: 1500
Sweep interval [1]:
Type escape sequence to abort.
Sending 101, [1400..1500]-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
Success rate is 50 percent (51/101), round-trip min/avg/max = 60/125/232 ms
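The sweep in Example 2-24 is a linear search: it sends one datagram per candidate size and the MTU is read off where the exclamation points turn into Ms. The same probe answers (a reply, an M, or a timeout) support a binary search that finds the path MTU with about a dozen datagrams instead of a hundred, and it can also flag the one failure mode the sweep cannot distinguish: a path that silently drops oversized DF datagrams instead of returning "fragmentation needed", which is the classic PMTUD black hole. The script below is an added example, not code from the book or from Cisco; its probe is simulated so that it runs offline. The simulated path with a 1450-byte MTU reproduces the result of Example 2-24.

```python
"""Path MTU discovery with the DF bit: the extended-ping sweep in Example 2-24 walks
every size; a binary search over the same probe needs about a dozen datagrams.
Added example; the probe is simulated, not sent on the wire."""
from dataclasses import dataclass
from typing import Callable, Optional

# A probe takes a full IP datagram size (as the IOS 'size' option does) and returns what
# the ping would print: "!" reply, "M" fragmentation needed and DF set, "." timeout.
Probe = Callable[[int], str]


@dataclass
class PmtuResult:
    mtu: Optional[int]          # largest size that came back "!"; None if even the smallest size failed
    probes: int                 # datagrams sent
    blackhole_suspected: bool   # some oversized probe timed out instead of returning "M"


def make_path(mtu, icmp_filtered=False):
    """Simulated path: datagrams up to `mtu` bytes pass; larger ones come back 'M', or are
    silently dropped ('.') when ICMP 'fragmentation needed' messages are filtered."""
    def probe(size):
        if size <= mtu:
            return "!"
        return "." if icmp_filtered else "M"
    return probe


def linear_sweep(probe, lo, hi):
    """What Example 2-24 does, stopping at the first failure instead of finishing the range."""
    sent = 0
    for size in range(lo, hi + 1):
        sent += 1
        r = probe(size)
        if r != "!":
            return PmtuResult(size - 1 if size > lo else None, sent, r == ".")
    return PmtuResult(hi, sent, False)


def find_path_mtu(probe, lo=576, hi=1500):
    """Binary search keeping `lo` as a size that worked and `hi` as one that failed."""
    r = probe(lo)
    sent = 1
    if r != "!":
        return PmtuResult(None, sent, r == ".")
    r = probe(hi)
    sent += 1
    if r == "!":
        return PmtuResult(hi, sent, False)      # the whole range fits; the path MTU is at least `hi`
    blackhole = r == "."
    while hi - lo > 1:
        mid = (lo + hi) // 2
        r = probe(mid)
        sent += 1
        if r == "!":
            lo = mid
        else:
            hi = mid
            blackhole = blackhole or r == "."
    return PmtuResult(lo, sent, blackhole)


if __name__ == "__main__":
    print("sweep 1400..1500 :", linear_sweep(make_path(1450), 1400, 1500))
    print("binary  576..1500:", find_path_mtu(make_path(1450)))
    print("filtered ICMP    :", find_path_mtu(make_path(1450, icmp_filtered=True)))
```

On a Linux host the probe can be replaced by a small wrapper around iputils ping, for example ping -M do -c 1 -s PAYLOAD HOST, where -M do sets the DF bit and -s gives the ICMP payload size, so PAYLOAD is the IOS-style datagram size minus the 28 bytes of IP and ICMP headers (this mapping is an assumption about how you would wire the real probe in, not something the script does). When blackhole_suspected is set, the reported MTU is the largest size that got through, but the path is also hiding its ICMP errors, which will break PMTUD for every host behind it, not just for your test.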

Telnet

As you just read, the ping command is useful for testing Layer 3 (that is, the network layer) connectivity. The telnet command is useful for troubleshooting Layer 4 (that is, the transport layer) and Layer 7 (that is, the application layer). By default, Telnet uses TCP port 23; however, you can specify an alternate port number to see whether a particular TCP Layer 4 service is running at a destination IP address. Such an approach might prove useful if you are using a divide-and-conquer approach, starting at Layer 3 (which was determined to be operational as a result of a successful ping), or a bottom-up approach (which has also confirmed Layer 3 to be operational). To illustrate, notice the telnet 192.168.1.50 80 command issued in Example 2-25. This command causes router R1 to attempt a TCP connection with 192.168.1.50 using port 80 (the HTTP port). The response of Open indicates that 192.168.1.50 is indeed running a service on port 80.

Example 2-25 Using Telnet to Test the Transport Layer (Success)
R1#telnet 192.168.1.50 80
Trying 192.168.1.50, 80 ... Open

Let's consider a situation where users indicate that they are unable to connect to the mail server at 192.168.1.51. The mail server uses SMTP port 25. Therefore, you could use telnet to test the transport layer. The result of using Telnet to test the transport layer shows that port 25 is not responding on the mail server, as shown in Example 2-26. At this point, you may want to start by checking whether the server is operational and verifying that no access control lists (ACLs) are denying connectivity to port 25. Note that a refused connection is an active TCP reset, so the host itself was reachable and simply has nothing listening (or a host firewall is rejecting the connection); a silent drop by an ACL or firewall normally shows up as a timeout instead, which helps you decide where to look first.

Example 2-26 Using Telnet to Test the Transport Layer (Failure)
R1#telnet 192.168.1.51 25
Trying 192.168.1.51, 25 ...
% Connection refused by remote host

Traceroute

The traceroute command provides two valuable pieces of information during the troubleshooting process. The first is verified connectivity, which is what the ping command provides us. If the trace completes successfully, we have verified Layer 3 connectivity. The second valuable piece of information is the path that the trace took through the network. This is something that the ping command does not provide. Therefore, if we issue the command ping 10.4.4.4 and it fails, we could then issue the traceroute 10.4.4.4 command to get an idea of where the ping is failing. Example 2-27 displays the output of a successful trace to the router that has the IP address 10.4.4.4.

4. 10.1.1. We then use traceroute to get a better picture of where this ping is failing so we can focus our attention around that part of the network.4. vrf out name/id) 1 10. If you see a repeating pattern of IP addresses in the output of traceroute (for example. the first step in diagnosing that problem is col- lecting information.4.4. or would you prefer to use the biggest strongest magnet in the world and attract the needle out of the haystack? I choose the magnet.4 Type escape sequence to abort.1.2.1..2 24 msec 64 msec 36 msec 3 10.4 Type escape sequence to abort..2 68 msec 88 msec 88 msec 3 * * * 4 * * * 5 * * * 6 * * * .4.1.1.4. Because the collection of information can be one of the most time-consuming of the troubleshooting processes. Success rate is 0 percent (0/5) R1#traceroute 10.4. you have a routing loop..2 44 msec 36 msec 44 msec 2 10..2. 10. as described in Chapter 1.1. Sending 5. Example 2-28 Using Traceroute to Follow The Path R1#ping 10. 100-byte ICMP Echos to 10.4..2.. Using Cisco IOS to Collect Information After a problem has been clearly defined.2.4.4 Type escape sequence to abort. Tracing the route to 10. Tracing the route to 10.4 100 msec * 72 msec Example 2-28 shows an unsuccessful ping from R1 to 10..4. timeout is 2 seconds: .2.2 24 msec 44 msec 28 msec 2 10.4.3. the ability to quickly collect appropriate information becomes a valuable troubleshooting skill.2 64 msec 52 msec 84 msec 4 10.OUTPUT OMITTED.2.3. 10. 10.2.4 VRF info: (vrf in name/id.1.4.1.. Time is valuable.1.1.2). 10.4.4.1. 10.1. This section introduces basic Cisco From the Library of Outcast Outcast . vrf out name/id) 1 10.1.4 VRF info: (vrf in name/id.2.4.4.2.2. You do not want to spend your time looking for the needle in a haystack.68 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide Example 2-27 Using Traceroute R1#traceroute 10. Would you prefer to search for the needle in a haystack by moving one piece of straw at a time.4.3.3.

00% 0.00% 0.00% 0 Chunk Manager 2 7245 1802 4020 0. Because you know that the content of the one line you are looking for contains the text Check heaps.00% 0.00% 0.08% 0..00% 0.OUTPUT OMITTED.00% 0.00% 0. Also included in this section are com- mands helpful in diagnosing connectivity and hardware issues..00% 0 RTPSPI 177 4 17599 0 0..00% 0.00% 0.00% 0 Media Record 174 0 1 0 0.00% 0.00% 0.00% 0 APR Input .00% 0.00% 0.00% 0.00% 0.00% 0 Crash Writer 9 0 302 0 0. Throughout this book.00% 0 CEF Scanner Perhaps you were only looking for CPU utilization statistics for the Check heaps process.00% 0.00% 0. you could take the output of the show processes cpu command and pipe From the Library of Outcast Outcast .00% 0.. However.00% 0. Chapter 2: Troubleshooting and Maintenance Tools 69 IOS commands useful in gathering information and discusses the filtering of irrelevant information from the output of those commands.00% 0 Environmental mo 10 731 1880 388 0.00% 0 Voice Player 173 0 1 0 0.00% 0 Resource Measure 175 12 6 2000 0.08% 0 Load Meter 3 56 2040 27 0. Filtering the Output of show Commands Cisco IOS offers multiple show commands and debug commands that are useful for gath- ering information.00% 0.00% 0.00% 0 lib_off_app 172 4 2 2000 0. The output from the show processes cpu command generated approximately 180 lines of output.00% 0. one minute: 0%.00% 0 Session Applicat 176 12 151 79 0.00% 0.00% 0. Consider the output shown in Example 2-29.00% 0. making it challenging to pick out a single process.00% 0.32% 0. you will be introduced to a considerable num- ber of show and debug commands. five minute: 0% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTy process 1 4 3 1333 0.00% 0 Timers 8 0 1 0 0.00% 0.00% 0.00% 0 Pool Manager 7 0 2 0 0.00% 0.00% 0.00% 0.00% 0 EDDRI_MAIN 5 21998 1524 14434 0.00% 0. many of these commands produce a large quantity of output.25% 0 Check heaps 6 0 1 0 0. 171 0 1 0 0.00% 0 IP NAT WALN 179 8 314 25 0. 
Example 2-29 show processes cpu Command Output R1#show processes cpu CPU Utilization for five seconds: 0%/0%.08% 0.00% 0.00% 0.00% 0 OSPF Hello 1 4 4 1 4000 0.00% 0 IP NAT Ager 178 0 1 0 0.00% 0.

The ^ is a regular expression that represents “begins with. This allows you to place in descend- ing order those processes that are consuming the most CPU resources. we have to tweak our command so that we can receive the column headers as shown in Example 2-31. these additions state to include any line that begins with CPU or (space)PID.26% 0. Therefore. the show ip interfaces brief command can display IP addresses and interface status information for interfaces on a router and switch.14% 0. Example 2-30 Filtering the show processes cpu Command Output R1#show processes cpu | include Check heaps 5 24710 1708 14467 1. The piping of the output causes the output to be filtered to only include lines that include the text Check heaps. For example. Therefore. you will notice column headers that were omitted in Example 2-30. one minute: 4%.24% 0 Check heaps In Example 2-31 we modified the show processes cpu | include Check heaps command to include |^CPU|^ PID. This type of filtering can help trouble- shooters more quickly find the data they are looking for. five minutes: 4% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 5 24710 1708 14467 1. From the Library of Outcast Outcast . In addition. The exclude option can display all lines of the output except lines con- taining the string you specify. Notice that when specifying the additional pipes (|) there is no space because it is an “or” operation. you could alternatively pipe output to the exclude option.” Therefore.24% 0 Check heaps Example 2-30 gave us some interesting values. and 5-minute utilization with the sorted parameter. realize the information you are looking for is case sensitive. 1-minute. with the show processes cpu command. check heaps is not the same as Check heaps. as demonstrated in Example 2-30.14% 0. use the | character) to the include Check heaps statement.26% 0. However. you can sort by 5-second. as shown in Example 2-32. 
Example 2-31 Filtering the show processes cpu Command Output with Column Headers R1#show processes cpu | include Check heaps|^CPU|^ PID CPU utilization for five seconds: 3%/100%. but what do they mean? If you go back to Example 2-29.70 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide that output (that is. Similar to piping output to the include option. Now those interesting values have meaning because the column headers are included.

Chapter 2: Troubleshooting and Maintenance Tools 71 Example 2-32 show ip interface brief Command Output R1#show ip interface brief Interface IP-Address OK? Method Status Protocol FastEthernet0/0 192. you can pipe the output of the show ip interface brief command to exclude unassigned.255 area 0 . skips the initial portion of the show running-config output and begins displaying the output where the first instance of router is seen in the running configuration.. as shown in Example 2-34.168.0.0.168.0.1.1 YES NVRAM up up Notice in Example 2-32 that some of the interfaces have an IP address of unassigned.OUTPUT OMITTED.1. Example 2-34 Filtering Output from the show running-config Command Using begin R1#show running-config | begin router router eigrp 100 network 10.168.255. Example 2-33 Filtering Output from the show ip interface brief Command Using exclude R1#show ip interface brief | exclude unassigned Interface IP-Address OK? Method Status Protocal FastEthernet0/0 192. From the Library of Outcast Outcast .0 network 192..1.11 YES NVRAM up up Serial0/1 unassigned YES NVRAM administratively down down NVI0 unassigned YES unset up up Loopback0 10.255. If you want to only view information pertaining to interfaces with assigned IP addresses.1.1 YES NVRAM up up As another example.0 router ospf 1 log-adjacency-changes network 0.0 255.0...0.1. Piping the output of the show running-config command to begin router.1.11 YES NVRAM up up Loopback0 10.0. you might be troubleshooting an OSPF routing protocol issue and want to see the section of your running configuration where the routing protocol config- uration begins.11 YES NVRAM up up Serial0/0 unassigned YES NVRAM administratively down down FastEthernet0/1 192.168.1.11 YES NVRAM up up FastEthernet0/1 192. as illustrated in Example 2-33.168.

if the first instance of router appears in the running configuration before the router ospf section (as in Example 2-34).0.2.168. * .ODR.168.16. and section Gi0/1 do not work. IA . EX .IS-IS. FastEthernet0/1 O 10.0/30 is subnetted. O . 00:50:58.0. M . 00:50:57. su .1.168.16.EIGRP external.22.0/24 is directly connected.255. P . 6 subnets. FastEthernet0/1 C 10.0. E2 . we can pipe the output to a section. FastEthernet0/1 C 192. N2 .. you need to specify the exact case and the exact spacing.IS-IS level-2 ia .2.168.0/30 [110/129] via 192.0.IS-IS inter area.168.22. S .1. In Example 2-35.EIGRP.. section Gigabitethernet0/1.0. especially in larger environ- ments.2.0.. Example 2-35 Filtering Output from the show running-config Command Using section R1#show running-config | section router ospf router ospf 1 log-adjacency-changes network 0.255 area 0 .0/24 is directly connected.1.1.0. 2 subnets O 172. Consider. L1 . for example. 00:50:57.OSPF.4. when piping. 3 masks O 10. FastEthernet0/1 O 10. 00:50:57.mobile.3/32 [110/66] via 192.1/32 is directly connected.OSPF external type 1.per-user static route o .255. Loopback0 O 10.OSPF inter area N1 .. 00:50:57.OSPF external type 2 i .3.0/24 [110/75] via 192.168.static.4.16.22.0. FastEthernet0/1 10.0 255.3. FastEthernet0/0 From the Library of Outcast Outcast .0. B . Example 2-36 Sample show ip route Command Output R1#show ip route Codes: C .IS-IS summary.1.168.22. Because we are trying to find a specific section (in this case OSPF) in the running configuration. U .72 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide However.0.BGP D . L2 .168. For example.candidate default. is the show ip route command.connected. FastEthernet0/1 C 192. the output of show ip route presented in Example 2-36. section GigabitEthernet0/1 works.RIP. R . you will still have to sift through the running configuration until you get to the router ospf section. 00:50:57.1.2/32 [110/2] via 192.0.0.IS-IS level-1.22.4/32 [110/66] via 192.3. 
Another command that often generates a lengthy output.OUTPUT OMITTED.0/8 is variably subnetted.0.OSPF NSSA external type 1.OSPF NSSA external type 2 E1 .22.periodic downloaded static route Gateway of last resort is not set 172.0 [110/65] via 192. we pipe the output of the show running-config command to section router ospf and only get output from the router ospf section.2.22.168. As stated earlier. FastEthernet0/1 O 172.0 [110/65] via 192. 00:50:58. FastEthernet0/1 O 10. but section GigabitEthernet 0/1.

IS-IS inter area.22. some IP routing tables contain hundreds or even thousands of entries.0. M .22.IS-IS.16. su .RIP. However. via FastEthernet0/1 Route metric is 65.1.0 longer-prefixes Codes: C . shows all subnets of net- work 172. 00:52:08 ago Routing Descriptor Blocks: * 192.OSPF. From the Library of Outcast Outcast .0. Are you going to issue the command and then copy and paste it from your terminal window to a text editor? That is one option.2.0/16. Such a command.0 is present in a routing table.1.2. you could specify the subnet mask and the longer-prefixes argument as part of your command. Chapter 2: Troubleshooting and Maintenance Tools 73 Although the output shown in Example 2-36 is relatively small. * . 00:52:08 ago.OSPF external type 2 i . FastEthernet0/1 O 172.168. as depicted in Example 2-37. B . distance 110.0 [110/65] via 192.BGP D .OSPF NSSA external type 1. 00:51:39.16.0 [110/65] via 192. as demonstrated in Example 2-38.16. you could issue the com- mand show ip route 172.16.OSPF NSSA external type 2 E1 .0.0/30 Known via "ospf 1".168. E2 .16. L1 .candidate default. O . metric 65.0. 00:51:39.IS-IS level-1.16.1. EX .0 Routing entry for 172. L2 . Example 2-37 Specifying a Specific Route with the show ip route Command R1#show ip route 172.OSPF inter area N1 .EIGRP external.0/16 address space.2.0. In that event. for instance.16. traffic share count is 1 Perhaps you are looking for all subnets of the 172. If you want to determine whether a route for network 172.0.2.16. P .per-user static route o .0.0.0.22 on FastEthernet0/1. 2 subnets O 172.mobile.ODR.1.255.IS-IS level-2 ia .1.0/30 is subnetted. Example 2-39 shows how you can use the | redirect option to send output from a show command to a file. FastEthernet0/1 Redirecting show Command Output to a File Imagine that you are working with Cisco Technical Assistance Center (TAC) to trouble- shoot an issue.OSPF external type 1.16.IS-IS summary.connected. 
S .22.periodic downloaded static route Gateway of last resort is not set 172.static.16. and they want a file containing output from the show tech-support command issued on your router. Example 2-38 Filtering Output from the show ip route Command with the longer-prefixes Option R1#show ip route 172. type intra area Last update from 192.168. In this case.EIGRP. it is the show tech-support command being sent to a file on a TFTP server. N2 . U .0.0 255.168. IA . R . from 10.

you can pipe the output of your show command with the append option. as demonstrated in Example 2-40. Note that this does not overwrite the existing file. From the Library of Outcast Outcast . Table 2-4 offers a collection of Cisco IOS com- mands used to investigate hardware performance issues.168. As a reference. If you want the show command to be displayed onscreen and stored to a file. Example 2-41 Appending Output to an Existing File R1#show ip interface brief | append tftp://192. as shown in Example 2-39. RELEASE SOFTWARE (fc3) Technical Support: http://www. In situations where you already have an output file created and you want to append the output of another show command to your existing file. you can pipe the output with the tee option. Example 2-41 shows how to use the append option to add the output of the show ip interface brief command to a file named base- line.1. Example 2-39 Redirecting Output to a TFTP Server R1#show tech-support | redirect tftp://192. a network’s underlying hardware often becomes a troubleshooting target.50/baseline.com/techsupport Copyright (c) 1986-2005 by Cisco Systems. Version 12.168.. Compiled Thu 08-Dec-05 17:35 by alnguyen .1..4(3b).txt that was created at an earlier time and already contains information.. Inc.168.txt ! R1# Troubleshooting Hardware In addition to software configurations.txt ! ---------------------show version--------------------- Cisco IOS Software.txt ! R1# Example 2-40 Redirecting Output While Also Displaying the Output Onscreen R1#show tech-support | tee tftp://192.OUTPUT OMITTED. C2600 Software (C2600-IPVOICE_IVS-M).cisco.74 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide Notice that directing output to a file suppresses the onscreen output.. it simply adds the new information to it.50/tshoot.1.50/tac.

1-minute. Performing Packet Captures You can use dedicated appliances or PCs running packet capture software to collect and store packets flowing across a network link. a cyclic redundancy check (CRC) error occurred). the type of connected cable might be displayed for a serial interface and whether it is the DCE side or DTE side of the cable) show platform Provides detailed information about a router or switch hardware platform Collecting Information in Transit Information you collect while troubleshooting is not always going to be at rest. in addition to a listing of processes running on a platform along with each process’s utilization statistics show memory Displays summary information about processor and I/O memory. perhaps indicating a cabling problem or a duplex mismatch output errors: Indicates frames were not transmitted correctly. When troubleshooting. You will sometimes need to collect information while it is in transit. followed by a more comprehensive report of memory utilization show interfaces Shows Layer 1 and Layer 2 interface status. Chapter 2: Troubleshooting and Maintenance Tools 75 Table 2-4 Cisco IOS Commands for Hardware Troubleshooting Key Topic Command Description show processes cpu Provides 5-second. show controllers Displays statistical information about an interface (for example. interface load information. perhaps due to a duplex mismatch Note Prior to collecting statistics. and error statistics including the following: input queue drops: Indicates a router received information faster than the information could be processed by the router output queue drops: Indicates a router is not able to send information out the outgoing interface because of congestion (perhaps because of an input/output speed mismatch) input errors: Indicates frames were not received correctly (for example. analysis of captured From the Library of Outcast Outcast . error statistics). interface counters can be reset using the clear coun- ters command. 
where the information varies for different interface types (for example. This section discusses how we can capture packets on the network that are flowing through our switches. and 5-minute CPU utilization statistics.

By default.wireshark. A switch is designed to forward frames based on the destination MAC address of a frame. you should understand how to use your packet capture application’s filtering features. For example. if the frame is not destined (based on the From the Library of Outcast Outcast . When a frame is received.org). Capturing and analyzing packets. the packets traveling between Topic those two devices will not be seen by your packet-capturing device. Therefore. traffic flow between Key two network devices connected to a switch. This is because of how the switch is designed to behave.76 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide packets can provide insight into how a network is treating traffic flow. presents two major obstacles. You can also look inside Layer 2. Therefore. as shown in Figure 2-5. a packet capture data file can show whether packets are being dropped or if sessions are being reset. for example. the switch looks in the MAC address table to determine which port the frame should be forwarded out based on the destination MAC address. An example of a popular and free packet-capture utility you can download is Wireshark (http://www. however. you can view a packet’s Layer 3 header to determine that packet’s Layer 3 quality of service (QoS) priority marking. the vol- ume of data collected as part of a packet capture can be so large that finding what you are looking for can be a challenge. 3. and 4 headers using a packet-capture application. Figure 2-5 Wireshark Packet-Capture Application SPAN A second challenge occurs when you want to monitor. For example. First.

entering and exiting) port Gigabit Ethernet 0/1. as shown in Example 2-42. Notice that Example 2-42 uses the monitor session id source interface interface_type interface_number command to indicate that a SPAN monitoring session with a locally significant identifier of 1 will copy packets crossing (that is. A laptop running packet capture software connected to port Gigabit Ethernet 0/3 will now receive a copy of all traffic the server is sending or receiving. the frame will not be sent out the port connected to that device. A troubleshooter inserts a packet capture device into Gigabit Ethernet 0/3. End with CNTL/Z. as shown in Figure 2-6. the laptop running the packet capture application will not see any of these frames. one per line. SPAN instructs a switch to send copies of packets seen on one port (or one VLAN) to another port where the packet capturing device is connected. However. To cause port Gigabit Ethernet 0/3 to receive a copy of all frames sent or received by the server. This behavior ensures that end-user devices do not see frames that are not intended for them. Cisco IOS supports a feature known as Switched Port Analyzer (SPAN). Gig 0/1 Gig 0/2 Gig 0/3 Server Client Copy of Traffic Copy of Traffic Sent To Sent From the Server the Server Laptop Running Packet Capture Application Figure 2-6 Cisco Catalyst Switch Configured for SPAN Notice that Figure 2-6 depicts a client (connected to Gigabit Ethernet 0/2) communicat- ing with a server (connected to Gigabit Ethernet 0/1). Fortunately. Example 2-42 SPAN Configuration SW1#conf term Enter configuration commands. SW1(config)#monitor session 1 source interface gig 0/1 SW1(config)#monitor session 1 destination interface gig 0/3 SW1(config)#end SW1#show monitor From the Library of Outcast Outcast . Chapter 2: Troubleshooting and Maintenance Tools 77 MAC address) for the device with the packet-capturing software. 
Then the monitor session id destination interface interface_type interface_number command is used to specify port Gigabit Ethernet 0/3 as the destina- tion port for those copied packets. SPAN is configured on the switch. because the switch’s default behav- ior prevents frames that are flowing between the client and server from being sent out any other port.

) The show monitor command is then used to verify the RSPAN source and destination. (Note that the reflector-port parameter is not required on all switches [for example. Also. where a troubleshooter has her laptop running a packet capture application connected to port Fast Ethernet 5/2 on switch SW2. The traf- fic that needs to be captured is traffic coming from and going to the server connected to port Gigabit Ethernet 0/1 on switch SW1. VLAN 20) and to specify that RSPAN should monitor port Gigabit Ethernet 0/1 and send packets sent and received on that port out of Gigabit Ethernet 0/3 on VLAN 20. a trunk exists between switches SW1 and SW2 to carry the SPAN VLAN in addition to a VLAN carrying user data. A VLAN is configured whose purpose is to carry captured traffic between the switches.78 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide Session 1 ------------ Type : Local Session Source Ports : Both : Gi0/1 Destination Ports : Gi0/3 Encapsulation : Native Ingress : Disabled RSPAN In larger environments. a network capture device connected to one switch might need to Key Topic capture packets flowing through a different switch. a 2960]. Consider Figure 2-7. Therefore. Example 2-43 shows the configuration on switch SW1 used to create the RSPAN VLAN (that is. Example 2-43 RSPAN Configuration on Switch SW1 SW1#conf term SW1(config)#vlan 20 SW1(config-vlan)#name SPAN SW1(config-vlan)#remote-span SW1(config-vlan)#exit SW1(config)#monitor session 1 source interface gig 0/1 SW1(config)#monitor session 1 destination remote vlan 20 reflector-port gig 0/3 SW1(config)#end SW1#show monitor Session 1 ------------ Type: Remote Source Session Source Ports: Both: Gi0/1 Reflector Port: Gi0/3 Dest RSPAN VLAN: 20 From the Library of Outcast Outcast . Remote SPAN (RSPAN) makes such a scenario possible. note that by default the monitor session id source command monitors both incoming and outgoing traffic on the monitored port.

Chapter 2: Troubleshooting and Maintenance Tools 79 Gig 0/1 Gig 0/2 SW1 Gig 0/3 Trunk Carrying Server SPAN VLAN Client Fa 5/1 SW2 Fa 5/2 Copy of Traffic Copy of Traffic Sent To Sent From the Server the Server Laptop Running Packet Capture Application Figure 2-7 Cisco Catalyst Switch Configured for RSPAN Example 2-44 shows the configuration on switch SW2 used to create the RSPAN VLAN to specify that RSPAN should receive captured traffic from VLAN 20 and send it out port Fast Ethernet 5/2. Example 2-44 RSPAN Configuration on Switch SW2 SW2#conf term SW2(config)#vlan 20 SW2(config-vlan)#name SPAN SW2(config-vlan)#remote-span SW2(config-vlan)#exit SW2(config)#monitor session 2 source remote vlan 20 SW2(config)#monitor session 2 destination interface fa 5/2 SW2(config)#end SW2#show monitor Session 2 ------------ Type : Remote Destination Session Source RSPAN VLAN : 20 Destination Ports : Fa5/2 From the Library of Outcast Outcast .

As stressed throughout this book. Your network currently has no network diagram.1.1 YES manual up up Serial0/0/1 unassigned YES NVRAM administratively down down Serial0/2/0 unassigned YES NVRAM administratively down down Serial0/2/1 unassigned YES NVRAM administratively down down You can gather from the output in Example 2-45 that R1 has Fast Ethernet 0/0 up/up with an IP address of 192.1 R1 Figure 2-9 Discovered Ethernet and Serial Interfaces on R1 From the Library of Outcast Outcast . as shown in Figure 2-9.168. You can add this information to your diagram.1. It also has Serial 0/0/0 up/up with an IP address of 172.1.80 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide Using Tools to Document a Network An important undertaking for every network team is documenting the existing network.168.16. accurate documentation is a must. this sec- tion covers the CLI commands that enable you to build a network diagram. You are connected to R1 via the console Key port. and the IP addresses associated with them. To accomplish this.1 YES manual up up FastEthernet0/1 unassigned YES TFTP administratively down down Serial0/0/0 172.1.1. R1 Figure 2-8 Connected to R1 via the Console Port Example 2-45 Output of show ip interface brief Command on R1 R1#show ip interface brief Interface IP-Address OK? Method Status Protocol FastEthernet0/0 192.168.1. FastEthernet 0/0 Serial 0/0/0 192.1 172. as shown in Example 2-45. you issue the show ip interface brief command.16. as shown in Figure 2-8. Therefore.1.16. Your first task is to find out the types of interfaces that are Topic up/up.1.

1 SW1 FastEthernet 0/24 R1 Serial 0/0/0 R2 2960 2811 Figure 2-10 Adding SW1 and R2 to the Diagram You need to discover the IP address of Serial 0/0/0 on R2 and the management IP address on SW1. as shown in Example 2-46. D . Example 2-47 Output of the show cdp neighbors Command on R1 R1#show cdp neighbors detail ------------------------- Device ID: SW1 Entry address(es): IP address: 192. as shown in Example 2-47. You add this information to the diagram.1 172.16.Switch. You also observe that R1 is connected to a 2811 series router named R2 out Serial 0/0/0 and that R2 is using Serial 0/0/0 to connect to R1.1.1.IGMP. You can also use the IEEE standard Link Layer Discovery Protocol (LLDP) to discover neighboring Cisco and Non-Cisco devices if you have enabled it.Router.Repeater. FastEthernet 0/0 Serial 0/0/0 192.2 and that the management IP address on SW1 is 192. B .Source Route Bridge S .2. You accomplish this using the show cdp neighbors command.Host. the show cdp neighbors detail command will also provide the Cisco IOS Software version that is running on the neighbor. It also indicates that SW1 is using Fast Ethernet 0/24 to connect to R1. as shown in Figure 2-10.CVTA.1.168. To accomplish this. P . T .168.168.Trans Bridge. r . you use the show cdp neighbors detail command.Remote. You observe from the output that Serial 0/0/0 on R2 has the IP address 172. Chapter 2: Troubleshooting and Maintenance Tools 81 Next.16. H . C . Example 2-46 Output of the show cdp neighbors Command on R1 R1#show cdp neighbors Capability Codes: R .1.1. you want to determine which Cisco devices are connected to R1.2 From the Library of Outcast Outcast .Fas 0/24 R2 Ser 0/0/0 133 S I 2811 Ser 0/0/0 You observe from the output in Example 2-46 that R1 is connected to a Catalyst 2960 switch named SW1 out Fast Ethernet 0/0. In addition. M . You add this infor- mation to the diagram. as shown in Figure 2-11.Phone. 
I .Two-port Mac Relay Device ID Local Intrfce Holdtme Capability Platform Port ID SW1 Fas 0/0 139 S I WS-C2960.

payload len=27. Compiled Sat 28-Jul-12 00:29 by prod_rel_team advertisement version: 2 Protocol Hello: OUI=0x00000C.1.com/techsupport Copyright (c) 1986-2012 by Cisco Systems.82 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide Platform: cisco WS-C2960-24TT-L. Port ID (outgoing port): FastEthernet0/24 Holdtime : 153 sec Version : Cisco IOS Software.cisco.168.16. Version 15. Protocol ID=0x0112. Capabilities: Switch IGMP Interface: Serial0/0/0. C2960 Software (C2960-LANBASEK9-M). Capabilities: Switch IGMP Interface: FastEthernet0/0.1. Compiled Tue 04-Sep-12 15:56 by prod_rel_team advertisement version: 2 VTP Management Domain: '' FastEthernet 0/0 Serial 0/0/0 192.cisco.0(2)SE. Inc.1 SW1 FastEthernet 0/24 R1 Serial 0/0/0 R2 2960 172.2 Platform: Cisco 2811.1.2 Figure 2-11 Updating IPs in Diagram for SW1 and R2 From the Library of Outcast Outcast .com/techsupport Copyright (c) 1986-2012 by Cisco Systems.2 2811 Management IP 192.1(4)M5. Port ID (outgoing port): Serial0/0/0 Holdtime: 127 sec Version : Cisco IOS Software. Version 15.1 172.16.1. RELEASE SOFTWARE (fc1) Technical Support: http://www. 2800 Software (C2800NM-ADVENTERPRISEK9-M). value=00000000FFF FFFFF010220FF000000000000081FF34EB800FF0000 VTP Management Domain: '' Native VLAN: 1 Duplex: full ------------------------- Device ID: R2 Entry address(es): IP address: 172. RELEASE SOFTWARE (fc1) Technical Support: http://www.1.168.16. Inc.

1(4)M5. 125440K bytes of ATA CompactFlash (Read/Write) .output omitted. RELEASE SOFTWARE (fc1) . as shown in Example 2-48.output omitted.... Configuration register is 0x2102 You add the type of router to your diagram as shown in Figure 2-12. the system bootstrap version.bin" Last reload type: Normal Reload . You can also verify the Cisco IOS Software version.. the number of inter- faces. You use the show version command.output omitted.0) with 247808K/14336K bytes of memory. 2800 Software (C2800NM-ADVENTERPRISEK9-M)... 239K bytes of non-volatile configuration memory. ROM: System Bootstrap. you need to include the type of router R1 is. ------------------------------------------------- Device# PID SN ------------------------------------------------- *0 CISCO2811 .. Example 2-48 Output of the show version Command on R1 R1#show version Cisco IOS Software. Chapter 2: Troubleshooting and Maintenance Tools 83 Finally.output omitted. From the Library of Outcast Outcast . Version 12.. Cisco 2811 (revision 1.151-4.. which indicates it is also a 2811 series router.. and the configuration register.... Processor board ID FTX1023A49D 2 FastEthernet interfaces 4 Serial(sync/async) interfaces 1 Virtual Private Network (VPN) Module DRAM configuration is 64 bits wide with parity enabled.4(1r) [hqluong 1r].... RELEASE SOFTWARE (fc1) R1 uptime is 14 minutes System returned to ROM by power-on System image file is "flash:c2800nm-adventerprisek9-mz. Version 15.M5.

16. From the Library of Outcast Outcast .168.1.16.1.1. show cdp neighbors detail.2 2811 Management IP 192. and show version.2 Figure 2-12 Updating R1’s Router Type in the Diagram As you can see.1 SW1 FastEthernet 0/24 R1 Serial 0/0/0 R2 2960 2811 172.168.84 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide FastEthernet 0/0 Serial 0/0/0 192. Your next step in the process of building your diagram is to connect to SW1 and R2 via their console ports or via Telnet/SSH and issue the same four commands to gather infor- mation about the devices connected to them.1 172. you were able to gather quite a bit of information from just four com- mands: show ip interface brief.1. show cdp neighbors.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, “Final Preparation,” and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 2-5 lists a reference of these key topics and the page numbers on which each is found.

Table 2-5 Key Topics for Chapter 2 (Key Topic Element: Description, Page Number)

List: Identifies the three categories that collected information essentially falls into (page 45)
Example 2-2: Backing up a router’s startup configuration to an FTP server (page 49)
Example 2-7: Viewing a configuration archive (page 50)
Paragraph: Reviews how copying configurations into RAM is a merge operation (page 52)
Paragraph: Identifies how the configure replace command is used to restore an archived configuration (page 53)
Table 2-2: Severity levels (page 54)
Example 2-13: Logging configuration (page 55)
Paragraph: Identifies the importance of an NTP server and how to configure your device to use one (page 56)
Paragraph: Discusses how you can use SNMP and NetFlow to establish baselines (page 58)
Paragraph: Discusses how to set a device to send SNMP traps to an SNMP server (page 62)
Paragraph: Discusses how you can use EEM to monitor and maintain a device (page 63)
Section: Ping (page 64)
Section: Telnet (page 67)
Section: Traceroute (page 67)
Table 2-4: Cisco IOS commands for hardware troubleshooting (page 75)
Paragraph: Identifies the need for SPAN when collecting data in transit through a switch (page 76)
Paragraph: Identifies the need for RSPAN when collecting data in transit through multiple switches (page 78)
Paragraph: Discusses the commands and procedures needed to document a network diagram (page 80)

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary: CLI, GUI, Cisco TAC, wiki, running configuration, FTP, TFTP, HTTP, archive, configure replace, merge, syslog, NTP, SNMP, NetFlow, EEM, ping, Telnet, traceroute, SPAN, RSPAN, CDP

Complete Tables and Lists from Memory

Print a copy of Appendix C, “Memory Tables,” (found on the disc), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, “Memory Tables Answer Key,” also on the disc, includes completed tables and lists to check your work.

Command Reference to Check Your Memory

This section includes the most important configuration and EXEC commands covered in this chapter. To test your memory of the commands, cover the right side of Tables 2-6 and 2-7 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.

The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to configure and troubleshoot routers and switches. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed.

Table 2-6 CLI Configuration Commands (Task, Command Syntax)

archive
  Global configuration mode command used to enter archive configuration mode

path ftp://IP_address/filename_prefix
  Archive configuration mode command that specifies the IP address of an FTP server and filename prefix a router uses to write its archival configuration files

write-memory
  Archive configuration mode command that causes an archival backup of a router’s configuration to be written each time the router’s running configuration is copied to its startup configuration

time-period seconds
  Archive configuration mode command that specifies the interval used by a router to automatically back up its configuration

ip ftp username username
  Global configuration mode command used to specify an FTP username credential, which no longer necessitates the user entering the username

ip ftp password password
  Global configuration mode command used to specify an FTP password credential, which no longer necessitates the user entering the password

ip http client username username
  Global configuration mode command used to specify an HTTP username credential, which no longer necessitates the user entering the username

ip http client password password
  Global configuration mode command used to specify an HTTP password credential, which no longer necessitates the user entering the password

logging buffered {max_buffer_size} {minimum_severity_level}
  Global configuration mode command used to log events to a router’s internal buffer, optionally with a maximum number of bytes to be used by the buffer and optionally the minimum severity level of an event to be logged

logging console {minimum_severity_level}
  Global configuration mode command used to log events to a router’s console, optionally with a minimum severity level of an event to be logged

logging ip_address
  Global configuration mode command used to specify the IP address of a syslog server to which a router’s log files are written

clock timezone time_zone_name {+ | -} hours
  Global configuration mode command used to specify a router’s local time zone and number of hours the time zone varies from Greenwich mean time (GMT)

clock summer-time time_zone_name recurring {1-4} beginning_day beginning_month time {1-4} ending_day ending_month time
  Global configuration mode command used to specify a router’s time zone when daylight savings time is in effect, and when daylight savings time begins and ends

ntp server ip_address
  Global configuration mode command used to specify the IP address of an NTP server

monitor session id {source | destination} interface interface_type interface_number
  Global configuration mode command that configures SPAN, which specifies the source or destination interface for traffic monitoring

remote-span
  VLAN configuration mode command that indicates a VLAN is to be used as an RSPAN VLAN

monitor session id destination remote vlan VLAN_id reflector-port port_id
  Global configuration mode command that configures RSPAN on a monitored switch, where the RSPAN VLAN is specified in addition to the port identifier for the port being used to flood the monitored traffic to the monitoring switch

  Note: The reflector-port parameter is not required on all switches (for example, a 2960).

monitor session id source remote vlan VLAN_id
  Global configuration mode command that configures RSPAN on a monitoring switch, where the RSPAN VLAN is specified

snmp-server community community_string {ro | rw}
  Global configuration mode command that defines an SNMP server read only or read/write community string

snmp-server contact contact_info
  Global configuration mode command that specifies SNMP contact information

snmp-server location location
  Global configuration mode command that specifies SNMP location information

snmp-server ifindex persist
  Global configuration mode command that forces an SNMP interface index to stay consistent during data collection, even if a device is rebooted

ip flow ingress | egress
  Interface configuration mode command that enables NetFlow for that interface inbound or outbound

ip flow-export source interface_type interface_number
  Global configuration mode command that specifies the source interface used when communicating with an external NetFlow collector

ip flow-export version {1 | 5 | 9}
  Global configuration mode command that specifies the NetFlow version used by a device

ip flow-export destination ip_address port
  Global configuration mode command that specifies the IP address and port number of an external NetFlow collector

snmp-server host ip_address version {1 | 2c | 3} community_string
  Global configuration mode command that specifies the IP address, SNMP version, and community string of an NMS

snmp-server enable traps
  Global configuration mode command that enables all possible SNMP traps

event manager applet name
  Global configuration mode command that creates an embedded event manager applet and enters applet configuration mode

Table 2-7 CLI EXEC Commands (Task, Command Syntax)

copy startup-config ftp://username:password@ip_address
  Performs a backup of a router’s startup configuration to an FTP server at the specified IP address, where the login credentials are provided by the username and password parameters

copy startup-config ftp://ip_address
  Performs a backup of a router’s startup configuration to an FTP server at the specified IP address, where the login credentials have previously been added to the router’s configuration

show archive
  Displays files contained in a router’s configuration archive

configure replace ftp://ip_address/filename
  Replaces (as opposed to merges) a router’s running configuration with a specified configuration

show processes cpu
  Displays 5-second, 1-minute, and 5-minute CPU utilization averages, in addition to a listing of running processes with their CPU utilization

show ip route network_address subnet_mask longer-prefixes
  Shows all subnets within the specified address space in the routing table

ping ip_address {size bytes} {repeat number} {timeout seconds} {df-bit}
  Sends ICMP echo packets to the specified IP address, with options that include
    size: The number of bytes in the ICMP echo packet
    repeat: The number of ICMP echo packets sent
    timeout: The number of seconds the router waits for an ICMP echo reply packet after sending an ICMP echo packet
    df-bit: Sets the do not fragment bit in the ICMP echo packet

telnet ip_address {port}
  Connects to a remote IP address via Telnet using TCP port 23 by default or optionally through a specified TCP port

show memory
  Displays summary information about processor and I/O memory, followed by a more comprehensive report of memory utilization

show interfaces
  Shows Layer 1 and Layer 2 interface status, interface load information, and error statistics, including
    input queue drops: Indicates a router received information faster than the information could be processed by the router
    output queue drops: Indicates a router is not able to send information out the outgoing interface because of congestion (perhaps because of an input/output speed mismatch)
    input errors: Indicates frames were not received correctly (for example, a CRC error occurred), perhaps indicating a cabling problem or a duplex mismatch
    output errors: Indicates frames were not transmitted correctly, perhaps due to a duplex mismatch

  Note: Prior to collecting statistics, interface counters can be reset using the clear counters command.

show controllers
  Displays statistical information for an interface (for example, error statistics) where the information varies for different interface types (for example, the type of connected cable might be displayed for a serial interface)

show platform
  Provides detailed information about a router or switch hardware platform

This chapter covers the following topics:

■ Troubleshooting Switch Performance Issues: This section identifies common reasons why a switch might not be performing as expected.

■ Troubleshooting Router Performance Issues: This section identifies common reasons why a router might not be performing as expected.

CHAPTER 3

Troubleshooting Device Performance

Switches and routers consist of many different components. For example, they contain a processor, memory (volatile such as RAM and nonvolatile such as NVRAM and flash), and various interfaces. They are also responsible for performing many different tasks, such as routing, switching, and building all the necessary tables and structures needed to perform various tasks. The building of the tables and structures is done by the CPU. The storage of these tables and structures is in some form of memory. The routers and switches forward traffic from one interface to another interface based on these tables and structures. Therefore, if a router’s or switch’s CPU is constantly experiencing high utilization, the memory is overloaded, or the interface buffers are full, these devices will experience performance issues.

This chapter discusses common reasons for high CPU and memory utilization on routers and switches, in addition to how we can recognize them. This chapter also covers interface statistics because they sometimes provide the initial indication of some type of issue.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 3-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 3-1 “Do I Know This Already?” Section-to-Question Mapping (Foundation Topics Section: Questions)

Troubleshooting Switch Performance Issues: 1–4
Troubleshooting Router Performance Issues: 5–8

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. What are the components of a switch’s control plane? (Choose two.)
a. Backplane
b. Memory
c. CPU
d. Forwarding logic

2. Which of the following are situations when a switch’s TCAM would punt a packet to the switch’s CPU? (Choose the three best answers.)
a. OSPF sends a multicast routing update.
b. An ACL is applied to a switchport.
c. An administrator telnets to a switch.
d. A switch’s TCAM has reached capacity.

3. The output of a show processes cpu command on a switch displays the following in the first line of the output:
CPU utilization for five seconds: 10%/7%; one minute: 12%; five minutes: 6%
Based on the output, what percent of the switch’s CPU is being consumed with interrupts?
a. 10 percent
b. 7 percent
c. 12 percent
d. 6 percent

4. What are good indications that you have a duplex mismatch? (Choose two.)
a. The half-duplex side of the connection has a high number of FCS errors.
b. The full-duplex side of the connection has a high number of FCS errors.
c. The full-duplex side of the connection has a high number of late collisions.
d. The half-duplex side of the connection has a high number of late collisions.

5. Which router process is in charge of handling interface state changes?
a. TCP Timer process
b. IP Background process
c. Net Background process
d. ARP Input process

6. Which of the following is the least efficient (that is, the most CPU intensive) of a router’s packet-switching modes?
a. Fast switching
b. CEF
c. Optimum switching
d. Process switching

7. What command is used to display the contents of a router’s FIB?
a. show ip cache
b. show processes cpu
c. show ip route
d. show ip cef

8. Identify common reasons that a router displays a MALLOCFAIL error. (Choose the two best answers.)
a. Cisco IOS bug
b. Security issue
c. QoS issue
d. BGP filtering

Foundation Topics

Troubleshooting Switch Performance Issues

Switch performance issues can be tricky to troubleshoot because the problem reported is often subjective. For example, if a user reports that the network is running “slowly,” the user’s perception might mean that the network is slow compared to what he expects. However, network performance might very well be operating at a level that is hampering productivity and at a level that is indeed below its normal level of operation. Therefore, as part of the troubleshooting process, you need to determine what network component is responsible for the poor performance. Rather than a switch or a router, the user’s client, server, or application could be the cause of the performance issue.

If you do determine that the network performance is not meeting technical expectations (as opposed to user expectations), you should isolate the source of the problem and diagnose the problem on that device. This section assumes that you have isolated the device causing the performance issue, and that device is a Cisco Catalyst switch.

Cisco Catalyst Switch Troubleshooting Targets

Cisco offers a variety of Catalyst switch platforms, with different port densities, different levels of performance, and different hardware. Therefore, troubleshooting switches will be platform dependent. Many similarities do exist, however. For example, all Cisco Catalyst switches include the following components:

■ Ports: A switch’s ports physically connect the switch to other network devices. These ports (also known as interfaces) allow a switch to receive and transmit traffic.

■ Forwarding logic: A switch contains hardware that makes forwarding decisions based on different tables in the data plane.

■ Backplane: A switch’s backplane physically interconnects a switch’s ports. Therefore, frames flowing through a switch enter through a port (that is, the ingress port), flow across the switch’s backplane, and are forwarded out of another port (that is, an egress port).

■ Control plane: A switch’s CPU and memory reside in the control plane. This control plane is responsible for running the switch’s operating system and building the necessary structures used to make forwarding decisions—for example, the MAC address table and the spanning-tree topology to name a few.

Figure 3-1 depicts these components within a switch. Notice that the control plane does not directly participate in the frame-forwarding process. However, depending on the specific switch architecture, the forwarding logic contained in the forwarding hardware comes from the control plane. Therefore, an indirect relationship exists between frame forwarding and the control plane. As a result, a continuous load on the control plane could, over time, impact the rate at which the switch forwards frames. Also, if the forwarding hardware is operating at maximum capacity, the control plane begins to provide the forwarding logic. So, although the control plane does not architecturally appear to impact switch performance, it should be considered when troubleshooting.

[Figure 3-1 Cisco Catalyst Switch Hardware Components: Control Plane (Memory, CPU) above a Data Plane in which an Ingress Port feeds Forwarding Hardware (Forwarding Logic) over the Backplane to an Egress Port]

The following are two common troubleshooting targets to consider when diagnosing a suspected switch issue:

■ Port errors

■ Mismatched duplex settings

The sections that follow evaluate these target areas in greater detail.

Port Errors

When troubleshooting a suspected Cisco Catalyst switch issue, a good first step is to check port statistics. For example, examining port statistics can let a troubleshooter know whether an excessive number of frames are being dropped. If a TCP application is running slowly, the reason might be that TCP flows are going into TCP slow start, which causes the window size, and therefore the bandwidth efficiency, of TCP flows to be reduced. A common reason that a TCP flow enters slow start is packet drops. Similarly, packet drops for a UDP flow used for voice or video could result in noticeable quality degradation, because dropped UDP segments are not retransmitted. Although dropped frames are most often attributed to network congestion, another possibility is that the cabling could be bad.

To check port statistics, a troubleshooter could leverage the show interfaces command. Consider Example 3-1, which shows the output of the show interfaces gig 1/0/9 counters command on a Cisco Catalyst 3750-E switch. Notice that this output shows the number of inbound and outbound frames seen on the specified port.

Example 3-1 show interfaces gig 1/0/9 counters Command Output

SW1#show interfaces gig 1/0/9 counters
Port        InOctets   InUcastPkts   InMcastPkts   InBcastPkts
Gi1/0/9     31265148         20003          3179             1
Port       OutOctets  OutUcastPkts  OutMcastPkts  OutBcastPkts
Gi1/0/9     18744149          9126            96             6

To view errors that occurred on a port, you could add the keyword of errors after the show interfaces interface_type interface_number counters command. Example 3-2 illustrates sample output from the show interfaces gig 1/0/9 counters errors command.

Example 3-2 show interfaces gig 1/0/9 counters errors Command Output

SW1#show interfaces gig 1/0/9 counters errors
Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize
Gi1/0/9             0          0          0          0          0
Port      Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts     Giants
Gi1/0/9         5603          0       5373           0          0          0          0

Table 3-2 provides a reference for the specific errors that might show up in the output of the show interfaces interface_type interface_number counters errors command.

Table 3-2 Errors in the show interfaces interface_type interface_number counters errors Command (Error Counter: Description)

Align-Err: An alignment error occurs when frames do not end with an even number of octets, while simultaneously having a bad cyclic redundancy check (CRC). An alignment error normally suggests a Layer 1 issue, such as cabling or port (either switchport or network interface card [NIC] port) issues.

FCS-Err: A frame check sequence (FCS) error occurs when a frame has an invalid checksum, although the frame has no framing errors. Like the Align-Err error, an FCS-Err often points to a Layer 1 issue, but it also occurs when there is a duplex mismatch.

Xmit-Err: A transmit error (that is, Xmit-Err) occurs when a port’s transmit buffer overflows. A speed mismatch between inbound and outbound links often results in a transmit error.

Rcv-Err: A receive error (that is, Rcv-Err) occurs when a port’s receive buffer overflows. Congestion on a switch’s backplane could cause the receive buffer on a port to fill to capacity, as frames await access to the switch’s backplane. However, most likely, a Rcv-Err is indicating a duplex mismatch.

UnderSize: An undersize frame is a frame with a valid checksum but a size less than 64 bytes. This issue suggests that a connected host is sourcing invalid frame sizes.

Single-Col: A Single-Col error occurs when a single collision occurs before a port successfully transmits a frame. Common reasons for a Single-Col error include high bandwidth utilization on an attached link or a duplex mismatch.

Multi-Col: A Multi-Col error occurs when more than one collision occurs before a port successfully transmits a frame. Similar to the Single-Col error, common reasons for a Multi-Col error include high bandwidth utilization on an attached link or a duplex mismatch.

Late-Col: A late collision is a collision that is not detected until well after the frame has begun to be forwarded. While a Late-Col error could indicate that the connected cable is too long, this is an extremely common error seen in mismatched duplex conditions.

Excess-Col: The Excess-Col error occurs when a frame experiences 16 successive collisions, after which the frame is dropped. This error could result from high bandwidth utilization, a duplex mismatch, or too many devices on a segment.

Carri-Sen: The Carri-Sen counter is incremented when a port wants to send data on a half-duplex link. This is normal and expected on a half-duplex port, because the port is checking the wire to make sure that no traffic is present prior to sending a frame. This operation is the carrier sense procedure described by the carrier sense multiple access with collision detect (CSMA/CD) operation used on half-duplex connections.

Runts: A runt is a frame that is less than 64 bytes in size and has a bad CRC. A runt could result from a duplex mismatch or a Layer 1 issue.

Giants: A giant is a frame size greater than 1518 bytes (assuming that the frame is not a jumbo frame) that has a bad FCS. Typically, a giant is caused by a problem with the NIC in an attached host. The jumbo frame has a frame size greater than 1518 bytes, but it has a valid FCS.

Mismatched Duplex Settings

As shown in Table 3-2, duplex mismatches can cause a wide variety of port errors. Keep in mind that almost all network devices, other than shared media hubs, can run in full-duplex mode. Therefore, if you have no hubs in your network, all devices should be running in full-duplex mode. Full-duplex connections, however, do not use CSMA/CD.

Cisco Catalyst switchports should be configured to autonegotiate both speed and duplex, which is the default setting. Two justifications for this recommendation are as follows:

■ If a connected device supports only half-duplex, it is better for a switchport to negotiate down to half-duplex and run properly than to be forced to run full-duplex, which would result in multiple errors.

■ The automatic medium-dependent interface crossover (auto-MDIX) feature can automatically detect whether a port needs a crossover or a straight-through cable to interconnect with an attached device and adjust the port to work regardless of which cable type is connected. You can enable this feature in interface configuration mode with the mdix auto command on some models of Cisco Catalyst switches. However, the auto-MDIX feature requires that the port autonegotiate both speed and duplex.

In a mismatched duplex configuration, a switchport at one end of a connection is configured for full-duplex, whereas a switchport at the other end of a connection is configured for half-duplex. Among the different errors previously listed in Table 3-2, two of the biggest indicators of a duplex mismatch are a high FCS-Err counter and a high Late-Col counter. Specifically, a high FCS-Err counter is common to find on the full-duplex end of a connection with a mismatched duplex, whereas a high Late-Col counter is common on the half-duplex end of the connection. To illustrate, examine Examples 3-3 and 3-4, which display output based on the topology depicted in Figure 3-2. Example 3-3 shows the half-duplex end of a connection, and Example 3-4 shows the full-duplex end of a connection.

[Figure 3-2 Topology with Duplex Mismatch: SW1 Gig 0/9 (Half-Duplex) connected to SW2 Fa 5/47 (Full-Duplex)]

Example 3-3 Output from the show interfaces gig 1/0/9 counters errors and the show interfaces gig 1/0/9 | include duplex Commands on a Half-Duplex Port

SW1#show interfaces gig 1/0/9 counters errors
Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize
Gi1/0/9             0          0          0          0          0
Port      Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts     Giants
Gi1/0/9         5603          0       5373           0          0          0          0
SW1#show interfaces gig 1/0/9 | include duplex
  Half-duplex, 100Mb/s, link type is auto, media type is 10/100/1000BaseTX
SW1#

The half-duplex end sends a frame because it thinks it is safe to send based on the CSMA/CD rule. The full-duplex end sends a frame because it is always safe to send and a collision should not occur. When the collision occurs in this example, SW1 will cease to transmit the remainder of the frame (because the port is half-duplex) and will record that a late collision occurred. However, SW2 will continue to send and receive frames. The frames it receives will not be complete because SW1 did not send the entire frame. Therefore, the FCS (mathematical checksum) of the frame does not match, and we have FCS errors on the full-duplex side.
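The asymmetry just described (late collisions on the half-duplex end, FCS errors and runts on the full-duplex end) is mechanical enough to check automatically. The following Python is an added example, not code from the book or from Cisco: it parses the counter tables of show interfaces ... counters errors together with the duplex line, for both ends of a link, and reports whether the pattern matches a duplex mismatch. The sample captures are transcribed from Examples 3-3 and 3-4; the error threshold of 100 is an assumed value, not a Cisco recommendation.

```python
from __future__ import annotations
import re

# Constructed sample input: the two ends of the link in Figure 3-2, transcribed
# from Examples 3-3 (SW1, half-duplex) and 3-4 (SW2, full-duplex), with the
# "| include duplex" line appended to each capture.
SW1_HALF = """\
Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize
Gi1/0/9             0          0          0          0          0

Port      Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts     Giants
Gi1/0/9         5603          0       5373           0          0          0          0
Half-duplex, 100Mb/s, link type is auto, media type is 10/100/1000BaseTX
"""

SW2_FULL = """\
Port        Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize OutDiscards
Fa5/47              0       5248          0       5603         27           0

Port      Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts     Giants
Fa5/47             0          0          0           0          0        227          0

Port   SQETest-Err Deferred-Tx IntMacTx-Err IntMacRx-Err Symbol-Err
Fa5/47           0           0            0            0          0
Full-duplex, 100Mb/s
"""

# Assumed threshold (not from the book): counters at or below this are treated as noise.
THRESHOLD = 100

DUPLEX_RE = re.compile(r"^\s*(Half|Full)-duplex", re.IGNORECASE)


def parse_counters(text: str) -> tuple[dict[str, int], str | None]:
    """Parse 'show interfaces ... counters errors' output plus an optional duplex line.

    Each 'Port ...' header names the columns of the value row that follows it, so
    the parser pairs every header with the next row and builds one flat dict.
    """
    counters: dict[str, int] = {}
    duplex = None
    headers: list[str] | None = None
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        m = DUPLEX_RE.match(line)
        if m:
            duplex = m.group(1).lower()
            continue
        if cols[0] == "Port":
            headers = cols[1:]
            continue
        if headers and len(cols) == len(headers) + 1:
            counters.update((name, int(val)) for name, val in zip(headers, cols[1:]))
            headers = None
    return counters, duplex


def mismatch_indicators(counters: dict[str, int], duplex: str | None,
                        threshold: int = THRESHOLD) -> list[str]:
    """Apply the Table 3-2 / Figure 3-2 reasoning: late collisions pile up on the
    half-duplex end; FCS errors and runts (truncated frames) on the full-duplex end."""
    findings = []
    if duplex == "half" and counters.get("Late-Col", 0) > threshold:
        findings.append("half-duplex end: high Late-Col")
    if duplex == "full" and counters.get("FCS-Err", 0) > threshold:
        findings.append("full-duplex end: high FCS-Err")
    if duplex == "full" and counters.get("Runts", 0) > threshold:
        findings.append("full-duplex end: runts from truncated peer frames")
    return findings


def assess_link(end_a: str, end_b: str) -> dict:
    """Compare both ends of one link and report whether the duplex settings disagree."""
    ca, da = parse_counters(end_a)
    cb, db = parse_counters(end_b)
    return {
        "duplex": (da, db),
        "mismatch": None not in (da, db) and da != db,
        "indicators": mismatch_indicators(ca, da) + mismatch_indicators(cb, db),
    }


if __name__ == "__main__":
    print(assess_link(SW1_HALF, SW2_FULL))
```

Run against the two captures it reports duplex ("half", "full"), mismatch True, and three indicators. In practice you would capture, clear counters as the text suggests, wait, and capture again, so that the deltas rather than lifetime totals are compared against the threshold.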

A multilayer switch’s forwarding logic can impact switch performance. where each card in the chassis supports the highest combination of port densities and port speeds. TCAM works with a switch’s Cisco Express Forwarding (CEF) feature in the data plane (hardware) to provide extreme- ly fast forwarding decisions. However. A switch’s backplane. Therefore. if a switch’s TCAM is unable to forward traffic (for From the Library of Outcast Outcast . you might be able to conclude that the problem has been resolved by correcting a mismatched duplex configuration. as illustrated in Figure 3-3. you could clear the interface counters to see whether the errors continue to increment. is rarely the cause of a switch performance issue. you might experience a performance gain by simply moving a cable from one switchport to another. is populated into the TCAM tables at the data plane (hardware). 100Mb/s SW2# In your troubleshooting. the two primary components of forwarding hardware are forwarding logic and backplane. performing a file transfer) that the user was performing when he noticed the performance issue. Chapter 3: Troubleshooting Device Performance 101 Example 3-4 Output from the show interfaces fa 5/47 counters errors and the show interfaces fa 5/47 | include duplex Commands on a Full-Duplex Port SW2#show interfaces fa 5/47 counters errors Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize OutDiscards Fa5/47 0 5248 0 5603 27 0 Port Single-Col Multi-Col Late-Col Excess-Col Carri-Sen Runts Giants Fa5/47 0 0 0 0 0 227 0 Port SQETest-Err Deferred-Tx IntMacTx-Err IntMacRx-Err Symbol-Err Fa5/47 0 0 0 0 0 SW2#show interfaces fa 5/47 include duplex Full-duplex. the backplane will not have the throughput to support a fully populated chassis. you must be very familiar with the architecture of the switch with which you are working. This is accomplished because information from the control plane relating to routing processes such as unicast routing. 
The architecture of some switches allows groups of switchports to be handled by sepa- rate hardware. Then. However. However. as well as information related to traffic policies such as security and qual- ity of service (QoS) access control lists (ACLs). it is conceivable that in a modular switch chassis. you could change the duplex settings on the switch over which you do have control. to strategically take advantage of this design characteristic. because most Cisco Catalyst switches have high-capacity backplanes. and policy- based routing. A switch’s forwarding logic is compiled into a special type of memory called ternary content- addressable memory (TCAM). You could also perform the same activity (for example. if you suspect a duplex mismatch. even if you only have access to one of the switches. TCAM Troubleshooting As previously mentioned. however. By comparing the current performance to the performance experienced by the user. multicast routing.

Figure 3-3 Populating the TCAM (routing processes and traffic policies in the control plane populate the TCAM in the data plane)

The process of the TCAM sending packets to a switch's CPU is called punting. If the TCAM cannot forward a packet (for example, the TCAM table is full and does not have the information needed to forward the traffic), that traffic is sent (punted) to the CPU so that it can be forwarded by the switch's CPU. Consider a few reasons why a packet might be punted from a TCAM to its CPU:

■ Routing protocols, in addition to other control plane protocols such as Spanning Tree Protocol (STP), that send multicast or broadcast traffic will have that traffic sent to the CPU for processing.
■ Someone connecting to a switch administratively (for example, establishing a Telnet or Secure Shell [SSH] session with the switch) will have his packets sent to the CPU for processing.
■ Packets using a feature not supported in hardware (for example, packets traveling over a generic routing encapsulation [GRE] tunnel) are sent to the CPU for processing.
■ If a switch's TCAM has reached capacity, additional packets are punted to the CPU, which has a limited forwarding capability.

From the events listed, the event most likely to cause a switch performance issue is a TCAM filling to capacity. Therefore, when troubleshooting switch performance, you might want to investigate the state of the switch's TCAM. TCAM verification commands vary among switch platforms, so make sure to check the documentation for your switch model.

A TCAM might reach capacity if it has too many installed routes or configured access control lists. This is usually the case when you attempt to use a lower-end switch in place of a higher-end switch to save money. This is not generally a good practice. TCAMs cannot be upgraded; therefore, if you conclude that a switch's TCAM is the source of the performance problems being reported, you could either use a switch with higher-capacity TCAMs or reduce the number of entries

in a switch's TCAM. For example, you could try to optimize your ACLs by being more creative with the entries or leverage route summarization to reduce the number of route entries maintained by a switch's TCAM. Also, some switches (for example, Cisco Catalyst 2960, 3560, or 3750 series switches) enable you to change the amount of TCAM memory allocated to different switch features. This allows you to "borrow" TCAM memory that was reserved for one feature and use it for another feature, optimizing the resources on the switch.

Refer to Example 3-5, which displays the TCAM resource utilization on a Catalyst 3750E switch. Notice how a finite amount of resources has been reserved for various services and features on the switch. There is a maximum value for unicast MAC addresses, IPv4 unicast and multicast routes, as well as QoS and security access control entries.

Example 3-5 show platform tcam utilization Command Output on a Cisco Catalyst Switch
SW2#show platform tcam utilization
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                       6364/6364         35/35
 IPv4 IGMP groups + multicast routes:         1120/1120           1/1
 IPv4 unicast directly-connected routes:      6144/6144           9/9
 IPv4 unicast indirectly-connected routes:    2048/2048     2048/2048
 IPv4 policy based routing aces:                442/442         12/12
 IPv4 qos aces:                                 512/512         21/21
 IPv4 security aces:                            954/954         42/42
Note: Allocation of TCAM entries per feature uses a complex algorithm.
The above information is meant to provide an abstract view of the current TCAM utilization

It appears from this example that SW2 has maxed out the amount of resources that are reserved for IPv4 unicast indirectly connected routes. Therefore, if a packet needs to be forwarded and the needed information is not in the TCAM, it will be punted to the CPU. In this case, more resources need to be reserved for IPv4 routing. This can be accomplished by changing the Switch Database Management (SDM) template on the switch.

Using the show sdm prefer command on SW2, as shown in Example 3-6, indicates that the current SDM template is "desktop default," which is the default template on a 3750E Catalyst switch. To reallocate more resources to IPv4 routing, you can change the SDM template; in this case, the template needs to be changed.

Example 3-6 show sdm prefer Command Output on a Cisco Catalyst Switch
SW2#show sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in the switch to support this level of features for

8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 0.875k

Using the global configuration command sdm prefer, as shown in Example 3-7, allows you to change the SDM template. In this case, the SDM template is being changed to routing so that more resources will be used for IPv4 unicast routing.

Example 3-7 Changing the SDM Template on a Cisco 3750E Catalyst Switch
SW2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#sdm prefer ?
  access                          Access bias
  default                         Default bias
  dual-ipv4-and-ipv6              Support both IPv4 and IPv6
  indirect-ipv4-and-ipv6-routing  Supports more V4 and V6 Indirect Routes
  lanbase-routing                 Supports both IPv4 and IPv6 Static Routing
  routing                         Unicast bias
  vlan                            VLAN bias
SW2(config)#sdm prefer routing
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
SW2(config)#exit
SW2#reload
System configuration has been modified. Save? [yes/no]: yes
Building configuration...
[OK]
Proceed with reload? [confirm]
%SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.

After the reload, notice how the SDM template is listed as "desktop routing" in Example 3-8 and that more resources are now dedicated to IPv4 indirect routes. However, also notice that while more resources are allocated to IPv4 unicast routes, fewer resources are allocated to other features, such as unicast MAC addresses.

Example 3-8 Verifying That the SDM Template Was Changed After Reload
SW2#show sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

In Example 3-9, the output of show platform tcam utilization shows that the max masks/values are now 8144/8144 for IPv4 unicast indirectly connected routes; before, they were 2048. In addition, the used masks/values are now 3148, and therefore, the TCAM can forward traffic without having to punt the packets to the CPU.

Example 3-9 Verifying the TCAM Utilization on the 3750E Catalyst Switch
SW2#show platform tcam utilization
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                       3292/3292         35/35
 IPv4 IGMP groups + multicast routes:         1120/1120           1/1
 IPv4 unicast directly-connected routes:      3072/3072           8/8
 IPv4 unicast indirectly-connected routes:    8144/8144     3148/3148
 IPv4 policy based routing aces:                490/490         13/13
 IPv4 qos aces:                                 474/474         21/21
 IPv4 security aces:                            964/964         42/42
Note: Allocation of TCAM entries per feature uses a complex algorithm.
The above information is meant to provide an abstract view of the current TCAM utilization

High CPU Utilization Troubleshooting on a Switch

The load on a switch's CPU is often low, even under high utilization, thanks to the TCAM. Because the TCAM maintains a switch's forwarding logic at the data plane, the CPU is rarely tasked to forward traffic. The show processes cpu command can be used on a Cisco Catalyst switch to display CPU utilization levels, as demonstrated in Example 3-10.
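The TCAM capacity check that Examples 3-5 and 3-9 walk through by eye can be automated. The following Python script is an added example, not code from the Cert Guide or from Cisco: it parses show platform tcam utilization output, flags features at or near their allocation, and reports how an SDM template change shifted the allocations. The two samples are constructed from the figures in Examples 3-5 and 3-9; the 90 percent alerting threshold is an assumed value.

```python
"""Added example (not from the Cert Guide): parse the output of
'show platform tcam utilization' and flag features whose allocated TCAM
entries are exhausted, the condition that forces punting to the CPU.
The two samples below are constructed from Examples 3-5 and 3-9."""
import re

# Constructed sample: the figures of Example 3-5, before the SDM template change.
TCAM_BEFORE = """\
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                       6364/6364         35/35
 IPv4 IGMP groups + multicast routes:         1120/1120           1/1
 IPv4 unicast directly-connected routes:      6144/6144           9/9
 IPv4 unicast indirectly-connected routes:    2048/2048     2048/2048
 IPv4 policy based routing aces:                442/442         12/12
 IPv4 qos aces:                                 512/512         21/21
 IPv4 security aces:                            954/954         42/42
Note: Allocation of TCAM entries per feature uses a complex algorithm.
"""

# Constructed sample: the figures of Example 3-9, after 'sdm prefer routing' and a reload.
TCAM_AFTER = """\
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                       3292/3292         35/35
 IPv4 IGMP groups + multicast routes:         1120/1120           1/1
 IPv4 unicast directly-connected routes:      3072/3072           8/8
 IPv4 unicast indirectly-connected routes:    8144/8144     3148/3148
 IPv4 policy based routing aces:                490/490         13/13
 IPv4 qos aces:                                 474/474         21/21
 IPv4 security aces:                            964/964         42/42
"""

# One feature row: "<name>:  <max masks>/<max values>  <used masks>/<used values>"
ROW = re.compile(
    r"^\s*(?P<feature>[^:]+?):\s+(?P<max_m>\d+)/(?P<max_v>\d+)"
    r"\s+(?P<used_m>\d+)/(?P<used_v>\d+)\s*$"
)


def parse_tcam(text):
    """Map each feature name to (max_values, used_values); other lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m["feature"].strip()] = (int(m["max_v"]), int(m["used_v"]))
    return table


def saturated_features(table, threshold=0.90):
    """Features using at least `threshold` of their allocation, fullest first.

    A feature at 100% cannot accept new entries, so traffic that needs them
    is punted to the CPU (the symptom discussed for Example 3-5)."""
    hits = []
    for feature, (maximum, used) in table.items():
        if maximum and used / maximum >= threshold:
            hits.append((feature, used, maximum, round(used / maximum, 3)))
    return sorted(hits, key=lambda h: h[3], reverse=True)


def compare_allocations(before, after):
    """(max_before, max_after, used_before, used_after) per feature whose
    allocation changed: what an SDM template change gave and took away."""
    changes = {}
    for feature in before.keys() & after.keys():
        max_b, used_b = before[feature]
        max_a, used_a = after[feature]
        if max_b != max_a:
            changes[feature] = (max_b, max_a, used_b, used_a)
    return changes


if __name__ == "__main__":
    before, after = parse_tcam(TCAM_BEFORE), parse_tcam(TCAM_AFTER)
    for hit in saturated_features(before):
        print("before: %s at %d/%d (%.0f%%)" % (hit[0], hit[1], hit[2], hit[3] * 100))
    for feature, (mb, ma, ub, ua) in sorted(compare_allocations(before, after).items()):
        print("%-42s max %5d -> %5d, used %5d -> %5d" % (feature, mb, ma, ub, ua))
```

A feature at 100 percent is the value to alert on, because that is the point at which new entries fail to install and matching packets are punted; the before/after comparison shows what the routing template took away (unicast MAC and directly connected entries) in exchange for the larger indirect-route allocation.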

Example 3-10 show processes cpu Command Output on a Cisco Catalyst Switch
SW1#show processes cpu
CPU utilization for five seconds: 19%/15%; one minute: 20%; five minutes: 13%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           0         4          0  0.00%  0.00%  0.00%   0 Chunk Manager
   2           0       610          0  0.00%  0.00%  0.00%   0 Load Meter
   3         128         5      25600  0.00%  0.00%  0.00%   0 crypto sw pk pro
   4        2100       315       6666  0.05%  0.00%  0.05%   0 Check heaps
...OUTPUT OMITTED...

Notice in the output in Example 3-10 that the switch is reporting a 19 percent CPU load, with 15 percent of the CPU load used for interrupt processing. Although such load utilization values might not be unusual for a router, these values might be of concern for a switch. Specifically, a typical CPU load percentage dedicated to interrupt processing is no more than 5 percent. A value as high as 10 percent is considered acceptable. If the interrupt percent is greater than 10, take time to look into the reason why. However, the output given in Example 3-10 shows a 15 percent utilization, which is considered high for a Catalyst switch. Such a level implies that the switch's CPU is actively involved in forwarding packets that should normally be handled by the switch's TCAM. Of course, this value might be normal for your organization based on baseline information, even though according to Cisco it is a cause for concern. Periodic spikes in processor utilization are also not a major cause for concern if such spikes can be explained. Consider the following reasons that might cause a switch's CPU utilization to spike:

■ The CPU is processing routing updates.
■ The administrator is issuing a debug command (or other processor-intensive commands).
■ Simple Network Management Protocol (SNMP) is being used to poll network devices.

Therefore, when troubleshooting a performance issue, realize that a switch's high CPU utilization might be a symptom of another issue. A high CPU utilization on a switch might be a result of STP. Recall that an STP failure could lead to a broadcast storm, where Layer 2 broadcast frames endlessly circulate through a network.

If you determine that a switch's high CPU load is primarily the result of interrupts, examine the switch's packet-switching patterns and check the TCAM utilization. If the high CPU utilization is primarily the result of processes, take the time to investigate those specific processes.

Troubleshooting Router Performance Issues

As you have seen, a Cisco Catalyst switch's performance can be the source of network problems. Similarly, a router performance issue can impact user data flowing through the network. This section investigates three potential router issues,

each of which might result in poor router performance:

■ Excessive CPU utilization
■ The packet-switching mode of a router
■ Excessive memory utilization

Excessive CPU Utilization

A router's processor (that is, CPU) utilization escalating to a high level but only remaining at that high level for a brief time could represent normal behavior. However, if a router's CPU utilization continually remains at a high level, network performance issues might result. As an administrator, you might notice a sluggish response to Telnet sessions or SSH sessions that you attempt to establish with a router. Or, you might experience longer-than-normal ping response times from a router. Such symptoms might indicate a router performance issue. In these examples, the router's CPU is so busy it does not have time to respond to your Telnet session or the pings you have sent. Aside from latency that users and administrators can experience, a router whose CPU is overtaxed might not send routing protocol messages to neighboring routers in a timely fashion. As a result, routing protocol adjacencies can fail, resulting in some networks becoming unreachable.

Processes That Commonly Cause Excessive CPU Utilization

One reason that the CPU of a router might be overloaded is that the router is running a process that is taking up an unusually high percentage of its CPU resources. Following are four such processes that can result in excessive CPU utilization:

■ ARP Input process: The ARP Input process is in charge of sending Address Resolution Protocol (ARP) requests. This process can consume an inordinate percentage of CPU resources if the router has to send numerous ARP requests. One configuration that can cause such a high number of ARP requests is having a default route configured that points to an Ethernet interface. For example, perhaps a router had the ip route 0.0.0.0 0.0.0.0 fastethernet 0/1 command entered in global configuration mode so that all packets with no explicit route in the routing table will be forwarded out Fa0/1. At first, this appears harmless. However, such a configuration should be avoided because an ARP Request has to be sent for every destination IP address in every packet that is received by the router and forwarded out Fa0/1. This is because the ip route command is stating that all IP addresses (0.0.0.0 0.0.0.0) are reachable through the directly connected interface fastethernet 0/1. Therefore, instead of ARPing for the MAC address of a next-hop IP address, you ARP for the MAC address of the destination IP address in each packet. That will result in an excessive number of ARP requests, which will cause strain on the CPU. In addition, many of the ARP requests will go unanswered and result in dropped packets. The better option is to specify the next-hop IP address because the router will only have

to ARP for the MAC of the next-hop IP address when forwarding the packets out Fa0/1.

■ Net Background process: An interface has a certain number of buffers available to store packets. These buffers are sometimes referred to as the queue of an interface. If an interface needs to store a packet in a buffer but all interface buffers are in use, the interface can pull from a main pool of buffers that the router maintains. The process that allows an interface to allocate one of these globally available buffers is Net Background. If the throttles, ignored, and overrun parameters are incrementing on an interface, the underlying cause might be the Net Background process consuming too many CPU resources.

■ IP Background process: The IP Background process handles an interface changing its state. A state change might be an interface going from an Up state to a Down state, or vice versa. Another example of state change is an interface's IP address changing. Therefore, anything that can cause repeated state changes, such as bad cabling, might result in the IP Background process consuming a high percentage of CPU resources.

■ TCP Timer process: The TCP Timer process runs for each TCP router connection, whether they are established or embryonic. An established TCP connection is one that has successfully completed the three-way handshake. An embryonic connection occurs when the TCP three-way handshake is only two-thirds completed. For example, the client sends the SYN packet to the server, and then the server sends a SYN/ACK back. At this point, the server is in the embryonic state (waiting for an ACK from the client to complete the three-way handshake and establish the connection). However, if the client does not send the ACK back, the server will sit in the embryonic state until it times out. This could be due to connectivity issues or malicious intent. Therefore, many connections can result in high CPU utilization by the TCP Timer process.

Cisco IOS Commands Used for Troubleshooting High Processor Utilization

Table 3-3 offers a collection of show commands that can be valuable when troubleshooting high CPU utilization on a router.

Table 3-3 Commands for Troubleshooting High CPU Utilization

Command: show ip arp
Description: Displays the ARP cache for a router. If several entries are in the Incomplete state, you might suspect a malicious scan (for example, a ping sweep) of a subnet, or you have a route pointing out an Ethernet interface as described in our ARP Input process discussion.

Command: show interface interface_type interface_number
Description: Displays a collection of interface statistics. If the throttles, overruns, or ignored counters continually increment, you might suspect that the Net Background process is attempting to allocate buffer space for an interface from the main buffer pool of the router.

Command: show tcp statistics
Description: Provides information about the number of TCP segments a router sends and receives, including the number of connections initiated, accepted, established, and closed. A high number of connections can explain why the TCP Timer process might be consuming excessive CPU resources. If you see an excessive number of embryonic connections, you might be under a denial-of-service (DoS) attack.

Command: show processes cpu
Description: Displays average CPU utilization over 5-second, 1-minute, and 5-minute intervals, in addition to listing all the router processes and the percentage of CPU resources consumed by each of those processes.

Command: show processes cpu history
Description: Displays a graphical view of CPU utilization over the past 60 seconds, 1 hour, and 3 days. This graphical view can indicate whether an observed high CPU utilization is a temporary spike in utilization or whether the high CPU utilization is an ongoing condition.

Example 3-11 shows sample output from the show ip arp command. In the output, only a single instance exists of an Incomplete ARP entry. However, a high number of such entries can suggest the scanning of network resources, which might indicate malicious reconnaissance traffic or that you have a route pointing out an Ethernet interface instead of to a next-hop IP address.

Example 3-11 show ip arp Command Output
R2#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.3.3.2                61   0009.b7fa.d1e0  ARPA   Ethernet0/0
Internet  10.3.3.1                 -   00d0.06fe.9ea0  ARPA   Ethernet0/0
Internet  192.168.3.50             0   Incomplete      ARPA

Example 3-12 shows sample output from the show interface interface_type interface_number command. Note the throttles, overrun, and ignored counters. If these counters continue to increment, the Net Background process might be consuming excessive CPU resources while it allocates buffers from the main buffer pool of the router.
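Table 3-3 describes the counters to watch; the script below, an added example that is not from the Cert Guide, applies those checks to captured output from show processes cpu, show ip arp, show tcp statistics, and two show interface snapshots, and also applies the interrupt-load rule of thumb from the switch discussion above. All sample output is constructed for a router whose default route points out an Ethernet interface (the ARP Input case described above); the thresholds (10 percent interrupt load, 5 percent for a single process, two Incomplete entries, a ten-to-one initiated-to-established ratio) are assumed values, not Cisco guidance.

```python
"""Added example (not from the Cert Guide): apply the Table 3-3 checks to
captured command output. All samples are constructed to mimic a router whose
default route points out an Ethernet interface; addresses and numbers are
made up for illustration."""
import re

# Constructed 'show processes cpu' excerpt: ARP Input dominating the load.
CPU_SAMPLE = """\
CPU utilization for five seconds: 34%/13%; one minute: 36%; five minutes: 32%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  12     4020       69051        58 18.70% 19.10% 17.90%   0 ARP Input
  21      132         418       315  0.00%  0.00%  0.00%   0 Net Background
  47       84         711       118  0.40%  0.30%  0.30%   0 TCP Timer
  53      273         157      1738  0.00%  0.00%  0.00%   0 IP Background
"""

# Constructed 'show ip arp' excerpt: several destinations stuck in Incomplete.
ARP_SAMPLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.3.3.2                61   0009.b7fa.d1e0  ARPA   Ethernet0/0
Internet  10.3.3.1                 -   00d0.06fe.9ea0  ARPA   Ethernet0/0
Internet  192.168.3.50             0   Incomplete      ARPA
Internet  192.168.3.51             0   Incomplete      ARPA
Internet  192.168.3.52             0   Incomplete      ARPA
"""

# Constructed 'show tcp statistics' line: many handshakes never complete.
TCP_SAMPLE = "150 Connections initiated, 2 connections accepted, 4 connections established"

# Two constructed 'show interface' snapshots taken a few seconds apart.
IF_T0 = "     0 input errors, 0 CRC, 0 frame,  5 overrun, 12 ignored\n  Received 861 broadcasts, 0 runts, 0 giants,  3 throttles"
IF_T1 = "     0 input errors, 0 CRC, 0 frame, 41 overrun, 80 ignored\n  Received 902 broadcasts, 0 runts, 0 giants, 19 throttles"

HEADER = re.compile(r"five seconds: (\d+)%/(\d+)%; one minute: (\d+)%; five minutes: (\d+)%")
PROC = re.compile(r"^\s*\d+\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+[\d.]+%\s+[\d.]+%\s+\S+\s+(.+?)\s*$")
COUNTERS = ("throttles", "overrun", "ignored")


def cpu_summary(text):
    """(total%, interrupt%, 1-minute%, 5-minute%) from the first line of show processes cpu."""
    return tuple(int(x) for x in HEADER.search(text).groups())


def top_processes(text, limit=3):
    """Processes ordered by their 5-second CPU share, highest first."""
    rows = [(m.group(2), float(m.group(1))) for m in map(PROC.match, text.splitlines()) if m]
    return sorted(rows, key=lambda r: r[1], reverse=True)[:limit]


def incomplete_arp_entries(text):
    """Number of ARP entries stuck in the Incomplete state."""
    return sum(1 for line in text.splitlines() if re.search(r"\bIncomplete\b", line))


def tcp_handshake_gap(text):
    """(initiated, established): a large gap means three-way handshakes are not completing."""
    m = re.search(r"(\d+) Connections initiated, \d+ connections accepted, (\d+) connections established", text)
    return int(m.group(1)), int(m.group(2))


def counter_deltas(before, after):
    """Growth of the throttles/overrun/ignored counters between two snapshots."""
    def read(text):
        return {c: int(re.search(r"(\d+) " + c, text).group(1)) for c in COUNTERS}
    b, a = read(before), read(after)
    return {c: a[c] - b[c] for c in COUNTERS}


def findings(cpu, arp, tcp, if_before, if_after, interrupt_limit=10, arp_limit=2):
    """Plain-language triage notes following the rules of thumb in this section."""
    notes = []
    total, interrupt, _, _ = cpu_summary(cpu)
    if interrupt > interrupt_limit:
        notes.append("interrupt load %d%% exceeds %d%%: check the packet-switching path" % (interrupt, interrupt_limit))
    name, share = top_processes(cpu, 1)[0]
    if share > 5:
        notes.append("process '%s' at %.1f%% dominates the %d%% total" % (name, share, total))
    if incomplete_arp_entries(arp) >= arp_limit:
        notes.append("%d Incomplete ARP entries: scan, or a route pointing out an Ethernet interface?" % incomplete_arp_entries(arp))
    initiated, established = tcp_handshake_gap(tcp)
    if initiated > 10 * max(established, 1):
        notes.append("%d TCP connections initiated but only %d established" % (initiated, established))
    growing = [c for c, d in counter_deltas(if_before, if_after).items() if d > 0]
    if growing:
        notes.append("interface counters still incrementing: " + ", ".join(growing))
    return notes


if __name__ == "__main__":
    for note in findings(CPU_SAMPLE, ARP_SAMPLE, TCP_SAMPLE, IF_T0, IF_T1):
        print("-", note)
```

Each note maps back to one row of Table 3-3: the ARP Input process and the Incomplete entries point at the default-route configuration, the initiated-versus-established gap is the embryonic-connection symptom the TCP Timer discussion describes, and counters that keep growing between snapshots are the Net Background indicator; a single snapshot with non-zero counters is not by itself a finding, which is why two are compared.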

Example 3-12 show interface interface_type interface_number Command Output
R2#show interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 00d0.06fe.9ea0 (bia 00d0.06fe.9ea0)
  Internet address is 10.3.3.1/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:02, output 00:00:02, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     2156 packets input, 164787 bytes, 0 no buffer
     Received 861 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     2155 packets output, 212080 bytes, 0 underruns
     0 output errors, 0 collisions, 7 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Example 3-13 shows sample output from the show tcp statistics command. If the output indicates numerous connections, the TCP Timer process might be consuming excessive CPU resources while simultaneously maintaining all those connections. If you have a high number of initiated connections with a low number of established connections, it indicates that the three-way handshake is not being completed. This might be due to a DoS attack that is attempting to consume all the TCP connection slots.

Example 3-13 show tcp statistics Command Output
R2#show tcp statistics
Rcvd: 689 Total, 0 no port
      0 checksum error, 0 bad offset, 0 too short
      474 packets (681 bytes) in sequence
      0 dup packets (0 bytes)
      0 partially dup packets (0 bytes)
      0 out-of-order packets (0 bytes)
      0 packets (0 bytes) with data after window
      0 packets after close
      0 window probe packets, 0 window update packets

      1 dup ack packets, 0 ack packets with unsend data
      479 ack packets (14205 bytes)
Sent: 570 Total, 0 urgent packets
      1 control packets (including 0 retransmitted)
      562 data packets (14206 bytes)
      0 data packets (0 bytes) retransmitted
      0 data packets (0 bytes) fastretransmitted
      7 ack only packets (7 delayed)
      0 window probe packets, 0 window update packets
0 Connections initiated, 1 connections accepted, 1 connections established
0 Connections closed (including 0 dropped, 0 embryonic dropped)
0 Total rxmt timeout, 0 connections dropped in rxmt timeout
0 Keepalive timeout, 0 keepalive probe, 0 Connections dropped in keepalive

Example 3-14 shows sample output from the show processes cpu command. The output in this example indicates a 34 percent CPU utilization in the past 5 seconds, with 13 percent of CPU resources being spent on interrupts. The output also shows the 1-minute CPU utilization average as 36 percent and the 5-minute average as 32 percent. Individual processes running on the router are also shown, along with their CPU utilization levels. Note the ARP Input, Net Background, TCP Timer, and IP Background processes referred to in this section.

Example 3-14 show processes cpu Command Output
R2#show processes cpu
CPU utilization for five seconds: 34%/13%; one minute: 36%; five minutes: 32%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
...OUTPUT OMITTED...
  12           4        69         57  0.00%  0.00%  0.00%   0 ARP Input
  13           0         1          0  0.00%  0.00%  0.00%   0 HC Counter Timer
  14           0         5          0  0.00%  0.00%  0.00%   0 DDR Timers
  15          12         2       6000  0.00%  0.00%  0.00%   0 Entity MIB API
  16           4         2       2000  0.00%  0.00%  0.00%   0 ATM Idle Timer
  17           0         1          0  0.00%  0.00%  0.00%   0 SERIAL A'detect
  18           0      3892          0  0.00%  0.00%  0.00%   0 GraphIt
  19           0         2          0  0.00%  0.00%  0.00%   0 Dialer event
  20           0         1          0  0.00%  0.00%  0.00%   0 Critical Bkgnd
  21         132       418        315  0.00%  0.00%  0.00%   0 Net Background
  22           0        15          0  0.00%  0.00%  0.00%   0 Logger
...OUTPUT OMITTED...
  46           0       521          0  0.00%  0.00%  0.00%   0 SSS Test Client
  47          84       711        118  0.00%  0.00%  0.00%   0 TCP Timer
  48           4         3       1333  0.00%  0.00%  0.00%   0 TCP Protocols
  49           0         1          0  0.00%  0.00%  0.00%   0 Socket Timers
  50           0        15          0  0.00%  0.00%  0.00%   0 HTTP CORE
  51          12         5       2400  0.00%  0.00%  0.00%   0 PPP IP Route
  52           4         5        800  0.00%  0.00%  0.00%   0 PPP IPCP

  53         273       157       1738  0.00%  0.00%  0.00%   0 IP Background
  54           0        74          0  0.00%  0.00%  0.00%   0 IP RIB Update
...OUTPUT OMITTED...

Example 3-15 shows sample output from the show processes cpu history command. The graphical output produced by this command is useful in determining whether a CPU spike is temporary or whether it is an ongoing condition.

Example 3-15 show processes cpu history Command Output
R2#show processes cpu history

    4 11111 4444411111 11111
    944444555554444444444777775555588888888887777755555777775555
100
 90
 80
 70
 60
 50 *  *****
 40 *  *****
 30 *  *****
 20 *  *****  **********  *****
 10 *  *****  *************************************
   0....5....1....1....2....2....3....3....4....4....5....5....6
             0    5    0    5    0    5    0    5    0    5    0
               CPU% per second (last 60 seconds)

    611111111112111221131111111111111121111111111111211111111111
    376577846281637117756665771573767217674374737664008927775277
100
 90
 80
 70
 60 *
 50 *
 40 * *
 30 * *
 20 ******* * *** ************ ** *** **** * * *** * ** ****
 10 ##########################################################
   0....5....1....1....2....2....3....3....4....4....5....5....6
             0    5    0    5    0    5    0    5    0    5    0

               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%

    56434334644444334443442544453443
    46868692519180723579483247519306
100
 90
 80
 70 * *
 60 * *
 50 *** * * * * ** * * ***
 40 *************** ****** *********
 30 ********************** *********
 20 ********************************
 10 ################################
   0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
             0    5    0    5    0    5    0    5    0    5    0    5    0
               CPU% per hour (last 72 hours)
              * = maximum CPU%   # = average CPU%

Understanding Packet-Switching Modes (Routers and Multilayer Switches)

In addition to the high CPU utilization issues previously discussed, a router's packet-switching mode can impact router performance. Before discussing the most common switching modes, however, realize that the way a router handles packets (or is capable of handling packets) largely depends on the router's architecture. Therefore, for real-world troubleshooting, consult the documentation for your router to determine how it implements packet switching. In general, Cisco routers and multilayer switches support the following three primary modes of packet switching:

■ Process switching
■ Fast switching (route caching)
■ Cisco Express Forwarding (topology-based switching)

Packet switching involves the router making a decision about how a packet should be forwarded and then forwarding that packet out of the appropriate router interface.

Operation of Process Switching

When a router routes a packet (that is, performs packet switching), the router removes the packet's Layer 2 header, examines the Layer 3 addressing, and decides how to forward

the packet. The Layer 2 header is then rewritten (which involves changing the source and destination MAC addresses and computing a new FCS), and then the packet is forwarded out of the appropriate interface. With process switching, as illustrated in Figure 3-4, the router's CPU becomes directly involved with packet-switching decisions. As a result, the performance of a router configured for process switching can suffer significantly.

Figure 3-4 Data Flow with Process Switching (every packet of a data flow travels from the ingress interface up to the CPU in the control plane and back down to the egress interface in the data plane)

An interface can be configured for process switching by disabling fast switching and CEF on that interface. The interface configuration mode command used to disable fast switching and CEF at the same time is no ip route-cache.

Operation of Fast Switching (Route Caching)

Fast switching uses a fast cache maintained in a router's data plane. The fast cache contains information about how traffic from different data flows should be forwarded. As shown in Figure 3-5, the first packet in a data flow is process-switched by a router's CPU. After the router determines how to forward the first packet of a data flow, that forwarding information is stored in the fast cache. Subsequent packets in that same data flow are forwarded based on information in the fast cache, as opposed to being process-switched. As a result, fast switching reduces a router's CPU utilization when compared to process switching. You can enable fast switching by turning off CEF in interface configuration mode with the no ip route-cache cef command.

Figure 3-5 Data Flow with Fast Switching (packet #1 of a data flow goes to the CPU, which writes forwarding information into the fast cache; subsequent packets in the data flow are forwarded from the fast cache in the data plane)

Operation of Cisco Express Forwarding (Topology-Based Switching)

Cisco Express Forwarding (CEF) maintains two tables in the data plane, populated from a router's IP routing table and ARP cache. Specifically, the Forwarding Information Base (FIB) maintains Layer 3 forwarding information, whereas the Adjacency Table maintains Layer 2 information for next hops listed in the FIB. Using these tables, CEF can efficiently make forwarding decisions. Unlike fast switching, CEF does not require the first packet of a data flow to be process-switched. Rather, an entire data flow can be forwarded at the data plane, as shown in Figure 3-6.

Figure 3-6 Data Flow with Cisco Express Forwarding (the IP routing table in the control plane supplies Layer 3 information to the FIB and the ARP cache supplies Layer 2 information to the adjacency table; data flows are forwarded entirely within the data plane)
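To make the difference between the three modes concrete, here is a small model written for this text (not code from the Cert Guide or from Cisco IOS): it counts how many packets of a constructed stream must involve the CPU under process switching, fast switching, and CEF. The routing table, ARP cache, and packet stream are made up; a destination whose adjacency has not been resolved yet is treated as a packet the CPU must handle even under CEF.

```python
"""Added example (not from the Cert Guide): a toy model of process switching,
fast switching and CEF that counts how many packets of a constructed stream
must be handled by the CPU under each mode. Routes, ARP entries and packets
are all made up for illustration."""
import ipaddress

# Constructed control-plane state: routing table (None = directly connected) and ARP cache.
ROUTES = {
    "10.3.3.0/24": None,
    "10.8.8.0/24": None,
    "192.168.3.0/24": "10.3.3.1",
    "0.0.0.0/0": "10.3.3.1",
}
ARP_CACHE = {"10.3.3.1": "00d0.06fe.9ea0", "10.8.8.6": "0009.b7fa.d1e0"}

# Constructed packet stream: a repeated flow, a burst to new hosts, and an unresolved neighbor.
PACKETS = ["10.8.8.6"] * 3 + ["192.168.3.10", "192.168.3.11", "192.168.3.12"] + ["10.8.8.77"] * 2


def resolve(dst):
    """Longest-prefix match plus Layer 2 lookup: (next_hop, mac). mac is None when
    the next hop is not in the ARP cache, so an ARP request would be needed."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in map(ipaddress.ip_network, ROUTES) if addr in n),
               key=lambda n: n.prefixlen)
    next_hop = ROUTES[str(best)] or dst     # directly connected: ARP for the destination itself
    return next_hop, ARP_CACHE.get(next_hop)


def forward(packets, mode):
    """Forward a list of destinations; return (packets handled by the CPU, decisions)."""
    cpu_packets, decisions, fast_cache = 0, [], {}
    for dst in packets:
        if mode == "process":
            cpu_packets += 1                       # every packet is looked up by the CPU
            decision = resolve(dst)
        elif mode == "fast":
            if dst not in fast_cache:              # first packet of a flow builds the cache entry
                cpu_packets += 1
                fast_cache[dst] = resolve(dst)
            decision = fast_cache[dst]
        elif mode == "cef":
            decision = resolve(dst)                # FIB and adjacency table are prebuilt...
            if decision[1] is None:                # ...but a missing adjacency still needs the CPU
                cpu_packets += 1
        else:
            raise ValueError("unknown mode: " + mode)
        decisions.append(decision)
    return cpu_packets, decisions


def cpu_packets_by_mode(packets):
    """{mode: packets that reached the CPU} for the three switching modes."""
    return {mode: forward(packets, mode)[0] for mode in ("process", "fast", "cef")}


if __name__ == "__main__":
    for mode, count in cpu_packets_by_mode(PACKETS).items():
        print("%-8s %d of %d packets handled by the CPU" % (mode, count, len(PACKETS)))
```

The fast-switching count grows with the number of distinct destinations, which is why a burst of traffic to many new hosts (the ARP Input and ping-sweep cases earlier in this chapter) raises CPU load on a fast-switched router, while under CEF only destinations with no resolved adjacency reach the CPU.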

On many router platforms, CEF is enabled by default. If it is not, you can globally enable it with the ip cef command. Alternatively, you can enable CEF for a specific interface with the interface configuration mode command ip route-cache cef.

Date Night Example of Process-Switching Modes

Let's pretend that my wife and I are going out to dinner and we are leaving our two children with a babysitter. If we are "Process Switching" with the babysitter, every time our children ask the babysitter for a cookie, she has to call us to ask for permission to give the children a cookie. If the children ask ten times, she has to call us ten times. If we are "Fast Switching" with the babysitter, the first time she calls us, we say yes and then create a "route cache" for the babysitter that states, "if the kids want more, just give them more without calling us." Finally, if we are using "CEF" with the babysitter, before we leave for dinner, we take out the cookie jar, place it on the counter, and tell her to have an awesome evening with the kids. As you can see from this example, date night is better when we use CEF.

Troubleshooting Packet-Switching Modes

Table 3-4 provides a selection of commands that you can use when troubleshooting the packet-switching modes of a router.

Table 3-4 Commands for Troubleshooting a Router's Packet-Switching Modes

Command: show ip interface interface_type interface_number
Description: Displays multiple interface statistics, including information about the packet-switching mode of an interface.

Command: show ip cache
Description: Displays the contents of the route cache from a router if fast switching is enabled.

Command: show processes cpu | include IP Input
Description: Displays information about the IP input process on a router. The CPU utilization for this process might show a high value if the CPU of a router is actively engaged in process-switching traffic because you turned off fast switching and CEF.

Command: show ip cef
Description: Displays the contents of a router's FIB.

Command: show ip cef adjacency egress_interface_id next_hop_ip_address detail
Description: Displays destinations reachable through the combination of the specified egress interface and next-hop IP address.

Command: show adjacency detail
Description: Provides information contained in the adjacency table of a router.

Example 3-16 shows sample output from the show ip interface interface_type interface_number command. The output indicates that fast switching and CEF switching are enabled on interface Fast Ethernet 0/0. The reference to flow switching being disabled refers to the Cisco IOS NetFlow feature, which you can use to collect traffic statistics.

Example 3-16 show ip interface interface_type interface_number Command Output
R4#show ip interface fastethernet 0/0
FastEthernet0/0 is up, line protocol is up
...OUTPUT OMITTED...
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
...OUTPUT OMITTED...

Example 3-17 shows sample output from the show ip cache command. This command shows the contents of a router's route cache. If fast switching is enabled and CEF is disabled, a router begins to populate its route cache.

Example 3-17 show ip cache Command Output
R4#show ip cache
IP routing cache 3 entries, 588 bytes
  12 adds, 9 invalidates, 0 refcounts
Minimum invalidation interval 2 seconds, maximum interval 5 seconds,
  quiet interval 3 seconds, threshold 0 requests
Invalidation rate 0 in last second, 0 in last 3 seconds
Last full cache invalidation occurred 04:13:57 ago

Prefix/Length        Age       Interface        Next Hop
10.8.8.4/32          00:00:07  FastEthernet0/1  10.8.8.4
10.8.8.6/32          00:00:10  FastEthernet0/1  10.8.8.6
192.168.3.0/24       00:00:10  FastEthernet0/0  10.3.3.1

Example 3-18 shows sample output from the show processes cpu | include IP Input command. In the output, the IP input process was using only 0.08 percent of its router's CPU capacity during the last 5-second interval. However, a high percentage value might indicate that a router was performing process switching, where the CPU was directly involved in packet switching.

Example 3-18 show processes cpu | include IP Input Command Output
R4#show processes cpu | include IP Input
  63        3178        7320        434  0.08%  0.06%  0.04%   0 IP Input

Example 3-19 shows sample output from the show ip cef command. The output contains the contents of the FIB for a router. Notice that the prefix is listed, followed by the next hop that will be used to reach the prefix, and then the interface that will be used to reach it. Examining the output closely, you will see that the receive entries are subnet IDs, local host IP addresses, and broadcast addresses, ensuring that they are processed by the router and not forwarded. Note that if a next hop of the network prefix is set to receive, that network/IP is local to the router, and any packets destined to that specific IP will be processed by the CPU of the router. The attached next hop indicates that the network is a directly connected route on the router.

Example 3-19 show ip cef Command Output
R4#show ip cef
Prefix               Next Hop             Interface
0.0.0.0/0            drop                 Null0 (default route handler entry)
0.0.0.0/32           receive
10.3.8.0/24          attached             FastEthernet0/0
10.8.8.0/24          attached             FastEthernet0/1
...OUTPUT OMITTED...
224.0.0.0/4          drop
224.0.0.0/24         receive
255.255.255.255/32   receive

Example 3-20 shows sample output from the show ip cef adjacency egress_interface_id next_hop_ip_address detail command. This command shows the IP addresses that the router knows how to reach using the specified combination of next-hop IP address and egress interface. In this example, no other IP addresses are known to have a next-hop IP address of 10.8.8.6 with an egress interface of Fast Ethernet 0/1. Therefore, 10.8.8.6 is the IP address of a host and not a router. When you see a particular adjacency listed in the FIB, you can issue this command to confirm that the router has information about how to reach that adjacency.

Example 3-20 show ip cef adjacency egress-interface-id next-hop-IP-address detail Command Output
R4#show ip cef adjacency fa 0/1 10.8.8.6 detail
IP CEF with switching (Table Version 25), flags=0x0
  25 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 0
  25 leaves, 21 nodes, 25640 bytes, 90 inserts, 65 invalidations
  0 load sharing elements, 0 bytes, 0 references
  universal per-destination load sharing algorithm, id 24360DB1
  5(2) CEF resets, 1 revisions of existing leaves
  Resolution Timer: Exponential (currently 1s, peak 1s)
  0 in-place/0 aborted modifications
  refcounts: 5702 leaf, 5632 node

  Table epoch: 0 (25 entries at this epoch)

Adjacency Table has 5 adjacencies
10.8.8.6/32, version 10, epoch 0, cached adjacency 10.8.8.6
0 packets, 0 bytes
  via 10.8.8.6, FastEthernet0/1, 0 dependencies
    next hop 10.8.8.6, FastEthernet0/1
    valid cached adjacency

Example 3-21 shows sample output from the show adjacency detail command. In this case, if we need to send a packet to 10.3.8.1, we will send the packet out Fast Ethernet 0/0, which requires a Layer 2 frame with a source and destination MAC address. These MAC addresses are already listed in the adjacency table. The value 00D006FE9EA00009B7FAD1E00800 can be broken into three parts:

■ 00D006FE9EA0 = Destination MAC address
■ 0009B7FAD1E0 = Source MAC address
■ 0800 = Well-known Ethertype value for IP

Example 3-21 show adjacency detail Command Output
R4#show adjacency detail
Protocol Interface                 Address
IP       FastEthernet0/0           10.3.8.1(19)
                                   32 packets, 1920 bytes
                                   00D006FE9EA00009B7FAD1E00800
                                   ARP        03:53:01
                                   Epoch: 0
IP       FastEthernet0/1           10.8.8.6(5)
                                   4 packets, 264 bytes
                                   0008A3B895C40009B7FAD1E10800
                                   ARP        03:53:35
                                   Epoch: 0
...OUTPUT OMITTED...

Now that you have reviewed the different packet-switching options for a router, you can better analyze how a router is forwarding specific traffic. Following is a list of troubleshooting steps that you can follow if you suspect that network traffic is being impacted by a performance problem on one of the routers along the path from the source to the destination:

Step 1. Use the traceroute command to determine which router along the path is causing excessive delay.

Step 2. After you identify a router that is causing unusually high delay, use the show processes cpu command to see the CPU utilization of that router and identify any processes that might be consuming an unusually high percentage of the CPU.

Step 3. Use the show ip cef command to determine whether all the router interfaces are configured to use CEF.

Step 4. Use the show ip route ip_address command to verify that the router has a route to the destination IP address.

Step 5. Use the show ip cef ip_address 255.255.255.255 command to verify that CEF has an entry in its FIB that can reach the specified IP address. Part of the output from this command will be the next-hop adjacency to which traffic should be forwarded, along with the egress interface used to send traffic to that next hop.

Step 6. Issue the show adjacency interface_type interface_number detail command to verify that CEF has an entry in its adjacency table for the egress interface identified in Step 5.

Step 7. With the show ip arp command, you can then confirm that the router knows the MAC address associated with the next-hop IP address shown in the output from Step 6.

Step 8. You can then connect to the next-hop device and verify that the MAC address identified in Step 7 is indeed correct. You can repeat these steps on the next-hop device or on another router whose response time displayed in the output from Step 1 is suspect.

Excessive Memory Utilization

Much like a PC, router performance can suffer if it lacks sufficient available memory. For example, perhaps you install a version of Cisco IOS on a router, and that router does not have the minimum amount of memory required to support that specific Cisco IOS image. Even though the router might load the image and function, its performance might be sluggish. Assuming that a router does have the recommended amount of memory for its installed Cisco IOS image, consider the following as potential memory utilization issues.

Memory Leak

When a router starts a process, that process can allocate a block of memory. When the process completes, the process should return its allocated memory to the router's pool of memory. If not all allocated memory is returned to the router's main memory pool, a memory leak occurs. Such a condition usually results from a bug in the Cisco IOS version running on the router, requiring an upgrade of the router's Cisco IOS image.

Example 3-22 shows sample output from the show memory allocating-process totals command. This command can help identify memory leaks. The output shows information about memory availability on a router after the Cisco IOS image of the router has been decompressed and loaded, and the total amount of memory that is being used by the various processes. The Head column in the output refers to the address (in hexadecimal) of the memory allocation chain. The Total column is the total amount of memory available in bytes.

Example 3-22 show memory allocating-process totals Command Output
R4#show memory allocating-process totals
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   83D27480    67463064    15347168    52115896    50311080    50127020
      I/O    7C21800     4057088     2383016     1674072     1674072     1674044

Allocator PC Summary for: Processor

  PC          Total    Count  Name
0x809D7A30  1749360      180  Process Stack
0x80A7F664   918024       10  Init
0x81CEF6A0   882576        4  pak subblock chunk
0x81C04D9C   595344       54  TCL Chunks
0x800902A4   490328        6  MallocLite
...OUTPUT OMITTED...
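The step list above ends by checking that the MAC address CEF will write into the frame (Step 7) matches what the next-hop device actually uses (Step 8). The following Python script, added here as an illustration and not taken from the book or from Cisco IOS, automates the check: it parses adjacency entries laid out like Example 3-21, splits each 28-digit rewrite string into the destination MAC, source MAC, and Ethertype described for Example 3-21, and compares the destination MAC with a next-hop-to-MAC mapping of the kind show ip arp reports. The sample adjacency text and the ARP mapping are constructed from the values in Example 3-21; the function and regular-expression names are the script's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input modelled on Example 3-21 (not a capture from a live router).
SAMPLE_ADJACENCY = """\
Protocol Interface                 Address
IP       FastEthernet0/0           10.3.8.1(19)
                                   32 packets, 1920 bytes
                                   00D006FE9EA00009B7FAD1E00800
                                   ARP        03:53:01
                                   Epoch: 0
IP       FastEthernet0/1           10.8.8.6(5)
                                   4 packets, 264 bytes
                                   0008A3B895C40009B7FAD1E10800
                                   ARP        03:53:35
                                   Epoch: 0
"""

# Constructed next-hop -> MAC mapping, as Step 7's show ip arp would report it.
SAMPLE_ARP: Dict[str, str] = {
    "10.3.8.1": "00d0.06fe.9ea0",
    "10.8.8.6": "0008.a3b8.95c4",
}


@dataclass
class Adjacency:
    interface: str
    next_hop: str
    dst_mac: str      # dotted Cisco notation, lower case
    src_mac: str
    ethertype: str    # four hex digits, e.g. "0800"


def split_rewrite_string(hexstr: str) -> Tuple[str, str, str]:
    """Split the 28-hex-digit rewrite string: 12 dst MAC + 12 src MAC + 4 Ethertype."""
    if not re.fullmatch(r"[0-9A-Fa-f]{28}", hexstr):
        raise ValueError("rewrite string must be exactly 28 hex digits")
    return hexstr[:12], hexstr[12:24], hexstr[24:]


def cisco_mac(hex12: str) -> str:
    """Render 12 hex digits in dotted Cisco notation (00d0.06fe.9ea0)."""
    h = hex12.lower()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


ENTRY_RE = re.compile(r"^IP\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\(\d+\)")
REWRITE_RE = re.compile(r"^\s*([0-9A-Fa-f]{28})\s*$")


def parse_adjacencies(text: str) -> List[Adjacency]:
    """Pair each IP adjacency header line with the rewrite string that follows it."""
    result: List[Adjacency] = []
    pending = None  # (interface, next_hop) waiting for its rewrite string
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = REWRITE_RE.match(line)
        if m and pending:
            dst, src, etype = split_rewrite_string(m.group(1))
            result.append(Adjacency(pending[0], pending[1],
                                    cisco_mac(dst), cisco_mac(src), etype.lower()))
            pending = None
    return result


def check_against_arp(adjs: List[Adjacency],
                      arp: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (next_hop, adjacency_mac, arp_mac) for every adjacency whose destination
    MAC disagrees with the ARP view, or whose next hop has no ARP entry at all."""
    problems = []
    for adj in adjs:
        arp_mac = arp.get(adj.next_hop, "<no ARP entry>")
        if arp_mac.lower() != adj.dst_mac:
            problems.append((adj.next_hop, adj.dst_mac, arp_mac))
    return problems


if __name__ == "__main__":
    adjacencies = parse_adjacencies(SAMPLE_ADJACENCY)
    for adj in adjacencies:
        print(adj)
    print("mismatches:", check_against_arp(adjacencies, SAMPLE_ARP))
```

An empty mismatch list means every cached rewrite string still agrees with the ARP view; a non-empty one points at exactly the next hop whose adjacency deserves the Step 8 visit.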

The Used column indicates how much has been used, and Free indicates how much is remaining. The Lowest column shows the lowest amount of free memory (in bytes) that has been available since the router last booted. The Largest column indicates the largest block of available memory. Following this summary information, the output shows detailed memory allocation information for each process running on a router. If a process is consuming a larger-than-normal amount of memory, it is likely because of a memory leak. Typically, memory leaks result from bugs or poor coding in the Cisco IOS Software. A memory leak occurs when a process does not free the memory that it is finished using. Therefore, the block of memory remains reserved and will be released only when the router is reloaded. The best solution is to upgrade the Cisco IOS Software to a version that fixes the issue.

Memory-Allocation Failure

A memory-allocation failure (which produces a MALLOCFAIL error message) occurs when a process attempts to allocate a block of memory and fails to do so. One common cause for a MALLOCFAIL error is a security issue. For example, a virus or a worm that has infested the network can result in a MALLOCFAIL error. Alternatively, a MALLOCFAIL error might result from a bug in the router's version of Cisco IOS. You can use the Cisco Bug Toolkit (available from www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl) to research any such known issues with the version of Cisco IOS running on a router. Personally, I have witnessed the MALLOCFAIL error message when using an Integrated Services Router (ISR) that was running Network Address Translation (NAT), and another instance when I tried to load the complete Intrusion Prevention System (IPS) Signature Definition File on another ISR when I knew it could not handle it.

Buffer Leak

Similar to a memory leak, in which a process does not return all of its allocated memory to the router upon terminating, a buffer leak occurs when a process does not return a buffer to the router when the process has finished using the buffer. Consider the output of the show interfaces command shown in Example 3-23. Notice the numbers 76 and 75 highlighted in the output. These values indicate that an input queue of the interface has a capacity of 75 packets and that the queue currently has 76 packets. These values indicate an oversubscription of the queue space. An interface in this condition is called a wedged interface. In such a condition, the router does not forward traffic coming into the wedged interface.

Example 3-23 Identifying a Wedged Interface
R4#show interfaces
...OUTPUT OMITTED...
  Input queue: 76/75/780/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
...OUTPUT OMITTED...

The show buffers command can also help to diagnose a buffer leak. To illustrate, consider the output of the show buffers command shown in Example 3-24.

Example 3-24 show buffers Command Output
R4#show buffers
Buffer elements:
     1118 in free list (500 max allowed)
     570 hits, 0 misses, 1119 created

Public buffer pools:
Small buffers, 104 bytes (total 71, permanent 50, peak 71 @ 00:21:43):
     53 in free list (20 min, 150 max allowed)
     317 hits, 7 misses, 0 trims, 21 created
     0 failures (0 no memory)
Middle buffers, 600 bytes (total 49, permanent 25, peak 49 @ 00:21:43):
     5 in free list (10 min, 150 max allowed)
     122 hits, 8 misses, 0 trims, 24 created
...OUTPUT OMITTED...

This output indicates that the router has 49 middle buffers, but only 5 of those 49 buffers are available. Such a result might indicate a process allocating buffers but failing to deallocate them. Like a memory leak, a buffer leak might require updating the Cisco IOS image of a router.

Excessive BGP Memory Use

If a router is running Border Gateway Protocol (BGP), be aware that BGP runs multiple processes and can consume significant amounts of router memory. The show processes memory | include BGP command, as shown in Example 3-25, can show you how much memory the various BGP processes of a router are consuming. If BGP is consuming a large percentage of your router memory, you might consider filtering out unneeded BGP routes, upgrading the memory on that router, or running BGP on a different platform that has more memory.

Example 3-25 show processes memory | include BGP Command Output
R1#show processes memory | include BGP|^ PID
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
 184   0          0          0       7096          0          0 BGP Task
 198   0          0          0      10096          0          0 BGP Scheduler
 229   0      38808          0      11520          0          0 BGP Router
 231   0          0          0      10096          0          0 BGP I/O
 262   0          0          0      10096          0          0 BGP Scanner
 284   0          0          0       7096          0          0 BGP Event

Depending on the router platform, your router might have multiple line cards with different amounts of memory available on each line card. The show diag command can help you isolate a specific line card that is running low on memory, perhaps because that line card is running BGP.
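The three conditions just described (a wedged input queue in Example 3-23, a starved buffer pool in Example 3-24, and memory held by the BGP processes in Example 3-25) are all visible in plain show output, so they lend themselves to a scripted check that can run against saved output from many routers. The Python script below is an added illustration, not code from the book or from Cisco; it parses text laid out like those three examples and flags the same conditions the text walks through by hand. The sample text is constructed from the examples above (a second, healthy interface was added for contrast), and the 20 percent free-buffer threshold is an assumption chosen for the illustration.

```python
import re
from typing import Dict, List

# Constructed sample text modelled on Examples 3-23, 3-24, and 3-25 above; these are
# not captures from a live router, and FastEthernet0/1 was added as a healthy contrast.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/0 is up, line protocol is up
  Input queue: 76/75/780/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
FastEthernet0/1 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
"""

SAMPLE_SHOW_BUFFERS = """\
Public buffer pools:
Small buffers, 104 bytes (total 71, permanent 50, peak 71 @ 00:21:43):
     53 in free list (20 min, 150 max allowed)
     317 hits, 7 misses, 0 trims, 21 created
     0 failures (0 no memory)
Middle buffers, 600 bytes (total 49, permanent 25, peak 49 @ 00:21:43):
     5 in free list (10 min, 150 max allowed)
     122 hits, 8 misses, 0 trims, 24 created
     0 failures (0 no memory)
"""

SAMPLE_PROC_MEM = """\
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
 184   0          0          0       7096          0          0 BGP Task
 198   0          0          0      10096          0          0 BGP Scheduler
 229   0      38808          0      11520          0          0 BGP Router
 231   0          0          0      10096          0          0 BGP I/O
 262   0          0          0      10096          0          0 BGP Scanner
 284   0          0          0       7096          0          0 BGP Event
"""

IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
INQ_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+) \(size/max/drops/flushes\)")
POOL_RE = re.compile(r"^(\w+) buffers, \d+ bytes \(total (\d+), permanent (\d+)")
FREE_RE = re.compile(r"^\s*(\d+) in free list \((\d+) min, (\d+) max allowed\)")
PROC_RE = re.compile(r"^\s*(\d+)\s+\d+\s+(\d+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(.+?)\s*$")


def wedged_interfaces(text: str) -> List[Dict[str, object]]:
    """Return every interface whose input queue size has reached its maximum,
    the 76/75 condition the text calls a wedged interface."""
    found, current = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INQ_RE.search(line)
        if m and current:
            size, mx, drops, _flushes = map(int, m.groups())
            if size >= mx:
                found.append({"interface": current, "size": size, "max": mx, "drops": drops})
    return found


def starved_pools(text: str, free_fraction: float = 0.20) -> List[Dict[str, object]]:
    """Return buffer pools whose free count is below the pool's configured minimum or
    below free_fraction of the pool total (the 20 percent figure is an assumption)."""
    found, pool = [], None
    for line in text.splitlines():
        m = POOL_RE.match(line)
        if m:
            pool = {"pool": m.group(1), "total": int(m.group(2))}
            continue
        m = FREE_RE.match(line)
        if m and pool:
            free, minimum = int(m.group(1)), int(m.group(2))
            if free < minimum or free < free_fraction * pool["total"]:
                found.append({**pool, "free": free, "min": minimum})
            pool = None
    return found


def holding_bytes(text: str, name_prefix: str = "BGP") -> int:
    """Sum the Holding column (bytes currently held) over processes whose name
    starts with name_prefix, so the BGP processes can be compared with total memory."""
    total = 0
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m and m.group(5).startswith(name_prefix):
            total += int(m.group(4))
    return total


if __name__ == "__main__":
    print("wedged:", wedged_interfaces(SAMPLE_SHOW_INTERFACES))
    print("starved pools:", starved_pools(SAMPLE_SHOW_BUFFERS))
    print("BGP holding bytes:", holding_bytes(SAMPLE_PROC_MEM))
```

Run periodically against saved output, the same functions give a baseline, so a pool whose free count shrinks over days, or a process whose Holding value only ever grows, stands out before the router reaches the MALLOCFAIL stage.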

Exam Preparation Tasks

As mentioned in the section "How to Use This Book" in the Introduction, you have several choices for exam preparation: the exercises here, Chapter 22, "Final Preparation," and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 3-5 lists a reference of these key topics and the page numbers on which each is found.

Table 3-5 Key Topics for Chapter 3

Key Topic Element   Description                                                        Page Number
List                Components in a Catalyst switch                                    96
Table 3-2           Errors in the show interfaces interface_type interface_number
                    counters errors command                                            98
List                Reasons why a packet could be punted from a switch's TCAM
                    to its CPU                                                         102
Section             High CPU utilization troubleshooting on a switch                   105
List                Identifies processes that cause excessive router CPU utilization   107
Table 3-3           Commands for troubleshooting high CPU utilization                  108
List                Three primary modes of packet switching                            113
Table 3-4           Commands for troubleshooting a router's packet-switching modes     116
Step list           Example of troubleshooting the forwarding of packets               120
Section             Excessive memory utilization                                       121

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary: backplane, forwarding logic, control plane, half-duplex, full-duplex, ingress port, egress port, TCAM, ARP Input process, Net Background process, IP Background process, TCP Timer process, process switching, fast switching, CEF, memory leak, memory-allocation failure, buffer leak

Complete Tables and Lists from Memory

Print a copy of Appendix C, "Memory Tables" (found on the disc), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, "Memory Tables Answer Key," also on the disc, includes completed tables and lists to check your work.

Command Reference to Check Your Memory

This section includes the most important EXEC commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed. To test your memory of the commands, cover the right side of Table 3-6 with a piece of paper, read the description on the left side, and then see how much of the command you can remember. The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to verify router and switch configurations.

Table 3-6 EXEC Commands

Task: A Cisco Catalyst 3750E series switch command that can be used to verify the maximum and used TCAM resources for various services and features on the switch.
Command Syntax: show platform tcam utilization

Task: A Cisco Catalyst switch command that can be used to display the current SDM template being used on the switch.
Command Syntax: show sdm prefer

Task: Shows a collection of interface statistics. (Note: If the throttles, overruns, or ignored counters continually increment, you might suspect that the Net Background process is attempting to allocate buffer space for an interface from the router's main buffer pool.)
Command Syntax: show interface interface_type interface_number

Task: Displays a router's ARP cache. (Note: If a large number of the entries are in the Incomplete state, you might suspect a malicious scan [for example, a ping sweep] of a subnet.)
Command Syntax: show ip arp

Task: Provides information about the number of TCP segments a router sends and receives, including the number of connections initiated, accepted, established, and closed. (Note: A high number of connections might explain why the TCP Timer process is consuming excessive CPU resources.)
Command Syntax: show tcp statistics

Task: Displays average CPU utilization over 5-second, 1-minute, and 5-minute intervals, in addition to listing all the router processes and the percentage of CPU resources consumed by each of those processes.
Command Syntax: show processes cpu

Task: Displays information about the IP Input process on a router. (Note: The CPU utilization for this process might show a high value if the CPU of a router is actively engaged in process-switching traffic.)
Command Syntax: show processes cpu | include IP Input

Task: Shows a graphical view of CPU utilization over the past 60 seconds, 1 hour, and 3 days. (Note: This graphical view can indicate whether an observed high CPU utilization is a temporary spike in utilization or whether the high CPU utilization is an ongoing condition.)
Command Syntax: show processes cpu history

Task: Displays multiple interface statistics, including information about the packet-switching mode of an interface.
Command Syntax: show ip interface interface_type interface_number

Task: Shows the contents of the fast cache for a router if fast switching is enabled.
Command Syntax: show ip cache

Task: Displays the router's Layer 3 forwarding information, in addition to multicast, broadcast, and local IP addresses.
Command Syntax: show ip cef

Task: Displays destinations reachable through the combination of the specified egress interface and next-hop IP address.
Command Syntax: show ip cef adjacency egress_interface_id next_hop_ip_address detail

Task: Provides information contained in a router's adjacency table, including protocol and timer information.
Command Syntax: show adjacency detail

Task: Verifies that a valid adjacency exists for a connected host.
Command Syntax: show adjacency

Task: Displays information about packets forwarded by the router using a packet-switching mechanism other than CEF.
Command Syntax: show cef not-cef-switched

Task: Shows information about memory availability on a router after the router's Cisco IOS image has been decompressed and loaded. (Note: This command can help identify memory leaks.)
Command Syntax: show memory allocating-process totals

Task: Shows how many buffers (of various types) are currently free. (Note: This command can be helpful in diagnosing a buffer leak.)
Command Syntax: show buffers

Task: Shows how much memory is being consumed by the various BGP processes of a router.
Command Syntax: show processes memory | include bgp

Task: Shows the memory available on the line cards of a router.
Command Syntax: show diag


This chapter covers the following topics:

■ Frame-Forwarding Process: This section reviews the Layer 2 frame-forwarding process. To successfully troubleshoot Layer 2 issues, you need to have a complete understanding of this process.

■ Troubleshooting Trunks: This section focuses on how to troubleshoot Layer 2 trunking issues.

■ Troubleshooting VTP: This section focuses on how to troubleshoot issues relating to VLAN Trunking Protocol.

■ Troubleshooting VLANs: This section identifies how to troubleshoot general issues relating to VLANs and end-user port assignments.

■ The MAC address table: This section reviews how to use the MAC address table during your troubleshooting process.

■ Layer 2 Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.

CHAPTER 4

Troubleshooting Layer 2 Trunks, VTP, and VLANs

Most enterprise LANs rely on some flavor of Ethernet technology (for example, Ethernet, Fast Ethernet, or Gigabit Ethernet). However, your overall campus design will determine whether you need to worry about Layer 2 technologies such as trunks, Dynamic Trunking Protocol (DTP), Virtual Trunking Protocol (VTP), and virtual local-area networks (VLANs). If your campus design has any Layer 2 links from the distribution layer to the access layer, you need to have the skills necessary to troubleshoot these Layer 2 technologies. In addition, before you master the skills for troubleshooting these Layer 2 technologies, you need to have an understanding of Ethernet switch operations at Layer 2. This chapter sets the stage by reviewing basic Layer 2 switch operations, which will factor into discussions in future chapters. It then moves on to troubleshooting trunks, VTP, and VLANs.

"Do I Know This Already?" Quiz

The "Do I Know This Already?" quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 4-1 lists the major headings in this chapter and their corresponding "Do I Know This Already?" quiz questions. You can find the answers in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes."

Table 4-1 "Do I Know This Already?" Section-to-Question Mapping

Foundation Topics Section     Questions
Frame-Forwarding Process      1–3
Troubleshooting Trunks        4–6
Troubleshooting VTP           7
Troubleshooting VLANs         8
The MAC Address Table         9–10

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which header information is used by switches to learn which MAC address is reachable out a specific interface?
a. Source IP address
b. Destination IP address
c. Source MAC address
d. Destination MAC address

2. Which header information is used by switches to forward frames?
a. Source IP address
b. Destination IP address
c. Source MAC address
d. Destination MAC address

3. What does a switch do with an unknown unicast frame?
a. Drop it
b. Forward it out the port it is associated with
c. Use ARP to determine the MAC address of the IP address in the packet
d. Flood it out all ports except the port it was received on

4. Which two are examples of issues that could prevent a trunk from forming?
a. Encapsulation mismatch
b. Incompatible trunking modes
c. Password mismatch
d. Missing VLAN

5. Which two of the trunk mode examples will successfully form a trunk?
a. Access – Dynamic desirable
b. Dynamic Auto – Dynamic auto
c. Trunk – Dynamic auto
d. Trunk – Trunk nonegotiate

Chapter 4: Troubleshooting Layer 2 Trunks, VTP, and VLANs 131

6. Which command enables you to verify the administrative mode and operational mode of an interface?
a. show vlan brief
b. show interfaces interface_type interface_number switchport
c. show interfaces trunk
d. show interfaces

7. Which command enables you to verify VTP configurations?
a. show run
b. show interfaces trunk
c. show vtp status
d. show vtp configurations

8. Which two commands enable you to verify which VLAN a port is assigned to?
a. show vlan brief
b. show run interface interface_type interface_number
c. show interfaces interface_type interface_number switchport
d. show mac address-table dynamic

9. Which command enables you to verify which port a MAC address is being learned on?
a. show interfaces trunk
b. show interfaces
c. show interfaces interface_type interface_number switchport
d. show mac address-table dynamic

10. What can we confirm when examining the MAC address table of a switch? (Choose two answers.)
a. The port a MAC address was learned on
b. The VLAN the MAC address is associated with
c. The administrative and operational mode of an interface
d. The number of devices physically connected to an interface


Foundation Topics

Frame-Forwarding Process
To successfully troubleshoot Layer 2 forwarding issues, you need a solid understand-
ing of how a switch operates. You would have learned this back in CCNA Routing and
Switching. However, we spend time here reviewing switch operations because our trou-
bleshooting efforts will be based on this knowledge. This section reviews how a switch
populates its MAC address table and how it decides what to do with a frame based on
the information in the MAC address table.

Unlike Ethernet hubs, which take bits in one port and send those same bits out all other
ports, Ethernet switches learn about the devices connected to their ports. Therefore,
when an Ethernet switch sees a frame destined for a particular MAC address, the switch
can consult its MAC address table to determine which port to forward the newly arrived
frame out. This behavior results in more-efficient bandwidth utilization and improved
security on a LAN. In addition, it eliminates the concern of collisions. Specifically, in a
hub environment, if two endpoints each transmitted a data frame at the same time, those
two frames would collide, resulting in both frames being corrupted because all ports on
a hub are in a common collision domain. This collision would require each endpoint to
retransmit its data frame. This is not a concern with switches because every port on an
Ethernet switch is in its own collision domain.

Ethernet switches can dynamically learn the MAC addresses attached to various switch-
ports by looking at the source MAC address on frames coming into a port. For example,
if switchport Gigabit Ethernet 1/1 received a frame with a source MAC address of
DDDD.DDDD.DDDD, the switch could conclude that MAC address
DDDD.DDDD.DDDD resided off of port Gigabit Ethernet 1/1. As a result, it places an entry in the
MAC address table indicating so. In the future, if the switch received a frame destined for
a MAC address of DDDD.DDDD.DDDD, the switch would only send that frame out of
port Gigabit Ethernet 1/1 because of the entry in the MAC address table.

Initially, however, a switch is unaware of what MAC addresses reside off of which
ports (unless MAC addresses have been statically configured). Therefore, when a switch
receives a frame destined for a MAC address not yet present in the switch’s MAC address
table, the switch floods that frame out of all the switchports in the same VLAN, other
than the port on which the frame was received. Similarly, broadcast frames (that is,
frames with a destination MAC address of FFFF.FFFF.FFFF) are always flooded out all
switchports in the same VLAN except the port on which the frame was received. The
reason broadcast frames are always flooded is that no endpoint will have a MAC address
of FFFF.FFFF.FFFF, meaning that the FFFF.FFFF.FFFF MAC address will never be
learned dynamically in the MAC address table of a switch. In addition, if you look at the
output of the MAC address table, you will notice that the all F’s MAC address is stati-
cally bound to the CPU, ensuring that it can never be learned dynamically, as shown in
Example 4-1.


Example 4-1 show mac address-table Command Output
SW1#show mac address-table
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
All ffff.ffff.ffff STATIC CPU
10 0050.b60c.f258 DYNAMIC Gi0/1
10 0800.2757.1b86 DYNAMIC Gi0/1
10 0800.275d.06d6 DYNAMIC Fa0/1
10 0800.27a2.ce47 DYNAMIC Fa0/2
10 2893.fe3a.e301 DYNAMIC Gi0/1
...output omitted...

To illustrate how a switch’s MAC address table becomes populated, consider an endpoint
named PC1 that wants to form a Telnet connection with a server, as shown in
Figure 4-1. Also, assume that PC1 and its server reside on the same subnet (that is, no routing is
required to get traffic between PC1 and its server) and are therefore in the same VLAN,
in this case VLAN 100. Before PC1 can send a Telnet segment to its server, PC1 needs to
know the IP address (that is, the Layer 3 address) and the MAC address (that is, the Layer
2 address) of the server. The IP address of the server is typically known or is resolved
via a Domain Name System (DNS) lookup. In this example, assume that the server’s
IP address is known. To properly communicate over Ethernet, PC1 needs to know the
server’s Layer 2 MAC address. If PC1 does not already have the server’s MAC address in
its Address Resolution Protocol (ARP) cache, PC1 can send an ARP request to learn the
server’s MAC address.


[Figure 4-1 Endpoint Sending an ARP Request: PC1 (AAAA.AAAA.AAAA) on SW1 Gig 0/1 (VLAN 100) sends an ARP request. SW1 Gig 0/2 connects to SW2 Gig 0/1 over a trunk. PC2 on SW1 Gig 0/3 and PC4 on SW2 Gig 0/3 are in VLAN 100; PC3 on SW1 Gig 0/4 and PC5 on SW2 Gig 0/4 are in VLAN 200. The server (BBBB.BBBB.BBBB) is on SW2 Gig 0/2 (VLAN 100). SW1 MAC address table: Gig 0/1 empty, Gig 0/2 empty. SW2 MAC address table: Gig 0/1 empty, Gig 0/2 empty.]

Figure 4-1 Endpoint Sending an ARP Request

When switch SW1 sees PC1’s ARP request enter port Gig0/1, the PC1 MAC address of
AAAA.AAAA.AAAA is added to the MAC address table of switch SW1 and associated
with interface Gig0/1. Because Gig0/1 is a member of VLAN 100, the MAC is also
associated with VLAN 100. Because the ARP request is a broadcast, its destination
MAC address is FFFF.FFFF.FFFF (all F’s). As discussed earlier, frames with a destination
of all F’s will be copied and flooded out all switchports except the port on which the
frame was received. However, notice that port Gig0/1 on switch SW1 belongs to VLAN
100, whereas port Gig0/4 belongs to VLAN 200. This is important because frames are
constrained to the VLAN from which they originated unless routed by a Layer 3 device.
Therefore, the broadcast frame in this case is not flooded out Gig0/4 because Gig0/4 is a
member of a different VLAN. Port Gig0/2, however, is a trunk port, and a trunk can carry
traffic for multiple VLANs. Therefore, the ARP request is flooded out of port Gig0/2
and Gig0/3, as illustrated in Figure 4-2. Because the ARP request is for the MAC of the
server, PC2 will ignore the ARP request.

When switch SW2 receives the ARP request inbound on its Gig0/1 trunk port, the source
MAC address of AAAA.AAAA.AAAA is added to switch SW2’s MAC address table,
associated with Gig0/1 and VLAN 100. Also, similar to the behavior of switch SW1,
switch SW2 floods the broadcast frame out of port Gig0/3 (a member of VLAN 100) and
out of port Gig0/2 (also a member of VLAN 100), as depicted in Figure 4-3.


Figure 4-2 Switch SW1 Flooding the ARP Request
(Same topology as Figure 4-1. The ARP request is flooded out SW1 Gig0/2 [trunk] and Gig0/3, not Gig0/4. SW1 MAC address table: VLAN 100, Gig0/1, AAAA.AAAA.AAAA; Gig0/2 empty. SW2 MAC address table: Gig0/1 empty, Gig0/2 empty.)

Figure 4-3 Switch SW2 Flooding the ARP Request
(Same topology as Figure 4-1. SW2 floods the ARP request out Gig0/2 and Gig0/3, not Gig0/4. SW1 MAC address table: VLAN 100, Gig0/1, AAAA.AAAA.AAAA; Gig0/2 empty. SW2 MAC address table: VLAN 100, Gig0/1, AAAA.AAAA.AAAA; Gig0/2 empty.)

The server receives the ARP request and responds with an ARP reply, as shown in Figure
4-4. In addition, the server updates its ARP cache with a mapping of the IP and MAC
address of PC1. Unlike the ARP request, the ARP reply frame is not a broadcast frame; it
is a unicast frame. The ARP reply in this case has a destination MAC address of
AAAA.AAAA.AAAA and a source MAC address of BBBB.BBBB.BBBB.


Figure 4-4 ARP Reply Sent from the Server
(Same topology as Figure 4-1. The server sends the unicast ARP reply into SW2 Gig0/2. SW1 MAC address table: VLAN 100, Gig0/1, AAAA.AAAA.AAAA; Gig0/2 empty. SW2 MAC address table: VLAN 100, Gig0/1, AAAA.AAAA.AAAA; Gig0/2 empty.)

Upon receiving the ARP reply from the server, switch SW2 adds the server’s MAC
address of BBBB.BBBB.BBBB to its MAC address table, as shown in Figure 4-5. Also, the
ARP reply is sent out only port Gig0/1 because switch SW2 knows that the destination
MAC address of AAAA.AAAA.AAAA is reachable out port Gig0/1.

Figure 4-5 Switch SW2 Forwarding the ARP Reply
(Same topology as Figure 4-1. SW2 forwards the ARP reply out Gig0/1 only. SW1 MAC address table: VLAN 100, Gig0/1, AAAA.AAAA.AAAA; Gig0/2 empty. SW2 MAC address table: VLAN 100, Gig0/1, AAAA.AAAA.AAAA; VLAN 100, Gig0/2, BBBB.BBBB.BBBB.)


When receiving the ARP reply in its Gig0/2 port, switch SW1 adds the server’s MAC
address of BBBB.BBBB.BBBB to its MAC address table. Also, like switch SW2, switch
SW1 now has an entry in its MAC address table for the frame’s destination MAC address
of AAAA.AAAA.AAAA. Therefore, switch SW1 forwards the ARP reply out port Gig0/1
to the endpoint of PC1, as illustrated in Figure 4-6.

Figure 4-6 Switch SW1 Forwarding the ARP Reply
(Same topology as Figure 4-1. SW1 forwards the ARP reply out Gig0/1 to PC1. SW1 MAC address table: VLAN 100, Gig0/1, AAAA.AAAA.AAAA; VLAN 100, Gig0/2, BBBB.BBBB.BBBB. SW2 MAC address table: VLAN 100, Gig0/1, AAAA.AAAA.AAAA; VLAN 100, Gig0/2, BBBB.BBBB.BBBB.)

After receiving the server’s ARP reply, PC1 now knows the MAC address of the server.
Therefore, PC1 can send a properly constructed Telnet segment destined for the server,
as depicted in Figure 4-7. The source MAC of the Layer 2 frame will be
AAAA.AAAA.AAAA, and the destination MAC will be BBBB.BBBB.BBBB.

Switch SW1 has the server’s MAC address of BBBB.BBBB.BBBB in its MAC address table.
Therefore, when switch SW1 receives the frame from PC1, that frame is forwarded out of
the Gig0/2 port of switch SW1, as shown in Figure 4-8.


Figure 4-7 PC1 Sending a Telnet Segment
(Same topology as Figure 4-1. PC1 sends the Telnet frame into SW1 Gig0/1. Both MAC address tables are as in Figure 4-6.)

Figure 4-8 Switch SW1 Forwarding the Telnet Segment
(Same topology as Figure 4-1. SW1 forwards the Telnet frame out Gig0/2 only. Both MAC address tables are as in Figure 4-6.)

Similar to the behavior of switch SW1, switch SW2 forwards the frame out its Gig0/2
port. This forwarding, shown in Figure 4-9, is possible because switch SW2 has an entry
for the segment’s destination MAC address of BBBB.BBBB.BBBB in its MAC address
table.


Figure 4-9 Switch SW2 Forwarding the Telnet Segment
(Same topology as Figure 4-1. SW2 forwards the Telnet frame out Gig0/2 to the server. Both MAC address tables are as in Figure 4-6.)

Finally, the server responds to PC1, and a bidirectional Telnet session is established between
the PC and the server, as illustrated in Figure 4-10. Because PC1 learned the MAC address
of the server and the server learned the MAC address of PC1, as a result of PC1’s earlier
ARP request, both devices stored the MAC addresses in their local ARP caches; therefore,
the transmission of subsequent Telnet segments does not require additional ARP requests.
However, if unused for a period of time, entries in a device’s ARP cache will time out.

Figure 4-10 Bidirectional Telnet Session Between PC1 and the Server
(Same topology as Figure 4-1. Telnet frames flow in both directions between PC1 and the server across the trunk. Both MAC address tables are as in Figure 4-6.)
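The learning and flooding behaviour walked through in Figures 4-1 to 4-10 can be replayed in a few lines of Python. This is an added example, not code from the book: it models the two switches' VLAN-aware MAC address tables and reports who receives the ARP request, the ARP reply and the Telnet frame. The MAC addresses of PC2 to PC5 are made up, and the port-to-VLAN assignments are read off the figure.

```python
"""VLAN-aware MAC learning and flooding model for the SW1/SW2 topology.

Constructed example (not the book's or Cisco's code). It replays the ARP
request, ARP reply and Telnet frame of Figures 4-1 to 4-10 and reports who
received each frame and what the two MAC address tables contain afterwards.
Only the MACs of PC1 and Server come from the text; the others are made up.
"""
from dataclasses import dataclass, field

BROADCAST = "FFFF.FFFF.FFFF"
TRUNK = "trunk"          # port marker: carries every VLAN, frames are tagged


@dataclass
class Frame:
    src: str
    dst: str
    vlan: int            # access VLAN at ingress, or the 802.1Q tag on a trunk


@dataclass
class Switch:
    name: str
    ports: dict                                    # port -> access VLAN or TRUNK
    mac_table: dict = field(default_factory=dict)  # (vlan, mac) -> port

    def receive(self, in_port, frame):
        """Learn the source MAC on (VLAN, port), then choose the egress ports."""
        self.mac_table[(frame.vlan, frame.src)] = in_port
        if frame.dst != BROADCAST:
            known = self.mac_table.get((frame.vlan, frame.dst))
            if known is not None:
                # Known unicast goes out one port; a destination that sits on
                # the ingress port is filtered rather than sent back out.
                return [] if known == in_port else [known]
        # Broadcast or unknown unicast: flood, but only within the frame's
        # VLAN. Access ports in another VLAN are skipped; trunks carry it on.
        return [p for p, vlan in self.ports.items()
                if p != in_port and vlan in (TRUNK, frame.vlan)]


class Network:
    def __init__(self, switches, links, hosts):
        self.switches = {s.name: s for s in switches}
        self.links = dict(links)                          # (sw, port) -> (sw, port)
        self.links.update({b: a for a, b in links.items()})
        self.hosts = hosts                                # name -> (mac, sw, port)
        self.port_host = {(sw, p): n for n, (_, sw, p) in hosts.items()}

    def send(self, host, dst_mac):
        """Inject a frame from host; return the hosts whose NIC receives it."""
        mac, sw, port = self.hosts[host]
        frame = Frame(mac, dst_mac, self.switches[sw].ports[port])
        delivered = []
        self._forward(sw, port, frame, delivered)
        return sorted(delivered)

    def _forward(self, sw_name, in_port, frame, delivered):
        for out in self.switches[sw_name].receive(in_port, frame):
            peer = self.links.get((sw_name, out))
            if peer is not None:                          # trunk to the other switch
                self._forward(peer[0], peer[1], frame, delivered)
            elif (sw_name, out) in self.port_host:
                delivered.append(self.port_host[(sw_name, out)])


def build_figure_topology(server_vlan=100):
    """Figure 4-1 topology; server_vlan != 100 reproduces the 'wrong VLAN' issue."""
    sw1 = Switch("SW1", {"Gig0/1": 100, "Gig0/2": TRUNK, "Gig0/3": 100, "Gig0/4": 200})
    sw2 = Switch("SW2", {"Gig0/1": TRUNK, "Gig0/2": server_vlan, "Gig0/3": 100, "Gig0/4": 200})
    hosts = {
        "PC1": ("AAAA.AAAA.AAAA", "SW1", "Gig0/1"),
        "PC2": ("0000.0000.0002", "SW1", "Gig0/3"),    # constructed MACs
        "PC3": ("0000.0000.0003", "SW1", "Gig0/4"),
        "Server": ("BBBB.BBBB.BBBB", "SW2", "Gig0/2"),
        "PC4": ("0000.0000.0004", "SW2", "Gig0/3"),
        "PC5": ("0000.0000.0005", "SW2", "Gig0/4"),
    }
    return Network([sw1, sw2], {("SW1", "Gig0/2"): ("SW2", "Gig0/1")}, hosts)


def telnet_setup(net):
    """Replay Figures 4-1 to 4-10; return the receivers of each frame in order."""
    return {
        "ARP request": net.send("PC1", BROADCAST),
        "ARP reply": net.send("Server", net.hosts["PC1"][0]),
        "Telnet": net.send("PC1", net.hosts["Server"][0]),
    }


if __name__ == "__main__":
    net = build_figure_topology()
    for kind, receivers in telnet_setup(net).items():
        print(f"{kind:12} delivered to {receivers}")
    for sw in net.switches.values():
        print(sw.name, "MAC address table:", sw.mac_table)
```

Calling build_figure_topology(server_vlan=200) shows the second item of the issue list below: the ARP request never reaches the server, so no reply and no Telnet session can follow.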


When troubleshooting an issue involving Layer 2 switch communication, a thorough
understanding of the preceding steps can help you identify potential problems quickly
and efficiently. Take a moment and review Figure 4-10. Consider where issues might arise
in the topology that would prevent PC1 and Server from communicating. The following
list outlines a few potential issues that could arise:

■ PC1 and Server have IP addresses in different subnets because of an incorrect address
or subnet mask.
■ Interface Gig0/1 on SW1 or Gig0/2 on SW2 is not a member of the correct VLAN.

■ VLAN 100 is missing on SW1 or SW2.

■ The trunk between SW1 and SW2 is not passing traffic for the necessary VLANs
(VLAN 100 in this case).

■ The trunk is not formed between SW1 and SW2.

■ A VACL is denying PC1 from communicating with Server.

■ Interface Gig0/1 on SW1, Gig0/2 on SW2, or the trunk interfaces are shut down or in
the err-disabled state.

Troubleshooting Trunks
Trunks support multiple VLANs on a single physical link. A trunk can be between two
switches, a switch and a router, and a switch and a server that is providing services for
multiple VLANs. This section focuses on issues that prevent a trunk from being formed
or passing traffic for a VLAN. Figure 4-11 serves as the topology for all of the examples.

Figure 4-11 Troubleshooting Trunks
(Same topology as Figure 4-1: PC1 [AAAA.AAAA.AAAA, VLAN 100] on SW1 Gig0/1, trunk from SW1 Gig0/2 to SW2 Gig0/1, Server [BBBB.BBBB.BBBB, VLAN 100] on SW2 Gig0/2. Both MAC address tables are as in Figure 4-6.)


Encapsulation Mismatch
Two types of trunking encapsulations are supported by Cisco Catalyst switches: 802.1Q,
which is an IEEE standard; and ISL (Inter-Switch Link), which is Cisco proprietary. 802.1Q
adds a 4-byte tag to the Ethernet frame, whereas ISL encapsulates the entire Ethernet
frame, resulting in an additional 30 bytes. Not all switches support both. For example,
a Catalyst 2960 switch supports only 802.1Q, whereas a Catalyst 3560 and a Catalyst
3750-E support both. To form a trunk between two switches, the interfaces that will be
forming the trunk must be using the same encapsulation type. By default, Cisco Catalyst
switches that support only 802.1Q will use 802.1Q, whereas Catalyst switches that support
both 802.1Q and ISL will autonegotiate the encapsulation using DTP. Therefore, if you
connect a Catalyst 2960 and a Catalyst 3750-E together, they will use 802.1Q because that
is all the Catalyst 2960 can support. However, if you connect two 3750-Es together, they
will negotiate the use of ISL because it is Cisco proprietary. If you are required to use
802.1Q trunks in your environment, you must manually change the encapsulation from ISL
to 802.1Q in that situation.

Because autonegotiation of encapsulation works very well, you will usually only have an
encapsulation mismatch if someone is manually setting the trunking encapsulation. To
verify the encapsulation type used on an interface, issue the show interfaces
interface_type interface_number switchport command, as shown in Examples 4-2 and 4-3.

Example 4-2 Output of show interfaces switchport Command on SW1 to Verify Encapsulation
SW1#show interfaces gigabitethernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

Example 4-3 Output of show interfaces switchport Command on SW2 to Verify Encapsulation
SW2#show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

From the show interfaces switchport output of Example 4-2 and Example 4-3, you can
see that SW1 and SW2 are not using the same trunking encapsulation. SW1 is using
802.1Q, and SW2 is using ISL. Therefore, a trunk will not successfully form in this case.

You can also verify which trunking encapsulation is being used by looking at the output
of show interfaces trunk, as shown in Example 4-4 and Example 4-5.

Example 4-4 Output of show interfaces trunk Command on SW1 to Verify
Encapsulation
SW1#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Gi0/2 on 802.1q trunking 99
Port Vlans allowed on trunk
Gi0/2 1-4094

Port Vlans allowed and active in management domain
Gi0/2 1,100,200

Port Vlans in spanning tree forwarding state and not pruned
Gi0/2 1,100,200

Example 4-5 Output of show interface trunk Command on SW2 to Verify
Encapsulation
SW2#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Gi0/1 on isl trunking 99
Port Vlans allowed on trunk
Gi0/1 1-4094

Port Vlans allowed and active in management domain
Gi0/1 1,100,200

Port Vlans in spanning tree forwarding state and not pruned
Gi0/1 1,100,200


Incompatible Trunking Modes
There are different administrative trunking modes an interface can be configured to use
when forming a trunk, as follows:

■ Access: In this administrative mode, a switchport is manually configured to never
become a trunk even if DTP messages are received. This mode is designed for ports
that are connecting to, for example, end stations, servers, and printers, where a trunk
should never be required because only a single VLAN is needed. This mode can be
verified as shown in Example 4-6.

■ Trunk: In this administrative mode, a switchport is manually configured to always be
a trunk. This mode can be verified as shown in Example 4-7.

■ Dynamic desirable: In this administrative mode, a switchport actively tries to
become a trunk by negotiating with the other end of the link using DTP. If the other
end of the link agrees, a trunk is formed; if not, the port remains an access port that
listens for DTP messages and periodically sends DTP messages as it continues to try
to form a trunk. This mode can be verified as shown in Example 4-8.

■ Dynamic auto: In this administrative mode, a switchport is passively waiting for DTP
messages to arrive asking it to form a trunk. If it receives them, it will form a trunk.
If it does not receive any, it remains an access port that will listen for DTP messages.
This mode can be verified as shown in Example 4-9.

Example 4-6 Verifying Trunking Administrative Mode (Access)
SW1#show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 100 (VLAN100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

Example 4-7 Verifying Trunking Administrative Mode (Trunk)
SW1#show interfaces gigabitethernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

Example 4-8 Verifying Trunking Administrative Mode (Dynamic Desirable)
SW1#show interfaces gigabitethernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

Example 4-9 Verifying Trunking Administrative Mode (Dynamic Auto)
SW1#show interfaces gigabitethernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

The default administrative mode varies by Catalyst switch model. To verify the default
administrative mode on your model, issue the show interfaces interface_type
interface_number switchport command for an interface that is still using factory default
settings. Example 4-10 shows that interface Gigabit Ethernet 0/1 is using factory default
settings, because no other configurations have been applied to the interface, as shown in
the show run interface gigabitethernet 0/1 output. The output of show interfaces
gigabitethernet 0/1 switchport | include Administrative Mode indicates that the trunking
administrative mode is dynamic auto. Therefore, we can conclude dynamic auto is the
default on this switch because there is no command in the running configuration that
indicates otherwise.

Example 4-10 Verifying Default Trunking Mode on SW2
SW2#show run interface gigabitethernet 0/1
Building configuration...

Current configuration : 50 bytes
!
interface GigabitEthernet0/1
end

SW2#show interfaces gig 0/1 switchport | include Administrative Mode
Administrative Mode: dynamic auto

Some of these administrative modes are compatible with each other and will form a
trunk, whereas others are not, as shown in Table 4-2. While you are looking at Table 4-2,
remember that dynamic auto, dynamic desirable, and trunk all use DTP by default.

Table 4-2 Comparing Trunking Administrative Modes (rows: SW2 mode; columns: SW1 mode)

| SW2 \ SW1         | Dynamic Auto         | Dynamic Desirable    | Trunk                | Trunk Nonegotiate    | Access               |
| Dynamic Auto      | Access               | Trunk                | Trunk                | Limited connectivity | Access               |
| Dynamic Desirable | Trunk                | Trunk                | Trunk                | Limited connectivity | Access               |
| Trunk             | Trunk                | Trunk                | Trunk                | Trunk                | Limited connectivity |
| Trunk Nonegotiate | Limited connectivity | Limited connectivity | Trunk                | Trunk                | Limited connectivity |
| Access            | Access               | Access               | Limited connectivity | Limited connectivity | Access               |

As you can see in Table 4-2, if both switchports are configured as dynamic auto, a trunk
will not form. The switchports will remain as access ports and pass traffic for the VLAN
the port is a member of. To form a trunk with a switchport that is dynamic auto, the
other switchport must be using dynamic desirable or trunk (using DTP). Limited
connectivity is a result of one side being operationally a trunk and the other side being
operationally an access port. Connectivity will occur only if the access port VLAN on
one switch happens to be the same as the native VLAN for the 802.1Q trunk on the other
switch. If not, connectivity will be broken. This is because the access port sends the
frames untagged, and when the trunk port at the other end receives them, it treats them
as part of the native VLAN because of the missing tag. If these VLAN numbers match,
the frames are forwarded without a problem. However, if the native VLAN does not match
the VLAN configured on the access port, frames entering or leaving the trunk port are
placed in a different VLAN than the one the access port belongs to, so they are no longer
forwarded correctly and connectivity is broken. Memorizing Table 4-2 will definitely
prove beneficial if you ever have to troubleshoot trunk links that are not forming.
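Table 4-2 and the limited-connectivity explanation above can be expressed as a small decision function. The following is an added example (not the book's code) that derives each cell of Table 4-2 from the DTP behaviour described for each mode, and adds the native VLAN check that decides whether a limited-connectivity link passes any traffic at all.

```python
"""Trunking-mode compatibility model for Table 4-2 (constructed example, not the
book's code). Each cell is derived from the per-mode DTP behaviour described in
the text rather than copied from the table, so the table can be regenerated."""

MODES = ("dynamic auto", "dynamic desirable", "trunk", "trunk nonegotiate", "access")

# Modes that speak DTP by default (book: dynamic auto, dynamic desirable, trunk).
# 'trunk nonegotiate' and 'access' never send DTP and never answer it.
DTP_SPEAKERS = {"dynamic auto", "dynamic desirable", "trunk"}


def operational_mode(local, remote):
    """Operational mode a port settles on, given its own and the peer's
    administrative mode."""
    if local in ("trunk", "trunk nonegotiate"):
        return "trunk"                       # always a trunk, whatever the peer does
    if local == "access":
        return "access"                      # never a trunk, even if DTP arrives
    if local == "dynamic desirable":
        # Actively negotiates: any DTP-speaking peer agrees to trunk.
        return "trunk" if remote in DTP_SPEAKERS else "access"
    if local == "dynamic auto":
        # Passive: only trunks when the peer asks (desirable or trunk).
        return "trunk" if remote in ("dynamic desirable", "trunk") else "access"
    raise ValueError(f"unknown administrative mode: {local}")


def link_result(sw1_mode, sw2_mode):
    """'Trunk', 'Access' or 'Limited connectivity', as in Table 4-2."""
    ops = {operational_mode(sw1_mode, sw2_mode), operational_mode(sw2_mode, sw1_mode)}
    if ops == {"trunk"}:
        return "Trunk"
    if ops == {"access"}:
        return "Access"
    return "Limited connectivity"            # one end trunk, the other end access


def limited_link_forwards(access_vlan, trunk_native_vlan):
    """On a limited-connectivity link the access port sends frames untagged and the
    802.1Q trunk end files them under its native VLAN; traffic only flows when the
    access VLAN and the native VLAN are the same number."""
    return access_vlan == trunk_native_vlan


def compatibility_table():
    """Regenerate Table 4-2 as {(sw1_mode, sw2_mode): result}."""
    return {(a, b): link_result(a, b) for a in MODES for b in MODES}


if __name__ == "__main__":
    for (a, b), result in compatibility_table().items():
        print(f"SW1 {a:18} SW2 {b:18} -> {result}")
    print("access VLAN 100 vs native VLAN 99 forwards:", limited_link_forwards(100, 99))
```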

VTP Domain Name Mismatch
We will cover VTP in detail shortly. However, if you are using DTP to dynamically form
trunks and the VTP domain name does not match between the two switches, a trunk will
not be formed, as shown in Example 4-11.

Example 4-11 VTP Domain Name Mismatch Causes Trunk Not to Form
SW1#
%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Gi0/2 because of
VTP domain mismatch.

Native VLAN Mismatch
Trunk issues with the native VLAN only surface when we are using IEEE 802.1Q trunking
encapsulation. The concept of a native VLAN does not exist with Cisco ISL trunking
encapsulation. The native VLAN by default is VLAN 1 and is used to carry untagged
traffic across an 802.1Q trunk. It is imperative that the native VLAN matches on both
sides of a trunk link. If it does not, it is possible for traffic to leak from one VLAN to
another, resulting in an undesired forwarding behavior and possible errors with Spanning
Tree Protocol.

With a native VLAN mismatch, the trunk forms, and syslog messages are generated, as
shown in Example 4-12. From the example, you can see that Cisco Discovery Protocol
(CDP) is warning you about the native VLAN mismatch; however, if CDP is not enabled,
this message would not appear. Example 4-13 displays the output of show interfaces
trunk on SW1 and SW2, confirming that we have a native VLAN mismatch.

Example 4-12 Result of a Native VLAN Mismatch on a Trunk
SW1#
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/2
(1), with SW2 GigabitEthernet0/1 (99).
SW2#
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1
(99), with SW1 GigabitEthernet0/2 (1).


Example 4-13 Confirming the Native VLAN Mismatch with the show interfaces trunk
Command
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/2 desirable n-802.1q trunking 1
...output omitted...

SW2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/1 desirable n-802.1q trunking 99
...output omitted...

Allowed VLANs
By default, traffic for all VLANs will be forwarded on a trunk. You can modify this
behavior by identifying which VLANs are allowed on the trunk. You can accomplish
this manually or dynamically. If you are using VTP to propagate VLAN configuration
information, you can use the VTP pruning feature, which dynamically determines which
VLANs are needed on each of the trunks. You can enable VTP pruning with the vtp
pruning global configuration command. Many prefer to control the VLANs allowed on
trunks manually with the switchport trunk allowed vlan vlan_id command in interface
configuration mode. You can verify which VLANs are allowed on a trunk a few different
ways. You can use the show interfaces trunk command, the show interfaces
interface_type interface_number switchport command, or review the interface
configuration in the running configuration. Example 4-14 displays the output from these
three commands. Focus on the lines that identify which VLANs are allowed on the trunk
(Vlans allowed on trunk, Trunking VLANs Enabled, and switchport trunk allowed vlan). If
traffic is not flowing across a trunk for a specific VLAN, make sure that the VLAN is
allowed on the trunk.

Example 4-14 Verifying Allowed VLANs on a Trunk
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/2 desirable n-802.1q trunking 99

Port Vlans allowed on trunk
Gi0/2 100,200

Port Vlans allowed and active in management domain
Gi0/2 100,200

Port Vlans in spanning tree forwarding state and not pruned
Gi0/2 100,200

SW1#show interfaces gigabitethernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
...output omitted...
Trunking VLANs Enabled: 100,200
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
...output omitted...

SW1#show run interface gigabitethernet 0/2
Building configuration...

Current configuration : 167 bytes
!
interface GigabitEthernet0/2
switchport trunk native vlan 99
switchport trunk allowed vlan 100,200
switchport mode dynamic desirable
end
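A troubleshooter usually has the show interfaces switchport output from both ends of a trunk at hand. The added example below (not the book's code) parses such output for SW1 and SW2 and reports the encapsulation mismatch of Examples 4-2 and 4-3, the native VLAN mismatch of Example 4-12, and whether a given VLAN is allowed on both ends. The captures are condensed from those examples; the Trunking VLANs Enabled value for SW2 is an assumption chosen so that VLAN 100 is missing on one end.

```python
"""Compare both ends of a trunk from 'show interfaces <if> switchport' output.

Constructed example, not the book's code. The captures are condensed from the
book's examples: SW1 Gi0/2 with dot1q and native VLAN 1 (Examples 4-2, 4-12
and 4-14), SW2 Gi0/1 with ISL and native VLAN 99 (Examples 4-3 and 4-12).
SW2's 'Trunking VLANs Enabled' line is assumed, so VLAN 100 is not allowed there.
"""
import re

SW1_GI0_2 = """\
Name: Gi0/2
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 100,200
"""

SW2_GI0_1 = """\
Name: Gi0/1
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Trunking Native Mode VLAN: 99 (NATIVE)
Trunking VLANs Enabled: 1-99,200
"""


def parse_switchport(text):
    """'Key: value' lines -> dict of raw value strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def vlan_set(spec):
    """Expand '1-4094', '100,200' or 'ALL' into a set of VLAN IDs."""
    if spec.strip().upper() == "ALL":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def leading_int(value):
    """'99 (NATIVE)' -> 99."""
    return int(re.match(r"\d+", value).group())


def compare_trunk_ends(local_text, remote_text, vlans_of_interest=(100, 200)):
    """Return (code, local value, remote value) tuples for every mismatch that
    would stop the trunk forming or stop it carrying one of the listed VLANs."""
    a, b = parse_switchport(local_text), parse_switchport(remote_text)
    findings = []
    enc_a = a["Operational Trunking Encapsulation"]
    enc_b = b["Operational Trunking Encapsulation"]
    if enc_a != enc_b:
        findings.append(("encapsulation", enc_a, enc_b))      # trunk will not form
    if a["Operational Mode"] != "trunk" or b["Operational Mode"] != "trunk":
        findings.append(("operational-mode", a["Operational Mode"], b["Operational Mode"]))
    nat_a = leading_int(a["Trunking Native Mode VLAN"])
    nat_b = leading_int(b["Trunking Native Mode VLAN"])
    if "dot1q" in (enc_a, enc_b) and nat_a != nat_b:
        # Untagged frames land in different VLANs on each side. CDP reports
        # this (Example 4-12) only when CDP is enabled; this check does not depend on it.
        findings.append(("native-vlan", nat_a, nat_b))
    allowed_a = vlan_set(a["Trunking VLANs Enabled"])
    allowed_b = vlan_set(b["Trunking VLANs Enabled"])
    for vlan in vlans_of_interest:
        if vlan not in allowed_a or vlan not in allowed_b:
            findings.append((f"vlan {vlan} allowed", vlan in allowed_a, vlan in allowed_b))
    return findings


if __name__ == "__main__":
    for finding in compare_trunk_ends(SW1_GI0_2, SW2_GI0_1):
        print(finding)
```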

Troubleshooting VTP
Picture a network with 50 switches and 75 VLANs. You have been tasked with deploying
these 75 VLANs to all 50 switches. This is a large task that is definitely prone to human
error. VLAN Trunking Protocol (VTP) is designed to ease the deployment of VLAN
configuration information between switches across trunk links. This section explains
the reasons why VTP might not be sharing VLAN configuration information with other
switches in the domain. Figure 4-11 is used as the topology for the examples. SW1 and
SW2 need to have the same VLAN database.

Domain Name Mismatch
Switches that will learn VLAN configuration information from each other using VTP
need to be in the same VTP domain. The VTP domain is identified by a name known as
the VTP domain name, and it can be anything you want it to be. However, it must match
on the devices that will be exchanging VLAN configuration information. Suppose, for
example, that SW1 in Figure 4-11 is using a VTP domain name of TSHOOT and SW2 is
using a VTP domain name of TSHOOT. Obviously, they match. What about SW1 using
TSHOOT and SW2 using TSHO0T? It looks like they match, but they do not. The VTP
domain name for SW2 has a zero (0) in it instead of the letter O. Compare Examples 4-15
and 4-16, which display the output of show vtp status on SW1 and SW2. Are SW1 and
SW2 in the same VTP domain?

Example 4-15 Verifying the VTP Domain Name on SW1
SW1#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : Tshoot
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 001c.57fe.f600
...output omitted...

Example 4-16 Verifying the VTP Domain Name on SW2
SW2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : TSHOOT
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 2893.fe3b.0100
...output omitted...

Note that case does matter for the VTP domain name. Therefore, SW1 and SW2 are in
completely different VTP domains and will not share VLAN configuration information
with each other. In addition, as mentioned earlier, if you are using DTP to form a trunk
and you have a VTP domain name mismatch, a trunk will not form.

Version Mismatch
There are three versions of VTP: VTPv1, VTPv2, and VTPv3. VTPv1 is the default. If you
are running VTPv1, all switches need to be using VTPv1 to successfully exchange VLAN
configuration information. If you are running VTPv2 or VTPv3, the switches can use either
VTPv2 or VTPv3 because the two are compatible. However, to reduce the possibility of
issues, it is recommended that you avoid mixing VTP versions. To verify the VTP version
in use on a switch, issue the show vtp status command, as shown in Example 4-17. Also
notice in the output that SW2 is capable of running all three versions of VTP.

Example 4-17 Verifying the VTP Version on SW2
SW2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : TSHOOT
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 2893.fe3b.0100
...output omitted...

Mode Mismatch
VTP has four modes of operation: Server, Client, Transparent, and Off. For a switch to
use the VLAN configuration information in a VTP message, it must be in Server or Client
mode. A switch operating in Transparent mode will ignore the information contained in
a VTP message; however, it will still forward the message on to other switches. In Off
mode, the switch behaves the same as Transparent mode, except that it will not forward
the VTP messages that it receives. Therefore, if you are troubleshooting an issue that
involves missing VLANs on a switch and you are using VTP, check whether the switch
is in VTP Transparent mode or Off. To verify the VTP mode used on a switch, issue
the show vtp status command, as shown in Examples 4-18 and 4-19. In addition, with
VTPv3, only the VTP primary server can add or delete VLANs.

Example 4-18 Verifying the VTP Mode on SW1
SW1#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : SWITCH
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 2893.fe3b.0100

Feature VLAN:
--------------
VTP Operating Mode : Server
Number of existing VLANs : 10
Number of existing extended VLANs : 0
Maximum VLANs supported locally : 1005
Configuration Revision : 3
...output omitted...

Example 4-19 Verifying the VTP Mode on SW2
SW2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : SWITCH
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 001c.57fe.f600

Feature VLAN:
--------------
VTP Operating Mode : Client
Number of existing VLANs : 10
Number of existing extended VLANs : 0
Maximum VLANs supported locally : 255
Configuration Revision : 3
...output omitted...


Password Mismatch
To ensure that a switch only uses VTP configuration information from legitimate sources,
it is recommended that a VTP password is set. When a switch receives a VTP message
from another switch, it will verify that the attached message digest 5 (MD5) algorithm
hash matches its local hash. If it matches, the VTP message is from a legitimate source
and is processed. If not, the VTP message is discarded. Remember that the VTP password
is case sensitive. Example 4-20 shows how you can verify the password that is configured
with the show vtp password command and the hash value that will be used with the
show vtp status command.

Example 4-20 Verifying VTP Passwords
SW1#show vtp password
VTP Password: CCNP

SW1#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : SWITCH
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 2893.fe3b.0100

Feature VLAN:
--------------
VTP Operating Mode : Server
Number of existing VLANs : 11
Number of existing extended VLANs : 0
Maximum VLANs supported locally : 1005
Configuration Revision : 2
Primary ID : 2893.fe3a.e300
Primary Description : DSW1
MD5 digest : 0x98 0x29 0xB8 0x5D 0x4D 0x48 0x71 0xE3
0x8A 0x93 0x8E 0x82 0x2B 0xEA 0xA0 0x45
...output omitted...

Higher Revision Number
When a switch in VTP server mode makes a change to the VLAN database, it increments
the configuration revision number shown in Example 4-20. Currently it is 2, but if
another VLAN were added or a modification were made that affected the VLAN database,
VTP would increment the configuration revision number. This number is extremely
important because the switch with the higher configuration revision number is considered
to have the most up-to-date and valid VLAN database. However, this might not
always be the case. For example, suppose that you are preparing for the TSHOOT exam
and you are troubleshooting VLANs. You keep adding and deleting VLANs while using
VTPv1 to propagate your changes to the other switches in your lab pod. Now you have
a really high configuration revision number. The next day a coworker plugs your lab pod
into the production network, and your lab VLAN database overwrites the VLAN database
of the production network because you were using the same domain name and password
on your lab devices and the lab had a higher configuration revision number than the
production network. Now you need to rebuild the production VLAN database or restore
it from backup, if you have one.

You need to prevent this from ever happening by ensuring that no one uses the production
VTP domain name and password on other devices and then plugs them into the production
network. However, that is hard to control. So, it is better to run all the switches in
Transparent mode and only use Server or Client mode when you are building the VLAN
database or making significant changes that have to be propagated to all the other
switches. This is because Transparent mode switches do not update their VLAN database
from VTP messages, protecting you from having your VLAN database overwritten. You
may also want to place switches in VTP Transparent mode before they are added to the
domain, because that resets their configuration revision number to 0 (it is always 0 for
Transparent mode), so they cannot win a revision-number contest when they join. Your
best option is to use VTPv3, because only the VTP primary server is considered a trusted
source of VLAN database updates within the VTP domain; advertisements from any other
switch are ignored, ensuring that your database is not overwritten by a rogue switch. In
VTPv3 a switch becomes the primary server only when an administrator explicitly
promotes it with the vtp primary privileged EXEC command, so a switch cannot take over
that role simply by being connected to the network.
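The revision-number contest described above can be checked mechanically before a switch is connected. The following is an added example, not code from the Cert Guide: it parses show vtp status output collected from several switches and reports which of them would overwrite the production VLAN database under the VTPv1/v2 rules. The switch names (DSW1, ASW2, LABSW9, ASW3, LABSW1) and their outputs are constructed for this example, and the check assumes the passwords match, since that cannot be read from show vtp status.

```python
"""Added example: rank switches by VTP configuration revision and flag the ones
whose advertisements would overwrite a production VLAN database. Not from the
Cert Guide; sample outputs below are constructed."""

# Constructed 'show vtp status' excerpts. Real output has more lines, which the
# parser ignores; only the labels in FIELDS are read.
SAMPLE_STATUS = {
    # Production VLAN server with a low revision number.
    "DSW1": """\
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : SWITCH
VTP Operating Mode              : Server
Configuration Revision          : 2
MD5 digest                      : 0x98 0x29 0xB8 0x5D 0x4D 0x48 0x71 0xE3
""",
    # Production access switch that learns the database from DSW1.
    "ASW2": """\
VTP version running             : 2
VTP Domain Name                 : SWITCH
VTP Operating Mode              : Client
Configuration Revision          : 2
""",
    # Lab switch reusing the production domain name after a day of VLAN edits.
    "LABSW9": """\
VTP version running             : 2
VTP Domain Name                 : SWITCH
VTP Operating Mode              : Server
Configuration Revision          : 47
""",
    # Transparent switch: neither originates nor accepts database updates.
    "ASW3": """\
VTP version running             : 2
VTP Domain Name                 : SWITCH
VTP Operating Mode              : Transparent
Configuration Revision          : 0
""",
    # Different domain name: ignored by the SWITCH domain whatever its revision.
    "LABSW1": """\
VTP version running             : 2
VTP Domain Name                 : LAB
VTP Operating Mode              : Server
Configuration Revision          : 310
""",
}

FIELDS = {
    "VTP version running": "version",
    "VTP Domain Name": "domain",
    "VTP Operating Mode": "mode",
    "Configuration Revision": "revision",
}


def parse_vtp_status(output):
    """Extract version, domain, mode and revision from 'show vtp status' text.
    Matching on the label before ':' also works for the VTPv3 layout, where
    the same labels appear under the 'Feature VLAN:' heading."""
    parsed = {}
    for line in output.splitlines():
        label, sep, value = line.partition(":")
        label = label.strip()
        if sep and label in FIELDS:
            parsed[FIELDS[label]] = value.strip()
    parsed["version"] = int(parsed["version"])
    parsed["revision"] = int(parsed["revision"])
    return parsed


def revision_contenders(statuses, domain):
    """Return [(switch, revision)], highest revision first, for the switches whose
    advertisements VTPv1/v2 members of `domain` would accept: same domain name,
    not Transparent, and (for VTPv3) only the primary server. Password match is
    assumed, since it is not visible in 'show vtp status'."""
    contenders = []
    for name, output in statuses.items():
        st = parse_vtp_status(output)
        mode = st["mode"].lower()
        if st["domain"] != domain or mode == "transparent":
            continue
        if st["version"] >= 3 and mode != "primary server":
            continue
        contenders.append((st["revision"], name))
    contenders.sort(key=lambda item: (-item[0], item[1]))
    return [(name, revision) for revision, name in contenders]


def overwrite_risk(statuses, domain, production_server):
    """Names of switches carrying a revision strictly higher than the production
    server's: these would replace its VLAN database on connection."""
    prod_revision = parse_vtp_status(statuses[production_server])["revision"]
    return [name for name, rev in revision_contenders(statuses, domain)
            if rev > prod_revision]


if __name__ == "__main__":
    print(revision_contenders(SAMPLE_STATUS, "SWITCH"))
    print("would overwrite DSW1:", overwrite_risk(SAMPLE_STATUS, "SWITCH", "DSW1"))
```

Run against the constructed outputs, LABSW9 is the only switch reported as a threat to DSW1: ASW3 is Transparent and LABSW1 is in another domain, so neither can overwrite the SWITCH domain regardless of its revision. In practice you would feed the function outputs gathered from every switch in a rack before it is patched into production.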

Troubleshooting VLANs
Our discussions have led us to this important point in this chapter: Being able to identify
and solve issues with VLANs. This is an important task for any troubleshooter. Some of
these issues could be a result of a trunk or VTP issue, as previously discussed. This sec-
tion identifies the issues that might arise with VLANs and how you can fix them. The
discussion is based on Figure 4-11.

Incorrect IP Addressing
It all starts with the client configuration. If the IP address, subnet mask, or default
gateway is not configured correctly, frames will not flow as expected. Example 4-21
displays the output of ipconfig on PC1 and Server. If you look closely, you will notice that
Server is not addressed correctly and is therefore not in the same subnet as PC1. Because
PC1 believes Server is on a different subnet, PC1 sends the frame to its default gateway so
that it can be routed. This will fail at some point, because PC1 and Server are in the same
Layer 2 VLAN (as Figure 4-11 shows) but in different IP networks. Devices in the same
VLAN need to be in the same subnet so that frames can be sent from PC1 directly to
Server based on the Layer 2 MAC addresses.

Example 4-21 Verifying End-User IP Addresses
PC1>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.100.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.100.1

Server>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.10.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.10.1

Missing VLAN
For a switch to associate switchports with VLANs or to pass traffic over a trunk for a
VLAN, the switch needs to know about the VLAN. The command show vlan brief, as
shown in Example 4-22, displays the VLANs that are known by the switch.

Example 4-22 Verifying VLANs on a Switch
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/5, Gi0/6, Gi0/7, Gi0/8,
Gi0/9, Gi0/10, Gi0/11, Gi0/12,
Gi0/13, Gi0/14, Gi0/15, Gi0/16,
Gi0/17, Gi0/18, Gi0/19, Gi0/20,
Gi0/21, Gi0/22, Gi0/23, Gi0/24,
Te1/0/1, Te1/0/2
99 NATIVE active
100 10.1.100.0/24 active Gi0/1, Gi0/3
200 10.1.200.0/24 active Gi0/4
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

If any VLANs are missing from the output of show vlan brief that should be there, you
need to find out why. If VLANs are configured manually in your organization, the answer
is one of two reasons: Someone forgot to configure the VLAN on the switch, or someone
deleted the VLAN on the switch. If the creation and deletion of VLANs is learned by other
switches through VTP, you need to troubleshoot why VTP is not propagating the VLAN
information to the other switches. However, it is important to remember that if you are
using VTPv1 or 2 and a switch is added to the domain with the correct password and a
higher revision number, the VLAN database in your VTP domain will be overwritten by
this switch. Therefore, if you are missing VLANs, this could be the reason why.

In Example 4-23, which displays the output of show interfaces gigabitethernet 0/1
switchport, focus on the Access Mode VLAN line. Notice that in brackets, where the
name of the VLAN is normally displayed, it is listed as (Inactive). This is a great sign that
the interface belongs to a VLAN that does not currently exist on the switch. Note that
even though the port is up/up, because the VLAN does not exist, the port will not be
forwarding traffic.

Example 4-23 Identifying Missing VLANs on a Switch
SW1#show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 100 (Inactive)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

Incorrect Port Assignment
Once VLANs are created, switchports need to be assigned to VLANs. By default, all ports
are assigned to VLAN 1. The assignments should be based on which device is going to be
connected to that port (based on IP address, subnet mask, and default gateway). For
example, in Figure 4-11, PC1, PC2, PC4, and Server have to be in the same logical subnet
because they are all connected to ports in VLAN 100. PC3 and PC5 have to be in the same
subnet (but different from the other devices) because they are connected to ports in
VLAN 200. If this is not done, the VLAN to switchport assignments would be incorrect,
and the switch would not be able to forward the frames successfully between the devices
within the same VLAN. Example 4-24 displays the output of show vlan brief, which
identifies the VLANs ports are assigned to. Gig0/1 and Gig0/3 have been statically
assigned to VLAN 100, and Gig0/4 has been statically assigned to VLAN 200.

Example 4-24 Verifying Switchport Assignment
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/5, Gi0/6, Gi0/7, Gi0/8,
Gi0/9, Gi0/10, Gi0/11, Gi0/12,
Gi0/13, Gi0/14, Gi0/15, Gi0/16,
Gi0/17, Gi0/18, Gi0/19, Gi0/20,
Gi0/21, Gi0/22, Gi0/23, Gi0/24,
Te1/0/1, Te1/0/2
99 NATIVE active
100 10.1.100.0/24 active Gi0/1, Gi0/3
200 10.1.200.0/24 active Gi0/4
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

It is important to note that ports that belong to VLANs that do not exist will not be
displayed in the output of show vlan brief. As Example 4-23 displayed, they will appear as
(Inactive) in the output of show interfaces switchport. In addition, trunk ports will not
appear in the output of show vlan brief. Notice in Example 4-24 that Gig0/2 is missing
because it is a trunk port and does not belong to any single VLAN. It is passing traffic for
multiple VLANs.

The MAC Address Table
The MAC address table is the most important table for the switch. It is the structure that
the switch uses to make a forwarding decision. As discussed earlier, it is populated based
on the source MAC address of the frame when it arrives on a switchport. Therefore, when
SW1 received a frame inbound on Gigabit Ethernet 0/1 from PC1, it learned the MAC
from the frame and associated it with the port it arrived on and the VLAN the port is a
member of. This information is extremely valuable. If the MAC address table is not being
populated the way you expect it, you will need to figure out why. This section covers the
MAC address table and its importance, using Figure 4-11 as the reference topology.

Example 4-25 displays the dynamically learned MAC addresses on SW1 with the command
show mac address-table dynamic. The structure of the table is important. It lists the
VLANs, the dynamically learned MAC addresses, and the ports.

Example 4-25 SW1's MAC Address Table
SW1#show mac address-table dynamic
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
100 aaaa.aaaa.aaaa DYNAMIC Gi0/1
100 bbbb.bbbb.bbbb DYNAMIC Gi0/2
100 cccc.cccc.cccc DYNAMIC Gi0/3
100 dddd.dddd.dddd DYNAMIC Gi0/2
200 3333.3333.3333 DYNAMIC Gi0/4
200 5555.5555.5555 DYNAMIC Gi0/2
Total Mac Addresses for this criterion: 6

Let's look at an example. What can we conclude by looking at the MAC address table for
SW1 displayed in Example 4-26 when comparing it to Figure 4-11?

Example 4-26 Example of SW1's MAC Address Table
SW1#show mac address-table dynamic
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
100 bbbb.bbbb.bbbb DYNAMIC Gi0/2
100 cccc.cccc.cccc DYNAMIC Gi0/3
100 dddd.dddd.dddd DYNAMIC Gi0/2
200 3333.3333.3333 DYNAMIC Gi0/4
200 5555.5555.5555 DYNAMIC Gi0/2
200 aaaa.aaaa.aaaa DYNAMIC Gi0/1
Total Mac Addresses for this criterion: 6

When comparing Figure 4-11 with Example 4-26, we can conclude that interface Gigabit
Ethernet 0/1 is not a member of the correct VLAN. The MAC address table shows that the
MAC address of PC1 (AAAA.AAAA.AAAA) was learned on the correct interface, but the
VLAN number is 200 instead of 100. Reviewing the output of show vlan brief and show
interfaces gigabitethernet 0/1 switchport, as demonstrated in Example 4-27, confirms this
for us. Our next step is to reassign the port to the correct VLAN.

Example 4-27 Confirming SW1's VLAN Assignments
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/5, Gi0/6, Gi0/7, Gi0/8,
Gi0/9, Gi0/10, Gi0/11, Gi0/12,
Gi0/13, Gi0/14, Gi0/15, Gi0/16,
Gi0/17, Gi0/18, Gi0/19, Gi0/20,
Gi0/21, Gi0/22, Gi0/23, Gi0/24,
Te1/0/1, Te1/0/2
99 NATIVE active
100 10.1.100.0/24 active Gi0/3
200 10.1.200.0/24 active Gi0/1, Gi0/4
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

SW1#show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 200 (10.1.200.0/24)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

While troubleshooting, if you ever need to clear the dynamic entries in the MAC address
table immediately so that they can be relearned, giving you the opportunity to confirm
the correct associations, issue the clear mac address-table dynamic EXEC command.

Layer 2 Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in the
chapter. The purpose of these trouble tickets is to give a process that you can follow when
troubleshooting in the real world or in an exam environment. All trouble tickets in this
section are based on the topology depicted in Figure 4-12.

Figure 4-12 Topology for Trouble Tickets
[Figure: SW1 and SW2 are connected by a trunk between SW1 Gig0/2 and SW2 Gig0/1. On
SW1, PC1 (AAAA.AAAA.AAAA, 10.1.100.10/24, default gateway 10.1.100.1) is on Gig0/1 in
VLAN 100, PC2 (CCCC.CCCC.CCCC) is on Gig0/3 in VLAN 100, and PC3 (3333.3333.3333)
is on Gig0/4 in VLAN 200. On SW2, Server (BBBB.BBBB.BBBB, 10.1.100.100/24, default
gateway 10.1.100.1) and PC4 (DDDD.DDDD.DDDD) are on access ports in VLAN 100, and
PC5 (5555.5555.5555) is on an access port in VLAN 200.]
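The comparison the text makes by eye in Examples 4-26 and 4-27, and again in the trouble tickets that follow, can be scripted. The following is an added example, not code from the Cert Guide: it parses show mac address-table dynamic output from SW1 and checks every host from Figure 4-12 against the VLAN and port it should be learned on. The expected-placement table and both command outputs are constructed for this example (one mirrors the wrong-VLAN symptom of Trouble Ticket 4-1, the other the missing-entries symptom of Trouble Ticket 4-2).

```python
"""Added example: audit a switch's dynamic MAC address table against the
expected VLAN and port of each known host. Not from the Cert Guide; the
expected map and the sample outputs are constructed to match Figure 4-12."""
import re

# Where each host should be learned on SW1 according to Figure 4-12. Hosts on
# SW2 (Server, PC4, PC5) reach SW1 across the trunk, so they must appear on
# Gi0/2 in their own VLAN.
EXPECTED_ON_SW1 = {
    "aaaa.aaaa.aaaa": ("PC1", 100, "Gi0/1"),
    "cccc.cccc.cccc": ("PC2", 100, "Gi0/3"),
    "3333.3333.3333": ("PC3", 200, "Gi0/4"),
    "bbbb.bbbb.bbbb": ("Server", 100, "Gi0/2"),
    "dddd.dddd.dddd": ("PC4", 100, "Gi0/2"),
    "5555.5555.5555": ("PC5", 200, "Gi0/2"),
}

# Constructed: PC1 learned in VLAN 1 instead of 100 (Trouble Ticket 4-1).
MAC_TABLE_WRONG_VLAN = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aaaa.aaaa.aaaa    DYNAMIC     Gi0/1
 100    bbbb.bbbb.bbbb    DYNAMIC     Gi0/2
 100    cccc.cccc.cccc    DYNAMIC     Gi0/3
 100    dddd.dddd.dddd    DYNAMIC     Gi0/2
 200    3333.3333.3333    DYNAMIC     Gi0/4
 200    5555.5555.5555    DYNAMIC     Gi0/2
Total Mac Addresses for this criterion: 6
"""

# Constructed: VLAN 100 hosts behind the trunk are absent (Trouble Ticket 4-2).
MAC_TABLE_TRUNK_FILTERED = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    aaaa.aaaa.aaaa    DYNAMIC     Gi0/1
 100    cccc.cccc.cccc    DYNAMIC     Gi0/3
 200    3333.3333.3333    DYNAMIC     Gi0/4
 200    5555.5555.5555    DYNAMIC     Gi0/2
Total Mac Addresses for this criterion: 4
"""

# One table row: VLAN, dotted-hex MAC, type, port. Header, separator and
# "Total ..." lines do not match.
ENTRY = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE)


def parse_mac_table(output):
    """Return {mac: (vlan, port)} from 'show mac address-table [dynamic]' text."""
    table = {}
    for line in output.splitlines():
        m = ENTRY.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            table[mac.lower()] = (int(vlan), port)
    return table


def audit_mac_table(output, expected):
    """Compare learned entries with the expected placement.

    Returns {host: finding}, where finding is one of
      ("wrong_vlan", learned_vlan, expected_vlan)   access port in the wrong VLAN;
                                                    fix with 'switchport access vlan'
      ("wrong_port", learned_port, expected_port)   host moved or mis-patched
      ("not_learned", expected_vlan, expected_port) no frame seen from the host;
                                                    if expected on the trunk, check
                                                    the allowed VLAN list next
    A learned MAC that is not in the expected map is reported under the MAC
    itself as ("unexpected", vlan, port), which is worth a look on its own."""
    learned = parse_mac_table(output)
    findings = {}
    for mac, (host, exp_vlan, exp_port) in expected.items():
        if mac not in learned:
            findings[host] = ("not_learned", exp_vlan, exp_port)
            continue
        vlan, port = learned[mac]
        if vlan != exp_vlan:
            findings[host] = ("wrong_vlan", vlan, exp_vlan)
        elif port != exp_port:
            findings[host] = ("wrong_port", port, exp_port)
    for mac, (vlan, port) in learned.items():
        if mac not in expected:
            findings[mac] = ("unexpected", vlan, port)
    return findings


if __name__ == "__main__":
    print(audit_mac_table(MAC_TABLE_WRONG_VLAN, EXPECTED_ON_SW1))
    print(audit_mac_table(MAC_TABLE_TRUNK_FILTERED, EXPECTED_ON_SW1))
```

The first table yields a single wrong_vlan finding for PC1, the second yields not_learned for Server and PC4 only (PC5 in VLAN 200 is still learned on the trunk), which is the pattern that points at the trunk's allowed VLAN list rather than at SW1's access ports.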

Trouble Ticket 4-1
Problem: A user on PC1 indicates that he is not able to access a document on Server.

This is a typical description within a trouble ticket. Therefore, the first process is to
verify the issue. A simple ping from PC1 will help us with this, as shown in Example 4-28.

Example 4-28 Issuing a Ping from PC1
PC1>ping 10.1.100.100
Pinging 10.1.100.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.1.100.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The output of Example 4-28 indicates that the ping failed. What did we learn from this
ping? We learned that something between Layer 1 and Layer 3 of the OSI model is
preventing connectivity. Therefore, we can focus our troubleshooting efforts at these
layers. However, let's verify whether others are having the same issue. A ping from PC2 is
successful, as shown in Example 4-29. Therefore, it is not a problem with the server or the
path from PC2 to the server.

Example 4-29 Issuing a Ping from PC2
PC2>ping 10.1.100.100
Pinging 10.1.100.100 with 32 bytes of data:
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Ping statistics for 10.1.100.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Let's start by checking the IP address of PC1. Using the ipconfig command, as shown in
Example 4-30, indicates that the IP address, subnet mask, and default gateway are
10.1.100.10, 255.255.255.0, and 10.1.100.1. According to Figure 4-12, these are correct.

Example 4-30 Verifying PC1's Layer 3 Settings
PC1>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.100.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.100.1

The next step is to check the MAC address table on SW1 using the command show mac
address-table dynamic. Example 4-31 shows that the MAC address of PC1 was learned on
Gigabit Ethernet 0/1, which is correct. However, it is associated with VLAN 1 instead of
VLAN 100. It appears we have found the problem. However, let's confirm this further
with the show vlan brief command, as shown in Example 4-32.

Example 4-31 Verifying PC1 in the MAC Address Table on SW1
SW1#show mac address-table dynamic
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 aaaa.aaaa.aaaa DYNAMIC Gi0/1
100 bbbb.bbbb.bbbb DYNAMIC Gi0/2
100 cccc.cccc.cccc DYNAMIC Gi0/3
100 dddd.dddd.dddd DYNAMIC Gi0/2
200 3333.3333.3333 DYNAMIC Gi0/4
200 5555.5555.5555 DYNAMIC Gi0/2
Total Mac Addresses for this criterion: 6

Example 4-32 Verifying VLAN Port Assignments with the show vlan brief Command
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/1, Gi0/5, Gi0/6, Gi0/7,
Gi0/8, Gi0/9, Gi0/10, Gi0/11,
Gi0/12, Gi0/13, Gi0/14, Gi0/15,
Gi0/16, Gi0/17, Gi0/18, Gi0/19,
Gi0/20, Gi0/21, Gi0/22, Gi0/23,
Gi0/24, Te1/0/1, Te1/0/2
99 NATIVE active
100 10.1.100.0/24 active Gi0/3
200 10.1.200.0/24 active Gi0/4
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

To solve the problem, we change the VLAN assignment of Gigabit Ethernet 0/1 on SW1
with the switchport access vlan 100 interface command and verify that the problem is
solved by pinging from PC1 again. Example 4-33 confirms that the problem is solved.

Example 4-33 Confirming That the Problem Is Solved with a Successful Ping
PC1>ping 10.1.100.100
Pinging 10.1.100.100 with 32 bytes of data:
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Ping statistics for 10.1.100.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Trouble Ticket 4-2
Problem: A user on PC2 indicates that she is not able to access a document on Server.

As before, the first process is to verify the issue. A simple ping from PC2 will help us
with this, as shown in Example 4-34.

Example 4-34 Issuing a Ping from PC2
PC2>ping 10.1.100.100
Pinging 10.1.100.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.1.100.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The output of Example 4-34 indicates that the ping failed. What did we learn from this
ping? We learned that something between Layer 1 and Layer 3 of the OSI model is
preventing connectivity. Therefore, we can focus our troubleshooting efforts at these
layers. However, let's verify whether others are having the same issue. A ping from PC1
fails, as shown in Example 4-35. Therefore, this is not an isolated issue, and we should be
looking for causes that would affect multiple users.

Example 4-35 Issuing a Ping from PC1
PC1>ping 10.1.100.100
Pinging 10.1.100.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.1.100.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC1 and PC2 are both members of VLAN 100. The first thing that comes to mind is a
missing VLAN on SW1. Using the command show vlan brief on SW1 will verify whether
the VLAN exists and which switchports are associated with it. As you can see from
Example 4-36, VLAN 100 exists, and both switchports for PC1 and PC2 are associated
with it.

Example 4-36 Verifying That VLAN 100 Exists on SW1 with show vlan brief
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/5, Gi0/6, Gi0/7, Gi0/8,
Gi0/9, Gi0/10, Gi0/11, Gi0/12,
Gi0/13, Gi0/14, Gi0/15, Gi0/16,
Gi0/17, Gi0/18, Gi0/19, Gi0/20,
Gi0/21, Gi0/22, Gi0/23, Gi0/24,
Te1/0/1, Te1/0/2
99 NATIVE active
100 10.1.100.0/24 active Gi0/1, Gi0/3
200 10.1.200.0/24 active Gi0/4
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

However, this is not enough evidence to shift our focus just yet. The most important
information comes from the MAC address table. This will truly verify that the MAC
addresses of PC1 and PC2 are being learned on the correct interfaces and are being
associated with the correct VLAN. Example 4-37 displays the output of the show mac
address-table dynamic command and confirms for us that the MAC addresses are learned
correctly and that the ports are associated with the correct VLANs.

Example 4-37 Verifying the MAC Address in the MAC Address Table
SW1#show mac address-table dynamic
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
100 aaaa.aaaa.aaaa DYNAMIC Gi0/1
100 cccc.cccc.cccc DYNAMIC Gi0/3
200 3333.3333.3333 DYNAMIC Gi0/4
200 5555.5555.5555 DYNAMIC Gi0/2
Total Mac Addresses for this criterion: 4

However, look very closely at the MAC address table in Example 4-37. What is missing?
Do you see any reference to the MAC address of Server? The MAC address of Server is
not being learned on Gigabit Ethernet 0/2 of SW1. As a matter of fact, neither is PC4.
However, PC5 is being learned. This is a good indication that traffic for VLAN 100 is not
being allowed over the trunk. Let's verify this on SW1 with the command show interfaces
trunk, as shown in Example 4-38. This output shows that VLAN 100 and 200 are allowed
on the trunk between SW1 and SW2.

Example 4-38 Verifying Allowed VLANs on SW1 Trunks
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/2 desirable n-802.1q trunking 99

Port Vlans allowed on trunk
Gi0/2 100,200

Port Vlans allowed and active in management domain
Gi0/2 100,200

Port Vlans in spanning tree forwarding state and not pruned
Gi0/2 100,200

Let's check the output of show interfaces trunk on SW2. As shown in Example 4-39,
VLAN 200 is the only VLAN allowed on the trunk link. A further examination of the
running configuration, as shown in Example 4-40, indicates that only VLAN 200 is
allowed on the trunk.

Example 4-39 Verifying Allowed VLANs on SW2 Trunks
SW2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/1 desirable n-802.1q trunking 99

Port Vlans allowed on trunk
Gi0/1 200

Port Vlans allowed and active in management domain
Gi0/1 200

Port Vlans in spanning tree forwarding state and not pruned
Gi0/1 200

Example 4-40 Verifying Interface Configuration in the Running Configuration
SW2#show run interface gigabitethernet 0/1
Building configuration...

Current configuration : 167 bytes
!
interface GigabitEthernet0/1
 switchport trunk native vlan 99
 switchport trunk allowed vlan 200
 switchport mode dynamic desirable
end

After issuing the interface command switchport trunk allowed vlan 100,200 on Gigabit
Ethernet 0/1 of SW2 to allow both VLAN 100 and 200, you ping from PC1 and PC2 again
to verify that the issue is solved. The ping is successful from PC1 and PC2, as illustrated
in Example 4-41.

Example 4-41 Verifying That the Issue Is Solved
PC1>ping 10.1.100.100
Pinging 10.1.100.100 with 32 bytes of data:
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Ping statistics for 10.1.100.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

PC2>ping 10.1.100.100
Pinging 10.1.100.100 with 32 bytes of data:
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Ping statistics for 10.1.100.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
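The root cause of Trouble Ticket 4-2 was an allowed VLAN list that differed between the two ends of the trunk. The following is an added example, not code from the Cert Guide: it parses show interfaces trunk output from both switches and reports VLANs allowed on one end only, VLANs allowed but not active, and native VLAN mismatches. The two outputs are constructed to match Examples 4-38 and 4-39 (SW1 Gi0/2 allowing 100,200; SW2 Gi0/1 allowing only 200).

```python
"""Added example: diff the two ends of a trunk from 'show interfaces trunk'.
Not from the Cert Guide; the outputs below are constructed."""

SW1_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/2       desirable        n-802.1q       trunking      99

Port        Vlans allowed on trunk
Gi0/2       100,200

Port        Vlans allowed and active in management domain
Gi0/2       100,200

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/2       100,200
"""

SW2_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       desirable        n-802.1q       trunking      99

Port        Vlans allowed on trunk
Gi0/1       200

Port        Vlans allowed and active in management domain
Gi0/1       200

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       200
"""

# The three "Port  Vlans ..." blocks of the command, by heading.
SECTIONS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}


def expand_vlan_list(spec):
    """Turn an IOS VLAN list such as '1,10-12,99' into a set of ints.
    IOS prints 'none' when nothing is allowed and '1-4094' for everything."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            low, high = part.split("-", 1)
            vlans.update(range(int(low), int(high) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunks(output):
    """Return {port: {mode, encapsulation, status, native, allowed, active,
    forwarding}} from 'show interfaces trunk' output. Long VLAN lists that IOS
    wraps onto indented continuation lines are merged into the same set."""
    trunks = {}
    block = None
    last_port = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            heading = line[len("Port"):].strip()
            block = "status" if heading.startswith("Mode") else SECTIONS.get(heading)
            continue
        fields = line.split()
        if block == "status":
            last_port = fields[0]
            trunks.setdefault(last_port, {}).update(
                mode=fields[1], encapsulation=fields[2],
                status=fields[3], native=int(fields[4]))
        elif block in SECTIONS.values():
            if line[0].isspace():
                trunks[last_port][block] |= expand_vlan_list(fields[0])
            else:
                last_port = fields[0]
                trunks.setdefault(last_port, {})[block] = expand_vlan_list(fields[1])
    return trunks


def compare_trunk(local_output, local_port, remote_output, remote_port):
    """Report what differs between the two ends of one trunk. A VLAN under
    only_local or only_remote is tagged onto the wire by one side and dropped
    by the other, which is exactly the Trouble Ticket 4-2 failure."""
    a = parse_trunks(local_output)[local_port]
    b = parse_trunks(remote_output)[remote_port]
    return {
        "native_mismatch": a["native"] != b["native"],
        "only_local": sorted(a["allowed"] - b["allowed"]),
        "only_remote": sorted(b["allowed"] - a["allowed"]),
        "allowed_not_active_local": sorted(a["allowed"] - a["active"]),
        "allowed_not_active_remote": sorted(b["allowed"] - b["active"]),
    }


if __name__ == "__main__":
    print(compare_trunk(SW1_TRUNK, "Gi0/2", SW2_TRUNK, "Gi0/1"))
```

Against the constructed outputs the report lists VLAN 100 under only_local, matching what Examples 4-38 and 4-39 show. After switchport trunk allowed vlan 100,200 on SW2 the same comparison returns empty lists. Keeping the allowed list to exactly the VLANs a trunk must carry, as the corrected configuration does, also limits what a compromised host on either side can reach, and a native_mismatch result is worth treating as a security finding in its own right, since frames for one VLAN are then delivered untagged into another.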

Exam Preparation Tasks
As mentioned in the section "How to Use This Book" in the Introduction, you have a
couple of choices for exam preparation: the exercises here, Chapter 22, "Final
Preparation," and the exam simulation questions on the CD-ROM.

Review All Key Topics
Review the most important topics in this chapter, noted with the Key Topic icon in the
outer margin of the page. Table 4-3 lists a reference of these key topics and the page
numbers on which each is found.

Table 4-3 Key Topics for Chapter 4
Key Topic Element   Description                                                    Page Number
Paragraph           A review of the frame-forwarding process                       132
List                Outlines potential issues that arise with a Layer 2 topology   140
Example 4-2         Output of show interfaces switchport command on SW1 to         141
                    verify encapsulation
Example 4-3         Output of show interfaces switchport command on SW2 to         141
                    verify encapsulation
Example 4-6         Verifying trunking administrative mode (access)                143
Example 4-7         Verifying trunking administrative mode (trunk)                 143
Example 4-12        Result of native VLAN mismatch on trunk                        146
Section             Allowed VLANs                                                  147
Example 4-15        Verifying the VTP domain name on SW1                           148
Example 4-16        Verifying the VTP domain name on SW2                           149
Example 4-22        Verifying VLANs on a switch                                    153
Section             Incorrect port assignment                                      154
Paragraph           Using the MAC address table during troubleshooting             155

Define Key Terms
Define the following key terms from this chapter and check your answers in the glossary:
frame, source MAC, destination MAC, MAC address table, VLAN, access port, trunk,
encapsulation, 802.1Q, ISL, native VLAN, dynamic auto, dynamic desirable, VTP, VTP
domain name

Complete Tables and Lists from Memory
Print a copy of Appendix C, "Memory Tables" (found on the disc), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix D, "Memory
Tables Answer Key," also on the disc, includes completed tables and lists to check your
work.

Command Reference to Check Your Memory
This section includes the most important EXEC show commands covered in this chapter.
The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a
networking professional. Therefore, you should be able to identify the commands needed
to successfully troubleshoot switches. It might not be necessary to memorize the complete
syntax of every command, but you should be able to remember the basic keywords that
are needed. To test your memory of the commands, cover the right side of Table 4-4 with
a piece of paper, read the description on the left side, and then see how much of the
command you can remember.

Table 4-4 EXEC CLI show Commands
Task                                                            Command Syntax
Displays the contents of the MAC address table, including       show mac address-table [dynamic]
the MAC address associated with a port and the VLAN the
port is a member of. With the dynamic keyword, only
dynamically learned entries are displayed. Without the
dynamic keyword, both static and dynamic entries are
displayed.
Clears dynamically learned MAC addresses from the MAC          clear mac address-table dynamic
address table of a switch. This can allow a troubleshooter
to determine whether a previously learned MAC address is
relearned. Note that on some versions of Cisco IOS running
on Cisco Catalyst switches, the clear mac address-table
command contains a hyphen between mac and address (that
is, clear mac-address-table).
Shows to which VLANs the ports of a switch belong.              show vlan brief
Displays which VLANs are permitted on the trunk ports of a      show interfaces trunk
switch and which switchports are configured as trunks.
Displays VLAN and trunk information related to a switchport.    show interfaces interface_type
You can verify the operational mode (access or trunk), in       interface_number switchport
addition to the encapsulation (802.1Q or ISL). You can also
verify the access VLAN the port will be a member of if it is
an access port, in addition to the native VLAN if it is a
trunk port.
Displays the VTP domain name, version, mode, configuration      show vtp status
revision number, and MD5 hash.
Displays the configured VTP password.                           show vtp password

This chapter covers the following topics:

■ Spanning-Tree Protocol Overview: This section reviews how STP determines the STP
topology from root bridge election to which ports will be nondesignated.

■ Collecting Information About an STP Topology: This section identifies the show
commands required to successfully troubleshoot STP issues.

■ STP Troubleshooting Issues: This section focuses on what could happen if STP is not
behaving as expected.

■ Troubleshooting STP Features: This section reviews STP features such as PortFast,
BPDU Guard, Root Guard, and BPDU Filter.

■ STP Trouble Tickets: This section provides trouble tickets that demonstrate how a
structured troubleshooting process can be used to solve a reported problem.

■ Troubleshooting Layer 2 EtherChannel: This section reviews how Layer 2
EtherChannels are formed and identifies issues that could cause them to fail. It also
identifies the show commands that can help during the troubleshooting process.

■ EtherChannel Trouble Tickets: This section provides trouble tickets that demonstrate
how a structured troubleshooting process can be used to solve a reported problem.

CHAPTER 5

Troubleshooting STP and Layer 2 EtherChannel

Maintaining high availability for today's enterprise networks is a requirement for many
applications, such as voice and e-commerce, which can impact a business's bottom line if
these applications are unavailable for even a short period. To improve availability, many
enterprise networks interconnect Layer 2 switches with redundant connections, allowing a
single switch or a single link to fail while still maintaining connectivity between any two
network endpoints. Such a redundant topology, however, can result in Layer 2 loops, which
can cause frames to endlessly circle a LAN (for example, broadcast frames creating a
broadcast storm). Therefore, Spanning Tree Protocol (STP) is used to logically break these
Layer 2 topological loops by strategically blocking ports, while being able to detect a link
failure and bring up a previously blocked switchport to restore connectivity. This chapter
reviews the operation of STP and focuses on troubleshooting STP issues.

In addition, this chapter reviews how you can combine multiple physical Layer 2
switchports into a logical EtherChannel bundle. This increases the total bandwidth
available on uplinks and tricks STP into thinking there is only one port between the
switches instead of multiple ports. As a result, all links are used for traffic forwarding
instead of STP blocking them.

"Do I Know This Already?" Quiz
The "Do I Know This Already?" quiz allows you to assess whether you should read this
entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in
doubt about your answers to these questions or your own assessment of your knowledge
of the topics, read the entire chapter. Table 5-1 lists the major headings in this chapter and
their corresponding "Do I Know This Already?" quiz questions. You can find the answers
in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes."

Table 5-1 "Do I Know This Already?" Section-to-Question Mapping
Foundation Topics Section                       Questions
Spanning-Tree Protocol Overview                 1-4
Collecting Information About an STP Topology    5
STP Troubleshooting Issues                      6
Troubleshooting STP Features                    7
Troubleshooting Layer 2 EtherChannel            8-10

Caution
The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you
do not know the answer to a question or are only partially sure of the answer, you should
mark that question as wrong for purposes of the self-assessment. Giving yourself credit
for an answer that you correctly guess skews your self-assessment results and might
provide you with a false sense of security.

1. What determines the switch that will be the STP root bridge for a VLAN?
a. Lowest priority
b. Lowest MAC address
c. Lowest bridge ID
d. Lowest cost

2. What is the STP port type for all ports on a root bridge?
a. Designated port
b. Root port
c. Nondesignated port
d. Nonroot port

3. When determining the root port of a nonroot bridge, if cost is tied, what is referenced
next to break the tie?
a. Downstream bridge ID
b. Upstream bridge ID
c. Downstream port ID
d. Upstream port ID

4. What is the maximum age for an STP BPDU in seconds?
a. 2
b. 15
c. 20
d. 50

5. Which two of the following commands are most helpful in determining STP
information for a Layer 2 switch?
a. show spanning-tree vlan
b. debug spanning-tree state
c. show spanning-tree interface
d. show port span

STP b. Interface speed b.) a. and if the port receives a superior BPDU it places it in the root inconsistent state? a. Interface mode (access/trunk) c. Which switch feature allows multiple physical links to be bonded into a logical link? a. What are two common issues that could result from an STP failure? a. Active – Passive b. PortFast 8. Chapter 5: Troubleshooting STP and Layer 2 EtherChannel 171 6. PortFast d. What must match on physical switchports to successfully form an EtherChannel bundle? (Choose three. Switch virtual interfaces 9. MAC address table corruption 7. EtherChannel c. Which STP feature ensures that certain ports in the STP topology never become root ports. Desirable – Auto d. Desirable – Passive From the Library of Outcast Outcast . MAC address table filling to capacity d. Tagged frames being sent into a native VLAN b. STP port cost 10. On – Active c. Root Guard d. BPDU Filter c. Native VLAN d. Broadcast storms c. BPDU Guard b. What combination will successfully form a Cisco proprietary Layer 2 EtherChannel bundle? a.

Foundation Topics

Spanning Tree Protocol Overview

Network availability at Layer 2 of the OSI model requires redundant links between the switches in your topology as well as redundant paths through the network. However, this creates a problem known as a Layer 2 loop. Notice how traffic from SW1 can be sent on both links to SW2 and vice versa, as shown with Loop 1 in Figure 5-1. Therefore, traffic sent from SW1 on one link to SW2 can go back to SW1 on the other link and continue indefinitely, because there is no mechanism built in to a Layer 2 frame that will stop the frame from looping forever through the network. This is different from Layer 3 packets, which have a time-to-live (TTL) field that will terminate the packet if it does not reach its destination within a finite number of router hops. In addition, notice how there is a larger loop between SW1, SW3, and SW2 (Loop 2). Therefore, frames sent out any of the interfaces interconnecting these switches could loop indefinitely through the network as well.

Therefore, Layer 2 loops need to be prevented by a protocol known as Spanning Tree Protocol (STP). IEEE 802.1D STP allows a network to physically have Layer 2 loops while strategically blocking data from flowing over one or more switchports to prevent the looping of traffic.

Figure 5-1 Layer 2 Loops (SW1, MAC address AAAA.AAAA.AAAA, and SW2, MAC address BBBB.BBBB.BBBB, are connected by two links, Gi1/0/5 to Gi1/0/5 and Gi1/0/6 to Gi1/0/6, which form Loop 1; SW1 Gi1/0/1 connects to SW3 Gi0/1 and SW2 Gi1/0/2 connects to SW3 Gi0/2, SW3 having MAC address CCCC.CCCC.CCCC, which forms Loop 2; all three switches use priority 32768)

You need to have a solid understanding of how STP makes decisions when troubleshooting Layer 2 issues. Therefore, this section reviews how an STP topology is dynamically formed. In addition, this section discusses commands useful in troubleshooting STP issues.

Reviewing STP Operation

STP uses Bridge Protocol Data Units (BPDUs) to build the STP topology. BPDU messages are exchanged every 2 seconds by default across switches to detect loops in a network topology. BPDU packets contain information on ports, addresses, priorities, and costs needed to build the STP topology and ensure that the data ends up where it was intended to go. The loops are then removed by logically blocking selected bridge interfaces and placing them in the blocked state. STP prevents Layer 2 loops from occurring in a network, because such an occurrence could result in a broadcast storm or the corruption of a switch’s MAC address table.

Switches in an STP topology are classified as one of the following:

■ Root bridge: The root bridge is a switch elected to act as a reference point for a spanning tree topology. The switch with the lowest bridge ID (BID) is elected as the root bridge. The BID is made up of a priority value (default is 32768) and a MAC address (the base Ethernet MAC of the switch, as shown in the output of the show version command). The priority is used first; only if the priority is tied between two or more switches will the MAC address be used to break the tie. The MAC address is read left to right. Because a MAC address is based on hexadecimal, lower to higher is 0–9, then A–F.

■ Nonroot bridge: All other switches in the STP topology are considered nonroot bridges.

Figure 5-2 illustrates the root bridge election in a network. Notice that because all bridge priorities are 32768 (default), the switch with the lowest MAC address (that is, SW1) is elected as the root bridge.

Figure 5-2 Root Bridge Election (the Figure 5-1 topology; SW1, MAC address AAAA.AAAA.AAAA, is the root bridge, and SW2 and SW3 are nonroot bridges)

Remember the golden rule of STP: Lower is better and ties are not acceptable.

Note Remembering this rule will help you during each step of the election processes.

Switchports in an STP topology are categorized as one of the port roles described in Table 5-2 and illustrated in Figure 5-3.

Table 5-2 STP Port Roles

Port Role                Description
Root port (RP)           Every nonroot bridge has a single root port (this is mandatory). It is the port on the switch that is closest to the root bridge, in terms of cost, which is inversely proportional to bandwidth by default. If cost is tied, the upstream BID is used to break the tie. If the upstream BID is tied, the upstream port ID (PID) is used to break the tie.
Designated port (DP)     Every network segment has a single designated port (this is mandatory). It is the port on the segment that is closest to the root bridge, in terms of cost. If cost is tied, the lowest BID among the switches attached to the segment is used to break the tie. If that BID is tied, the port ID (PID) is used to break the tie.
Nondesignated port (X)   These are the ports blocking traffic to create a loop-free topology.

Note Because all ports on the root bridge are as close as you could get to the root bridge, all ports on a root bridge are DPs.

Figure 5-3 STP Port Roles (the Figure 5-1 topology with roles marked: on root bridge SW1, Gi1/0/5, Gi1/0/6, and Gi1/0/1 are all DPs; on SW2, Gi1/0/5 is the RP, Gi1/0/2 is a DP, and Gi1/0/6 is nondesignated; on SW3, Gi0/1 is the RP and Gi0/2 is nondesignated)
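To make the rules in Table 5-2 concrete, the following Python program (an added example; it is not code from this book or from Cisco) elects the root bridge, root ports, designated ports, and blocked ports for the Figure 5-3 topology, and then shows what happens when an attacker’s bridge claiming priority 0 is patched into an access port. It assumes every link is Gigabit Ethernet with the 802.1D cost of 4 from Table 5-3, every port uses the default port priority of 128, and a port’s PID number is the last number in its interface name, so that Gi1/0/5 advertises 128.5. The switch names, priorities, and MAC addresses are those labeled in the figure; the ROGUE bridge, its MAC address, and the SW3 Gi0/3 port it attaches to are hypothetical.

```python
"""STP root bridge and port role election for the Figure 5-3 topology.

Added example, not code from the book or from Cisco. It applies the Table 5-2 rules:
the lowest bridge ID (priority, then MAC) is the root; each nonroot bridge picks the
port with the lowest (cumulative cost, upstream BID, upstream PID) as its root port;
each segment's designated port is the end whose bridge has the lowest (root path cost,
BID, PID); everything else is nondesignated and blocks.
Assumptions (not stated in the figure): every link is 1 Gbps with the 802.1D cost of 4,
every port uses the default port priority of 128, and a port's PID number is the last
number in its interface name, so Gi1/0/5 advertises PID 128.5.
"""

FIGURE_5_3_BRIDGES = {            # name: (priority, base MAC) as labelled in Figure 5-3
    "SW1": (32768, "AAAA.AAAA.AAAA"),
    "SW2": (32768, "BBBB.BBBB.BBBB"),
    "SW3": (32768, "CCCC.CCCC.CCCC"),
}
FIGURE_5_3_LINKS = [              # (switch A, port A, switch B, port B, port cost)
    ("SW1", "Gi1/0/5", "SW2", "Gi1/0/5", 4),
    ("SW1", "Gi1/0/6", "SW2", "Gi1/0/6", 4),
    ("SW1", "Gi1/0/1", "SW3", "Gi0/1", 4),
    ("SW2", "Gi1/0/2", "SW3", "Gi0/2", 4),
]


def bid(priority, mac):
    """Bridge ID compares priority first, then the MAC read left to right (hex order)."""
    return (priority, mac.lower())


def pid(ifname, port_priority=128):
    """Port ID: assumed port priority 128 plus the interface's last number (Gi1/0/5 -> 128.5)."""
    return (port_priority, int(ifname.rsplit("/", 1)[-1]))


def elect(bridges, links):
    """Return root bridge, root port and root path cost per switch, designated port per segment, blocked ports."""
    root = min(bridges, key=lambda name: bid(*bridges[name]))
    adjacency = {name: [] for name in bridges}
    for a, ifa, b, ifb, cost in links:
        adjacency[a].append((ifa, b, ifb, cost))
        adjacency[b].append((ifb, a, ifa, cost))

    root_path_cost, root_port = {root: 0}, {}
    # Settle bridges in increasing root path cost, like BPDUs radiating out from the root.
    while len(root_path_cost) < len(bridges):
        best = None
        for name in bridges:
            if name in root_path_cost:
                continue
            candidates = [
                (root_path_cost[peer] + cost, bid(*bridges[peer]), pid(peer_if), local_if)
                for local_if, peer, peer_if, cost in adjacency[name] if peer in root_path_cost
            ]
            if candidates:
                cost, _, _, local_if = min(candidates)   # Table 5-2 root port tie-breakers
                key = (cost, bid(*bridges[name]), name, local_if)
                if best is None or key < best:
                    best = key
        if best is None:
            raise ValueError("a bridge has no path to the root")
        cost, _, name, local_if = best
        root_path_cost[name], root_port[name] = cost, local_if

    designated = {}
    for a, ifa, b, ifb, cost in links:
        end_a = (root_path_cost[a], bid(*bridges[a]), pid(ifa))
        end_b = (root_path_cost[b], bid(*bridges[b]), pid(ifb))
        designated[f"{a}:{ifa}-{b}:{ifb}"] = (a, ifa) if end_a < end_b else (b, ifb)

    all_ports = {(a, ifa) for a, ifa, _, _, _ in links} | {(b, ifb) for _, _, b, ifb, _ in links}
    blocked = sorted(all_ports - set(root_port.items()) - set(designated.values()))
    return {"root": root, "root_ports": root_port, "root_path_cost": root_path_cost,
            "designated": designated, "blocked": blocked}


def with_rogue_bridge(bridges, links, attach_to="SW3", attach_port="Gi0/3"):
    """Same topology plus a hypothetical attacker bridge claiming priority 0 on an access port."""
    rogue_bridges = dict(bridges, ROGUE=(0, "DDDD.DDDD.DDDD"))
    rogue_links = links + [(attach_to, attach_port, "ROGUE", "Gi0/1", 4)]
    return elect(rogue_bridges, rogue_links)


if __name__ == "__main__":
    result = elect(FIGURE_5_3_BRIDGES, FIGURE_5_3_LINKS)
    print("root:", result["root"], "root ports:", result["root_ports"], "blocked:", result["blocked"])
    rogue = with_rogue_bridge(FIGURE_5_3_BRIDGES, FIGURE_5_3_LINKS)
    print("with a priority-0 rogue attached:", rogue["root"], rogue["root_ports"])
```

Run it with python3 and compare the printed roles with Figure 5-3. The rogue case is the reason Root Guard and BPDU Guard (covered later in this chapter) exist: with default priorities, any device that can send a BPDU carrying a lower bridge ID becomes the root and pulls the Layer 2 topology, and its traffic, toward itself.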

Table 5-3 shows the default port costs for various link speeds for both 802.1D STP and its successor 802.1D-2004 STP. Notice that the higher the speed, the lower the cost.

Table 5-3 Default Port Costs

Link Speed                    802.1D STP Port Cost    802.1D-2004 STP Port Cost
10 Mbps (Ethernet)            100                     2000000
100 Mbps (Fast Ethernet)      19                      200000
1 Gbps (Gigabit Ethernet)     4                       20000
10 Gbps (Ten Gig Ethernet)    2                       2000
100 Gbps                      N/A                     200
1 Tbps                        N/A                     20
10 Tbps                       N/A                     2

Determining Root Port

Being able to determine why a port has a specific role is important for troubleshooting and tuning the STP topology. Notice the root port for switch SW2 is Gig 1/0/5 in Figure 5-3. Why was it chosen as the root port? If you are not sure, review the following steps for determining the root port on a switch:

1. Identify the port that has the lowest cumulative cost path to the root bridge. Remember that a lower cost is better and that the cost used is the cumulative path cost. In Figure 5-3, the total cost from SW2 Gi1/0/5 to the root bridge is 4. The total cost from SW2 Gi1/0/6 to the root bridge is 4. The total cost from SW2 Gi1/0/2 to the root bridge is (4 + 4) 8. Therefore, we have a tie for the lowest value at 4. Remember, lower is better and ties are not acceptable. Proceed to Step 2.

2. When the path cost is tied, you use the lowest upstream BID as a tiebreaker. Identify the SW2 port (Gi1/0/5 or Gi1/0/6) that receives a BPDU with a lower upstream BID. The priority is checked first for the BPDUs received by SW2 on Gi1/0/5 and Gi1/0/6 from SW1. In this case, the BPDUs will have the same priority because they are sent from the same switch (SW1) with a priority of 32768. Next is to compare the MAC addresses listed in the BPDUs. Again, they are both the same because switches use the same base Ethernet MAC address for all BPDUs sent on all interfaces. In Figure 5-3, both received BPDUs from SW1 have a priority of 32768 and a MAC of AAAA.AAAA.AAAA. Therefore, the BID received in the BPDUs from SW1 is tied. Proceed to Step 3.

3. When the upstream BID is tied, you use the upstream PID to break the tie. Identify the port that receives a BPDU with a lower upstream PID. When SW1 sends BPDUs, it includes a PID. This PID includes a port priority number and an interface number. The priority number can be manually changed (default 128); however, the interface number cannot. It is generated by the switch to identify the port. SW1 would more than likely have a PID of 128.5 on Gi1/0/5 and 128.6 on Gi1/0/6 by default. Therefore, when SW2 receives the BPDUs from SW1, the received BPDU on Gi1/0/5 has a PID attached of 128.5 and the received BPDU on Gi1/0/6 has a PID attached of 128.6. Lower is better. Therefore, SW2 Gi1/0/5 is elected the root port based on the PID value sent from SW1 in the BPDUs.

Focusing on SW3 in Figure 5-3 shows a total cost of 4 to get to the root bridge using Gi0/1 and a total cost of 8 using Gi0/2. Therefore, Gi0/1 is elected as the root port.

Determining Designated Port

When determining the designated ports for each segment, you follow the same steps listed in the previous section for the root port election. Remember that every port on the root bridge will be a designated port. Therefore, without performing any calculations, you already know a few designated ports in the topology. As a result, in Figure 5-3 the only link/segment remaining without a designated port is the segment between SW2 and SW3. We can see that it is already labeled as Gi1/0/2 on SW2, but why? Let’s walk through the steps together:

1. Identify the port on the segment with the lowest cumulative cost back to the root bridge. SW2 Gi1/0/2 has a cumulative cost (including the cost of the segment itself) of (4 + 4) = 8. SW3 Gi0/2 has a cumulative cost (including the cost of the segment itself) of (4 + 4) = 8. We have a tie; therefore, we move on to Step 2.

2. Find the upstream switch with the lowest BID. This is tricky if you do not know where to position yourself. Here is my trick. Pretend you are standing in the middle of the segment between SW2 and SW3. Point to SW2. What is the priority? 32768. Point to SW3. What is the priority? 32768. We have a tie. We then need to look at the MAC address. Still standing in the middle of the segment, point to SW2. What is the MAC address? BBBB.BBBB.BBBB. Point to SW3. What is the MAC address? CCCC.CCCC.CCCC. Which one is lower? It is the MAC address of SW2. Therefore, SW2’s port Gi1/0/2 is the designated port for the segment between SW2 and SW3.

Determining Nondesignated Port

Every other port that is not a root port or a designated port is a nondesignated port and will be blocking traffic, as depicted in Figure 5-3. Nondesignated ports do not forward traffic during normal operation but do receive BPDUs to determine the state of the STP topology. If a link in the topology goes down, the nondesignated port indirectly detects the link failure from BPDUs and determines whether it needs to transition to the forwarding state or not to ensure network availability while preventing loops. If a nondesignated port does need to transition to the forwarding state, the type of STP in use will determine how long it takes to transition to the forwarding state. STP (802.1D), Common Spanning Tree (CST), and Cisco’s implementation of STP (PVST+) transition through the following states:

■ Blocking: The port remains in the blocking state until it needs to transition. During the blocking state, a nondesignated port evaluates BPDUs in an attempt to determine its role in the spanning tree. If it needs to transition, it will wait for 20 seconds by default. This is known as the max age time. It is essentially the time-to-live of a BPDU. A BPDU is only valid for 20 seconds. If a new BPDU is not received before the max age time expires, the switch considers the BPDU stale and transitions to the listening state.

■ Listening: The port remains in this state for 15 seconds by default (15 seconds is known as the forward delay). During this time, the port sources BPDUs, which inform adjacent switches of the port’s intent to forward data, and it receives BPDUs from other switches, which help in building the STP topology and determining the root ports and designated ports.

■ Learning: The port moves from the listening state to the learning state and remains in this state for 15 seconds by default. During this time, the port begins to add entries to its MAC address table while still sending and receiving BPDUs to ensure that the decisions made in relation to the STP topology are still accurate.

■ Forwarding: The port moves from the learning state to the forwarding state and begins to forward frames while learning MAC addresses and sending and receiving BPDUs. Root ports and designated ports are in this state.

As you can see, the total time to transition from the blocking state to the forwarding state is 50 seconds with 802.1D. Rapid Spanning Tree Protocol (802.1w) and Multiple Spanning Tree Protocol (802.1s) use a handshaking mechanism rather than timers as their primary method of convergence. As a result, convergence is 5 seconds or less. However, 802.1w and 802.1s rely on the same timers as 802.1D as a backup. If the handshaking mechanism fails, or if a neighboring switch is using 802.1D, timers are used for backward compatibility.

Collecting Information About an STP Topology

Cisco Catalyst switches will dynamically form a spanning-tree topology using default port costs and bridge priorities right out of the box. You do not have to do anything. However, the resulting STP topology might not be the best for your organization. For example, you might want to influence a particular switch to become a root bridge to ensure optimal traffic forwarding through a Layer 2 topology. Or, you might want traffic for one VLAN to take a certain path while traffic for other VLANs takes a different path, which will more than likely be the case. If you ever need to manipulate STP, you need to know the current topology and how to modify it. This section identifies the various methods we can use to gather information about our STP topology.

Gathering STP Information

When troubleshooting an STP topology, one of the first tasks is to learn which switch is acting as the root bridge, in addition to learning the port roles on the various switches in the topology.

Not only is this information important in understanding how frames are currently flowing through the topology, but comparing the current STP state of a topology to a baseline state can also provide clues as to the underlying cause of an issue, such as suboptimal traffic forwarding.

The show spanning-tree [vlan vlan_id] command can display information about the STP state of a switch. Consider Example 5-1, which shows the output from the show spanning-tree vlan 1 command. The VLAN is specified because Cisco Catalyst switches use Per-VLAN Spanning Tree + (PVST+) by default. PVST+ allows a switch to run a separate STP instance for each VLAN.

Example 5-1 show spanning-tree vlan Command Output

SW3#show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32768
             Address     aaaa.aaaa.aaaa
             Cost        4
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     cccc.cccc.cccc
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.25   P2p
Gi0/2               Altn BLK 4         128.26   P2p

The output in Example 5-1 shows that SW3 is not the root bridge for the spanning tree of VLAN 1. This is because the MAC address of the root bridge (Root ID) differs from the MAC address of SW3 (Bridge ID), and the output does not state that this switch is the root bridge. In addition, there is a root port on the switch, which a root bridge cannot have. The Gig 0/1 port of switch SW3 is the root port of the switch, whereas port Gig 0/2 is a nondesignated port. (That is, it is a blocking port.) Note that the port cost of Gig 0/1 is 4, and the port cost of Gig 0/2 is 4 as well.

The show spanning-tree interface interface_type interface_number detail command, as shown in Example 5-2, displays the number of BPDUs sent and received, the port identifier, and the designated root and designated bridge priority and MAC address. Note that in a stable topology, root ports should only receive BPDUs, and designated ports should only send BPDUs. Therefore, if you see a high number of both sent and received BPDUs on ports, you have an unstable STP topology and need to determine why this is so and fix it.
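The following Python script (an added example; it is not code from this book or from Cisco) turns the Example 5-1 and Example 5-2 output, reproduced inline, into a structured summary and applies the two rules just stated: the switch is the root only when the Root ID and Bridge ID addresses match, and a root port with a high sent count, or a designated port with a high received count, points to an unstable topology. The UNSTABLE_PORT sample and the tolerance of 10 stray BPDUs are constructed for the example.

```python
"""Parse show spanning-tree output into a topology summary and sanity-check BPDU counters.

Added example, not code from the book or from Cisco. EXAMPLE_5_1 and EXAMPLE_5_2 below
reproduce the output shown in this section; UNSTABLE_PORT is a constructed detail
output for comparison. The checks encode the text's rules: a switch is the root only
when the Root ID and Bridge ID addresses agree, and in a stable topology a root port
only receives BPDUs while a designated port only sends them.
"""
import re

EXAMPLE_5_1 = """\
SW3#show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32768
             Address     aaaa.aaaa.aaaa
             Cost        4
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     cccc.cccc.cccc
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.25   P2p
Gi0/2               Altn BLK 4         128.26   P2p
"""

EXAMPLE_5_2 = """\
SW3#show spanning-tree interface gig 0/1 detail
 Port 25 (GigabitEthernet0/1) of VLAN0001 is root forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.25.
   Designated root has priority 32768, address aaaa.aaaa.aaaa
   Designated bridge has priority 32768, address aaaa.aaaa.aaaa
   Designated port id is 128.1, designated path cost 0
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1, received 1245
"""

# Constructed: a root port that has also been sending BPDUs, i.e. its role keeps changing.
UNSTABLE_PORT = EXAMPLE_5_2.replace("BPDU: sent 1, received 1245", "BPDU: sent 830, received 812")

PORT_ROW = re.compile(
    r"^(\S+)\s+(Root|Desg|Altn|Back|Mstr)\s+(FWD|BLK|LRN|LIS|LBK)\s+(\d+)\s+(\d+\.\d+)\s+(.*?)\s*$", re.M)
ROLE_WORDS = {"root": "Root", "designated": "Desg", "alternate": "Altn", "backup": "Back"}


def parse_spanning_tree(text):
    """Summarise one STP instance from show spanning-tree [vlan vlan_id] output."""
    instance = re.search(r"^(VLAN\d+|MST\d+)\s*$", text, re.M).group(1)
    root = re.search(r"Root ID\s+Priority\s+(\d+)\s+Address\s+([0-9a-f.]+)", text)
    bridge = re.search(r"Bridge ID\s+Priority\s+(\d+)\s+(?:\([^)]*\)\s+)?Address\s+([0-9a-f.]+)", text)
    root_port = re.search(r"^\s+Port\s+\d+\s+\(([^)]+)\)", text, re.M)
    ports = [{"name": n, "role": r, "state": s, "cost": int(c), "prio_nbr": p, "type": t}
             for n, r, s, c, p, t in PORT_ROW.findall(text)]
    return {
        "instance": instance,
        "root_priority": int(root.group(1)), "root_mac": root.group(2),
        "bridge_priority": int(bridge.group(1)), "bridge_mac": bridge.group(2),
        "is_root": root.group(2) == bridge.group(2),      # the text's criterion
        "root_port": root_port.group(1) if root_port else None,
        "ports": ports,
        "blocked": [p["name"] for p in ports if p["state"] == "BLK"],
    }


def parse_interface_detail(text):
    """Return (interface, role, BPDUs sent, BPDUs received) from show spanning-tree interface ... detail."""
    head = re.search(r"Port \d+ \(([^)]+)\) of \S+ is (\w+) \w+", text)
    counters = re.search(r"BPDU: sent (\d+), received (\d+)", text)
    return head.group(1), ROLE_WORDS[head.group(2)], int(counters.group(1)), int(counters.group(2))


def bpdu_counters_consistent(role, sent, received, tolerance=10):
    """Apply the stable-topology rule; a handful of stray BPDUs at link-up is normal, hence the tolerance."""
    if role in ("Root", "Altn", "Back"):
        return sent <= tolerance          # these ports should only be receiving
    if role == "Desg":
        return received <= tolerance      # designated ports should only be sending
    return True


if __name__ == "__main__":
    summary = parse_spanning_tree(EXAMPLE_5_1)
    print(summary["instance"], "root bridge?", summary["is_root"],
          "root port:", summary["root_port"], "blocked:", summary["blocked"])
    for sample in (EXAMPLE_5_2, UNSTABLE_PORT):
        name, role, sent, received = parse_interface_detail(sample)
        print(name, role, "sent", sent, "received", received,
              "stable:", bpdu_counters_consistent(role, sent, received))
```

Feed it the same two commands from every switch in the VLAN and you have the baseline the text recommends: the root MAC address must agree everywhere, exactly one port per nonroot switch may be Root, and a port whose counters grow in both directions is where to start looking.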

Example 5-2 show spanning-tree interface interface_type interface_number detail Command Output

SW3#show spanning-tree interface gig 0/1 detail
 Port 25 (GigabitEthernet0/1) of VLAN0001 is root forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.25.
   Designated root has priority 32768, address aaaa.aaaa.aaaa
   Designated bridge has priority 32768, address aaaa.aaaa.aaaa
   Designated port id is 128.1, designated path cost 0
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1, received 1245

Gathering MSTP Information

Multiple Spanning Tree Protocol (MSTP) allows you to group multiple VLANs into a single STP instance, thus conserving CPU resources. This significantly improves STP in end-to-end VLAN deployments where a large number of VLANs are maintained by many switches. When you group various VLANs together into the same instance, the CPU does not have to process BPDUs for all the different VLANs. In fact, with MSTP, only MST0 (known as the IST) is used to send BPDUs, and all the other MST instances are listed in the MST0 BPDUs as M-records. This improves CPU performance.

Consider this. If you have 100 VLANs and you only have 2 uplinks from an access layer switch to the distribution layer, you can group half the VLANs in one instance and the other half in another instance. You can then manipulate which switch is the root bridge so that one instance ends up using one uplink and the other instance uses the other uplink. You have just achieved load sharing and reduced the number of STP instances from 100 to 2. To ensure you optimize load sharing, you need to gather statistics about the traffic flowing through the network on a VLAN-by-VLAN basis and make sure that you do not place heavily used VLANs in the same MSTP instance, or you will not achieve optimal load sharing.

When deploying and troubleshooting MSTP, you have to remember these three very important rules for switches in the same region:

■ The MSTP region name must match.

■ The MSTP revision number must match.

■ The MSTP instance to VLAN mappings must be the same on all the switches.

To verify the current region name, revision number, and VLAN to instance mappings on a switch, issue the show spanning-tree mst configuration command, as shown in Example 5-3.

If any of the items listed do not match exactly, the digest that is sent within an MSTP BPDU will be different, and the switches will consider each other to be in different MSTP regions and therefore produce different spanning-tree topologies than the administrator envisioned.
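The three rules above can be checked mechanically from the configuration instead of waiting for the digests in the BPDUs to disagree. The following Python script (an added example; it is not code from this book or from Cisco) parses show spanning-tree mst configuration output collected from two switches and reports anything that would split the region. SW3_MST reproduces the values of Example 5-3 (shown next); SW2_MST is a constructed mismatch with revision 11 and VLAN 100 moved to instance 2, and the SW2 hostname is hypothetical.

```python
"""Check that switches share the three MSTP region parameters.

Added example, not code from the book or from Cisco. A switch sends its region name,
revision and a digest of its VLAN-to-instance table in its BPDUs; a neighbour with a
different digest is treated as another region. This script compares the configured
inputs instead: it parses show spanning-tree mst configuration output from several
switches and reports what would split the region. SW3_MST reproduces Example 5-3's
values; SW2_MST is a constructed mismatch (revision 11, VLAN 100 moved to instance 2).
"""
import re

SW3_MST = """\
SW3#show spanning-tree mst configuration
Name      [TSHOOT]
Revision  10    Instances configured 2

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-99,101-199,201-4094
1         10,100
2         20,200
-------------------------------------------------------------------------------
"""

SW2_MST = """\
SW2#show spanning-tree mst configuration
Name      [TSHOOT]
Revision  11    Instances configured 2

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-99,101-199,201-4094
1         10
2         20,100,200
-------------------------------------------------------------------------------
"""


def expand_vlans(spec):
    """'1-9,11-19,100' -> {1, ..., 9, 11, ..., 19, 100}"""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_mst_config(text):
    """Region name, revision and {instance: set of VLANs} from show spanning-tree mst configuration."""
    name = re.search(r"^\s*Name\s+\[?([^\]\s]*)\]?", text, re.M).group(1)
    revision = int(re.search(r"^\s*Revision\s+(\d+)", text, re.M).group(1))
    mapping = {int(inst): expand_vlans(spec)
               for inst, spec in re.findall(r"^\s*(\d+)\s+([\d,\-]+)\s*$", text, re.M)}
    return {"name": name, "revision": revision, "mapping": mapping}


def vlans_mapped_exactly_once(config):
    """Every VLAN 1-4094 must belong to exactly one instance (unlisted VLANs sit in instance 0)."""
    counts = {}
    for vlans in config["mapping"].values():
        for vlan in vlans:
            counts[vlan] = counts.get(vlan, 0) + 1
    return set(counts) == set(range(1, 4095)) and all(c == 1 for c in counts.values())


def region_mismatches(configs):
    """configs: {switch: parsed}. Returns (switch, reason) pairs for switches that would not
    join the first switch's region."""
    reference_switch, reference = next(iter(configs.items()))
    problems = []
    for switch, cfg in configs.items():
        if switch == reference_switch:
            continue
        if cfg["name"] != reference["name"]:
            problems.append((switch, f"region name {cfg['name']!r} != {reference['name']!r}"))
        if cfg["revision"] != reference["revision"]:
            problems.append((switch, f"revision {cfg['revision']} != {reference['revision']}"))
        if cfg["mapping"] != reference["mapping"]:
            moved = set()
            for inst in set(cfg["mapping"]) | set(reference["mapping"]):
                moved |= cfg["mapping"].get(inst, set()) ^ reference["mapping"].get(inst, set())
            problems.append((switch, f"VLAN-to-instance mapping differs for VLANs {sorted(moved)}"))
    return problems


if __name__ == "__main__":
    configs = {"SW3": parse_mst_config(SW3_MST), "SW2": parse_mst_config(SW2_MST)}
    for switch, reason in region_mismatches(configs):
        print(f"{switch}: {reason}")
```

Collect the command output from every switch that is supposed to be in the region and pass the parsed results as one dictionary; an empty list means the name, revision, and full VLAN-to-instance table agree, which is exactly what makes the digests agree.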

Example 5-3 show spanning-tree mst configuration Command Output

SW3#show spanning-tree mst configuration
Name      TSHOOT
Revision  10    Instances configured 2

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-99,101-199,201-4094
1         10,100
2         20,200
-------------------------------------------------------------------------------

STP Troubleshooting Issues

If STP fails to operate correctly, Layer 2 frames can endlessly circulate through a network because of the loop created. This behavior can lead to issues such as MAC address table corruption and broadcast storms. In this section we analyze the results of an STP failure.

Corruption of a Switch’s MAC Address Table

Recall from Chapter 4, “Troubleshooting Layer 2 Trunks, VTP, and VLANs,” that the MAC address table determines what a switch will do with a frame. Therefore, this table needs to be accurate. A switch will dynamically learn what MAC addresses are reachable off its ports; however, in the event of an STP failure, the MAC address table of a switch can become corrupt. To illustrate, consider Figure 5-4. PC1 is transmitting traffic to PC2. When the frame sent from PC1 is transmitted on segment A, the frame is seen on the Gig 0/1 ports of switches SW1 and SW2, causing both switches to add an entry to their MAC address tables (AAAA.AAAA.AAAA is associated with port Gig 0/1). Because STP is not functioning, both switches then forward the frame out segment B. As a result, PC2 receives two copies of the frame. Also, switch SW1 sees the frame forwarded out the Gig 0/2 port of switch SW2. Similarly, switch SW2 sees the frame forwarded onto segment B by switch SW1 on its Gig 0/2 port. Because the frame has a source MAC address of AAAA.AAAA.AAAA, switch SW1 incorrectly updates its MAC address table, indicating that a MAC address of AAAA.AAAA.AAAA resides off port Gig 0/2. Similarly, switch SW2 also incorrectly updates its MAC address table. As a result of this, all frames destined to AAAA.AAAA.AAAA will be forwarded out Gig0/2 and never reach PC1.

That was a simplified example of what would occur. In reality, as frames continue to propagate through the network, not only would the MAC address table be corrupt, it would be unstable. At one moment AAAA.AAAA.AAAA would be learned on Gig0/1, then Gig0/2, then back on Gig0/1, then Gig0/2.
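The flapping just described can be reproduced in a few lines. The following Python program (an added example; it is not code from this book or from Cisco) models source-MAC learning on SW1, feeds it the Figure 5-4 sequence of arrivals, and raises a notification in the format of the IOS SW_MATM-4-MACFLAP_NOTIF syslog message when an address changes ports repeatedly. The timing of the arrivals, the VLAN number, the five-second window, and the threshold of two moves are constructed for the example, as are the control case of a host that is simply re-patched and its MAC address.

```python
"""MAC address table corruption from an STP failure, replayed from Figure 5-4.

Added example, not code from the book or from Cisco. A per-switch table learns source
MAC addresses the way a switch does; because nothing blocks the loop, the frame PC1
sends (source AAAA.AAAA.AAAA) enters SW1 on Gig 0/1, leaks onto segment B, and re-enters
on Gig 0/2, so the entry keeps moving. A MAC whose port changes repeatedly inside a
short window is reported in the format of the IOS SW_MATM-4-MACFLAP_NOTIF message.
The sequence of observations, the VLAN (20), and the window/threshold are constructed.
"""
from collections import defaultdict, deque


class MacTable:
    def __init__(self, switch, window=5, flap_threshold=2):
        self.switch = switch
        self.table = {}                       # (vlan, mac) -> port it was last seen on
        self.moves = defaultdict(deque)       # (vlan, mac) -> recent (time, from, to) port changes
        self.window = window                  # seconds of history kept per MAC (constructed)
        self.flap_threshold = flap_threshold  # changes inside the window that count as flapping
        self.notifications = []

    def learn(self, now, vlan, src_mac, port):
        """Source learning: a frame's source MAC is (re)associated with the ingress port."""
        key = (vlan, src_mac.lower())
        previous = self.table.get(key)
        self.table[key] = port
        if previous is not None and previous != port:
            history = self.moves[key]
            history.append((now, previous, port))
            while history and now - history[0][0] > self.window:
                history.popleft()
            if len(history) >= self.flap_threshold:
                a, b = sorted({previous, port})
                self.notifications.append(
                    f"%SW_MATM-4-MACFLAP_NOTIF: Host {key[1]} in vlan {vlan} "
                    f"is flapping between port {a} and port {b}")
        return port

    def lookup(self, vlan, dst_mac):
        """Forwarding decision for a unicast destination (None means flood as unknown unicast)."""
        return self.table.get((vlan, dst_mac.lower()))


def replay_figure_5_4(rounds=3):
    """Each round: PC1's frame arrives on SW1 Gig 0/1, then the copy SW2 flooded onto
    segment B arrives back on SW1 Gig 0/2 with the same source MAC."""
    sw1, now = MacTable("SW1"), 0
    for _ in range(rounds):
        sw1.learn(now, 20, "AAAA.AAAA.AAAA", "Gi0/1")
        sw1.learn(now + 1, 20, "AAAA.AAAA.AAAA", "Gi0/2")
        now += 2
    return sw1


def host_moved_once():
    """Control case: a host re-patched from one port to another is a single move, not a flap."""
    sw = MacTable("SW2")
    sw.learn(0, 20, "0011.2233.4455", "Gi0/1")     # constructed host MAC
    sw.learn(30, 20, "0011.2233.4455", "Fa0/7")
    return sw


if __name__ == "__main__":
    sw1 = replay_figure_5_4()
    print("SW1 thinks PC1 is reachable via", sw1.lookup(20, "AAAA.AAAA.AAAA"))
    for line in sw1.notifications:
        print(line)
    print("single move, notifications:", host_moved_once().notifications)
```

After three rounds SW1 believes PC1 sits behind Gig 0/2, which is the wrong side, and four notifications have been raised. The same message is worth alerting on even when STP is healthy: a host spoofing another station’s MAC address produces identical port-to-port flapping, so a burst of MACFLAP messages is a symptom to triage, not only an STP annoyance.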

Figure 5-4 MAC Address Table Corruption (PC1, MAC address AAAA.AAAA.AAAA, sits on Segment A, which connects to Gig 0/1 of both SW1 and SW2; Segment B connects the Gig 0/2 ports of both switches and PC2; each switch’s MAC address table ends up listing AAAA.AAAA.AAAA on both Gig 0/1 and Gig 0/2, and PC2 receives duplicate frames)

You will be able to recognize this issue because syslog messages will be generated identifying that you have MAC addresses flapping between different ports on the same switch. The following syslog messages show that the MAC addresses are being learned on Gi0/1 and Gi0/2, and this would occur only if there were a loop allowing the same frame to be seen on multiple interfaces:

%SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.0114 in vlan 20 is flapping between port Gi0/1 and port Gi0/2
%SW_MATM-4-MACFLAP_NOTIF: Host 8049.7111.7e05 in vlan 502 is flapping between port Gi0/1 and port Gi0/2
%SW_MATM-4-MACFLAP_NOTIF: Host 0050.b60c.f21b in vlan 20 is flapping between port Gi0/1 and port Gi0/2

Broadcast Storms

As previously mentioned, when a switch receives a broadcast frame (that is, a frame destined for a MAC address of FFFF.FFFF.FFFF), the switch floods the frame out all switchports except the port on which the frame was received. The same is true for unknown unicast and multicast frames. Because a Layer 2 frame does not have a TTL field, a broadcast frame endlessly circulates through the Layer 2 topology, consuming resources on both switches and attached devices (for example, user PCs). Figure 5-5 illustrates how a broadcast storm can form in a Layer 2 topology when STP is not functioning correctly.

Figure 5-5 Broadcast Storm (PC1 on Segment A, attached to Gig 0/1 of SW1 and SW2; PC2 on Segment B, attached to Gig 0/2 of both switches; the numbered steps below are marked on the figure)

1. PC1 sends a broadcast frame onto Segment A, and the frame enters each switch on port Gig 0/1.

2. Both switches flood a copy of the broadcast frame out of their Gig 0/2 ports (that is, onto Segment B), causing PC2 to receive two copies of the broadcast frame.

3. Both switches receive a copy of the broadcast frame on their Gig 0/2 ports (that is, from Segment B) and flood the frame out of their Gig 0/1 ports (that is, onto Segment A), causing PC1 to receive two copies of the broadcast frame. This behavior continues as the broadcast frame copies continue to loop through the network.

The performance of PC1 and PC2 is impacted, because they also continue to receive copies of the broadcast frame that they must process.

A common complaint you will receive from multiple network users at the same time when there is an STP issue is that the network/Internet is really slow. This is because of the broadcast storm consuming the majority of the resources in the Layer 2 network. Therefore, the frames going to the resources that the users need to access are not making it to the destination, or are taking a really long time, because the network is congested.

Troubleshooting STP Features

STP relies on many features to protect the topology. These features are not enabled by default. Knowing how to troubleshoot these features is important to ensure the STP topology is functioning as it should. This section discusses these features and reviews the commands needed to troubleshoot them.

PortFast

The PortFast feature is used to transition a switchport to the forwarding state as soon as the switchport is enabled. (A device is plugged in.) If you are using PortFast with PVST+, RPVST+, or MSTP, when a BPDU is received on a PortFast-enabled switchport, the switchport will immediately transition out of the PortFast state and become a normal switchport, and the switchport is not shut down. This ensures that it transitions through the necessary states and processes before going to the forwarding state, so that a loop is not caused.

You can enable PortFast on an interface-by-interface basis with the spanning-tree portfast interface command or globally with the spanning-tree portfast default command, which will enable it on all nontrunking switchports. Example 5-4 identifies three ways to verify PortFast is enabled on an interface.

Example 5-4 Verifying PortFast-Enabled Interfaces

SW3#show run interface fa0/1
Building configuration...

Current configuration : 108 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
end

SW3#show spanning-tree interface fastEthernet 0/1 portfast
VLAN0010            enabled

SW3#show spanning-tree interface fastEthernet 0/1 detail
 Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 081f.f34e.e300
   Designated bridge has priority 32778, address 2893.fe3a.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 11, received 0

If you enabled PortFast globally, you can use another show command to verify that PortFast was enabled globally: show spanning-tree summary, as shown in Example 5-5. In Example 5-5, notice that PortFast Default is enabled. Also notice how the output of the command show spanning-tree interface fastEthernet 0/1 detail in Example 5-5 is different when compared to Example 5-4. It states, “The port is in the portfast mode by default,” which indicates that PortFast was enabled globally.
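Because PVST+, RPVST+, and MSTP only drop a PortFast port back to normal operation when a BPDU arrives, a PortFast edge port without BPDU Guard (covered in the next section) still lets a rogue switch, or a host sending crafted BPDUs, take part in the topology. The following Python script (an added example; it is not code from this book or from Cisco) audits for that by combining show spanning-tree summary, the port table from show spanning-tree, and the running configuration. The three inputs are constructed in the layouts this chapter’s examples use; the interface names and configuration lines in them are hypothetical.

```python
"""Find PortFast edge ports that are not protected by BPDU Guard.

Added example, not code from the book or from Cisco. With PVST+/RPVST+/MSTP a BPDU
arriving on a PortFast port only drops the port out of PortFast; it does not stop a
rogue switch (or a host sending BPDUs) from joining the topology. BPDU Guard is what
shuts such a port. This script combines show spanning-tree summary (global defaults),
the show spanning-tree port table (Edge ports) and the running config (per-interface
overrides). All three inputs below are constructed in the layouts the chapter's examples use.
"""
import re

SUMMARY_GUARD_OFF = """\
Switch is in rapid-pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is enabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short
"""
SUMMARY_GUARD_ON = SUMMARY_GUARD_OFF.replace("BPDU Guard Default  is disabled", "BPDU Guard Default  is enabled")

PORT_TABLE = """\
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Desg FWD 19        128.1    P2p Edge
Fa0/2               Desg FWD 19        128.2    P2p Edge
Gi0/1               Root FWD 4         128.25   P2p
Gi0/2               Altn BLK 4         128.26   P2p
"""

RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

GLOBAL_FLAGS = ("Portfast Default", "PortFast BPDU Guard Default", "Portfast BPDU Filter Default", "Loopguard Default")
SHORT = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}


def parse_summary(text):
    """Global STP feature defaults from show spanning-tree summary; None if a line is absent."""
    flags = {}
    for key in GLOBAL_FLAGS:
        m = re.search(rf"{re.escape(key)}\s+is\s+(enabled|disabled)", text)
        flags[key] = (m.group(1) == "enabled") if m else None
    return flags


def edge_ports(port_table):
    """Interfaces whose Type column is tagged Edge (PortFast active) in show spanning-tree."""
    rows = re.findall(r"^(\S+)\s+(?:Root|Desg|Altn|Back|Mstr)\s+\S+\s+\d+\s+\d+\.\d+\s+(.*?)\s*$", port_table, re.M)
    return [name for name, port_type in rows if "Edge" in port_type.split()]


def interface_blocks(running_config):
    """{interface: [config lines]} from running-config text (a block ends at '!' or the next interface)."""
    blocks, current = {}, None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks


def short_name(ifname):
    """FastEthernet0/1 -> Fa0/1, the form used in the show spanning-tree port table."""
    m = re.match(r"([A-Za-z]+)(.*)", ifname)
    return SHORT.get(m.group(1), m.group(1)) + m.group(2)


def unguarded_edge_ports(summary, port_table, running_config):
    """Edge ports where neither the global PortFast BPDU Guard default nor an interface command applies."""
    guard_default = parse_summary(summary)["PortFast BPDU Guard Default"]
    per_port = {short_name(name): cmds for name, cmds in interface_blocks(running_config).items()}
    unguarded = []
    for port in edge_ports(port_table):
        cmds = per_port.get(port, [])
        if "spanning-tree bpduguard enable" in cmds:
            continue                                   # explicitly guarded
        if guard_default and "spanning-tree bpduguard disable" not in cmds:
            continue                                   # inherits the global default
        unguarded.append(port)
    return unguarded


if __name__ == "__main__":
    print("guard default off:", unguarded_edge_ports(SUMMARY_GUARD_OFF, PORT_TABLE, RUNNING_CONFIG))
    print("guard default on: ", unguarded_edge_ports(SUMMARY_GUARD_ON, PORT_TABLE, RUNNING_CONFIG))
```

With the global default disabled, Fa0/2 is an edge port with no protection; enabling spanning-tree portfast bpduguard default (or the interface command) empties the list. Note that the audit takes the Edge flag from the port table rather than from the configuration, because a globally enabled PortFast leaves no spanning-tree portfast line under the interface.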

This ensures that the STP topol- ogy remains predictable..25 P2p Gi0/2 Altn BLK 4 128...e300 Designated bridge has priority 32778. BPDU Guard BPDU Guard is used to enforce STP domain borders. As shown in Example 5-6.---------------------- Fa0/1 Desg FWD 19 128.. Fa 0/1 is listed as an Edge port indicated that PortFast is enabled on the interface.f34e. Designated root has priority 10. hold 0 Number of transitions to forwarding state: 1 The port is in the portfast mode by default Link type is point-to-point by default Bpdu filter is enabled by default BPDU: sent 11.2 P2p Edge Gi0/1 Root FWD 4 128. Port priority 128.1.output omitted.. forward delay 0. Example 5-6 Using show spanning-tree to Verify PortFast Status SW3#show spanning-tree .output omitted. address 081f.b800 Designated port id is 128.26 P2p .. Interface Role Sts Cost Prio. address 2893.fe3a. designated path cost 4 Timers: message age 0.--------.1 P2p Edge Fa0/2 Desg FWD 19 128.184 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide Example 5-5 Verifying Globally Enabled PortFast Interfaces SW3#show spanning-tree summary Switch is in rapid-pvst mode Root bridge for: EtherChannel misconfig guard is enabled Extended system ID is enabled Portfast Default is enabled PortFast BPDU Guard Default is disabled Portfast BPDU Filter Default is disabled Loopguard Default is disabled UplinkFast is disabled BackboneFast is disabled Configured Pathcost method used is short SW3#show spanning-tree interface fastEthernet 0/1 detail Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding Port path cost 19.-------.. When a BPDU is received on a switchport enabled with BPDU From the Library of Outcast Outcast .Nbr Type ------------------.---..--. Port Identifier 128.1. received 0 One of the easiest ways to confirm that a switchport is indeed enabled for PortFast is to review the output of show spanning-tree.

Chapter 5: Troubleshooting STP and Layer 2 EtherChannel 185

Guard, the port will be disabled and placed in the err-disabled state. In addition, if you are tracking syslog messages, you will receive the following:

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/1 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

To verify which ports are in the err-disabled state, issue the command show interfaces status, as shown in Example 5-7. In this example, Fast Ethernet 0/1 is in the err-disabled state.

Example 5-7 show interfaces status Command Output

SW3#show interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        err-disabled 10         auto    auto  10/100BaseTX
Fa0/2                        connected    10         a-full  a-100 10/100BaseTX
Fa0/3                        notconnect   1          auto    auto  10/100BaseTX
Fa0/4                        notconnect   1          auto    auto  10/100BaseTX
Fa0/5                        notconnect   1          auto    auto  10/100BaseTX
Fa0/6                        notconnect   1          auto    auto  10/100BaseTX

Like PortFast, BPDU Guard can be enabled on an interface-by-interface basis with the spanning-tree bpduguard enable interface command or globally with the spanning-tree portfast bpduguard default global configuration command. The global command will only enable it on PortFast-enabled interfaces. You can verify whether BPDU Guard is enabled globally using the commands show spanning-tree summary and show spanning-tree interface interface_type interface_number detail, as depicted in Example 5-8.

Example 5-8 Verifying BPDU Guard Is Enabled Globally

SW3#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for:
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
...output omitted...

SW3#show spanning-tree interface fastethernet 0/1 detail

Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 2893.fe3a.e300
   Designated bridge has priority 32778, address 081f.f34e.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled by default
   BPDU: sent 11, received 0

You can verify if BPDU Guard has been enabled on an interface basis with the show spanning-tree interface interface_type interface_number detail command and the show run interface interface_type interface_number command, as shown in Example 5-9.

Example 5-9 Verifying BPDU Guard Is Enabled on an Interface

SW3#show spanning-tree interface fastethernet 0/1 detail
Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 2893.fe3a.e300
   Designated bridge has priority 32778, address 081f.f34e.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   BPDU: sent 4, received 0

SW3#show run interface fastethernet 0/1
Building configuration...

Current configuration : 140 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
end

To recover from the err-disabled state, remove the device that is sending the rogue BPDUs, and then manually disable and enable the err-disabled interface with the shutdown and then no shutdown commands. Or, you can set up an err-disable recovery feature that will attempt to automatically enable the interface at defined intervals. If the

rogue BPDUs are still detected, the interface will go back into the err-disabled state. If the rogue BPDUs are not detected anymore, the interface will automatically recover. To enable the err-disable recovery feature for BPDU Guard, use the errdisable recovery cause bpduguard global configuration command.

BPDU Filter

BPDU Filter is designed to suppress the sending and receiving of BPDUs on an interface. How you enable it determines the extent of BPDUs that will be suppressed:

■ If you enable it globally, with the spanning-tree portfast bpdufilter default command, BPDU Filter will be enabled on all PortFast-enabled interfaces and will suppress the sending of BPDUs out an interface. This would be for security reasons. For example, there is no need to send BPDUs out an interface that is connected to an end station or a router. Doing so allows the end station to collect the data in the BPDUs and potentially launch an attack against the STP topology. However, if a BPDU is received on an interface, it will process it normally and, if necessary, transition the interface through the normal STP states/processes.

■ If you enable BPDU Filter manually on an interface with the spanning-tree bpdufilter enable command, it suppresses the sending and receiving of BPDUs. This is not recommended because any received BPDUs are ignored and may result in a Layer 2 loop because the interface is automatically in the forwarding state.

You can verify whether BPDU Filter is enabled globally with the show spanning-tree summary command and the show spanning-tree interface interface_type interface_number detail command, as shown in Example 5-10. If it is enabled on an interface-by-interface basis, which is not recommended, you can verify BPDU Filter with the show spanning-tree interface interface_type interface_number detail command and the show run interface interface_type interface_number command, as shown in Example 5-11.

Example 5-10 Verifying BPDU Filter Is Enabled Globally

SW3#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for:
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is enabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short

SW3#show spanning-tree interface fastethernet 0/1 detail
Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding

   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 2893.fe3a.e300
   Designated bridge has priority 32778, address 081f.f34e.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is enabled by default
   BPDU: sent 11, received 0

Example 5-11 Verifying BPDU Filter Is Enabled on an Interface

SW3#show spanning-tree interface fastethernet 0/1
Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 2893.fe3a.e300
   Designated bridge has priority 32778, address 081f.f34e.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is enabled
   BPDU: sent 18, received 0

SW3#show run interface fastethernet 0/1
Building configuration...

Current configuration : 173 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end

If you are experiencing a Layer 2 loop in your topology, check whether BPDU Filter was enabled on an interface. If so, it would be suppressing the sending and receiving of BPDUs. As a result, a port within the topology is in the forwarding state, causing a Layer 2 loop, when it should be in the blocking state.

Root Guard

Root Guard is designed to protect the root bridge by ensuring that certain ports on non-root bridges are prevented from becoming root ports. If you recall, the root port on a switch points to the root bridge. If a rogue switch is introduced to the STP topology with a superior BID, it can become the root bridge, and root ports would change on all the other switches so that the new root ports point to the rogue root bridge. Root Guard stops this from happening by ignoring superior BPDUs that are received on the Root Guard-enabled ports and placing the port in the spanning-tree inconsistent state.

Because Root Guard is enabled on an interface-by-interface basis with the command spanning-tree guard root, the command show spanning-tree interface interface_type interface_number detail is used to verify its configuration, as shown in Example 5-12.

Example 5-12 Verifying That Root Guard Is Enabled on an Interface

SW3#show spanning-tree interface fastethernet 0/1
Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 2893.fe3a.e300
   Designated bridge has priority 32778, address 081f.f34e.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is enabled by default
   Root guard is enabled on the port
   BPDU: sent 18, received 0

In addition, when a port goes into the root inconsistent state you will receive a syslog message indicating so, as follows:

%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/1 on VLAN0010.

You can also verify which ports are inconsistent by issuing the show spanning-tree inconsistentports command, as shown in Example 5-13. Notice how Fast Ethernet 0/1 is in the root inconsistent state. This is a good indication that the interface is enabled for Root Guard and that it received a superior BPDU.

Example 5-13 Verifying Inconsistent Ports on a Switch

SW3#show spanning-tree inconsistent ports
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0010             FastEthernet0/1          Root Inconsistent

Number of inconsistent ports (segments) in the system : 1
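The BPDU Guard and Root Guard messages quoted above, together with the Loop Guard message the chapter quotes shortly, are what a syslog collector receives from the switch. The following Python script is an added example, not code from the book: it replays such lines and reports which ports are err-disabled, which are still root- or loop-inconsistent, and which have tripped BPDU Guard repeatedly. The hostname-prefixed line layout and the sample log are constructed for this example.

```python
"""Track STP guard events from Cisco IOS syslog lines (added example, not from the book).
Assumes a constructed "<hostname> <message>" line layout; message texts are the
ones the chapter quotes for BPDU Guard, Root Guard and Loop Guard."""
import re
from collections import defaultdict

# Port names stop at a comma because PM-4-ERR_DISABLE continues with ", putting ...".
PATTERNS = {
    "bpduguard_block": re.compile(
        r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>[^\s,]+) with BPDU Guard enabled"),
    "errdisable": re.compile(
        r"%PM-4-ERR_DISABLE: (?P<cause>\w+) error detected on (?P<port>[^\s,]+)"),
    "rootguard_block": re.compile(
        r"%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port (?P<port>[^\s,]+) on (?P<vlan>VLAN\d+)"),
    "rootguard_unblock": re.compile(
        r"%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port (?P<port>[^\s,]+) on (?P<vlan>VLAN\d+)"),
    "loopguard_block": re.compile(
        r"%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port (?P<port>[^\s,]+) on (?P<vlan>VLAN\d+)"),
}
LINK_UP = re.compile(r"%LINK-3-UPDOWN: Interface (?P<port>[^\s,]+), changed state to up")
SYSLOG_LINE = re.compile(r"^(?P<host>\S+)\s+(?P<msg>%.*)$")

# IOS abbreviates interface names differently between messages (Fa0/1 vs FastEthernet0/1).
_LONG_TO_SHORT = (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"),
                  ("FastEthernet", "Fa"), ("Port-channel", "Po"))

def normalize(port):
    for long_name, short in _LONG_TO_SHORT:
        if port.startswith(long_name):
            return short + port[len(long_name):]
    return port

def analyze(lines):
    """Replay syslog lines in order and return the guard state they leave behind."""
    state = {
        "err_disabled": {},                      # (host, port) -> cause
        "root_inconsistent": defaultdict(set),   # (host, port) -> {vlan}
        "loop_inconsistent": defaultdict(set),   # (host, port) -> {vlan}
        "bpduguard_hits": defaultdict(int),      # (host, port) -> times tripped
    }
    for raw in lines:
        m = SYSLOG_LINE.match(raw.strip())
        if not m:
            continue
        host, msg = m.group("host"), m.group("msg")
        for kind, pat in PATTERNS.items():
            hit = pat.search(msg)
            if not hit:
                continue
            key = (host, normalize(hit.group("port")))
            if kind == "bpduguard_block":
                state["bpduguard_hits"][key] += 1
            elif kind == "errdisable":
                state["err_disabled"][key] = hit.group("cause")
            elif kind == "rootguard_block":
                state["root_inconsistent"][key].add(hit.group("vlan"))
            elif kind == "rootguard_unblock":
                # Root Guard recovers by itself once the superior BPDUs stop.
                vlans = state["root_inconsistent"][key]
                vlans.discard(hit.group("vlan"))
                if not vlans:
                    del state["root_inconsistent"][key]
            elif kind == "loopguard_block":
                state["loop_inconsistent"][key].add(hit.group("vlan"))
        up = LINK_UP.search(msg)
        if up:
            # An err-disabled port coming back up was cleared by shutdown/no shutdown
            # or re-enabled by errdisable recovery.
            state["err_disabled"].pop((host, normalize(up.group("port"))), None)
    return state

def findings(state, flap_threshold=3):
    """Turn the replayed state into operator-facing findings."""
    out = []
    for (host, port), cause in sorted(state["err_disabled"].items()):
        out.append(f"{host} {port}: err-disabled ({cause}); clear manually or via errdisable recovery")
    for (host, port), vlans in sorted(state["root_inconsistent"].items()):
        out.append(f"{host} {port}: root-inconsistent on {', '.join(sorted(vlans))}; superior BPDU source still attached")
    for (host, port), vlans in sorted(state["loop_inconsistent"].items()):
        out.append(f"{host} {port}: loop-inconsistent on {', '.join(sorted(vlans))}; upstream stopped sending BPDUs")
    for (host, port), n in sorted(state["bpduguard_hits"].items()):
        if n >= flap_threshold:
            out.append(f"{host} {port}: BPDU Guard tripped {n} times; rogue BPDU source persists across recoveries")
    return out

# Constructed sample log built from the message texts quoted in the chapter.
SAMPLE_LOG = """\
SW3 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/1 with BPDU Guard enabled. Disabling port.
SW3 %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
SW3 %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
SW3 %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/2 on VLAN0010.
SW3 %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/2 on VLAN0010.
SW3 %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/2 on VLAN0010.
"""

if __name__ == "__main__":
    for line in findings(analyze(SAMPLE_LOG.splitlines())):
        print(line)
```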

When a switchport is in the inconsistent state, no manual intervention is required to recover the port from the inconsistent state. All you need to do is remove the device that is sending the superior BPDUs to that switchport from the network, and once the switchport no longer hears the superior BPDUs, the port is automatically taken out of the inconsistent state.

Loop Guard

Loop Guard is a feature designed to provide additional protection against Layer 2 loops. By default, if a nondesignated port ceases to receive BPDUs, it will transition to the forwarding state once the max age timer expires. This is all because the BPDUs are no longer arriving on the interface. However, what if the switch was not receiving the BPDUs because the switch that was sending the BPDUs had a software failure preventing it from sending BPDUs? That switch would still be able to send and receive data on the interface, as well. This would produce a loop because the nondesignated port is now sending and receiving data instead of blocking it. Loop Guard ensures that the nondesignated port does not erroneously transition to the forwarding state. Instead, it places it in the loop-inconsistent blocking state and generates the following syslog message:

%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/2 on VLAN0010.

To verify which ports are in the loop-inconsistent state, issue the command show spanning-tree inconsistent ports, as shown in Example 5-14.

Example 5-14 Verifying Loop-Inconsistent Ports on a Switch

SW3#show spanning-tree inconsistent ports
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0010             GigabitEthernet0/2       Loop Inconsistent

Number of inconsistent ports (segments) in the system : 1

STP Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 5-6.

Figure 5-6 STP Trouble Ticket Topology (figure not reproduced): CORE sits above SW1 and SW2. SW1 (MAC address AAAA.AAAA.AAAA, priority 32768) is the root bridge for VLAN 10 and SW2 (MAC address BBBB.BBBB.BBBB, priority 32768) is a non-root bridge for VLAN 10; SW1 and SW2 are linked on Gi1/0/5 and Gi1/0/6. SW1 Gi1/0/1 connects to SW3 Gi0/1 and SW2 Gi1/0/2 connects to SW3 Gi0/2. SW3 (MAC address CCCC.CCCC.CCCC, priority 32768) is a non-root brid ge for VLAN 10 and connects PC1 on Fa0/1 in VLAN 10, subnet 10.1.10.0/24.

Trouble Ticket 5-1

Problem: Based on traffic analyzers, all traffic from the end stations in VLAN 10 destined to the core is flowing through SW2 when it should be flowing through SW1.

According to the topology, SW1 should be the root bridge for VLAN 10. Therefore, all traffic for VLAN 10 should be flowing through SW1 under normal conditions. With this in mind, check the placement of the root bridge using the show spanning-tree vlan 10 command on SW1, as shown in Example 5-15. Notice that SW1 is not the root bridge for VLAN 10. According to the root ID section of the output, the switch with the MAC address bbbb.bbbb.bbbb is the root bridge.

Example 5-15 show spanning-tree vlan 10 Command Output for SW1

SW1#show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     bbbb.bbbb.bbbb
             Cost        4
             Port        5 (GigabitEthernet1/0/5)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     aaaa.aaaa.aaaa

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/5             Root FWD 4         128.5    P2p
Gi1/0/6             Altn BLK 4         128.6    P2p

Next you should check which switch is the root bridge. Figure 5-6 shows that bbbb.bbbb.bbbb is the MAC of SW2. However, without the diagram, how would you figure out who the root bridge is? You would follow the path. According to the output in Example 5-15, the port on SW1 to get to the root bridge is Gigabit Ethernet 1/0/5; you can confirm that this is the root port. Therefore, using the show cdp neighbors command, as shown in Example 5-16, you can confirm that SW2 is directly connected to SW1 on port Gi1/0/5.

Example 5-16 show cdp neighbors Command Output on SW1

SW1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW2              Gig 1/0/6         138              S I   WS-C3750E Gig 1/0/6
SW2              Gig 1/0/5         138              S I   WS-C3750E Gig 1/0/5
SW3              Gig 1/0/1         141              S I   WS-C2960  Gig 0/1

You should now verify if SW2 is the root bridge for VLAN 10 using the output of show spanning-tree vlan 10, as shown in Example 5-17. The output shows that SW2 is the root bridge for VLAN 10. It explicitly states This bridge is the root. At the bottom of the output, notice that all the ports are designated ports.

Example 5-17 show spanning-tree vlan 10 Command Output for SW2

SW2#show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     bbbb.bbbb.bbbb
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    10     (priority 0 sys-id-ext 10)
             Address     bbbb.bbbb.bbbb
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/2             Desg FWD 4         128.2    P2p
Gi1/0/5             Desg FWD 4         128.5    P2p
Gi1/0/6             Desg FWD 4         128.6    P2p

Upon further analysis of Example 5-17, you will notice that the priority of SW2 is 0 plus the extended system ID (which is the VLAN number), for a total value of 10, which is lower than the priority of SW1, which is 32768 plus 10 (32778), as shown in Example 5-15. It appears that the priority of SW2 was manually lowered. Using the command show run | section spanning-tree indicates that the command spanning-tree vlan 10 priority 0 was executed on SW2, as shown in Example 5-18.

Example 5-18 show run Command Output for SW2

SW2#show run | section spanning-tree
...output omitted...
spanning-tree vlan 10 priority 0
...output omitted...

To solve this issue, we would need to remove this command by executing the no spanning-tree vlan 10 priority 0 command. Once done, we can verify that SW1 is now the root bridge for VLAN 10 with the show spanning-tree vlan 10 command, as shown in Example 5-19.

Example 5-19 show spanning-tree vlan 10 Command Output for SW1

SW1#show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     aaaa.aaaa.aaaa
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     aaaa.aaaa.aaaa
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/5             Desg FWD 4         128.5    P2p
Gi1/0/6             Desg FWD 4         128.6    P2p
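The election in Trouble Ticket 5-1 comes down to comparing bridge IDs (priority plus sys-id-ext, then MAC) and then choosing each non-root switch's root port by root path cost. The following Python model is an added example, not the book's code: it encodes the Figure 5-6 topology for VLAN 10 (switch names, MAC addresses and port numbers as shown in Examples 5-15 through 5-19, every link cost 4 by default) and reproduces the election both before and after spanning-tree vlan 10 priority 0 on SW2; it also goes beyond the ticket by computing each switch's root port with the standard STP tie-breakers.

```python
"""STP root bridge election and root port selection for the Figure 5-6 topology.
Added example, not the book's code; the topology dictionary is constructed from the
chapter's figure and examples."""
import heapq
from copy import deepcopy

def bridge_id(switch, vlan):
    """Bridge ID as STP compares it: priority + sys-id-ext (the VLAN), then MAC."""
    return (switch["priority"] + vlan, switch["mac"].lower())

# Constructed model of Figure 5-6 for VLAN 10. Each port: (port number, port cost, peer).
FIGURE_5_6 = {
    "SW1": {"priority": 32768, "mac": "aaaa.aaaa.aaaa", "ports": {
        "Gi1/0/1": (1, 4, ("SW3", "Gi0/1")),
        "Gi1/0/5": (5, 4, ("SW2", "Gi1/0/5")),
        "Gi1/0/6": (6, 4, ("SW2", "Gi1/0/6"))}},
    "SW2": {"priority": 32768, "mac": "bbbb.bbbb.bbbb", "ports": {
        "Gi1/0/2": (2, 4, ("SW3", "Gi0/2")),
        "Gi1/0/5": (5, 4, ("SW1", "Gi1/0/5")),
        "Gi1/0/6": (6, 4, ("SW1", "Gi1/0/6"))}},
    "SW3": {"priority": 32768, "mac": "cccc.cccc.cccc", "ports": {
        "Gi0/1": (1, 4, ("SW1", "Gi1/0/1")),
        "Gi0/2": (2, 4, ("SW2", "Gi1/0/2"))}},
}

def elect_root(topology, vlan):
    """The switch with the numerically lowest bridge ID becomes the root."""
    return min(topology, key=lambda name: bridge_id(topology[name], vlan))

def root_ports(topology, vlan):
    """Return {switch: (root path cost, root port)}; the root maps to (0, None).
    Tie-breakers follow STP: lowest root path cost, then lowest sender bridge ID,
    then lowest sender port number, then lowest local port number."""
    root = elect_root(topology, vlan)
    best = {}
    # heap entry: (cost, sender BID, sender port no., local port no., switch, local port)
    heap = [(0, (0, ""), 0, 0, root, "")]
    while heap:
        cost, _sbid, _sport, _lport, name, port = heapq.heappop(heap)
        if name in best:
            continue
        best[name] = (cost, port or None)
        for pname, (pnum, _pcost, (peer, peer_port)) in topology[name]["ports"].items():
            if peer in best:
                continue
            peer_num, peer_cost, _ = topology[peer]["ports"][peer_port]
            # The receiving switch adds the cost of the port the BPDU arrives on.
            heapq.heappush(heap, (cost + peer_cost, bridge_id(topology[name], vlan),
                                  pnum, peer_num, peer, peer_port))
    return best

def scenario_tt_5_1():
    """Trouble Ticket 5-1: spanning-tree vlan 10 priority 0 was configured on SW2."""
    topo = deepcopy(FIGURE_5_6)
    topo["SW2"]["priority"] = 0
    return elect_root(topo, 10), root_ports(topo, 10)

def scenario_tt_5_2():
    """Trouble Ticket 5-2: spanning-tree vlan 10 cost 10 was configured on SW3 Gi0/1."""
    topo = deepcopy(FIGURE_5_6)
    num, _, peer = topo["SW3"]["ports"]["Gi0/1"]
    topo["SW3"]["ports"]["Gi0/1"] = (num, 10, peer)
    return elect_root(topo, 10), root_ports(topo, 10)

if __name__ == "__main__":
    print("default   :", elect_root(FIGURE_5_6, 10), root_ports(FIGURE_5_6, 10))
    print("TT 5-1    :", *scenario_tt_5_1())
    print("TT 5-2    :", *scenario_tt_5_2())
```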

Trouble Ticket 5-2

Problem: Based on traffic analyzers, all traffic from the end stations in VLAN 10 destined to the core is flowing through SW2 when it should be flowing through SW1.

According to the topology, SW1 should be the root bridge for VLAN 10. Therefore, all traffic for VLAN 10 should be flowing through SW1 under normal conditions. With this in mind, check the placement of the root bridge using the show spanning-tree vlan 10 command on SW1, as shown in Example 5-20. Notice that SW1 is the root bridge for VLAN 10.

Example 5-20 show spanning-tree vlan 10 Command Output for SW1

SW1#show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     aaaa.aaaa.aaaa
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     aaaa.aaaa.aaaa
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/5             Desg FWD 4         128.5    P2p
Gi1/0/6             Desg FWD 4         128.6    P2p

We have confirmed that SW1 is the root bridge and this matches our diagram in Figure 5-6. If Figure 5-6 has been kept up to date, we can trust the information displayed. According to Figure 5-6, we have a Gigabit Ethernet link between SW3 and SW1 as well as SW3 and SW2. These links should have a cost of 4 by default. Reviewing the output of show spanning-tree vlan 10 on SW3, as shown in Example 5-21, we can see that to reach the root bridge the total cost is 8 using Gigabit Ethernet 0/2. If we look at Gig0/1, it is currently an alternate port in the blocking state with a cost of 10. This cost of 10 is larger than the total cost of 8 using Gig0/2. It appears that the cost of interface Gig0/1 has been modified.

Example 5-21 show spanning-tree vlan 10 Command Output for SW3

SW3#show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778

             Address     aaaa.aaaa.aaaa
             Cost        8
             Port        2 (GigabitEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     cccc.cccc.cccc
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Altn BLK 10        128.1    P2p
Gi0/2               Root FWD 4         128.2    P2p

The output of show run interface gig 0/1 confirms that the cost was modified with the spanning-tree vlan 10 cost 10 command, as shown in Example 5-22.

Example 5-22 show run interface gig 0/1 Command Output for SW3

SW3#show run interface gig 0/1
...output omitted...
 spanning-tree vlan 10 cost 10
...output omitted...

To solve this issue, we need to execute the no spanning-tree vlan 10 cost 10 command in interface configuration mode. After we remove the command, we can verify that SW3 is using Gi0/1 as the root port and that it has a cost of 4 by issuing the show spanning-tree vlan 10 command shown in Example 5-23.

Example 5-23 show spanning-tree vlan 10 Command Output for SW3

SW3#show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     aaaa.aaaa.aaaa
             Cost        4
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     cccc.cccc.cccc
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.1    P2p
Gi0/2               Altn BLK 4         128.2    P2p

Trouble Ticket 5-3

Problem: It is Tuesday morning, and a user has indicated that he cannot connect to the network. He also indicates that he had no issues on Monday when he left work at 5:45 p.m.

You attempt to ping from the user's PC to the Internet, but it fails. You attempt to ping from the user's PC to its default gateway, but it fails. Your next task is to make sure that the PC is receiving an IP address from the Dynamic Host Configuration Protocol (DHCP) server in the network. Issuing the command ipconfig /all on the PC as depicted in Example 5-24 indicates that an Automatic Private IP Addressing (APIPA) address (169.254.x.x/16) is being used by the PC. Therefore, they are not able to contact a DHCP server. Also note the MAC address of PC1 at this point, as it will be useful later.

Example 5-24 ipconfig Output for PC

PC1>ipconfig /all

Windows Ip Configuration
<Output Omitted>

Ethernet adapter Local Area Connection:
<Output Omitted>
   Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
   Dhcp enabled. . . . . . . . . . . : Yes
   Autoconfiguration enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::444c:23b1:6e1e:de0c%16
   Autoconfiguration IP Address. . . : 169.254.180.166
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
<Output Omitted>

Issuing the command show mac address-table dynamic on SW3 will indicate whether SW3 is receiving any frames from PC1. Example 5-25 is displaying the MAC address table of SW3, and there is no entry in the table with PC1's MAC address. Therefore, something appears to be wrong at Layer 1 or Layer 2 of the OSI model.

Example 5-25 show mac address-table dynamic Output for SW3

SW3#show mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0800.275d.1234    DYNAMIC     Gi0/1
  10    0800.275d.ac47    DYNAMIC     Fa0/4
  10    0800.275d.b3dd    DYNAMIC     Fa0/3

  10    0800.275d.ce47    DYNAMIC     Fa0/2
  10    0800.275d.ed13    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 6

You verify physical connectivity and everything is perfect. However, you notice that the LED of the switchport PC1 is connected to is amber rather than green. No other users at this point have indicated that they are experiencing issues. According to Figure 5-6, PC1 should be in VLAN 10. Issuing the command show vlan brief will confirm this for us. Example 5-26 shows that interface Fa0/1, which is connected to PC1, is in VLAN 10. In addition, the output of show interfaces status | include Fa0/1, as shown in Example 5-27, does not indicate that anything is wrong.

Example 5-26 show vlan brief Output for SW3

SW3#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
10   10.1.10.0/24                     active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
20   10.1.20.0/24                     active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

Example 5-27 show interfaces status | include Fa0/1 Output for SW3

SW3#show interfaces status | include Fa0/1
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    10         a-full  a-100 10/100BaseTX

You decide to check the SW3 logs on your syslog server and notice the following entry:

%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/1 on VLAN0010.

It appears that BPDUs are being received by Fast Ethernet 0/1 from PC1, confirming that something is not right. Issuing the command show spanning-tree inconsistentports on SW3 confirms that Fast Ethernet 0/1 is in the root-inconsistent state, as shown in Example 5-28.

Example 5-28 show spanning-tree inconsistentports Output for SW3

SW3#show spanning-tree inconsistentports
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0010             FastEthernet0/1          Root Inconsistent

Number of inconsistent ports (segments) in the system : 1

Upon further examination, an application was installed on PC1 after hours that mimics a switch and sends BPDUs. Further investigation will be needed to determine whether this was malicious or by accident, beyond the scope of this book. To solve this issue, we remove the offending application from PC1, and the switch will recover the port automatically, as shown in Example 5-29.

Example 5-29 SW3 show spanning-tree inconsistentports Output After Application Removed from PC1

SW3#
%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/1 on VLAN0010.
SW3#show spanning-tree inconsistentports
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------

Number of inconsistent ports (segments) in the system : 0

The output of ipconfig on PC1 in Example 5-30 verifies it has an IP address and a ping to 10.1.10.1, PC1's default gateway, is successful.

Example 5-30 ipconfig and ping Output for PC After Issue Solved

PC1>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : domain.local
   Link-local IPv6 Address . . . . . : fe80::444c:23b1:6e1e:de0c%16
   IPv4 Address. . . . . . . . . . . : 10.1.10.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.10.1

PC1>ping 10.1.10.1

Pinging 10.1.10.1 with 32 bytes of data:
Reply from 10.1.10.1: bytes=32 time=1ms TTL=255
Reply from 10.1.10.1: bytes=32 time=3ms TTL=255
Reply from 10.1.10.1: bytes=32 time<1ms TTL=255
Reply from 10.1.10.1: bytes=32 time=1ms TTL=255

Ping statistics for 10.1.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 3ms, Average = 1ms

Troubleshooting Layer 2 EtherChannel

An exception to STP operation can be made if two switches are interconnected via multiple physical links and those links are configured as an EtherChannel. An EtherChannel logically combines the bandwidth of multiple physical interfaces into a logical connection between switches. Specifically, STP treats the logical bundle (known as a port channel) as a single port for STP calculation purposes, as illustrated in Figure 5-7. Figure 5-7 shows four Gigabit Ethernet links logically bonded into a single EtherChannel link.

Figure 5-7 Layer 2 EtherChannel (figure not reproduced): SW1 and SW2 are connected by Gig 0/1-4 on each side, bundled into a single EtherChannel.

This section reviews what is necessary to successfully form a Layer 2 EtherChannel bundle and the EtherChannel mode combinations that will successfully form the bundle.

Reviewing Layer 2 EtherChannel

When multiple ports are combined into a logical EtherChannel, the following are common troubleshooting targets to consider when troubleshooting an EtherChannel issue:

■ Mismatched port configurations: The configurations of all ports making up an EtherChannel, on both switches, should be identical. Specifically, all ports should have the same speed, duplex, trunk mode, native VLAN configurations, allowed VLAN configurations, and port type (Layer 2 or Layer 3).

■ Mismatched EtherChannel configuration: Both switches forming the EtherChannel should be configured with compatible modes. There are three options: Link Aggregation Control Protocol (LACP), Port Aggregation Protocol (PAgP), and ON. These modes are not compatible with each other. In addition, when using LACP or PAgP, you have to make sure that the modes within the protocol can successfully form the bundle with each other. Table 5-4 identifies which modes can be configured on each switch to successfully form an EtherChannel bundle.

■ Inappropriate EtherChannel distribution algorithm: EtherChannel determines which physical link to use to transmit frames based on a hash calculation. The hashing approach selected should distribute the load fairly evenly across all physical links. For example, a hash calculation might be based only on the destination MAC

address of a frame. If the frames are destined for only a few different MAC addresses, the load distribution could be uneven. To verify the load-balancing algorithm in use, issue the show etherchannel load-balance command.

Table 5-4 EtherChannel Modes That Will Successfully Form a Bundle

                                       SW1 MODE
SW2 MODE            PAgP Desirable   PAgP Auto   LACP Active   LACP Passive   ON
PAgP Desirable      Yes              Yes         No            No             No
PAgP Auto           Yes              No          No            No             No
LACP Active         No               No          Yes           Yes            No
LACP Passive        No               No          Yes           No             No
ON                  No               No          No            No             Yes

EtherChannel Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 5-8.

Figure 5-8 Layer 2 EtherChannel Trouble Ticket Topology (figure not reproduced): SW1 and SW2 are linked on Gi1/0/5 and Gi1/0/6; SW1 Gi1/0/1 connects to SW3 Gi0/1 and SW2 Gi1/0/2 connects to SW3 Gi0/2.
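The troubleshooting targets listed above and Table 5-4 together describe a pre-check that can be run against the member-port configurations before a bundle is expected to form. The following Python code is an added example, not the book's code: modes_compatible encodes Table 5-4, and check_bundle flags both member ports that differ within a switch and mode or attribute mismatches between the two switches. The port dictionaries and interface names are constructed for the example (interface names follow Figure 5-8).

```python
"""EtherChannel pre-checks derived from the chapter's troubleshooting targets and Table 5-4.
Added example, not the book's code; the port configurations below are constructed."""

PAGP = {"desirable", "auto"}
LACP = {"active", "passive"}

def modes_compatible(a, b):
    """True when two channel-group modes form a bundle according to Table 5-4."""
    a, b = a.lower(), b.lower()
    if a == "on" or b == "on":
        return a == b                    # ON only bundles with ON
    if a in PAGP and b in PAGP:
        return "desirable" in (a, b)     # auto/auto never negotiates
    if a in LACP and b in LACP:
        return "active" in (a, b)        # passive/passive never negotiates
    return False                         # PAgP and LACP do not mix

# Attributes the chapter says must be identical on every member port.
MEMBER_ATTRS = ("speed", "duplex", "switchport_mode", "native_vlan",
                "allowed_vlans", "port_type")

def check_bundle(switch_a, switch_b):
    """switch_x = {"name": str, "ports": {ifname: {attr: value, "channel_mode": str}}}.
    Returns a list of findings; an empty list means the bundle should form."""
    findings = []
    # 1. Members within one switch must match each other (including channel mode).
    for sw in (switch_a, switch_b):
        ports = sw["ports"]
        ref_name, ref = next(iter(ports.items()))
        for name, cfg in ports.items():
            for attr in MEMBER_ATTRS + ("channel_mode",):
                if cfg.get(attr) != ref.get(attr):
                    findings.append(f"{sw['name']}: {name} {attr}={cfg.get(attr)!r} "
                                    f"differs from {ref_name} {attr}={ref.get(attr)!r}")
    # 2. Across switches: the negotiated modes must be a "Yes" cell in Table 5-4 ...
    a_cfg = next(iter(switch_a["ports"].values()))
    b_cfg = next(iter(switch_b["ports"].values()))
    if not modes_compatible(a_cfg["channel_mode"], b_cfg["channel_mode"]):
        findings.append(f"{switch_a['name']} mode {a_cfg['channel_mode']} and "
                        f"{switch_b['name']} mode {b_cfg['channel_mode']} "
                        "will not form a bundle (Table 5-4)")
    # 3. ... and the port attributes must agree on both ends.
    for attr in MEMBER_ATTRS:
        if a_cfg.get(attr) != b_cfg.get(attr):
            findings.append(f"{attr} differs between switches: "
                            f"{a_cfg.get(attr)!r} vs {b_cfg.get(attr)!r}")
    return findings

def port(channel_mode, switchport_mode="trunk", speed="1000", duplex="full",
         native_vlan=1, allowed_vlans="all", port_type="L2"):
    """Build a constructed member-port configuration."""
    return dict(channel_mode=channel_mode, switchport_mode=switchport_mode,
                speed=speed, duplex=duplex, native_vlan=native_vlan,
                allowed_vlans=allowed_vlans, port_type=port_type)

# Constructed: one SW1 member left in access mode while the other is a trunk.
SW1_MIXED = {"name": "SW1", "ports": {"Gi1/0/5": port("active", switchport_mode="access"),
                                      "Gi1/0/6": port("active")}}
SW1_FIXED = {"name": "SW1", "ports": {"Gi1/0/5": port("active"), "Gi1/0/6": port("active")}}
SW2_LACP_PASSIVE = {"name": "SW2", "ports": {"Gi1/0/5": port("passive"),
                                             "Gi1/0/6": port("passive")}}
# Constructed: SW1 running PAgP desirable against SW2 running LACP active.
SW1_PAGP = {"name": "SW1", "ports": {"Gi1/0/5": port("desirable"), "Gi1/0/6": port("desirable")}}
SW2_LACP_ACTIVE = {"name": "SW2", "ports": {"Gi1/0/5": port("active"), "Gi1/0/6": port("active")}}

if __name__ == "__main__":
    for a, b in ((SW1_MIXED, SW2_LACP_PASSIVE), (SW1_PAGP, SW2_LACP_ACTIVE),
                 (SW1_FIXED, SW2_LACP_PASSIVE)):
        print(f"{a['name']} <-> {b['name']}:", check_bundle(a, b) or ["bundle should form"])
```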

Layer3 S .Layer3 S .waiting to be aggregated d .Hot-standby (LACP only) R .suspended H . the ports are either standalone or suspended.bundled in port-channel I . Example 5-31 show etherchannel summary Output for SW1 and SW2 SW1#show etherchannel summary Flags: D .unsuitable for bundling w .default port Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------- 1 Po1(SD) LACP Gi1/0/5(I) Gi1/0/6(s) SW2#show etherchannel summary Flags: D .failed to allocate aggregator M .stand-alone s . and the port channel is down. Notice that both switches are using LACP as their protocol. Chapter 5: Troubleshooting STP and Layer 2 EtherChannel 201 Trouble Ticket 5-4 Problem: A junior network administrator has approached you indicating that the EtherChannel bundle she is trying to form between SW1 and SW2 is not forming.down P .bundled in port-channel I . You start by reviewing the output of show etherchannel summary for SW1 and SW2. as shown in Example 5-31.waiting to be aggregated d .not in use. however. This is a good indication that there is a conflict with the port configurations.in use f . minimum links not met u .failed to allocate aggregator M .in use f .unsuitable for bundling w .stand-alone s .suspended H . You need to solve this issue for her.Layer2 U .down P .Layer2 U .Hot-standby (LACP only) R . minimum links not met u .not in use.default port Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------- 1 Po1(SD) LACP Gi1/0/5(I) Gi1/0/6(I) From the Library of Outcast Outcast .

To verify the port configuration you issue the show run interface gigabitethernet 1/0/5 and show run interface gigabitethernet 1/0/6 commands on SW1 and SW2, as shown in Example 5-32. If you look closely, you will notice that the switchport modes do not match on the SW1 interfaces that are part of the EtherChannel bundle. To form the bundle, they have to match.

Example 5-32 show run interface gigabitethernet Output for SW1 and SW2

SW1#show run interface gigabitethernet 1/0/5
Building configuration...

Current configuration : 189 bytes
!
interface GigabitEthernet1/0/5
 switchport trunk encapsulation isl
 switchport mode access
 switchport nonegotiate
 channel-group 1 mode active
end

SW1#show run interface gigabitethernet 1/0/6
Building configuration...

Current configuration : 189 bytes
!
interface GigabitEthernet1/0/6
 switchport trunk encapsulation isl
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
end

SW2#show run interface gigabitethernet 1/0/5
Building configuration...

Current configuration : 151 bytes
!
interface GigabitEthernet1/0/5
 switchport trunk encapsulation isl
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode passive
end

SW2#show run interface gigabitethernet 1/0/6
Building configuration...

Current configuration : 151 bytes
!
interface GigabitEthernet1/0/6
 switchport trunk encapsulation isl
 switchport mode trunk

 switchport nonegotiate
 channel-group 1 mode passive
end

Once you change the switchport mode on SW1 Gigabit Ethernet 1/0/5 with the switchport
mode trunk command, the EtherChannel bundle should now be successfully formed. In
addition, the port channel interface should come up, as shown with the following
logging messages:

%LINK-3-UPDOWN: Interface Port-channel1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up

Reviewing the output of show etherchannel summary on SW1 and SW2 indicates that the
ports are successfully bundled with the (P) flags and that the port channel is in use
with the (U) flag, as shown in Example 5-33.

Example 5-33 show etherchannel summary Output for SW1 and SW2 After Problem Solved
SW1#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(SU)         LACP      Gi1/0/5(P)  Gi1/0/6(P)

SW2#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

However. You need to solve this issue for him.stand-alone s .Hot-standby (LACP only) R . as shown in Example 5-34.down P . it is down/down.Layer2 U . You start by checking whether the port channel is up on SW1 and SW2.Layer3 S . if you look closer. to solve this issue.bundled in port-channel I . These EtherChannel protocols are not compatible.waiting to be aggregated d . Example 5-34 show ip interface brief | include Port Output for SW1 and SW2 SW1#show ip interface brief | include Port Port-channel1 unassigned YES unset down down SW2#show ip interface brief | include Port Port-channel1 unassigned YES unset down down Next you check the status of the EtherChannel bundle with the show etherchannel sum- mary command. Notice that the port channel is down and that all interfaces are standalone.204 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------- 1 Po1(SU) LACP Gi1/0/5(P) Gi1/0/6(P) Trouble Ticket 5-5 Problem: A junior network administrator has approached you indicating that the EtherChannel bundle he is trying to form between SW1 and SW2 is not forming. minimum links not met u . SW1 is using PAgP. you will need to verify your documentation to determine which protocol should be used between SW1 and SW2 and make the appropriate adjust- ments. you will see the issue. Therefore. as shown in Example 5-35. According to the output.suspended H .in use f .default port Number of channel-groups in use: 1 Number of aggregators: 1 From the Library of Outcast Outcast .not in use.unsuitable for bundling w . and SW2 is using LACP.failed to allocate aggregator M . Example 5-35 show etherchannel summary Output for SW1 and SW2 SW1#show etherchannel summary Flags: D .

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(SD)         PAgP      Gi1/0/5(I)  Gi1/0/6(I)

SW2#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(I)
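Trouble Tickets 5-4 and 5-5 are both solved by reading two outputs side by side.
The following script is an added example, not code from the book, that makes the
same comparison from captured output: it parses show etherchannel summary and show
run interface from both switches, then flags a port channel that is down, member
ports that are not bundled, a PAgP versus LACP mismatch, member ports whose
switchport mode or trunk encapsulation differ from each other, and channel-mode
combinations that cannot negotiate (only active/active, active/passive,
desirable/desirable, desirable/auto and on/on form a bundle). The captures are
constructed to match Examples 5-31, 5-32 and 5-35; the channel modes used for Ticket
5-5 (desirable on SW1, active on SW2) are an assumption, since the book does not show
that configuration, and every function and variable name is this example's own.

```python
"""Added example, not from the book: automate the checks Trouble Tickets 5-4 and
5-5 make by eye. Parses 'show etherchannel summary' and 'show run interface' from
both ends of a link and reports why the bundle is not forming. Captures are
constructed after Examples 5-31, 5-32 and 5-35; Ticket 5-5's channel modes are
assumed, and every function and variable name here is this example's own."""
import re

# Channel-mode combinations that form a bundle (the book's Table 5-4).
COMPATIBLE = {frozenset(["active"]), frozenset(["active", "passive"]),     # LACP
              frozenset(["desirable"]), frozenset(["desirable", "auto"]),  # PAgP
              frozenset(["on"])}                                           # static
GROUP_RE = re.compile(r"^\s*(\d+)\s+Po\d+\((\w+)\)\s+(\S+)\s+(.*)$")
PORT_RE = re.compile(r"([\w/]+)\((\w)\)")     # Gi1/0/5(I) -> ('Gi1/0/5', 'I')
MEMBER_RES = (("mode", r"switchport mode (\S+)"),
              ("encap", r"switchport trunk encapsulation (\S+)"),
              ("group", r"channel-group (\d+) mode"),
              ("chan_mode", r"channel-group \d+ mode (\S+)"))


def parse_summary(text):
    """Map channel-group number -> Po flags, protocol and per-port flag letters."""
    groups = {}
    for m in filter(None, map(GROUP_RE.match, text.splitlines())):
        gid, flags, proto, ports = m.groups()
        groups[int(gid)] = {"flags": flags, "protocol": proto,
                            "ports": dict(PORT_RE.findall(ports))}
    return groups


def parse_members(text):
    """Map interface name -> switchport mode, encapsulation, channel-group and mode."""
    members, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("interface "):
            cur = members.setdefault(line.split()[1], {})
        elif cur is not None:
            for key, pat in MEMBER_RES:
                m = re.match(pat, line)
                if m:
                    cur[key] = m.group(1)
    return members


def diagnose(group, summaries, configs):
    """summaries/configs map switch name -> captured text; returns findings."""
    findings = []
    parsed = {sw: parse_summary(t).get(group) for sw, t in summaries.items()}
    for sw, g in parsed.items():
        if g is None:
            findings.append(f"{sw}: channel-group {group} not present")
            continue
        if "D" in g["flags"]:
            findings.append(f"{sw}: Po{group} is down (flags {g['flags']})")
        findings += [f"{sw}: {p} not bundled (flag {f})" for p, f in g["ports"].items() if f != "P"]
    sides = [(sw, g["protocol"]) for sw, g in parsed.items() if g]
    if len({p for _, p in sides}) > 1:
        findings.append("protocol mismatch: " + " vs ".join(f"{sw} {p}" for sw, p in sides))
    modes = set()
    for sw, text in configs.items():
        members = {n: c for n, c in parse_members(text).items() if c.get("group") == str(group)}
        for key in ("mode", "encap"):  # member ports must be configured alike
            if len({c.get(key) for c in members.values()}) > 1:
                findings.append(f"{sw}: member {key} differs: " + ", ".join(
                    f"{n}={c.get(key)}" for n, c in members.items()))
        modes |= {c.get("chan_mode") for c in members.values()}
    if modes and frozenset(modes) not in COMPATIBLE:
        findings.append(f"channel modes {sorted(modes)} will not form a bundle")
    return findings


def member(name, mode, chan_mode):
    """Constructed 'show run interface' block for one member port."""
    return (f"interface {name}\n switchport trunk encapsulation isl\n switchport mode "
            f"{mode}\n switchport nonegotiate\n channel-group 1 mode {chan_mode}\nend\n")


HEADER = ("Flags:  D - down        P - bundled in port-channel\n"
          "        I - stand-alone s - suspended\n\n"
          "Group  Port-channel  Protocol    Ports\n"
          "------+-------------+-----------+------------------------------\n")
# Ticket 5-4: LACP on both sides, but SW1's members disagree on switchport mode.
TT54 = dict(
    summaries={"SW1": HEADER + "1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(s)\n",
               "SW2": HEADER + "1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(I)\n"},
    configs={"SW1": member("GigabitEthernet1/0/5", "access", "active")
                    + member("GigabitEthernet1/0/6", "trunk", "active"),
             "SW2": member("GigabitEthernet1/0/5", "trunk", "passive")
                    + member("GigabitEthernet1/0/6", "trunk", "passive")})
# Ticket 5-5: SW1 runs PAgP and SW2 runs LACP (desirable/active modes are assumed).
TT55 = dict(
    summaries={"SW1": HEADER + "1      Po1(SD)         PAgP      Gi1/0/5(I)  Gi1/0/6(I)\n",
               "SW2": HEADER + "1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(I)\n"},
    configs={"SW1": member("GigabitEthernet1/0/5", "trunk", "desirable")
                    + member("GigabitEthernet1/0/6", "trunk", "desirable"),
             "SW2": member("GigabitEthernet1/0/5", "trunk", "active")
                    + member("GigabitEthernet1/0/6", "trunk", "active")})

if __name__ == "__main__":
    for name, case in (("Trouble Ticket 5-4", TT54), ("Trouble Ticket 5-5", TT55)):
        print(name, *("  - " + f for f in diagnose(1, **case)), sep="\n")
```

Run directly, the script prints the findings for both tickets: for Ticket 5-4 the
unbundled ports and SW1's access/trunk mismatch, for Ticket 5-5 the PAgP/LACP
mismatch and the desirable/active mode pair. In practice the captures would be
pulled from the switches by whatever tool runs the two show commands and passed
into diagnose() unchanged; the member-port comparison is the part worth keeping,
because a single misconfigured member silently suspends the whole bundle.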

Exam Preparation Tasks

As mentioned in the section "How to Use This Book" in the Introduction, you have a
couple of choices for exam preparation: the exercises here, Chapter 22, "Final
Preparation," and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the
outer margin of the page. Table 5-5 lists a reference of these key topics and the page
numbers on which each is found.

Table 5-5 Key Topics for Chapter 5

Key Topic Element | Description | Page Number
List | Describes root bridge election | 173
Sentence | Identifies the golden rule of STP | 173
Table 5-2 | Identifies STP port types | 174
Table 5-3 | Identifies STP port costs | 175
Section | Reviews how to determine root ports | 175
Section | Reviews how to determine designated ports | 176
List | Identifies STP port states | 177
Section | Identifies show commands used for troubleshooting STP | 178
Section | Reviews STP features and the show commands used for troubleshooting | 182
List | Describes issues that could prevent an EtherChannel from forming | 199
Table 5-4 | Identifies the EtherChannel modes that will successfully form a bundle | 200

Define Key Terms

Define the following key terms from this chapter and check your answers in the
glossary:

Spanning Tree Protocol (STP), 802.1D, 802.1w, 802.1s, root bridge, root port,
designated port, nondesignated port, blocking, listening, learning, forwarding,
Layer 2 EtherChannel, PAgP, LACP

Complete Tables and Lists from Memory

Print a copy of Appendix C, "Memory Tables," (found on the disc), or at least the
section for this chapter, and complete the tables and lists from memory. Appendix D,
"Memory Tables Answer Key," also on the disc, includes completed tables and lists to
check your work.

Command Reference to Check Your Memory

This section includes the show commands introduced in this chapter. It does not
include the show commands that were used in this chapter but introduced in previous
chapters. You will need to return to the previous chapters to review information
relating to those show commands.

The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a
networking professional. Therefore, you should be able to identify the show commands
needed to successfully troubleshoot the topics covered in this chapter. To test your
memory of the commands, cover the right side of Table 5-6 with a piece of paper, read
the description on the left side, and then see how much of the command you can
remember.

Table 5-6 show Commands Introduced in Chapter 5

Task | Command Syntax
Displays STP information about all VLANs | show spanning-tree
Displays STP information about a specific VLAN | show spanning-tree [vlan {vlan_id}]
Displays the STP interface role, port priority, cost, and type for each VLAN on the switch | show spanning-tree interface interface_type interface_number
Displays detailed STP information about an interface, including the number of BPDUs sent and received and the STP features that have been enabled specifically on the interface | show spanning-tree interface interface_type interface_number detail
Displays the MST region name, revision number, and the instance to VLAN mappings | show spanning-tree mst configuration
Displays ports configured with Root Guard that have received superior BPDUs and ports configured with Loop Guard that are in the loop inconsistent state | show spanning-tree inconsistentports
Displays which STP features have been enabled globally on the switch | show spanning-tree summary
Displays the status of port-channels as well as the status of the ports within the port channel | show etherchannel summary
Displays the EtherChannel load-balance algorithm configured on the switch | show etherchannel load-balance

This chapter covers the following topics:

■ Troubleshooting a Router-on-a-Trunk/Stick: This section covers how to troubleshoot
inter-VLAN routing issues when using the router-on-a-trunk scenario.

■ Router-on-a-Trunk/Stick Trouble Tickets: This section provides trouble tickets that
demonstrate how you can use a structured troubleshooting process to solve a reported
problem.

■ Troubleshooting Switched Virtual Interfaces: This section identifies what is
necessary for an SVI to be up/up and provide inter-VLAN routing. You will also learn
how to troubleshoot issues related to SVIs.

■ SVI Trouble Tickets: This section provides trouble tickets that demonstrate how you
can use a structured troubleshooting process to solve a reported problem.

■ Troubleshooting Routed Ports: This section reviews what is necessary to convert a
Layer 2 switchport into a routed port.

■ Routed Port Trouble Tickets: This section provides trouble tickets that demonstrate
how you can use a structured troubleshooting process to solve a reported problem.

■ Troubleshooting Layer 3 EtherChannel: This section focuses on the steps needed to
successfully troubleshoot a Layer 3 EtherChannel that relies on routed ports.

■ Layer 3 EtherChannel Trouble Tickets: This section provides trouble tickets that
demonstrate how you can use a structured troubleshooting process to solve a reported
problem.

CHAPTER 6

Troubleshooting Inter-VLAN Routing and Layer 3 EtherChannels

Chapters 4, "Troubleshooting Layer 2 Trunks, VTP, and VLANs," and 5, "Troubleshooting
STP and Layer 2 EtherChannel," focused on Cisco Catalyst switches as Layer 2 switches.
These switches operate at Layer 2 of the OSI model, forwarding or flooding frames based
on the MAC addresses in the frame. However, many Cisco Catalyst switches are Layer 3
switches. These Layer 3 switches can perform both Layer 2 and Layer 3 services. Of the
Layer 3 services, routing is the most common that is implemented. Through the use of
virtual Layer 3 interfaces (known as switched virtual interfaces [SVIs]) or by
converting a Layer 2 switchport to a routed port, you can assign IP addresses to these
interfaces and have the Layer 3 switch route data between VLANs and subnets. In
addition, you can use routed ports to create Layer 3 EtherChannels.

This chapter focuses on how you can troubleshoot different inter-VLAN routing
implementations, routed ports, and Layer 3 EtherChannel. You will also be exposed to a
few different troubleshooting scenarios for each.

"Do I Know This Already?" Quiz

The "Do I Know This Already?" quiz allows you to assess whether you should read this
entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are
in doubt about your answers to these questions or your own assessment of your
knowledge of the topics, read the entire chapter. Table 6-1 lists the major headings
in this chapter and their corresponding "Do I Know This Already?" quiz questions. You
can find the answers in Appendix A, "Answers to the 'Do I Know This Already?'
Quizzes."

Table 6-1 "Do I Know This Already?" Section-to-Question Mapping

Foundation Topics Section | Questions
Troubleshooting a Router-on-a-Trunk/Stick | 1–2
Troubleshooting Switched Virtual Interfaces | 3–5
Troubleshooting Routed Ports | 6–7
Troubleshooting Layer 3 EtherChannel | 8–9

Caution The goal of self-assessment is to gauge your mastery of the topics in this
chapter. If you do not know the answer to a question or are only partially sure of the
answer, you should mark that question as wrong for purposes of the self-assessment.
Giving yourself credit for an answer that you correctly guess skews your
self-assessment results and might provide you with a false sense of security.

1. Which command enables you to associate a VLAN with a router subinterface?

a. encapsulation

b. interface

c. ip address

d. vlan

2. Which show command enables you to verify the VLAN that has been associated
with a router subinterface?

a. show interface trunk

b. show vlan brief

c. show ip route

d. show vlans

3. What must be true for an SVI to be up/up? (Choose two answers.)

a. The VLAN associated with the SVI must exist on the switch.

b. The SVI must be disabled.

c. There must be at least one interface on the switch associated with the VLAN in
the spanning-tree forwarding state.

d. IP routing must be enabled on the switch.

4. Which show command enables you to verify the status of the SVI for VLAN 10 and
the MAC address associated with it?

a. show ip interface brief

b. show interfaces vlan 10
c. show ip interface vlan 10

d. show svi

5. Which command enables IPv4 unicast routing on a Layer 3 switch?

a. routing

b. ip route

c. ip routing

d. ip unicast-routing

6. Which command enables you to convert a Layer 2 switchport to a routed port?

a. no switchport

b. routed port
c. ip address

d. ip routing

7. Which show command enables you to verify whether interface Gigabit Ethernet
1/0/10 is a Layer 2 switchport or a routed port?

a. show gigabitethernet 1/0/10 switchport

b. show interfaces gigabitethernet 1/0/10

c. show interfaces gigabitethernet 1/0/10 switchport

d. show interfaces status

8. What flags in the show etherchannel summary output indicate that the
EtherChannel is Layer 3 and in use?

a. SU

b. SD

c. RU
d. RD

9. Which EtherChannel modes will successfully form an LACP EtherChannel?

a. Active-auto

b. Desirable-auto

c. Passive-desirable

d. Active-passive

10. Which EtherChannel flag indicates that the port is bundled in the EtherChannel
bundle?

a. R

b. S
c. P

d. H

Foundation Topics

Troubleshooting a Router-on-a-Trunk/Stick
For traffic to pass from one VLAN to another VLAN, it has to be routed. This is easy to
remember if you recall that a VLAN = a subnet and to send traffic from one subnet to
another you route it. Therefore, to send traffic from one VLAN to another VLAN, you
also route it.

This section reviews how you can use an external router that is trunked to a switch to
perform routing between VLANs. The section also covers the various issues that could
cause this implementation to not function as expected.

Before Layer 3 switches existed, we relied on external routers to perform inter-VLAN
routing. The external router was connected to the Layer 2 switch via a trunk, which
created the router-on-a-stick or router-on-a-trunk topology, as shown in Figure 6-1.

[Figure 6-1 shows router R1's Fast Ethernet 1/1/1 interface connected by a trunk to
SW1 Gig 0/2. R1 carries subinterfaces Fa 1/1/1.1 (VLAN 100) and Fa 1/1/1.2 (VLAN 200).
PC1 (192.168.1.10/24, VLAN 100) is on SW1 Gig 0/1 and PC2 (192.168.2.10/24, VLAN 200)
is on SW1 Gig 0/3.]

Figure 6-1 Router-on-a-Trunk / Router-on-a-Stick

In Figure 6-1, router R1’s Fast Ethernet 1/1/1 interface has two subinterfaces as indicated
by the period (.) in the interface identification. There is one for each VLAN, Fast Ethernet
1/1/1.1 for VLAN 100 and Fast Ethernet 1/1/1.2 for VLAN 200. Router R1 can route
between VLANs 100 and 200, while simultaneously receiving and transmitting traffic
over the trunk connection to the switch. Review Example 6-1 and Example 6-2, which
outline the configurations needed to implement a router-on-a-trunk.

Example 6-1 show run Command Output from R1 (Key Topic)
R1#show run
...output omitted...
interface FastEthernet1/1/1.1
encapsulation dot1Q 100
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet1/1/1.2
encapsulation dot1Q 200
ip address 192.168.2.1 255.255.255.0
...output omitted...

Example 6-2 show run Command Output from SW1 (Key Topic)
SW1#show run
...output omitted...
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 100

interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate

interface GigabitEthernet0/3
switchport mode access
switchport access vlan 200
...output omitted...

After reviewing Example 6-1 and Example 6-2, what are issues that could prevent
inter-VLAN routing from being successful? (Key Topic)
■ Trunk encapsulation mismatch

■ Incorrect VLAN assignment on routers’ subinterfaces

■ Incorrect IP address or subnet mask on routers’ subinterfaces

■ Incorrect IP address, subnet mask, or default gateway on PCs

■ Switchport connected to router configured as an access port

■ Switchport connected to router configured to use Dynamic Trunking Protocol (DTP),
which is not supported by the router; the switch side has to be set to trunk
statically (switchport mode trunk), and switchport nonegotiate, as in Example 6-2,
stops it from sending DTP frames that the router will never answer

■ Switchports connected to PCs in wrong VLAN

Being able to identify these issues and correct them is important for any troubleshooter.

Router-on-a-Trunk/Stick Trouble Tickets
This section covers various trouble tickets relating to the topics discussed earlier in the
chapter. The purpose of these trouble tickets is to give a process that you can follow
when troubleshooting in the real world or in an exam environment. All trouble tickets in
this section are based on the topology depicted in Figure 6-2.

[Figure 6-2 shows R1 Fa0/1 connected over an 802.1q trunk to SW1 Fa0/24. R1 has
subinterfaces Fa0/1.100 (192.168.1.1/24, VLAN 100) and Fa0/1.200 (192.168.2.1/24,
VLAN 200). PC1 (192.168.1.10/24, VLAN 100, DG 192.168.1.1) is on SW1 Fa0/1 and PC2
(192.168.2.10/24, VLAN 200, DG 192.168.2.1) is on SW1 Fa0/2.]

Figure 6-2 Router-on-a-Trunk Trouble Tickets

Trouble Ticket 6-1
Problem: PC1 is not able to access resources on PC2.

As you dive deeper into trouble tickets, everything covered in the previous chapters still
applies because the PCs are still connected to the switches, there are still VLANs, and
there are trunks. As a result, having a repeatable structured troubleshooting process in
place will help you maintain focus and clarity as you troubleshoot.

The first item on the list of troubleshooting is to verify the problem. Issuing the ping
command on PC1, as shown in Example 6-3, indicates that PC1 is not able to reach PC2,
confirming the problem.

Example 6-3 Failed Ping from PC1 to PC2
C:\PC1>ping 192.168.2.10
Pinging 192.168.2.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.2.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Next you need to verify whether PC1 can get to its default gateway. This will help
you narrow down where the issue may be. Pinging PC1's default gateway, as shown in
Example 6-4, is not successful. This indicates that we have an issue between PC1 and the
default gateway.

Example 6-4 Failed Ping from PC1 to Default Gateway
C:\PC1>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Now is an excellent time to brainstorm the likely causes of the issue based on Figure 6-2
and the fact that PC1 is not able to ping its default gateway:

■ PC1 may have an incorrect IP address, subnet mask, or default gateway configured.

■ SW1 switchport FA0/1 may not be associated with the correct VLAN.

■ VLAN 100 may not exist on SW1.

■ PC1 may physically be connected to the wrong switchport.

■ SW1 Fa0/24 may not be configured as a trunk.

■ SW1 Fa0/24 may not be allowing VLAN 100 traffic on the trunk.

■ SW1 Fa0/24 may be using the wrong trunk encapsulation.

■ R1 may not have the appropriate subinterfaces configured with the correct IP
addresses or subnet masks.

■ R1’s subinterfaces may be using the wrong trunk encapsulation.

■ R1’s subinterfaces may be disabled.

As you can see, the list is quite extensive, and it is not even a complete list. Let's
start following the path from PC1 and work toward the router. Issuing ipconfig on PC1
indicates that it has the correct IP address, subnet mask, and default gateway
configured, as shown in Example 6-5, when compared to Figure 6-2.

Example 6-5 ipconfig Output on PC1
C:\PC1>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

Issuing the show mac address-table dynamic command on SW1 will identify which
MAC address is being learned on Fa0/1 and which VLAN it is associated with. Example
6-6 is indicating that the MAC address of 0800.275d.06d6 is being learned on Fa0/1 and
that it is associated with VLAN 100. Issuing the ipconfig /all command on PC1, as shown
in Example 6-7, identifies PC1’s MAC as 0800.275d.06d6, which is the same as the one
outlined in the MAC address table. We can narrow our focus now because this proves
that PC1 is connected to the correct switchport, VLAN 100 exists, and Fa0/1 is in the
correct VLAN.

Example 6-6 show mac address-table dynamic Command Output on SW1
SW1#show mac address-table dynamic
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
100 0800.275d.06d6 DYNAMIC Fa0/1
200 0800.27a2.ce47 DYNAMIC Fa0/2
Total Mac Addresses for this criterion: 2

Example 6-7 ipconfig /all Output on PC1
C:\PC1>ipconfig
...output omitted...
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
...output omitted...

Focus on Example 6-6 again. If you look closely at the MAC address table on SW1, you
will notice that no MAC addresses are being learned for VLAN 100 or VLAN 200 on
Fa0/24. Why would this be? The link between R1 and SW1 should be an 802.1Q trunk
according to Figure 6-2. If this trunk is not configured with the correct encapsulation,
or the correct trunk mode, or the trunk is pruning VLAN 100 or 200 traffic, traffic for
VLANs 100 and 200 would not pass over the link.

On SW1, start by issuing the show interfaces trunk command, as shown in Example 6-8.
The output indicates that Fa0/24 is a trunk using mode on, which means the command
switchport mode trunk was issued. It also indicates that Fa0/24 is using Inter-Switch
Link (ISL) as the trunk encapsulation method. According to Figure 6-2, the trunk should
be using 802.1Q.

Example 6-8 show interfaces trunk Command Output on SW1
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/24 on isl trunking 1

Port Vlans allowed on trunk
Fa0/24 1-4094

Port Vlans allowed and active in management domain
Fa0/24 1,100,200

Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 1,100,200

Reviewing the output of show vlans on R1 in Example 6-9 confirms that R1 is using
802.1Q for its trunk encapsulation. As a result, we have a trunk encapsulation mismatch.

Example 6-9 show vlans Output on R1
R1#show vlans
...output omitted...
Virtual LAN ID: 100 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/1.100

Protocols Configured: Address: Received: Transmitted:
IP 192.168.1.1 4 8
Other 0 5

4 packets, 298 bytes input
13 packets, 1054 bytes output

Virtual LAN ID: 200 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/1.200

Protocols Configured: Address: Received: Transmitted:
IP 192.168.2.1 4 8
Other 0 5

4 packets, 298 bytes input
13 packets, 1054 bytes output

You need to fix SW1 so that Fa0/24 is using the correct trunk encapsulation method. On
Fa0/24 of SW1, issue the switchport trunk encapsulation dot1q command. After you
have implemented your solution, you need to confirm that it solved the problem by
pinging from PC1 to PC2 again. Example 6-10 shows that the ping is successful.

Example 6-10 Successful Ping from PC1 to PC2
C:\PC1>ping 192.168.2.10

Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Trouble Ticket 6-2
Problem: PC1 is not able to access resources on PC2.

The problem reported in this trouble ticket is the exact same as the previous trouble
ticket. However, do not jump to the conclusion that it is the same problem and
solution. You always want to follow your structured troubleshooting approach to make
sure that you efficiently solve the problem and waste little effort.

The first item on the list of troubleshooting is to verify the problem. Issuing the ping
command on PC1, as shown in Example 6-11, indicates that PC1 is not able to reach PC2,
confirming the problem.

Example 6-11 Failed Ping from PC1 to PC2
C:\PC1>ping 192.168.2.10
Pinging 192.168.2.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.2.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Next you need to verify whether PC1 can get to its default gateway. This will help
you narrow down where the issue may be. Pinging PC1’s default gateway, as shown in
Example 6-12, is successful. This indicates that we do not have an issue between PC1 and
the default gateway.

Example 6-12 Successful Ping from PC1 to Default Gateway
C:\PC1>ping 192.168.1.1
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Now is a great time to check whether PC1 can ping the default gateway of VLAN 200 at
192.168.2.1. This will help you determine whether inter-VLAN routing is working on R1
between VLAN 100 and VLAN 200. The ping, as shown in Example 6-13, is successful.

Example 6-13 Successful Ping from PC1 to Default Gateway of VLAN 200
C:\PC1>ping 192.168.2.1
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

It is time to shift attention to R1 and PC2 because it appears everything is fine from
PC1 to R1's subinterface Fa0/1.100. In this case, we will work our way backward from
R1 to PC2. For VLAN 200 traffic to flow from R1 to PC2, the subinterface Fa0/1.200
needs to be using the correct encapsulation method (802.1Q), it needs to have the
correct IP address and subnet mask assigned to it (192.168.2.1/24), and it needs to
have the right VLAN assigned to it (VLAN 200). Using the command show vlans on R1 will
help to verify the subinterface configuration on R1, as outlined in Example 6-14.
Notice that subinterface Fa0/1.200 has the appropriate IP address and that it is also
using 802.1Q as the trunk encapsulation. However, it is associated with VLAN 20, not
VLAN 200. This appears to be the issue.

Example 6-14 show vlans Command Output on R1
R1#show vlans
...output omitted...
Virtual LAN ID: 20 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/1.200

Protocols Configured: Address: Received: Transmitted:
IP 192.168.2.1 0 0

0 packets, 0 bytes input
0 packets, 0 bytes output
...output omitted...

In subinterface configuration mode for Fa0/1.200, you execute the command
encapsulation dot1q 200 to change the VLAN association from 20 to 200. Once done, you
review the output of show vlans on R1, as shown in Example 6-15, to verify that
subinterface Fa0/1.200 is associated with VLAN 200.

Example 6-15 show vlans Command Output on R1 After Configuration Changes
R1#show vlans
...output omitted...
Virtual LAN ID: 200 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/1.200

Protocols Configured: Address: Received: Transmitted:
IP 192.168.2.1 0 0

0 packets, 0 bytes input
0 packets, 0 bytes output

You then confirm the issue is solved by pinging from PC1 to PC2 again. Example 6-16
shows that the ping is successful, and so you can now conclude that the problem is
solved.

Example 6-16 Successful Ping from PC1 to PC2
C:\PC1>ping 192.168.2.10
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Troubleshooting Switched Virtual Interfaces
On a router, an interface has an IP address that defines the subnet the interface is part
of. In addition, the IP address is usually acting as a default gateway to hosts residing off
of that interface. However, if you have a Layer 3 switch with multiple ports (access or
trunk) belonging to the same VLAN, as shown in Figure 6-3, which interface should the
IP address be configured on?
[Figure 6-3 shows SW1 with Gig 0/7 and Gig 0/8 in VLAN 100 and Gig 0/9 and Gig 0/10
in VLAN 200, with no IP addresses configured on the switch.]

Figure 6-3 Layer 3 Switch Without IP addresses

Since Layer 2 switchports cannot be assigned an IP address, you need to create a
logical Layer 3 interface known as a switched virtual interface (SVI). These SVIs can
be assigned an IP address just like router interfaces. However, unlike router
interfaces where an IP address is associated with one interface, the SVI represents
all switchports that are part of the same VLAN the SVI is configured for. Therefore,
any device connecting to the switch that is in VLAN 100 uses SVI 100, and any device
in VLAN 200 uses SVI 200, and so on. This section explains how to configure SVIs on
Layer 3 switches and the items that you should look out for when troubleshooting SVIs.

Reviewing SVIs
Figure 6-4 shows a topology using SVIs, and Example 6-17 shows the corresponding
configuration. Notice that two SVIs are created: one for each VLAN. The SVI for VLAN
100 has the IP address 192.168.1.1/24, and the SVI for VLAN 200 has the IP address
192.168.2.1/24. Notice that these are two different subnets. As a result, devices that are
members of VLAN 100 need to have an IP address in the 192.168.1.0/24 network and
have their default gateway pointing to the VLAN 100 SVI IP address of 192.168.1.1.
Devices that are members of VLAN 200 need to have an IP address in the 192.168.2.0/24
network and have their default gateway pointing to the VLAN 200 SVI IP address of
192.168.2.1. An IP address is assigned to an SVI by going into interface configuration
mode for a VLAN. For example, the global configuration command interface vlan 10
enters interface configuration mode for SVI 10 and, if not previously created, will create
SVI 10. In this example, because both SVIs are local to the switch, the switch’s routing
table knows how to forward traffic between members of the two VLANs. Also, IPv4
routing is not on by default on Layer 3 switches; therefore, you need to enable it with the
ip routing global configuration command.
Figure 6-4 Layer 3 Switch with SVIs (SW1 with Gig0/7 and Gig0/8 in VLAN 100, served by SVI VLAN 100 at 192.168.1.1/24, and Gig0/9 and Gig0/10 in VLAN 200, served by SVI VLAN 200 at 192.168.2.1/24)

Example 6-17 SW1 SVI Configuration
SW1#show run
...output omitted...
!
ip routing
!
...output omitted...
!
interface GigabitEthernet0/7
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 200
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 200
switchport mode access
!
...output omitted...
!
interface Vlan100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan200
ip address 192.168.2.1 255.255.255.0

Troubleshooting SVIs
For an SVI to function, the SVI status has to be up and the protocol has to be up. You
can verify whether the SVI is up/up with a few different show commands, as shown in
Example 6-18. In this case, the SVI for VLAN 100 is up/up, as shown in the output of
show ip interface brief. The output of show interfaces vlan 100 also displays the SVI as
being up/up, but it provides the MAC (bia) address that will be used when devices need
to communicate directly with the SVI. For example, when hosts on VLAN 100 need to
send a frame to the default gateway (remember the SVI will be the default gateway), they
need a destination MAC address for the IP address associated with the SVI. It is this MAC
that will be used in this case. The command also provides the IP address of the SVI.
Lastly, the show ip interface vlan 100 command indicates that the SVI is up/up, in addi-
tion to providing us with the IP address.

Example 6-18 Verifying the Status of an SVI
SW1#show ip interface brief | include Vlan|Interface
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan100 192.168.1.1 YES manual up up
Vlan200 192.168.2.1 YES manual up up

SW1#show interfaces vlan 100
Vlan100 is up, line protocol is up
Hardware is EtherSVI, address is 000d.2829.0200 (bia 000d.2829.0200)
Internet address is 192.168.1.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
...output omitted...

SW1#show ip interface vlan 100
Vlan100 is up, line protocol is up
Internet address is 192.168.1.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
...output omitted...

To successfully troubleshoot SVIs, you need to understand the circumstances that are
necessary for an SVI to be up/up. The following list outlines what is needed for an SVI to
be up/up:

■ The VLAN the SVI is created for needs to exist locally on the switch.

■ The SVI has to be enabled and not administratively shut down.

■ At a minimum, there must be one switchport (access or trunk) that is up/up and in
the spanning-tree forwarding state for that specific VLAN.

Note To route from one SVI to another SVI, IP routing must be enabled on the Layer 3
switch with the ip routing command.

SVI Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in
the chapter. The purpose of these trouble tickets is to give a process that you can follow
when troubleshooting in the real world or in an exam environment. All trouble tickets in
this section are based on the topology depicted in Figure 6-5.

Figure 6-5 SVI Trouble Ticket Topology (PC1 10.1.1.10/26 on SW2 Fa0/1 in VLAN 10 and PC2 10.1.1.74/26 on SW2 Fa0/2 in VLAN 20; SW2 Gig0/1 is an 802.1Q trunk to SW1 Gig1/0/1; SW1 has SVI VLAN 10 with IP 10.1.1.1 for 10.1.1.0/26 and SVI VLAN 20 with IP 10.1.1.65 for 10.1.1.64/26)

Trouble Ticket 6-3
Problem: PC1 is not able to access resources on PC2.

Let’s start this trouble ticket by verifying the problem. Example 6-19 verifies that PC1
cannot access resources on PC2 because the ping has failed.

Example 6-19 Failed Ping from PC1 to PC2
C:\PC1>ping 10.1.1.74
Pinging 10.1.1.74 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.1.74:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Next, we ping the default gateway for PC1, and the result is not successful either, as
shown in Example 6-20. This means that we have an issue from PC1 to the default gate-
way.

Example 6-20 Failed Ping from PC1 to Default Gateway
C:\PC1>ping 10.1.1.1
Pinging 10.1.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Following a structured troubleshooting approach, you would verify the IP configura-
tion on PC1 as well as its MAC address using the ipconfig /all command. Example 6-21
indicates that the IP address, subnet mask, and default gateway are all correct based on
Figure 6-5. It also indicates that the MAC address is 0800:275d:06d6.

Example 6-21 Verifying PC1's Configuration with ipconfig /all
C:\PC1>ipconfig /all
...output omitted...
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . : 10.1.1.1
...output omitted...

Next we verify that SW2 is learning the MAC address of PC1 on the correct interface
and that it is associated with the correct VLAN. Example 6-22 shows that the MAC
address of PC1 (0800:275d:06d6) is associated with Fa0/1 and VLAN 10 with the com-
mand show mac address-table dynamic.

Example 6-22 Verifying SW2 Has Learned the MAC Address of PC1 on Fa0/1 and
VLAN 10
SW2#show mac address-table dynamic
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
10 0800.275d.06d6 DYNAMIC Fa0/1
20 0800.27a2.ce47 DYNAMIC Fa0/2
20 2893.fe3a.e342 DYNAMIC Gi0/1
Total Mac Addresses for this criterion: 3

Next we issue the show mac address-table dynamic command on SW1, as shown in
Example 6-23, to verify that the MAC address of PC1 is being learned on Gig1/0/1 and is
associated with VLAN 10. In this case, it is not being learned at all. In addition, reviewing
the output of Example 6-22 again concludes that there are no MAC addresses for VLAN
10 being learned on the Gig0/1 interface of SW2. We should see the MAC address of the
default gateway for the 10.1.1.0/26 network associated with Gig0/1, but we don’t.

Example 6-23 Verifying SW1 Has Learned the MAC Address of PC1 on Gig1/0/1 and
VLAN 10
SW1#show mac address-table dynamic
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
20 0800.27a2.ce47 DYNAMIC Gi1/0/1
Total Mac Addresses for this criterion: 1

Because SW1 is a Layer 3 switch, it should have an SVI for VLAN 10 with an IP address
associated with it in the up/up state. Issuing the command show ip interface brief |
include Vlan10, as shown in Example 6-24, indicates that the SVI exists on SW1, it has
the IP address 10.1.1.1, and it is up/down. Therefore, the issue in this trouble ticket is
causing MAC addresses not to be learned for VLAN 10 on SW1’s Gig1/0/1 and SW2’s
Gig0/1 interfaces and is causing the SVI on SW1 to be up/down.

Example 6-24 Verifying SVI Exists on SW1 and Its Status
SW1#show ip interface brief | include Vlan10|Interface
Interface IP-Address OK? Method Status Protocol
Vlan10 10.1.1.1 YES NVRAM up down

What causes an SVI's protocol state to be down?

■ The VLAN the SVI is created for does not exist locally on the switch.

■ The SVI is administratively shut down.
■ There is no switchport (access or trunk) that is up/up and in the spanning-tree for-
warding state for that specific VLAN.

What would cause MAC addresses not to be learned on trunk interfaces?

■ The trunk has mismatched encapsulations, modes, or native VLANs.
■ The trunk is manually or dynamically pruning traffic for the VLAN, causing spanning
tree to have no forwarding state for the VLAN.

■ The VLAN does not exist on the switch.

Let’s compare these two lists. What do they have in common?

■ The VLAN does not exist.

■ Spanning tree is not in the forwarding state for the VLAN on at least one interface.
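The up/up conditions listed for an SVI and the two comparison lists above can be turned into a mechanical check. The following Python is an added example (not from the book) that applies those conditions to constructed show ip interface brief, show vlan brief and show interfaces trunk output modelled on Examples 6-24 through 6-26; it assumes the forwarding-state check is done against trunk ports only, so an access port forwarding the VLAN would need a separate spanning-tree check.

```python
"""Diagnose why an SVI is not up/up from show command output.

Added example, not from the book. It applies the chapter's SVI up/up
conditions: the VLAN must exist locally, the SVI must not be shut down,
and at least one port must be in spanning-tree forwarding for that VLAN.
Only trunk ports are examined (show interfaces trunk output).
"""
import re

# Constructed sample output modelled on Examples 6-24 through 6-26 (SW1, TT 6-3).
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan10                 10.1.1.1        YES NVRAM  up                    down
Vlan20                 10.1.1.65       YES NVRAM  up                    up
"""

SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/2, Gi1/0/3, Gi1/0/4
20   10.1.1.64/26                     active
1002 fddi-default                     act/unsup
"""

SHOW_INT_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/1     on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi1/0/1     1-4094

Port        Vlans allowed and active in management domain
Gi1/0/1     1,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/1     1,20
"""


def parse_svi_status(text):
    """Return {vlan_id: (status, protocol)} for every Vlan interface line."""
    result = {}
    pattern = (r"Vlan(\d+)\s+\S+\s+\S+\s+\S+\s+"
               r"(administratively down|up|down)\s+(up|down)")
    for line in text.splitlines():
        m = re.match(pattern, line)
        if m:
            result[int(m.group(1))] = (m.group(2), m.group(3))
    return result


def parse_vlan_ids(text):
    """Return the set of VLAN IDs present in show vlan brief (any status)."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)\s+\S", text, re.M)}


def expand_vlan_list(spec):
    """Expand a VLAN list such as '1,10-12,20' into {1, 10, 11, 12, 20}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_forwarding_vlans(text):
    """Return {trunk_port: set(vlans)} from the forwarding-and-not-pruned section."""
    marker = "Vlans in spanning tree forwarding state and not pruned"
    section = text.split(marker, 1)[1]
    forwarding = {}
    for line in section.strip().splitlines():
        port, _, vlans = line.partition(" ")
        if vlans.strip():
            forwarding[port] = expand_vlan_list(vlans.strip())
    return forwarding


def diagnose_svi(vlan_id, ip_brief, vlan_brief, trunk):
    """Return the reasons the SVI for vlan_id is not up/up (empty when healthy)."""
    reasons = []
    status = parse_svi_status(ip_brief).get(vlan_id)
    if status is None:
        return ["SVI does not exist"]
    if status[0] == "administratively down":
        reasons.append("SVI is administratively shut down")
    if vlan_id not in parse_vlan_ids(vlan_brief):
        reasons.append("VLAN %d does not exist locally on the switch" % vlan_id)
    forwarding = parse_forwarding_vlans(trunk)
    if not any(vlan_id in vlans for vlans in forwarding.values()):
        reasons.append("no trunk port is in spanning-tree forwarding state "
                       "for VLAN %d" % vlan_id)
    return reasons
```

Run against the sample output, the VLAN 10 SVI reports both the missing VLAN and the missing forwarding port, which is exactly the pair of symptoms Trouble Ticket 6-3 traces back to the absent VLAN.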

On SW1, the show interfaces trunk command enables you to see the spanning-tree for-
warding state for each VLAN on Gig1/0/1. Example 6-25 shows the output of the com-
mand show interfaces trunk on SW1 and highlights the fact that SW1 interface Gig1/0/1

is not in the spanning-tree forwarding state for VLAN 10, only for VLAN 1 and 20. If
you look further at the output, you see that VLAN 10 is not even listed in the list of
VLANs that are active in the management domain. This is a good indication that VLAN
10 does not exist on SW1.

Example 6-25 Output of show interfaces trunk on SW1
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi1/0/1 on 802.1q trunking 99

Port Vlans allowed on trunk
Gi1/0/1 1-4094

Port Vlans allowed and active in management domain
Gi1/0/1 1,20

Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 1,20

Reviewing the output of show vlan brief on SW1 confirms that VLAN 10 does not exist,
as shown in Example 6-26. Correcting this issue requires that you create the VLAN in
global configuration mode using the vlan 10 command.

Example 6-26 Output of show vlan brief on SW1
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4
Gi1/0/5, Gi1/0/6, Gi1/0/7
Gi1/0/8, Gi1/0/9, Gi1/0/10
Gi1/0/11, Gi1/0/12, Gi1/0/13
Gi1/0/14, Gi1/0/15, Gi1/0/16
Gi1/0/17, Gi1/0/18, Gi1/0/19
Gi1/0/20, Gi1/0/21, Gi1/0/22
Gi1/0/23, Gi1/0/24, Te1/0/1,
Te1/0/2
20 10.1.1.64/26 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

After you have corrected the issue, you want to confirm that the VLAN exists, as shown
in the show vlan brief output of Example 6-27. You want to confirm that the output of
show interfaces trunk lists VLAN 10 in the active VLANs in the management domain
and that it is in the spanning-tree forwarding state and not pruned for interface Gig1/0/1,

as shown in Example 6-28. In addition, you want to verify that the SVI for VLAN 10
is up/up by using the command show ip interface brief | include Vlan10, as shown in
Example 6-29.

Example 6-27 Output of show vlan brief on SW1 After Changes
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4
Gi1/0/5, Gi1/0/6, Gi1/0/7
Gi1/0/8, Gi1/0/9, Gi1/0/10
Gi1/0/11, Gi1/0/12, Gi1/0/13
Gi1/0/14, Gi1/0/15, Gi1/0/16
Gi1/0/17, Gi1/0/18, Gi1/0/19
Gi1/0/20, Gi1/0/21, Gi1/0/22
Gi1/0/23, Gi1/0/24, Te1/0/1,
Te1/0/2
10 10.1.1.0/26 active
20 10.1.1.64/26 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

Example 6-28 Output of show interfaces trunk on SW1 After Changes
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi1/0/1 on 802.1q trunking 99

Port Vlans allowed on trunk
Gi1/0/1 1-4094

Port Vlans allowed and active in management domain
Gi1/0/1 1,10,20
Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 1,10,20

Example 6-29 Output of show ip interface brief | include Vlan10 on SW1 After
Changes
SW1#show ip interface brief | include Vlan10|Interface
Interface IP-Address OK? Method Status Protocol
Vlan10 10.1.1.1 YES NVRAM up up

Finally, you want to verify that the problem is solved by successfully pinging from PC1 to
PC2. Example 6-30 shows that the problem is solved and that the ping is successful.

Example 6-30 Successful Ping from PC1 to PC2
C:\PC1>ping 10.1.1.74
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.74:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Trouble Ticket 6-4
Problem: PC1 is not able to access resources on PC2.

You start by verifying the problem, as shown in Example 6-31, which confirms (because
the ping has failed) that PC1 is unable to access resources on PC2. Next you verify that
PC1 can reach the default gateway, as shown in Example 6-32, which it can since the ping
was successful. This confirms that no issue exists between PC1 and the default gateway.
Next you verify that PC1 can reach the default gateway of VLAN 20, which is 10.1.1.65.
Example 6-33 confirms that PC1 is able to reach the default gateway of VLAN 20 since
the ping was successful as well.

Example 6-31 Failed Ping from PC1 to PC2
C:\PC1>ping 10.1.1.74
Pinging 10.1.1.74 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.1.74:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Example 6-32 Successful Ping from PC1 to VLAN 10 Default Gateway
C:\PC1>ping 10.1.1.1
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Example 6-33 Successful Ping from PC1 to VLAN 20 Default Gateway
C:\PC1>ping 10.1.1.65
Reply from 10.1.1.65: bytes=32 time<1ms TTL=128
Reply from 10.1.1.65: bytes=32 time<1ms TTL=128
Reply from 10.1.1.65: bytes=32 time<1ms TTL=128
Reply from 10.1.1.65: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.65:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Because all the pings were successful, this might mean that we have a problem between
SW1 and PC2. Let’s ping from SW1 to PC2 to verify this. Example 6-34 provides the
result of issuing the ping 10.1.1.74 command on SW1. Notice that the ping is successful,
which negates our hypothesis that a problem might exist between SW1 and PC2.

Example 6-34 Successful Ping from SW1 to PC2
SW1#ping 10.1.1.74
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.74, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/205/1015 ms

Let’s recap. PC1 can ping SVI 10, and PC2 can ping SVI 20. We also concluded that PC1
can ping SVI 20, which should mean that PC2 can ping SVI 10. Let’s double check by
pinging from PC2 to the IP address 10.1.1.1. As shown in Example 6-35, it is successful as
well.

Example 6-35 Successful Ping from PC2 to SVI 10
C:\PC2>ping 10.1.1.1
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

So, what is required for the ping from PC1 to fully reach PC2? Routing. Remember how the SVIs work. They are equivalent to router interfaces. Therefore, when you create an SVI, give it an IP address, and it is up/up, an entry for the network that the SVI belongs to gets placed in the routing table. Issuing the command show ip interface brief on SW1, as shown in Example 6-36, confirms that the SVIs for VLAN 10 and VLAN 20 exist, they have the correct IP addresses assigned to them, and they are up/up.

Example 6-36 Output of show ip interface brief on SW1
SW1#show ip interface brief | include Vlan|Interface
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan10 10.1.1.1 YES NVRAM up up
Vlan20 10.1.1.65 YES NVRAM up up

Let's check the routing table on SW1 with the command show ip route. The output of show ip route, as shown in Example 6-37, does not even look like a routing table. The output of Example 6-37 should immediately lead you to the solution of this problem. The problem is that IP routing is not enabled on SW1. By default, IP routing is disabled on Layer 3 switches. Therefore, SW1 cannot route traffic. It can only respond to pings that are sent to its local interfaces. Therefore, the pings are getting a little more than halfway to their destination. To enable it, you execute the ip routing command in global configuration mode.

Example 6-37 Output of show ip route on SW1
SW1#show ip route
Default gateway is not set

Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty

After you have enabled IP routing, you can issue the show ip route command again on SW1 to verify that directly connected entries have been added to the routing table for SVI VLAN 10 and SVI VLAN 20, as shown in Example 6-38. Example 6-38 shows a routing table that we are familiar with and the directly connected entries for VLAN 10 and VLAN 20.

Example 6-38 Output of show ip route on SW1
SW1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C 10.1.1.0/26 is directly connected, Vlan10
L 10.1.1.1/32 is directly connected, Vlan10
C 10.1.1.64/26 is directly connected, Vlan20
L 10.1.1.65/32 is directly connected, Vlan20

Finally, we need to confirm that our solution solved the original issue, which was that PC1 could not access resources on PC2. Pinging from PC1 to PC2, as shown in Example 6-39, is successful, proving that we solved the issue.

Example 6-39 Successful Ping from PC1 to PC2
C:\PC1>ping 10.1.1.74
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.74:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Troubleshooting Routed Ports
Although SVIs can route between VLANs configured on a switch, a Layer 3 switch can be configured to act more as a router (for example, in an environment where you are replacing a router with a Layer 3 switch) by using routed ports on the switch. This section explains how to configure routed ports on Layer 3 switches so that you can identify potential problems during the troubleshooting process.

By default, the ports on many Layer 3 Cisco Catalyst switches operate as Layer 2 switchports. Therefore, you have to issue the no switchport command in interface configuration mode to convert a switchport to a routed port. You can verify whether a port is a routed port by using the show interfaces interface_type interface_number switchport command. A routed port will state Switchport: Disabled, as shown in Example 6-40 also. Figure 6-6 and Example 6-40 illustrate a Layer 3 switch with its Gigabit Ethernet 0/9 and 0/10 ports configured as routed ports.

Figure 6-6 Routed Ports on a Layer 3 Switch (SW1 routed ports Gig0/9 and Gig0/10, addressed in 192.168.1.0/24 and 192.168.2.0/24, connecting SW1 to SW2 and to R2's Gig0/0)

Example 6-40 Configuration for Routed Ports on a Layer 3 Switch
SW1#show run
...output omitted...
!
interface GigabitEthernet0/9
 no switchport
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/10
 no switchport
 ip address 192.168.2.2 255.255.255.0
!
...output omitted...
SW1#show interfaces gigabitEthernet 0/10 switchport
Name: Gi0/10
Switchport: Disabled

The following list outlines the characteristics of routed ports:

■ Physical switchport that has Layer 3 (routing) capabilities.

■ Has no association with any VLAN.

■ Does not run switchport protocols such as Spanning Tree Protocol (STP) or Dynamic Trunking Protocol (DTP).

■ Does not support subinterfaces like a router.

■ Useful for uplinks between Layer 3 switches or when connecting a Layer 3 switch to a router.

■ To route from one routed port to another or a routed port to an SVI and vice versa, IP routing needs to be enabled.

Routed Ports Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 6-7.

Figure 6-7 Routed Ports Trouble Tickets Topology (PC1 10.1.1.10/26 on SW2 Fa0/1 in VLAN 10 and PC2 10.1.1.74/26 on SW2 Fa0/2 in VLAN 20; SW2 Gig0/1 is an 802.1Q trunk to SW1 Gig1/0/1; SW1 has SVI VLAN 10 at 10.1.1.1/26 and SVI VLAN 20 at 10.1.1.65/26; SW1 Gig1/0/10 at 10.10.10.2 connects to R1 Gig1/0 at 10.10.10.1 on 10.10.10.0/24, and R1 connects to the Internet)

Trouble Ticket 6-5
Problem: PC1 and PC2 are not able to access resources outside their subnet. They are able to access each other.

You must always be sure that you fully understand the problem that is being submitted. Therefore, you always need to further define the problem to make sure that it is accurate. You ping from PC1 to PC2, and it is successful. You ping from PC1 to its default gateway, and it is successful. You ping from PC2 to its default gateway, and it is successful. You ping from PC1 to the Internet, and it fails. You ping from PC2 to the Internet, and it fails. Pinging from PC1 and PC2 to R1's Gig1/0 interface fails. Therefore, the problem statement can be changed to read as follows:

Problem: PC1 and PC2 are not able to access resources beyond SW1.

This clarification allows us to focus our attention from SW1 onward, skipping all the Layer 2 troubleshooting between the PCs and SW1. On SW1, you ping 10.10.10.1, as shown in Example 6-41, and it fails.

Example 6-41 Failed Ping from SW1 to R1
SW1#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Next you issue the show ip interface brief command on SW1, as shown in Example 6-42, to verify that the correct IP address is configured on interface Gig1/0/10 and that it is up/up. The output shows that there is no IP address configured on Gig1/0/10 and that the interface is up/up.

Example 6-42 Output of show ip interface brief on SW1
SW1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
...output omitted...
GigabitEthernet1/0/9 unassigned YES unset down down
GigabitEthernet1/0/10 unassigned YES unset up up
GigabitEthernet1/0/11 unassigned YES unset down down
...output omitted...

You enter interface configuration mode for Gig1/0/10 and issue the command ip address 10.10.10.2 255.255.255.0, as shown in Example 6-43. You receive the error message displayed in Example 6-43. This is a good indication that it is a Layer 2 switchport. You confirm this by issuing the show interface Gig1/0/10 switchport command. The output displayed in Example 6-44 indicates that it is indeed a Layer 2 switchport because the output states Switchport: Enabled. If it stated Switchport: Disabled, this would indicate that it is a routed port.

Example 6-43 Error message on SW1
SW1#config t
SW1(config)#interface gig 1/0/10
SW1(config-if)#ip address 10.10.10.2 255.255.255.0
                ^
% Invalid input detected at '^' marker.

Example 6-44 Output of the show interfaces gig1/0/10 switchport Command on SW1
SW1#show interfaces gig1/0/10 switchport
Name: Gi1/0/10
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
...output omitted...

As shown in Example 6-43, you are not able to configure an IP address on Gig1/0/10. To assign an IP address to a switchport on a Layer 3 switch, you need to convert it to a routed port using the no switchport command in interface configuration mode, as shown in Example 6-45. Also in Example 6-45, you can see that the ip address command was successfully executed after the no switchport command was entered.

Example 6-45 Configuring a Routed Port on SW1
SW1#config t
SW1(config)#interface gig 1/0/10
SW1(config-if)#no switchport
SW1(config-if)#ip address 10.10.10.2 255.255.255.0

Now the ping from SW1 to R1 is successful, as displayed in Example 6-46. Also, the pings from PC1 and PC2 to the Internet are successful (not displayed).

Example 6-46 Successful Ping from SW1 to R1
SW1#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 9/14/17 ms

Troubleshooting Layer 3 EtherChannel
Chapter 5 discussed how to troubleshoot Layer 2 EtherChannels between Layer 2 switchports on Cisco Catalyst switches. When you have multiple routed ports on Layer 3 switches, you can bundle them together to create Layer 3 EtherChannels. This section focuses on the Layer 3 EtherChannel requirements and how you can successfully troubleshoot issues relating to it.

An EtherChannel logically combines the bandwidth of multiple physical interfaces into a logical connection between switches, as illustrated in Figure 6-8. Specifically, Figure 6-8 shows four Gigabit Ethernet routed ports logically bonded into a single EtherChannel link known as a port channel. With Layer 3 EtherChannel, there is no need to worry about trunk mode, native VLAN configurations, and allowed VLAN configurations because we use routed ports, which are Layer 3 ports that do not care about those parameters.

Figure 6-8 Layer 3 EtherChannel (SW1 and SW2 joined by routed ports Gig 0/1-4 on each switch, bundled into one port channel)

Following are common troubleshooting targets to consider when troubleshooting a Layer 3 EtherChannel issue:

■ Mismatched port configurations: The configurations of all ports making up an EtherChannel, on both switches, should be identical. For example, all ports should have the same speed and duplex and port type (Layer 2 or Layer 3).

■ Port type during configuration: Creating an EtherChannel with the channel-group command before the port channel is created will automatically create the port channel with the same state as the physical ports bundled in the channel group. For example, if the physical interfaces are Layer 2 switchports, the port channel will be a Layer 2 port channel. If the physical interfaces are Layer 3 interfaces, the port channel will be a Layer 3 port channel. Therefore, it is imperative that you either make the physical interfaces routed ports with the no switchport command before creating the bundle or create the Layer 3 port channel with the interface port-channel interface_number command and issue the no switchport command in interface configuration mode before you configure the physical interfaces with the channel-group command. Order of operations is more important with Layer 3 EtherChannel than with Layer 2 EtherChannel.

■ Mismatched EtherChannel configuration: Both switches forming the EtherChannel should be configured for the same EtherChannel negotiation protocol. The options are Link Aggregation Control Protocol (LACP) and Port Aggregation Protocol (PAgP). If you prefer to statically configure EtherChannel, there is the on option as well. Table 6-2 identifies which options can be configured on each switch to successfully form an EtherChannel.

■ Inappropriate EtherChannel distribution algorithm: EtherChannel determines which physical link to use to transmit frames based on a hash calculation. For example, a hash calculation might be based only on the destination MAC address of a frame. If the frames are destined for only a few different MAC addresses, the load distribution could be uneven. The hashing approach selected should distribute the load fairly evenly across all physical links.

Table 6-2 Options for Successfully Forming an EtherChannel

                          SW1 mode
SW2 mode          PAgP Desirable   PAgP Auto   LACP Active   LACP Passive   On
PAgP Desirable    Yes              Yes         No            No             No
PAgP Auto         Yes              No          No            No             No
LACP Active       No               No          Yes           Yes            No
LACP Passive      No               No          Yes           No             No
On                No               No          No            No             Yes

Verifying an EtherChannel bundle is done with the show etherchannel summary command, as shown in Example 6-47. With this output, you can verify the group number, the logical port channel number for the group, the status of the port channel, the protocol that was used, the ports in the bundle, and the status of the ports. In this example, the logical port channel is port channel 1, it is a Layer 3 port channel, and it is in use (as indicated by the RU). This is what you want to see. If you see any other combination, it means that you have a misconfiguration that is preventing the port channel from going up. Link Aggregation Control Protocol (LACP) was used as the protocol in this example, and Gig1/0/5 and 1/0/6 are bundled in the port channel, as indicated by the P. Again, you want to see P listed by the ports; if you see anything else, it means that you have a configuration issue that is preventing the port from being bundled. The only other option I would like to see beside the ports is H, which is used with LACP when you have more than eight ports in the bundle. When you have more than eight ports with LACP, the additional ports are placed in the standby state and used only if one of the main eight go down.

Example 6-47 Output of show etherchannel summary
SW1#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(RU)         LACP      Gi1/0/5(P)  Gi1/0/6(P)

Layer 3 EtherChannel Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 6-9.

Figure 6-9 EtherChannel Trouble Tickets Topology (SW1 and SW2 are connected by Gi1/0/5 and Gi1/0/6 on each switch, forming the Layer 3 EtherChannel; the figure also shows the Core, Gi1/0/1, Gi1/0/2, Gi0/1, Gi0/2, and Fa0/1)

Trouble Ticket 6-6

Problem: A junior network administrator has approached you indicating that the Layer 3 EtherChannel they are trying to form between SW1 and SW2 is not forming. You need to solve this issue for them.

Your first step is to verify the EtherChannel configuration on SW1 and SW2 using the show etherchannel summary command, as shown in Example 6-48 and Example 6-49. Reviewing the flags on SW1 in Example 6-48 indicates that the ports are in standalone and that the port channel is Layer 2 down. Reviewing the flags on SW2 in Example 6-49 indicates that the ports are suspended and that the port channel is Layer 3 down. Do you see the issue?

Example 6-48 SW1 show etherchannel summary Output

SW1#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(I)

Example 6-49 SW2 show etherchannel summary Output

SW2#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(RD)         LACP      Gi1/0/5(s)  Gi1/0/6(s)

It appears that our junior network administrator failed to create a Layer 3 EtherChannel on SW1. If you recall, to create a Layer 3 EtherChannel, the physical ports and the port channel must be routed ports. Therefore, the junior network administrator forgot the no switchport command on SW1, as shown in Example 6-50.

Example 6-50 SW1 show run interface Output

SW1#show run int gig 1/0/5
!
interface GigabitEthernet1/0/5
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
end

SW1#show run int gig 1/0/6
!
interface GigabitEthernet1/0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
end

SW1#show run int port-channel 1
!
interface Port-channel1
end

To solve this issue, you need to remove the port channel and channel group configuration from SW1, convert Gig1/0/5 and Gig1/0/6 to routed ports with the no switchport command, and then issue the channel-group mode command on Gig1/0/5 and Gig1/0/6, which will create the bundle and the Layer 3 port channel. Example 6-51 confirms that the Layer 3 EtherChannel bundle is now formed. Notice how the ports are bundled in the port channel and that the port channel is Layer 3 in use.

Example 6-51 SW1 and SW2 show etherchannel summary Output

SW1#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(RU)         LACP      Gi1/0/5(P)  Gi1/0/6(P)
!
SW2#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(RU)         LACP      Gi1/0/5(P)  Gi1/0/6(P)
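The flag checks described above for show etherchannel summary (P or H beside each port, U plus the expected R or S on the port channel) lend themselves to a small parser that turns the output into the same findings a troubleshooter would write down. The following Python script is an added example, not code from the book or from Cisco; it embeds the group lines copied from Examples 6-48, 6-49 and 6-51 as its sample input, and the flag meanings come from the command's own legend.

```python
import re

# Flag legend as printed by "show etherchannel summary" (copied from the command output).
PORT_FLAGS = {
    "P": "bundled in port-channel",
    "I": "stand-alone",
    "s": "suspended",
    "H": "Hot-standby (LACP only)",
    "f": "failed to allocate aggregator",
    "u": "unsuitable for bundling",
    "w": "waiting to be aggregated",
    "d": "default port",
}
PO_FLAGS = {
    "D": "down",
    "U": "in use",
    "R": "Layer3",
    "S": "Layer2",
    "M": "not in use, minimum links not met",
}

# Group line, e.g. "1      Po1(RU)         LACP      Gi1/0/5(P)  Gi1/0/6(P)"
GROUP_RE = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
PORT_RE = re.compile(r"(\S+?)\(([A-Za-z])\)")


def parse_etherchannel_summary(text):
    """Return one dict per channel group found in the command output."""
    groups = []
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if not m:
            continue
        groups.append({
            "group": int(m.group(1)),
            "port_channel": m.group(2),
            "po_flags": m.group(3),
            "protocol": m.group(4),
            "ports": dict(PORT_RE.findall(m.group(5))),
        })
    return groups


def describe(flags, legend):
    """Expand a run of flag letters into the legend's wording."""
    return ", ".join(legend.get(f, "unknown flag " + f) for f in flags)


def diagnose(text, expect_layer3=True):
    """Return findings in the legend's terms; an empty list means the bundle looks healthy.

    A physical port is acceptable only as P (bundled) or H (LACP hot-standby);
    the port channel must be U (in use) and, when a Layer 3 bundle is expected, R.
    """
    findings = []
    for g in parse_etherchannel_summary(text):
        po, flags = g["port_channel"], g["po_flags"]
        if "U" not in flags:
            findings.append(f"{po}: not in use ({describe(flags, PO_FLAGS)})")
        if expect_layer3 and "R" not in flags:
            findings.append(f"{po}: expected Layer3 (R) but flags are {flags}")
        for port, flag in g["ports"].items():
            if flag not in ("P", "H"):
                findings.append(f"{port}: {describe(flag, PORT_FLAGS)}")
    return findings


# Group lines copied from Examples 6-48, 6-49 and 6-51 (legend omitted for brevity).
SW1_BEFORE = """Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(I)
"""
SW2_BEFORE = "1      Po1(RD)         LACP      Gi1/0/5(s)  Gi1/0/6(s)\n"
AFTER = "1      Po1(RU)         LACP      Gi1/0/5(P)  Gi1/0/6(P)\n"

if __name__ == "__main__":
    for name, output in (("SW1 before", SW1_BEFORE), ("SW2 before", SW2_BEFORE), ("after fix", AFTER)):
        print(name, "->", diagnose(output) or "bundle healthy")
```

Run against Example 6-48 the script reports the Layer 2, down port channel and both stand-alone ports; against Example 6-51 it reports nothing. Pass expect_layer3=False when the bundle being checked is meant to be a Layer 2 (SU) port channel.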

Exam Preparation Tasks

As mentioned in the section "How to Use This Book" in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, "Final Preparation," and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 6-3 lists a reference of these key topics and the page numbers on which each is found.

Table 6-3 Key Topics for Chapter 6

Key Topic Element   Description                                                        Page Number
Example 6-1         show run command output from R1                                    212
Example 6-2         show run command output from SW1                                   213
List                Describes issues that prevent inter-VLAN routing from              213
                    functioning with the router-on-a-stick approach
Example 6-17        SW1 SVI configuration                                              222
Example 6-18        Verifying the status of an SVI                                     223
List                Identifies the elements that must be true for an SVI to be up      224
Example 6-40        Configuration for routed ports on a Layer 3 switch                 234
Paragraph           Identifies how to verify whether the port is a Layer 2             236
                    switchport or a routed port
List                Describes the common Layer 3 EtherChannel troubleshooting targets  237
Table 6-2           Options for successfully forming an EtherChannel                   238

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary: Layer 3 switch, switched virtual interface (SVI), router-on-a-trunk/router-on-a-stick, routed port, Layer 3 EtherChannel

Complete Tables and Lists from Memory

Print a copy of Appendix C, "Memory Tables," (found on the disc), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, "Memory Tables Answer Key," also on the disc, includes completed tables and lists to check your work.

Show Command Reference to Check Your Memory

This section includes the show commands introduced in this chapter. It does not include the show commands that were used in this chapter but introduced in previous chapters. You will need to return to the previous chapters to review information relating to those show commands.

The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the show commands needed to successfully troubleshoot the topics presented in this chapter.

To test your memory of the commands, cover the right side of Table 6-4 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.

Table 6-4 show Commands Introduced in Chapter 6

Task                                                                  Command Syntax
Displays the VLANs that are associated with a router's                show vlans
subinterfaces, in addition to the trunk encapsulation method
used on the router's subinterfaces.
Displays the Layer 1 and Layer 2 status of an SVI on an MLS           show interfaces [vlan {vlan-id}]
along with the IP address, subnet mask, and MAC address
associated with it.
If IPv4 routing is enabled on a Layer 3 switch, it displays the       show ip route
contents of the IPv4 routing table.
Identifies if a switchport is operating as a Layer 2 switchport       show interfaces interface_type interface_number switchport
or a Layer 3 routed port.
Displays the status of port channels, in addition to the status       show etherchannel summary
of the ports within the port channel.

This chapter covers the following topics:

■ Troubleshooting Port Security: This section covers the various reasons why port security might not be performing as expected and how you can troubleshoot them.

■ Port Security Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.

■ Troubleshooting Spoof-Prevention Features: This section explains the purpose of DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard. In addition, you will learn what could cause these features not to perform as expected and how to troubleshoot them.

■ Spoof-Prevention Features Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.

■ Troubleshooting Layer 2 Access Control: This section examines how to troubleshoot misconfigurations related to protected ports, private VLANs, and VLAN Access Control Lists.

CHAPTER 7

Troubleshooting Switch Security Features

By default, switches are designed to provide connectivity. Therefore, out of the box, minimal security is applied. You can improve switch security by implementing features such as port security, DHCP snooping, dynamic Address Resolution Protocol (ARP) inspection, and IP Source Guard. In addition, by default, all traffic within a VLAN is free to flow between the switchports in the same VLAN. This might not be desired. Therefore, you can control the flow of traffic within the same VLAN with features such as protected ports, private VLANs, and VLAN access control lists (ACLs). However, with these added features come additional issues related to them that you will need to be able to troubleshoot. This chapter covers all these features and explores the various reasons why you may be experiencing issues and how you can troubleshoot them.

"Do I Know This Already?" Quiz

The "Do I Know This Already?" quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 7-1 lists the major headings in this chapter and their corresponding "Do I Know This Already?" quiz questions. You can find the answers in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes."

Table 7-1 "Do I Know This Already?" Section-to-Question Mapping

Foundation Topics Section                    Questions
Troubleshooting Port Security                1–3
Troubleshooting Spoof-Prevention Features    4–8
Troubleshooting Layer 2 Access Control       9–10

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which command enables you to verify the port status of a port security-enabled port?
   a. show port-security
   b. show port-security interface interface_type interface_number
   c. show port-security address
   d. show running-configuration

2. Which two of the following port security violation modes will generate a log message when a violation occurs?
   a. Protect
   b. Restrict
   c. Shutdown
   d. Disabled

3. Which two commands identify the ports that are in the err-disabled state if the err-disable recovery feature has not been enabled for port security?
   a. show running-configuration
   b. show interfaces
   c. show interfaces status
   d. show port-security address

4. What must be true for DHCP snooping to operate successfully? (Choose two.)
   a. It must be enabled globally.
   b. It must be enabled for specific VLANs.
   c. The ports going to the DHCP servers need to be configured as untrusted.
   d. The ports going to end stations must be configured as trusted.

5. Which command enables you to verify the IP address that has been given to each client from the DHCP server along with the interface they are connected to and the VLAN the interface is a member of?
   a. show ip dhcp snooping
   b. show ip dhcp snooping binding
   c. show ip dhcp snooping database
   d. show ip dhcp snooping statistics

6. What must be true for dynamic ARP inspection to operate successfully? (Choose two answers.)
   a. DHCP snooping must be enabled globally.
   b. DHCP snooping must be enabled for specific VLANs.
   c. IP ARP inspection must be enabled for specific VLANs.
   d. All interfaces, except for upstream interfaces, need to be configured as trusted interfaces.

7. How does IP Source Guard learn where valid source IPs are in the network?
   a. ARP cache
   b. MAC address table
   c. DHCP snooping database
   d. Routing table

8. Which command enables you to verify which interfaces have been configured with IP Source Guard?
   a. show ip arp
   b. show ip verify source
   c. show interfaces status
   d. show ip dhcp snooping binding

9. Which two of the following statements are true about PVLANs?
   a. Community ports cannot communicate with other community ports in the same community.
   b. Community ports can communicate with other community ports in a different community.
   c. Community ports cannot communicate with isolated ports and vice versa.
   d. Isolated ports cannot communicate with other isolated ports.

10. Which of the following has the ability to deny only FTP traffic between two devices in the same VLAN?
   a. IP Source Guard
   b. Protected ports
   c. Private VLANs
   d. VLAN ACL

Foundation Topics

Troubleshooting Port Security

The port security feature is designed to control a specific set/number of MAC addresses that will be learned on an interface. This helps to eliminate CAM table flooding attacks, where a malicious user attempts to overflow the CAM table by populating it with a large number of bogus MAC addresses. In addition, it ensures that only specific devices (based on MAC address) can connect to certain switchports. Therefore, port security is a must for all organizations to implement. However, as with all services and features, if something goes wrong, you will be troubleshooting. This section shows you how to identify and troubleshoot port security issues.

Common Port Security Issues

Usually, port security will perform as expected with minimal issues. If an attack occurs, port security kicks in, preventing access. If not, port security keeps waiting. Most issues arise from misconfigurations. The following is a listing of issues that may occur when working with port security:

■ Port security is configured but not enabled.
■ A static MAC address was not configured correctly.
■ The maximum number of MAC addresses has been reached.
■ Legitimate users are being blocked because of a violation.
■ Running configuration not saved to startup configuration.

Port Security Configured but Not Enabled

Example 7-1 provides a port security configuration on interface Fast Ethernet 0/1 of an access layer switch. Notice that all commands start with switchport port-security. However, if you fail to include the command switchport port-security (which is highlighted), port security is not enabled on the interface regardless of the rest of the configuration specified.

Example 7-1 Sample Port Security Configuration

SW1#show running-config interface fastEthernet 0/1
Building configuration...

Current configuration : 456 bytes
!
interface FastEthernet0/1
 switchport access vlan 10

 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d6

Use the commands show port-security and show port-security interface interface_type interface_number to verify whether port security is enabled on an interface, as shown in Example 7-2. In this case, Fast Ethernet 0/1 is enabled for port security.

Example 7-2 Verifying Port Security Is Enabled on an Interface

SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192

SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0800.275d.06d6:10
Security Violation Count   : 0

Static MAC Address Not Configured Correctly

If you have implemented port security by defining MAC addresses statically, it is imperative that they are accurate. If a user complains that he cannot access the network after receiving a new computer and your network relies on static port security addresses, you more than likely forgot to change the port security static MAC address. Example 7-3 identifies the static MAC address configuration for 0800.275d.06d6.

Example 7-3 Sample Static MAC Address Port Security Configuration

SW1#show running-config interface fastEthernet 0/1
Building configuration...

Current configuration : 456 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d6

Using the show port-security address command reveals the static MAC address configured for the interfaces, as shown in Example 7-4. In this example, the MAC address 0800.275d.06d6 is a statically configured (SecureConfigured) port security MAC address for Fa0/1 and VLAN 10. The show port-security address command will also identify the dynamically learned port security MAC addresses and the sticky secure MAC addresses. You need to compare this to the MAC address of the PC connected to the port with the ipconfig /all command, as shown in Example 7-5. (This is where accurate documentation is helpful.)

Example 7-4 Verifying Static Addresses Associated with Interfaces

SW1#show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0050.b607.657a    SecureSticky                  Fa0/1        -
  10    0800.275d.06d6    SecureConfigured              Fa0/1        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192

Example 7-5 Verifying MAC Address of PC

PC1#ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : pc1
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Broadcast

   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter PC1 Lab:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
   Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
   Dhcp Enabled. . . . . . . . . . . : No
...output omitted...

Maximum Number of MAC Addresses Reached

By default, when port security is enabled, only one MAC address will be allowed. Therefore, if you need more than one MAC address, you have to specify the number with the switchport port-security maximum number command, as shown in Example 7-6. In this case, the maximum number was set to 2 so that two devices could communicate through the interface.

Example 7-6 Identifying the Maximum Number of MAC Addresses Allowed

SW1#show running-config interface fastEthernet 0/1
Building configuration...

Current configuration : 456 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d6

You can verify the maximum number of MAC addresses allowed on an interface with the show port-security and show port-security interface interface_type interface_number commands. As shown in Example 7-7, two MACs are allowed, and two have been learned.

Example 7-7 Identifying the Maximum Number of MAC Addresses Allowed

SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  0         Restrict
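Comparing the static entry in show port-security address with the PC's Physical Address from ipconfig /all is error-prone by eye because the switch prints 0800.275d.06d6 while Windows prints 08-00-27-5D-06-D6. The following Python script is an added example, not code from the book or from Cisco: it normalises both spellings, reads the secure address table from Example 7-4 and the Physical Address from Example 7-5, and reports whether the PC on a given port is covered by a secure entry and of which type. The second ipconfig excerpt, with MAC 08-00-27-AA-BB-CC standing in for a replacement PC, is constructed for the example.

```python
import re

# Row of "show port-security address", e.g.
# "  10    0800.275d.06d6    SecureConfigured              Fa0/1        -"
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\S+)\s+(\S+)"
)
# "Physical Address. . . . . . . . . : 08-00-27-5D-06-D6" as printed by ipconfig /all
PHYS_RE = re.compile(r"Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})")


def normalize_mac(mac):
    """Canonicalise any common MAC spelling to Cisco dotted form, e.g. 0800.275d.06d6."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_secure_address_table(text):
    """Return the rows of show port-security address as dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"vlan": int(m.group(1)), "mac": normalize_mac(m.group(2)),
                         "type": m.group(3), "port": m.group(4)})
    return rows


def pc_mac_from_ipconfig(text):
    """Extract the adapter MAC from ipconfig /all output."""
    m = PHYS_RE.search(text)
    if not m:
        raise ValueError("no Physical Address line found")
    return normalize_mac(m.group(1))


def check_pc_against_port(table_text, ipconfig_text, port):
    """Report whether the PC's MAC is a secure address on the given port, and its type."""
    mac = pc_mac_from_ipconfig(ipconfig_text)
    for row in parse_secure_address_table(table_text):
        if row["port"] == port and row["mac"] == mac:
            return {"mac": mac, "status": "secure", "type": row["type"]}
    # No entry: with a static configuration this is the forgotten-update case from the text.
    return {"mac": mac, "status": "missing", "type": None}


# Copied from Example 7-4.
SECURE_TABLE = """\
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0050.b607.657a    SecureSticky                  Fa0/1        -
  10    0800.275d.06d6    SecureConfigured              Fa0/1        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
"""
# Copied from Example 7-5.
IPCONFIG_PC1 = """\
   Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
   Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
   Dhcp Enabled. . . . . . . . . . . : No
"""
# Constructed: a replacement PC whose MAC was never added to the static configuration.
IPCONFIG_NEW_PC = "   Physical Address. . . . . . . . . : 08-00-27-AA-BB-CC\n"

if __name__ == "__main__":
    print(check_pc_against_port(SECURE_TABLE, IPCONFIG_PC1, "Fa0/1"))
    print(check_pc_against_port(SECURE_TABLE, IPCONFIG_NEW_PC, "Fa0/1"))
```

The first call returns the SecureConfigured entry for PC1; the second returns status "missing", which is exactly the symptom of a static MAC address that was not updated after a computer swap.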

---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192

SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0800.275d.06d6:10
Security Violation Count   : 0

Legitimate Users Being Blocked Because of Violation

You need to make sure that you have the correct number of MAC addresses specified. If the number is not correct, a violation will occur if more than the specified number of MAC addresses are seen on the port. The violation will occur regardless of the additional MAC addresses being accidental or malicious. Three different violations exist:

■ Protect: Any frame from the MAC addresses in violation is dropped without a notification, and the violation count is not incremented.
■ Restrict: Any frame from the MAC addresses in violation is dropped, and log messages are generated.
■ Shutdown: When a violation occurs, the port is placed in the err-disabled state, log messages will be generated, and any frame from any MAC address will be dropped.

Tip You can remember that these get more severe in alphabetic order (P/R/S) (drop/drop&alert/shutdown&alert).

You can verify whether there is a violation by using the show port-security and show port-security interface interface_type interface_number commands, as shown in Example 7-8. In this case, there is currently no violation; if there were, the security violation count would increment, and because the violation mode is Restrict, log messages are generated. In addition, any frame from the MAC addresses in violation is dropped.

Example 7-8 Identifying Security Violations

SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192

SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0800.275d.06d6:10
Security Violation Count   : 0

If the violation mode is set to shutdown, and a violation occurs, the port status is Secure-shutdown and the port is placed in the err-disable state, as shown in Example 7-9 and as displayed in the following syslog messages:

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.27a2.ce47 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

Example 7-9 Example Port That Has Been Shut Down and Placed in the Err-Disable State

SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute

SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0800.27a2.ce47:10
Security Violation Count   : 1

To verify ports that are in the err-disabled state, use the command show interfaces status, as shown in Example 7-10. As you can see, Fa0/1 is in the err-disabled state. You can also use the show interface interface_type interface_number command. However, it does not tell you what caused the err-disabled state. Example 7-11 displays all the different services that can cause a port to go into the err-disabled state. Notice that they are all enabled by default and that port security is one of them (psecure-violation).

Example 7-10 Identifying Ports in the Err-Disabled State

SW1#show interfaces status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        err-disabled 10           auto   auto 10/100BaseTX
Fa0/2                        connected    10         a-full  a-100 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/4                        notconnect   1            auto   auto 10/100BaseTX
Fa0/5                        notconnect   1            auto   auto 10/100BaseTX
Fa0/6                        notconnect   1            auto   auto 10/100BaseTX
...output omitted...

SW1#show interfaces fastEthernet 0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 081f.f34e.b801 (bia 081f.f34e.b801)
...output omitted...

Example 7-11 Identifying Which Services Are Enabled for Err-Disable

SW1#show errdisable detect
ErrDisable Reason            Detection Mode
-----------------            --------------
arp-inspection               Enabled port
bpduguard                    Enabled port
channel-misconfig (STP)      Enabled port
community-limit              Enabled port
dhcp-rate-limit              Enabled port
dtp-flap                     Enabled port
gbic-invalid                 Enabled port
iif-reg-failure              Enabled port
inline-power                 Enabled port
invalid-policy               Enabled port

link-flap                    Enabled port
loopback                     Enabled port
lsgroup                      Enabled port
mac-limit                    Enabled port
pagp-flap                    Enabled port
port-mode-failure            Enabled port
pppoe-ia-rate-limit          Enabled port
psecure-violation            Enabled port/vlan
security-violation           Enabled port
sfp-config-mismatch          Enabled port
sgacl_limitation             Enabled port
small-frame                  Enabled port
storm-control                Enabled port
udld                         Enabled port
vmps                         Enabled port
psp                          Enabled port

The best way to determine why a port is in the err-disabled state is to review syslog messages. They are listed as severity level 4, and the mnemonic is ERR_DISABLE. In this case, the message text clearly states it was caused by a port security violation. Make sure that logging to the console or terminal lines is enabled, and do not forget about the terminal monitor command if you are using Telnet or Secure Shell (SSH).

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state

Tip If for some reason you do not have access to the syslog messages, bounce (shut/no shut) the interface that is err-disabled. By doing so, after the interface is enabled, the error will be detected again, which will generate a syslog message. This process is shown in Example 7-12, and you can see that the port was err-disabled due to a port security violation.

Example 7-12 Bouncing the Interface to Determine Why It Is Err-Disabled

SW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface fastEthernet 0/1
SW1(config-if)#shut
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
SW1(config-if)#no shut
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
SW1(config-if)#
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.27a2.ce47 on port FastEthernet0/1.
SW1(config-if)#
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
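Because the syslog messages carry the err-disable cause and, for port security, the offending MAC address, a collector can correlate them per interface instead of leaving an operator to read the console. The following Python script is an added example, not code from the book or from Cisco: it parses the generic %FACILITY-SEVERITY-MNEMONIC header, pulls the cause out of PM-4-ERR_DISABLE and the MAC and port out of PORT_SECURITY-2-PSECURE_VIOLATION, and joins them on the short interface name. The sample lines are the messages shown above; the "*Mar  1 ..." timestamp prefixes are constructed to show that the parser tolerates them.

```python
import re

# Generic IOS syslog header: %FACILITY-SEVERITY-MNEMONIC: message text
HEADER_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)")
# "psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state"
ERRDISABLE_RE = re.compile(r"(\S+) error detected on (\S+), putting (\S+) in err-disable state")
# "Security violation occurred, caused by MAC address 0800.27a2.ce47 on port FastEthernet0/1."
PSECURE_RE = re.compile(r"caused by MAC address ([0-9a-f.]+) on port ([A-Za-z-]+[\d/]+)")


def short_name(interface):
    """FastEthernet0/1 -> Fa0/1, GigabitEthernet1/0/5 -> Gi1/0/5 (the form PM uses)."""
    m = re.match(r"^([A-Za-z-]+?)(\d.*)$", interface)
    return interface if not m else m.group(1)[:2] + m.group(2)


def parse_syslog_line(line):
    """Return the header fields of one syslog line plus cause/MAC fields where present."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    facility, severity, mnemonic, text = m.groups()
    event = {"facility": facility, "severity": int(severity),
             "mnemonic": mnemonic, "text": text}
    if facility == "PM" and mnemonic == "ERR_DISABLE":
        cause, iface, _ = ERRDISABLE_RE.search(text).groups()
        event.update(cause=cause, interface=iface)
    elif facility == "PORT_SECURITY" and mnemonic == "PSECURE_VIOLATION":
        mac, iface = PSECURE_RE.search(text).groups()
        event.update(mac=mac, interface=short_name(iface))
    return event


def errdisable_report(lines):
    """Map each err-disabled interface to its cause and, for port security, the violating MAC."""
    report = {}
    for line in lines:
        ev = parse_syslog_line(line)
        if ev is None:
            continue
        if ev["mnemonic"] == "ERR_DISABLE":
            report.setdefault(ev["interface"], {})["cause"] = ev["cause"]
        elif ev["mnemonic"] == "PSECURE_VIOLATION":
            report.setdefault(ev["interface"], {})["violating_mac"] = ev["mac"]
    return report


# Messages copied from the text above; the timestamp prefixes are constructed.
SAMPLE_LOG = [
    "*Mar  1 00:12:34.101: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state",
    "*Mar  1 00:12:34.102: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.27a2.ce47 on port FastEthernet0/1.",
    "*Mar  1 00:12:35.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "*Mar  1 00:12:36.104: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
]

if __name__ == "__main__":
    for iface, info in errdisable_report(SAMPLE_LOG).items():
        print(iface, info)
```

The report is keyed by the short interface name so that the PM message (Fa0/1) and the PORT_SECURITY message (FastEthernet0/1) land on the same entry; the LINK and LINEPROTO lines are parsed but carry no cause and are ignored by the report.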

If you are relying on the err-disable recovery feature to enable interfaces once the violation is no longer detected, you can verify the status of the feature with the show errdisable recovery command, as shown in Example 7-13. Notice that the err-disable recovery feature is disabled by default for all the different services and features. Therefore, if you need to use it, it has to be manually enabled by you.

Example 7-13 Verifying the Err-Disable Recovery Feature

SW1#show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
link-flap                    Disabled
mac-limit                    Disabled
loopback                     Disabled
pagp-flap                    Disabled
port-mode-failure            Disabled
pppoe-ia-rate-limit          Disabled
psecure-violation            Disabled
security-violation           Disabled
sfp-config-mismatch          Disabled
small-frame                  Disabled
storm-control                Disabled
udld                         Disabled
vmps                         Disabled
psp                          Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

To enable err-disable recovery for a specific feature or service, issue the errdisable recovery cause service/feature global configuration command, as shown in Example 7-14. This example displays all the different options available on a Catalyst 2960 switch.

Example 7-14 Enabling the Err-Disable Recovery Feature

SW1(config)#errdisable recovery cause ?
  all                  Enable timer to recover from all error causes
  arp-inspection       Enable timer to recover from arp inspection error disable state
  bpduguard            Enable timer to recover from BPDU Guard error

  channel-misconfig (STP)  Enable timer to recover from channel misconfig error
  dhcp-rate-limit      Enable timer to recover from dhcp-rate-limit error
  dtp-flap             Enable timer to recover from dtp-flap error
  gbic-invalid         Enable timer to recover from invalid GBIC error
  inline-power         Enable timer to recover from inline-power error
  link-flap            Enable timer to recover from link-flap error
  loopback             Enable timer to recover from loopback error
  mac-limit            Enable timer to recover from mac limit disable state
  pagp-flap            Enable timer to recover from pagp-flap error
  port-mode-failure    Enable timer to recover from port mode change failure
  pppoe-ia-rate-limit  Enable timer to recover from PPPoE IA rate-limit error
  psecure-violation    Enable timer to recover from psecure violation error
  psp                  Enable timer to recover from psp
  security-violation   Enable timer to recover from 802.1x violation error
  sfp-config-mismatch  Enable timer to recover from SFP config mismatch error
  small-frame          Enable timer to recover from small frame error
  storm-control        Enable timer to recover from storm-control error
  udld                 Enable timer to recover from udld error
  vmps                 Enable timer to recover from vmps shutdown error

When using the err-disable recovery feature, you have an extra piece of information you can use. At the bottom of the show errdisable recovery output, information identifies what interface is err-disabled and why. It also indicates how much time is left until the port is automatically enabled. If the violation still exists at that point, it will be err-disabled again. This makes it easier for you to troubleshoot what caused the port to be err-disabled. Suppose, for instance, that you enable it for port security, as shown in Example 7-15.

Example 7-15 Verifying the Err-Disable Reason

SW1#show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
link-flap                    Disabled
mac-limit                    Disabled
loopback                     Disabled
pagp-flap                    Disabled

port-mode-failure            Disabled
pppoe-ia-rate-limit          Disabled
psecure-violation            Enabled
security-violation           Disabled
sfp-config-mismatch          Disabled
small-frame                  Disabled
storm-control                Disabled
udld                         Disabled
vmps                         Disabled
psp                          Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
---------      -----------------      --------------
Fa0/1          psecure-violation      85

Running Configuration Not Saved to Startup Configuration

This is pretty obvious: If you fail to save the running configuration to the NVRAM, the port security configuration will no longer be available when the switch reboots. However, many administrators who use the port security sticky feature forget about saving the configuration when a new PC is added. The sticky feature allows the switch to dynamically learn MAC addresses and then place the MAC address in the configuration just like they had been statically configured. You now need to save the configuration; otherwise, the sticky-learned MAC address will not be in the configuration if the switch reboots. Example 7-16 displays the port security sticky configuration on a switch. Notice how the sticky feature was enabled with the switchport port-security mac-address sticky command. Once the MAC address 0050.b607.657a was learned by the switch on interface Fast Ethernet 0/1, the switch placed it in the configuration with the switchport port-security mac-address sticky 0050.b607.657a command.

Example 7-16 Port Security Sticky Configuration

SW1#show running-config interface fastEthernet 0/1
Building configuration...

Current configuration : 456 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security

 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d6

Port Security Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 7-1.

Figure 7-1 Port Security Trouble Ticket Topology (PC1 on Fa0/1 and PC2 on Fa0/2 of SW1, both in VLAN 10; uplink Gi0/1)

Trouble Ticket 7-1

Problem: It is Monday morning, and the user on PC1 has called you indicating that she is not able to access any network resources. You ask her when the last time it was that she was able to access resources. She indicates that it was 2 weeks ago, before she went on vacation. This leads you to examine the change control documentation to determine whether any configuration changes were done in the past 2 weeks. You notice that port security was added to all access ports on SW1. Therefore, you decide to start your troubleshooting process by examining the port security configuration on SW1. According to documentation, PC1 is connected to Fa0/1. You issue the command show port-security, as shown in Example 7-17, and notice that Fa0/1 is enabled for port security and that there is a security violation count of 1.

Example 7-17 Verifying Port Security on Fa0/1

SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  1         Shutdown
      Fa0/2              2            2                  0         Shutdown

      Fa0/3              2            0                  0         Shutdown
      Fa0/4              2            0                  0         Shutdown
      Fa0/5              2            0                  0         Shutdown
      Fa0/6              2            0                  0         Shutdown
      Fa0/7              2            0                  0         Shutdown
      Fa0/8              2            0                  0         Shutdown
      Fa0/9              2            0                  0         Shutdown
     Fa0/10              2            0                  0         Shutdown
     Fa0/11              2            0                  0         Shutdown
     Fa0/12              2            0                  0         Shutdown
     Fa0/13              2            0                  0         Shutdown
     Fa0/14              2            0                  0         Shutdown
     Fa0/15              2            0                  0         Shutdown
     Fa0/16              2            0                  0         Shutdown
     Fa0/17              2            0                  0         Shutdown
     Fa0/18              2            0                  0         Shutdown
     Fa0/19              2            0                  0         Shutdown
     Fa0/20              2            0                  0         Shutdown
     Fa0/21              2            0                  0         Shutdown
     Fa0/22              2            0                  0         Shutdown
     Fa0/23              2            0                  0         Shutdown
     Fa0/24              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 8192

To verify the status of port security for Fa0/1, you issue the command show port-security interface fastEthernet 0/1, as shown in Example 7-18. Port security is enabled, but it is in the Secure-shutdown state. The last MAC address that was received on the interface was 0800.275d.06d6 for VLAN 10.

Example 7-18 Verifying Port Security Status on Fa0/1

SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0800.275d.06d6:10
Security Violation Count   : 1

Next you issue the show run interface fa0/1 command to verify the port security configuration on Fa0/1, as shown in Example 7-19. As shown in Example 7-19, the maximum MAC addresses is set to 2, it has been enabled, and there are 2 MAC addresses configured (one for the phone and one for PC1).

Example 7-19 Verifying Port Security Configuration on Fa0/1

SW1#show run interface fa0/1
Building configuration...

Current configuration : 352 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d7
 no lldp transmit
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
end

You decide to confirm the MAC addresses of the IP Phone and PC1. Starting with the PC, you issue the ipconfig /all command, as shown in Example 7-20. The MAC address of PC1 is 08-00-27-5D-06-D6, which happens to be the same MAC address that caused the violation shown in Example 7-18. Comparing the MAC address of PC1 to the addresses statically configured on Fa0/1 confirms that PC1's MAC address is not one of the addresses configured.

Example 7-20 Reviewing the MAC Address on PC1

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : pc1
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter PC1 Lab:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter

   Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.180.166
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
...output omitted...

After confirming that the IP Phone's MAC address is 0050.b607.657a, you conclude that the command switchport port-security mac-address 0050.b607.657a is correct but that the command switchport port-security mac-address 0800.275d.06d7 is not correct. It appears that the static MAC address was misconfigured with a 7 at the end rather than a 6. You proceed to remove the incorrect static MAC address with the no switchport port-security mac-address 0800.275d.06d7 command and replace it with the MAC address of PC1. Example 7-21 provides the configuration that is needed to solve the issue.

Example 7-21 Solving the Issue by Configuring the Correct Static MAC Address

SW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface fastEthernet 0/1
SW1(config-if)#no switchport port-security mac-address 0800.275d.06d7
SW1(config-if)#switchport port-security mac-address 0800.275d.06d6

You confirm the port is still in the err-disabled state with the show interfaces status command. The output shown in Example 7-22 confirms it is.

Example 7-22 Confirming Fa0/1 Is in the Err-Disabled State

SW1#show interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        err-disabled 10           auto   auto 10/100BaseTX
Fa0/2                        connected    10         a-full  a-100 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/4                        notconnect   1            auto   auto 10/100BaseTX
...output omitted...

To recover from the err-disabled state, you bounce the interface by issuing the shutdown and then no shutdown commands. The interface successfully goes up/up, and you receive the following syslog messages:

%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

You confirm the problem is solved by accessing PC1 and pinging the default gateway at 10.1.1.1, as shown in Example 7-23. It is successful. The issue has been solved.
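Trouble Ticket 7-1 was solved by spotting a single wrong hex digit by eye, and the "Running Configuration Not Saved" section warns about sticky addresses that never reach NVRAM. The following Python script is an added example (not from the book) that makes both checks mechanical: it normalises Windows, colon and Cisco dotted MAC notation, compares the violating address from show port-security interface against the secure MACs in the running configuration, and lists sticky addresses missing from the startup configuration. All sample output is constructed from Examples 7-16, 7-18 and 7-19; the sticky MAC 0050.b607.1234 on Fa0/2 is made up.

```python
import re

# Constructed from Example 7-18 (the line that records the violating MAC).
SHOW_PORT_SECURITY_FA01 = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 2
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0800.275d.06d6:10
Security Violation Count   : 1
"""

# Constructed running-config: Fa0/1 as in Example 7-19 (with the typo) plus an
# Fa0/2 that sticky-learned a made-up MAC, in the style of Example 7-16.
RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d7
interface FastEthernet0/2
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.b607.1234
"""
# Constructed startup-config: saved before Fa0/2 learned its sticky address.
STARTUP_CONFIG = RUNNING_CONFIG.replace(
    " switchport port-security mac-address sticky 0050.b607.1234\n", "")

HEX12 = re.compile(r"^[0-9a-f]{12}$")
SECURE_MAC = re.compile(
    r"^\s*switchport port-security mac-address (sticky )?([0-9a-fA-F.:-]+)$")


def normalize_mac(text):
    """0800.275d.06d7, 08-00-27-5D-06-D6 or 08:00:27:5d:06:d6 -> 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", text.strip()).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def secure_macs(config):
    """Per interface, map each configured secure MAC to 'static' or 'sticky'."""
    result, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^interface (\S+)", line)
        if head:
            current = head.group(1)
            result[current] = {}
            continue
        m = SECURE_MAC.match(line)          # the bare 'sticky' line has no MAC and is skipped
        if m and current:
            result[current][normalize_mac(m.group(2))] = "sticky" if m.group(1) else "static"
    return result


def last_source(show_output):
    """(mac, vlan) from the 'Last Source Address:Vlan' line of show port-security interface."""
    m = re.search(r"Last Source Address:Vlan\s*:\s*(\S+):(\d+)", show_output)
    return (normalize_mac(m.group(1)), int(m.group(2))) if m else None


def hex_distance(a, b):
    return sum(x != y for x, y in zip(a, b))


def diagnose(interface, show_output, running_config):
    """Compare the violating MAC with the configured ones; a distance of 1 hints at a typo."""
    offender, vlan = last_source(show_output)
    configured = list(secure_macs(running_config).get(interface, {}))
    return {"interface": interface, "offender": offender, "vlan": vlan,
            "configured": configured, "allowed": offender in configured,
            "likely_typos": [m for m in configured if hex_distance(m, offender) == 1]}


def unsaved_sticky_macs(running, startup):
    """Sticky MACs present in running-config that a reload would lose."""
    saved = secure_macs(startup)
    missing = {}
    for intf, macs in secure_macs(running).items():
        lost = [m for m, kind in macs.items() if kind == "sticky" and m not in saved.get(intf, {})]
        if lost:
            missing[intf] = lost
    return missing


if __name__ == "__main__":
    print(diagnose("FastEthernet0/1", SHOW_PORT_SECURITY_FA01, RUNNING_CONFIG))
    print(unsaved_sticky_macs(RUNNING_CONFIG, STARTUP_CONFIG))
```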

Example 7-23 Successful Ping from PC1 to Default Gateway

C:\>ping 10.1.1.1

Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Troubleshooting Spoof-Prevention Features

Features such as DHCP snooping, dynamic ARP inspection, and IP Source Guard are designed to protect your network from spoofing attacks against the Dynamic Host Configuration Protocol (DHCP) service, ARP, and IP addressing. This section explains what you should look for while troubleshooting these three security features.

DHCP Snooping

To prevent rogue DHCP servers from handing out IP addresses in your network, you can implement DHCP snooping. With DHCP snooping, you can define which interfaces will accept all DHCP messages and which interfaces will accept only Discover and Request DHCP messages. DHCP snooping also creates a binding table that keeps track of which devices are connected to which interfaces based on the IP addresses that were handed out by the DHCP server. This comes in handy with DAI and IP Source Guard, as you will see later.

What is required for DHCP snooping to operate successfully? Let's make a list:

■ DHCP snooping is enabled globally with the ip dhcp snooping command.
■ DHCP snooping is enabled for specific VLANs with the ip dhcp snooping vlan command.
■ Interfaces that need to accept all DHCP message types are configured as trusted with the ip dhcp snooping trust command.
■ All other interfaces need to be untrusted, which is the default.
■ If the DHCP server does not support option 82, it needs to be disabled on the switch with the no ip dhcp snooping information option command.

Take a moment to examine Example 7-24, which displays a sample DHCP snooping configuration.

Example 7-24 Sample DHCP Snooping Configuration

SW1#show run
...output omitted...
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping
...output omitted...
interface GigabitEthernet0/1
 ip dhcp snooping trust
interface GigabitEthernet0/2
 ip dhcp snooping trust
...output omitted...

To verify DHCP snooping, use the show ip dhcp snooping command, as shown in Example 7-25. You can verify whether it is enabled globally with the line that states Switch DHCP snooping is enabled. You can verify which VLANs are enabled and operational for DHCP snooping. In this case, it is only VLAN 10. You can verify whether option 82 is enabled or disabled. Finally, you can verify which interfaces are trusted, which interfaces are untrusted, and which interfaces have a DHCP rate limit applied. In this case, Gigabit Ethernet 0/1 and 0/2 are trusted interfaces, and all other interfaces that are not listed are automatically untrusted.

Example 7-25 Verifying DHCP Snooping

SW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 081f.f34e.b800 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet0/2         yes        yes             unlimited
  Custom circuit-ids:

To verify the bindings in the DHCP snooping database, issue the show ip dhcp snooping binding command, as shown in Example 7-26. In this example, the PC with the MAC address 08:00:27:5D:06:D6 is located out Fast Ethernet 0/1, which is part of VLAN 10, and has been assigned the IP address 10.1.1.10 from a DHCP server.

Example 7-26 Verifying DHCP Snooping Bindings

SW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
08:00:27:5D:06:D6   10.1.1.10        67720       dhcp-snooping  10    FastEthernet0/1
Total number of bindings: 1

Dynamic ARP Inspection

Dynamic ARP inspection (DAI) is used to prevent ARP spoofing attacks. It relies on DHCP snooping and the binding table that is created by it. This is because DAI relies on the DHCP snooping binding table to identify appropriate IP address to MAC address bindings. Because of this, you need to be able to troubleshoot DHCP snooping issues when dealing with DAI issues. In addition, you have to be able to troubleshoot the commands related to DAI. For DAI to function, it needs to be enabled per VLAN with the ip arp inspection vlan command. In addition, interfaces where DAI should not be performed (where there are no DHCP snooping bindings) need to be configured as trusted interfaces with the ip arp inspection trust command. Refer to Example 7-27.

Example 7-27 Sample DAI Configuration

SW1#show run
...output omitted...
ip dhcp snooping vlan 10
ip arp inspection vlan 10
no ip dhcp snooping information option
ip dhcp snooping
...output omitted...
interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust
interface GigabitEthernet0/2
 ip dhcp snooping trust
 ip arp inspection trust
...output omitted...

When DAI detects an invalid ARP request or response on an untrusted interface, it will generate syslog messages with a severity level of 4 with the mnemonic of DHCP_SNOOPING_DENY. In these syslog messages

a device with the IP address 10.1.1.10 and a MAC of 0050.b607.657a is being denied because its ARPs are invalid since the addresses do not match the addresses in the binding table.

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/1, vlan 10.([0050.b607.657a/10.1.1.10/2893.fe3a.e345/10.1.1.1/18:42:55 UTC Mon Mar 1 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 10.([0050.b607.657a/10.1.1.10/2893.fe3a.e345/10.1.1.1/18:43:15 UTC Mon Mar 1 1993])

IP Source Guard

IP Source Guard is used to prevent IP address spoofing. It relies on DHCP snooping and the binding table that is created by it. Because of this, you need to be able to troubleshoot DHCP snooping issues when dealing with IP Source Guard issues. In addition, you have to be able to identify issues related to IP Source Guard configurations. Notice in Example 7-28 that the same DHCP snooping configuration example is listed; however, on interface Fast Ethernet 0/1 (which connects to an end station), the ip verify source command has been added. This enables IP Source Guard on the interface.

Example 7-28 Sample IP Source Guard Configuration

SW1#show run
...output omitted...
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping
...output omitted...
interface FastEthernet0/1
 ip verify source
interface GigabitEthernet0/1
 ip dhcp snooping trust
interface GigabitEthernet0/2
 ip dhcp snooping trust
...output omitted...

You can verify which interfaces have IP Source Guard enabled with the show ip verify source command, as shown in Example 7-29. In this case, Fa0/1 on SW1 has been enabled with IP Source Guard, and the packets with the source IP address 10.1.1.10 are the only ones allowed inbound on interface Fa0/1. Notice how the Mac-address column is blank and the Filter-type is IP. With the ip verify source command, you are filtering based on IP address only. If you want to include the MAC address with the IP address when verifying the source of packets, you issue the ip verify source port-security command. In Example 7-30, you can see that the MAC address is included now and the filter type is ip-mac.

Example 7-29 Verifying IP Source Guard (only IP)

SW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/1      ip           active       10.1.1.10                           10

Example 7-30 Verifying IP Source Guard (IP and MAC)

SW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/1      ip-mac       active       10.1.1.10        08:00:27:5D:06:D6  10

If you are using the ip-mac filter type, you need to have port security enabled on the interface, because the secure MAC addresses are used. If port security is not enabled, the specific MAC address will not be learned, and all MAC addresses will be permitted as a result, as shown in Example 7-31.

Example 7-31 IP MAC Filtering Without Port Security Enabled on Interface

SW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/1      ip-mac       active       10.1.1.10        08:00:27:5D:06:D6  10
Fa0/2      ip-mac       active       10.1.1.20        permit-all         10

Also, remember that IP Source Guard relies on DHCP snooping. Therefore, if there is no binding in the DHCP snooping database for the port, all traffic will be blocked for all IPs, as shown in Example 7-32. In this example, there is no DHCP snooping binding for Fa0/2 because it has a static IP configured. However, IP Source Guard is enabled on the interface. Because IP Source Guard relies on DHCP snooping and there is no binding in the table, all ingress traffic on Fa0/2 will be denied.

Example 7-32 Fa0/2 Sourced Traffic Denied Because There Is No Binding

SW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/1      ip-mac       active       10.1.1.10        08:00:27:5D:06:D6  10
Fa0/2      ip-mac       active       deny-all         permit-all         10
SW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
08:00:27:5D:06:D6   10.1.1.10        70453       dhcp-snooping  10    FastEthernet0/1
Total number of bindings: 1
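Both the DAI syslog messages and the IP Source Guard states above are judged against the same DHCP snooping binding table, so one added Python example (not from the book) serves both passages: it parses the DHCP_SNOOPING_DENY lines and says why each ARP was dropped relative to the binding table, counts denies per port for alerting, and audits show ip verify source for the deny-all and permit-all conditions. The syslog lines and binding row are copied from the text; the four-port show ip verify source table is constructed.

```python
import re
from collections import Counter

# Constructed samples in the formats shown in this section.
DAI_SYSLOG = """\
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/1, vlan 10.([0050.b607.657a/10.1.1.10/2893.fe3a.e345/10.1.1.1/18:42:55 UTC Mon Mar 1 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 10.([0050.b607.657a/10.1.1.10/2893.fe3a.e345/10.1.1.1/18:43:15 UTC Mon Mar 1 1993])
"""
BINDING_TABLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
08:00:27:5D:06:D6   10.1.1.10        70453       dhcp-snooping  10    FastEthernet0/1
Total number of bindings: 1
"""
# Fa0/2 is a static-IP host with no binding; Fa0/3 runs ip-mac without port security.
SHOW_IP_VERIFY_SOURCE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/1      ip-mac       active       10.1.1.10        08:00:27:5D:06:D6  10
Fa0/2      ip-mac       active       deny-all         permit-all         10
Fa0/3      ip-mac       active       10.1.1.30        permit-all         10
Fa0/4      ip           active       10.1.1.40                           10
"""

DAI_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) "
    r"on (?P<intf>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/(?P<ts>[^\]]+)\]\)")
BINDING_RE = re.compile(r"^([0-9A-Fa-f:]{17})\s+([\d.]+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)")


def mac_key(text):
    """0050.b607.657a or 08:00:27:5D:06:D6 -> 12 lowercase hex digits."""
    return re.sub(r"[.:-]", "", text).lower()


def short_name(intf):
    """Syslog says Fa0/1; the binding table says FastEthernet0/1."""
    return intf.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")


def parse_dai_syslog(text):
    """One dict per DHCP_SNOOPING_DENY line: sender/target MAC and IP, port, VLAN, count."""
    events = []
    for m in (DAI_RE.search(line) for line in text.splitlines()):
        if m:
            e = m.groupdict()
            e["count"], e["vlan"] = int(e["count"]), int(e["vlan"])
            e["smac"], e["tmac"] = mac_key(e["smac"]), mac_key(e["tmac"])
            events.append(e)
    return events


def parse_bindings(text):
    rows = []
    for m in (BINDING_RE.match(line) for line in text.splitlines()):
        if m:
            mac, ip, lease, kind, vlan, intf = m.groups()
            rows.append({"mac": mac_key(mac), "ip": ip, "lease": int(lease),
                         "type": kind, "vlan": int(vlan), "intf": short_name(intf)})
    return rows


def explain_dai_deny(event, bindings):
    """Why the ARP was dropped, judged against the snooping binding table."""
    port, vlan = short_name(event["intf"]), event["vlan"]
    bound = next((b for b in bindings if b["intf"] == port and b["vlan"] == vlan
                  and b["ip"] == event["sip"]), None)
    if bound is None:
        return f"no binding for {event['sip']} on {port} vlan {vlan}: static IP or expired lease"
    if bound["mac"] != event["smac"]:
        return (f"{event['sip']} is bound to {bound['mac']} on {port} but the ARP claims "
                f"{event['smac']}: spoofed, or a second host behind the port")
    return "sender matches its binding: dropped by a DAI check other than the binding lookup"


def denies_per_port(events):
    """Aggregate invalid-ARP counts per port, the number an alert threshold would watch."""
    counts = Counter()
    for e in events:
        counts[short_name(e["intf"])] += e["count"]
    return dict(counts)


def audit_ip_source_guard(output, bindings):
    """Flag the two IPSG failure modes: deny-all (no binding) and permit-all MAC (no port security)."""
    bound_ports = {b["intf"] for b in bindings}
    findings = []
    for line in output.splitlines():
        t = line.split()
        if not t or t[0] in ("Interface", "---------"):
            continue
        if len(t) == 5:                      # Mac-address column is blank for filter-type ip
            t.insert(4, "")
        intf, ftype, _mode, ip, mac, _vlan = t
        if ip == "deny-all":
            why = "no DHCP snooping binding" if intf not in bound_ports else "binding exists, check lease/VLAN"
            findings.append((intf, f"all ingress traffic dropped: {why}"))
        if ftype == "ip-mac" and mac == "permit-all":
            findings.append((intf, "ip-mac filter without port security: any source MAC accepted"))
    return findings


if __name__ == "__main__":
    bindings = parse_bindings(BINDING_TABLE)
    for ev in parse_dai_syslog(DAI_SYSLOG):
        print(ev["kind"], explain_dai_deny(ev, bindings))
    print(denies_per_port(parse_dai_syslog(DAI_SYSLOG)))
    print(audit_ip_source_guard(SHOW_IP_VERIFY_SOURCE, bindings))
```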

Spoof-Prevention Features Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 7-2.

Figure 7-2 Spoof-Prevention Features Trouble Ticket Topology (PC1 through PC4 on ASW1 Fa0/1 to Fa0/4; ASW1 Gi0/1 uplinks to DSW1 Gi1/0/1; DSW1 has SVIs 10.1.10.1 for VLAN 10 (10.1.10.0/24) and 10.1.20.1 for VLAN 20 (10.1.20.0/24); the DHCP server for VLANs 10 and 20 is on Gi1/0/24)

Trouble Ticket 7-2

Problem: A junior administrator has approached you for assistance with a trouble ticket that she is having an issue with. The trouble ticket indicates that users in VLAN 10 are not able to access any resources outside their own subnet. They have verified that the clients receive their IP addressing information via a DHCP server. However, they are confused as to why they would be receiving the default gateway address of 10.1.10.100 when documentation shows that the default gateway should be configured as 10.1.10.1. They also indicate that they verified the DHCP pool on the DHCP server and that the default gateway address for the VLAN 10 pool is configured for 10.1.10.1.

To assist with the issue, you decide to connect your laptop to Fast Ethernet 0/24 on ASW1. This is the port on ASW1 that is used as the Switched Port Analyzer (SPAN) destination port. You configure ASW1, as shown in Example 7-33, so that all traffic sent or received by Fa0/1 is captured and sent to Fa0/24, where your laptop is connected and running packet-capturing software.

Example 7-33 Configuring a SPAN Session on ASW1

ASW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
ASW1(config)#monitor session 1 source interface fastEthernet 0/1 both
ASW1(config)#monitor session 1 destination interface fastEthernet 0/24

You access PC1 and issue the ipconfig /renew command to trigger the DHCP process so that you can identify who is providing the IP addressing. The DHCP packets between the server and PC1 are successfully copied by SPAN to your laptop running packet-capturing software, which is connected to Fa0/24. You review the DHCP offer message in your packet-capture software and notice that it is sourced from IP 10.1.10.34 and MAC 28:93:fe:3a:e3:45. Using the show mac address-table dynamic address 28:93:fe:3a:e3:45 command to follow the path, you verify that the device with that MAC address is reachable out Fa0/17, as shown in Example 7-34.

Example 7-34 Renewing a DHCP Address

ASW1#show mac address-table dynamic address 28:93:fe:3a:e3:45
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    28:93:fe:3a:e3:45 DYNAMIC     Fa0/17
Total Mac Addresses for this criterion: 1

You review your network documentation and trace the port to a PC that is being used for study purposes by an employee that currently enabled DHCP and just happened to use the same network that VLAN 10 is using in the production network. You have identified the problem. You ask the employee to disable the DHCP server, and she does. To update all the client PCs, you issue the ipconfig /renew command on all of them. They receive the correct default gateway of 10.1.10.1 now. The issue is solved.

However, you decide to dig deeper. Your network is configured with DHCP snooping, DAI, and IP Source Guard. Therefore, this issue should have never happened. You decide to issue the show ip dhcp snooping command on ASW1 to verify the DHCP snooping configuration, as shown in Example 7-35. Based on the output, DHCP snooping is enabled globally, it is enabled for VLAN 20, information option 82 is disabled, and Gig0/1 is trusted. However, DHCP snooping has not been enabled for VLAN 10. As a result, the DHCP server that was configured on Fa0/17 is able to hand out DHCP addresses on the network. By your enabling of DHCP snooping for VLAN 10, Fa0/17 would become an untrusted port by default and prevent DHCP Offer and Acks from being accepted inbound.

Example 7-35 Reviewing the DHCP Snooping Configuration

ASW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20
DHCP snooping is operational on following VLANs:
20
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 001c.57fe.f600 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:

To fix the DHCP snooping configuration, you issue the ip dhcp snooping vlan 10 command in global configuration mode, as shown in Example 7-36.

Example 7-36 Configuring DHCP Snooping for VLAN 10

ASW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
ASW1(config)#ip dhcp snooping vlan 10

You verify the configuration with the show ip dhcp snooping command again and confirm that VLAN 10 is now enabled for DHCP snooping, as shown in Example 7-37.

Example 7-37 Verifying DHCP Snooping Is Enabled for VLAN 10

ASW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20
DHCP snooping is operational on following VLANs:
10,20
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 001c.57fe.f600 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:
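The verification walk-through for Example 7-25 and the root cause of Trouble Ticket 7-2 (a VLAN missing from the DHCP snooping configuration) both come down to reading show ip dhcp snooping against what the documentation says should be there. The following Python script is an added example (not from the book) that parses that output and reports the gaps: it is fed the Example 7-35 output before the fix and, for comparison, the same output with 10,20 in the VLAN lines as in Example 7-37. The required VLANs and the expected trusted uplink are assumptions you would take from your own documentation.

```python
import re

# Constructed from Example 7-35: VLAN 10 is missing from the snooping configuration.
SHOW_BEFORE = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20
DHCP snooping is operational on following VLANs:
20
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 001c.57fe.f600 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:
"""
# After the fix (Example 7-37): both the configured and the operational VLAN lines read 10,20.
SHOW_AFTER = SHOW_BEFORE.replace("\n20\n", "\n10,20\n")

ROW_RE = re.compile(r"^(\S+)\s+(yes|no)\s+(yes|no)\s+(\S+)\s*$")


def parse_vlan_list(text):
    """IOS prints VLAN lists like '10,20' or '10-12,20'; return the set of VLAN ids."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_dhcp_snooping(output):
    """Pull the facts the text tells you to check out of show ip dhcp snooping."""
    lines = output.splitlines()
    state = {"enabled": "Switch DHCP snooping is enabled" in output,
             "configured": set(), "operational": set(), "option82": None,
             "trusted": set(), "rate_limit": {}}
    for i, line in enumerate(lines):
        if line.startswith("DHCP snooping is configured on following VLANs:"):
            state["configured"] = parse_vlan_list(lines[i + 1])
        elif line.startswith("DHCP snooping is operational on following VLANs:"):
            state["operational"] = parse_vlan_list(lines[i + 1])
        elif line.startswith("Insertion of option 82 is"):
            state["option82"] = line.split()[-1] == "enabled"
        row = ROW_RE.match(line)            # interface rows of the trust/rate table
        if row:
            intf, trusted, _allow, rate = row.groups()
            if trusted == "yes":
                state["trusted"].add(intf)
            state["rate_limit"][intf] = rate
    return state


def audit_dhcp_snooping(output, required_vlans, expected_trusted):
    """Findings a troubleshooter would act on; empty list means the config matches the documentation."""
    s = parse_dhcp_snooping(output)
    findings = []
    if not s["enabled"]:
        findings.append("DHCP snooping is not enabled globally")
    for v in sorted(required_vlans):
        if v not in s["configured"]:
            findings.append(f"VLAN {v} is not configured for DHCP snooping")
        elif v not in s["operational"]:
            findings.append(f"VLAN {v} is configured but not operational")
    for intf in sorted(expected_trusted - s["trusted"]):
        findings.append(f"uplink {intf} is not trusted; server replies through it will be dropped")
    for intf in sorted(s["trusted"] - expected_trusted):
        findings.append(f"{intf} is trusted but is not a documented uplink or server port")
    return findings


if __name__ == "__main__":
    # Assumed documentation for ASW1: VLANs 10 and 20 use DHCP, Gi0/1 is the only uplink.
    print(audit_dhcp_snooping(SHOW_BEFORE, {10, 20}, {"GigabitEthernet0/1"}))
    print(audit_dhcp_snooping(SHOW_AFTER, {10, 20}, {"GigabitEthernet0/1"}))
```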

Troubleshooting Access Control

Access control between devices within the same VLAN/subnet can be implemented using features such as protected ports, private VLANs, and VLAN access control lists (VACLs), which are used to filter traffic between devices within the same subnet/VLAN. Because the devices are in the same VLAN/subnet that you are trying to filter traffic to or from, regular router-based ACLs that are applied to router interfaces will not filter this traffic. This is because that traffic is never sent to the router interface. It stays within the local subnet/VLAN between the Layer 2 switchports. This section explains what is involved when troubleshooting issues related to protected ports, private VLANs, and VACLs.

Protected Ports

The purpose of a protected port is to deny all traffic from flowing between devices connected to two interfaces in the same VLAN on the same switch. If traffic arrives inbound on a protected port, it will not be forwarded if the egress port is also a protected port. When dealing with protected ports, you are usually dealing with the following issues:

■ Traffic is flowing between two interfaces when it should not be.
■ Traffic is not flowing between two interfaces when it should be.

Therefore, when troubleshooting protected ports, both these issues would be the result of a misconfiguration. Keep in mind that a protected port can only communicate with ports that are not protected ports. Therefore, for security reasons, if two devices are able to communicate when they should not, it might be because one port is a protected port and the other is not a protected port when it should be.

Figure 7-3 displays an access layer switch with PC1 and PC2 connected to it on Fa0/1 and Fa0/2. Both ports are members of VLAN 10. Example 7-38 displays the interface configuration command switchport protected that is used to configure the ports as protected. Therefore, traffic is not allowed to flow between Fa0/1 and Fa0/2.

Figure 7-3 Protected Ports (PC1 on Fa0/1 and PC2 on Fa0/2 of SW1, both in VLAN 10; uplink Gi0/1)

Example 7-38 Sample Protected Port Configuration

SW1#show run interface fastEthernet 0/1
...output omitted...
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport protected
end

SW1#show run interface fastEthernet 0/2
...output omitted...
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport protected
end

Besides using the running configuration to verify protected ports, you can use the command show interfaces interface_type interface_number switchport to verify whether a port is configured as a protected port, as shown in Example 7-39. In the output for Fa0/1, it states Protected: true, which means Fa0/1 is a protected port.

Example 7-39 Verifying Protected Ports

SW1#show interfaces fastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (10.1.1.0/26)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Private VLANs

Private VLANs (PVLAN) take the protected port concept further by enabling you to control which ports in the same VLAN can communicate with each other and which ports cannot. This is accomplished by grouping ports together in secondary VLANs that are members of a Private VLAN. Just like protected ports, when dealing with PVLANs, you are usually dealing with the following issues:

■ Traffic is flowing between two interfaces when it should not be.
■ Traffic is not flowing between two interfaces when it should be.

Therefore, when troubleshooting PVLANs, both these issues would be the result of a misconfiguration.

Refer to Figure 7-4, which will be used for our PVLAN examples. DNS1 and DNS2 are in the secondary community VLAN of 501, which is within the primary VLAN 200. FS1 and FS2 are in the secondary isolated VLAN 502, which is within the primary VLAN 200. In this example, based on the rules of PVLANs, the following are true:

■ DNS1 and DNS2 are able to communicate with each other because they are members of the same community VLAN.
■ FS1 and FS2 are not able to communicate with each other because they are members of an Isolated VLAN.
■ DNS1 and DNS2 are not able to communicate with FS1 and FS2 because DNS1 and DNS2 are members of a community VLAN and FS1 and FS2 are members of an isolated VLAN.
■ DNS1, DNS2, FS1, and FS2 are able to communicate out to the cloud because Gi1/0/10 is the promiscuous port.

Figure 7-4 PVLANs (topology: primary VLAN 200; secondary community VLAN 501 containing DNS1 and DNS2; secondary isolated VLAN 502 containing FS1 and FS2; SW2 ports Gi1/0/21 through Gi1/0/24 connect to the hosts and Gi1/0/10 is the promiscuous port toward SW1)

To successfully troubleshoot PVLANs, you need to remember the following PVLAN rules:

■ Community ports can communicate with other community ports in the same community.
■ Community ports cannot communicate with other community ports in a different community.
■ Community ports cannot communicate with isolated ports and vice versa.
■ Isolated ports cannot communicate with other isolated ports.
■ Community and isolated ports can communicate with the promiscuous port.

Example 7-40 displays the commands required to successfully implement the PVLANs in Figure 7-4. First, the VTP mode has to be transparent or off, unless you are using Virtual Trunking Protocol (VTP) Version 3. VTP Versions 1 and 2 cannot carry PVLAN information like VTPv3. The primary VLAN needs to be identified with the private-vlan primary command and associated with the secondary VLANs with the private-vlan association command. In addition, the secondary community VLAN needs to be identified with the private-vlan community command, and the secondary isolated VLAN needs to be identified with the private-vlan isolated command. After the VLANs have been identified, you can associate the ports on the switch with the appropriate VLANs. To associate a port with a secondary VLAN, you use the switchport private-vlan host-association primary_vlan secondary_vlan command in interface configuration mode along with the command switchport mode private-vlan host. In this example, Gig1/0/10 is the promiscuous port for the secondary VLANs 501 and 502 that are mapped to the primary VLAN 200, as identified by the commands switchport private-vlan mapping 200 501-502 and switchport mode private-vlan promiscuous.

Example 7-40 PVLAN Configuration Example

SW2#show run
...output omitted...
!
vtp mode transparent
!
vlan 200
 private-vlan primary
 private-vlan association 501-502
!
vlan 501
 private-vlan community
!
vlan 502
 private-vlan isolated
!
...output omitted...
!
interface GigabitEthernet1/0/10
 switchport private-vlan mapping 200 501-502
 switchport mode private-vlan promiscuous
!
...output omitted...
!
interface GigabitEthernet1/0/21
 switchport private-vlan host-association 200 501
 switchport mode private-vlan host
!
interface GigabitEthernet1/0/22
 switchport private-vlan host-association 200 501
 switchport mode private-vlan host
!
interface GigabitEthernet1/0/23
 switchport private-vlan host-association 200 502
 switchport mode private-vlan host
!
interface GigabitEthernet1/0/24
 switchport private-vlan host-association 200 502
 switchport mode private-vlan host
!
...output omitted...
end

The only way to determine from this output that the interface is in the correct secondary VLAN is to examine the switchport private-vlan host-association primary_vlan secondary_vlan command and compare the secondary VLAN ID to the VLAN configuration information. For example, if you compare the secondary VLAN ID of 502 in the command switchport private-vlan host-association 200 502 of interface Gig1/0/23 with the VLAN 502 configuration, you will notice that VLAN 502 is an isolated VLAN.
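The comparison the chapter asks you to do by hand (read the PVLAN configuration, apply the five PVLAN rules, compare the result with the diagram) can be automated. The following is an added example, not code from the book: it parses a constructed running-config excerpt modelled on Example 7-40, applies the rules above to every pair of ports, and reports which pairs disagree with the reachability expected from Figure 7-4. The handling of two promiscuous ports in the same primary VLAN is an assumption the chapter's rules do not cover.

```python
"""PVLAN reachability audit from an IOS running-config excerpt (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Port:
    name: str
    mode: str = ""                                  # "host" or "promiscuous"
    primary: Optional[int] = None
    secondary: Optional[int] = None                 # host ports only
    mapped: Set[int] = field(default_factory=set)   # promiscuous ports only


def build_config(fs1_secondary: int = 502) -> str:
    """Constructed excerpt modelled on Example 7-40. fs1_secondary lets a
    wrong host-association on FS1's port (Gi1/0/23) be injected for the audit."""
    hosts = {"21": 501, "22": 501, "23": fs1_secondary, "24": 502}
    lines = ["vlan 200", " private-vlan primary", " private-vlan association 501-502",
             "vlan 501", " private-vlan community", "vlan 502", " private-vlan isolated",
             "interface GigabitEthernet1/0/10",
             " switchport private-vlan mapping 200 501-502",
             " switchport mode private-vlan promiscuous"]
    for port, sec in hosts.items():
        lines += [f"interface GigabitEthernet1/0/{port}",
                  f" switchport private-vlan host-association 200 {sec}",
                  " switchport mode private-vlan host"]
    return "\n".join(lines)


def expand_range(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '501-502' or '501,503' into a set."""
    out: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_config(text: str) -> Tuple[Dict[int, str], Dict[str, Port]]:
    """Collect private-vlan VLAN types and the PVLAN settings of each port."""
    vlan_types: Dict[int, str] = {}
    ports: Dict[str, Port] = {}
    vlan: Optional[int] = None
    port: Optional[Port] = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan, port = int(m.group(1)), None
        elif m := re.fullmatch(r"interface (\S+)", line):
            port, vlan = ports.setdefault(m.group(1), Port(m.group(1))), None
        elif vlan is not None and (m := re.fullmatch(r"private-vlan (primary|community|isolated)", line)):
            vlan_types[vlan] = m.group(1)
        elif port is not None and (m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line)):
            port.mode = m.group(1)
        elif port is not None and (m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line)):
            port.primary, port.secondary = int(m.group(1)), int(m.group(2))
        elif port is not None and (m := re.fullmatch(r"switchport private-vlan mapping (\d+) (\S+)", line)):
            port.primary, port.mapped = int(m.group(1)), expand_range(m.group(2))
    return vlan_types, ports


def can_communicate(a: Port, b: Port, vlan_types: Dict[int, str]) -> bool:
    """Apply the chapter's PVLAN rules to one pair of ports on the same switch."""
    if a.primary is None or a.primary != b.primary:
        return False
    if a.mode == "promiscuous" and b.mode == "promiscuous":
        return True     # assumption: not covered by the chapter's rules
    if a.mode == "promiscuous" or b.mode == "promiscuous":
        prom, host = (a, b) if a.mode == "promiscuous" else (b, a)
        # Community and isolated ports reach the promiscuous port, but only
        # if their secondary VLAN is actually mapped on it.
        return host.mode == "host" and host.secondary in prom.mapped
    if a.mode != "host" or b.mode != "host":
        return False
    # Two host ports only talk when they share the same *community* VLAN;
    # isolated-isolated, community-isolated and different communities fail.
    return a.secondary == b.secondary and vlan_types.get(a.secondary) == "community"


def reachability(text: str) -> Dict[Tuple[str, str], bool]:
    vlan_types, ports = parse_config(text)
    names = sorted(ports)
    return {(x, y): can_communicate(ports[x], ports[y], vlan_types)
            for i, x in enumerate(names) for y in names[i + 1:]}


def audit(text: str, expected: Dict[Tuple[str, str], bool]) -> List[Tuple[Tuple[str, str], bool, bool]]:
    """Return (pair, expected, actual) for every pair that contradicts the diagram."""
    actual = reachability(text)
    return [(pair, want, actual[pair]) for pair, want in sorted(expected.items())
            if actual.get(pair) != want]


# Reachability that Figure 7-4 and the bullet list above call for.
G = "GigabitEthernet1/0/"
EXPECTED = {(G + a, G + b): ok for a, b, ok in [
    ("10", "21", True), ("10", "22", True), ("10", "23", True), ("10", "24", True),
    ("21", "22", True), ("21", "23", False), ("21", "24", False),
    ("22", "23", False), ("22", "24", False), ("23", "24", False)]}

if __name__ == "__main__":
    print("correct config mismatches:", audit(build_config(), EXPECTED))
    print("FS1 put in VLAN 501:", audit(build_config(501), EXPECTED))
```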

In addition, you can verify the private VLANs and the ports associated with each private VLAN using the show vlan private-vlan command, as shown in Example 7-41. You can see in this output the primary VLAN 200 and its associated community VLAN 501 and isolated VLAN 502. The ports associated with the community VLAN are Gi1/0/10, Gi1/0/21, and Gi1/0/22. The ports associated with the isolated VLAN are Gi1/0/10, Gi1/0/23, and Gi1/0/24. The first port, Gi1/0/10, is the promiscuous port in both cases.

Example 7-41 Verifying Private VLANs and Associated Ports

SW2#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
200     501       community         Gi1/0/10, Gi1/0/21, Gi1/0/22
200     502       isolated          Gi1/0/10, Gi1/0/23, Gi1/0/24

You can also use the command show interfaces interface_type interface_number switchport to verify the PVLAN status and configuration of a specific interface. As shown in Example 7-42, the administrative mode and operational mode is private-vlan host, indicating that it is either a member of a community VLAN or an isolated VLAN. If it stated private-vlan promiscuous, it is the promiscuous port. The primary VLAN in this case is VLAN 200, as indicated by the line Access Mode VLAN: 200 (primary). Further down, you can see the host association, which indicates that the primary VLAN is VLAN 200 and that this specific port is a member of the secondary VLAN 501. In addition, the Operational private-vlan output states the same.

Example 7-42 Verifying Private VLAN Information for a Specific Port

SW2#show interfaces gigabitEthernet 1/0/22 switchport
Name: Gi1/0/22
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 200 (primary)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 200 (10.1.200.0/24) 501 (VLAN0501)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: 200 (10.1.200.0/24) 501 (VLAN0501)
...output omitted...

As you can see, with all the different parameters, it is very easy to misconfigure PVLANs. Therefore, it is imperative that you can read a PVLAN configuration, compare it to a topological diagram, and determine where the misconfiguration is that is causing traffic to be forwarded to ports it should not be forwarded to or causing traffic to not be forwarded to ports it should be forwarded to.

VACLs

Protected ports and PVLANs are excellent features that help you control the traffic that can flow between ports in the same subnet/VLAN. However, they lack granular control. You cannot pick which type of traffic to control; it is all traffic or no traffic that is being forwarded between the ports. If you do need to control the type of traffic that is flowing between ports in the same VLAN/subnet on a switch, you can implement VLAN access control lists (VACLs).

Because you are able to control traffic on a more granular level, when troubleshooting VACLs you need to examine a few different components that make up the VACL:

■ ACLs: Used to define the traffic that will be examined by the VLAN access map (IP or MAC). Use the show access-lists command to verify the configured ACLs.
■ VLAN access map: Used to define the action that will be taken on the traffic that is matched in the ACLs. Use the show run | section vlan access-map command or the show vlan access-map command to verify the configured VLAN access maps.
■ VLAN filter list: Used to define which VLANs the VLAN access map will apply to. Use the show run | include vlan filter command or the show vlan filter command to verify the configured VLAN filter list.

Refer to the sample VACL in Example 7-43, which was used to configure SW1 in Figure 7-5. This VACL is designed to prevent PC1 from being able to ping or telnet to PC2, which is in the same VLAN. However, PC1 will be able to access other resources and services on PC2. Notice all the different configurations that could cause the VACL to not function as expected:

■ The ACL could be misconfigured: Permit versus deny, wrong addresses, wrong protocol, wrong ports, and there is an implicit deny all at the end.
■ The VLAN access map could be misconfigured: Matching the wrong ACL, route map, and prefix list; or the action could be incorrect, such as drop versus forward.
■ The VLAN access map could be in the wrong sequence order: Just like an ACL, it uses top-down processing, and will immediately execute the actions upon a match.
■ The VLAN filter could be misconfigured: The filter may be referencing the wrong VLAN access map, it could be configured with the wrong VLAN list, or it may be missing completely.

Example 7-43 Sample VLAN ACL Configuration

SW1#show access-lists
Extended IP access list 100
    10 permit icmp host 10.1.1.10 host 10.1.1.20
    20 permit tcp host 10.1.1.10 host 10.1.1.20 eq telnet
SW1#show run | section vlan access-map
vlan access-map TSHOOT 10
 match ip address 100
 action drop
vlan access-map TSHOOT 20
 action forward
SW1#show run | include vlan filter
vlan filter TSHOOT vlan-list 10

Figure 7-5 VACL (PC1 on Fa0/1 and PC2 on Fa0/2 of SW1, both in VLAN 10, subnet 10.1.1.0; Gi0/1 is SW1's uplink)
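The processing order described in the bullet list (ACL permit means "match", first matching access-map sequence wins, implicit drop if nothing matches, filter decides which VLANs are affected) is easy to get wrong when reading a VACL. The following is an added example, not the book's code: it models the Example 7-43 configuration as data and evaluates sample packets against it, including the variant where sequence 20 of the access map is missing, to show which traffic each version drops.

```python
"""Evaluate packets against the VACL of Example 7-43 (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    vlan: int
    proto: str                  # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One line of an extended IP ACL; src/dst are a host address or 'any'."""
    action: str                 # "permit" or "deny"
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class MapEntry:
    """One sequence of a VLAN access map; acl=None matches all traffic."""
    seq: int
    action: str                 # "drop" or "forward"
    acl: Optional[str] = None


# Extended IP access list 100 from Example 7-43.
ACLS: Dict[str, List[Ace]] = {
    "100": [
        Ace("permit", "icmp", "10.1.1.10", "10.1.1.20"),       # seq 10
        Ace("permit", "tcp", "10.1.1.10", "10.1.1.20", 23),    # seq 20, eq telnet
    ],
}

# vlan access-map TSHOOT 10: match ip address 100, action drop
# vlan access-map TSHOOT 20: no match clause, action forward
ACCESS_MAPS: Dict[str, List[MapEntry]] = {
    "TSHOOT": [MapEntry(10, "drop", "100"), MapEntry(20, "forward")],
}

# The same map with sequence 20 forgotten: a common misconfiguration.
ACCESS_MAPS_NO_SEQ20: Dict[str, List[MapEntry]] = {
    "TSHOOT": [MapEntry(10, "drop", "100")],
}

# vlan filter TSHOOT vlan-list 10
VLAN_FILTERS: Dict[str, Set[int]] = {"TSHOOT": {10}}


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto == pkt.proto
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def acl_matches(acl: List[Ace], pkt: Packet) -> bool:
    """Top-down ACL evaluation inside a VACL: a 'permit' ACE means the packet
    matches this map sequence; a 'deny' ACE, or the implicit deny at the end,
    means it does not match here and the next sequence is tried."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def vacl_action(entries: List[MapEntry], acls: Dict[str, List[Ace]], pkt: Packet) -> str:
    """First matching sequence wins; a packet matching no sequence is dropped."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.acl is None or acl_matches(acls[entry.acl], pkt):
            return entry.action
    return "drop"


def switch_decision(pkt: Packet, vlan_filters=VLAN_FILTERS,
                    access_maps=ACCESS_MAPS, acls=ACLS) -> str:
    """Apply the access map that is filtered onto the packet's VLAN, if any."""
    for map_name, vlans in vlan_filters.items():
        if pkt.vlan in vlans:
            return vacl_action(access_maps[map_name], acls, pkt)
    return "forward"            # no VACL on this VLAN: normal switching


PC1, PC2 = "10.1.1.10", "10.1.1.20"

if __name__ == "__main__":
    for label, pkt in [("PC1 ping PC2", Packet(10, "icmp", PC1, PC2)),
                       ("PC1 telnet PC2", Packet(10, "tcp", PC1, PC2, 23)),
                       ("PC1 http PC2", Packet(10, "tcp", PC1, PC2, 80)),
                       ("PC2 ping PC1", Packet(10, "icmp", PC2, PC1))]:
        print(f"{label:15} {switch_decision(pkt):8} "
              f"(without seq 20: {switch_decision(pkt, access_maps=ACCESS_MAPS_NO_SEQ20)})")
```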

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, “Final Preparation,” and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 7-2 lists a reference of these key topics and the page numbers on which each is found.

Table 7-2 Key Topics for Chapter 7

Key Topic Element | Description | Page Number
List | Identifies issues that may be the reason why port security is not behaving as expected | 250
Example 7-2 | Verifying port security | 251
Example 7-4 | Verifying static addresses associated with interfaces | 252
List | Outlines the different port security violation modes | 254
Paragraph | Describes how to verify a port is in the err-disable state | 256
Paragraph | Describes how to determine why a port is in the err-disable state and provides a valuable tip | 257
Paragraph | Describes the error disable recovery feature and the commands used for verification purposes | 258
List | Provides a listing of items that must be true for DHCP snooping to operate correctly | 265
Example 7-25 | Verifying DHCP snooping | 266
Example 7-26 | Verifying DHCP snooping bindings | 267
Example 7-27 | Sample DAI configuration | 267
Paragraph | Describes how to verify that IP Source Guard has been configured correctly | 268
Section | Protected ports | 273
List | Outlines the PVLAN rules that are required when troubleshooting PVLANs | 276
Example 7-40 | PVLAN configuration example | 277
Example 7-41 | Verifying Private VLANs and associated ports | 278
List | Identifies the components involved with VACLs that you may have to troubleshoot | 279
List | Identifies what could be misconfigured with a VACL that could be causing issues | 279

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary: port security, sticky secure MAC address, err-disabled, protect violation mode, restrict violation mode, shutdown violation mode, DHCP snooping, DHCP snooping (trusted port), DHCP snooping (untrusted port), dynamic ARP inspection, IP Source Guard, protected ports, private VLANs, primary VLAN, community VLAN, isolated VLAN, promiscuous port, VLAN access control list

Command Reference to Check Your Memory

This section includes the most important show commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed. To test your memory of the commands, cover the right side of Table 7-3 with a piece of paper, read the description on the left side, and then see how much of the command you can remember. The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to successfully verify and troubleshoot the topics covered within this chapter.

Table 7-3 show Commands Used for Verification and Troubleshooting

Task | Command Syntax
Displays the ports that have port security enabled, the maximum number of MAC addresses allowed, the current number learned, whether there is a security violation, and the action that is taken if a violation occurs. | show port-security
Displays the secure MAC addresses that have been learned on each port security enabled port. It displays the port and associated VLAN, the MAC address, and the type (SecureDynamic, SecureSticky, and SecureConfigured). It also displays the maximum addresses allowed. | show port-security address
Displays detailed port security information for the interface. It identifies whether port security is enabled or disabled, the port security status, the violation mode that is configured, the aging type and time, the current number of MAC addresses, the number of statically configured addresses, and the number of sticky addresses. In addition, it displays the last seen MAC on the port, and whether a violation has occurred. | show port-security interface interface_type interface_number
Displays which features are enabled and disabled for the error disable recovery feature, the timer that has been set, and any ports that are currently in the err-disable state (along with the reason why). | show errdisable recovery
Displays which features are able to use the error disable recovery feature on the switch and the mode they will use. | show errdisable detect
Displays the Layer 1 and Layer 2 status of an interface. Also helps identify which ports are in the err-disable state. | show interface status
Displays the status of DHCP snooping, including whether it is enabled or disabled globally, the VLANs it is enabled for, whether option 82 is enabled or disabled, and the trusted ports. | show ip dhcp snooping
Displays the MAC address to IP address DHCP snooping mappings, along with the port and VLAN they are mapped to. | show ip dhcp snooping binding
Displays the configuration within the running configuration for a specific interface. You can verify configurations related to port security, DHCP snooping, DAI, IP Source Guard, protected ports, and PVLANs, which is helpful for troubleshooting. | show running-config interface interface_type interface_number
Displays the interfaces that have been enabled with IP Source Guard, the filter type being used, along with the IP address, MAC address, and VLAN number that source packets and frames will need to match. | show ip verify source
Displays VLAN, trunking, PVLAN, and protected port information related to an interface. | show interfaces interface_type interface_number switchport
Displays the primary and secondary PVLAN mappings along with the member interfaces. | show vlan private-vlan
Displays all access lists, including IP and MAC, that are configured on the switch. | show access-list
Displays the VLAN access map configuration on the switch. | show run | section vlan access-map; show vlan access-map
Displays the VLAN access map to VLAN mapping on the switch. | show run | include vlan filter; show vlan filter


This chapter covers the following topics:

■ Troubleshooting HSRP: This section focuses on the Cisco Hot Standby Router Protocol (HSRP). It reviews the HSRP features and functions and how you can verify HSRP configurations and troubleshoot HSRP issues.
■ HSRP Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.
■ Troubleshooting VRRP: This section focuses on the industry standard Virtual Router Redundancy Protocol (VRRP). It reviews the VRRP features and functions as well as how you can verify VRRP configurations and troubleshoot VRRP issues.
■ VRRP Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.
■ Troubleshooting GLBP: This section focuses on the Cisco Gateway Load Balancing Protocol (GLBP). It reviews the GLBP features and functions and how you can verify GLBP configurations and troubleshoot GLBP issues.
■ GLBP Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.
■ Comparing HSRP, VRRP, and GLBP: This section provides a close-up comparison of the different first-hop redundancy protocols (FHRPs) covered in the chapter.

CHAPTER 8

Troubleshooting First-Hop Redundancy Protocols

Many devices, such as PCs, are configured with a default gateway. The default gateway parameter identifies the IP address of a next-hop router on the local-area network (LAN) that serves as the exit point for the LAN. As a result, if that router were to become unavailable, devices that relied on the default gateway’s IP address would be unable to send traffic off their local subnet. Fortunately, Cisco devices such as routers and Layer 3 switches offer technologies known as first-hop redundancy protocols (FHRPs) that provide next-hop gateway redundancy, which allow clients to continue to reach their default gateway’s IP address, even if the Layer 3 switch or router that had been servicing that IP address becomes unavailable. These technologies include HSRP, VRRP, and GLBP. This chapter reviews HSRP, VRRP, and GLBP, and provides a collection of Cisco IOS commands you can use to troubleshoot issues related to them.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 8-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 8-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section | Questions
Troubleshooting HSRP | 1–4
Troubleshooting VRRP | 5–6
Troubleshooting GLBP | 7–9
Comparing HSRP, VRRP, GLBP | 10

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. What is the default priority for an HSRP interface?
a. 0
b. 100
c. 256
d. 32768

2. How many active forwarders can be in an HSRP group?
a. 1
b. 2
c. 4
d. No limit

3. Which two of the following are true about HSRP?
a. Preemption is on by default.
b. Preemption is off by default.
c. The virtual router IP address has to be an unused IP in the LAN.
d. The virtual router IP address can be an unused IP in the LAN or an IP associated with a router’s LAN interface.

4. What command enables you to verify the virtual MAC address of an HSRP group?
a. show hsrp
b. show hsrp brief
c. show standby
d. show standby brief

5. What is the name for the router in a VRRP virtual router group that is actively forwarding traffic on behalf of the virtual router group?
a. Virtual forwarder
b. Active virtual gateway
c. Virtual router master
d. Active virtual forwarder

6. Which two of the following are true about VRRP? (Choose two answers.)
a. Preemption is on by default.
b. Preemption is off by default.
c. The virtual router IP address has to be an unused IP in the LAN.
d. The virtual router IP address can be an unused IP in the LAN or an IP associated with a router’s LAN interface.

7. Which of the following statements is true concerning GLBP?
a. GLBP allows multiple routers to simultaneously forward traffic.
b. A GLBP group has multiple active virtual gateways.
c. The active virtual forwarder in a GLBP group is responsible for responding to ARP requests with different MAC addresses.
d. GLBP is an industry-standard FHRP.

8. Which show commands enable you to verify the virtual MAC addresses that an AVF is responsible for? (Choose two answers.)
a. show run
b. show arp
c. show glbp
d. show glbp brief

9. Which of the following is the default GLBP method for load balancing?
a. Weighted
b. Host dependent
c. Server dependent
d. Round-robin

10. Which of the following are Cisco proprietary FHRPs? (Choose two answers.)
a. HSRP
b. VRRP
c. GLBP
d. IRDP

Foundation Topics

Troubleshooting HSRP

Hot Standby Router Protocol (HSRP) is a Cisco Proprietary FHRP that was designed to provide default gateway redundancy. When implemented, it allows multiple physical layer 3 gateways to appear as a single virtual layer 3 gateway. It is this virtual layer 3 gateway that the clients point to as their default gateway. HSRP operates on both Cisco routers and Cisco multilayer switches. As a troubleshooter you will need to have a very solid understanding of how HSRP functions in order to resolve any issues related to HSRP. In this section you will review the concepts of HSRP as well as how to verify and troubleshoot HSRP configurations.

Reviewing HSRP

HSRP uses a virtual IP address and MAC address to represent a virtual router within an HSRP group. The end-stations’ default gateway IP address is the IP address of the virtual router. When the end-stations ARP for the MAC address of the default gateway IP address, they are given the virtual MAC address. Under no circumstances should the end-stations ever be given the real MAC address of the device that is acting as the default gateway when they are ARPing for the MAC of the virtual IP address. Within an HSRP group, one router is the active router. This router is responsible for forwarding data sent to the MAC address of the default gateway and responding to ARP requests asking for the MAC associated with the IP address of the default gateway. Another router in the HSRP group is known as the standby router. This router is waiting for the active router to fail or experience a link/reachability failure so that it can take over the active router role and forward traffic and respond to ARP requests. You can have additional routers in an HSRP group, but they will not be active or standby. They will simply sit and wait for the active or standby to fail so they can elect a replacement among them. Figure 8-1 illustrates a basic HSRP topology.

Figure 8-1 Basic HSRP Operation (HSRP Group 10: R1 is the active router on Fa0/0 172.16.1.1, R2 is the standby router on Et0/0 172.16.1.2, the virtual router address is 172.16.1.3, and Workstation A uses next-hop gateway 172.16.1.3)

Examples 8-1 and 8-2 show the HSRP configuration for routers R1 and R2.

Example 8-1 HSRP Configuration on Router R1

R1#show run
...OUTPUT OMITTED...
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 standby 10 ip 172.16.1.3
 standby 10 priority 150
 standby 10 preempt
...OUTPUT OMITTED...

Example 8-2 HSRP Configuration on Router R2

R2#show run
...OUTPUT OMITTED...
interface Ethernet0/0
 ip address 172.16.1.2 255.255.255.0
 standby 10 ip 172.16.1.3
...OUTPUT OMITTED...

Notice that both routers R1 and R2 have been configured with the same virtual IP address of 172.16.1.3 for an HSRP group of 10. Router R1 is configured with a higher priority using the standby 10 priority 150 command, and with HSRP, higher priority values are more preferable. Router R2 has a default HSRP priority of 100 for group 10. Also, notice that router R1 is configured with the standby 10 preempt command, which means that if router R1 loses its active status, perhaps because it is powered off, it will regain its active status when it again becomes available. Also, consider the addition of another router to the network segment whose HSRP priority for group 10 is higher than 150. If it were configured for preemption, the newly added router would send a coup message to inform the active router that the newly added router was going to take on the active role. If, however, the newly added router were not configured for preemption, the currently active router would remain the active router.

HSRP Converging After a Failure

By default, HSRP sends hello messages every three seconds. Also, if the standby router does not hear a hello message within ten seconds by default, the standby router considers the active router to be down. The standby router then assumes the active role. Although this ten-second convergence time applies for a router becoming unavailable for a reason such as a power outage or a link failure, convergence happens more rapidly if an interface is administratively shut down. Specifically, an active router sends a resign message if its active HSRP interface is shut down.

HSRP Verification and Troubleshooting

When verifying an HSRP configuration or troubleshooting an HSRP issue, you should begin by determining the following information about the HSRP group under inspection:

■ Which router is the active router?
■ Which routers, if any, are configured with the preempt option?
■ What is the virtual IP address?
■ What is the virtual MAC address?
■ Is interface or object tracking on?

The show standby brief command can be used to show which interface is participating in an HSRP group, the priority of the interface, if preemption is enabled or not, the interface’s state, the router that is currently the active router, the router that is currently the standby router, and the virtual IP address for the HSRP group. Examples 8-3 and 8-4 show the output from the show standby brief command issued on routers R1 and R2.

Example 8-3 show standby brief Command Output on Router R1

R1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Fa0/0       10   150  P Active  local           172.16.1.2      172.16.1.3

Example 8-4 show standby brief Command Output on Router R2

R2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Et0/0       10   100    Standby 172.16.1.1      local           172.16.1.3

In this case, this command identifies the router that is currently the active router, where router R1 is currently the active router for group 10 with a virtual IP of 172.16.1.3. It also has a priority of 150 with preemption enabled. Additionally, the router with the IP address 172.16.1.2 is the standby router, which happens to be R2, as shown in Example 8-4.

In addition to an interface’s HSRP group number, the priority of the interface, and the HSRP group’s virtual IP address, the show standby interface_type interface_number command also displays the HSRP group’s virtual MAC address, the HSRP timers, the standby router’s priority, and if the current local priority is different than the configured local priority. Issuing this command on router R1, as shown in Example 8-5, shows that the virtual MAC address for HSRP group 10 is 0000.0c07.ac0a, the standby router’s priority is 100, the timers are default at 3 and 10, and the local router’s current priority is the same as the configured priority.

Example 8-5 show standby fastethernet 0/0 Command Output on Router R1

R1#show standby fastethernet 0/0
FastEthernet0/0 - Group 10
  State is Active
    1 state change, last state change 01:20:00
  Virtual IP address is 172.16.1.3
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.044 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.1.2, priority 100 (expires in 8.321 sec)
  Priority 150 (configured 150)
  IP redundancy name is "hsrp-Fa0/0-10" (default)

Virtual Router MAC Address

The default virtual MAC address for an HSRPv1 group, as shown in Figure 8-2, is based on the HSRP group number. Specifically, the virtual MAC address for an HSRP group begins with a vendor code of 0000.0c, followed with a well-known HSRPv1 code of 07.ac. The last two hexadecimal digits are the hexadecimal representation of the HSRP group number. For example, an HSRP group of 10 yields a default virtual MAC address of 0000.0c07.ac0a, because 10 in decimal equates to 0a in hexadecimal. Therefore, you can have up to 256 HSRPv1 groups.

Figure 8-2 HSRP Virtual MAC Address (0000.0c = vendor code, 07.ac = well-known HSRP code, 0a = HSRP group number in hex)

The default virtual MAC address for an HSRPv2 group begins with a vendor code of 0000.0c, followed with a well-known HSRPv2 code of 9F.F, and then the last three hexadecimal digits represent the HSRPv2 group. Therefore, you can have a total of 4096 HSRPv2 groups.

Interface Tracking

HSRP interface tracking is a feature that most organizations will deploy. By default, HSRP will only detect a failure of the device itself or the path that is used by the hello packets. What about the uplinks from the routers running HSRP? If they fail, hello packets are still exchanged successfully, and the active router is still available. However, if the uplink is down, packets are dropped at the active router because it cannot forward them. This is where interface tracking comes into play.

Interface tracking allows you to control the priority of a router in an HSRP group based on the status of an interface. If the interface is anything but up/up, you can decrement the priority of the router to a value that is lower than the standby router, and if preemption is enabled on the standby router, it will take over as the active forwarder because it now has the higher priority. You implement interface tracking with the standby group_number track interface_type interface_number decrement_value command. You can use the show standby command to verify whether interface tracking is configured and the state of the tracked interface, as shown in Example 8-6.

Example 8-6 show standby Command Output on Router R1

R1#show standby fa 0/0
FastEthernet0/0 - Group 10
  State is Standby
    2 state changes, last state change 00:02:16
  Virtual IP address is 172.16.1.3
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.784 secs
  Preemption enabled
  Active router is 172.16.1.2, priority 100 (expires in 9.312 sec)
  Standby router is local
  Priority 99 (configured 110)
    Track interface FastEthernet2/0 state Down decrement 11
  Group name is "hsrp-Gi0/0-10" (default)

In the case of Example 8-6, you can see that the tracked interface state is down. Its priority has been lowered to 99 from 110 because the interface state is down. Therefore, reviewing the configured priority of 110 and the current priority of 99 indicates why this router is not the active router at the moment. Now you would have to troubleshoot why the interface is down.

In addition to interface tracking, you can use object tracking, which allows you to track IP-related information such as a route, the status of a service level agreement (SLA), a group of objects, and the status of an interface. We discuss this type of tracking, which is beyond the scope of our HSRP discussion, in the “Troubleshooting VRRP” section.

Verifying First Hop

Once you know the current HSRP configuration, you might then check to see whether a host on the HSRP virtual IP address’s subnet can ping the virtual IP address. Based on the topology previously shown in Figure 8-1, Example 8-7 shows a successful ping from Workstation A.

Example 8-7 Ping Test from Workstation A to the HSRP Virtual IP Address

C:\>ping 172.16.1.3
Pinging 172.16.1.3 with 32 bytes of data:
Reply from 172.16.1.3: bytes=32 time=1ms TTL=255
Reply from 172.16.1.3: bytes=32 time=1ms TTL=255
Reply from 172.16.1.3: bytes=32 time=2ms TTL=255
Reply from 172.16.1.3: bytes=32 time=1ms TTL=255
Ping statistics for 172.16.1.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

A client could also be used to verify that the virtual MAC address learned by the client corresponds to the virtual MAC address reported by one of the HSRP routers. Example 8-8 shows Workstation A's Address Resolution Protocol (ARP) cache entry for the HSRP virtual IP address of 172.16.1.3. Notice in the output that the MAC address learned via ARP does match the HSRP virtual MAC address reported by the active HSRP router.

Example 8-8 Workstation A's ARP Cache

C:\>arp -a
Interface: 172.16.1.4 --- 0x4
  Internet Address      Physical Address      Type
  172.16.1.3            00-00-0c-07-ac-0a     dynamic

However, one of the best tools to use with FHRPs to verify the path is traceroute. With traceroute, you can identify the physical first-hop router that the packets are traversing. Example 8-9 displays the tracert command executed on a PC. Notice that it states that the first hop is 172.16.1.1. This is the IP address of R1's LAN interface. Therefore, we can conclude that R1 is the active forwarder at the moment.

Example 8-9 A Trace from Workstation A Confirming That R1 Is the First Hop (Active Forwarder)

C:\>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     7 ms    <1 ms     2 ms  172.16.1.1
...output omitted...
Trace complete.

However, suppose that a failure happened and R2 became the active forwarder. The ARP cache would still be the same on the PC. However, the output of tracert on the PC would now display that the first hop is 172.16.1.2, as shown in Example 8-10.

Example 8-10 A Trace from Workstation A Confirming That R2 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     3 ms     2 ms     4 ms  172.16.1.2
...output omitted...
Trace complete.

Debug

You can also use the debug standby terse command to view important HSRP changes, such as a state change. Example 8-11 shows this debug output on router R2 when router R1's Fast Ethernet 0/0 interface is shut down. Notice that router R2's state changes from standby to active.

Example 8-11 debug standby terse Command Output on Router R2: Changing to Active

R2#
*Mar  1 01:25:45.930: HSRP: Et0/0 Grp 10 Standby: c/Active timer expired (172.16.1.1)
*Mar  1 01:25:45.930: HSRP: Et0/0 Grp 10 Active router is local, was 172.16.1.1
*Mar  1 01:25:45.930: HSRP: Et0/0 Grp 10 Standby router is unknown, was local
*Mar  1 01:25:45.930: HSRP: Et0/0 Grp 10 Standby -> Active
*Mar  1 01:25:45.930: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 10 state Standby -> Active
*Mar  1 01:25:45.930: HSRP: Et0/0 Grp 10 Redundancy "hsrp-Et0/0-10" state Standby -> Active
*Mar  1 01:25:48.935: HSRP: Et0/0 Grp 10 Redundancy group hsrp-Et0/0-10 state Active -> Active
*Mar  1 01:25:51.936: HSRP: Et0/0 Grp 10 Redundancy group hsrp-Et0/0-10 state Active -> Active

When router R1's Fast Ethernet 0/0 interface is administratively enabled, because router R1 is configured with the preempt option, router R1 reassumes its previous role as the active HSRP router for HSRP group 10. The output shown in Example 8-12 demonstrates how router R2 receives a coup message, letting router R2 know that router R1 is taking back its active role.

Example 8-12 debug standby terse Command Output on Router R2: Changing HSRP to Standby

R2#
*Mar  1 01:27:57.979: HSRP: Et0/0 Grp 10 Coup   in  172.16.1.1 Active  pri 150 vIP 172.16.1.3
*Mar  1 01:27:57.979: HSRP: Et0/0 Grp 10 Active: j/Coup rcvd from higher pri router (150/172.16.1.1)

*Mar  1 01:27:57.979: HSRP: Et0/0 Grp 10 Active router is 172.16.1.1, was local
*Mar  1 01:27:57.979: HSRP: Et0/0 Grp 10 Active -> Speak
*Mar  1 01:27:57.979: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 10 state Active -> Speak
*Mar  1 01:27:57.979: HSRP: Et0/0 Grp 10 Redundancy "hsrp-Et0/0-10" state Active -> Speak
*Mar  1 01:28:07.979: HSRP: Et0/0 Grp 10 Speak: d/Standby timer expired (unknown)
*Mar  1 01:28:07.979: HSRP: Et0/0 Grp 10 Standby router is local
*Mar  1 01:28:07.979: HSRP: Et0/0 Grp 10 Speak -> Standby
*Mar  1 01:28:07.979: HSRP: Et0/0 Grp 10 Redundancy "hsrp-Et0/0-10" state Speak -> Standby

HSRP Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 8-3.

Figure 8-3 HSRP Trouble Ticket Topology (figure: SW1 Int VLAN 10, IP 10.1.1.1/26, Active, uplink Gig 1/0/10; SW2 Int VLAN 10, IP 10.1.1.2/26, Standby, uplink Gig 1/0/10; HSRP GROUP 10, virtual IP 10.1.1.62; SW3 connects PC1, IP 10.1.1.10/26, DG 10.1.1.62; core destination 192.0.2.1)

Trouble Ticket 8-1

Problem: According to traffic statistics, all traffic for VLAN 10 is flowing through SW2 to reach the core instead of SW1.

You start by verifying the problem from PC1 on VLAN 10. In this case, the best tool is traceroute because it will identify the router hops (real IPs) along the path. All you care about is the first hop: is it 10.1.1.1 or 10.1.1.2? This will identify whether traffic is flowing through SW1 or SW2 to reach the core. Example 8-13 indicates that SW2 is in fact the HSRP active forwarder for the 10.1.1.0/26 network because it was the first hop returned for the tracert command output.

Example 8-13 A Trace from PC1 Confirming That SW2 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     6 ms     1 ms     2 ms  10.1.1.2
...output omitted...
Trace complete.

Reviewing Figure 8-3 indicates that SW1 should be the active forwarder for group 10. Next you need to confirm that this is in fact true by reviewing the output of HSRP show commands. Example 8-14 displays the output of show standby brief on SW2. Notice that under the Active column it states local and that under the Standby column it displays 10.1.1.1, which is the IP address of the standby router, SW1.

Example 8-14 show standby brief Command Output on SW2

SW2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   100 P Active  local           10.1.1.1        10.1.1.62

Now is an excellent time to review the output of show standby brief on SW1 to see whether anything stands out that might be the issue. Example 8-15 indicates that SW1 is indeed the standby router for group 10.

Example 8-15 show standby brief Command Output on SW1

SW1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   10  P Standby 10.1.1.2        local           10.1.1.62

However, if you look very closely at Examples 8-14 and 8-15, you should notice that SW1 has a priority of 10, and SW2 has a priority of 100. The HSRP router that has the higher priority is the active forwarder. You should check the output of show standby on SW1 to determine whether that is the configured priority or if some tracked object is down and causing the priority to be lowered. Example 8-16 displays the output of show standby on SW1. Notice that the priority is listed as 10 and that it states it is configured as 10.

Example 8-16 show standby Command Output on SW1

SW1#show standby
Vlan10 - Group 10
  State is Standby
    4 state changes, last state change 00:06:51
  Virtual IP address is 10.1.1.62
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.016 secs
  Preemption enabled
  Active router is 10.1.1.2, priority 100 (expires in 9.488 sec)
  Standby router is local
  Priority 10 (configured 10)
    Track interface GigabitEthernet1/0/10 state Up decrement 11
  Group name is "hsrp-Vl10-10" (default)

It must have been mistyped. Checking your documentation indicates that the priority should be configured to 110. Example 8-17 displays the interface VLAN 10 configuration, which shows that the priority was configured to 10 instead of 110.

Example 8-17 show run interface vlan 10 Command Output on SW1

SW1#show run interface vlan 10
Building configuration...

Current configuration : 163 bytes
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.192
 standby 10 ip 10.1.1.62
 standby 10 priority 10
 standby 10 preempt
 standby 10 track 1 decrement 11
end

After fixing the issue by executing the command standby 10 priority 110 in VLAN 10 interface configuration mode on SW1, you see the following syslog message confirming that SW1 is now the active forwarder:

%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active

You then reissue the tracert command on PC1, and confirm that SW1 is in fact the active forwarder now, as shown in Example 8-18.

Example 8-18 A Trace from PC1 Confirming That SW1 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     7 ms    <1 ms     2 ms  10.1.1.1
...output omitted...
Trace complete.

Trouble Ticket 8-2

Problem: According to traffic statistics, all traffic for VLAN 10 is flowing through SW2 to reach the core instead of SW1.

You start by verifying the problem from PC1 on VLAN 10. In this case, the best tool is traceroute because it will identify the router hops (real IPs) along the path. All you care about is the first hop: is it 10.1.1.1 or 10.1.1.2? This will identify whether traffic is flowing through SW1 or SW2 to reach the core. Example 8-19 indicates that SW2 is in fact the HSRP active forwarder for the 10.1.1.0/26 network because it was the first hop returned for the tracert command output.

Example 8-19 A Trace from PC1 Confirming That SW2 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     6 ms     1 ms     2 ms  10.1.1.2
...output omitted...
Trace complete.

Reviewing Figure 8-3 indicates that SW1 should be the active forwarder for group 10. Next you need to confirm that this is in fact true by reviewing the output of HSRP show commands. Example 8-20 displays the output of show standby brief on SW2. Notice that under the Active column it states local and that under the Standby column it displays 10.1.1.1, which is the IP address of the standby router, SW1.

Example 8-20 show standby brief Command Output on SW2

SW2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   100 P Active  local           10.1.1.1        10.1.1.62

Now is an excellent time to review the output of show standby brief on SW1 to see whether anything stands out that might be the issue. Example 8-21 indicates that SW1 is indeed the standby router for group 10.

Example 8-21 show standby brief Command Output on SW1

SW1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   110   Standby 10.1.1.2        local           10.1.1.62

However, if you look very closely at Examples 8-20 and 8-21, you should notice that SW1 has a priority of 110 and that SW2 has a priority of 100. The HSRP router that has the higher priority should be the active forwarder. However, in this case, it is not. Taking an even closer look at Examples 8-20 and 8-21, you notice that SW1 does not have preemption enabled, as indicated by the missing P in the output. You check the output of show standby on SW1, as shown in Example 8-22, and it indicates that preemption is disabled.

Example 8-22 show standby Command Output on SW1

SW1#show standby
Vlan10 - Group 10
  State is Standby
    7 state changes, last state change 02:39:07
  Virtual IP address is 10.1.1.62
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.520 secs
  Preemption disabled
  Active router is 10.1.1.2, priority 100 (expires in 10.112 sec)
  Standby router is local
  Priority 110 (configured 110)
    Track interface GigabitEthernet1/0/10 state Up decrement 11
  Group name is "hsrp-Vl10-10" (default)

If SW1 is expected to take over as the active forwarder when it has a higher priority, preemption needs to be on. After fixing the issue by executing the command standby 10 preempt in VLAN 10 interface configuration mode on SW1, you see the following syslog message confirming that SW1 is now the active forwarder:

%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active

You then reissue the tracert command on PC1, and confirm that SW1 is in fact the active forwarder now, as shown in Example 8-23.

Example 8-23 A Trace from PC1 Confirming That SW1 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     7 ms    <1 ms     2 ms  10.1.1.1
...output omitted...
Trace complete.

Trouble Ticket 8-3

Problem: Users in VLAN 10 are reporting that they are not able to reach any resources outside their LAN.

You start by verifying the problem from PC1 on VLAN 10. You ping 192.0.2.1, as shown in Example 8-24, and it fails.

Example 8-24 Failed Ping from PC1 to Destination Outside LAN

C:\PC1>ping 192.0.2.1
Pinging 192.0.2.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.0.2.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

You ping the default gateway of PC1, which is the virtual router IP address of 10.1.1.62, as shown in Example 8-25, and it is successful.

Example 8-25 Successful Ping from PC1 to Default Gateway

C:\PC1>ping 10.1.1.62
Reply from 10.1.1.62: bytes=32 time<1ms TTL=128
Reply from 10.1.1.62: bytes=32 time<1ms TTL=128
Reply from 10.1.1.62: bytes=32 time<1ms TTL=128
Reply from 10.1.1.62: bytes=32 time<1ms TTL=128
Ping statistics for 10.1.1.62:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

So far, you have confirmed that connectivity beyond the default gateway is not possible but that connectivity to the default gateway is. You decide to use traceroute to determine which router is currently the active forwarder. Example 8-26 confirms that it is SW1 at 10.1.1.1. However, notice how no other hop is displayed and you receive a destination host unreachable message from 10.1.1.1. Keep this in mind; we will come back to it.

Example 8-26 A Trace from PC1 Confirming That SW1 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     4 ms     2 ms     2 ms  10.1.1.1
  2  10.1.1.1  reports: Destination host unreachable.
Trace complete.

Next you need to confirm that SW1 is in fact the active forwarder by reviewing the output of HSRP show commands. Example 8-27 displays the output of show standby brief on SW1. Notice that under the Active column it states local and that under the Standby column it displays 10.1.1.2, which is the IP address of the standby router, SW2.

Example 8-27 show standby brief Command Output on SW1

SW1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   109 P Active  local           10.1.1.2        10.1.1.62

Review Example 8-26 again. Remember how the tracert command output is failing at SW1? This is a good indication that SW1 cannot route the packet to 192.0.2.1. You issue the show ip route command on SW1, as shown in Example 8-28. All you see are connected and local routes. However, there is no connected route for Gig1/0/10, nor are there any routes learned from a neighboring router in the core on Gig1/0/10.

Example 8-28 show ip route Command Output on SW1

SW1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.1.1.0/26 is directly connected, Vlan10
L        10.1.1.1/32 is directly connected, Vlan10
C        10.1.1.64/26 is directly connected, Vlan20
L        10.1.1.65/32 is directly connected, Vlan20

You issue the command show ip interface brief | exclude unassigned, as shown in Example 8-29, on SW1 and notice that Gig1/0/10 is down/down. There is an issue between SW1 and the core. You escalate the problem because it is beyond your control. However, you need to determine in the meantime why HSRP did not successfully fail over to SW2 as the active forwarder for group 10 in case this happens again.

Example 8-29 show ip interface brief | exclude unassigned Command Output on SW1

SW1#show ip int brief | ex unassigned
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 10.1.1.1        YES NVRAM  up                    up
Vlan20                 10.1.1.65       YES NVRAM  up                    up
GigabitEthernet1/0/10  10.1.10.2       YES NVRAM  down                  down

Interface tracking is a feature that allows an HSRP-enabled router to decrement its priority by a specified value if the status of an interface goes down. This ensures that the active forwarder does not maintain the active status if it is not fit to do so. If it did, it might black-hole traffic, as it did in this scenario. Using the command show standby on SW1 indicates that you are tracking interface Gigabit Ethernet 1/0/10, as shown in Example 8-30. It also shows that it is down and that the current priority is 109 instead of the configured 110.

Example 8-30 show standby Command Output on SW1

SW1#show standby
Vlan10 - Group 10
  State is Active
    8 state changes, last state change 00:14:11
  Virtual IP address is 10.1.1.62
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.736 secs
  Preemption enabled
  Active router is local
  Standby router is 10.1.1.2, priority 100 (expires in 7.760 sec)
  Priority 109 (configured 110)
    Track interface GigabitEthernet1/0/10 state Down decrement 1
  Group name is "hsrp-Vl10-10" (default)
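The three tickets so far come down to the same arithmetic: the router with the highest effective priority should be active, tracking lowers the configured priority by the decrement (it does not set a new priority), and a higher-priority router only takes over a running active router if it preempts. The following Python is an added example, not code from the book or from Cisco. It parses the fields of show standby that the tickets rely on and re-derives who should be active, so that a mistyped priority (Ticket 8-1), a missing preempt (Ticket 8-2) and a decrement too small to drop below the peer (the decrement of 1 in Example 8-30, which leaves SW1 at 109 against SW2's 100) can be caught by script. Switch names, IP addresses and the sample show standby text are taken from the tickets; the function and class names, the SW2 standby record and the fixed-up SW1 records are this example's own assumptions.

```python
"""Model of the HSRP active-router decision used in Trouble Tickets 8-1 to 8-3.

Added example, not code from the book: it parses the fields of 'show standby'
that the tickets rely on and re-derives who should be active. Member names,
IPs and the SHOW_STANDBY_SW1 sample follow the tickets; helper names are this
example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class HsrpMember:
    name: str
    ip: str
    configured_priority: int
    preempt: bool
    track_state: str = "Up"   # state of the tracked interface: "Up" or "Down"
    decrement: int = 0        # subtracted from configured_priority while Down
    is_active: bool = False   # currently the active forwarder

    @property
    def effective_priority(self) -> int:
        # Tracking lowers the priority by the decrement; it never sets a fixed value.
        if self.track_state == "Down":
            return self.configured_priority - self.decrement
        return self.configured_priority


# Constructed sample in the layout of Example 8-30 (SW1 during Ticket 8-3).
SHOW_STANDBY_SW1 = """\
Vlan10 - Group 10
  State is Active
    8 state changes, last state change 00:14:11
  Virtual IP address is 10.1.1.62
  Preemption enabled
  Active router is local
  Standby router is 10.1.1.2, priority 100 (expires in 7.760 sec)
  Priority 109 (configured 110)
    Track interface GigabitEthernet1/0/10 state Down decrement 1
  Group name is "hsrp-Vl10-10" (default)
"""


def parse_show_standby(text: str, name: str, ip: str) -> HsrpMember:
    """Extract priority, preemption and tracking state from 'show standby'."""
    pri = re.search(r"Priority (\d+) \(configured (\d+)\)", text)
    if pri is None:
        raise ValueError("no Priority line found")
    track = re.search(r"Track interface \S+ state (\w+) decrement (\d+)", text)
    member = HsrpMember(
        name=name,
        ip=ip,
        configured_priority=int(pri.group(2)),
        preempt="Preemption enabled" in text,
        track_state=track.group(1) if track else "Up",
        decrement=int(track.group(2)) if track else 0,
        is_active="Active router is local" in text,
    )
    # The current priority shown must equal what the tracking arithmetic predicts.
    if member.effective_priority != int(pri.group(1)):
        raise ValueError("current priority does not match tracking arithmetic")
    return member


def _ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


def expected_active(members):
    """Highest effective priority wins (higher IP breaks ties), but a router
    that is already active keeps the role unless a better candidate preempts."""
    incumbent = next((m for m in members if m.is_active), None)
    best = max(members, key=lambda m: (m.effective_priority, _ip_key(m.ip)))
    if incumbent is None or best is incumbent or best.preempt:
        return best
    return incumbent


def decrement_is_sufficient(member: HsrpMember, peer: HsrpMember) -> bool:
    """True if a tracked-interface failure would push member below peer."""
    return member.configured_priority - member.decrement < peer.configured_priority


def ticket_outcomes() -> dict:
    """Who ends up active in each trouble ticket, before and after the fix."""
    sw2 = HsrpMember("SW2", "10.1.1.2", 100, preempt=True, is_active=True)
    sw1_t1 = HsrpMember("SW1", "10.1.1.1", 10, preempt=True, decrement=11)
    sw1_t1_fixed = HsrpMember("SW1", "10.1.1.1", 110, preempt=True, decrement=11)
    sw1_t2 = HsrpMember("SW1", "10.1.1.1", 110, preempt=False, decrement=11)
    sw1_t2_fixed = HsrpMember("SW1", "10.1.1.1", 110, preempt=True, decrement=11)
    sw1_t3 = parse_show_standby(SHOW_STANDBY_SW1, "SW1", "10.1.1.1")
    sw2_standby = HsrpMember("SW2", "10.1.1.2", 100, preempt=True)
    sw1_t3_fixed = HsrpMember("SW1", "10.1.1.1", 110, preempt=True,
                              track_state="Down", decrement=11, is_active=True)
    return {
        "8-1": expected_active([sw1_t1, sw2]).name,
        "8-1 fixed": expected_active([sw1_t1_fixed, sw2]).name,
        "8-2": expected_active([sw1_t2, sw2]).name,
        "8-2 fixed": expected_active([sw1_t2_fixed, sw2]).name,
        "8-3": expected_active([sw1_t3, sw2_standby]).name,
        "8-3 decrement ok": decrement_is_sufficient(sw1_t3, sw2_standby),
        "8-3 fixed": expected_active([sw1_t3_fixed, sw2_standby]).name,
    }


if __name__ == "__main__":
    for ticket, outcome in ticket_outcomes().items():
        print(f"{ticket}: {outcome}")
```

The parser deliberately refuses output where the displayed priority does not equal configured priority minus the decrement, because that is exactly the cross-check the tickets perform by eye. decrement_is_sufficient is the one-line review you want before deploying tracking: the configured priority minus the decrement must land below the peer's priority, or the uplink failure will be detected and still not cause a failover.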

The problem in this case is clear. Interface tracking was configured incorrectly. It appears that whoever configured it thought that the decrement value identified what the new priority should be if the interface goes down. But in reality, it states how much to lower the configured priority by. In this case, the decrement value was set to 1, as verified in Example 8-31, which displays the output of show run interface vlan 10. Therefore, the configured priority is 110 and you subtract 1, which gives you 109.

Example 8-31 show run interface vlan 10 Command Output on SW1

SW1#show run interface vlan 10
Building configuration...

Current configuration : 163 bytes
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.192
 standby 10 ip 10.1.1.62
 standby 10 priority 110
 standby 10 preempt
 standby 10 track 1 decrement 1
end

After you solve this problem by changing the decrement value to a value of 11 or higher (so that the priority of SW1 will be 99 or lower), you will notice a syslog message on SW1 indicating that SW1 is no longer in the active state, and on SW2 you will see a syslog message indicating that it is now in the active state. These are examples of the syslog messages:

SW1#
%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Active -> Speak
SW1#
%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Speak -> Standby
SW1#

SW2#
%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active
SW2#

You then reissue the tracert command on PC1, and confirm that SW2 is the active forwarder, as shown in Example 8-32.

Example 8-32 A Trace from PC1 Confirming That SW2 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     3 ms     2 ms     4 ms  10.1.1.2

...output omitted...
  7    48 ms    40 ms    30 ms  192.0.2.1
Trace complete.

In addition, as a troubleshooter, you need to ping from a client to make sure that the problem is officially solved, as shown by the successful ping in Example 8-33.

Example 8-33 Successful Ping from PC1

C:\PC1>ping 192.0.2.1
Reply from 192.0.2.1: bytes=32 time<1ms TTL=128
Reply from 192.0.2.1: bytes=32 time<1ms TTL=128
Reply from 192.0.2.1: bytes=32 time<1ms TTL=128
Reply from 192.0.2.1: bytes=32 time<1ms TTL=128
Ping statistics for 192.0.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Troubleshooting VRRP

Virtual Router Redundancy Protocol (VRRP) is an IETF standard FHRP based on Cisco's HSRP protocol. Therefore, your knowledge of HSRP can transfer over to VRRP. However, although they are similar, VRRP and HSRP are not compatible. In addition, you need to understand the differences of VRRP so that you can successfully troubleshoot issues related to it. This section focuses on the behavior of VRRP and how to verify and troubleshoot VRRP issues.

Reviewing VRRP

Like HSRP, VRRP allows a collection of routers to service traffic destined for a single IP address. Unlike HSRP, the IP address serviced by a VRRP group does not have to be a unique/unused IP address. The IP address can be the address of a router's physical interface on the LAN. A VRRP virtual router identifier (VRID) is made up of a virtual master router and multiple routers acting as virtual router backups, as shown in Figure 8-4. (Note that the VRID is the same concept as an HSRP group.) The virtual master router is responsible for handing out the virtual MAC address associated with the LAN's default gateway IP address and forwarding traffic sent to the default gateway. The virtual router backups are waiting for the master to fail so that one of them can take over the virtual master router role.

Figure 8-4 Basic VRRP Operation (figure: SW1 Int VLAN 20, IP 10.1.1.65/26, Backup, uplink Gig 1/0/10; SW2 Int VLAN 20, IP 10.1.1.66/26, VRM, uplink Gig 1/0/10; VRRP GROUP 20, virtual IP 10.1.1.66; VRM = Virtual Router Master; SW3 connects PC1, IP 10.1.1.74/26, DG 10.1.1.66; core destination 192.0.2.1)

Examples 8-34 and 8-35 show the VRRP configuration for SW1 and SW2.

Example 8-34 VRRP Configuration on SW1

SW1#show run
...OUTPUT OMITTED...
interface vlan 20
 ip address 10.1.1.65 255.255.255.192
 vrrp 20 ip 10.1.1.66
...OUTPUT OMITTED...

Example 8-35 VRRP Configuration on SW2

SW2#show run
...OUTPUT OMITTED...
interface vlan 20
 ip address 10.1.1.66 255.255.255.192
 vrrp 20 ip 10.1.1.66
...OUTPUT OMITTED...

Notice in Examples 8-34 and 8-35 that the VRRP group IP address is the same as the SVI on SW2. As a result of this, SW2 will automatically be the virtual router master because it owns that IP address, regardless of what the priority is, because it will give itself a pri-

ority of 255 automatically.

VRRP Verification and Troubleshooting

When verifying a VRRP configuration or troubleshooting a VRRP issue, you should begin by determining the following information about the VRRP group under inspection:

■ Which router is the virtual router master?
■ How was the virtual router master chosen?
■ Which routers, if any, are configured with the preempt option? (Enabled by default)
■ What is the IP address of the virtual router?
■ What is the virtual MAC address?
■ Is object tracking on?

You can use the show vrrp brief command to show which interface is participating in a VRRP group. It identifies the VRRP group number, the priority of the interface, whether it owns the IP being used as the virtual router IP, and whether preemption is enabled. In addition, this command will identify the current state of the router along with the master address and the group address. Examples 8-36 and 8-37 show the output from the show vrrp brief command issued on SW1 and SW2.

Example 8-36 show vrrp brief Command Output on SW1

SW1#show vrrp brief
Interface   Grp Pri Time  Own Pre State   Master addr     Group addr
Vl20        20  100 3609      Y   Backup  10.1.1.66       10.1.1.66

Example 8-37 show vrrp brief Command Output on SW2

SW2#show vrrp brief
Interface   Grp Pri Time  Own Pre State   Master addr     Group addr
Vl20        20  255 3003  Y   Y   Master  10.1.1.66       10.1.1.66

In Examples 8-36 and 8-37, notice how SW2 is currently the master router for group 20. SW1 is in the backup state. You can also see that preemption is enabled and that SW2 owns the IP address that is being used as the virtual router IP address. Also make note that preemption is on by default. Therefore, you do not have to manually enable it. In addition, notice how SW2 has a priority of 255. In the previous configuration examples, we did not configure the priority. We kept it at the default of 100. By default, VRRP uses a priority of 100 like HSRP. In this case, it is 255 because SW2 owns the IP that is being used as the virtual IP address. When a router owns that IP address, it automatically changes its priority to 255 so that it becomes the virtual router master for the group.

In addition to an interface's VRRP group number, the priority, the state, and the VRRP group's virtual IP address, the show vrrp interface interface_type interface_number command also displays the VRRP group's virtual MAC address and the VRRP timers.

By default, VRRP timers are 1 second for the Advertisement interval and 3 seconds for the Master Down interval. Issuing this command on SW2, as shown in Example 8-38, shows that the virtual MAC address for VRRP group 20 is 0000.5e00.0114, the timers are default at 1 and 3, the priority is 255, and SW2 is the master router.

Example 8-38 show vrrp interface vlan 20 Command Output on SW2

SW2#show vrrp interface vlan 20
Vlan20 - Group 20
  State is Master
  Virtual IP address is 10.1.1.66
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 255
  Master Router is 10.1.1.66 (local), priority is 255
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.003 sec

Virtual Router MAC Address

The default virtual MAC address for a VRRP group, as shown in Figure 8-5, is based on the VRRP VRID, which is just a fancy way to identify the group number. Specifically, the virtual MAC address for a VRRP group begins with a vendor code of 0000.5e (IANA's organizationally unique identifier [OUI]), followed with a well-known VRRP address block of 00.01. The last two hexadecimal digits are the hexadecimal representation of the VRID (group) number. For example, a VRRP group of 20 yields a default virtual MAC address of 0000.5e00.0114, because 20 in decimal equates to 14 in hexadecimal.

Figure 8-5 VRRP Virtual MAC Address (figure: vendor code 0000.5e (IANA) | well-known VRRP code 00.01 | VRID (group) number in hex; VRRP VRID 20 = 0000.5e00.0114)

Object Tracking

Object tracking is a feature that most organizations will deploy when using VRRP. By default, VRRP will only detect a failure of the device itself or the path that is used by the hello packets. What about the uplinks from the routers running VRRP? If they fail, hello packets are still exchanged successfully, and the virtual master router is still available. However, if the uplink is down, packets are dropped at the virtual master router because it cannot forward them. This is where object tracking comes into play. Object tracking enables you to control the priority of a router in a VRRP group based on the status of an object. The object can be IP-related information such as a route, a group of objects, the

status of an SLA probe, and the status of an interface. If the object is anything but up, the priority of the router can be decremented to a value that is lower than the standby router, and because preemption is enabled by default, the standby router will take over as the virtual master router because it now has the higher priority.

You can use the show vrrp command to verify whether object tracking is configured, and the state of the tracked object, as shown in Example 8-39.

Example 8-39 show vrrp Command Output on Router SW2

SW2#show vrrp
VLAN 20 - Group 20
  State is Backup
  Virtual IP address is 10.1.1.126
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 99 (cfgd 110)
    Track object 1 state Down decrement 11
  Master Router is 10.1.1.65, priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.570 sec (expires in 3.026 sec)

In the case of Example 8-39, you can see that the tracked object 1 is in a state of down, and when it is down, it will decrement the priority by 11. You can see the current priority is 99 and the configured priority is 110 (110 - 11 = 99). However, you need to find out what the tracked object is specifically so that you can troubleshoot further. Using the command show track you can verify what tracked object number 1 is tracking. In Example 8-40, you can verify that it is the status of the line protocol on interface Gigabit Ethernet 1/0/10. It is admin-down and being tracked by VRRP group 20.

Example 8-40 show track Command Output on Router SW2

SW2#show track
Track 1
  Interface GigabitEthernet1/0/10 line-protocol
  Line protocol is Down (hw admin-down)
    2 changes, last change 00:05:13
  Tracked by:
    VRRP VLAN20 20

Now you would have to troubleshoot why the interface is down, which is beyond the scope of our VRRP discussion.

Verifying First Hop

Once you know the current VRRP configuration, you might then check to see whether a host on the VRRP virtual IP address's subnet can ping the virtual IP address. Based on the topology previously shown in Figure 8-4, Example 8-41 shows a successful ping from PC1.

Chapter 8: Troubleshooting First-Hop Redundancy Protocols 311

Example 8-41 Ping Test from PC1 to the VRRP Virtual IP Address
C:\PC1>ping 10.1.1.66
Pinging 10.1.1.66 with 32 bytes of data:
Reply from 10.1.1.66: bytes=32 time=1ms TTL=255
Reply from 10.1.1.66: bytes=32 time=2ms TTL=255
Reply from 10.1.1.66: bytes=32 time=1ms TTL=255
Reply from 10.1.1.66: bytes=32 time=1ms TTL=255
Ping statistics for 10.1.1.66:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

However, that does not prove that we are using the virtual MAC address and VRRP. Therefore, from the client, you should also verify the virtual MAC address learned by the client corresponds to the virtual MAC address reported by the VRRP virtual router master. Example 8-42 shows Workstation A's ARP cache entry for the VRRP virtual IP address of 10.1.1.66. Notice in the output that the MAC address learned via ARP does match the VRRP virtual MAC address of the master router.

Example 8-42 PC1 ARP Cache
C:\PC1>arp -a
Interface: 10.1.1.74 --- 0x4
  Internet Address      Physical Address      Type
  10.1.1.66             00-00-5e-00-01-14     dynamic

However, as discussed with HSRP, one of the best tools to use with FHRPs to verify the path is traceroute. With traceroute, you can identify the physical first-hop router that the packets are traversing. Example 8-43 displays the tracert command executed on PC1. Notice that it states that the first hop is 10.1.1.66. This is the IP address of SW2's VLAN 20 SVI. Therefore, you can conclude that SW2 is the virtual router master at the moment.

Example 8-43 A Trace from PC1 Confirming That SW2 Is the First Hop (Virtual Router Master)
C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     7 ms    <1 ms     2 ms  10.1.1.66
...output omitted...
Trace complete.

Suppose, however, that a failure happened and SW1 became the virtual router master. The ARP cache would still be the same on PC1; however, the output of tracert on the PC would now display that the first hop is 10.1.1.65, as shown in Example 8-44.

Example 8-44 A Trace from PC1 Confirming That SW1 Is the First Hop (Virtual Router Master)
C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     7 ms    <1 ms     2 ms  10.1.1.65
...output omitted...
Trace complete.

VRRP Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 8-6.

Figure 8-6 VRRP Trouble Ticket Topology (figure not reproduced; it shows SW1 with interface VLAN 20 at 10.1.1.65/26 and Gig 1/0/10 at 10.1.2.1/26, SW2 with interface VLAN 20 at 10.1.1.66/26 and Gig 1/0/10 at 10.1.2.2/26, VRRP group 20 with SW2 as VRM at IP 10.1.1.66 and SW1 as backup, PC1 at 10.1.1.74/26 with DG 10.1.1.66 connected through SW3, and a core address of 192.0.2.1; VRM = Virtual Router Master)

Trouble Ticket 8-4
Problem: According to traffic statistics, all traffic for VLAN 20 is flowing through SW1 to reach the core instead of SW2.

You start by verifying the problem from PC1 on VLAN 20. In this case, the best tool is traceroute because it will identify the router hops (real IPs) along the path. All you care about is the first hop: is it 10.1.1.65 or 10.1.1.66? This will identify whether traffic is flowing through SW1 or SW2 to reach the core. Example 8-45 indicates that SW1 should be the VRRP virtual router master for the 10.1.1.64/26 network, because it was the first hop returned for the tracert command.

Example 8-45 A Trace from PC1 Confirming That SW1 Is the First Hop (Master)
C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     2 ms     2 ms     1 ms  10.1.1.65
...output omitted...
Trace complete.

Reviewing Figure 8-6 indicates that SW2 should be the virtual router master of the group. Next you need to confirm that this is in fact true by reviewing the output of VRRP show commands. Example 8-46 displays the output of show vrrp brief on SW1. Notice that under the State column it states Backup and the Master addr is 10.1.1.66, which is also the virtual IP address for the group. Therefore, SW1 is not the VRRP master, even though it is being used as the first hop.

Example 8-46 show vrrp brief Command Output on SW1
SW1#show vrrp brief
Interface   Grp Pri Time  Own Pre State   Master addr     Group addr
Vl20        20  100 3609      Y   Backup  10.1.1.66       10.1.1.66

Now is an excellent time to review the output of show vrrp brief on SW2 to verify this. Example 8-47 indicates that SW2 is in the master state, and it appears that it is.

Example 8-47 show vrrp brief Command Output on SW2
SW2#show vrrp brief
Interface   Grp Pri Time  Own Pre State   Master addr     Group addr
Vl20        20  255 3003  Y   Y   Master  10.1.1.66       10.1.1.66

What would be causing SW1 and SW2 to be in their correct states, yet the wrong device being used as the first hop? Recall that when a client makes an ARP request for the VRRP group MAC address, the virtual router master will respond with the group MAC address. In this case, it should be 0000.5e00.0114 for group 20. On PC1, you issue the arp -a command, as shown in Example 8-48, to verify the MAC address being used by the client for the 10.1.1.66 address. It does not appear that the client is learning a VRRP MAC address, because none of the MAC addresses listed start with 0000.5e00.01. Also notice how the Internet address listed is 10.1.1.65 with a MAC of 28-93-fe-3a-e3-43. That is the IP and MAC address of interface VLAN 20 on SW1, as shown in Example 8-49, which displays the output of the show interface vlan 20 command.

Example 8-48 Verifying PC1's ARP Cache
C:\PC1>arp -a
Interface: 10.1.1.74 --- 0x2
  Internet Address      Physical Address      Type
  10.1.1.65             28-93-fe-3a-e3-43     dynamic

Example 8-49 Verifying SW1's SVI IP Address and MAC Address
SW1#show interface vlan 20
Vlan20 is up, line protocol is up
  Hardware is EtherSVI, address is 2893.fe3a.e343 (bia 2893.fe3a.e343)
  Internet address is 10.1.1.65/26
...output omitted...

From the show commands you just reviewed, it appears that the PCs might be configured with the wrong default gateway IP address. Using the command ipconfig on PC1, you confirm that the default gateway is 10.1.1.65 and not 10.1.1.66, as shown in Example 8-50.

Example 8-50 Verifying the Default Gateway on PCs
C:\PC1>ipconfig
Windows IP Configuration
Ethernet adapter PC1:
   Connection-specific DNS Suffix . :
   IP Address. . . . . . . . . . . . : 10.1.1.74
   Subnet Mask . . . . . . . . . . . : 255.255.255.192
   IP Address. . . . . . . . . . . . : 2001:20::20
   IP Address. . . . . . . . . . . . : fe80::a00:27ff:fea2:ce47%4
   Default Gateway . . . . . . . . . : 10.1.1.65

You contact the administrator of the DHCP server and inform him of the issue. It seems as if they are using 10.1.1.65 as the default gateway address instead of the VRRP virtual IP of 10.1.1.66. After the adjustments are made and the clients have the correct default gateway, as shown in Example 8-51, you reissue the tracert command and confirm that SW2 (10.1.1.66) is being used as the first hop, as shown in Example 8-51 as well.

Example 8-51 Verifying the Default Gateway on PCs After Adjustments
C:\PC1>ipconfig
Windows IP Configuration
Ethernet adapter PC1:
   Connection-specific DNS Suffix . :
   IP Address. . . . . . . . . . . . : 10.1.1.74

   Subnet Mask . . . . . . . . . . . : 255.255.255.192
   IP Address. . . . . . . . . . . . : 2001:20::20
   IP Address. . . . . . . . . . . . : fe80::a00:27ff:fea2:ce47%4
   Default Gateway . . . . . . . . . : 10.1.1.66

C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     2 ms     2 ms     2 ms  10.1.1.66
...output omitted...
Trace complete.

However, it is important that you confirm the correct VRRP MAC address is being used by checking the ARP cache on the PCs. In Example 8-52, you confirm with the arp -a command that the MAC address of 0000.5e00.0114 for group 20 is being used.

Example 8-52 Verifying PC1's ARP Cache After Adjustments
C:\PC1>arp -a
Interface: 10.1.1.74 --- 0x2
  Internet Address      Physical Address      Type
  10.1.1.66             00-00-5e-00-01-14     dynamic

Trouble Ticket 8-5
Problem: According to traffic statistics, all traffic for VLAN 20 is flowing through SW3, SW1, and then SW2 and routed out to the core when the uplink between SW3 and SW2 goes down. If the uplink between SW3 and SW2 is not available, SW1 should become the VRRP virtual router master so that traffic flow is optimized in the LAN. (Note that the default gateway IP address differs from the previous figures.)

You start verifying the problem by shutting down the link between SW3 and SW2, as shown in Figure 8-7. You then trace the path from PC1 to an IP address outside the LAN. All you care about is the first hop: is it 10.1.1.65 or 10.1.1.66? This will identify whether traffic is flowing through SW1 or SW2 to reach the core. Example 8-53 indicates that SW2 is in fact the VRRP virtual router master for the 10.1.1.64/26 network, because it was the first hop returned for the tracert command.

Example 8-53 A Trace from PC1 Confirming That SW2 Is the First Hop (Master)
C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     3 ms     1 ms     2 ms  10.1.1.66
...output omitted...
Trace complete.

Figure 8-7 VRRP Suboptimal Traffic Flow Topology (figure not reproduced; it shows SW1 with interface VLAN 20 at 10.1.1.65/26 and Gig 1/0/10 at 10.1.2.1/26 in the backup role, SW2 with interface VLAN 20 at 10.1.1.66/26 and Gig 1/0/10 at 10.1.2.2/26 as VRM, VRRP group 20 with VRM IP 10.1.1.126, the SW3-to-SW2 uplink on Gi1/0/2 shut down, PC1 at 10.1.1.74/26 with DG 10.1.1.126 connected through SW3, and a core address of 192.0.2.1; VRM = Virtual Router Master)

Next you need to confirm that this is in fact true by reviewing the output of VRRP show commands. Example 8-54 displays the output of show vrrp brief on SW2. Notice that under the State column it states Master and the Master addr is 10.1.1.66 (SW2) for the group address 10.1.1.126. All looks fine so far.

Example 8-54 show vrrp brief Command Output on SW2
SW2#show vrrp brief
Interface   Grp Pri Time  Own Pre State   Master addr     Group addr
Vl20        20  100 3570      Y   Master  10.1.1.66       10.1.1.126

Next you review the output of show vrrp, as shown in Example 8-55. In this output, you notice that SW2 is the master but that there is a problem with the priority. The configured priority is 110, but the current is 100. As a result, it has been decremented dynamically. This can be verified with the tracked object that is currently down. It indicates that the tracking object 1 is down, and when it is down, the priority will be decremented by 10 (110 – 10 = 100).

Example 8-55 show vrrp Command Output on SW2
SW2#show vrrp
Vlan20 - Group 20
  State is Master

  Virtual IP address is 10.1.1.126
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100 (cfgd 110)
    Track object 1 state Down decrement 10
  Master Router is 10.1.1.66 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.570 sec

What is tracking object 1? To verify, you execute the show track command on SW2, as shown in Example 8-56. As Example 8-56 displays, the output of show track indicates that you are tracking the line protocol of Gigabit Ethernet 1/0/2 for VRRP on interface VLAN 20 for group 20. Gigabit Ethernet 1/0/2 is down, and as a result, VRRP decremented the priority by 10, as you saw in Example 8-55. However, at this point in time, SW2 is still the virtual router master for group 20 even though the priority is being decremented. If that is the case, why is SW2 the virtual router master?

Example 8-56 show track Command Output on SW2
SW2#show track
Track 1
  Interface GigabitEthernet1/0/2 line-protocol
  Line protocol is Down (hw down)
    6 changes, last change 01:39:45
  Tracked by:
    VRRP Vlan20 20

Next you verify the priority on SW1 with the show vrrp command, as shown in Example 8-57. The output clearly shows that the priority of SW1 is 100, which is the same as SW2. Reviewing the output of show vrrp for SW1 and SW2 identifies that preemption is enabled, and the priority is tied. When priority is tied, just like HSRP, the IP address of the LAN interface participating in VRRP is used as the tiebreaker. Because SW2 has the higher LAN IP address, it is the virtual router master.

Example 8-57 show vrrp Command Output on SW1
SW1#show vrrp
Vlan20 - Group 20
  State is Backup
  Virtual IP address is 10.1.1.126
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 10.1.1.66, priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.575 sec)
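The election logic of Trouble Ticket 8-5 (priority decrement on a tracked object, highest-IP tiebreak) and the client-side check of Trouble Ticket 8-4 (default gateway and ARP entry versus the virtual IP and MAC) are small enough to model. The following is an added example, not code from the book; the router and PC values are constructed from the chapter's examples, and clamping the decremented priority at 1 is an assumption of the model.

```python
"""Added example (not from the book): a small model of the VRRP behaviour
covered in Trouble Tickets 8-4 and 8-5.  Router and PC values are constructed
from the chapter's examples; the clamp of the effective priority at 1 is an
assumption of this model."""
from dataclasses import dataclass
from ipaddress import IPv4Address


def vrrp_virtual_mac(group: int) -> str:
    """Well-known VRRP virtual MAC: 0000.5e00.01 followed by the group in hex
    (group 20 -> 0000.5e00.0114, as in Example 8-39)."""
    if not 1 <= group <= 255:
        raise ValueError("VRRP group must be 1-255")
    return f"0000.5e00.01{group:02x}"


@dataclass
class VrrpRouter:
    name: str
    ip: str                    # IP of the LAN interface running VRRP
    configured_priority: int   # 'vrrp 20 priority N'
    track_up: bool = True      # state of the tracked object, if any
    decrement: int = 0         # 'vrrp 20 track 1 decrement N'

    def effective_priority(self) -> int:
        """Priority as shown by 'show vrrp': cfgd minus the decrement while the
        tracked object is down (clamped at 1 in this model)."""
        if self.track_up:
            return self.configured_priority
        return max(self.configured_priority - self.decrement, 1)


def elect_master(routers):
    """Highest effective priority wins; on a tie the highest LAN interface IP
    wins, which is why SW2 (10.1.1.66) stays master in Example 8-57."""
    return max(routers, key=lambda r: (r.effective_priority(), IPv4Address(r.ip)))


def check_client_gateway(default_gw, arp_table, vip, group):
    """Findings about a client's first hop, from its 'ipconfig' default gateway
    and its 'arp -a' table ({ip: 'xx-xx-xx-xx-xx-xx'}).  An empty list means the
    client uses the virtual IP and resolves it to the VRRP virtual MAC."""
    findings = []
    if default_gw != vip:
        findings.append(f"default gateway {default_gw} is not the VRRP virtual IP {vip}")
    mac = arp_table.get(vip)
    expected = vrrp_virtual_mac(group)
    if mac is None:
        findings.append(f"no ARP entry for the virtual IP {vip}")
    elif mac.replace("-", "").lower() != expected.replace(".", ""):
        findings.append(f"ARP entry for {vip} is {mac}, expected virtual MAC {expected}")
    return findings


# Constructed from Trouble Ticket 8-5: SW2's uplink is down, so its priority is
# decremented from 110 and, with 'decrement 10', ties with SW1's 100.
SW1 = VrrpRouter("SW1", "10.1.1.65", 100)
SW2_BEFORE = VrrpRouter("SW2", "10.1.1.66", 110, track_up=False, decrement=10)
SW2_AFTER = VrrpRouter("SW2", "10.1.1.66", 110, track_up=False, decrement=11)

if __name__ == "__main__":
    print("group 20 vMAC:", vrrp_virtual_mac(20))
    print("master with decrement 10:", elect_master([SW1, SW2_BEFORE]).name)
    print("master with decrement 11:", elect_master([SW1, SW2_AFTER]).name)
    # Trouble Ticket 8-4: PC1 points at SW1's SVI instead of the virtual IP.
    print(check_client_gateway("10.1.1.65", {"10.1.1.65": "28-93-fe-3a-e3-43"}, "10.1.1.66", 20))
    print(check_client_gateway("10.1.1.66", {"10.1.1.66": "00-00-5e-00-01-14"}, "10.1.1.66", 20))
```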

How can you make sure that SW1 takes over as the virtual router master if the uplink between SW3 and SW2 fails? In this case, make sure that the priority of SW2 is dropped below that of SW1. On SW2, you issue the vrrp track 1 decrement 11 command in interface VLAN 20 configuration mode. As soon as you do this, a syslog message is displayed on SW2, as follows:

%VRRP-6-STATECHANGE: Vl20 Grp 20 state Master -> Backup

On SW1, the following syslog message is displayed:

%VRRP-6-STATECHANGE: Vl20 Grp 20 state Backup -> Master

You now reissue the tracert command on PC1 to verify the first hop, as shown in Example 8-58. It is now SW1.

Example 8-58 A Trace from PC1 Confirming That SW1 Is the First Hop (Master)
C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     2 ms     2 ms     2 ms  10.1.1.65
...output omitted...
Trace complete.

Next you enable the interface between SW3 and SW2 with the no shutdown command and receive the following syslog messages on SW2:

%TRACKING-5-STATE: 1 interface Gi1/0/2 line-protocol Down->Up
%VRRP-6-STATECHANGE: Vl20 Grp 20 state Backup -> Master

Because the interface is up, the tracking object is up, which means that SW2's priority goes back to 110, and SW2 becomes the virtual router master. You then reissue the tracert command on PC1 to verify the first hop, as shown in Example 8-59. It is now SW2.

Example 8-59 A Trace from PC1 Confirming That SW2 Is the First Hop (Master)
C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     2 ms     2 ms     2 ms  10.1.1.66
...output omitted...
Trace complete.

Troubleshooting GLBP
Whereas HSRP can only have one active forwarder for each group, Gateway Load Balancing Protocol (GLBP) can have multiple forwarders for each group. Therefore, GLBP can load balance traffic destined for a next-hop gateway across a collection of routers within the GLBP group. This section explains the GLBP active virtual gateway (AVG) and active virtual forwarder (AVF) concepts and how to verify and troubleshoot issues related to GLBP.

Reviewing GLBP
With GLBP, there is one AVG and up to four AVFs in a group. Note that the AVG is usually an AVF as well. The AVG is responsible for handing out the AVF MAC addresses to the hosts in the LAN. Specifically, it is responsible for replying to ARP requests for the MAC address of the default gateway. The AVFs are responsible for processing the frames that are sent to their MAC address.

Figure 8-8 shows a GLBP topology example. As you can see from Figure 8-8, R1 is the AVG, and R1 and R2 are AVFs. The virtual router IP address that will be used as the default gateway on all the hosts is 10.1.1.62. When Workstation A sends an ARP request for the MAC address of 10.1.1.62, R1 (AVG) responds with the MAC of 0007.b400.0a01. When Workstation B sends an ARP request for the MAC address of 10.1.1.62, R1 (AVG) responds with the MAC of 0007.b400.0a02. The next workstation that sends an ARP request will get 0007.b400.0a01 and then 0007.b400.0a02, and so on. This is the default behavior known as round-robin, which can be changed with the glbp group_id load-balancing interface configuration command. The other options are host-dependent and weighted. Therefore, Workstation A sends default gateway destined traffic to R1, and Workstation B sends default gateway destined traffic to R2.

Figure 8-8 Basic GLBP Operation (figure not reproduced; it shows R1 at Gi0/0 10.1.1.1 as Active Virtual Gateway (AVG) and Active Virtual Forwarder (AVF) with Virtual MAC 0007.b400.0a01 and an uplink Gi3/0 to the core, R2 at Gi0/0 10.1.1.2 as AVF with Virtual MAC 0007.b400.0a02, a shared GLBP IP Address of 10.1.1.62, Workstation A at 10.1.1.10 and Workstation B at 10.1.1.20 each using Next-Hop GW 10.1.1.62, with R1 answering their ARP requests with 0007.b400.0a01 and 0007.b400.0a02 respectively, and a core address of 192.0.2.1)

Examples 8-60 and 8-61 show the possible GLBP configurations for routers R1 and R2.

Example 8-60 Possible GLBP Configuration on Router R1
R1#show run interface gigabitethernet 0/0
Building configuration...

Current configuration : 269 bytes
!

interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.192
 glbp 10 ip 10.1.1.62
 glbp 10 priority 150
 glbp 10 preempt
 glbp 10 weighting 110 lower 90 upper 100
 glbp 10 load-balancing weighted
end

Example 8-61 Possible GLBP Configuration on Router R2
R2#show run interface gigabitethernet 0/0
Building configuration...

Current configuration : 237 bytes
!
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.192
 glbp 10 ip 10.1.1.62
 glbp 10 preempt
 glbp 10 weighting 100 lower 80
 glbp 10 load-balancing weighted
end

Notice that both routers R1 and R2 have been configured with the same virtual IP address of 10.1.1.62 for GLBP group 10. Router R1 is configured to be the AVG with a higher priority using the glbp 10 priority 150 command. Router R2 has a default GLBP priority of 100. Also, notice that both routers are configured with the glbp 10 preempt command. This ensures that the router with the higher priority will be the AVG. Remember that preemption is not enabled by default for the AVG election process, and with GLBP, higher-priority values are more preferable.

The last two commands in Examples 8-60 and 8-61 relate to the AVFs and how their MAC addresses will be handed out to hosts on the LAN by the AVG, and whether they will be allowed to forward traffic. By default, the MACs will be handed out in a round-robin fashion. However, in these examples, load balancing has been configured to weighted. This means that the initial weighting value defined in the glbp 10 weighting command will determine the ratio that will be used to hand out MAC addresses. In this case, the AVG will hand out the MAC addresses in a 110:100 ratio, or 11:10 ratio. This means that R1's virtual MAC address will be given to clients 11 times for every 10 times that R2's virtual MAC address will be given out. Therefore, R1 will handle more hosts on average than R2.

The lower and upper values are related to when the AVF will lose its ability to forward traffic for its virtual MAC address and when it will regain its ability to forward traffic for its virtual MAC address. Referring to Example 8-60 again, notice that R1's lower limit is 90. This means that R1 will lose its ability to forward traffic for its virtual MAC address if its weighting drops below 90. It will regain its ability to forward traffic for its virtual MAC address if its weighting goes back above 100. The initial weighting

value is 110. Notice that R2 in Example 8-61 has no upper weighting, which means that it is the same as the initial weighting.

GLBP Verification and Troubleshooting
When verifying a GLBP configuration or troubleshooting a GLBP issue, begin by determining the following information about the GLBP group under inspection:
■ Which router is the AVG?
■ Which routers are the AVFs?
■ How was the AVG chosen?
■ Which routers, if any, are configured with the preempt option?
■ What is the IP address of the virtual router?
■ What are the AVFs' virtual MAC addresses?
■ Is object tracking on?

The show glbp brief command displays a great deal of GLBP information. Examples 8-62 and 8-63 provide samples of the show glbp brief command. The output identifies the interfaces that are participating in a GLBP group. It identifies who the AVFs are under the Fwd column. The – refers to the AVG information, in this case the top row, and the numbers 1 and 2 refer to the AVFs in the group. The Priority column is used to display the priority used during the AVG election process. The State column identifies the state of the device for the group. If it is the AVG row, active means that it is the AVG, and standby means that it is waiting to become the AVG if the AVG fails. For the second and third rows, it is referring to the state of the AVF. In these examples, active means that the router is forwarding for the virtual MAC address in the Address column. Listen means that the router is waiting to take over the forwarding process for the virtual MAC address in the Address column if the router listed in the Active router column is no longer able to forward traffic for the virtual MAC address.

Example 8-62 show glbp brief Command Output on Router R1
R1#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Gi0/0       10   -   150 Active   10.1.1.62       local           10.1.1.2
Gi0/0       10   1   -   Active   0007.b400.0a01  local           -
Gi0/0       10   2   -   Listen   0007.b400.0a02  10.1.1.2        -

Example 8-63 show glbp brief Command Output on Router R2
R2#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Gi0/0       10   -   100 Standby  10.1.1.62       10.1.1.1        local
Gi0/0       10   1   -   Listen   0007.b400.0a01  10.1.1.1        -
Gi0/0       10   2   -   Active   0007.b400.0a02  local           -

The show glbp command output provides significant details about the GLBP groups, as shown in Example 8-64. In the output, you can verify the group number and the interface associated with it. You can determine whether it is the AVG based on whether it is active or standby. The virtual IP address, the hello and hold timers, and the status of preemption are also listed. Depending on the state of the device, you will be able to verify the active or standby router's IP address and its priority. You will also be able to see your current local priority and the configured priority. This is a great command to verify the weighting values, the type of load balancing being used, and the members of the group, which are identified by their physical MAC address and IP address associated with the interface participating in the GLBP group.

Example 8-64 show glbp Command Output on Router R1
R1#show glbp gigabitethernet0/0
GigabitEthernet0/0 - Group 10
  State is Active
    1 state change, last state change 00:31:34
  Virtual IP address is 10.1.1.62
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.568 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is 10.1.1.2, priority 100 (expires in 9.984 sec)
  Priority 150 (configured)
  Weighting 110 (configured 110), thresholds: lower 90, upper 100
    Track object 1 state Up decrement 25
  Load balancing: weighted
  Group members:
    ca12.0854.0008 (10.1.1.2)
    ca13.0854.0008 (10.1.1.1) local
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Active
      3 state changes, last state change 00:03:35
    MAC address is 0007.b400.0a01 (default)
    Owner ID is ca13.0854.0008
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 110
  Forwarder 2
    State is Listen
    MAC address is 0007.b400.0a02 (learnt)
    Owner ID is ca12.0854.0008
    Redirection enabled, 600.000 sec remaining (maximum 600 sec)
    Time to live: 14400.000 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 10.1.1.2 (primary), weighting 100 (expires in 11.232 sec)

Still referring to Example 8-64, focus on the area related to the forwarders. This information is related to the AVFs in the group. In this case, you can verify that there are two AVFs. This router is currently active for Forwarder 1, meaning that it is forwarding for the MAC address 0007.b400.0a01 that is listed. It also states who the current owner is of the virtual MAC address, based on the physical MAC address of the device. The owner is the device currently responsible for forwarding traffic for the virtual MAC address. R1 is in the listen state for Forwarder 2, meaning that it is waiting for the current owner of the virtual MAC 0007.b400.0a02 to no longer be able to forward for the MAC so that it can take over.

Virtual Router MAC Addresses
The default virtual MAC address for the AVFs in a GLBP group is based on the group number and the AVF forwarder ID within the group, as shown in Figure 8-9. Specifically, the virtual MAC address for a GLBP group begins with a well-known GLBP code of 0007.b400. The next two hexadecimal digits represent the group number. The last two hexadecimal digits represent the forwarder ID within the group. For example, a GLBP group of 43 yields a default virtual MAC address for AVF 1 of 0007.b400.2b01, because 43 in decimal equates to 2b in hexadecimal. For AVF 2, it would be 0007.b400.2b02, and for AVF 3, it would be 0007.b400.2b03.

Figure 8-9 GLBP Virtual MAC Address (figure not reproduced; it breaks down 0007.b400.2b02 for GLBP group 43 into the well-known GLBP code 0007.b400, the group ID in hex 2b, and the AVF number 02)

GLBP Object Tracking
As with VRRP, GLBP will only detect a failure of the device itself or the path that is used by the hello packets. That is perfectly fine for the AVG because a failure of an uplink outside the LAN will not affect the AVG because hello packets are still exchanged successfully. Well, what about the AVFs? If the uplinks fail, and the AVG is still reachable, the AVF cannot forward packets for the virtual IP and MAC it owns. This is where object tracking comes into play for the AVFs: to cover this case, you can implement object tracking. Object tracking allows you to control the weighting of an AVF in a GLBP group based on the status of an object. The object can be IP-related information such as a route, a group of objects, the status of an SLA probe, and the status of an interface. If the object is anything but up, the weight of the router can be decremented to a value that is lower than a configured threshold so that another AVF can forward on behalf of the router that cannot.

You can use the show glbp command to verify whether object tracking is configured, and the state of the tracked object, as shown in Example 8-65.
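The virtual MAC layout of Figure 8-9, the weighting thresholds of Example 8-60, and the 11:10 hand-out ratio described for weighted load balancing can all be checked with a few lines of code. This is an added example, not the book's code; the smooth weighted round-robin scheduler used to illustrate the ratio is a standard algorithm, not a statement about how IOS internally selects the virtual MAC to hand out, and treating "goes back above the upper threshold" as reaching the threshold is an assumption noted in the code.

```python
"""Added example (not the book's code): GLBP helpers for the virtual MAC
format, the AVF weighting/threshold hysteresis and the weighted hand-out
ratio.  Assumptions are marked in the comments."""
from typing import Optional


def glbp_virtual_mac(group: int, forwarder: int) -> str:
    """0007.b400 (well-known GLBP code) + group number in hex + forwarder ID,
    as in Figure 8-9: group 43, AVF 2 -> 0007.b400.2b02.  Only groups that fit
    in the two hex digits described in the text are accepted here."""
    if not 0 <= group <= 255:
        raise ValueError("group number must fit in two hex digits")
    if not 1 <= forwarder <= 4:
        raise ValueError("GLBP allows up to four AVFs per group")
    return f"0007.b400.{group:02x}{forwarder:02x}"


class GlbpAvf:
    """Weighting/threshold behaviour of an AVF ('glbp 10 weighting 110 lower 90
    upper 100' in Example 8-60).  When no upper threshold is configured it is
    taken to equal the initial weighting, as the text states for R2."""

    def __init__(self, weighting: int, lower: int, upper: Optional[int] = None,
                 decrement: int = 0) -> None:
        self.configured = weighting
        self.lower = lower
        self.upper = weighting if upper is None else upper
        self.decrement = decrement       # decrement applied while the object is down
        self.track_up = True
        self.forwarding = True

    @property
    def weighting(self) -> int:
        return self.configured - (0 if self.track_up else self.decrement)

    def update(self, weighting: int) -> bool:
        """Apply a weighting value and return whether the AVF may forward.
        Forwarding stops once the weight drops below 'lower' and resumes only
        when it climbs back to 'upper' (hysteresis).  Assumption: reaching the
        upper threshold is enough to resume, so that a router whose upper
        equals its maximum, like R2, can recover."""
        if self.forwarding and weighting < self.lower:
            self.forwarding = False
        elif not self.forwarding and weighting >= self.upper:
            self.forwarding = True
        return self.forwarding

    def set_track(self, up: bool) -> bool:
        """Tracked object went up or down (Example 8-64: decrement 25)."""
        self.track_up = up
        return self.update(self.weighting)


def weighted_round_robin(weights: dict, n: int) -> list:
    """Hand out n entries in proportion to the weights using smooth weighted
    round-robin; with {R1: 110, R2: 100} every 21 replies contain 11 of R1's
    MAC and 10 of R2's, the 11:10 ratio described in the text."""
    current = {k: 0 for k in weights}
    total = sum(weights.values())
    out = []
    for _ in range(n):
        for k, w in weights.items():
            current[k] += w
        pick = max(current, key=current.get)
        current[pick] -= total
        out.append(pick)
    return out


if __name__ == "__main__":
    print(glbp_virtual_mac(43, 2))
    r1 = GlbpAvf(110, lower=90, upper=100, decrement=25)
    print(r1.set_track(False), r1.weighting)   # weight 85 is below lower 90
    print(r1.set_track(True), r1.weighting)    # weight 110 reaches upper 100
    macs = weighted_round_robin({glbp_virtual_mac(10, 1): 110,
                                 glbp_virtual_mac(10, 2): 100}, 21)
    print(macs.count(glbp_virtual_mac(10, 1)), macs.count(glbp_virtual_mac(10, 2)))
```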

Example 8-65 show glbp Command Output on Router R1
R1#show glbp
GigabitEthernet0/0 - Group 10
  State is Active
    1 state change, last state change 00:31:34
  Virtual IP address is 10.1.1.62
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.568 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is 10.1.1.2, priority 100 (expires in 9.984 sec)
  Priority 150 (configured)
  Weighting 110 (configured 110), thresholds: lower 90, upper 100
    Track object 1 state Up decrement 25
  Load balancing: weighted
  Group members:
    ca12.0854.0008 (10.1.1.2)
    ca13.0854.0008 (10.1.1.1) local
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Active
      3 state changes, last state change 00:03:35
    MAC address is 0007.b400.0a01 (default)
    Owner ID is ca13.0854.0008
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 110
  Forwarder 2
    State is Listen
    MAC address is 0007.b400.0a02 (learnt)
    Owner ID is ca12.0854.0008
    Redirection enabled, 600.000 sec remaining (maximum 600 sec)
    Time to live: 14400.000 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 10.1.1.2 (primary), weighting 100 (expires in 11.232 sec)

In the case of Example 8-65, you can see that the tracked object 1 is in a state of up. However, if the tracked object goes down, the weighting will be decremented by 25, and as a result, the weighting will be lower than the lower threshold of 90 and R1 will no longer be able to be the AVF for MAC 0007.b400.0a01. AVF2, which is R2, will have to forward for both MAC addresses at this point. However, if you need to find out what the tracked object is specifically so that you can troubleshoot further, use the command show track, as shown in Example 8-66. In this output, the line protocol of interface Gigabit Ethernet 3/0 is being tracked by GLBP.

Example 8-66 show track Command Output on R1
R1#show track
Track 1
  Interface GigabitEthernet3/0 line-protocol
  Line protocol is Up
    3 changes, last change 00:05:56
  Tracked by:
    GLBP GigabitEthernet0/0 10

Verifying GLBP First Hop
Once you know the current GLBP configuration, you might then check to see whether a host on the GLBP virtual IP address's subnet can ping the virtual IP address. Based on the topology previously shown in Figure 8-8, Example 8-67 shows a successful ping from Workstation A.

Example 8-67 Ping Test from Workstation A to the GLBP Virtual IP Address
C:\>ping 10.1.1.62
Pinging 10.1.1.62 with 32 bytes of data:
Reply from 10.1.1.62: bytes=32 time=1ms TTL=255
Reply from 10.1.1.62: bytes=32 time=2ms TTL=255
Reply from 10.1.1.62: bytes=32 time=1ms TTL=255
Reply from 10.1.1.62: bytes=32 time=1ms TTL=255
Ping statistics for 10.1.1.62:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

However, that does not prove that we are using the virtual MAC address and GLBP successfully. Therefore, from the client, you should also verify that the virtual MAC address learned by the client corresponds to the virtual MAC address reported by the GLBP AVG. Example 8-68 shows Workstation A's ARP cache entry for the GLBP virtual IP address of 10.1.1.62. Notice in the output that the MAC address learned via ARP does match the GLBP virtual MAC address of the first AVF.

Example 8-68 Workstation A's ARP Cache
C:\>arp -a
Interface: 10.1.1.10 --- 0x4
  Internet Address      Physical Address      Type
  10.1.1.62             00-07-b4-00-0a-01     dynamic

However, as discussed with HSRP and VRRP, one of the best tools to use with FHRPs to verify the path is traceroute. With traceroute, you can identify the physical first-hop router that the packets are traversing. Example 8-69 displays the tracert command executed on Workstation A. Notice that it states that the first hop is 10.1.1.1. This is the IP address of R1's Gig0/0 interface. Example 8-70 displays the tracert command executed on Workstation B. Notice that it states that the first hop is 10.1.1.2. This is the IP address on R2's Gig0/0 interface. But remember in both cases they are configured to use the virtual IP 10.1.1.62 and are dynamically provided a virtual MAC address based on the AVG load-balancing method.

Example 8-69 A Trace from Workstation A Confirming That R1 Is the First Hop (AVF)
C:\>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     2 ms     2 ms     2 ms  10.1.1.1
...output omitted...
Trace complete.

Example 8-70 A Trace from Workstation B Confirming That R2 Is the First Hop (AVF)
C:\>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     2 ms     2 ms     2 ms  10.1.1.2
...output omitted...
Trace complete.

GLBP Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 8-10.

Figure 8-10 GLBP Trouble Ticket Topology (figure; the recoverable labels follow). Core: 192.0.2.1. R1, Gi0/0 10.1.1.1: Active Virtual Gateway (AVG) and Active Virtual Forwarder (AVF), GLBP IP address 10.1.1.62, virtual MAC 0007.b400.0a01. R2, Gi0/0 10.1.1.2: AVF, GLBP IP address 10.1.1.62, virtual MAC 0007.b400.0a02. Workstation A 10.1.1.10: next-hop GW 10.1.1.62 with a MAC of 0007.b400.0a01. Workstation B 10.1.1.20: next-hop GW 10.1.1.62 with a MAC of 0007.b400.0a02.

Trouble Ticket 8-6

Problem: A junior administrator has stated that GLBP is behaving strangely. With a puzzled look on your face, you ask the junior admin to show you what she means. The junior admin provides the output shown in Example 8-71 and Example 8-72. You review them, and then ask the junior administrator to explain.

Example 8-71 Output of show glbp brief on R1

R1#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    150  Active   10.1.1.62       local           unknown
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -

Example 8-72 Output of show glbp brief on R2

R2#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    100  Active   10.1.1.62       local           unknown
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -

The junior administrator indicates that R1 and R2 are both in group 10. However, they are both indicating that they are the AVG for the virtual address 10.1.1.62. In addition, R1 and R2 are both stating that they are the AVFs for the MAC addresses listed. R1 has a priority of 150, and R2 has a priority of 100.

You then ask the junior admin, "Why would they both consider themselves as the AVG and AVFs?" The junior admin replies, "They don't know each other is on the LAN and participating in GLBP group 10." You grin and state, "That is correct. Now find out why!" The junior admin issues the command show glbp on R1 and R2, as displayed in Examples 8-73 and 8-74, and reviews them hoping to spot the difference. Do you see it?

Example 8-73 Output of show glbp on R1

R1#show glbp
GigabitEthernet0/0 - Group 10
  State is Active
    8 state changes, last state change 00:23:29
  Virtual IP address is 10.1.1.62
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.592 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Authentication text, string "TSHOOT"
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is unknown
  Priority 150 (configured)
...output omitted...

Example 8-74 Output of show glbp on R2

R2#show glbp
GigabitEthernet0/0 - Group 10
  State is Active
    3 state changes, last state change 00:21:32
  Virtual IP address is 10.1.1.62
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.288 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Authentication MD5, key-string
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is unknown
  Priority 100 (default)
...output omitted...

The output confirms that both R1 and R2 are the AVG for group 10 because it states "State is Active" near the top. The virtual IP is the same at 10.1.1.62. The timers are the same, although they do not have to be, as long as they do not cause flapping neighbor relationships. At this point, the junior admin spots the difference. They are both using authentication, but the type of authentication does not match. R1 is using plain-text GLBP authentication, and R2 is using message digest 5 (MD5) GLBP authentication. Therefore, they know each other is there, but because they cannot

authenticate each other, they consider each other to be rogue GLBP devices and will not accept the GLBP information from each other. Your security policy states to use MD5 authentication, so you change R1 with the command glbp 10 authentication md5 key-string TSHOOT in interface configuration mode. You then check the output of show glbp brief on R1 and R2, as shown in Examples 8-75 and 8-76, to verify whether the output has changed. It has. R1 is the AVG and the AVF for the first MAC, and R2 is standby and the AVF for the second MAC.

Example 8-75 Output of show glbp brief on R1

R1#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    150  Active   10.1.1.62       local           10.1.1.2
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Listen   0007.b400.0a02  10.1.1.2        -

Example 8-76 Output of show glbp brief on R2

R2#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    100  Standby  10.1.1.62       10.1.1.1        local
Gi0/0       10   1    -    Listen   0007.b400.0a01  10.1.1.1        -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -

Trouble Ticket 8-7

Problem: The uplink has failed between R2 and the core. However, R2 is still the AVF for MAC 0007.b400.0a02 when it should be R1.

Let's shoot from the hip this time! Brainstorm: Uplink failed + R2 still AVF when it should not be = object tracking and weight issue? Let's use the show glbp command to see what the weight of R2 is and whether object tracking is enabled. Example 8-77 displays the output of show glbp on R2, and it clearly indicates that we are tracking object 1, which is down, and when it is down, the weighting will be decremented by 20, which it has been, because the configured weight is 100 and the current weight is 80. However, R2's weighting still has not passed the lower threshold. Therefore, it will still be the AVF for the MAC address assigned to it by the AVG.

Example 8-77 Output of show glbp on R2

R2#show glbp
GigabitEthernet0/0 - Group 10
  State is Standby
    10 state changes, last state change 00:20:58
  Virtual IP address is 10.1.1.62

  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.736 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Authentication MD5, key-string
  Preemption enabled, min delay 0 sec
  Active is 10.1.1.1, priority 150 (expires in 8.480 sec)
  Standby is local
  Priority 100 (default)
  Weighting 80 (configured 100), thresholds: lower 80, upper 100
    Track object 1 state Down decrement 20
  Load balancing: weighted

To solve this problem, you need to modify the glbp 10 weighting track 1 command so that the decrement is greater than 20 (for example, glbp 10 weighting track 1 decrement 21). When you do so, R1 will be the AVF for both MACs. On R1, you can confirm this with the show glbp brief command, as shown in Example 8-78.

Example 8-78 Output of show glbp brief on R1

R1#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    150  Active   10.1.1.62       local           10.1.1.2
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -

Comparing HSRP, VRRP, and GLBP

As you have witnessed in this chapter, HSRP, VRRP, and GLBP have commonalities, making them easy to troubleshoot for most. The output provided by the show commands is similar as well. It is important to note that the issues will be similar with these FHRPs. However, although HSRP, VRRP, and GLBP are very similar, it is important for you as a troubleshooter to understand the differences to make sure that you are troubleshooting as efficiently as possible. Table 8-2 compares several characteristics of these FHRPs.

Table 8-2 Comparing HSRP, VRRP, and GLBP

Characteristic                                        HSRP                 VRRP             GLBP
Cisco proprietary                                     Yes                  No               Yes
Interface IP address can act as virtual IP address    No                   Yes              No
More than one router in a group can simultaneously    No                   No               Yes
  forward traffic for that group
Hello timer default value                             3 seconds            1 second         3 seconds
Hold timer default value                              10 seconds           3 seconds        10 seconds
Preemption enabled by default                         No                   Yes              No for AVG, Yes for AVFs
Default priority                                      —                    —                100
Authentication supported                              Yes                  Yes              Yes
Multicast address                                     V1: 224.0.0.2        224.0.0.18       224.0.0.102
                                                      V2: 224.0.0.102
Virtual MAC address                                   V1: 0000.0c07.acxx   0000.5e00.01xx   0007.b400.xxyy
                                                      V2: 0000.0c9f.fxxx                    (xx = group number)
                                                                                            (yy = AVF)
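Both GLBP trouble tickets above come down to reading show glbp output carefully. As an added example that is not from the book, the following Python code parses the relevant lines and automates both checks: the peer-consistency check of Trouble Ticket 8-6 (both routers Active, same VIP and timers, but different authentication types) and the weighting-threshold check of Trouble Ticket 8-7 (a decrement that leaves the weight at, rather than below, the lower threshold). The sample outputs are constructed from Examples 8-73, 8-74 and 8-77, and the field layout is assumed to match those examples.

```python
import re
# Constructed samples reproducing Examples 8-73/8-74 (R1 and R2 before the fix) and 8-77 (R2).
R1_BEFORE = """\
GigabitEthernet0/0 - Group 10
  State is Active
  Virtual IP address is 10.1.1.62
  Hello time 3 sec, hold time 10 sec
  Authentication text, string "TSHOOT"
"""
R2_BEFORE = R1_BEFORE.replace('text, string "TSHOOT"', "MD5, key-string")
R2_UPLINK_DOWN = """\
GigabitEthernet0/0 - Group 10
  State is Standby
  Weighting 80 (configured 100), thresholds: lower 80, upper 100
  Track object 1 state Down decrement 20
"""

def parse_show_glbp(out: str) -> dict:
    """Extract the fields the two checks below need from one router's 'show glbp' output."""
    g = lambda pat: (re.search(pat, out) or [None, None])[1]  # first capture group, or None
    w = re.search(r"Weighting (\d+) \(configured (\d+)\), thresholds: lower (\d+), upper (\d+)", out)
    return {
        "state": g(r"State is (\w+)"),
        "vip": g(r"Virtual IP address is (\S+)"),
        "timers": (g(r"Hello time (\d+) sec"), g(r"hold time (\d+) sec")),
        "auth": (g(r"Authentication (\w+)") or "none").lower(),
        "weight": tuple(map(int, w.groups())) if w else None,  # current, configured, lower, upper
        "tracks": [(int(o), s, int(d)) for o, s, d in
                   re.findall(r"Track object (\d+) state (\w+) decrement (\d+)", out)],
    }

def peer_mismatches(*outputs) -> list:
    """Trouble Ticket 8-6 check: why do two routers both claim to be the AVG of one group?"""
    peers = [parse_show_glbp(o) for o in outputs]
    findings = []
    if sum(p["state"] == "Active" for p in peers) > 1:
        findings.append("multiple AVGs: the peers are not accepting each other's hellos")
    for key in ("vip", "timers", "auth"):  # settings the chapter says must agree between peers
        if len({p[key] for p in peers}) > 1:
            findings.append(f"{key} mismatch: " + " vs ".join(str(p[key]) for p in peers))
    return findings

def weak_track_decrements(output: str) -> list:
    """Trouble Ticket 8-7 check: GLBP gives up the AVF role only when the weight falls BELOW the
    lower threshold; list (object, decrement, minimum decrement needed) where it cannot."""
    p = parse_show_glbp(output)
    _current, configured, lower, _upper = p["weight"]
    return [(obj, dec, configured - lower + 1)
            for obj, _state, dec in p["tracks"] if configured - dec >= lower]
```

For R2 in Example 8-77 the second check returns object 1 with decrement 20 and a required minimum of 21, which is exactly the change made to resolve the ticket.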