
From the Library of Outcast Outcast

CCNP Routing and
Switching TSHOOT 300-135
Official Cert Guide

Raymond Lacoste
CCSI/CCNP
Kevin Wallace
CCIE No. 7945

Cisco Press
800 East 96th Street

Indianapolis, IN 46240


ii CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide

CCNP Routing and Switching TSHOOT 300-135
Official Cert Guide
Raymond Lacoste, CCSI/CCNP

Kevin Wallace, CCIE No. 7945

Copyright© 2015 Pearson Education, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage and retrieval
system, without written permission from the publisher, except for the inclusion of brief quotations in a
review.

Printed in the United States of America

First Printing December 2014

Library of Congress Control Number: 2014950275

ISBN-10: 1-58720-561-0

ISBN-13: 978-1-58720-561-3

Warning and Disclaimer
This book is designed to provide information about the 300-135 Troubleshooting and Maintaining Cisco
IP Networks (TSHOOT) exam for the CCNP Routing and Switching certification. Every effort has been
made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall
have neither liability nor responsibility to any person or entity with respect to any loss or damages
arising from the information contained in this book or from the use of the discs or programs that may
accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems,
Inc.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately
capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information.
Use of a term in this book should not be regarded as affecting the validity of any trademark or service
mark.


Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may
include electronic versions; custom cover designs; and content particular to your business, training goals,
marketing focus, or branding interests), please contact our corporate sales department at
corpsales@pearsoned.com or (800) 382-3419.

For government sales inquiries, please contact governmentsales@pearsoned.com.

For questions about sales outside the U.S., please contact international@pearsoned.com.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book
is crafted with care and precision, undergoing rigorous development that involves the unique expertise
of members from the professional technical community.

Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we
could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us
through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your
message.

We greatly appreciate your assistance.
Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Business Operation Manager, Cisco Press: Jan Cornelssen
Executive Editor: Brett Bartow
Managing Editor: Sandra Schroeder
Development Editor: Ellie Bru
Project Editor: Mandie Frank
Copy Editor: Keith Cline
Technical Editors: Ryan Lindfield, Diane Teare
Team Coordinator: Vanessa Evans
Designer: Mark Shirar
Composition: Tricia Bronkella
Indexer: Lisa Stumpf
Proofreader: The WordSmithery LLC


About the Authors
Raymond Lacoste is a Cisco Certified Systems Instructor (CCSI) who has dedicated his
IT career to teaching others. Starting out as a mentor at Skillsoft, he helped students with
their studies, explaining various Cisco, Microsoft, and industry-related concepts in ways
that improved the students' understanding. Now he spends his days at Skillsoft teaching
the CCNA and CCNP Routing and Switching certification track. He has taught over 300
Cisco classes in addition to the countless practice labs, demonstrations, hands-on labs,
and student guides he has developed. However, it is not just about teaching, it is also
about learning. To date, Raymond has passed more than 100 IT certification exams as he
continues to keep his learning and knowledge up-to-date. His certification wall includes
various Cisco certifications, Microsoft certifications, CompTIA certifications, and the
ISC2 CISSP (Certified Information Systems Security Professional) designation. He was
also awarded the Cisco Sirius Top Quality Instructor award. His next goal is to achieve
the CCIE designation in Routing and Switching. Raymond lives in Atlantic Canada, with
his wife, Melanie, and two children.

Kevin Wallace, CCIEx2 (Collaboration and R/S) #7945, CCSI #20061: With Cisco
experience dating back to 1989, Kevin has been a network design specialist for the Walt
Disney World Resort, an instructor of Cisco courses for Skillsoft, and a network manager
for Eastern Kentucky University.

Kevin currently produces video courses and writes books for Cisco Press/Pearson IT
Certification (http://kwtrain.com/books), and he lives in central Kentucky with his wife
(Vivian) and two daughters (Stacie and Sabrina).

Kevin can be followed on these social media platforms.

Blog: http://kwtrain.com

Twitter: http://twitter.com/kwallaceccie

Facebook: http://facebook.com/kwallaceccie

YouTube: http://youtube.com/kwallaceccie

LinkedIn: http://linkedin.com/in/kwallaceccie

Google+: http://google.com/+KevinWallace


About the Technical Reviewers
Ryan Lindfield is an instructor and technical consultant with Stormwind. On a typical
day he’s broadcasting official Cisco training from a video studio. When not in the
virtual classroom, he can be found supporting customer networks. Ryan has nearly
20 years of technical consulting experience, and over a decade in the classroom. He
has delivered training for network, security, and data center technologies around the
world. Certifications include: CCNP Routing & Switching, CCNP Security, HP Master
Accredited Systems Engineer, VMware VCP, CEH, CISSP, SANS GFCA, ECSA,
CHFI, CPTE, CPTC, OSWP, and many Microsoft and CompTIA certifications. Ryan
leads a 150 member Defcon user group in Tampa, FL, and has given presentations for
ISC2 and B-Sides computer security events.

Diane Teare, P.Eng, CCNP, CCDP, CCSI, PMP, is a professional in the networking,
training, project management, and e-learning fields. She has more than 25 years of
experience in designing, implementing, and troubleshooting network hardware and software,
and has been involved in teaching, course design, and project management. She
has extensive knowledge of network design and routing technologies. Diane is a Cisco
Certified Systems Instructor (CCSI), and holds her Cisco Certified Network Professional
(CCNP), Cisco Certified Design Professional (CCDP), and Project Management
Professional (PMP) certifications. She is an instructor, and the Course Director for the
CCNA and CCNP Routing and Switching curriculum, with one of the largest authorized
Cisco Learning Partners. She was the director of e-learning for the same company, where
she was responsible for planning and supporting all the company’s e-learning offerings in
Canada, including Cisco courses. Diane has a Bachelor’s degree in applied science in electrical
engineering and a Master’s degree in applied science in management science. She
authored or co-authored the following Cisco Press titles: the first and second editions
of Implementing Cisco IP Routing (ROUTE); the second edition of Designing Cisco
Network Service Architectures (ARCH); Campus Network Design Fundamentals; the
three editions of Authorized Self-Study Guide Building Scalable Cisco Internetworks
(BSCI); and Building Scalable Cisco Networks. Diane edited the first two editions
of the Authorized Self-Study Guide Designing for Cisco Internetwork Solutions
(DESGN), and also edited Designing Cisco Networks.


Dedications
This book is dedicated to two very special people who supported me in my early years
of IT, without whom this book would not have been possible. I will forever be grateful
for the opportunity you gave me so many years ago to pursue my career. Thank you!

Raymond Lacoste


Acknowledgments
A big thank you to my wife for encouraging me to write this book and supporting me
over the months that it took to complete it. Great big hugs to my two wonderful children,
ages 9 and 5, who had no idea why Daddy was always sitting at the computer; for
some strange reason, though, they knew that it was important and supported me in their
own mysterious ways. I love you guys!

An equally big thank you to my parents, without whom I would not be where I am or
who I am today, and to my sister, Terry-Anne, who always kicked me in the right direction.

Thanks to Dan Young, my mentor and the Director of Live Learning at Skillsoft, for all
the support and encouragement you have provided me all these years.

I’d like to thank Ellie Bru, my Development Editor, for organizing and putting into
action all the parts needed to develop this book (definitely not an easy task).

Thank you to Mandie Frank, my Production Editor, for putting all the final pieces of
this book together so nicely and making sure that it resembles a book.

Thank you to Diane Teare and Ryan Lindfield for reviewing the book and making sure
it’s technically sound.

Keith Cline, thank you for making sure all i’s were “crossed” and t’s “dotted” within the
book. (HaHaHa) You found some items in this book that I didn’t even know existed.
Thank you!

Thank you to Brett Bartow, my Executive Editor, for giving me the opportunity to write
this detailed book.

A big thank you to Kevin Wallace, the author of the previous edition of TSHOOT and a
friend, who passed the torch on to me for this edition. Thank you.

Lastly, thank you to the entire team at Cisco Press, their families and friends, who work
extremely hard to produce high-quality training materials.

—Raymond Lacoste


Contents at a Glance
Introduction xxx

Part I Fundamental Troubleshooting and Maintenance Concepts
Chapter 1 Introduction to Troubleshooting and Network Maintenance 3

Chapter 2 Troubleshooting and Maintenance Tools 41

Chapter 3 Troubleshooting Device Performance 93

Part II Troubleshooting Cisco Catalyst Switch Features
Chapter 4 Troubleshooting Layer 2 Trunks, VTP, and VLANs 129

Chapter 5 Troubleshooting STP and Layer 2 EtherChannel 169

Chapter 6 Troubleshooting Inter-VLAN Routing and Layer 3 EtherChannels 209

Chapter 7 Troubleshooting Switch Security Features 247

Chapter 8 Troubleshooting First-Hop Redundancy Protocols 287

Part III Troubleshooting Router Features
Chapter 9 Troubleshooting IPv4 Addressing and Addressing Technologies 335

Chapter 10 Troubleshooting IPv6 Addressing and Addressing Technologies 367

Chapter 11 Troubleshooting IPv4 and IPv6 ACLs and Prefix Lists 397

Chapter 12 Troubleshooting Basic IPv4/IPv6 Routing and GRE Tunnels 423

Chapter 13 Troubleshooting RIPv2 and RIPng 463

Chapter 14 Troubleshooting EIGRP 513

Chapter 15 Troubleshooting OSPF 587

Chapter 16 Troubleshooting Route Maps and Policy-Based Routing 675

Chapter 17 Troubleshooting Redistribution 697

Chapter 18 Troubleshooting BGP 749

Part IV Troubleshooting Management
Chapter 19 Troubleshooting Management Protocols and Tools 815

Chapter 20 Troubleshooting Management Access 851


Part V Final Preparation
Chapter 21 Additional Trouble Tickets 871

Chapter 22 Final Preparation 943

Part VI Appendixes
Appendix A Answers to the “Do I Know This Already” Quizzes 951

Appendix B TSHOOT Exam Updates 957

Index 960

CD-Only Appendixes and Glossary
Appendix C Memory Tables

Appendix D Memory Tables Answer Key

Appendix E Study Planner

Glossary


Contents
Introduction xxx

Part I Fundamental Troubleshooting and Maintenance Concepts

Chapter 1 Introduction to Troubleshooting and Network Maintenance 3
“Do I Know This Already?” Quiz 3
Foundation Topics 9
Introduction to Troubleshooting 9
Defining Troubleshooting 9
The Value of Structured Troubleshooting 11
A Structured Approach 13
1. Problem Report 13
2. Collect Information 14
3. Examine Collected Information 15
4. Eliminate Potential Causes 16
5. Propose an Hypothesis 17
6. Verify Hypothesis 18
7. Problem Resolution 19
Popular Troubleshooting Methods 20
The Top-Down Method 21
The Bottom-Up Method 21
The Divide-and-Conquer Method 22
The Following the Traffic Path Method 23
The Comparing Configurations Method 23
The Component Swapping Method 24
Practice Exercise: Selecting a Troubleshooting Approach 25
Introduction to Network Maintenance 26
Defining Network Maintenance 26
Proactive Versus Reactive Network Maintenance 27
Well-Known Network Maintenance Models 28
Example of Adapting a Network Maintenance Model 28
Common Maintenance Procedures 29
Routine Maintenance Tasks 29
Scheduled Maintenance 30
Managing Network Changes 30
Maintaining Network Documentation 32


Restoring Operations After a Failure 33
Measuring Network Performance 34
The Troubleshooting and Network Maintenance Relationship 34
Maintaining Current Network Documentation 35
Establishing a Baseline 36
Communication 36
Change Management 37
Exam Preparation Tasks 39
Review All Key Topics 39
Define Key Terms 39

Chapter 2 Troubleshooting and Maintenance Tools 41
“Do I Know This Already?” Quiz 41
Foundation Topics 45
The Troubleshooting and Network Maintenance Toolkit 45
Network Documentation Tools 46
Basic Tools 47
CLI Tools 47
GUI Tools 48
Recovery Tools 48
Logging Tools 53
Network Time Protocol as a Tool 56
Advanced Tools 57
Overview of SNMP and NetFlow 57
Creating a Baseline with SNMP and NetFlow 58
SNMP 58
NetFlow 59
Cisco Support Tools 64
Using Cisco IOS to Verify and Define the Problem 64
Ping 64
Telnet 67
Traceroute 67
Using Cisco IOS to Collect Information 68
Filtering the Output of show Commands 69
Redirecting show Command Output to a File 73
Troubleshooting Hardware 74


Collecting Information in Transit 75
Performing Packet Captures 75
SPAN 76
RSPAN 78
Using Tools to Document a Network 80
Exam Preparation Tasks 85
Review All Key Topics 85
Define Key Terms 86
Complete Tables and Lists from Memory 86
Command Reference to Check Your Memory 86

Chapter 3 Troubleshooting Device Performance 93
“Do I Know This Already?” Quiz 93
Foundation Topics 96
Troubleshooting Switch Performance Issues 96
Cisco Catalyst Switch Troubleshooting Targets 96
TCAM Troubleshooting 101
High CPU Utilization Troubleshooting on a Switch 105
Troubleshooting Router Performance Issues 106
Excessive CPU Utilization 107
Understanding Packet-Switching Modes (Routers and Multilayer Switches) 113
Troubleshooting Packet-Switching Modes 116
Excessive Memory Utilization 121
Exam Preparation Tasks 124
Review All Key Topics 124
Define Key Terms 124
Complete Tables and Lists from Memory 125
Command Reference to Check Your Memory 125

Part II Troubleshooting Cisco Catalyst Switch Features

Chapter 4 Troubleshooting Layer 2 Trunks, VTP, and VLANs 129
“Do I Know This Already?” Quiz 129
Foundation Topics 132
Frame-Forwarding Process 132
Troubleshooting Trunks 140
Encapsulation Mismatch 141
Incompatible Trunking Modes 143


VTP Domain Name Mismatch 146
Native VLAN Mismatch 146
Allowed VLANs 147
Troubleshooting VTP 148
Domain Name Mismatch 148
Version Mismatch 149
Mode Mismatch 149
Password Mismatch 151
Higher Revision Number 151
Troubleshooting VLANs 152
Incorrect IP Addressing 152
Missing VLAN 153
Incorrect Port Assignment 154
The MAC Address Table 155
Layer 2 Trouble Tickets 157
Trouble Ticket 4-1 158
Trouble Ticket 4-2 160
Exam Preparation Tasks 165
Review All Key Topics 165
Define Key Terms 165
Complete Tables and Lists from Memory 166
Command Reference to Check Your Memory 166

Chapter 5 Troubleshooting STP and Layer 2 EtherChannel 169
“Do I Know This Already?” Quiz 169
Foundation Topics 172
Spanning Tree Protocol Overview 172
Reviewing STP Operation 173
Determining Root Port 175
Determining Designated Port 176
Determining Nondesignated Port 176
Collecting Information About an STP Topology 177
Gathering STP Information 177
Gathering MSTP Information 179
STP Troubleshooting Issues 180
Corruption of a Switch’s MAC Address Table 180
Broadcast Storms 181


Troubleshooting STP Features 182
PortFast 183
BPDU Guard 184
BPDU Filter 187
Root Guard 189
Loop Guard 190
STP Trouble Tickets 190
Trouble Ticket 5-1 191
Trouble Ticket 5-2 194
Trouble Ticket 5-3 196
Troubleshooting Layer 2 EtherChannel 199
Reviewing Layer 2 EtherChannel 199
EtherChannel Trouble Tickets 200
Trouble Ticket 5-4 201
Trouble Ticket 5-5 204
Exam Preparation Tasks 206
Review All Key Topics 206
Define Key Terms 206
Complete Tables and Lists from Memory 207
Command Reference to Check Your Memory 207

Chapter 6 Troubleshooting Inter-VLAN Routing and Layer 3 EtherChannels 209
“Do I Know This Already?” Quiz 209
Foundation Topics 212
Troubleshooting a Router-on-a-Trunk/Stick 212
Router-on-a-Trunk/Stick Trouble Tickets 213
Trouble Ticket 6-1 214
Trouble Ticket 6-2 218
Troubleshooting Switched Virtual Interfaces 221
Reviewing SVIs 221
Troubleshooting SVIs 223
SVI Trouble Tickets 224
Trouble Ticket 6-3 225
Trouble Ticket 6-4 230
Troubleshooting Routed Ports 233
Routed Ports Trouble Tickets 234
Trouble Ticket 6-5 235


Troubleshooting Layer 3 EtherChannel 237
Layer 3 EtherChannel Trouble Tickets 239
Trouble Ticket 6-6 240
Exam Preparation Tasks 244
Review All Key Topics 244
Define Key Terms 244
Complete Tables and Lists from Memory 245
Show Command Reference to Check Your Memory 245

Chapter 7 Troubleshooting Switch Security Features 247
“Do I Know This Already?” Quiz 247
Foundation Topics 250
Troubleshooting Port Security 250
Common Port Security Issues 250
Port Security Configured but Not Enabled 250
Static MAC Address Not Configured Correctly 251
Maximum Number of MAC Addresses Reached 253
Legitimate Users Being Blocked Because of Violation 254
Running Configuration Not Saved to Startup Configuration 260
Port Security Trouble Tickets 261
Trouble Ticket 7-1 261
Troubleshooting Spoof-Prevention Features 265
DHCP Snooping 265
Dynamic ARP Inspection 267
IP Source Guard 268
Spoof-Prevention Features Trouble Tickets 270
Trouble Ticket 7-2 270
Troubleshooting Access Control 273
Protected Ports 273
Private VLANs 275
VACLs 279
Exam Preparation Tasks 281
Review All Key Topics 281
Define Key Terms 282
Command Reference to Check Your Memory 282


Chapter 8 Troubleshooting First-Hop Redundancy Protocols 287
“Do I Know This Already?” Quiz 287
Foundation Topics 290
Troubleshooting HSRP 290
Reviewing HSRP 290
HSRP Converging After a Failure 291
HSRP Verification and Troubleshooting 292
Virtual Router MAC Address 293
Interface Tracking 293
Verifying First Hop 294
Debug 296
HSRP Trouble Tickets 297
Trouble Ticket 8-1 297
Trouble Ticket 8-2 300
Trouble Ticket 8-3 302
Troubleshooting VRRP 306
Reviewing VRRP 306
VRRP Verification and Troubleshooting 308
Virtual Router MAC Address 309
Object Tracking 309
Verifying First Hop 310
VRRP Trouble Tickets 312
Trouble Ticket 8-4 312
Trouble Ticket 8-5 315
Troubleshooting GLBP 318
Reviewing GLBP 319
GLBP Verification and Troubleshooting 321
Virtual Router MAC Addresses 323
GLBP Object Tracking 323
Verifying GLBP First Hop 325
GLBP Trouble Tickets 326
Trouble Ticket 8-6 327
Trouble Ticket 8-7 329
Comparing HSRP, VRRP, and GLBP 330
Exam Preparation Tasks 332
Review All Key Topics 332


Define Key Terms 333
Complete Tables and Lists from Memory 333
Command Reference to Check Your Memory 333

Part III Troubleshooting Router Features

Chapter 9 Troubleshooting IPv4 Addressing and Addressing Technologies 335
“Do I Know This Already?” Quiz 335
Foundation Topics 338
Troubleshooting IPv4 Addressing 338
IPv4 Addressing Issues 338
Determining IP Addresses Within a Subnet 341
Troubleshooting DHCP for IPv4 342
Reviewing DHCP Operations 342
Potential DHCP Troubleshooting Issues 347
DHCP Troubleshooting Commands 348
Troubleshooting NAT 350
Reviewing NAT 350
NAT Troubleshooting Issues 353
NAT Troubleshooting Commands 354
IPv4 Addressing and Addressing Technologies Trouble Tickets 356
Trouble Ticket 9-1 356
Trouble Ticket 9-2 358
Trouble Ticket 9-3 361
Exam Preparation Tasks 364
Review All Key Topics 364
Define Key Terms 365
Command Reference to Check Your Memory 365

Chapter 10 Troubleshooting IPv6 Addressing and Addressing Technologies 367
“Do I Know This Already?” Quiz 367
Foundation Topics 370
Troubleshooting IPv6 Addressing 370
IPv6 Addressing Review 370
Neighbor Solicitation and Neighbor Advertisement 370
EUI-64 373
Troubleshooting IPv6 Address Assignment 375
Stateless Address Autoconfiguration/SLAAC 375
Stateful DHCPv6 381


Stateless DHCPv6 382
DHCPv6 Operation 384
DHCPv6 Relay Agent 385
IPv6 Addressing Trouble Tickets 386
Trouble Ticket 10-1 386
Trouble Ticket 10-2 389
Exam Preparation Tasks 394
Review All Key Topics 394
Define Key Terms 395
Command Reference to Check Your Memory 395

Chapter 11 Troubleshooting IPv4 and IPv6 ACLs and Prefix Lists 397
“Do I Know This Already?” Quiz 397
Foundation Topics 401
Troubleshooting IPv4 ACLs 401
Reading an IPv4 ACL 401
Using an IPv4 ACL for Filtering 403
Using a Time-Based IPv4 ACL 403
IPv4 ACL Trouble Tickets 405
Trouble Ticket 11-1 405
Troubleshooting IPv6 ACLs 407
Reading an IPv6 ACL 408
Using an IPv6 ACL for Filtering 409
IPv6 ACL Trouble Tickets 410
Trouble Ticket 11-2 410
Troubleshooting Prefix Lists 414
Reading a Prefix List 414
Prefix List Processing 415
Prefix List Trouble Tickets 416
Trouble Ticket 11-3 417
Exam Preparation Tasks 419
Review All Key Topics 419
Define Key Terms 419
Command Reference to Check Your Memory 419


Chapter 12 Troubleshooting Basic IPv4/IPv6 Routing and GRE Tunnels 423
“Do I Know This Already?” Quiz 423
Foundation Topics 427
Packet-Forwarding Process 427
Reviewing Layer 3 Packet-Forwarding Process 427
Troubleshooting the Packet-Forwarding Process 431
Troubleshooting Routing Information Sources 435
Data Structures and the Routing Table 436
Sources of Route Information 436
Troubleshooting Static Routes 438
IPv4 Static Routes 439
IPv6 Static Routes 443
Static Routing Trouble Tickets 445
Trouble Ticket 12-1 445
Trouble Ticket 12-2 448
Troubleshooting GRE Tunnels 450
Exam Preparation Tasks 459
Review All Key Topics 459
Define Key Terms 460
Complete Tables and Lists from Memory 460
Command Reference to Check Your Memory 460

Chapter 13 Troubleshooting RIPv2 and RIPng 463
“Do I Know This Already?” Quiz 463
Foundation Topics 466
Troubleshooting RIPv2 466
Missing RIPv2 Routes 466
Interface Is Shut Down 469
Wrong Subnet 469
Bad or Missing Network Statement 470
Passive Interface 471
Wrong Version 473
Max Hop Count Exceeded 475
Authentication 477
Route Filtering 479
Split Horizon 480
Autosummarization 482
Better Source of Information 483


ACLs 485
Load Sharing 485
Other RIP Issues 486
Missing Default Route 486
Route Summarization 487
Troubleshooting RIPng 492
RIPv2 and RIPng Trouble Tickets 498
Trouble Ticket 13-1 498
Trouble Ticket 13-2 502
Trouble Ticket 13-3 506
Exam Preparation Tasks 509
Review All Key Topics 509
Define Key Terms 510
Command Reference to Check Your Memory 510

Chapter 14 Troubleshooting EIGRP 513
“Do I Know This Already?” Quiz 513
Foundation Topics 517
Troubleshooting EIGRP for IPv4 517
Troubleshooting EIGRP for IPv4 Neighbor Adjacencies 517
Interface Is Down 518
Mismatched Autonomous System Numbers 518
Incorrect Network Statement 520
Mismatched K Values 522
Passive Interface 523
Different Subnets 524
Authentication 525
ACLs 527
Timers 528
Troubleshooting EIGRP for IPv4 Routes 528
Bad or Missing Network Command 529
Better Source of Information 530
Route Filtering 534
Stub Configuration 535
Interface Is Shut Down 537
Split-horizon 537


Troubleshooting Miscellaneous EIGRP for IPv4 Issues 539
Feasible Successors 539
Discontiguous Networks and Autosummarization 542
Route Summarization 543
Load Balancing 544
EIGRP for IPv4 Trouble Tickets 546
Trouble Ticket 14-1 546
Trouble Ticket 14-2 553
Trouble Ticket 14-3 557
Troubleshooting EIGRP for IPv6 561
Troubleshooting EIGRP for IPv6 Neighbor Issues 561
Interface Is Down 561
Mismatched Autonomous System Numbers 562
Mismatched K Values 562
Passive Interfaces 562
Mismatched Authentication 562
Timers 563
Interface Not Participating in Routing Process 563
ACLs 564
Troubleshooting EIGRP for IPv6 Route 564
Interface Not Participating in Routing Process 564
Better Source of Information 565
Route Filtering 565
Stub Configuration 565
Split-horizon 566
EIGRP for IPv6 Trouble Tickets 567
Trouble Ticket 14-4 568
Troubleshooting Named EIGRP Configurations 572
Named EIGRP Verification Commands 573
Named EIGRP Trouble Tickets 577
Trouble Ticket 14-5 577
Exam Preparation Tasks 582
Review All Key Topics 582
Define Key Terms 583
Command Reference to Check Your Memory 583


Chapter 15 Troubleshooting OSPF 587
“Do I Know This Already?” Quiz 587
Foundation Topics 590
Troubleshooting OSPFv2 590
Troubleshooting OSPFv2 Neighbor Adjacencies 590
Interface Is Down 593
Interface Not Running the OSPF Process 593
Mismatched Timers 594
Mismatched Area Numbers 596
Mismatched Area Type 597
Different Subnets 598
Passive Interface 599
Mismatched Authentication Information 600
ACLs 601
MTU Mismatch 602
Duplicate Router IDs 603
Mismatched Network Types 604
Troubleshooting OSPFv2 Routes 606
Interface Not Running the OSPF Process 606
Better Source of Information 607
Route Filtering 611
Stub Area Configuration 613
Interface Is Shut Down 614
Wrong Designated Router Was Elected 615
Duplicate Router IDs 619
Troubleshooting Miscellaneous OSPFv2 Issues 620
Tracking OSPF Advertisements Through a Network 620
Route Summarization 622
Discontiguous Areas 624
Load Balancing 626
Default Route 627
OSPFv2 Trouble Tickets 627
Trouble Ticket 15-1 628
Trouble Ticket 15-2 635
Trouble Ticket 15-3 639
Troubleshooting OSPFv3 for IPv6 641
OSPFv3 Troubleshooting Commands 641
OSPFv3 Trouble Tickets 647
Trouble Ticket 15-4 647
Trouble Ticket 15-5 650
Troubleshoot OSPFv3 Address Families 655
OSPFv3 Address Family Troubleshooting 655
OSPFv3 AF Trouble Tickets 664
Trouble Ticket 15-6 665
Exam Preparation Tasks 669
Review All Key Topics 669
Define Key Terms 670
Complete Tables and Lists from Memory 670
Command Reference to Check Your Memory 671

Chapter 16 Troubleshooting Route Maps and Policy-Based Routing 675
“Do I Know This Already?” Quiz 675
Foundation Topics 678
Troubleshooting Route Maps 678
How to Read a Route Map 678
Troubleshooting Policy-Based Routing 681
PBR 681
Policy-Based Routing Trouble Tickets 684
Trouble Ticket 16-1 685
Trouble Ticket 16-2 689
Trouble Ticket 16-3 691
Exam Preparation Tasks 693
Review All Key Topics 693
Define Key Terms 693
Command Reference to Check Your Memory 693

Chapter 17 Troubleshooting Redistribution 697
“Do I Know This Already?” Quiz 697
Foundation Topics 700
Troubleshooting IPv4 and IPv6 Redistribution 700
Route Redistribution Overview 700
Troubleshooting Redistribution into RIP 703
Troubleshooting Redistribution into EIGRP 706
Troubleshooting Redistribution into OSPF 710
Troubleshooting Redistribution into BGP 715
Troubleshooting Redistribution with Route Maps 718
Redistribution Trouble Tickets 718
Trouble Ticket 17-1 719
Trouble Ticket 17-2 723
Trouble Ticket 17-3 727
Trouble Ticket 17-4 733
Troubleshooting Advanced Redistribution Issues 737
Troubleshooting Suboptimal Routing Caused by Redistribution 737
Troubleshooting Routing Loops Caused by Redistribution 739
Exam Preparation Tasks 745
Review All Key Topics 745
Define Key Terms 745
Command Reference to Check Your Memory 746

Chapter 18 Troubleshooting BGP 749
“Do I Know This Already?” Quiz 749
Foundation Topics 753
Troubleshooting BGP Neighbor Adjacencies 753
Interface Is Down 754
Layer 3 Connectivity Is Broken 754
Path to Neighbor Is via Default Route 755
Neighbor Does Not Have a Route to the Local Router 756
Incorrect neighbor Statement 757
BGP Packets Sourced from Wrong IP Address 758
ACLs 759
TTL of BGP Packet Expires 761
Mismatched Authentication 763
Misconfigured Peer Groups 764
Timers 765
Troubleshooting BGP Routes 766
Missing or Bad network mask Command 768
Next-Hop Router Not Reachable 770
BGP Split-Horizon Rule 772
Better Source of Information 773
Route Filtering 775
Troubleshooting BGP Path Selection 780
Understanding the Best Path Decision-Making Process 781
Private Autonomous System Numbers 784
Using debug Commands 784
Troubleshooting BGP for IPv6 786
BGP Trouble Tickets 790
Trouble Ticket 18-1 791
Trouble Ticket 18-2 796
Trouble Ticket 18-3 802
MP-BGP Trouble Tickets 807
Trouble Ticket 18-4 807
Exam Preparation Tasks 810
Review All Key Topics 810
Define Key Terms 811
Command Reference to Check Your Memory 811

Part IV Troubleshooting Management

Chapter 19 Troubleshooting Management Protocols and Tools 815
“Do I Know This Already?” Quiz 815
Foundation Topics 818
Management Protocols Troubleshooting 818
NTP Troubleshooting 818
Syslog Troubleshooting 821
SNMP Troubleshooting 823
Management Tools Troubleshooting 826
Cisco IOS IPSLA Troubleshooting 827
Object Tracking Troubleshooting 833
SPAN and RSPAN Troubleshooting 835
Management Protocols and Tools Trouble Tickets 837
Trouble Ticket 19-1 838
Exam Preparation Tasks 845
Review All Key Topics 845
Define Key Terms 846
Command Reference to Check Your Memory 846

Chapter 20 Troubleshooting Management Access 851
“Do I Know This Already?” Quiz 851
Foundation Topics 854
Console and vty Access Troubleshooting 854
Console Access Troubleshooting 854
vty Access Troubleshooting 855
Telnet 855
SSH 857
Password Encryption Levels 858
Cisco IOS AAA Troubleshooting 858
Management Access Trouble Tickets 861
Trouble Ticket 20-1 862
Trouble Ticket 20-2 863
Trouble Ticket 20-3 865
Exam Preparation Tasks 868
Review All Key Topics 868
Define Key Terms 868
Command Reference to Check Your Memory 868

Part V Final Preparation

Chapter 21 Additional Trouble Tickets 871
Introduction 871
Trouble Ticket 1 872
Suggested Solution 875
Trouble Ticket 2 876
Suggested Solution 879
Trouble Ticket 3 880
Suggested Solution 882
Trouble Ticket 4 884
Issue 1: Suggested Solution 891
Issue 2: Suggested Solution 897
Issue 3: Suggested Solution 897
Issue 4: Suggested Solution 898
Trouble Ticket 5 901
Suggested Solution 907
Trouble Ticket 6 910
Suggested Solution 916
Trouble Ticket 7 918
Issue 1: Forgotten Enable Secret Password 919
Issue 1: Suggested Solution 919
Issue 2: An exec-timeout Parameter Set Too Low 921
Issue 2: Suggested Solution 921
Issue 3: ACL Misconfiguration 922
Issue 3: Suggested Solution 922
Trouble Ticket 8 923
Suggested Solution 926
Trouble Ticket 9 926
Issue 1: Adjacency Between Routers R1 and R2 927
Issue 1: Suggested Solution 930
Issue 2: Adjacency Between Routers R2 and BB2 930
Issue 2: Suggested Solution 931
Issue 3: Adjacency Between Routers BB1 and BB2 931
Issue 3: Suggested Solution 933
Trouble Ticket 10 934
Issue 1: Router R2 Not Load Balancing Between Routers BB1 and BB2 937
Issue 1: Suggested Solution 937
Issue 2: Backbone Routes Not Being Suppressed 938
Issue 2: Suggested Solution 939

Chapter 22 Final Preparation 943
Tools for Final Preparation 943
Exam Engine and Questions on the CD 943
Install the Exam Engine 944
Activate and Download the Practice Exam 944
Activating Other Exams 945
Premium Edition 945
The Cisco Learning Network 945
Memory Tables 945
Chapter-Ending Review Tools 946
Suggested Plan for Final Review/Study 946
Step 1: Review Key Topics and DIKTA Questions 947
Step 3: Hands-On Practice 947
Step 5: Subnetting Practice 948
Step 6: Use the Exam Engine 948
Summary 949

Part VI Appendixes

Appendix A Answers to the “Do I Know This Already” Quizzes 951
Appendix B TSHOOT Exam Updates 957
Index 960

CD-Only Appendixes and Glossary
Appendix C Memory Tables
Appendix D Memory Tables Answer Key
Appendix E Study Planner
Glossary

Icons Used in This Book

[Icon legend: Workgroup Switch, Router, Multilayer Switch, File/Application Server, PC, Laptop, Web Server, IP Phone, Phone, Cisco Unified Communications Manager Server, Network Cloud, Serial Line, Ethernet Line]

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

■ Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
■ Italics indicate arguments for which you supply actual values.
■ Vertical bars (|) separate alternative, mutually exclusive elements.
■ Square brackets [ ] indicate optional elements.
■ Braces { } indicate a required choice.
■ Braces within brackets [{ }] indicate a required choice within an optional element.

Introduction

Professional certifications have been an important part of the computing industry for many years and will continue to become more important. Many reasons exist for these certifications, but the most popularly cited reason is that of credibility. All other considerations held equal, the certified employee/consultant/job candidate is considered more valuable than one who is not.

Goals and Methods

The most important and somewhat obvious goal of this book is to help you pass the 300-135 Troubleshooting and Maintaining Cisco IP Networks (TSHOOT) exam. In fact, if the primary objective of this book were different, the book’s title would be misleading. However, the methods used in this book to help you pass the TSHOOT exam are designed to also make you much more knowledgeable about how to do your job.

Although this book and the accompanying CD-ROM have many exam preparation tasks and example test questions, the method in which they are used is not to simply make you memorize as many questions and answers as you possibly can. The methodology of this book helps you discover the exam topics about which you need more review, fully understand and remember exam topic details, and prove to yourself that you have retained your knowledge of those topics. So, this book helps you pass not by memorization, but by helping you truly learn and understand the topics. The TSHOOT exam is typically your final journey in pursuit of the CCNP Routing and Switching certification, and the knowledge contained within is vitally important to consider yourself a truly skilled routing and switching expert or specialist. This book would do you a disservice if it did not attempt to help you learn the material. To that end, the book can help you pass the TSHOOT exam by using the following methods:

■ Covering the exam topics and helping you discover which exam topics you have not mastered
■ Providing explanations and information to fill in your knowledge gaps
■ Supplying multiple troubleshooting case studies with diagrams and diagnostic output that enhance your ability to resolve trouble tickets presented in the exam environment, in addition to real-world troubleshooting issues you might encounter
■ Providing practice exercises on exam topics, presented in each chapter and on the enclosed CD-ROM

Who Should Read This Book?

This book is not designed to be a general networking topics book, although it can be used for that purpose. This book is intended to tremendously increase your chances of passing the Cisco TSHOOT exam. Although other objectives can be achieved from using this book, the book is written with one goal in mind: to help you pass the exam. If you want to pass the exam, this book is for you.

Strategies for Exam Preparation

The strategy you use to prepare for the TSHOOT exam might differ slightly from strategies used by other readers, mainly based on the skills, knowledge, and experience you have already obtained. For example, if you have attended a TSHOOT course, you might take a different approach than someone who learned troubleshooting through on-the-job training. Regardless of the strategy you use or the background you have, this book is designed to help you gain the knowledge you need about the issues that can arise with different routing and switching technologies and get you to the point where you can apply that knowledge and pass the exam.

Cisco Certifications and Exams

Cisco offers four levels of routing and switching certification, each with an increasing level of proficiency: Entry, Associate, Professional, and Expert. These are commonly known by their acronyms CCENT (Cisco Certified Entry Networking Technician), CCNA (Cisco Certified Network Associate) Routing and Switching, CCNP (Cisco Certified Network Professional) Routing and Switching, and CCIE (Cisco Certified Internetworking Expert) Routing and Switching. For the CCNP Routing and Switching certification, you must pass exams on a series of CCNP topics, including the SWITCH, ROUTE, and TSHOOT exams. For most exams, Cisco does not publish the scores needed for passing. You need to take the exam to find that out for yourself. To see the most current requirements for the CCNP Routing and Switching certification, go to Cisco.com and click Training and Events. There you can find out other exam details such as exam topics and how to register for an exam.

How This Book Is Organized

Although this book can be read cover to cover, it is designed to be flexible and enable you to easily move between chapters to cover only the material that you need more work with. The chapters can be covered in any order, although some chapters are related and build upon each other. If you do intend to read them all, the order in the book is an excellent sequence to use. Each core chapter covers a subset of the topics on the CCNP TSHOOT exam. The chapters are organized into parts, covering the following topics:

■ Chapter 1, “Introduction to Troubleshooting and Network Maintenance:” This chapter discusses the importance of having a structured troubleshooting approach and a solid network maintenance plan. It identifies many popular models, structures, and tasks that should be considered by all organizations. However, as you will see, there is no “one-stop shop for all your needs” when it comes to troubleshooting and network maintenance. It is more of an art that you will master over time.

■ Chapter 2, “Troubleshooting and Maintenance Tools:” This chapter introduces you to a sampling of Cisco IOS tools and features designed for network maintenance and troubleshooting. The tools include ping, traceroute, Telnet, SPAN, RSPAN, NetFlow, SNMP, and CDP.
■ Chapter 3, “Troubleshooting Device Performance:” This chapter discusses common reasons for high CPU and memory utilization on routers and switches in addition to how you can recognize them. You will examine interface statistics, as they can be an initial indication of some type of issue. You will also review the different types of packet switching modes on routers and multilayer switches.
■ Chapter 4, “Troubleshooting Layer 2 Trunks, VTP, and VLANs:” This chapter begins by reviewing Layer 2 switch operations and builds from there with discussions on how to troubleshoot issues relating to trunks, VTP, and VLANs. You will also discover how important the information in the MAC address table can be while troubleshooting.
■ Chapter 5, “Troubleshooting STP and Layer 2 EtherChannel:” This chapter reviews the operation of STP and focuses on troubleshooting STP topology issues such as root bridge selection, root port selection, designated port selection, and finally, the blocked port. You will also examine how to troubleshoot STP features such as PortFast, BPDU Guard, BPDU Filter, Root Guard, Loop Guard, and UDLD. In addition, this chapter reviews how you can combine multiple physical Layer 2 switchports into a logical EtherChannel bundle and how you can troubleshoot issues related to them.
■ Chapter 6, “Troubleshooting Switch Security Features:” This chapter is dedicated to troubleshooting issues related to security features that can be implemented on switches. This includes port security, DHCP snooping, dynamic ARP inspection, IP Source Guard, protected ports, PVLANs, and VACLs. Most of the issues you will experience with these features are configuration based. Therefore, you will focus on the configuration requirements for troubleshooting purposes.
■ Chapter 7, “Troubleshooting Inter-VLAN Routing and Layer 3 EtherChannels:” This chapter focuses on how you can troubleshoot issues related to different inter-VLAN routing implementations (router-on-a-trunk/stick and SVIs), issues related to routed ports, and issues related to Layer 3 EtherChannels.
■ Chapter 8, “Troubleshooting First-Hop Redundancy Protocols:” This chapter discusses the issues that might arise when implementing FHRPs such as HSRP, VRRP, and GLBP. It identifies various elements that could cause these FHRPs not to function as expected and that should be considered while you are troubleshooting. It also provides a collection of commands you can use to successfully troubleshoot issues related to each FHRP.
■ Chapter 9, “Troubleshooting IPv4 Addressing and Addressing Technologies:” This chapter begins by reviewing IPv4 addressing and how you can identify if addressing is the issue. This is extremely important as you do not want to waste your time troubleshooting a service or feature when the issue is related to the device having an inappropriate IPv4 address, subnet mask, or default gateway. The chapter then covers issues and troubleshooting tasks related to DHCPv4 and NAT.

■ Chapter 10, “Troubleshooting IPv6 Addressing and Addressing Technologies:” This chapter covers how an IPv6-enabled device determines whether the destination is local or remote, and what to look for while troubleshooting IPv6-related issues. You will also learn how MAC addresses are determined for known IPv6 addresses, and you will explore the various options for address assignment such as SLAAC and DHCPv6.
■ Chapter 11, “Troubleshooting IPv4 and IPv6 ACLs and Prefix Lists:” This chapter covers the ins and outs of ACLs and prefix lists. You will learn the way they are processed, how they are read, and how you can identify issues related to them. In addition, this chapter explains how you can use ACLs for traffic filtering and how a prefix list can be used for route filtering.
■ Chapter 12, “Troubleshooting Basic IPv4/IPv6 Routing and GRE Tunnels:” This chapter covers the packet-delivery process and the various commands that enable you to troubleshoot issues related to the process. You will learn how a router chooses which sources of routing information are more believable so that only the best routes are in the routing table. You will also learn how to recognize and troubleshoot issues related to static routing and GRE tunnels.
■ Chapter 13, “Troubleshooting RIPv2 and RIPng:” This chapter focuses on the issues that you may have to troubleshoot in a RIPv2 and RIPng domain. This includes how you would recognize the issues based on the presented symptoms and the commands you would use to successfully verify the reason why the issue exists.
■ Chapter 14, “Troubleshooting EIGRP:” This chapter covers troubleshooting of both EIGRP for IPv4 and EIGRP for IPv6. It breaks out the troubleshooting discussions into two different parts: troubleshooting neighbor adjacencies and troubleshooting missing routes. It also covers the troubleshooting of various issues that are not directly related to neighborships or routes that might arise with EIGRP. To wrap up the chapter, named EIGRP troubleshooting is covered.
■ Chapter 15, “Troubleshooting OSPF:” This chapter covers troubleshooting of both OSPFv2 and OSPFv3. It breaks out the troubleshooting discussions into two different parts: troubleshooting neighbor adjacencies and troubleshooting missing routes. It also covers the troubleshooting of various issues that are not directly related to neighborships or routes that might arise with OSPF. To wrap up the chapter, OSPFv3 address family troubleshooting is covered.
■ Chapter 16, “Troubleshooting Route Maps and Policy-Based Routing:” This chapter begins by examining route maps. It gives you the opportunity to review how route maps are read and the commands that you can use to verify a route map’s configuration. The rest of the chapter is dedicated to PBR, which allows you to override the router’s default routing behavior. Therefore, you will discover what could cause PBR not to behave as expected and how you can troubleshoot it.

■ Chapter 17, “Troubleshooting Redistribution:” This chapter explores the differences of redistributing into EIGRP, OSPF, RIP, and BGP for both IPv4 and IPv6. You will learn what to look out for while troubleshooting so that you can quickly solve any issues related to redistribution. In addition, you will examine what could occur in environments that have multiple points of redistribution and how you can identify the issues and solve them.
■ Chapter 18, “Troubleshooting BGP:” This chapter examines the various issues that you may face when trying to establish an IPv4 and IPv6 eBGP and iBGP neighbor adjacency and how you can identify them and troubleshoot them. You will also examine the issues that may arise when exchanging IPv4 and IPv6 eBGP and iBGP routes and how you can recognize them and troubleshoot them successfully. You also need to be very familiar with the decision-making process that BGP uses to be an efficient troubleshooter. Therefore, you will spend time exploring this process in the chapter as well.
■ Chapter 19, “Troubleshooting Management Protocols and Tools:” This chapter covers the issues you might encounter with management protocols such as NTP, syslog, and SNMP. It also covers the issues that you might encounter with management tools, such as Cisco IOS IP SLA, Object Tracking, SPAN, and RSPAN.
■ Chapter 20, “Troubleshooting Management Access:” This chapter examines the different reasons why access to the console and vty lines might fail, and how you can identify them. In addition, you will explore the issues that may arise when using Cisco IOS AAA authentication.
■ Chapter 21, “Additional Trouble Tickets:” This chapter is dedicated to showing you an additional ten trouble tickets and the various approaches that you can take to solve the problems that are presented.
■ Chapter 22, “Final Preparation:” This chapter identifies tools for final exam preparation and helps you develop an effective study plan.
■ Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes:” This appendix has the answers to the “Do I Know This Already” quizzes, and Appendix B, “TSHOOT Exam Updates,” tells you how to find any updates should there be changes to the exam.

Each chapter in the book uses several features to help you make the best use of your time in that chapter. The features are as follows:

■ Assessment: Each chapter begins with a “Do I Know This Already?” quiz that helps you determine the amount of time you need to spend studying each topic of the chapter. If you intend to read the entire chapter, you can save the quiz for later use. Questions are all multiple-choice, to give a quick assessment of your knowledge.
■ Foundation Topics: This is the core section of each chapter that explains the protocols, concepts, configuration, and troubleshooting strategies for the topics in the chapter.

■ Exam Preparation Tasks: At the end of each chapter, this section collects key topics, references to memory table exercises to be completed as memorization practice, key terms to define, and a command reference that summarizes any relevant commands presented in the chapter.

Finally, the companion CD-ROM contains practice CCNP Routing and Switching TSHOOT questions to reinforce your understanding of the book’s concepts. Be aware that the TSHOOT exam will primarily be made up of trouble tickets you need to resolve. Mastery of the topics covered by the CD-based questions, however, will help equip you with the tools needed to effectively troubleshoot the trouble tickets presented on the exam. The CD also contains the Memory Table exercises and answer keys as well as over 60 minutes of video walking you through an exam strategy.

CCNP TSHOOT Exam Topics

Carefully consider the exam topics Cisco has posted on its website as you study, particularly for clues to how deeply you should know each topic. Note that Cisco has occasionally changed exam topics without changing the exam number, so do not be alarmed if small changes in the exam topics occur over time. Cisco indicates this when you view the exam topics on their website. Also, when it is time to use what you have learned, being well rounded counts more than being well tested. Therefore, to ensure that you are well prepared for the exam, we have covered the exam topics as well as any additional topics that we considered to be necessary for your success. For example, there is no mention of Layer 2 security, inter-VLAN routing, or FHRPs in the exam objectives. However, we have included chapters dedicated to these to make sure that you are well prepared. Also, it is possible to receive questions on the exam that are not related to any of the exam topics listed. Remember that it is in your best interest to become proficient in each of the CCNP Routing and Switching subjects; you can develop a broader knowledge of the subject matter by reading and studying the topics presented in this book. Table I-1 shows the official exam topics for the TSHOOT exam, as posted on Cisco.com.

Table I-1 CCNP TSHOOT Exam Topics

Exam Topics (Chapters Where Exam Topics Are Covered)

1.0 Network Principles (Chapters 1 and 2)
    Debug, conditional debug
    Ping and trace route with extended options
    Diagnose the root cause of networking issues (analyze symptoms, identify and describe root cause)
    Design and implement valid solutions
    Verify and monitor resolution

2.0 Layer 2 Technologies (Chapters 4, 5, 19)
    Troubleshooting switch administration
    Troubleshooting Layer 2 protocols
    Troubleshoot VLANs
    Troubleshoot trunking
    Troubleshoot EtherChannels
    Troubleshoot spanning tree
    Troubleshoot other LAN switching technologies
    Troubleshoot chassis virtualization and aggregation technologies

3.0 Layer 3 Technologies (Chapters 9, 10, 12–18)
    Troubleshooting IPv4 addressing and subnetting
    Troubleshoot IPv6 addressing and subnetting
    Troubleshoot static routing
    Troubleshoot default routing
    Troubleshoot administrative distance
    Troubleshoot passive interfaces
    Troubleshoot VRF lite
    Troubleshoot filter with any protocol
    Troubleshoot between any routing protocols or routing sources
    Troubleshoot manual and autosummarization with any routing protocol
    Troubleshoot policy-based routing
    Troubleshoot suboptimal routing
    Troubleshoot loop prevention mechanisms
    Troubleshoot RIPv2
    Troubleshoot EIGRP neighbor relationship and authentication
    Troubleshoot loop free path selection
    Troubleshoot EIGRP operations
    Troubleshoot EIGRP stubs
    Troubleshoot EIGRP load balancing
    Troubleshoot EIGRP metrics
    Troubleshoot OSPF neighbor relationship and authentication
    Troubleshoot network types, area types, and router types
    Troubleshoot OSPF path preference
    Troubleshoot OSPF operations
    Troubleshoot OSPF for IPv6
    Troubleshoot BGP peer relationships and authentication
    Troubleshoot eBGP

4.0 VPN Technologies (Chapter 12)
    Troubleshoot GRE

5.0 Infrastructure Security (Chapters 11 and 20)
    Troubleshoot IOS AAA using local database
    Troubleshoot device access control
    Troubleshoot router security features

6.0 Infrastructure Services (Chapters 2, 9, 10, and 19)
    Troubleshoot device Management
    Troubleshoot SNMP
    Troubleshoot logging
    Troubleshoot Network Time Protocol (NTP)
    Troubleshoot IPv4 and IPv6 DHCP
    Troubleshoot IPv4 Network Address Translation (NAT)
    Troubleshoot SLA architecture
    Troubleshoot tracking objects

This chapter covers the following topics:

■ Introduction to Troubleshooting: This section introduces you to troubleshooting and then focuses on a structured troubleshooting approach. It also provides you with some common steps to help you be more efficient.
■ Popular Troubleshooting Methods: This section introduces you to various troubleshooting methods that can assist in narrowing your focus during your troubleshooting efforts.
■ Introduction to Network Maintenance: This section introduces you to maintenance tasks and identifies a few well-known network maintenance models that you can adopt.
■ Common Maintenance Procedures: This section reviews the common network maintenance tasks that all organizations should perform.
■ The Troubleshooting and Network Maintenance Relationship: This section identifies the importance of aligning maintenance tasks with troubleshooting goals.

CHAPTER 1

Introduction to Troubleshooting and Network Maintenance

Business operations, without a doubt, depend on the reliable operation of data networks (which might also carry voice and video traffic). This statement holds true regardless of the business size. A structured and systematic maintenance approach significantly contributes to the uptime for all networks. In addition, having a sound troubleshooting methodology in place helps ensure that when issues arise you are confident and ready to fix them. Consider a vehicle as an example. Regular maintenance such as oil changes, joint lubrication, and fluid top-offs are performed on a vehicle to ensure that problems do not arise and the life of that vehicle is maximized. However, if an issue does arise, it is taken to a mechanic so that they may troubleshoot the issue using a structured troubleshooting process and ultimately fix the vehicle. Similarly, the number of issues in a network can be reduced by following a maintenance plan, and troubleshooting can be more effective with a structured approach in place.

This chapter discusses the importance of having a structured troubleshooting approach and a solid network maintenance plan. It identifies many popular models, structures, and tasks that should be considered by all organizations. However, as you will see, there is no “one-stop shop for all your needs” when it comes to troubleshooting and network maintenance. It is more of an art that you will master over time.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 1-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 1-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section                                    Questions
Introduction to Troubleshooting                              1–7
Popular Troubleshooting Methods                              8–9
Introduction to Network Maintenance                          10–12
Identifying Common Maintenance Procedures                    13–16
The Troubleshooting and Network Maintenance Relationship     17–20

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Identify the three steps in a simplified troubleshooting model.
a. Problem replication
b. Problem diagnosis
c. Problem resolution
d. Problem report

2. Which of the following is the best statement to include in a problem report?
a. The network is broken.
b. User A cannot reach the network.
c. User B recently changed his PC’s operating system to Microsoft Windows 7.
d. User C is unable to attach to an internal share resource of \\10.1.1.1\Budget, although he can print to all network printers, and he can reach the Internet.

3. What troubleshooting step should you perform after a problem has been reported and clearly defined?
a. Propose an hypothesis
b. Collect information
c. Eliminate potential causes
d. Examine collected information

4. What are the two primary goals of troubleshooters as they are collecting information?
a. Eliminate potential causes from consideration
b. Identify indicators pointing to the underlying cause of the problem
c. Propose an hypothesis about what is most likely causing the problem
d. Find evidence that can be used to eliminate potential causes

5. When performing the “eliminate potential causes” troubleshooting step, which caution should the troubleshooter be aware of?
a. The danger of drawing an invalid conclusion from the observed data
b. The danger of troubleshooting a network component over which the troubleshooter does not have authority
c. The danger of causing disruptions in workflow by implementing the proposed solution
d. The danger of creating a new problem by implementing the proposed solution

6. A troubleshooter is hypothesizing a cause for an urgent problem, and her hypothesis involves a network device that she is not authorized to configure. The person who is authorized to configure the network device is unavailable. What should the troubleshooter do?
a. Wait for authorized personnel to address the issue.
b. Attempt to find a temporary workaround for the issue.
c. Override corporate policy, based on the urgency, and configure the network device independently because authorized personnel are not currently available.
d. Instruct the user to report the problem to the proper department that is authorized to resolve the issue.

7. Experienced troubleshooters with in-depth comprehension of a particular network might skip the examine information and eliminate potential causes steps in a structured troubleshooting model, instead relying on their own insight to determine the most likely cause of a problem. This illustrates what approach to network troubleshooting?
a. Ad hoc
b. Shoot from the hip
c. Crystal ball
d. Independent path

8. Which of the following troubleshooting models requires access to a specific application?
a. Bottom-up
b. Divide-and-conquer
c. Comparing configurations
d. Top-down

9. Based on your analysis of a problem report and the data collected, you want to use a troubleshooting model that can quickly eliminate multiple layers of the OSI model as potential sources of the reported problem. Which of the following troubleshooting methods would be most appropriate?
a. Following the traffic path
b. Bottom-up
c. Divide-and-conquer
d. Component swapping

10. Which of the following are considered network maintenance tasks? (Choose the three best answers.)
a. Troubleshooting problem reports
b. Attending training on emerging network technologies
c. Planning for network expansion
d. Hardware installation

11. Network maintenance tasks can be categorized into one of which two categories?
a. Recovery tasks
b. Interrupt-driven tasks
c. Structured tasks
d. Installation tasks

12. Which letter in the FCAPS acronym represents the maintenance area responsible for billing end users?
a. F
b. C
c. A
d. P
e. S

13. The lists of tasks required to maintain a network can vary widely, depending on the goals and characteristics of that network. However, some network maintenance tasks are common to most networks. Which of the following would be considered a common task that should be present in any network maintenance model?
a. Performing database synchronization for a network’s Microsoft Active Directory
b. Making sure that digital certificates used for PKI are renewed in advance of their expiration
c. Using Cisco Prime to dynamically discover network device changes
d. Performing scheduled backups

14. Which of the following statements is true about scheduled maintenance?
a. Scheduled maintenance helps ensure that important maintenance tasks are not overlooked.
b. Scheduled maintenance is not recommended for larger networks, because of the diversity of maintenance needs.
c. Maintenance tasks should only be performed based on a scheduled maintenance schedule, to reduce unexpected workflow interruptions.
d. Scheduled maintenance is more of a reactive approach to network maintenance, as opposed to a proactive approach.

15. Which of the following questions are appropriate when defining your change management policies?
a. What version of operating system is currently running on the device to be upgraded?
b. What is the return on investment (ROI) of an upgrade?
c. What measurable criteria determine the success or failure of a network change?
d. Who is responsible for authorizing various types of network changes?

16. Which three of the following components would you expect to find in a set of network documentation?
a. Logical topology diagram
b. Listing of interconnections
c. Copy of IOS image
d. IP address assignments

17. What is the ideal relationship between network maintenance and troubleshooting?
a. Networking maintenance and troubleshooting efforts should be isolated from one another.
b. Networking maintenance and troubleshooting efforts should complement one another.
c. Networking maintenance is a subset of network troubleshooting.
d. Networking maintenance and troubleshooting efforts should be conducted by different personnel.

18. Which three of the following suggestions can best help troubleshooters keep in mind the need to document their steps?
a. Require documentation
b. Keep documentation in a hidden folder
c. Schedule documentation checks
d. Automate documentation

19. Which three troubleshooting phases require clear communication with end users?
a. Problem report
b. Information collection
c. Hypothesis verification
d. Problem resolution

20. What are two elements of a change management system?
a. Determine when changes can be made
b. Determine potential causes for the problem requiring the change
c. Determine who can authorize a change
d. Determine what change should be made

Foundation Topics

Introduction to Troubleshooting

Troubleshooting is a skill, and like all skills, you will get better at it the more you have to perform it. The more troubleshooting situations you are placed in, the more your skills will improve, and as a result of this, the more your confidence will grow. However, don't start wishing for issues to happen in your organization just so that you can get more experience. Although there is no right or wrong way to troubleshoot, there is definitely a more efficient and effective way to troubleshoot that all experienced troubleshooters follow. This section begins by introducing you to troubleshooting. It then focuses on a structured troubleshooting approach that provides you with some common methods to enhance your efficiency.

Defining Troubleshooting

Troubleshooting at its essence is the process of responding to a problem report (sometimes in the form of a trouble ticket), diagnosing the underlying cause of the problem, and resolving the problem. Although you normally think of the troubleshooting process as beginning when a user reports an issue, you need to understand that through effective network monitoring you may detect a situation that could become a troubleshooting issue and resolve that situation before it impacts users.

After an issue is reported, the first step toward resolution is clearly defining the issue. When you have a clearly defined troubleshooting target, you can begin gathering further information related to it. From this information, you should be able to better define the issue. Then, based on your diagnosis, you can propose an hypothesis about what is most likely causing the issue. The evaluation of these likely causes then leads to the identification of the suspected underlying root cause of the issue. After you identify a suspected underlying cause, you next define approaches to resolving the issue and select what you consider to be the best approach.

Sometimes the best approach to resolving an issue cannot be implemented immediately. For example, a piece of equipment might need replacing, or a business's workflow might be disrupted by implementing such an approach during working hours. In such situations, a troubleshooter might use a temporary fix until a permanent fix can be put in place.

Let's look at an example. It is 3:00 p.m. at a luxury hotel in Las Vegas. On this day, the hotel cannot register guests or create the keycards needed for guest rooms. After following the documented troubleshooting procedures, the network team discovers that Spanning Tree Protocol (STP) has failed on a Cisco Catalyst switch, resulting in a Layer 2 topological loop. Thus, the network is being flooded with traffic, preventing registrations and keycards from being completed because the server is not accessible. The network team now has to decide on the best course of action at this point. The permanent fix of replacing the failed equipment immediately would disrupt the network further and take a considerable amount of time, thus delaying the guest registrations further. A temporary fix would be to disconnect the redundant links involved in the loop so that the Layer 2 loop is broken and guests can be registered at that point. When the impact on guests and guest services is minimal, the network team can implement the permanent fix.

Consider Figure 1-1, which depicts a simplified model of the troubleshooting steps previously described.

Figure 1-1 Simplified Troubleshooting Flow (Problem Report, then Problem Diagnosis, then Problem Resolution)

This simplified model consists of three steps:

Step 1. Problem report
Step 2. Problem diagnosis
Step 3. Problem resolution

Of these three steps, most of a troubleshooter's efforts are spent in the problem diagnosis step, which is broken up into multiple subcomponents. Table 1-2 describes key components of this problem diagnosis step.

Table 1-2 Steps to Diagnose a Problem

Collect information: Because a typical problem report lacks sufficient information to give a troubleshooter insight into a problem's underlying cause, the troubleshooter should collect additional information, perhaps using network maintenance tools or by interviewing impacted users.

Examine collected information: After collecting sufficient information about a problem, the troubleshooter then examines that information, perhaps comparing the information against previously collected baseline information.

Eliminate potential causes: Based on the troubleshooter's knowledge of the network and his interrogation of collected information, he can begin to eliminate potential causes for the problem.

Propose an hypothesis: After the troubleshooter eliminates multiple potential causes for the problem, he is left with one or more causes that are more likely to have resulted in the problem. The troubleshooter hypothesizes what he considers to be the most likely cause of the problem.

Verify hypothesis: The troubleshooter then tests his hypothesis to confirm or refute his theory about the problem's underlying cause.

For example, your child reports that the toaster won't work. That is the problem report step. You have it clarified further, and your child indicates that the toaster does not get hot. So, you decide to take a look at the toaster and diagnose it. This is the problem diagnosis step.

After collecting, examining, and eliminating, you hypothesize that the power cable for the toaster is not plugged in. You test your hypothesis, and it is correct. Problem solved. This was a simple example, but even with a toaster, you spent the majority of your time diagnosing the problem. Once you determined that there was no electricity to the toaster, you had to figure out whether it was plugged in. If it was plugged in, you then had to consider whether the wall outlet was damaged, or the circuit breaker was off, or the toaster was too old and it broke. All of your effort focused on the problem diagnosis step.

The Value of Structured Troubleshooting

Troubleshooting skills vary from administrator to administrator. Therefore, as mentioned earlier, your skills as a troubleshooter will get better with experience. Being fast comes with experience, but it is not worth much if you are not efficient, and as a troubleshooter, your primary goal is to be efficient. Although in one instance you might be fast at solving the issue, in the next instance you end up taking an unacceptable amount of time. To be efficient, you need to follow a structured troubleshooting method. If you do not follow a structured approach, you might find yourself moving around troubleshooting tasks in a fairly random way based on instinct, hoping it works. Also, it can become confusing to remember what you have tried and what you have not. Eventually, you find yourself repeating solutions you have already tried. In addition, if another administrator comes to assist you, communicating to that administrator the steps you have already gone through becomes a challenge.

A structured troubleshooting method might look like the approach depicted in Figure 1-2. By combining the three main steps with the five substeps, you get the following structured troubleshooting procedure:

Step 1. Problem report
Step 2. Collect information
Step 3. Examine collected information
Step 4. Eliminate potential causes
Step 5. Propose an hypothesis
Step 6. Verify hypothesis
Step 7. Problem resolution

Following a structured troubleshooting approach helps you reduce the possibility of trying the same resolution more than once and inadvertently skipping a task. It also aids in communicating to someone else possibilities that you have already eliminated.

However, with experience, you will start to see similar issues, and you should have exceptional documentation on past network issues and the steps used to solve them. In such instances, spending time methodically examining information and eliminating potential causes might actually be less efficient than immediately hypothesizing a cause after you collect information about the problem and review past documents. This method, illustrated in Figure 1-3, is often called the shoot from the hip method.

Figure 1-2 Example of a Structured Troubleshooting Approach (steps (1) through (7), looping back from Verify Hypothesis to Collect Information when the problem is not solved)

Figure 1-3 Example of a Shoot from the Hip Troubleshooting Approach

The danger with the shoot from the hip method is that if your instincts are incorrect, you waste valuable time, and the problem is not solved. Therefore, you need to be able to revert back to the structured troubleshooting approach as needed and examine all collected information. However, having a structured troubleshooting approach helps ensure that the organization's troubleshooting efforts are following a similar flow each time an issue arises no matter who is assigned the task. This will allow one troubleshooter to more efficiently take over for or assist another troubleshooter if required.

A Structured Approach

No single collection of troubleshooting procedures is capable of addressing all conceivable network issues because there are too many variables (for example, user actions). This section examines each step in a structured approach in more detail as shown in Figure 1-4.

Figure 1-4 A Structured Troubleshooting Approach

1. Problem Report

A problem report from a user often lacks sufficient detail for you to take that problem report and move on to the next troubleshooting process (that is, collect information). For example, a user might report, "The network is broken." If you receive such a vague report, you probably need to contact the user and ask him exactly what aspect of the network is not functioning correctly.

After your interview with the user, you should be able to construct a more detailed problem report that includes statements such as, "When the user does X, she observes Y." For example, "When the user attempts to connect to a website on the Internet, her browser reports a 404 error. However, the user can successfully navigate to websites on her company's intranet." Or, "When the user attempts to connect to an FTP site using a web browser, the web browser reports the page can't be displayed." After you have a clear understanding of the issue, you might need to decide whether this issue is one you are authorized to address or if you need to forward the issue to someone else who is authorized. For example, perhaps your organization has one IT group tasked with managing switches and another IT group charged with managing routers. Therefore, as the initial point of contact, you might need to determine who is responsible for working on the hardware or software associated with that issue. If you are not sure at this point, start collecting information so that the picture can become clearer.

2. Collect Information

When you are in possession of a clear problem report, the next step is gathering relevant information pertaining to the problem, as shown in Figure 1-5.

Figure 1-5 A Structured Troubleshooting Approach (Collect Information)

Efficiently and effectively gathering information involves focusing information gathering efforts on appropriate network entities (for example, routers, switches, servers, or clients) from which information should be collected. Otherwise, the troubleshooter could waste time wading through reams of irrelevant data. For example, with our FTP site problem report, the FTP resources are accessible through an FTP client. Troubleshooters not aware of that might spend hours collecting irrelevant data with debug, show, ping, and traceroute commands, when all they had to do was point the user to the FTP client installed on the client's computer. Therefore, to be efficient and effective, the troubleshooter needs to understand what is required to access the resources the end user is unable to access. In addition, be mindful that you might have to pass this information on to another member of your IT group at some point, so accurate documentation is important.

Alternatively, perhaps a troubleshooter is using a troubleshooting model that follows the path of the affected traffic (as discussed in the "Popular Troubleshooting Methods" section of this chapter), and information needs to be collected from a network device over which the troubleshooter has no access. At that point, the troubleshooter might need to work with appropriate personnel who have access to that device. Alternatively, the troubleshooter might switch troubleshooting models. For example, instead of following the traffic's path, the troubleshooter might swap components or use a bottom-up troubleshooting model.

3. Examine Collected Information

After collecting information about the problem report (for example, collecting output from show or debug commands, performing packet captures, using ping, or traceroute), the next structured troubleshooting step is to analyze the collected information as shown in Figure 1-6.

Figure 1-6 A Structured Troubleshooting Approach (Examine Information)

A troubleshooter has two primary goals while examining the collected information:

■ Identify indicators pointing to the underlying cause of the problem
■ Find evidence that can be used to eliminate potential causes

To achieve these two goals, the troubleshooter attempts to find a balance between two questions:

■ What is occurring on the network?
■ What should be occurring on the network?

The delta between the responses to these questions might give the troubleshooter insight into the underlying cause of a reported problem. If the troubleshooter is experienced with the applications and protocols being examined, the troubleshooter might be able to determine what is occurring on the network and how that differs from what should be occurring. However, if the troubleshooter lacks knowledge of specific protocol behavior, she still might be able to effectively examine the collected information by contrasting that information with baseline data or documentation. Documentation plays an extremely important role at this point. Accurate and up-to-date documentation can assist a troubleshooter in examining the collected data to determine whether anything has changed in relation to the setup or configuration.

A challenge, however, is for the troubleshooter to know what currently should be occurring on the network. This implies that as part of a routine network maintenance plan, baseline data should periodically be collected when the network is functioning properly. Baseline data might contain, for example, the output of show and debug commands issued on routers when the network was functioning properly. By contrasting this baseline data with data collected after a problem occurred, even an inexperienced troubleshooter might be able to see the difference between the data sets, thus providing a clue as to the underlying cause of the problem under investigation.

Going back to the FTP example, if the troubleshooter was not aware that an FTP client was required, a quick review of the documentation related to FTP connectivity would indicate so. This would allow the troubleshooter to move on to the next step.

4. Eliminate Potential Causes

Following an examination of collected data, a troubleshooter can start to form conclusions based on that data. Some conclusions might suggest a potential cause for the problem, whereas other conclusions eliminate certain causes from consideration (see Figure 1-7).

Figure 1-7 A Structured Troubleshooting Approach (Eliminate Potential Causes)

It is imperative that you not jump to conclusions at this point. Jumping to conclusions can make you less efficient as a troubleshooter as you start formulating hypotheses based on a small fraction of collected data, which leads to more work and slower overall response times to problems. As an example, a troubleshooter might jump to a conclusion based on the following scenario, which results in wasted time:

A problem report indicates that PC A cannot communicate with server A, as shown in Figure 1-8. The troubleshooter is using a troubleshooting method that follows the path of traffic through the network. The troubleshooter examines output from the show cdp neighbor command on routers R1 and R2. Because those routers do not recognize each other as Cisco Discovery Protocol (CDP) neighbors, the troubleshooter leaps to the conclusion that Layer 2 and Layer 1 connectivity is down between R1 and R2. The troubleshooter then runs to the physical routers to verify physical connectivity, only to see that all is fine. Reviewing further output and documentation indicates that CDP is disabled on R1 and R2 interfaces for security reasons. Therefore, the output of show cdp neighbors alone is insufficient to conclude that Layer 2 and 1 connectivity was the problem.

Figure 1-8 Scenario Topology (PC A, switch SW1, router R1, router R2, switch SW2, Server A; R1 and R2 are in OSPF Area 0, with CDP between them)

On another note, a caution to be observed when drawing conclusions is not to read more into the data than what is actually there. As an example, a troubleshooter might reach a faulty conclusion based on the following scenario:

A problem report indicates that PC A cannot communicate with server A, as shown in Figure 1-8. The troubleshooter is using a troubleshooting method that follows the path of traffic through the network. The troubleshooter examines output from the show cdp neighbor command on routers R1 and R2. Because those routers recognize each other as Cisco Discovery Protocol (CDP) neighbors, the troubleshooter leaps to the conclusion that these two routers see each other as Open Shortest Path First (OSPF) neighbors and have mutually formed OSPF adjacencies. However, the show cdp neighbor output is insufficient to conclude that OSPF adjacencies have been formed between routers R1 and R2.

As shown by the previous examples, continuing your troubleshooting efforts based on a faulty conclusion can dramatically increase the time required to resolve a problem. In addition, if time permits, explaining the rationale for your conclusions to a coworker can often help reveal faulty conclusions.

5. Propose an Hypothesis

By eliminating potential causes of a reported problem, as described in the previous process, troubleshooters should be left with one or a few potential causes that they can focus on. At this point, troubleshooters should rank the potential causes from most likely to least likely. Troubleshooters should then focus on the cause they believe is most likely to be the underlying one for the reported problem and propose an hypothesis, as shown in Figure 1-9.

Figure 1-9 A Structured Troubleshooting Approach (Propose an Hypothesis)

After proposing an hypothesis, troubleshooters might realize that they are not authorized to access a network device that needs to be accessed to resolve the problem report. In such a situation, a troubleshooter needs to assess whether the problem can wait until authorized personnel have an opportunity to resolve the issue. If the problem is urgent and no authorized administrator is currently available, the troubleshooter might attempt to at least alleviate the symptoms of the problem by creating a temporary workaround. Although this approach does not solve the underlying cause, it might help business operations continue until the main cause of the problem can be appropriately addressed. Therefore, if troubleshooters decide to implement a workaround, they need to come up with a plan and implement it while noting that a permanent solution is still needed.

6. Verify Hypothesis

After troubleshooters propose what they believe to be the most likely cause of a problem, they need to develop a plan to address the suspected cause and implement it, as shown in Figure 1-10. However, implementing a plan that resolves a network issue often causes temporary network outages for other users or services, which ultimately affects the financial bottom line. Therefore, the troubleshooter must balance the urgency of the problem with the potential overall loss of productivity. If the impact on workflow outweighs the urgency of the problem, the troubleshooter might wait until after business hours to execute the plan. There should be a change management procedure in place that helps the troubleshooter determine the most appropriate time to make changes to the production network and the steps required to do so.

A key (and you should make it mandatory) component in implementing a problem solution is to have the steps documented. Not only does a documented list of steps help ensure the troubleshooter does not skip any, but such a document can serve as a rollback plan if the implemented solution fails to resolve the problem, or if the execution of the plan resulted in one or more additional problems. In that case, the troubleshooter should execute the rollback plan. After the network is returned to its previous state (that is, the state prior to deploying the proposed solution), the troubleshooter can then reevaluate her hypothesis. Although the troubleshooter might have successfully identified the underlying cause, perhaps the solution failed to resolve that cause. At that point, the troubleshooter could create a different plan to address that cause. Alternatively, if the troubleshooter had identified other causes and ranked them during the propose an hypothesis step, she can focus her attention on the next most likely cause and create an action plan to resolve that cause and implement it. This process can be repeated until the troubleshooter has exhausted the list of potential causes or is unable to collect information that can point to other causes. If the problem is still not resolved after the troubleshooter implements the plan, a troubleshooter might need to gather additional information or enlist the aid of a coworker or the Cisco Technical Assistance Center (TAC).

Figure 1-10 A Structured Troubleshooting Approach (Verify Hypothesis)

7. Problem Resolution

This is the final step of the structured approach, as shown in Figure 1-11. Although this is one of the most important steps, it is often forgotten or overlooked. After the reported problem is resolved, the troubleshooter should report the problem resolution to the appropriate party or parties. Beyond simply notifying a user that a problem has been resolved, the troubleshooter should get user confirmation that the observed symptoms are now gone. This task confirms that the troubleshooter resolved the specific issue reported in the problem report, rather than a tangential issue. As a final task, the troubleshooter should make sure that the solution becomes a documented part of the network. This implies that routine network maintenance will maintain the implemented solution. For example, if the solution involves reconfiguring a Cisco IOS router, a backup of that new configuration should be made part of routine network maintenance practices.

Figure 1-11 A Structured Troubleshooting Approach (Problem Resolution)

Popular Troubleshooting Methods

As shown in the structured approach, the elimination of potential causes is a key step. You can use several common troubleshooting methods to narrow the field of potential causes:

■ The top-down method
■ The bottom-up method
■ The divide-and-conquer method
■ Following the traffic path
■ Comparing configurations
■ Component swapping

This section defines each of these methods in greater detail. However, keep in mind that there is no single best method. Depending on your situation and the issue you are troubleshooting, you may use one or multiple methods.

The Top-Down Method

The top-down troubleshooting method begins at the top layer of the Open Systems Interconnection (OSI) seven-layer model, as shown in Figure 1-12. The top layer is numbered Layer 7 and is named the application layer. The top-down method first checks the application residing at the application layer and moves down from there. The theory is, when the troubleshooter encounters a layer that is functioning, the assumption can be made that all lower layers are also functioning. For example, if you can ping a remote IP address, you can assume that Layers 1–3 are functioning properly, because ping uses Internet Control Message Protocol (ICMP), which is a Layer 3 protocol. Otherwise, your ping would have failed. A potential downside to this approach is that the troubleshooter needs access to the specific application experiencing a problem to test Layer 7.

Figure 1-12 Top-Down Troubleshooting Method (OSI Layer 7: Application, Layer 6: Presentation, Layer 5: Session, Layer 4: Transport, Layer 3: Network, Layer 2: Data Link, Layer 1: Physical)

The Bottom-Up Method

The reciprocal of the top-down method is the bottom-up method, as illustrated in Figure 1-13. The bottom-up method seeks to narrow the field of potential causes by eliminating OSI layers beginning at Layer 1, the physical layer. Although this is a highly effective method, the bottom-up approach might not be efficient in larger networks because of the time required to fully test lower layers of the OSI model. Therefore, the bottom-up method is often used after employing some other method to narrow the scope of the problem.

Figure 1-13 Bottom-Up Troubleshooting Method (OSI Layers 1 through 7)

The Divide-and-Conquer Method

After analyzing the information collected for a problem, you might not see a clear indication as to whether the top-down or bottom-up approach would be most effective. In such a situation, you might select the divide-and-conquer approach, which begins in the middle of the OSI stack, as shown in Figure 1-14.

Figure 1-14 Divide-and-Conquer Troubleshooting Method (ping 10.1.2.3 tested at Layer 3, with Layers 4 through 7 above and Layers 1 and 2 below)

In Figure 1-14, the network administrator issued the ping 10.1.2.3 command. If the result was successful, the administrator could conclude that Layers 1–3 were operational, and a bottom-up approach could begin from that point. However, if the ping failed, the administrator could begin a top-down approach at Layer 3.

11 From the Library of Outcast Outcast . You can also look at the configuration stored in a document (Word.0 255. the problem might be resolved without a thorough understanding of what caused the problem.8.10 ! ip dhcp pool POOL-A network 10. Notepad) to see whether it is the same.0 default-router 10.255. If everything looks good on that link. in addition to the original issue.8.1 10. However. For example. there are addi- tional issues introduced based on an invalid configuration.OUTPUT OMITTED. you could first check the link between the client and switch SW1.. For example. you would check the link between router R1 and switch SW2. Therefore.8.255. imagine that you have multiple remote offices. the problem is more likely to recur. and you were asked to spot the differences... if the client depicted in Figure 1-15 is unable to reach its server. and finally the link between switch SW2 and the server.8. Chapter 1: Introduction to Troubleshooting and Network Maintenance 23 The Following the Traffic Path Method Another useful troubleshooting approach is to follow the path of the traffic experiencing a problem.8.8. Clients at one of those remote offices cannot obtain an IP address via Dynamic Host Configuration Protocol (DHCP). In addition. This childhood skill can also prove valuable when troubleshooting some network issues. Step 1 Step 2 Step 3 Step 4 Client Switch Router Switch Server SW1 R1 SW2 Figure 1-15 Following the Traffic Path Troubleshooting Method The Comparing Configurations Method Did you ever find yourself looking through a Highlights magazine as a child? This maga- zine often featured two similar pictures.8. what if the documentation is outdated? Now. each running the same model of Cisco router. Next. ip dhcp excluded-address 10..8. This methodology is often an appropri- ate approach for a less-experienced troubleshooter not well versed in the specifics of the network. you could then check the connection between the switch SW1 and router R1. 
One troubleshooting approach is to compare that site's router configuration with the router configuration of another remote site that is working properly. The same comparison can be made between a device's current configuration and an archived copy of it. Can you spot the difference in the outputs of Example 1-1a and Example 1-1b?

Example 1-1a show run

    R1# show run
    ...OUTPUT OMITTED...
    ip dhcp excluded-address 10.8.8.1 10.8.8.10
    !
    ip dhcp pool POOL-A
     network 10.8.8.0 255.255.255.0
     default-router 10.8.8.11
     dns-server 192.168.1.1
     netbios-name-server 192.168.1.2
    ...OUTPUT OMITTED...

Example 1-1b more tftp://10.1.1.10/R1.cfg

    R1# more tftp://10.1.1.10/R1.cfg
    ...OUTPUT OMITTED...
    ip dhcp excluded-address 10.8.8.1 10.8.8.10
    !
    ip dhcp pool POOL-A
     network 10.8.8.0 255.255.255.0
     default-router 10.8.8.1
     dns-server 192.168.1.1
     netbios-name-server 192.168.1.2
    ...OUTPUT OMITTED...

In Example 1-1a, show run displays the current running configuration. Example 1-1b uses more tftp://10.1.1.10/R1.cfg to display the archived configuration that was produced as a baseline and stored on a TFTP server. The default router in DHCP pool POOL-A has been changed from 10.8.8.1 to 10.8.8.11. A one-line difference like this is easy to miss by eye, yet it changes the gateway that every DHCP client at the site is told to use, which is exactly the kind of drift a comparison against a trusted baseline is meant to expose.

The Component Swapping Method

Yet another approach to narrowing the field of potential causes of a problem is to physically swap out components. If a problem's symptoms disappear after swapping out a particular component (for example, a cable or a switch), you can conclude that the old component was faulty (either in its hardware or its configuration). Although swapping out components in this fashion might not provide great insight into the specific problem, it could help focus your troubleshooting efforts. As you test each component and find it is not the problem, undo the change before moving on, so that only one variable changes at a time.

As an example, consider Figure 1-16. A problem report states that the connection between laptop A and switch SW1 is not bringing up a link light on either the laptop or the switch. As a first step, you might swap out the cable interconnecting these two devices with a known working cable. If the problem continues, you will want to undo the change you made and then move the cable from switchport 1 to switchport 2, checking for configuration or hardware issues. As a next step, if the problem continues, you could connect a different laptop to switch SW1. If the problem goes away, you could conclude that the issue is with laptop A. If the problem persists, you could swap out switch SW1 with another switch (SW2 in this example). If swapping out the switch resolved the issue, you could start to investigate the configuration of the original switch.
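The comparison in Examples 1-1a and 1-1b is easy to do by eye for one DHCP pool but not for a few thousand lines of configuration, and it is the same check the Automate documentation suggestion later in this chapter recommends running routinely. The following Python script is an added example (not code from the book or from Cisco) that parses two configurations into sections and reports the lines that differ. The configuration text is constructed to match the two examples above; the hostname and interface lines are assumptions added for realism.

```python
"""Section-aware comparison of a running IOS configuration against an archived baseline."""
import re
from typing import Dict, List

# Constructed inputs that mirror Example 1-1a (running) and Example 1-1b (baseline);
# the hostname and interface lines are assumptions added for realism, not from the chapter.
RUNNING_CONFIG = """\
hostname R1
!
ip dhcp excluded-address 10.8.8.1 10.8.8.10
!
ip dhcp pool POOL-A
 network 10.8.8.0 255.255.255.0
 default-router 10.8.8.11
 dns-server 192.168.1.1
 netbios-name-server 192.168.1.2
!
interface GigabitEthernet0/0
 ip address 10.8.8.1 255.255.255.0
!
end
"""

BASELINE_CONFIG = """\
hostname R1
!
ip dhcp excluded-address 10.8.8.1 10.8.8.10
!
ip dhcp pool POOL-A
 network 10.8.8.0 255.255.255.0
 default-router 10.8.8.1
 dns-server 192.168.1.1
 netbios-name-server 192.168.1.2
!
interface GigabitEthernet0/0
 ip address 10.8.8.1 255.255.255.0
!
end
"""

# Lines IOS emits or rewrites on its own; excluding them avoids false drift reports.
NOISE = re.compile(r"^(Building configuration|Current configuration|ntp clock-period|end\s*$)")


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group a config into {top-level command: [indented child lines]}.

    A global one-line command becomes a key with an empty child list. Nesting deeper
    than one level (for example address-family under router bgp) is flattened into the
    enclosing top-level section, which is sufficient for a line-level comparison.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!") or NOISE.match(line):
            continue
        if line[0].isspace() and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections


def diff_configs(running: str, baseline: str) -> List[str]:
    """List every line present in one config but not the other, tagged with its section.

    Comparison is set-based, so it reports what changed but not reordering inside a
    section; for order-sensitive sections such as access lists, compare the lists directly.
    """
    run, base = parse_sections(running), parse_sections(baseline)
    findings: List[str] = []
    for section in sorted(set(run) | set(base)):
        if section not in base:
            findings.append(f"+ section added: {section}")
        elif section not in run:
            findings.append(f"- section removed: {section}")
        else:
            run_lines, base_lines = set(run[section]), set(base[section])
            findings.extend(f"- [{section}] {line}" for line in sorted(base_lines - run_lines))
            findings.extend(f"+ [{section}] {line}" for line in sorted(run_lines - base_lines))
    return findings


if __name__ == "__main__":
    for finding in diff_configs(RUNNING_CONFIG, BASELINE_CONFIG):
        print(finding)
```

Run against the two constructed configurations, the only findings are the removed default-router 10.8.8.1 and the added default-router 10.8.8.11 inside ip dhcp pool POOL-A, which is the change the examples ask you to spot. Because the baseline comes from a TFTP server, the comparison is only as trustworthy as that server: an attacker who can alter the archive can also hide the drift.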

Figure 1-16 Component Swapping (diagram; four panels: swap the cable between laptop A and port 1 of switch SW1; move laptop A from port 1 to port 2 of SW1; replace laptop A with laptop B on port 1; replace switch SW1 with switch SW2)

Practice Exercise: Selecting a Troubleshooting Approach

As a troubleshooter, you might use one of the previously discussed troubleshooting methods or perhaps a combination of methods to eliminate causes. To illustrate how you might select an appropriate troubleshooting approach, consider the following problem report:

A computer lab at a university contains 48 PCs. Currently, 24 of the PCs cannot access the Internet; the other 24 PCs can. The 24 PCs that cannot currently access the Internet were able to access the Internet yesterday.

Consider which of the previously discussed troubleshooting models might be appropriate for an issue such as the one reported. After you reach your own conclusions about which method or methods would be most appropriate, consider the following rationale:

■ Top-down: Because the application is working on some PCs in the same location, starting at the application layer will probably not be effective. Although it is possible that 24 of the PCs have some setting in their Internet browser (for example, a proxy configuration) that prevents them from accessing the Internet, these PCs were working yesterday. Therefore, it is unlikely that these 24 PCs were all recently reconfigured with an incorrect application configuration.

■ Bottom-up: Based on the symptom reported, it is reasonable to guess that there might be an issue with an Ethernet switch (perhaps with a port density of 24). Therefore, a bottom-up approach stands a good chance of isolating the problem quickly.

■ Divide-and-conquer: The problem seems to be related to a block of PCs, and the problem is probably not application related. Therefore, a divide-and-conquer approach could be useful. Starting at Layer 3 (that is, the network layer), you could issue a series of pings to determine whether a next-hop gateway is reachable. If the next-hop gateway is not reachable, you could start to troubleshoot Layer 2.

■ Following the traffic path: The symptom seems to indicate that these 24 PCs might share a common switch. Therefore, following the traffic path to the other end of the cabling (that is, to a switch) could prove useful. Perhaps the switch has lost power, resulting in this connectivity issue for the 24 PCs.

■ Comparing configurations: If a previous troubleshooting method (for example, divide-and-conquer, bottom-up, or following the traffic path) reveals that the 24 PCs that are not working are connected to one Cisco Catalyst switch, and the 24 PCs that are working are connected to another Cisco Catalyst switch, comparing the configuration of those two switches could prove helpful.

■ Component swapping: Because the 24 PCs are experiencing the same problem within a short time frame (since yesterday), it is unlikely that swapping cables would be useful. However, if these 24 PCs connect to the same Cisco Catalyst switch, swapping out the switch could help isolate the problem.

As you can see from the analysis of the different methods, each has the possibility of providing valuable information that will help you solve this issue. However, you will not usually rely on just one method while you are troubleshooting. You will combine the different methods to produce the most accurate picture possible.
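The rationale above is a reasoning exercise, but the divide-and-conquer and follow-the-path arguments can be made mechanical: the faulty component must lie on the path of every failing PC and on the path of no working PC. The following Python function is an added example (not from the book) that applies that rule to a constructed cabling table for the 48-PC lab. The switch names SW1 and SW2, their uplinks, the distribution switch DSW1 and the gateway R1 are assumptions, since the chapter does not describe how the lab is wired.

```python
"""Localize a shared fault from which hosts are failing and which are working."""
from typing import Dict, List, Sequence

# Constructed cabling for the 48-PC lab in the exercise. The access switches, uplinks,
# distribution switch and gateway are assumptions, not taken from the chapter.
LAB_PATHS: Dict[str, List[str]] = {}
for n in range(1, 49):
    access = "SW1" if n <= 24 else "SW2"
    LAB_PATHS[f"PC{n}"] = [
        f"PC{n}-link",        # the PC's own NIC, patch cable and switch port
        access,               # 24-port access switch
        f"{access}-uplink",   # uplink from the access switch
        "DSW1",               # distribution switch shared by both access switches
        "R1-gateway",         # default gateway / Internet edge router
    ]


def localize_fault(paths: Dict[str, Sequence[str]],
                   failing: Sequence[str],
                   working: Sequence[str]) -> List[str]:
    """Return the components that every failing host depends on and no working host does.

    A component used by a working host cannot be the single point of failure, and the
    fault must lie on a component common to all failing hosts. The result keeps the order
    of the path from the host outward, so the first entry is where a bottom-up check (or
    the first component swap) should start.
    """
    if not failing:
        return []
    common = set(paths[failing[0]])
    for host in failing[1:]:
        common &= set(paths[host])
    exonerated = set()
    for host in working:
        exonerated |= set(paths[host])
    suspects = common - exonerated
    return [component for component in paths[failing[0]] if component in suspects]


if __name__ == "__main__":
    down = [f"PC{n}" for n in range(1, 25)]
    up = [f"PC{n}" for n in range(25, 49)]
    print(localize_fault(LAB_PATHS, down, up))          # the exercise: SW1 or its uplink
    print(localize_fault(LAB_PATHS, ["PC7"], up))       # a single PC: its own cable or port
    print(localize_fault(LAB_PATHS, down + up, []))     # everything down: shared upstream
```

With 24 PCs down and 24 up, the only suspects are SW1 and its uplink, which is the conclusion the bottom-up and follow-the-path arguments reach. With a single PC down the suspect collapses to that PC's own cable and port, the component-swapping case from Figure 1-16; with every PC down, only the shared distribution switch and gateway remain. The method breaks down when two independent faults occur at once, which is a reason to keep the "undo each swap" discipline and not trust a single localisation blindly.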

Introduction to Network Maintenance

Network maintenance is an inherent component of a network administrator's responsibilities. However, that network administrator might be performing maintenance tasks in response to a reported problem. This reactive approach is unavoidable, because unforeseen issues do arise. However, the occurrence of these interrupt-driven maintenance tasks can be reduced by proactively performing regularly scheduled maintenance tasks. You could think of regularly scheduled tasks, such as performing backups and software upgrades, as important but not urgent. Spending more time on the important tasks can help reduce time spent on the urgent tasks (for example, responding to user connectivity issues or troubleshooting a network outage).

This section begins by identifying several common network maintenance tasks that are seen in most organizations. It then introduces standard network maintenance models. However, these off-the-shelf models might not be a perfect fit for the organization. Therefore, this section discusses how to adapt a well-known model to individual needs. It concludes by discussing several procedures that are a must for maintenance success.

Defining Network Maintenance

Network maintenance, at its essence, is doing whatever is required to keep the network functioning and meeting the business needs of an organization. Therefore, you need to analyze the business needs of the organization and determine which maintenance tasks are necessary for the success of the business.

Time and money need to be spent wisely, and critical business processes need more attention. For example, are you going to back up each PC in the company on a nightly basis, or are you going to have all users store resources on a central server and back up the central server?

Some examples of the tasks that fall under the umbrella of network maintenance are as follows:

■ Hardware and software installation and configuration
■ Troubleshooting problem reports
■ Monitoring and tuning network performance
■ Planning for network expansion
■ Documenting the network and any changes made to the network
■ Ensuring compliance with legal regulations and corporate policies
■ Securing the network against internal and external threats
■ Backing up files and databases

Obviously, this listing is only a sampling of network maintenance tasks. Also, keep in mind that the list of tasks required to maintain your network could differ significantly from the list of tasks required to maintain another network. You need to align your maintenance tasks with your business needs.

Proactive Versus Reactive Network Maintenance

Network maintenance tasks can be categorized as one of the following:

■ Interrupt-driven tasks: Involve resolving issues as they are reported
■ Structured tasks: Performed as a predefined plan

Interrupt-driven tasks are not planned. They result from something happening in the network that requires your attention. It may need your immediate attention, or it may be something you can put off until later. Interrupt-driven tasks can never be completely eliminated; however, you can significantly reduce their occurrence when you have a strategic, structured approach in place. In addition, you will also know which tools are required and how to use them to solve the problem.

Implementing a structured maintenance approach confers many benefits. It reduces total network downtime because you are aware of problems and fix them before they become a major issue. If you do have an unplanned network outage (interrupt-driven), you can resolve it more quickly because a predefined plan is in place to handle that type of outage. It is more cost-effective because fewer major problems occur, resulting in fewer resources being consumed for problem resolution. A structured maintenance approach also includes planning for future network capacity; therefore, appropriate hardware and software purchases can be made early on, reducing obsolescence of relatively new purchases.

A structured approach also takes into consideration underlying business goals. As a result, resources can be allocated that complement business drivers. Security vulnerabilities are also more likely to be discovered through ongoing network monitoring, which is another component of a structured maintenance approach.

Well-Known Network Maintenance Models

The subtleties of each network should be considered when constructing a structured network maintenance model. However, rather than starting from scratch, you might want to base your maintenance model on one of the well-known maintenance models and make adjustments as appropriate. The following is a sampling of some of the more well-known maintenance models:

■ FCAPS: FCAPS (which stands for fault management, configuration management, accounting management, performance management, and security management) is a network maintenance model defined by the International Organization for Standardization (ISO).

■ ITIL: The IT Infrastructure Library (ITIL) defines a collection of best-practice recommendations that work together to meet IT business management goals.

■ Cisco Lifecycle Services: The Cisco Lifecycle Services maintenance model defines distinct phases in the life of a Cisco technology in a network. These phases are prepare, plan, design, implement, operate, and optimize. As a result, the Cisco Lifecycle Services model is often referred to as the PPDIOO model.

Example of Adapting a Network Maintenance Model

The maintenance model you use in your network should reflect business drivers, resources, and expertise unique to your network. Once you choose the model, you must adapt the model to your environment. Suppose, for example, that you have selected the ISO FCAPS model as the foundation for your maintenance model. To adapt the FCAPS model for your environment, you should identify specific tasks to perform on your network for each element of the FCAPS model. Table 1-3 provides a sampling of tasks that might be categorized under each of the FCAPS management areas.

Table 1-3 FCAPS Management Tasks

Type of Management       | Examples of Management Tasks
-------------------------|---------------------------------------------------------------
Fault management         | Use network management software to collect information from routers and switches. Send an e-mail alert when processor utilization or bandwidth utilization exceeds a threshold of 80 percent. Respond to incoming trouble tickets from the help desk.
Configuration management | Require logging of any changes made to network hardware or software configurations. Implement a change management system to alert relevant personnel of planned network changes.
Accounting management    | Invoice IP telephony users for their long-distance and international calls.
Performance management   | Monitor network performance metrics for both LAN and WAN links. Deploy appropriate quality of service (QoS) solutions to make the most efficient use of relatively limited WAN bandwidth, while prioritizing mission-critical traffic.
Security management      | Deploy firewall, virtual private network (VPN), and intrusion prevention system (IPS) technologies to defend against malicious traffic. Create a security policy dictating rules of acceptable network use. Use an authentication, authorization, and accounting (AAA) server to validate user credentials, assign appropriate user privileges, and log user activity.

By clearly outlining a maintenance methodology and defining actionable and measurable processes, you can reduce network downtime and more effectively perform interrupt-driven tasks.

Common Maintenance Procedures

No two network maintenance models will be exactly the same, because of the different business drivers involved. However, there are tasks common to nearly all network maintenance models that will be implemented by all organizations regardless of the business drivers. This section discusses common maintenance tasks that all organizations should be performing, even though no two organizations will implement them in exactly the same way.

Routine Maintenance Tasks

Regardless of the organization, there will be maintenance tasks in each organization that occur routinely. This routine can be hourly, daily, weekly, monthly, per quarter, or per year. As you can see, the routine can be frequent or infrequent, but it can also be regular or irregular. For example, backing up a server on a daily basis at 10:00 p.m. is frequent and regular. However, adding users or moving users, and updating the network based on the user changes, is going to be different each time. We cannot have a regular schedule for these types of tasks because they are infrequent and irregular. The key with all these tasks is that they are routine, regardless of their being frequent, infrequent, regular, or irregular, and they should be present in a listing of procedures contained in a network maintenance model. Keeping track of what is being done on the network, and when it is being done, is the purpose of that listing. Following is a listing of such common maintenance tasks:

■ Configuration changes: Businesses are dynamic environments, where relocation of users from one office space to another, the addition of temporary staffers, and new hires are commonplace. In response to organizational changes, network administrators need to respond by performing appropriate reconfigurations and additions to network hardware and software. These processes are often referred to as moves, adds, and changes.

■ Replacement of older or failed hardware: As devices age, their reliability and comparable performance tend to deteriorate. Therefore, a common task is the replacement of older hardware, typically with better-performing and more feature-rich devices. Occasionally, production devices fail, thus requiring immediate replacement.

■ Scheduled backups: Recovery from a major system failure can occur much quicker if network data and device configurations have been regularly backed up. Therefore, a common network maintenance task is to schedule, perform, and verify backups of selected data and configuration information. These backups can also be useful in recovering important data that was deleted.

■ Updating software: Updates to operating system software (for servers, clients, and even network devices) are periodically released. The updates often address performance issues and security vulnerabilities. New features are also commonly offered in software upgrades. Therefore, performing routine software updates becomes a key network maintenance task.

■ Monitoring network performance: The collection and interpretation of traffic statistics, bandwidth utilization statistics, and resource utilization statistics for network devices are common goals of network monitoring. Through effective network monitoring (which might involve the collection and examination of log files or the implementation of a high-end network management server), you can better plan for future expansion (that is, capacity planning), anticipate potential issues before they arise, and better understand the nature of the traffic flowing through your network.

Scheduled Maintenance

Take a moment and define the network maintenance tasks for your network. After doing so, rank them in order of priority. Some tasks will undoubtedly be urgent in nature and need a quick response when things go wrong (for example, replacing a failed router that connects the business to the Internet). Other tasks can be scheduled. For example, you might schedule weekly full backups of your network's file servers, and you might have a monthly maintenance window, during which time you apply software patches. By having such a schedule for routine maintenance tasks, network administrators are less likely to forget an important task because they were busy responding to urgent tasks. Also, users can be made aware of when various network services will be unavailable due to maintenance windows, thus minimizing the impact on workflow.

Managing Network Changes

Making changes to a network often has the side effect of impacting the productivity of users relying on network resources. In addition, a change to one network component might create a problem for another network component. For example, perhaps a firewall was installed to provide better security for a server farm.

However, in addition to common protocols that were allowed to pass through the firewall (for example, DNS, SMTP, HTTP, HTTPS, POP3, and IMAP), one of the servers in the server farm acted as an FTP server, and the firewall configuration did not consider that server. Therefore, the installation of a firewall to better secure a server farm resulted in a troubleshooting issue, where users could no longer reach their FTP server. An inventory of the services the server farm actually exposes, taken before the rule set went live, would have caught the omission.

Making different organization areas aware of upcoming maintenance operations can also aid in reducing unforeseen problems associated with routine maintenance. For example, suppose that one information technology (IT) department within an organization is responsible for maintaining WAN connections that interconnect various corporate offices, whereas another IT department is charged with performing network backups. If the WAN IT department plans to upgrade the WAN link between a couple of offices at 2:00 a.m. next Tuesday, the IT department in charge of backups should be made aware of that planned upgrade, because a backup of remote data (that is, data accessible over the WAN link to be upgraded) might be scheduled for that same time period.

Some organizations have a formalized change management process, where one department announces online its intention to perform a particular maintenance task during a specified time period. Other departments are then notified of this upcoming change and determine whether the planned change will conflict with that department's operations. If a conflict is identified, the departments can work together to accommodate one another's needs.

The timing of network changes should also be considered. Rather than taking a router down to upgrade its version of Cisco IOS during regular business hours, such an operation should probably be performed during off hours.

Of course, some network maintenance tasks are urgent (for example, a widespread network outage). Those tasks need timely responses, without going through a formalized change management notification process and allowing time for other departments to respond.

When defining a change management system for your organization, consider the following:

■ Who is responsible for authorizing various types of network changes?
■ Which tasks should only be performed during scheduled maintenance windows?
■ What procedures should be followed prior to making a change (for example, backing up a router's configuration prior to installing a new module in the router)?
■ What measurable criteria determine the success or failure of a network change?
■ How will a network change be documented, and who is responsible for the documentation?
■ How will a rollback plan be created, such that a configuration can be restored to its previous state if the changes resulted in unexpected problems?
■ Under what circumstances can formalized change management policies be overridden, and what (if any) authorization is required for an override?

Maintaining Network Documentation

Network documentation typically gets created as part of a network's initial design and installation. However, keeping that documentation current, reflecting all changes made since the network's installation, should be part of any network maintenance model. Keeping documentation current helps more effectively isolate problems when troubleshooting. In addition, accurate documentation can prove to be valuable to designers who want to scale the network.

At a basic level, network documentation could consist of physical and logical network diagrams, in addition to a listing of network components and their configurations. However, network documentation can be much more detailed, including such components as formalized change management procedures, a listing of contact information (for example, for service providers and points of contact in an organization's various IT groups), and the rationale for each network change made, to name a few.

While the specific components in a set of network documentation can vary, just as the procedures in a network maintenance model vary, the following list outlines common elements found in a set of network documentation:

■ Logical topology diagram: A logical topology diagram shows the interconnection of network segments, the protocols used, deployed VLANs, IP addressing, and how end users interface with the network. However, this diagram is not concerned with the physical locations of network components.

■ Physical topology diagram: Unlike a logical topology diagram, a physical topology diagram shows how different geographical areas (for example, floors within a building, buildings, or entire sites) interconnect. The diagram reflects where various network components are physically located.

■ Listing of interconnections: A listing of interconnections could be, for example, a spreadsheet that lists which ports on which devices are used to interconnect network components or connect out to service provider networks. Circuit IDs for service provider circuits might be included in this documentation.

■ Inventory of network equipment: An inventory of network equipment would include such information as the equipment's manufacturer, model number, version of software, information about the licensing of the software, serial number, modules installed, and an organization's asset tag number.

■ IP address assignments: An organization might use private IP address space internally and use Network Address Translation (NAT) to translate those private IP addresses into publicly routable IP addresses. Alternatively, an organization might have public IP addresses assigned to some or all of its internal devices. A classful IP address space (either public or private) might be subdivided within an organization, resulting in subnets with a nondefault subnet mask. For IPv6, the organization might be manually assigning the interface ID to each device, using EUI-64, or a combination of both. These types of IP addressing specifications would be included in a set of network documentation.
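Recording that a segment uses EUI-64 is only useful if you can reproduce the derivation: given the MAC from the equipment inventory and the /64 prefix from the addressing plan, the address a host should have is fully determined, and an address of that shape also reveals the host's MAC to anyone who sees it. The following Python functions are an added example (not from the book) that derive the modified EUI-64 interface ID, build the full address, and recover the MAC from an address. The prefix 2001:db8:1:1::/64 and the MAC address are constructed values.

```python
"""Derive, verify and invert modified EUI-64 IPv6 interface identifiers."""
import ipaddress
from typing import Optional


def _mac_bytes(mac: str) -> bytes:
    """Accept 00:1a:2b:3c:4d:5e, 00-1a-2b-3c-4d-5e or Cisco-style 001a.2b3c.4d5e."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return octets


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64 interface ID: split the MAC, insert FF:FE, flip the U/L bit."""
    octets = _mac_bytes(mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02   # invert the universal/local bit of the first octet
    hexstr = iid.hex()
    return ":".join(hexstr[i:i + 4] for i in range(0, 16, 4))


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID of the given MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs are only defined for /64 prefixes")
    iid = int(eui64_interface_id(mac).replace(":", ""), 16)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, or None if the IID is not EUI-64 shaped.

    The FF:FE marker is a heuristic: a manually chosen IID could contain it by accident,
    so treat a non-None result as a candidate to check against the inventory.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed inventory entry: the prefix and MAC are example values, not from the chapter.
    mac = "00:1A:2B:3C:4D:5E"
    addr = eui64_address("2001:db8:1:1::/64", mac)
    print(addr, mac_from_eui64(str(addr)))
    print(mac_from_eui64("2001:db8:1:1::10"))   # manually assigned IID, so None
```

For the constructed MAC the interface ID is 021a:2bff:fe3c:4d5e and the address is 2001:db8:1:1:21a:2bff:fe3c:4d5e. The inverse function is what lets a monitoring job match observed neighbor-table entries back to the inventory, and it is also the reason EUI-64 is a disclosure concern: the vendor OUI and a stable, prefix-independent host identifier travel with every packet. If the addressing plan mixes EUI-64 and manual assignment, the documentation should say which hosts use which, so that an address that matches neither is recognisable as unexpected.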

■ Configuration information: When a configuration change is made, the current configuration should be backed up. With a copy of current configuration information, a device could be replaced quicker in the event of an outage. Some network administrators also maintain archival copies of previous configurations. These older configurations could prove useful when attempting to roll back to a previous configuration state or when trying to duplicate a previous configuration in a new location. It is a good practice to name archival copies of previous configurations based on a certain format that makes sense to you. For example, some companies name their archival copies by date, others by function, and still others by a combination of both.

■ Original design documents: Documents created during the initial design of a network might provide insight into why certain design decisions were made and how the original designers envisioned future network expansion.

Larger network environments often benefit from having step-by-step guidelines for troubleshooting a given network issue. Such a structured approach to troubleshooting helps ensure that all troubleshooting personnel use a common approach. Although a network issue might be successfully resolved through various means, if different personnel troubleshoot using different approaches, at some point those approaches might conflict with one another. For example, consider one network administrator who configures IEEE 802.1Q trunking on Cisco Catalyst switches by disabling Dynamic Trunking Protocol (DTP) frames and forcing a port to act as a trunk port. Another network administrator within the same company configures 802.1Q trunking by setting a port's trunk state to desirable, which creates a trunk connection only if it receives a DTP frame from the far end of the connection. These two approaches are not compatible, and if each of these two network administrators configured different ends of what they intended to be an 802.1Q trunk, the trunk connection would never come up. This example illustrates the criticality of having clear communication among IT personnel and a set of standardized procedures to ensure consistency in network configuration and troubleshooting practices.
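Whether the two administrators' ports will ever trunk is decided by a small set of DTP rules, and it is worth having them written down rather than remembered. The following Python model is an added example (not from the book or from Cisco) that works out what each end of a link settles on from the switchport mode configured on either side; it encodes the documented Catalyst DTP behaviour and reproduces the mismatch in the example above. The mode names are the ones an administrator would type after switchport mode, with "nonegotiate" appended where DTP has been disabled.

```python
"""Outcome of an 802.1Q trunk link given the switchport mode configured on each end."""

# Which modes transmit DTP frames at all. 'switchport nonegotiate' suppresses them and is
# only valid together with a static trunk or access mode. This table is an added model of
# the documented Catalyst behaviour, not Cisco code.
SENDS_DTP = {
    "trunk": True,
    "dynamic desirable": True,
    "dynamic auto": True,
    "access": True,
    "trunk nonegotiate": False,
    "access nonegotiate": False,
}


def local_result(mode: str, peer_mode: str) -> str:
    """What one interface settles on ('trunk' or 'access') given its mode and its peer's."""
    if mode not in SENDS_DTP or peer_mode not in SENDS_DTP:
        raise ValueError(f"unknown switchport mode: {mode!r} / {peer_mode!r}")
    if mode.startswith("trunk"):
        return "trunk"          # statically trunks, whatever the peer does
    if mode.startswith("access"):
        return "access"         # statically stays an access port
    if not SENDS_DTP[peer_mode]:
        return "access"         # a dynamic port never hears DTP from a nonegotiate peer
    if mode == "dynamic desirable":
        # actively asks to trunk; succeeds if the peer is trunk, desirable or auto
        return "trunk" if peer_mode in ("trunk", "dynamic desirable", "dynamic auto") else "access"
    # dynamic auto: passive, trunks only if the peer actively asks
    return "trunk" if peer_mode in ("trunk", "dynamic desirable") else "access"


def link_state(mode_a: str, mode_b: str) -> str:
    """'trunk', 'access', or a 'mismatch ...' description for a link with these two modes."""
    a, b = local_result(mode_a, mode_b), local_result(mode_b, mode_a)
    if a == b:
        return a
    return f"mismatch ({mode_a!r} side is {a}, {mode_b!r} side is {b})"


if __name__ == "__main__":
    # The chapter's two administrators: forced trunk with DTP disabled versus dynamic desirable.
    print(link_state("trunk nonegotiate", "dynamic desirable"))
    # Two ports left at dynamic auto never form a trunk...
    print(link_state("dynamic auto", "dynamic auto"))
    # ...but either will trunk with anything that asks, which is the VLAN-hopping concern.
    print(link_state("dynamic auto", "dynamic desirable"))
```

The first call reports a mismatch: the nonegotiate side is a trunk, the desirable side never receives a DTP frame and stays an access port, so the link carries traffic for one VLAN at best and the trunk "never comes up", as the text says. The same model shows why a standard procedure should cover user-facing ports too: any port left in a dynamic mode will negotiate a trunk with a device that sends DTP, which is the precondition for switch-spoofing VLAN hopping. Configuring access ports as access with nonegotiate, and trunks as trunk with nonegotiate, removes the negotiation entirely and makes both administrators' configurations agree by construction.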

Restoring Operations After a Failure

Although most modern network hardware is very reliable, failures do occur from time to time. Aside from hardware failures, environmental factors could cause a network outage. For example, the failure of an air conditioner unit could cause network equipment to overheat, water leakage due to flooding or plumbing issues could cause hardware failures, and a fire could render the network equipment unusable. Planning and provisioning hardware and software for such outages before they occur can accelerate recovery time. To efficiently replace a failed (or damaged) device, you should be in possession of, or have the ability to acquire relatively quickly, the following:

■ Duplicate hardware: The hardware can be stored locally, or it can be attainable through a supplier that can get you the device within a certain time based on a service level agreement (SLA).

■ Operating system and application software (along with any applicable licensing) for the device: Although you can get this from the manufacturer (such as Cisco), it is advisable to have an exact copy of the operating system and application software stored locally for each device you are using in the organization.

■ Backup of device configuration information: When a failure happens, you need to restore your device to its last known good configuration. It is ideal to have a backup of the configuration files on a server in the organization. However, if that is not possible, at a minimum have the configurations documented in Notepad somewhere. You do not want to be caught in a situation where you have no information related to the configuration of a device being restored. Treat those backups as sensitive: a saved configuration contains the same passwords, SNMP community strings, and keys as the device itself, so access to the backup server must be restricted accordingly.

Measuring Network Performance

Network monitoring is a proactive approach to network maintenance, enabling you to be alerted to trends and utilization statistics (as a couple of examples). These statistics can forecast future issues, allowing you to be proactive and fix problems before they affect network users. Also, if you work for a service provider, network performance monitoring can ensure that you are providing an appropriate service level to a customer. Conversely, if you are a customer of a service provider, network monitoring can confirm that the service provider is conforming to the SLA for which you are paying.

The Troubleshooting and Network Maintenance Relationship

A structured troubleshooting approach provides step-by-step processes that offer a repeatable, consistent plan that makes the troubleshooter more efficient and effective. During our coverage of the structured approach, you might have noticed that documentation, baselines, change control, and communication were mentioned. All of these are fundamental assets to your success as a troubleshooter, and you will rely heavily on them when issues occur. However, they do not simply appear from the ether. As you have seen, documentation and baselines are created at a specific point in time for a device and provide a snapshot of the health and configuration of that device at that point. What happens if someone neglects to update the documentation or baselines based on changes that may have occurred during scheduled maintenance or some past issue? What happens if we have difficulty communicating with others, or they withhold information from us? These assets become liabilities, as they are unable to address the question: What should be occurring in the network?

Also, as you have seen from the discussion of network maintenance, network maintenance tasks often include troubleshooting tasks, and vice versa. For example, when installing a new network component as part of ongoing network maintenance, an installer is often required to troubleshoot the installation until the new network component is functioning properly. Conversely, when troubleshooting a network issue, the troubleshooter might use network documentation (for example, a physical topology diagram created as part of a network maintenance task) to help isolate a problem.

This interrelationship between maintenance and troubleshooting suggests that the effectiveness of your troubleshooting efforts is influenced by the effectiveness of your routine network management tasks. For example, if a troubleshooter is following the path that specific traffic takes through a network, physical and logical topology diagrams could help identify the next network component to check. Because these tasks are so interrelated, you might want to take proactive measures to ensure your structured maintenance and troubleshooting processes complement one another. For example, both network troubleshooting and maintenance include a documentation component. Therefore, the value of a centralized repository of documentation increases as a result of its use for both maintenance and troubleshooting efforts.

Maintaining Current Network Documentation

A set of maintained network documentation can dramatically improve the efficiency of troubleshooting efforts. A danger with relying on documentation is that if the documentation is dated (not maintained), troubleshooters could be led down an incorrect path because of their reliance on that documentation. Such a scenario is often worse than not having documentation at all, because in the absence of documentation, they have to create their own path.

Although few argue with the criticality of maintaining current documentation, in practice, documenting troubleshooting efforts often falls by the wayside. The troubleshooter's focus is on resolving a reported issue in a timely manner (that is, an urgent task) rather than documenting what they are doing at the time (that is, an important task). The lack of follow-through when it comes to documenting what happened during a troubleshooting scenario is understandable. Following are a few suggestions to help troubleshooters keep in mind the need to document their steps:

■ Require documentation: By making documentation a component in the troubleshooting flow, troubleshooters know that before a problem report or a trouble ticket can be closed out, they must generate appropriate documentation. This knowledge often motivates troubleshooters to perform some level of documentation (for example, scribbling notes on the back of a piece of paper) as they are performing their tasks, as opposed to later trying to recall what they did from memory, thus increasing the accuracy of the documentation.

■ Schedule documentation checks: A structured maintenance plan could include a component that routinely requires verification of network documentation and of when it was last updated, based on timestamps.

■ Automate documentation: Because manual checks of documentation might not be feasible in larger environments, automated processes could be used to, for example, compare current and backup copies of device configurations. Any difference in the configurations indicates either that someone failed to update the backup configuration of a device after making a configuration change to that device, or that the device was changed outside the change process, which is a finding in its own right. To assist with the automation of backups, Cisco IOS offers the Configuration Replace and Configuration Rollback feature and the Embedded Event Manager.

Establishing a Baseline

As previously mentioned, troubleshooting involves knowing what should be happening on the network, observing what is currently happening on the network, and determining the difference between the two. To determine what should be happening on the network, a baseline of network performance should be measured as part of a routine maintenance procedure and updated on a regular basis. For example, a routine network maintenance procedure might require that a show processes cpu command be periodically issued on all routers in a network, with the output logged and archived. When troubleshooting a performance problem on a router, you could issue this command to determine how a router is currently operating. However, without a baseline as a reference before troubleshooting, you might not be able to draw a meaningful conclusion based on the command output. As shown in Example 1-2, the show processes cpu command demonstrates the 5-second, 1-minute, and 5-minute CPU utilization averages.

Example 1-2 Monitoring Router CPU Utilization

R1# show processes cpu
CPU utilization for five seconds: 18%/18%; one minute: 22%; five minutes: 22%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           0         1          0  0.00%  0.00%  0.00%   0 Chunk Manager
   2           4       167         23  0.00%  0.00%  0.00%   0 Load Meter
   3         821       188       4367  0.00%  0.13%  0.13%   0 Exec
   4           4         1       4000  0.00%  0.00%  0.00%   0 EDDRI_MAIN
   5       43026      2180      19736  0.09%  4.14%  4.03%   0 Check heaps
...OUTPUT OMITTED...

Communication

Each of the troubleshooting steps outlined in the structured approach requires clear communication. Table 1-4 describes how communication plays a role in each troubleshooting phase.

Table 1-4 Importance of Clear Communication During Troubleshooting

Troubleshooting Steps | The Role of Communication
Problem report | When a user reports a problem, clear communication with that user helps define the problem. For example, the user can be asked exactly what is not working correctly, if she made any recent changes, and when the problem started.
Collect information | Some information collected might come from other parties (for example, a service provider). Clearly communicating with those other parties helps ensure collection of the proper data.

Troubleshooting Steps | The Role of Communication
Examine collected information | Because a troubleshooter is often not fully aware of all aspects of a network, collaboration with other IT personnel is often necessary.
Eliminate potential causes | The elimination of potential causes might involve consultation with others. This consultation could provide insight leading to the elimination of a potential cause.
Propose an hypothesis | The consultation a troubleshooter conducts with other IT personnel when eliminating potential causes might also help the troubleshooter more accurately hypothesize a problem's underlying cause.
Verify hypothesis | Temporary network interruptions often occur when verifying an hypothesis. Therefore, depending on the severity of an issue, the nature and reason for an interruption should be communicated to the users impacted.
Problem resolution | After a problem is resolved, the user originally reporting the problem should be informed, and the user should confirm that the problem has truly been resolved.

Also, multiple network administrators could be involved in troubleshooting a problem. Because these troubleshooters might be focused on different tasks at different times, it is possible that no single administrator can report on the overall status of the problem. In fact, when managing a major outage, those involved in troubleshooting the outage should divert user inquiries to a manager who is in frequent contact with the troubleshooting personnel. As a side benefit, being able to quickly divert user requests for status reports to a manager helps minimize interruptions from users.

Change Management

Managing when changes can be made and by whose authority helps minimize network downtime. The process of change management includes using policies that dictate rules regarding how and when a change can be made and how that change is documented. Therefore, these two factors (that is, when a change is allowed and who can authorize it) are the distinguishing factors between making a change as part of a routine maintenance plan and making a change as part of a troubleshooting process.

Consider the following scenario, which illustrates how a maintenance change could be a clue while troubleshooting a problem report:

Last week, a network administrator attempted to better secure a Cisco Catalyst switch by administratively shutting down any ports that were in the down/down state (that is, no physical layer connectivity to a device). This morning, a user reported that her PC could not access network resources. After clearly defining the problem, the troubleshooter asked whether anything had changed, as part of the collect information troubleshooting phase. Even though the user was unaware of any changes, she mentioned that she had just returned from vacation, thus leading the troubleshooter to wonder if any network changes had occurred while the user was on vacation. Thanks to the network's change management system, the troubleshooter was able to find in the documentation that last week an administrator had administratively shut down this user's switchport because it was down/down while the user was on vacation and her computer was shut off.

The previous scenario is an excellent example of how following a structured troubleshooting approach, having accurate documentation, and a sound change management policy minimized the total time it took the troubleshooter to solve the problem.
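The baseline discussion earlier in this chapter (Example 1-2) left open how archived show processes cpu output is actually turned into a reference and compared against a fresh snapshot. The following added example, which is not code from the book, parses the command's header and process rows, keeps a list of archived five-minute averages as the baseline, and flags a snapshot whose utilization is well above the baseline median. The snapshot text is a constructed sample modelled on Example 1-2, and the baseline values are constructed as well.

```python
"""Compare a 'show processes cpu' snapshot against an archived baseline.

Added example for the baseline discussion in this chapter; not code from the book.
The snapshot text is a constructed sample modelled on Example 1-2, and the
baseline values are constructed too."""
import re
import statistics

# The first line of 'show processes cpu' output.
HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (?P<five_sec>\d+)%/(?P<interrupt>\d+)%; "
    r"one minute: (?P<one_min>\d+)%; five minutes: (?P<five_min>\d+)%")

# One process row: PID, runtime, invoked, usecs, three percentages, TTY, name.
PROCESS_RE = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+\d+\s+(.+?)\s*$")

# Constructed sample output, modelled on Example 1-2.
SNAPSHOT = """\
CPU utilization for five seconds: 18%/18%; one minute: 22%; five minutes: 22%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           0         1          0  0.00%  0.00%  0.00%   0 Chunk Manager
   2           4       167         23  0.00%  0.00%  0.00%   0 Load Meter
   3         821       188       4367  0.00%  0.13%  0.13%   0 Exec
   4           4         1       4000  0.00%  0.00%  0.00%   0 EDDRI_MAIN
   5       43026      2180      19736  0.09%  4.14%  4.03%   0 Check heaps
"""

# Constructed baseline: five-minute averages archived by a routine maintenance task.
BASELINE_FIVE_MIN = [9, 11, 10, 12, 8, 10, 11]


def parse_totals(text):
    """Return the header averages as integers keyed by window name."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no CPU utilization header found")
    return {name: int(value) for name, value in m.groupdict().items()}


def top_processes(text, n=3):
    """Return the n busiest processes by 5-minute average as (pid, name, pct)."""
    rows = []
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            rows.append((float(m.group(4)), int(m.group(1)), m.group(5)))
    rows.sort(reverse=True)
    return [(pid, name, pct) for pct, pid, name in rows[:n]]


def deviation_from_baseline(text, baseline, factor=1.5):
    """Return (current_five_min, baseline_median, is_anomalous). A snapshot is
    anomalous when it exceeds the baseline median by more than `factor`."""
    current = parse_totals(text)["five_min"]
    median = statistics.median(baseline)
    return current, median, current > median * factor


if __name__ == "__main__":
    current, median, anomalous = deviation_from_baseline(SNAPSHOT, BASELINE_FIVE_MIN)
    print(f"five-minute CPU {current}% (baseline median {median}%)",
          "ABOVE BASELINE" if anomalous else "normal")
    for pid, name, pct in top_processes(SNAPSHOT):
        print(f"  PID {pid:>3} {name:<15} {pct:.2f}%")
```

Without the baseline list, the 22 percent in the header says nothing; against a baseline hovering around 10 percent it stands out, and the process ranking points at what to look at first.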

Exam Preparation Tasks

As mentioned in the section "How to Use This Book" in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, "Final Preparation," and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 1-5 lists a reference of these key topics and the page numbers on which each is found.

Table 1-5 Key Topics for Chapter 1

Key Topic Element | Description | Page Number
List | Outlines the simplified troubleshooting flow | 10
Table 1-2 | Identifies the five steps used while diagnosing a problem | 10
List | Outlines the structured troubleshooting flow | 11
Section | Provides details of each step during structured troubleshooting | 13
List | Lists the various troubleshooting methods that can be used to narrow the field of potential causes | 20
List | Lists examples of network maintenance tasks | 27
List | Lists examples of network maintenance models | 28
List | Identifies questions that need to be addressed while implementing a change management system | 31
List | Outlines various types of documents that should exist and be maintained within an organization | 32
List | Examples of how to help troubleshooters remember the importance of documenting their steps | 35
Paragraph | Identifies the importance of a baseline | 36

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

interrupt-driven task, structured maintenance task, top-down method, bottom-up method, divide-and-conquer method, following the traffic path method, comparing configurations method, component swapping method, shoot from the hip, FCAPS, ITIL, Cisco Lifecycle Services, change management, baseline, documentation

This chapter covers the following topics:

■ The Troubleshooting and Network Maintenance Toolkit: This section introduces you to the essential tools for troubleshooting and maintenance tasks.

■ Using Cisco IOS to Verify and Define the Problem: This section reviews the ping, telnet, and traceroute utilities.

■ Using Cisco IOS to Collect Information: This section focuses on how to use the CLI to collect information for troubleshooting and maintenance.

■ Collecting Information in Transit: This section identifies how you can configure switches to send copies of frames to packet capturing devices using SPAN and RSPAN.

■ Using CLI Tools to Document a Network: This section focuses on the steps and commands required to successfully document a network diagram.

CHAPTER 2

Troubleshooting and Maintenance Tools

Collecting network information is an ongoing process. There is no argument that you will be collecting network information when there is an issue, and you need it now, not later. However, if that is the only time you collect network information, you are missing the necessary key element of an efficient and effective troubleshooting process. To be an efficient and effective troubleshooter, you need network information about the good times and the bad times. Therefore, you need to gather baseline data on a regular basis so that you have something to compare your current issue to. In addition, the statistics related to certain network events (for example, processor utilization on a network server exceeding a specified threshold) could trigger the writing of log information (for example, to a syslog server), so you have a snapshot of the device's health at that point in time.

This chapter introduces you to a sampling of Cisco IOS tools and features designed for network maintenance and troubleshooting.

"Do I Know This Already?" Quiz

The "Do I Know This Already?" quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 2-1 lists the major headings in this chapter and their corresponding "Do I Know This Already?" quiz questions. You can find the answers in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes."

Table 2-1 "Do I Know This Already?" Section-to-Question Mapping

Foundation Topics Section | Questions
The Troubleshooting and Network Maintenance Toolkit | 1–6
Using Cisco IOS to Verify and Define the Problem | 7–9
Using Cisco IOS to Collect Information | 10
Collecting Information in Transit | 11
Using CLI Tools to Document a Network | 12

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which three of the following are components that would be most useful when recovering from a network equipment outage?
a. Backup of device configuration information
b. Physical topology
c. Duplicate hardware
d. Operating system and application software (along with any applicable licensing) for the device

2. The types of information collection used in troubleshooting fall into which three broad categories?
a. Troubleshooting information collection
b. Baseline information collection
c. QoS information collection
d. Network event information collection

3. Which of the following would be appropriate for a collaborative web-based documentation solution?
a. Blog
b. Vlog
c. Wiki
d. Podcast

4. Which command enables you to view archival copies of a router's startup configuration?
a. show backup
b. show archive
c. show flash: | begin backup
d. show ftp: | begin archive

5. Which of the following is a Cisco IOS technology that uses a collector to take data from monitored devices and present graphs, charts, and tables to describe network traffic patterns?
a. NBAR
b. NetFlow
c. QDM
d. IPS

6. Which two of the following are characteristics of the NetFlow feature? (Choose the two best answers.)
a. Collects detailed information about traffic flows
b. Collects detailed information about device statistics
c. Uses a pull model
d. Uses a push model

7. Which of the following is the ping response to a transmitted ICMP echo datagram that needed to be fragmented when fragmentation was not permitted?
a. U
b. .
c. M
d. D

8. Which command can be used to determine whether transport layer connectivity is functioning?
a. telnet
b. ping
c. traceroute
d. arp -a

9. Which command enables you to determine whether a routing loop exists?
a. telnet
b. ping
c. traceroute
d. arp -a

10. Which of the following commands displays a router's running configuration, starting where the routing protocol configuration begins?
a. show running-config | tee router
b. show running-config | begin router
c. show running-config | redirect router
d. show running-config | append router

11. What feature available on Cisco Catalyst switches enables you to connect a network monitor to a port on one switch to monitor traffic flowing through a port on a different switch?
a. RSTP
b. SPAN
c. RSPAN
d. SPRT

12. What IOS command enables you to discover the Cisco devices that are directly connected to other Cisco devices?
a. show ip interface brief
b. show interface status
c. show cdp neighbor
d. show version

Foundation Topics

The Troubleshooting and Network Maintenance Toolkit

As previously discussed, troubleshooting and maintenance go hand in hand. A relationship exists between the two; therefore, the tools we use for troubleshooting and maintenance will be very similar, if not the same. Chapter 1, "Introduction to Troubleshooting and Network Maintenance," introduced you to a series of steps that provide a structured troubleshooting process. Several of these steps involve the use of tools that will help gather, examine, and compare information. Let's examine four of these steps:

■ Problem report: By proactively monitoring network devices with specialized reporting tools, you might be alerted to impending performance issues before users are impacted and report it.

■ Collect information: The collection of information when troubleshooting a problem can often be made more efficient through the use of specialized maintenance and troubleshooting tools.

■ Examine collected information: As troubleshooters investigate the information they collected during the troubleshooting process, they need to know what normal network behavior looks like. They can then contrast that normal behavior against what they are observing in their collected data.

■ Verify hypothesis: Specialized maintenance and troubleshooting tools help a troubleshooter implement his fix for an issue. However, if that fix proves unsuccessful, they can also help roll back an attempted fix.

If you look closely, in addition to fixing and possibly rolling back configurations, the information that is collected essentially falls into one of three categories:

■ Troubleshooting information collection: This is the information collected while troubleshooting an issue that was either reported by a user or a network management station (NMS). At this point, you are gathering more information that will help paint a clearer picture of the issue at hand.

■ Baseline information collection: This is the information collected when the network is operating normally. This information provides a frame of reference against which other data can be compared when we are troubleshooting an issue. Specialized maintenance tools can be used in a network to collect baseline data on an ongoing basis so that it is available and current when needed.

■ Network event information collection: This is the information collected when our devices automatically generate alerts in response to specific conditions (for example, configured utilization levels on a switch, router, or server being exceeded). These alerts can be simple notification messages or emergency messages.

Because such a tight relationship exists between troubleshooting and network maintenance, you should identify the tools required to carry out your maintenance processes based on how well targeted they are toward your specific business processes and tasks. This section focuses on tools that are necessary for troubleshooting and maintenance tasks.

Network Documentation Tools

It is fitting that we start this chapter with a discussion on network documentation tools, because without them, all the other tools we use mean nothing if we are not documenting their findings. Chapter 1 discussed the importance of network documentation. However, for this documentation to truly add value and be an asset, it should be easy to retrieve and, more important, be current. To keep the documentation current is a challenge for most people. The big reason is time. However, you can make it less challenging and less time-consuming if it is easy to update with the proper tools.

The true power of documentation is seen during the troubleshooting process, and this is especially true when you have a well-organized, searchable repository of information. For example, if you have a searchable database of past issues that were solved, you can leverage that information and be more efficient and effective, while helping you focus your troubleshooting efforts without having to wade through reams of irrelevant information. However, do not forget to update the documentation after you solve the ticket. Just because it was reported in the past and already had a resolution does not mean you can skip the documentation process.

Many solutions are available on the market. However, you do not have to purchase the most expensive tool to get the best product. The features you want the tool to provide will determine the overall cost. Shop around and communicate with the vendors to see what they have to offer you and your business needs. Get free trials and work with them for a while. That is the only way you will be able to determine whether the product will work for you.

A couple of documentation management system examples are as follows:

■ Wiki: A wiki can act as a web-based collaborative documentation platform. A popular example of a wiki is Wikipedia (http://www.wikipedia.com), an Internet-based encyclopedia that can be updated by users. This type of wiki technology can also be used on your local network to maintain a central repository for documentation that is both easy to access and easy to update.

■ Trouble ticket reporting system: Several software applications are available for recording, tracking, and archiving trouble reports (that is, trouble tickets). These applications are often referred to as help desk applications. However, their usefulness extends beyond the help desk environment. During the troubleshooting process, they will come in handy.

At some point, we may need to rely on the number of entries in a ticket reporting system to determine whether some greater issue is lurking in the shadows and causing the reoccurrence of the same minor issues over and over.

Basic Tools

Troubleshooting and network maintenance tools often range in expense from free to tens of thousands of dollars. Similarly, these tools vary in their levels of complexity and usefulness for troubleshooting and maintaining specific issues. You need to select tools that balance your troubleshooting and maintenance needs while meeting your budgetary constraints. Regardless of budget, all Cisco troubleshooting and network maintenance toolkits will contain the command-line interface (CLI) commands that are executable from a router or switch prompt. In addition, many network devices have a graphical user interface (GUI) to assist network administrators in their configuration and monitoring tasks. External servers (for example, backup servers, logging servers, and time servers) can also collect, store, or provide valuable information for day-to-day network operations and for troubleshooting and maintenance.

CLI Tools

Cisco IOS offers a wealth of CLI commands, which can prove invaluable when troubleshooting a network issue. For example, a show command, which displays a static snapshot of information, can display router configuration information and the routes that have been learned by a routing process. The debug command can provide real-time information about router or switch processes. To illustrate, consider Example 2-1, which shows router R2 receiving Open Shortest Path First (OSPF) link-state updates from its OSPF neighbors as those updates occur.

Example 2-1 Sample debug Output

R2#debug ip ospf events
OSPF events debugging is on
R2#
*Mar  1 00:06:06.679: OSPF: Rcv LS UPD from 10.3.3.3 on Serial1/0.2 length 124 LSA count 1
*Mar  1 00:06:06.691: OSPF: Rcv LS UPD from 10.4.4.4 on Serial1/0.1 length 124 LSA count 1
*Mar  1 00:06:06.999: OSPF: Rcv LS UPD from 10.3.3.3 on Serial1/0.2 length 124 LSA count 1
*Mar  1 00:06:07.067: OSPF: Rcv LS UPD from 10.4.4.4 on Serial1/0.1 length 156 LSA count 2

This is one of many show and debug examples you will see throughout this book. The focus of this book is on those show and debug CLI commands that will assist us in solving trouble tickets. Cisco IOS also has a CLI feature that allows a router to monitor events and automatically

respond to a specific event (such as a defined threshold being reached) with a predefined action. This feature is called Cisco IOS Embedded Event Manager (EEM), which we cover in more detail later.

GUI Tools

Although Cisco has a great number of GUI tools, when it comes to router and switch configuration and troubleshooting for the CCNP Routing and Switching track, you will spend all your time in the CLI. Therefore, do not get too comfortable with GUI tools for the Routing and Switching track. However, as an example, you can use the GUI tool known as Cisco Configuration Professional (CCP) to configure and troubleshoot your Integrated Services Routers (ISRs). Figure 2-1 provides a sample of the CCP home page.

Figure 2-1 Cisco Configuration Professional

Recovery Tools

During the recovery process, you need access to duplicate hardware and the IOS. However, you also need a backup of the failed device's configuration. External servers are often used to store archival backups of a device's operating system (for example, a Cisco IOS image) and the configuration information. Depending on your network device, you might be able to back up your operating system and configuration information to a TFTP, FTP, HTTP, or SCP server. To illustrate, consider Example 2-2.

Example 2-2 Backing Up a Router's Startup Configuration to an FTP Server

R1#copy startup-config ftp://cisco:cisco@192.168.1.74
Address or name of remote host [192.168.1.74]?
Destination filename [r1-confg]?
Writing r1-confg !
1446 bytes copied in 3.349 secs (432 bytes/sec)

In Example 2-2, router R1's startup configuration is being copied to an FTP server with an IP address of 192.168.1.74. Notice that the login credentials (that is, username=cisco and password=cisco) for the FTP server are specified in the copy command. In a production environment, the username and password should be stronger and not easily guessed. If you intend to routinely copy backups to an FTP server, you can avoid specifying the login credentials each time (for security purposes) by adding those credentials to the router's configuration. Example 2-3 shows how to add FTP username and password credentials to the router's configuration, and Example 2-4 shows how the startup configuration can be copied to an FTP server without explicitly specifying those credentials in the copy command.

Example 2-3 Adding FTP Server Login Credentials to a Router's Configuration

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip ftp username cisco
R1(config)#ip ftp password cisco
R1(config)#end

Example 2-4 Backing Up a Router's Startup Configuration to an FTP Server Without Specifying Login Credentials

R1#copy startup-config ftp://192.168.1.74
Address or name of remote host [192.168.1.74]?
Destination filename [r1-confg]?
Writing r1-confg !
1446 bytes copied in 3.389 secs (427 bytes/sec)

Example 2-5 shows how to add HTTP username and password credentials to the router's configuration. Compare this to the FTP configuration commands and notice the difference.

Example 2-5 Adding HTTP Server Login Credentials to a Router's Configuration

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip http client username cisco
R1(config)#ip http client password cisco
R1(config)#end

The process of backing up a router's configuration can be automated using an archiving feature, which is part of the Cisco IOS Configuration Replace and Configuration Rollback feature. Specifically, you can configure a Cisco IOS router to periodically (that is, at intervals specified in minutes) back up a copy of the configuration to a specified location (for example, the router's flash, or an FTP server). In addition, the archive feature can be configured to create an archive every time you copy a router's running configuration to the startup configuration. Example 2-6 illustrates a router configured to back up the running configuration every 1440 minutes to an FTP server with an IP address of 192.168.1.74. The login credentials have already been configured in the router's configuration. Also, the write-memory command causes the router to archive a copy of the configuration whenever the router's running configuration is copied to the startup configuration using either the write-memory or copy running-config startup-config commands.

Example 2-6 Automatic Archive Configuration

R1#show run
Building configuration...
...OUTPUT OMITTED...
ip ftp username cisco
ip ftp password cisco
!
archive
 path ftp://192.168.1.74/R1-config
 write-memory
 time-period 1440
...OUTPUT OMITTED...

You can view the files stored in a configuration archive by issuing the show archive command, as demonstrated in Example 2-7.

Example 2-7 Viewing a Configuration Archive

R1#show archive
The maximum archive configurations allowed is 10.
The next archive file will be named ftp://192.168.1.74/R1-config-3
 Archive # Name
   1 ftp://192.168.1.74/R1-config-1
   2 ftp://192.168.1.74/R1-config-2 <- Most Recent
   3
   4
   5
   6
   7
   8
   9
   10

Example 2-8 shows the execution of the copy run start command, which copies a router's running configuration to the router's startup configuration. The show archive command is then reissued, and the output confirms that an additional configuration archive (named R1-config-3) has been created on the FTP server because of the write-memory command we issued in config-archive configuration mode.

Example 2-8 Confirming Automated Backups

R1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Writing R1-config-3 !
R1#show archive
The maximum archive configurations allowed is 10.
The next archive file will be named ftp://192.168.1.74/R1-config-4
 Archive # Name
   1 ftp://192.168.1.74/R1-config-1
   2 ftp://192.168.1.74/R1-config-2
   3 ftp://192.168.1.74/R1-config-3 <- Most Recent
   4
   5
   6
   7
   8
   9
   10

The output of show archive indicates that the maximum configurations allowed is ten. This is not entirely true. Because the path is pointing to an FTP server, we are limited only by the amount of storage space on the server. If the archive list on the router fills up (maximum ten), the output of show archive will erase the entry for Archive 1, move all entries up the list one spot, and add the new entry to Archive 10. Note that this does not delete anything from the FTP server. Only the entry in show archive is removed to make space in the list. Therefore, the router will continue to create an archive of the running configuration at its scheduled interval, as shown in Example 2-9.

Example 2-9 Confirming Archive Configuration

R1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Writing R1-config-3 !
R1#show archive
The maximum archive configurations allowed is 10.
The next archive file will be named ftp://192.168.1.74/R1-config-4
 Archive # Name

   1 ftp://192.168.1.74/R1-config-7
   2 ftp://192.168.1.74/R1-config-8
   3 ftp://192.168.1.74/R1-config-9
   4 ftp://192.168.1.74/R1-config-10
   5 ftp://192.168.1.74/R1-config-11
   6 ftp://192.168.1.74/R1-config-12
   7 ftp://192.168.1.74/R1-config-13
   8 ftp://192.168.1.74/R1-config-14
   9 ftp://192.168.1.74/R1-config-15
   10 ftp://192.168.1.74/R1-config-16 <- Most Recent

However, if you are storing the archive locally in flash, as an example, in addition to moving the entries listed in the show archive command output, the older files will be deleted to make space. You can change the maximum number of archives with the maximum command in config-archive configuration mode.

Restoring a configuration backup requires copying the configuration file from its storage location to the running configuration on the router or switch. The Cisco IOS copy command treats this as a merge operation instead of a copy and replace operation. This means that copying anything into the running configuration from any source might not produce the result we desire. We can witness this with the password recovery process on a Cisco router. During this process, after you have loaded the router to factory defaults, you copy the startup configuration into the running configuration, which produces a merge. This merge is easily witnessed with the interfaces. Interfaces that were enabled do not have a no shutdown command in the startup configuration, and the factory default setting of a router interface is shutdown and includes a shutdown command. This is illustrated in Example 2-10. Once the startup configuration is copied to (merged with) the running configuration, the shutdown command prevails in the running configuration because there is not a no shutdown in the startup configuration that will overwrite that, as shown in Example 2-11. To fix this, after you have copied the startup configuration to the running configuration, you have to issue the no shutdown command on all interfaces you want enabled.

Example 2-10 Comparing the Running Configuration and Startup Configuration Before Issuing the copy Command

R1#show run
...OUTPUT OMITTED...
interface FastEthernet0/0
 no ip address
 shutdown
...OUTPUT OMITTED...
R1#show start
...OUTPUT OMITTED...
interface FastEthernet0/0
 ip address 192.168.1.11 255.255.255.0
...OUTPUT OMITTED...
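The merge behaviour of the copy command described above, and the contrasting behaviour of the configure replace command that the chapter covers next, come down to one rule: a merge only applies the lines that are present in the source, whereas a replace first computes every addition and deletion needed to make the running configuration identical to the file. The following added model, which is not Cisco code and not from the book, reproduces both outcomes on constructed sample configurations modelled on Examples 2-10 through 2-12, so that the surviving shutdown after a merge and the single hostname change of a replace can be checked rather than taken on faith.

```python
"""Why 'copy startup-config running-config' merges but 'configure replace' replaces.

Added example for the discussion above (Examples 2-10 to 2-12 in the text); it is
not Cisco code, only a small model of the two behaviours. The configurations are
constructed samples in Cisco IOS syntax."""
import copy

# Constructed sample: running configuration right after a password recovery,
# where every interface is at its factory default of "shutdown".
FACTORY_RUNNING = """\
hostname Router
!
interface FastEthernet0/0
 no ip address
 shutdown
"""

# Constructed sample: the saved startup configuration. The interface was enabled,
# so the file carries no "shutdown" line and no "no shutdown" line either.
STARTUP = """\
hostname R1
!
interface FastEthernet0/0
 ip address 192.168.1.11 255.255.255.0
"""


def _slot(cmd):
    """Map a command to the configuration slot it occupies, so that
    'shutdown' / 'no shutdown' and 'ip address ...' / 'no ip address'
    overwrite each other instead of coexisting."""
    words = cmd.split()
    if words[0] == "no":
        words = words[1:]
    return " ".join(words[:2]) if words[0] == "ip" else words[0]


def parse(config):
    """Return {section: {slot: command}}; top-level commands live in 'global'."""
    state = {"global": {}}
    section = "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # interface sub-command
            cmd = raw.strip()
            state[section][_slot(cmd)] = cmd
        elif raw.startswith("interface "):
            section = raw.strip()
            state.setdefault(section, {})
        else:
            section = "global"
            state["global"][_slot(raw)] = raw.strip()
    return state


def copy_merge(running, source):
    """'copy <source> running-config': each line of the source is applied on top
    of the running state. Slots the source does not mention keep their current
    value, which is why an existing 'shutdown' survives."""
    merged = copy.deepcopy(running)
    for section, cmds in source.items():
        merged.setdefault(section, {}).update(cmds)
    return merged


def configure_replace(running, target):
    """'configure replace <file>': compute the additions and deletions that turn
    the running state into exactly the target, then return (new_state, changes)."""
    changes = []
    for section in sorted(set(running) | set(target)):
        old, new = running.get(section, {}), target.get(section, {})
        for slot, cmd in old.items():
            if slot not in new:            # line exists only in running: delete it
                changes.append((section, cmd[3:] if cmd.startswith("no ") else "no " + cmd))
        for slot, cmd in new.items():
            if old.get(slot) != cmd:       # line missing or different: add it
                changes.append((section, cmd))
    return copy.deepcopy(target), changes


def interface_enabled(state, iface="interface FastEthernet0/0"):
    """An interface is up unless its running state still holds 'shutdown'."""
    return state.get(iface, {}).get("shutdown") != "shutdown"


if __name__ == "__main__":
    running = parse(FACTORY_RUNNING)
    merged = copy_merge(running, parse(STARTUP))
    print("after copy start run, Fa0/0 enabled:", interface_enabled(merged))
    replaced, changes = configure_replace(running, parse(STARTUP))
    print("after configure replace, Fa0/0 enabled:", interface_enabled(replaced))
    for section, cmd in changes:
        print("  ", section, "->", cmd)
```

The merge leaves the interface shut down with its new address, exactly what Example 2-11 shows; the replace emits a "no shutdown" because the target contains no shutdown slot, and when the two configurations differ only in hostname the change list holds that single entry, matching the one pass reported in Example 2-12.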

Example 2-11 Witnessing a Configuration Merge

R1#copy start run
Destination filename [running-config]?
1881 bytes copied in 1.444 secs (1303 bytes/sec)
R1#show run
...OUTPUT OMITTED...
interface FastEthernet0/0
 ip address 192.168.1.11 255.255.255.0
 shutdown
...OUTPUT OMITTED...
R1#

On the bright side, you can restore a previously archived configuration using the configure replace command. Unlike the copy command, this does not merge the archived configuration with the running configuration, but rather completely replaces the running configuration with the archived configuration. Example 2-12 shows the restoration of an archived configuration to a router. Notice how the IOS warns you that this is a copy replace function that completely overwrites the current configuration. In this case, there was only one small difference between the running configuration and the archive, as indicated by the statement "Total number of passes: 1." It was the hostname.

Example 2-12 Restoring an Archived Configuration

Router#configure replace ftp://192.168.1.74/R1-config-3
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: Y
Loading R1-config-3 !
[OK - 3113/4096 bytes]
Total number of passes: 1
Rollback Done
R1#

Logging Tools

Device logs offer valuable information when troubleshooting a network issue. Many events that occur on a router are automatically reported to the router's console. For example, if a router interface goes down or up, a message is written to the console. However, once in production, we are usually not staring at the console output or even connected to the console port. In most cases, we would connect to the device when needed using Telnet or Secure Shell (SSH), and these logging messages are not displayed via Telnet or

you might be able to schedule automated log archiving. you can keep a longer history of logging messages. and buffer will log all messages with a severity level of 7 and lower. you enter logging console 6 and logging buffered 7 in global configuration mode. As part of that command. you have to enter the command terminal monitor in privilege EXEC mode. configure advanced script actions. Depending on the syslog server software. A downside of solely relying on console messages is that those messages can scroll off the screen. if you want to log level 6 and lower to the console and level 7 and lower to the buffer. create advanced alerts. If you need to clear the logging messages in the buffer. debugs are logged only when they are turned on with debug commands. To cause mes- sages to be written to a router’s buffer. You can direct your router’s log output to a syslog server’s IP address using From the Library of Outcast Outcast . Logging severity levels range from 0 to 7. vty lines. By default. you can specify how much of the router’s RAM can be dedicated to logging. a step beyond logging messages to the console is logging messages to a router’s buffer (the router’s RAM). You can view the logging messages in the buffer by issuing the show logging command. You can also specify the severity level by name instead of number. issue the clear logging command in privilege EXEC mode. This is possible by using the logging console severity_level and logging buffered severity_level commands. Another logging option is to log messages to an external syslog server. the console. For example. However. By sending log messages to an external server. with corresponding names. you can issue the logging buffered command. After the buffer fills to capacity. 
Table 2-2 Severity Levels Key Topic Severity Level Name 0 Emergencies 1 Alerts 2 Critical 3 Errors 4 Warnings 5 Notifications 6 Informational 7 Debugging You might want to log messages of one severity level to a router’s console and messages of another severity level to the router’s buffer. or you might close your terminal emulator. Notice that lower severity levels are more severe than those with higher levels. Therefore. as shown in Table 2-2. and produce statisti- cal graphs. older entries will be deleted to make room for newer entries. If you are connected to a router through Telnet or SSH and want to see console messages. after which those messages would no longer be visible as the session is reset.54 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide SSH by default.

The router can use a maximum of 4096 bytes of RAM for the buffered logging.OUTPUT OMITTED.. Building configuration.. 4) or less (that is.50 logging trap 6 ...com). Figure 2-2 shows logging messages being collected by a Kiwi Syslog Server (available from http://www..OUTPUT OMITTED. The console is configured for logging events of the same severity level. In addition. events with a severity level of warning (that is. Chapter 2: Troubleshooting and Maintenance Tools 55 the logging ip_address command. Example 2-13 Logging Configuration Key Topic R1#show run ..1. the router is configured to log messages with a severity of 6 or lower to a syslog server with an IP address 192. Figure 2-2 Syslog Server From the Library of Outcast Outcast ..50. This buffer can be viewed with the show logging com- mand.kiwisyslog. 0 to 4) are logged to the router’s buffer. and you can specify the severity level that will be sent to the syslog server by using the logging trap severity_level command..168.1. In Example 2-13..168. ! logging buffered 4096 warnings logging console warnings ! logging 192.. Example 2-13 illustrates several of the logging configurations discussed here.
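The routing of messages to console, buffer, and syslog server by severity threshold, and the buffer's evict-oldest behaviour, worked through in code. This is an added example, not from the book: the sample messages are constructed, and the default thresholds in destinations() are assumptions about IOS defaults.

```python
"""Model how Cisco IOS routes a syslog message to its logging destinations.

Added example, not from the book: constructed IOS-style messages are
checked against the logging console / logging buffered / logging trap
thresholds described above, and a small buffer shows the oldest entries
being evicted once the configured byte budget is exceeded.
"""
import re
from collections import deque

# Table 2-2: lower numbers are MORE severe; a threshold of N keeps levels 0..N.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
NAME_TO_LEVEL = {name: level for level, name in SEVERITY_NAMES.items()}

# IOS message layout: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)"
)

# Constructed sample messages (the HA_EM line mirrors Example 2-20).
SAMPLE_LOG = [
    "%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by console",
    "%HA_EM-6-LOG: COUNTER-RESET: Please update network documentation to record why the counters were reset.",
    "%SYS-7-USERLOG_DEBUG: Message from tty0(user id: ): constructed debug text",
]


def parse_message(line):
    """Return (facility, severity, mnemonic, text) for one IOS syslog line."""
    m = MSG_RE.search(line)
    if m is None:
        raise ValueError("not an IOS syslog message: %r" % line)
    return m["facility"], int(m["severity"]), m["mnemonic"], m["text"]


def level_of(threshold):
    """Accept a severity given as a number (6) or by name ('informational')."""
    if isinstance(threshold, int):
        if threshold not in SEVERITY_NAMES:
            raise ValueError("severity must be 0..7, got %r" % threshold)
        return threshold
    return NAME_TO_LEVEL[threshold.lower()]


def destinations(line, console=7, buffered=7, trap=6):
    """Which destinations receive this message under the given thresholds?

    Defaults are an assumption about IOS behaviour: console and buffer take
    everything (debugging), the syslog server takes informational and below.
    """
    _, sev, _, _ = parse_message(line)
    thresholds = {"console": console, "buffer": buffered, "syslog-server": trap}
    return {dest for dest, t in thresholds.items() if sev <= level_of(t)}


class LogBuffer:
    """Emulates 'logging buffered <bytes> <level>' (the router's RAM buffer)."""

    def __init__(self, size_bytes=4096, threshold=7):
        self.size_bytes = size_bytes
        self.threshold = level_of(threshold)
        self.entries = deque()
        self.used = 0

    def log(self, line):
        """Store the line if severe enough; evict oldest lines to stay in budget."""
        _, sev, _, _ = parse_message(line)
        if sev > self.threshold:
            return False
        self.entries.append(line)
        self.used += len(line)
        # As with the IOS buffer, older entries make room for newer ones.
        while self.used > self.size_bytes and len(self.entries) > 1:
            self.used -= len(self.entries.popleft())
        return True


def apply_example_2_13(lines):
    """Route the sample messages with the thresholds of Example 2-13:
    logging console warnings, logging buffered 4096 warnings, logging trap 6."""
    buf = LogBuffer(4096, "warnings")
    routed = []
    for line in lines:
        routed.append((parse_message(line)[1], destinations(line, "warnings", "warnings", 6)))
        buf.log(line)
    return routed, buf


if __name__ == "__main__":
    for sev, dests in apply_example_2_13(SAMPLE_LOG)[0]:
        print(sev, SEVERITY_NAMES[sev], sorted(dests))
```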

Network Time Protocol as a Tool

Picture this scenario. You have just been assigned a trouble ticket that reports high network utilization. Users are complaining that the network is slow at 5:30 p.m. The problem ticket indicates that this happens every day. You are browsing the logs to see whether anything abnormal is occurring on the network at that time. However, your search will be worthwhile only if the logs have time stamps. In addition, time stamps are useless if they are not accurate. For example, there may be a log entry for 2:25 p.m. Is that really 2:25 p.m., or is it 5:30 p.m.? Time-stamp accuracy is paramount when it comes to troubleshooting. Therefore, you need to make sure the clocks are set correctly on all the devices.

You might have heard the saying that a man with one watch always knows what time it is, whereas a man with two watches is never quite sure. Although you could individually set the clock on each of your devices, those clocks might drift over time and not agree, causing variations in the log entries. This implies that devices need to have a common point of reference for their time. If they don't, you will not be able to correlate the log entries to the problem the users are reporting. Such a reference point is made possible by Network Time Protocol (NTP), which allows network devices to point to a device acting as an NTP server (a time source). However, this must be a reliable time source. For example, the U.S. Naval Observatory in Washington, D.C., is a stratum 1 time source. Stratum 1 time sources are the most reliable and accurate.

Example 2-14 shows an NTP configuration entered on a router located in the eastern time zone, which is 5 hours behind GMT when daylight savings time is not in effect. The ntp server command is used to point to an NTP server. Note that a configuration can have more than one ntp server command, for redundancy. NTP will decide based on its protocol which is the most reliable, or you can manually specify which is most reliable by adding the prefer option to the ntp server command. Because the NTP server might be referenced by devices in different time zones, each device has its own time zone configuration, which indicates how many hours its time zone differs from Greenwich mean time (GMT). The clock summer-time command defines when daylight savings time begins and ends. In this example, daylight savings time begins at 2:00 a.m. local time on the second Sunday in March and ends at 2:00 a.m. on the first Sunday in November.

Example 2-14 Configuring a Router to Point to an NTP Server
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#clock timezone EST -5
R1(config)#clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
R1(config)#ntp server 192.168.1.150
R1(config)#ntp server 192.168.1.151 prefer
R1(config)#end
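The time-zone and recurring summer-time rules of Example 2-14 applied to a GMT time stamp, so a log entry kept in UTC can be compared with the local time users quote. This is an added example, not from the book; it assumes a northern-hemisphere rule (start date before end date in the same year) and a one-hour shift.

```python
"""Render a UTC log time stamp in a router's local time using the
clock timezone and clock summer-time rules of Example 2-14.

Added example, not from the book: parses the two IOS commands, works out
the recurring daylight-savings window for a given year, and converts a
GMT time stamp (as a syslog server or NTP itself would keep it) into the
local time users quote in a trouble ticket. Assumes a northern-hemisphere
rule where the start date falls before the end date in the same year.
"""
from datetime import datetime, timedelta

WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_timezone(cmd):
    """'clock timezone EST -5' -> ('EST', -5)"""
    _, kw, name, hours = cmd.split()[:4]
    if kw != "timezone":
        raise ValueError(cmd)
    return name, int(hours)


def parse_summer_time(cmd):
    """'clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00'
    -> {'name': 'EDT', 'start': ('2','Sun','Mar','2:00'), 'end': ('1','Sun','Nov','2:00')}"""
    p = cmd.split()
    if p[:2] != ["clock", "summer-time"] or len(p) < 12 or p[3] != "recurring":
        raise ValueError(cmd)
    return {"name": p[2], "start": tuple(p[4:8]), "end": tuple(p[8:12])}


def nth_weekday(year, month, weekday, week):
    """Date of the week-th (1-5 or 'last') given weekday of a month."""
    wd = WEEKDAYS[weekday]
    if week == "last":
        next_month = datetime(year + 1 if month == 12 else year, month % 12 + 1, 1)
        last = next_month - timedelta(days=1)
        return last - timedelta(days=(last.weekday() - wd) % 7)
    first = datetime(year, month, 1)
    return first + timedelta(days=(wd - first.weekday()) % 7 + 7 * (int(week) - 1))


def _at(date, hhmm):
    h, m = (int(x) for x in hhmm.split(":"))
    return date.replace(hour=h, minute=m)


def to_local(utc_dt, tz, dst, shift_hours=1):
    """Convert a UTC (GMT) time to the router's local time and zone name."""
    std_name, offset = tz
    std = utc_dt + timedelta(hours=offset)               # local standard time
    week, wd, mon, hhmm = dst["start"]
    start = _at(nth_weekday(std.year, MONTHS[mon], wd, week), hhmm)  # given in standard time
    week, wd, mon, hhmm = dst["end"]
    end = _at(nth_weekday(std.year, MONTHS[mon], wd, week), hhmm)    # given in summer time
    end_std = end - timedelta(hours=shift_hours)
    if start <= std < end_std:
        return std + timedelta(hours=shift_hours), dst["name"]
    return std, std_name


# The two commands from Example 2-14.
R1_TZ = parse_timezone("clock timezone EST -5")
R1_DST = parse_summer_time("clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00")


def local_stamp(utc_iso):
    """'2014-11-15 22:30' (UTC) -> '2014-11-15 17:30 EST'"""
    local, zone = to_local(datetime.strptime(utc_iso, "%Y-%m-%d %H:%M"), R1_TZ, R1_DST)
    return local.strftime("%Y-%m-%d %H:%M ") + zone


if __name__ == "__main__":
    # A 5:30 p.m. complaint matches a 22:30 UTC entry in winter, 21:30 UTC in summer.
    print(local_stamp("2014-11-15 22:30"), local_stamp("2014-07-01 21:30"))
```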

NTP uses a hierarchy of time servers based on stratum levels from 1 to 15. Stratum 1 is the most reliable. Because it is based on a hierarchy, you may not want all of your devices pointing to the stratum 1 time source that is connected to the Internet. In these instances, you could set up a device or two in your organization to receive their time from the stratum 1 source (making them a stratum 2 source) and then configure the other devices in your organization to receive their time from these local devices in your organization (making them a stratum 3).

Advanced Tools

Keeping an eye on network traffic patterns and performance metrics can help you anticipate problems before they occur. You can then take the necessary measures to address them proactively before they become a major issue. This is in contrast to taking a reactive stance where you continually respond to problem reports as they occur. The saying "If it ain't broke don't fix it" does not apply in a proactive network maintenance environment. Your stance in this type of environment should be "If it appears that it will break, fix it." To be proactive, you need more than just basic show and debug commands. You need advanced tools to proactively monitor the health of your devices and the health of your network traffic, such as SNMP, NetFlow, and EEM. Reasons to monitor network traffic include the following:

■ Ensuring compliance with an SLA: If you work for a service provider or are a customer of a service provider, you might want to confirm that performance levels to and from the service provider's cloud are conforming to the agreed-upon service level agreement (SLA).
■ Trend monitoring: Monitoring resource utilization on your network (for example, bandwidth utilization and router CPU utilization) can help you recognize trends and forecast when upgrades will be required or if users are abusing the network resources.
■ Troubleshooting performance issues: Performance issues can be difficult to troubleshoot in the absence of a baseline. By routinely monitoring network performance, you have a reference point (that is, a baseline) against which you can compare performance metrics collected after a user reports a performance issue.

Overview of SNMP and NetFlow

Simple Network Management Protocol (SNMP) allows a monitored device (for example, a router or a switch) to run an SNMP agent that collects data such as utilization statistics for processors and memory. An SNMP server can then query the SNMP agent to retrieve those statistics to determine the overall health of that device.

Cisco IOS NetFlow can provide you with tremendous insight into your network traffic patterns. Several companies market NetFlow collectors, which are software applications that can take the NetFlow information reported from a Cisco device and convert that raw data into useful graphs, charts, and tables reflecting traffic patterns.

Creating a Baseline with SNMP and NetFlow

SNMP and NetFlow are two technologies available on most Cisco IOS platforms that can automate the collection of statistics. These statistics can be used, for example, to establish a baseline that can be used in a troubleshooting scenario or in proactive network management and maintenance. Although both SNMP and NetFlow are useful for statistical data collection, they target different fundamental functions. SNMP is primarily focused on device statistics (the health of a device), whereas NetFlow is primarily focused on traffic statistics (the health of network traffic). Table 2-3 contrasts these two technologies.

Table 2-3 Comparing SNMP and NetFlow
Technology   Characteristics
SNMP         Collects device statistics (for example, platform resource utilization, traffic counts, and error counts)
             Uses a pull model (that is, statistics pulled from a monitored device by a network management station [NMS])
             Available on nearly all enterprise network devices
NetFlow      Collects detailed information about traffic flows
             Uses a push model (that is, statistics pushed from the monitored device to a NetFlow collector)
             Available on routers and high-end switches

SNMP

A device being managed by SNMP runs a process called an SNMP agent, which collects statistics about the device and stores those statistics in a Management Information Base (MIB). A network management system (NMS) can then query the agent for information in the MIB using the SNMP protocol. Figure 2-3 shows a topology using SNMP. In the topology, router R1 is running an SNMP agent that the NMS server can query.

Before SNMPv3, the most popular SNMP version was SNMPv2c, which used community strings for authentication. Specifically, for an NMS to be allowed to read data from a device running an SNMP agent, the NMS must be configured with a community string that matches the managed device's read-only community string. For the NMS to change the information on the managed device, the NMS must be configured with a community string that matches the managed device's read-write community string. In addition, you can create an access list that determines valid IP addresses or network addresses for NMS servers that are allowed to manage or collect information from the MIB of the device. To enhance the security available with SNMPv2c, SNMP Version 3 (SNMPv3) supports encryption and hashed authentication of SNMP messages. Today, many SNMP deployments are still using version 2c because of its simplicity.

Figure 2-3 SNMP Sample Topology (SW1, R1, and the NMS; R1 is the managed device running an SNMP agent)

Example 2-15 illustrates the SNMPv2c configuration on router R1. The snmp-server community string [ro | rw] [access_list_number] commands specify a read-only (that is, ro) community string of CISCO and a read-write (that is, rw) community string of PRESS. Only NMSs permitted in access lists 10 and 11 will be able to read, or read/write, respectively, this device using SNMP. Contact and location information for the device is also specified. In addition, notice the snmp-server ifindex persist command. This command ensures that the SNMP interface index stays consistent during data collection, even if the device is rebooted. This consistency is important when data is being collected for baselining purposes.

Example 2-15 SNMP Sample Configuration
R1#configure terminal
R1(config)#snmp-server community CISCO ro 10
R1(config)#snmp-server community PRESS rw 11
R1(config)#snmp-server contact demo@ciscopress.local
R1(config)#snmp-server location 3rd Floor of Lacoste Building
R1(config)#snmp-server ifindex persist

NetFlow

NetFlow can distinguish between different traffic flows. A flow is a series of packets, all of which have shared header information such as source and destination IP addresses, protocol numbers, port numbers, and type of service (TOS) field information. In addition, they are entering the same interface on the device. NetFlow can keep track of the number of packets and bytes observed in each flow. This information is stored in a flow cache. Flow information is removed from a flow cache if the flow is terminated, times out, or fills to capacity.

You can use the NetFlow feature as a standalone feature on an individual router. Such a standalone configuration might prove useful for troubleshooting because you can observe flows being created as packets enter a router. However, rather than using just a standalone implementation of NetFlow, you can export the entries in a router's flow cache to a NetFlow collector, which is a software application running on a computer/server in your network. After the NetFlow collector has received flow information over a period of time, analysis software running on the NetFlow collector can produce reports detailing traffic statistics. Figure 2-4 shows a sample topology in which NetFlow is enabled on router R4, and a NetFlow collector is configured on a PC at IP address 192.168.1.50.

Figure 2-4 NetFlow Sample Topology (R4, the NetFlow-enabled router, with interfaces Fa 0/0 and Fa 0/1 toward SW1 and SW2; IP Phone 10.8.8.6; Cisco Unified Communications Manager Server 192.168.1.228; a Web Server; NetFlow Collector 192.168.1.50)

Example 2-16 illustrates the NetFlow configuration on router R4. In it, router R4 is configured to report its NetFlow information to a NetFlow collector at IP address 192.168.1.50. Notice that the ip flow ingress command is issued for both the Fast Ethernet 0/0 and Fast Ethernet 0/1 interfaces. This ensures that all flows passing through the router, regardless of direction, can be monitored. Although not required, the ip flow-export source lo 0 command indicates that all communication between router R4 and the NetFlow collector will be via interface Loopback 0. A NetFlow Version of 5 was specified. You should check the documentation for your NetFlow collector software to confirm which version to configure. Finally, the ip flow-export destination 192.168.1.50 5000 command is issued to specify that the NetFlow collector's IP address is 192.168.1.50, and communication to the NetFlow collector should be done over UDP port 5000. Because NetFlow does not have a standardized port number, check your NetFlow collector's documentation when selecting a port.

Example 2-16 NetFlow Sample Configuration
R4#configure terminal
R4(config)#int fa 0/0
R4(config-if)#ip flow ingress
R4(config-if)#exit
R4(config)#int fa 0/1
R4(config-if)#ip flow ingress
R4(config-if)#exit
R4(config)#ip flow-export source lo 0
R4(config)#ip flow-export version 5
R4(config)#ip flow-export destination 192.168.1.50 5000
R4(config)#end

Using your favorite search engine, search for images of "NetFlow collector" (without the quotes) to see various sample images of what a NetFlow collector can provide you. Although an external NetFlow collector is valuable for longer-term flow analysis and can provide detailed graphs and charts, you can issue the show ip cache flow command at a router's CLI prompt to produce a summary of flow information, as shown in Example 2-17. A troubleshooter can look at the output displayed in Example 2-17 and be able to confirm, for example, that traffic is flowing between IP address 10.8.8.6 (a Cisco IP Phone) and 192.168.1.228 (a Cisco Unified Communications Manager server).

Example 2-17 Viewing NetFlow Information
R4#show ip cache flow
...OUTPUT OMITTED...
Protocol      Total    Flows   Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
--------      Flows     /Sec     /Flow   /Pkt     /Sec       /Flow      /Flow
TCP-Telnet       12      ...       ...    ...      ...         ...        ...
TCP-WWW          12      ...       ...    ...      ...         ...        ...
TCP-other       536      ...       ...    ...      ...         ...        ...
UDP-TFTP        225      ...       ...    ...      ...         ...        ...
UDP-other       122      ...       ...    ...      ...         ...        ...
ICMP             41      ...       ...    ...      ...         ...        ...
IP-other          1      ...       ...    ...      ...         ...        ...
Total:          949      ...       ...    ...      ...         ...        ...
...OUTPUT OMITTED...
SrcIf   SrcIPaddress    DstIf   DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1   10.8.8.6        Fa0/0   192.168.1.228   06 C2DB 07D0  2
Fa0/0   192.168.1.228   Fa0/1   10.8.8.6        06 07D0 C2DB  1
...OUTPUT OMITTED...

Providing Notifications for Network Events

Whereas responding to problem reports from users is a reactive form of troubleshooting, monitoring network devices for significant events and responding to those events is a proactive form of troubleshooting. For example, a router that is dual-homed to the Internet might report the event of one of its Internet connections going down. The redundant link can then be repaired, in response to the notification, before a user loses connectivity with the Internet, thus resolving the problem without users being impacted.

Both syslog and SNMP are protocols that can report the occurrence of specific events on a network device, and NetFlow can report events related to network traffic flows. Although these protocols by themselves lack a mechanism to alert a network administrator (for example, via e-mail) when a network event is logged, third-party software is available that can selectively alert appropriate personnel when specific events are logged.

Earlier, this section discussed how a network device running an SNMP agent can be queried for information from an NMS. However, a network device running an SNMP agent can also initiate communication with an NMS. If an interface goes down, the SNMP agent on a managed network device can send a message containing information about the interface state change to an NMS, and then the NMS can notify a network administrator via e-mail, for example. These messages, from the agent to the NMS, are called traps. These traps require the NMS to interpret them because they are not in an easy, readable format.

Example 2-18 demonstrates how to enable a router to send SNMP traps to an NMS. The snmp-server host 192.168.1.50 version 2c CISCOPRESS command points router R4 to an SNMP server (that is, an NMS) at IP address 192.168.1.50. The SNMP server is configured for SNMP version 2c and a community string of CISCOPRESS; therefore, we include that information on the router for communication purposes with the NMS. The snmp-server enable traps command is used to enable all traps on the router. If you only need to enable specific traps, you may do so by adding the individual trap keyword to the snmp-server enable traps command (for example, snmp-server enable traps bgp). You can view the enabled traps by using the show run | include traps command.

Example 2-18 Enabling SNMP Traps
R4#configure terminal
R4(config)#snmp-server host 192.168.1.150 version 2c CISCOPRESS
R4(config)#snmp-server enable traps
R4(config)#end
R4#show run | include traps
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps gatekeeper
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps ds3
...OUTPUT OMITTED...
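What the collector at 192.168.1.50 actually receives from the export configured in Example 2-16, as an added example that is not from the book: a NetFlow Version 5 datagram is packed the way the router does it, then validated and decoded the way a collector must, and summarised per protocol like the show ip cache flow table. The flow values, interface indexes, and the Telnet and UDP flows are constructed.

```python
"""Build and decode a NetFlow Version 5 export datagram.

Added example, not from the book: a router configured as in Example 2-16
exports version 5 records to the collector over UDP; this shows both the
exporter side (packing records) and the collector side (validating and
decoding them, then summarising per protocol the way show ip cache flow
does). Flow values are constructed after Example 2-17.
"""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
MAX_RECORDS = 30   # a v5 datagram carries at most 30 flow records

# Constructed flows: the SCCP exchange between the IP phone and CUCM seen in
# Example 2-17, plus a Telnet and a UDP flow. ifIndex 1 = Fa0/0, 2 = Fa0/1.
SAMPLE_FLOWS = [
    dict(src="10.8.8.6", dst="192.168.1.228", in_if=2, out_if=1, proto=6,
         sport=0xC2DB, dport=0x07D0, packets=2, octets=120, first_ms=1000, last_ms=1200),
    dict(src="192.168.1.228", dst="10.8.8.6", in_if=1, out_if=2, proto=6,
         sport=0x07D0, dport=0xC2DB, packets=1, octets=60, first_ms=1100, last_ms=1100),
    dict(src="10.3.3.2", dst="10.1.1.1", in_if=1, out_if=0, proto=6,
         sport=0x38F2, dport=23, packets=438, octets=26280, first_ms=500, last_ms=9000),
    dict(src="10.8.8.6", dst="192.168.1.228", in_if=2, out_if=1, proto=17,
         sport=0x6002, dport=0x6BD2, packets=9166, octets=1833200, first_ms=1200, last_ms=184520),
]


def build_v5_packet(flows, uptime_ms, unix_secs, sequence, engine_id=0):
    """Pack flows as a router would export them (no sampling, engine type 0)."""
    if len(flows) > MAX_RECORDS:
        raise ValueError("too many records for one v5 datagram")
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, sequence, 0, engine_id, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
            socket.inet_aton(f.get("nexthop", "0.0.0.0")),
            f["in_if"], f["out_if"], f["packets"], f["octets"],
            f["first_ms"], f["last_ms"], f["sport"], f["dport"],
            0, f.get("tcp_flags", 0), f["proto"], f.get("tos", 0),
            0, 0, f.get("src_mask", 0), f.get("dst_mask", 0), 0)
        for f in flows)
    return header + body


def parse_v5_packet(data):
    """Decode one datagram, refusing anything that is not well-formed v5."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if count > MAX_RECORDS or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count %d does not match datagram length %d" % (count, len(data)))
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "nexthop": socket.inet_ntoa(r[2]), "in_if": r[3], "out_if": r[4],
            "packets": r[5], "octets": r[6], "first_ms": r[7], "last_ms": r[8],
            "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13], "tos": r[14],
        })
    return {"sequence": seq, "uptime_ms": uptime, "unix_secs": secs,
            "engine_id": eid, "sampling": sampling, "flows": flows}


def classify(flow):
    """Bucket a flow the way the show ip cache flow summary does."""
    ports = {flow["sport"], flow["dport"]}
    if flow["proto"] == 6:
        return "TCP-Telnet" if 23 in ports else "TCP-WWW" if 80 in ports else "TCP-other"
    if flow["proto"] == 17:
        return "UDP-TFTP" if 69 in ports else "UDP-other"
    return "ICMP" if flow["proto"] == 1 else "IP-other"


def summarize(flows):
    """Per-protocol totals: flows, packets, octets (like the summary table)."""
    out = {}
    for f in flows:
        bucket = out.setdefault(classify(f), {"flows": 0, "packets": 0, "octets": 0})
        bucket["flows"] += 1
        bucket["packets"] += f["packets"]
        bucket["octets"] += f["octets"]
    return out


if __name__ == "__main__":
    pkt = build_v5_packet(SAMPLE_FLOWS, uptime_ms=200000, unix_secs=1417392000, sequence=7)
    for name, totals in sorted(summarize(parse_v5_packet(pkt)["flows"]).items()):
        print(name, totals)
```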

The messages received via syslog and SNMP are predefined within Cisco IOS. Although this is a rather large collection of predefined messages and should accommodate most network management requirements, Cisco IOS also supports a feature called Embedded Event Manager (EEM) that enables you to create your own event definitions and specify custom responses to those events. An event can be defined and triggered based on a syslog message, SNMP trap, and even the issuing of a specific Cisco IOS command. In response to a defined event, EEM can perform various actions, including sending an SNMP trap to an NMS, sending an e-mail to an appropriate party, executing specified Cisco IOS commands, writing a log message to a syslog server, capturing output of specific show commands, or executing a tool command language (Tcl) script, as just a few examples. From this short list, you can already see how powerful the EEM can be.

To illustrate the basic configuration steps involved in configuring an EEM applet, consider Example 2-19. The purpose of this configuration is to create a syslog message that will be displayed on the router console when someone clears the router's interface counters using the clear counters command. The message reminds the administrator to update the network documentation and list the rationale for clearing the interface counters.

Example 2-19 EEM Sample Configuration
R4#configure terminal
R4(config)#event manager applet COUNTER-RESET
R4(config-applet)#event cli pattern "clear counters" sync no skip no occurs 1
R4(config-applet)#action A syslog priority informational msg "Please update network documentation to record why the counters were reset."
R4(config-applet)#end

The event manager applet COUNTER-RESET command creates an EEM applet named COUNTER-RESET and enters applet configuration mode. The event command specifies what you are looking for in your custom-defined event. In Example 2-19, you are looking for the CLI command clear counters. Note that the clear counters command would be detected even if a shortcut (for example, cle co) were used. The sync no parameter says that the EEM policy will run asynchronously with the CLI command; specifically, the EEM policy will not be executed before the CLI command executes. The skip no parameter says that the CLI command will not be skipped (that is, the CLI command will be executed). Finally, the occurs 1 parameter indicates that the EEM event is triggered by a single occurrence of the clear counters command being issued. The action command is then entered to indicate what should be done in response to the defined event. In this example, the action is given a locally significant name of A and is assigned a syslog priority level of informational. The specific action to be taken is producing this informational message saying: Please update network documentation to record why the counters were reset.

To verify the operation of the EEM configuration presented in Example 2-19, the clear counters command is executed in Example 2-20. Notice that entering the clear counters command triggers the custom-defined event, resulting in generation of a syslog message reminding an administrator to document the reason they cleared the interface counters.

Example 2-20 Testing EEM Configuration
R4#clear counters
Clear "show interface" counters on all interfaces [confirm]
R4#
%HA_EM-6-LOG: COUNTER-RESET: Please update network documentation to record why the counters were reset.
R4#

Cisco Support Tools

Cisco has several other configuration, troubleshooting, and maintenance tools available on its website: http://www.cisco.com/en/US/support/tsd_most_requested_tools.html
Some of the tools available at this website require login credentials with appropriate privilege levels.

Using Cisco IOS to Verify and Define the Problem

When you receive a trouble ticket, your first couple of tasks should be to verify and define the problem. Some relatively simple tasks can confirm the issue reported and in most cases help to focus your troubleshooting efforts. Three easy-to-use tools built in to the Cisco IOS can help you verify connectivity and further define the problem. They are ping, Telnet, and traceroute. This section discusses how ping, Telnet, and traceroute can verify the problem and help focus our efforts.

Ping

A common command, which you can use to check network connectivity, is the ping command. A basic ping command sends Internet Control Message Protocol (ICMP) echo messages to a specified destination, as shown in Example 2-21. For every ICMP echo reply received from that specified destination, an exclamation point appears in the output. If you recall from Chapter 1, a successful ping indicates that Layers 1, 2, and 3 of the OSI model are functioning, and so you can focus your attention on higher OSI layers. The same holds true in reverse with an unsuccessful ping. If it is unsuccessful, you focus your troubleshooting on the lower layers of the OSI model.

Example 2-21 Basic ping Command
R1#ping 10.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
!!!!!

The ping command does have several options that can prove useful during troubleshooting, including the following:

■ size: Specifies the number of bytes per datagram (defaults to 100 bytes on Cisco IOS)
■ repeat: Specifies the number of ICMP echo messages sent (defaults to 5)
■ timeout: Specifies the number of seconds to wait for an ICMP echo reply (defaults to 2)
■ source: Specifies the source of the ICMP echo datagrams
■ df-bit: Sets the do not fragment bit in the ICMP echo datagram

Not only can a ping command indicate that a given IP address is reachable, but the response to a ping command might provide insight into the nature of a problem. For example, if the ping results indicate alternating failures and successes (that is, !.!.!.!), a troubleshooter might conclude that traffic is being load balanced between the source and destination IP addresses. Traffic flowing across one path is successful, whereas traffic flowing over the other path is failing.

You can also use the ping command to create a load on the network to troubleshoot the network under heavy use. For example, you can specify a datagram size of 1500 bytes, along with a large byte count (repeat value) and a timeout of 0 seconds, as shown in Example 2-22. Notice that all the pings failed. These failures occurred because of the 0-second timeout. The router did not wait before considering the ping to have failed and sending another ICMP echo message. Remember, in this case, we do not care that it failed; we are doing this for the artificial load generated for testing purposes.

Example 2-22 Creating a Heavy Load on the Network
R1#ping 10.4.4.4 size 1500 repeat 9999 timeout 0
Type escape sequence to abort.
Sending 9999, 1500-byte ICMP Echos to 10.4.4.4, timeout is 0 seconds:
............................................................
............................................................
............................................................
...OUTPUT OMITTED...

Perhaps you suspect that an interface has a nondefault maximum transmission unit (MTU) size, which is commonly seen with Q-n-Q tunnels, generic routing encapsulation (GRE) tunnels, and even Point-to-Point Protocol over Ethernet (PPPoE) interfaces. To verify your suspicion, you could send ICMP echo messages across that interface using the df-bit and size options of the ping command to specify the size of the datagram to be sent. The df-bit option instructs a router to drop this datagram rather than fragmenting it if fragmentation is required. Example 2-23 shows the sending of pings with the do not fragment bit set. Notice the M in the ping responses, which indicates that fragmentation was required but could not be performed because the do not fragment bit was set. Therefore, you can conclude that a link between the source and destination is using a nonstandard MTU (that is, an MTU less than 1500 bytes).

Example 2-23 Pinging with the Do Not Fragment Bit Set
R1#ping 10.4.4.4 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with the DF bit set
M.M.M.M.M

The challenge is how to determine the nondefault MTU size without multiple manual attempts. An extended ping can help with such a scenario. Consider Example 2-24, which issues the ping command without command-line parameters. This invokes the extended ping feature. The extended ping feature enables you to granularly customize your pings. Specifically, you could specify a range of datagram sizes to use in your pings to help determine the size of a nondefault MTU. For example, in Example 2-24 you could determine that the MTU across at least one of the links from the source to the destination IP address was set to 1450 bytes, because the M ping responses begin after 51 ICMP echo datagrams were sent (with datagram sizes in the range of 1400 to 1450 bytes).

Example 2-24 Extended Ping Performing a Ping Sweep
R1#ping
Protocol [ip]:
Target IP address: 10.4.4.4
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: yes
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]: y
Sweep min size [36]: 1400
Sweep max size [18024]: 1500
Sweep interval [1]:
Type escape sequence to abort.
Sending 101, [1400..1500]-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M
Success rate is 50 percent (51/101), round-trip min/avg/max = 60/125/232 ms
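The reasoning behind Example 2-24, turned into a parser for DF-bit ping output so the path MTU can be read off a sweep without counting characters by hand. This is an added example, not from the book; the sample output strings are constructed to mirror Examples 2-23 and 2-24, and the analysis assumes the result characters come in the order the datagrams were sent.

```python
"""Infer a path MTU from Cisco IOS ping output with the DF bit set.

Added example, not from the book: parses the text a ping or extended ping
sweep prints (Examples 2-23 and 2-24), counts how many datagrams passed
before the first M (fragmentation needed), and turns that into the largest
datagram size that fits and the smallest that does not. Sample output is
constructed to mirror Example 2-24 (51 successes out of 101).
"""
import re

SWEEP_RE = re.compile(r"Sending (\d+), \[(\d+)\.\.(\d+)\]-byte ICMP Echos")
SINGLE_RE = re.compile(r"Sending (\d+), (\d+)-byte ICMP Echos")
SUCCESS_RE = re.compile(r"Success rate is \d+ percent \((\d+)/(\d+)\)")
RESULT_RE = re.compile(r"^[!.MUQ?&]+$")   # the per-datagram result characters

# Constructed to match Example 2-24: sizes 1400..1500, first 51 succeed.
SWEEP_OUTPUT = """Type escape sequence to abort.
Sending 101, [1400..1500]-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with the DF bit set
""" + "!" * 51 + "M." * 25 + """
Success rate is 50 percent (51/101), round-trip min/avg/max = 60/125/232 ms
"""

# Constructed to match Example 2-23: one size, every datagram too big.
DF_OUTPUT = """Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with the DF bit set
M.M.M.M.M
"""


def analyze_df_ping(output, sweep_interval=1):
    """Return what the output says about the path MTU.

    Keys: 'sizes' (min, max) sent, 'passed' (leading '!' count),
    'largest_ok' (biggest size that went through, None if none did) and
    'first_too_big' (smallest size that needed fragmentation, None if none).
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not any("DF bit set" in ln for ln in lines):
        raise ValueError("DF bit was not set; M responses cannot appear")
    result = next((ln for ln in lines if RESULT_RE.match(ln)), None)
    if result is None:
        raise ValueError("no per-datagram result line found")
    m = SWEEP_RE.search(output)
    if m:
        sent, lo, hi = (int(x) for x in m.groups())
    else:
        m = SINGLE_RE.search(output)
        if m is None:
            raise ValueError("no 'Sending ...' line found")
        sent, lo = (int(x) for x in m.groups())
        hi, sweep_interval = lo, 0          # every datagram has the same size
    passed = len(result) - len(result.lstrip("!"))   # '!' before the first failure
    s = SUCCESS_RE.search(output)
    if s and int(s.group(1)) != passed:
        # A timeout inside the run of successes would break the size inference.
        raise ValueError("success count %s disagrees with %d leading '!'" % (s.group(1), passed))
    largest_ok = lo + (passed - 1) * sweep_interval if passed else None
    first_too_big = lo + passed * sweep_interval if "M" in result else None
    return {"sizes": (lo, hi), "sent": sent, "passed": passed,
            "largest_ok": largest_ok, "first_too_big": first_too_big}


if __name__ == "__main__":
    print(analyze_df_ping(SWEEP_OUTPUT))   # largest_ok 1450, first_too_big 1451
    print(analyze_df_ping(DF_OUTPUT))      # largest_ok None, first_too_big 1500
```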

Telnet

As you just read, the ping command is useful for testing Layer 3 (that is, the network layer) connectivity. The telnet command is useful for troubleshooting Layer 4 (that is, the transport layer) and Layer 7 (that is, the application layer). By default, Telnet uses TCP port 23. However, you can specify an alternate port number to see whether a particular TCP Layer 4 service is running at a destination IP address. To illustrate, notice the telnet 192.168.1.50 80 command issued in Example 2-25. This command causes router R1 to attempt a TCP connection with 192.168.1.50 using port 80 (the HTTP port). The response of Open indicates that 192.168.1.50 is indeed running a service on port 80. Such an approach might prove useful if you are using a divide-and-conquer approach, starting at Layer 3 (which was determined to be operational as a result of a successful ping), or a bottom-up approach (which has also confirmed Layer 3 to be operational).

Example 2-25 Using Telnet to Test the Transport Layer (Success)

R1#telnet 192.168.1.50 80
Trying 192.168.1.50, 80 ... Open

Let's consider a situation where users indicate that they are unable to connect to the mail server at 192.168.1.51. The mail server uses SMTP port 25. Therefore, you could use telnet to test the transport layer. The result of using Telnet to test the transport layer shows that port 25 is not responding on the mail server, as shown in Example 2-26. At this point, you may want to start by checking whether the server is operational and verifying that no access control lists (ACLs) are denying connectivity to port 25.

Example 2-26 Using Telnet to Test the Transport Layer (Failure)

R1#telnet 192.168.1.51 25
Trying 192.168.1.51, 25 ...
% Connection refused by remote host

Note that a refusal is itself useful evidence. The server (or a device answering on its behalf) sent back a TCP reset, so it is reachable at Layer 3 and is either not listening on port 25 or is actively rejecting the connection. An ACL or firewall that silently drops the SYN normally produces a timeout (% Connection timed out; remote host not responding) rather than a refusal, so the two messages point you at different parts of the network. Also keep in mind that Open only proves that a TCP listener exists; it says nothing about whether the application behind it is healthy.

Traceroute

The traceroute command provides valuable information during the troubleshooting process. The first is verified connectivity, which is what the ping command provides us. If the trace completes successfully, we have verified Layer 3 connectivity. The second valuable piece of information is the path that the trace took through the network. This is something that the ping command does not provide. Example 2-27 displays the output of a successful trace to the router that has the IP address 10.4.4.4. Therefore, if we issue the command ping 10.4.4.4 and it fails, we could then issue the traceroute 10.4.4.4 command to get an idea of where the ping is failing.
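The same transport-layer check can be run from a host rather than from the router. The following Python is an added example,  not code from the book: it opens a TCP connection the way telnet host port does and classifies the result into the three outcomes IOS reports (open, refused, timed out), which is the distinction that tells you whether the server is reachable but not listening or whether something on the path is dropping the SYN. The demo function creates its own listener on loopback so that it runs offline; the addresses from the book's scenario are not contacted, and the function names are this example's own.

```python
"""Layer 4 reachability probe equivalent to 'telnet host port' on IOS.

Added example for this chapter, not code from the book. Outcomes map onto the
messages IOS prints:
  'open'     "Trying 192.168.1.50, 80 ... Open"      SYN/ACK came back: a listener exists
  'refused'  "% Connection refused by remote host"    RST came back: host reachable, nothing
                                                      listening (or actively rejecting)
  'timeout'  "% Connection timed out; remote host not responding"
                                                      no answer: SYN dropped by an ACL or
                                                      firewall, or the host is down
"""
import errno
import socket
from typing import Dict

IOS_MESSAGES = {
    'open': 'Open',
    'refused': '% Connection refused by remote host',
    'timeout': '% Connection timed out; remote host not responding',
}


def tcp_port_state(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'refused', 'timeout', or 'error(<errno name>)'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))   # errno instead of an exception for connect() failures
    except socket.timeout:
        return 'timeout'
    except OSError as exc:                # e.g. name resolution failure
        return f'error({exc.errno})'
    finally:
        s.close()
    if rc == 0:
        return 'open'
    if rc == errno.ECONNREFUSED:
        return 'refused'
    # connect_ex reports a timed-out non-blocking connect as EAGAIN/EWOULDBLOCK on Linux,
    # and as ETIMEDOUT when the kernel gives up retransmitting the SYN.
    if rc in (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK):
        return 'timeout'
    return f'error({errno.errorcode.get(rc, rc)})'


def ios_style_line(host: str, port: int, state: str) -> str:
    """Format a probe result the way the router prints it, for side-by-side comparison."""
    return f'Trying {host}, {port} ... {IOS_MESSAGES.get(state, state)}'


def demo_against_local_listener() -> Dict[str, str]:
    """Offline demonstration on loopback: probe a live listener, then the same port once closed.

    Constructed for this example; no host from the book's scenario is contacted.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(('127.0.0.1', 0))        # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_open = tcp_port_state('127.0.0.1', port)
    finally:
        listener.close()
    after_close = tcp_port_state('127.0.0.1', port)   # nothing listening now: expect a reset
    return {'port': str(port), 'while_open': while_open, 'after_close': after_close}


if __name__ == '__main__':
    results = demo_against_local_listener()
    for label in ('while_open', 'after_close'):
        print(label, ios_style_line('127.0.0.1', int(results['port']), results[label]))
```

Against a real target, a refused result means you can stop looking at the path and start looking at the server; a timeout means the path (ACLs, firewalls, routing back to you) is still a suspect.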

Example 2-27 Using Traceroute

R1#traceroute 10.4.4.4
Type escape sequence to abort.
Tracing the route to 10.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.2 44 msec 36 msec 44 msec
  2 10.2.2.2 24 msec 64 msec 36 msec
  3 10.3.3.2 64 msec 52 msec 84 msec
  4 10.4.4.4 100 msec * 72 msec

Example 2-28 shows an unsuccessful ping from R1 to 10.4.4.4. We then use traceroute to get a better picture of where this ping is failing so we can focus our attention around that part of the network. Replies stop after the second hop (10.2.2.2), so the problem lies at or beyond the next device in the path.

Example 2-28 Using Traceroute to Follow the Path

R1#ping 10.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#traceroute 10.4.4.4
Type escape sequence to abort.
Tracing the route to 10.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.2 24 msec 44 msec 28 msec
  2 10.2.2.2 68 msec 88 msec 88 msec
  3 * * *
  4 * * *
  5 * * *
  6 * * *
...OUTPUT OMITTED...

Keep in mind that Cisco IOS traceroute sends UDP probes with increasing TTL values and depends on the ICMP time-exceeded and port-unreachable messages that come back. A hop that drops or rate-limits the ICMP messages it generates shows up as * * * even though it is forwarding traffic normally. A single row of asterisks is therefore not proof of a failure; asterisks that continue for every remaining hop, combined with the failed ping in Example 2-28, are what point to a break in the path.

If you see a repeating pattern of IP addresses in the output of traceroute (for example, 10.1.1.2, 10.2.2.2, 10.3.3.2, 10.1.1.2, 10.2.2.2, 10.3.3.2), you have a routing loop.

Using Cisco IOS to Collect Information

After a problem has been clearly defined, as described in Chapter 1, the first step in diagnosing that problem is collecting information. Because the collection of information can be one of the most time-consuming of the troubleshooting processes, the ability to quickly collect appropriate information becomes a valuable troubleshooting skill. Time is valuable. You do not want to spend your time looking for the needle in a haystack. Would you prefer to search for the needle in a haystack by moving one piece of straw at a time, or would you prefer to use the biggest, strongest magnet in the world and attract the needle out of the haystack? I choose the magnet. This section introduces basic Cisco IOS commands useful in gathering information and discusses the filtering of irrelevant information from the output of those commands. Also included in this section are commands helpful in diagnosing connectivity and hardware issues.

Filtering the Output of show Commands

Cisco IOS offers multiple show commands and debug commands that are useful for gathering information. Throughout this book, you will be introduced to a considerable number of show and debug commands. However, many of these commands produce a large quantity of output, making it challenging to pick out a single process. Consider the output shown in Example 2-29.

Example 2-29 show processes cpu Command Output

R1#show processes cpu
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           4         3       1333  0.00%  0.00%  0.00%   0 Chunk Manager
   2        7245      1802       4020  0.08%  0.08%  0.08%   0 Load Meter
   3          56      2040         27  0.00%  0.00%  0.00%   0 OSPF Hello
   4           4         1       4000  0.00%  0.00%  0.00%   0 EDDRI_MAIN
   5       21998      1524      14434  0.32%  0.25%  0.25%   0 Check heaps
   6           0         1          0  0.00%  0.00%  0.00%   0 Pool Manager
   7           0         2          0  0.00%  0.00%  0.00%   0 Timers
   8           0         1          0  0.00%  0.00%  0.00%   0 Crash Writer
   9           0       302          0  0.00%  0.00%  0.00%   0 Environmental mo
  10         731      1880        388  0.00%  0.00%  0.00%   0 ARP Input
...OUTPUT OMITTED...
 171           0         1          0  0.00%  0.00%  0.00%   0 lib_off_app
 172           4         2       2000  0.00%  0.00%  0.00%   0 Voice Player
 173           0         1          0  0.00%  0.00%  0.00%   0 Media Record
 174           0         1          0  0.00%  0.00%  0.00%   0 Resource Measure
 175          12         6       2000  0.00%  0.00%  0.00%   0 Session Applicat
 176          12       151         79  0.00%  0.00%  0.00%   0 RTPSPI
 177           4     17599          0  0.00%  0.00%  0.00%   0 IP NAT Ager
 178           0         1          0  0.00%  0.00%  0.00%   0 IP NAT WLAN
 179           8       314         25  0.00%  0.00%  0.00%   0 CEF Scanner

The output from the show processes cpu command generated approximately 180 lines of output. Perhaps you were only looking for CPU utilization statistics for the Check heaps process. Because you know that the content of the one line you are looking for contains the text Check heaps, you could take the output of the show processes cpu command and pipe that output (that is, use the | character) to the include Check heaps statement. The piping of the output causes the output to be filtered to only include lines that contain the text Check heaps, as demonstrated in Example 2-30.

Example 2-30 Filtering the show processes cpu Command Output

R1#show processes cpu | include Check heaps
   5       24710      1708      14467  1.26%  0.14%  0.24%   0 Check heaps

Example 2-30 gave us some interesting values, but what do they mean? If you go back to Example 2-29, you will notice column headers that were omitted in Example 2-30. Therefore, we have to tweak our command so that we can receive the column headers, as shown in Example 2-31.

Example 2-31 Filtering the show processes cpu Command Output with Column Headers

R1#show processes cpu | include Check heaps|^CPU|^ PID
CPU utilization for five seconds: 3%/100%; one minute: 4%; five minutes: 4%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   5       24710      1708      14467  1.26%  0.14%  0.24%   0 Check heaps

In Example 2-31 we modified the show processes cpu | include Check heaps command to include |^CPU|^ PID. The ^ is a regular-expression anchor that represents "begins with." Therefore, these additions state to include any line that begins with CPU or (space)PID. Notice that the additional | characters inside the include argument have no spaces around them: they are regular-expression alternation (a logical "or") and are part of the pattern, not additional command-line pipes. Now those interesting values have meaning because the column headers are included.

This type of filtering can help troubleshooters more quickly find the data they are looking for. However, realize that the text you are looking for is case sensitive. Therefore, check heaps is not the same as Check heaps. In addition, with the show processes cpu command, you can sort by 5-second, 1-minute, and 5-minute utilization with the sorted parameter. This places in descending order those processes that are consuming the most CPU resources.

Similar to piping output to the include option, you could alternatively pipe output to the exclude option. The exclude option displays all lines of the output except lines containing the string you specify. For example, the show ip interface brief command can display IP addresses and interface status information for interfaces on a router and switch, as shown in Example 2-32.

Example 2-32 show ip interface brief Command Output

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.0.11    YES NVRAM  up                    up
FastEthernet0/1            192.168.1.11    YES NVRAM  up                    up
Serial0/0                  unassigned      YES NVRAM  administratively down down
Serial0/1                  unassigned      YES NVRAM  administratively down down
NVI0                       unassigned      YES unset  up                    up
Loopback0                  10.1.1.1        YES NVRAM  up                    up

Notice in Example 2-32 that some of the interfaces have an IP address of unassigned. If you want to only view information pertaining to interfaces with assigned IP addresses, you can pipe the output of the show ip interface brief command to exclude unassigned, as illustrated in Example 2-33.

Example 2-33 Filtering Output from the show ip interface brief Command Using exclude

R1#show ip interface brief | exclude unassigned
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.0.11    YES NVRAM  up                    up
FastEthernet0/1            192.168.1.11    YES NVRAM  up                    up
Loopback0                  10.1.1.1        YES NVRAM  up                    up

As another example, you might be troubleshooting an OSPF routing protocol issue and want to see the section of your running configuration where the routing protocol configuration begins. Piping the output of the show running-config command to begin router, as shown in Example 2-34, skips the initial portion of the show running-config output and begins displaying the output where the first instance of router is seen in the running configuration.

Example 2-34 Filtering Output from the show running-config Command Using begin

R1#show running-config | begin router
router eigrp 100
 network 10.0.0.0
 network 192.168.1.0
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
...OUTPUT OMITTED...

However, if the first instance of router appears in the running configuration before the router ospf section (as in Example 2-34), you will still have to sift through the running configuration until you get to the router ospf section. Because we are trying to find a specific section (in this case, OSPF) in the running configuration, we can pipe the output to section. In Example 2-35, we pipe the output of the show running-config command to section router ospf and get output only from the router ospf section.

Example 2-35 Filtering Output from the show running-config Command Using section

R1#show running-config | section router ospf
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

As stated earlier, when piping, you need to specify the exact case and the exact spacing. For example, section GigabitEthernet0/1 works, but section GigabitEthernet 0/1, section Gigabitethernet0/1, and section Gi0/1 do not work.

Another command that often generates lengthy output, especially in larger environments, is the show ip route command. Consider, for example, the output of show ip route presented in Example 2-36.

Example 2-36 Sample show ip route Command Output

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/30 is subnetted, 2 subnets
O       172.16.1.0 [110/65] via 192.168.1.22, 00:50:57, FastEthernet0/1
O       172.16.2.0 [110/65] via 192.168.1.22, 00:50:57, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C       10.1.1.1/32 is directly connected, Loopback0
O       10.2.2.2/32 [110/2] via 192.168.1.22, 00:50:58, FastEthernet0/1
O       10.2.2.0/30 [110/129] via 192.168.1.22, 00:50:57, FastEthernet0/1
O       10.3.3.3/32 [110/66] via 192.168.1.22, 00:50:57, FastEthernet0/1
O       10.3.3.0/24 [110/75] via 192.168.1.22, 00:50:58, FastEthernet0/1
O       10.4.4.4/32 [110/66] via 192.168.1.22, 00:50:57, FastEthernet0/1
C    192.168.0.0/24 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1

Although the output shown in Example 2-36 is relatively small, some IP routing tables contain hundreds or even thousands of entries. If you want to determine whether a route for network 172.16.1.0 is present in a routing table, you could issue the command show ip route 172.16.1.0, as depicted in Example 2-37.

Example 2-37 Specifying a Specific Route with the show ip route Command

R1#show ip route 172.16.1.0
Routing entry for 172.16.1.0/30
  Known via "ospf 1", distance 110, metric 65, type intra area
  Last update from 192.168.1.22 on FastEthernet0/1, 00:52:08 ago
  Routing Descriptor Blocks:
  * 192.168.1.22, from 10.2.2.2, 00:52:08 ago, via FastEthernet0/1
      Route metric is 65, traffic share count is 1

Perhaps you are looking for all subnets of the 172.16.0.0/16 address space. In that event, you could specify the subnet mask and the longer-prefixes argument as part of your command, as demonstrated in Example 2-38. Such a command, show ip route 172.16.0.0 255.255.0.0 longer-prefixes, for instance, shows all subnets of network 172.16.0.0/16.

Example 2-38 Filtering Output from the show ip route Command with the longer-prefixes Option

R1#show ip route 172.16.0.0 255.255.0.0 longer-prefixes
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/30 is subnetted, 2 subnets
O       172.16.1.0 [110/65] via 192.168.1.22, 00:51:39, FastEthernet0/1
O       172.16.2.0 [110/65] via 192.168.1.22, 00:51:39, FastEthernet0/1

Redirecting show Command Output to a File

Imagine that you are working with the Cisco Technical Assistance Center (TAC) to troubleshoot an issue, and they want a file containing output from the show tech-support command issued on your router. Are you going to issue the command and then copy and paste it from your terminal window to a text editor? That is one option. However, Example 2-39 shows how you can use the | redirect option to send output from a show command to a file. In this case, it is the show tech-support command being sent to a file on a TFTP server.

Example 2-39 Redirecting Output to a TFTP Server

R1#show tech-support | redirect tftp://192.168.1.50/tshoot.txt
!
R1#

Notice that directing output to a file suppresses the onscreen output. If you want the show command to be displayed onscreen and stored to a file, you can pipe the output with the tee option, as demonstrated in Example 2-40.

Example 2-40 Redirecting Output While Also Displaying the Output Onscreen

R1#show tech-support | tee tftp://192.168.1.50/tac.txt
!
---------------------show version---------------------
Cisco IOS Software, C2600 Software (C2600-IPVOICE_IVS-M), Version 12.4(3b), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 08-Dec-05 17:35 by alnguyen
...OUTPUT OMITTED...

In situations where you already have an output file created and you want to append the output of another show command to your existing file, you can pipe the output of your show command with the append option. Example 2-41 shows how to use the append option to add the output of the show ip interface brief command to a file named baseline.txt that was created at an earlier time and already contains information. Note that this does not overwrite the existing file; it simply adds the new information to it.

Example 2-41 Appending Output to an Existing File

R1#show ip interface brief | append tftp://192.168.1.50/baseline.txt
!
R1#

Keep in mind that show tech-support includes the running configuration, and with it anything sensitive the configuration holds (SNMP community strings, type 7 passwords, keys). TFTP provides neither authentication nor encryption, so anyone on the path can read the file in transit and anyone who can reach the TFTP server can retrieve it afterward. Where the platform supports it, use an authenticated transport such as an scp: or ftp: URL for the redirect, or at least review and sanitize the file before sharing it.

Troubleshooting Hardware

In addition to software configurations, a network's underlying hardware often becomes a troubleshooting target. As a reference, Table 2-4 offers a collection of Cisco IOS commands used to investigate hardware performance issues.

Table 2-4 Cisco IOS Commands for Hardware Troubleshooting

Command | Description
show processes cpu | Provides 5-second, 1-minute, and 5-minute CPU utilization statistics, in addition to a listing of processes running on a platform along with each process's utilization statistics
show memory | Displays summary information about processor and I/O memory, followed by a more comprehensive report of memory utilization
show interfaces | Shows Layer 1 and Layer 2 interface status, interface load information, and error statistics, including the following:
  input queue drops: Indicates a router received information faster than the information could be processed by the router
  output queue drops: Indicates a router is not able to send information out the outgoing interface because of congestion (perhaps because of an input/output speed mismatch)
  input errors: Indicates frames were not received correctly (for example, a cyclic redundancy check (CRC) error occurred), perhaps indicating a cabling problem or a duplex mismatch
  output errors: Indicates frames were not transmitted correctly, perhaps due to a duplex mismatch
show controllers | Displays statistical information about an interface (for example, error statistics), where the information varies for different interface types (for example, the type of connected cable might be displayed for a serial interface and whether it is the DCE side or DTE side of the cable)
show platform | Provides detailed information about a router or switch hardware platform

Note: Prior to collecting statistics, interface counters can be reset using the clear counters command.

Collecting Information in Transit

Information you collect while troubleshooting is not always going to be at rest. You will sometimes need to collect information while it is in transit. This section discusses how we can capture packets on the network that are flowing through our switches.

Performing Packet Captures

You can use dedicated appliances or PCs running packet capture software to collect and store packets flowing across a network link. When troubleshooting, analysis of captured packets can provide insight into how a network is treating traffic flow. For example, a packet capture data file can show whether packets are being dropped or if sessions are being reset. You can also look inside Layer 2, 3, and 4 headers using a packet-capture application. For example, you can view a packet's Layer 3 header to determine that packet's Layer 3 quality of service (QoS) priority marking. An example of a popular and free packet-capture utility you can download is Wireshark (http://www.wireshark.org), as shown in Figure 2-5.

Figure 2-5 Wireshark Packet-Capture Application

Capturing and analyzing packets, however, presents two major obstacles. First, the volume of data collected as part of a packet capture can be so large that finding what you are looking for can be a challenge. Therefore, you should understand how to use your packet capture application's filtering features.

SPAN

A second challenge occurs when you want to monitor, for example, traffic flow between two network devices connected to a switch. By default, the packets traveling between those two devices will not be seen by your packet-capturing device. This is because of how the switch is designed to behave. A switch is designed to forward frames based on the destination MAC address of a frame. When a frame is received, the switch looks in the MAC address table to determine which port the frame should be forwarded out based on the destination MAC address. Therefore, if the frame is not destined (based on the MAC address) for the device with the packet-capturing software, the frame will not be sent out the port connected to that device. This behavior ensures that end-user devices do not see frames that are not intended for them.

Notice that Figure 2-6 depicts a client (connected to Gigabit Ethernet 0/2) communicating with a server (connected to Gigabit Ethernet 0/1). A troubleshooter inserts a packet capture device into Gigabit Ethernet 0/3. However, because the switch's default behavior prevents frames that are flowing between the client and server from being sent out any other port, the laptop running the packet capture application will not see any of these frames. Fortunately, Cisco IOS supports a feature known as Switched Port Analyzer (SPAN). SPAN instructs a switch to send copies of packets seen on one port (or one VLAN) to another port where the packet capturing device is connected, as shown in Figure 2-6.

Figure 2-6 Cisco Catalyst Switch Configured for SPAN (Gig 0/1: server; Gig 0/2: client; Gig 0/3: laptop running a packet capture application, receiving a copy of the traffic sent to and from the server)

To cause port Gigabit Ethernet 0/3 to receive a copy of all frames sent or received by the server, SPAN is configured on the switch, as shown in Example 2-42. Notice that Example 2-42 uses the monitor session id source interface interface_type interface_number command to indicate that a SPAN monitoring session with a locally significant identifier of 1 will copy packets crossing (that is, entering and exiting) port Gigabit Ethernet 0/1. Then the monitor session id destination interface interface_type interface_number command is used to specify port Gigabit Ethernet 0/3 as the destination port for those copied packets. A laptop running packet capture software connected to port Gigabit Ethernet 0/3 will now receive a copy of all traffic the server is sending or receiving.

Example 2-42 SPAN Configuration

SW1#conf term
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#monitor session 1 source interface gig 0/1
SW1(config)#monitor session 1 destination interface gig 0/3
SW1(config)#end
SW1#show monitor
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi0/1
Destination Ports      : Gi0/3
    Encapsulation      : Native
          Ingress      : Disabled

Also, note that by default the monitor session id source command monitors both incoming and outgoing traffic on the monitored port (Both in the show monitor output). The Ingress : Disabled line is worth checking as well: by default a SPAN destination port only transmits the copied frames and discards anything the attached device tries to send, so the capture host cannot inject traffic into the network through that port. Because a SPAN destination is, in effect, full read access to everything the monitored port carries, remove monitor sessions when the capture is finished and review show monitor as part of routine switch audits.

RSPAN

In larger environments, a network capture device connected to one switch might need to capture packets flowing through a different switch. Remote SPAN (RSPAN) makes such a scenario possible. Consider Figure 2-7, where a troubleshooter has her laptop running a packet capture application connected to port Fast Ethernet 5/2 on switch SW2. The traffic that needs to be captured is traffic coming from and going to the server connected to port Gigabit Ethernet 0/1 on switch SW1. A VLAN is configured whose purpose is to carry captured traffic between the switches. Therefore, a trunk exists between switches SW1 and SW2 to carry the SPAN VLAN in addition to a VLAN carrying user data.

Example 2-43 shows the configuration on switch SW1 used to create the RSPAN VLAN (that is, VLAN 20) and to specify that RSPAN should monitor port Gigabit Ethernet 0/1 and send packets sent and received on that port out of Gigabit Ethernet 0/3 on VLAN 20. (Note that the reflector-port parameter is not required on all switches [for example, a 2960].) The show monitor command is then used to verify the RSPAN source and destination.

Example 2-43 RSPAN Configuration on Switch SW1

SW1#conf term
SW1(config)#vlan 20
SW1(config-vlan)#name SPAN
SW1(config-vlan)#remote-span
SW1(config-vlan)#exit
SW1(config)#monitor session 1 source interface gig 0/1
SW1(config)#monitor session 1 destination remote vlan 20 reflector-port gig 0/3
SW1(config)#end
SW1#show monitor
Session 1
------------
Type: Remote Source Session
Source Ports:
    Both: Gi0/1
Reflector Port: Gi0/3
Dest RSPAN VLAN: 20

Figure 2-7 Cisco Catalyst Switches Configured for RSPAN (SW1: Gig 0/1 server, Gig 0/2 client, Gig 0/3 trunk carrying the SPAN VLAN to Fa 5/1 on SW2; SW2: Fa 5/2 laptop running a packet capture application, receiving a copy of the traffic sent to and from the server)

Example 2-44 shows the configuration on switch SW2 used to create the RSPAN VLAN and to specify that RSPAN should receive captured traffic from VLAN 20 and send it out port Fast Ethernet 5/2.

Example 2-44 RSPAN Configuration on Switch SW2

SW2#conf term
SW2(config)#vlan 20
SW2(config-vlan)#name SPAN
SW2(config-vlan)#remote-span
SW2(config-vlan)#exit
SW2(config)#monitor session 2 source remote vlan 20
SW2(config)#monitor session 2 destination interface fa 5/2
SW2(config)#end
SW2#show monitor
Session 2
---------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 20
Destination Ports      : Fa5/2

Two details matter once the capture crosses switches. First, VLAN 20 must be allowed on every trunk between SW1 and SW2, or the copied frames never arrive. Second, the RSPAN VLAN carries a copy of all the monitored traffic, so any port placed in VLAN 20 and any device able to sniff one of those trunks sees the captured traffic. Prune the RSPAN VLAN from trunks that do not need it, never assign access ports to it, and delete the VLAN and the monitor sessions when the capture is complete.
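Because a SPAN or RSPAN destination receives a copy of everything the monitored ports or VLANs carry, monitor sessions deserve the same review as any other path to sensitive traffic. The following Python is an added example, not code from the book: it parses show monitor output in the two layouts shown in Examples 2-42 through 2-44 and flags sessions whose destination is not an approved capture port, sessions with ingress enabled on the destination (which lets the capture host send frames into the network), and sessions that copy traffic onto an RSPAN VLAN. The show monitor text is constructed for the demonstration; session 3, its VLAN 10 source, port Gi0/7, and the approved-port list are hypothetical, and the function names are this example's own.

```python
"""Parse 'show monitor' output and audit SPAN / RSPAN sessions.

Added example for this chapter, not code from the book. Handles both layouts seen in
this chapter: the column-aligned 'Type : Local Session' form and the compact
'Type: Remote Source Session' form.
"""
import re
from typing import Dict, List, Tuple

Session = Dict[str, object]


def parse_show_monitor(text: str) -> List[Session]:
    sessions: List[Session] = []
    current: Session = {}
    group = ''      # header (e.g. 'source ports') whose values follow on Both/RX/TX lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {'-'}:
            continue
        m = re.match(r'^Session\s+(\d+)$', line)
        if m:
            current = {'session': int(m.group(1))}
            sessions.append(current)
            continue
        if not current or ':' not in line:
            continue
        key, _, value = line.partition(':')
        key, value = key.strip().lower(), value.strip()
        if not value:                           # 'Source Ports :' with the ports on the next line
            group = key
            continue
        if key in ('both', 'rx', 'tx'):
            current[f'{group} {key}'] = value   # e.g. 'source ports both' -> 'Gi0/1'
        else:
            current[key] = value
    return sessions


def audit_monitor_sessions(sessions: List[Session],
                           approved_destinations: List[str]) -> List[Tuple[int, str]]:
    """Return (session id, finding) pairs for anything a reviewer should look at."""
    findings: List[Tuple[int, str]] = []
    for s in sessions:
        sid = int(s['session'])
        dest = str(s.get('destination ports', ''))
        if dest and dest not in approved_destinations:
            findings.append((sid, f'destination {dest} is not an approved capture port'))
        if str(s.get('ingress', '')).lower() == 'enabled':
            findings.append((sid, 'ingress enabled on destination: capture host can inject frames into the network'))
        if 'dest rspan vlan' in s:
            findings.append((sid, f"copies monitored traffic onto RSPAN VLAN {s['dest rspan vlan']}; "
                                  f'confirm that VLAN is pruned from trunks that do not need it'))
    return findings


# Constructed show monitor output: session 1 mirrors Example 2-42; session 3 is a
# hypothetical session a reviewer would want to question.
SHOW_MONITOR_SW1 = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi0/1
Destination Ports      : Gi0/3
    Encapsulation      : Native
          Ingress      : Disabled

Session 3
---------
Type                   : Local Session
Source VLANs           :
    Both               : 10
Destination Ports      : Gi0/7
    Encapsulation      : Native
          Ingress      : Enabled
"""

# Constructed RSPAN source session in the compact layout of Example 2-43.
SHOW_MONITOR_RSPAN = """\
Session 1
------------
Type: Remote Source Session
Source Ports:
    Both: Gi0/1
Reflector Port: Gi0/3
Dest RSPAN VLAN: 20
"""

if __name__ == '__main__':
    for sid, finding in audit_monitor_sessions(parse_show_monitor(SHOW_MONITOR_SW1), ['Gi0/3']):
        print(f'session {sid}: {finding}')
```

Running the audit over show monitor output collected from every switch (for example, with the redirect option described earlier) turns a one-off check into something you can repeat after each change window.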

Using Tools to Document a Network

An important undertaking for every network team is documenting the existing network. As stressed throughout this book, accurate documentation is a must. Therefore, this section covers the CLI commands that enable you to build a network diagram.

Your network currently has no network diagram. You are connected to R1 via the console port, as shown in Figure 2-8. Your first task is to find out the types of interfaces that are up/up, and the IP addresses associated with them. To accomplish this, you issue the show ip interface brief command, as shown in Example 2-45.

Figure 2-8 Connected to R1 via the Console Port

Example 2-45 Output of show ip interface brief Command on R1

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES manual up                    up
FastEthernet0/1            unassigned      YES TFTP   administratively down down
Serial0/0/0                172.16.1.1      YES manual up                    up
Serial0/0/1                unassigned      YES NVRAM  administratively down down
Serial0/2/0                unassigned      YES NVRAM  administratively down down
Serial0/2/1                unassigned      YES NVRAM  administratively down down

You can gather from the output in Example 2-45 that R1 has Fast Ethernet 0/0 up/up with an IP address of 192.168.1.1. It also has Serial 0/0/0 up/up with an IP address of 172.16.1.1. You can add this information to your diagram, as shown in Figure 2-9.

Figure 2-9 Discovered Ethernet and Serial Interfaces on R1 (R1: FastEthernet 0/0, 192.168.1.1; Serial 0/0/0, 172.16.1.1)

Next, you want to determine which Cisco devices are connected to R1. You accomplish this using the show cdp neighbors command, as shown in Example 2-46. You can also use the IEEE standard Link Layer Discovery Protocol (LLDP) to discover neighboring Cisco and non-Cisco devices if you have enabled it.

Example 2-46 Output of the show cdp neighbors Command on R1

R1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW1              Fas 0/0           139        S I         WS-C2960- Fas 0/24
R2               Ser 0/0/0         133        S I         2811      Ser 0/0/0

You observe from the output in Example 2-46 that R1 is connected to a Catalyst 2960 switch named SW1 out Fast Ethernet 0/0. It also indicates that SW1 is using Fast Ethernet 0/24 to connect to R1. You also observe that R1 is connected to a 2811 series router named R2 out Serial 0/0/0 and that R2 is using Serial 0/0/0 to connect to R1. You add this information to the diagram, as shown in Figure 2-10.

Figure 2-10 Adding SW1 and R2 to the Diagram (SW1, a 2960, FastEthernet 0/24 to R1 FastEthernet 0/0 192.168.1.1; R1 Serial 0/0/0 172.16.1.1 to R2, a 2811, Serial 0/0/0)

You need to discover the IP address of Serial 0/0/0 on R2 and the management IP address on SW1. To accomplish this, you use the show cdp neighbors detail command, as shown in Example 2-47. You observe from the output that Serial 0/0/0 on R2 has the IP address 172.16.1.2 and that the management IP address on SW1 is 192.168.1.2. You add this information to the diagram, as shown in Figure 2-11. In addition, the show cdp neighbors detail command also provides the Cisco IOS Software version that is running on the neighbor.

Example 2-47 Output of the show cdp neighbors detail Command on R1

R1#show cdp neighbors detail
-------------------------
Device ID: SW1
Entry address(es):
  IP address: 192.168.1.2
Platform: cisco WS-C2960-24TT-L,  Capabilities: Switch IGMP
Interface: FastEthernet0/0,  Port ID (outgoing port): FastEthernet0/24
Holdtime : 153 sec

Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sat 28-Jul-12 00:29 by prod_rel_team

advertisement version: 2
Protocol Hello:  OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010220FF000000000000081FF34EB800FF0000
VTP Management Domain: ''
Native VLAN: 1
Duplex: full

-------------------------
Device ID: R2
Entry address(es):
  IP address: 172.16.1.2
Platform: Cisco 2811,  Capabilities: Switch IGMP
Interface: Serial0/0/0,  Port ID (outgoing port): Serial0/0/0
Holdtime : 127 sec

Version :
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 04-Sep-12 15:56 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''

Figure 2-11 Updating IPs in Diagram for SW1 and R2 (SW1 management IP 192.168.1.2; R2 Serial 0/0/0 172.16.1.2)

Everything you just read from CDP (management address, platform, IOS version, native VLAN, and which port connects where) is advertised in cleartext to whatever is plugged into the link, so the same reconnaissance is available to an attacker on an access port. The usual practice is to keep CDP or LLDP running on infrastructure links, where it has this documentation value, and to disable it on user-facing ports with the no cdp enable (or no lldp transmit) interface command.
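Turning show cdp neighbors detail output into diagram entries by hand does not scale past a handful of devices. The following Python is an added example, not code from the book: it parses the output into one record per neighbor (device ID, address, platform, capabilities, local interface, remote port, and IOS version), produces the adjacency list you would draw, and prints a short report of what the protocol disclosed on each link. The sample text is constructed from the values shown in Example 2-47; the function names are this example's own.

```python
"""Parse 'show cdp neighbors detail' output into records for a network diagram.

Added example for this chapter, not code from the book. Everything extracted here is sent
in cleartext to any device on the same link, which is why the same parser doubles as a
quick check of what CDP is disclosing.
"""
import re
from typing import Dict, List, Tuple

Neighbor = Dict[str, str]


def parse_cdp_neighbors_detail(text: str) -> List[Neighbor]:
    neighbors: List[Neighbor] = []
    # Each neighbor is introduced by a line of dashes.
    for block in re.split(r'^-{5,}\s*$', text, flags=re.M):
        dev = re.search(r'Device ID:\s*(\S+)', block)
        if not dev:
            continue
        n: Neighbor = {'device_id': dev.group(1)}
        ip = re.search(r'IP address:\s*(\S+)', block)
        plat = re.search(r'Platform:\s*(.*?),\s*Capabilities:\s*(.*)', block)
        intf = re.search(r'Interface:\s*(\S+?),\s*Port ID \(outgoing port\):\s*(\S+)', block)
        banner = re.search(r'^Version\s*:\s*\n(.+)$', block, flags=re.M)   # line after 'Version :'
        n['ip'] = ip.group(1) if ip else ''
        n['platform'] = plat.group(1).strip() if plat else ''
        n['capabilities'] = plat.group(2).strip() if plat else ''
        n['local_interface'] = intf.group(1) if intf else ''
        n['port_id'] = intf.group(2) if intf else ''
        ver = re.search(r'Version ([^,]+),', banner.group(1)) if banner else None
        n['version'] = ver.group(1) if ver else ''
        neighbors.append(n)
    return neighbors


def diagram_edges(local_hostname: str,
                  neighbors: List[Neighbor]) -> List[Tuple[str, str, str, str, str]]:
    """(local device, local interface, neighbor, neighbor port, neighbor address): one line to draw per link."""
    return [(local_hostname, n['local_interface'], n['device_id'], n['port_id'], n['ip'])
            for n in neighbors]


def disclosure_report(neighbors: List[Neighbor]) -> List[str]:
    """What each neighbor is advertising to everyone on its link."""
    return [f"{n['device_id']} advertises platform '{n['platform']}' running IOS {n['version']} "
            f"with management address {n['ip']}" for n in neighbors]


# Constructed sample built from the values in Example 2-47.
CDP_DETAIL = """\
-------------------------
Device ID: SW1
Entry address(es):
  IP address: 192.168.1.2
Platform: cisco WS-C2960-24TT-L,  Capabilities: Switch IGMP
Interface: FastEthernet0/0,  Port ID (outgoing port): FastEthernet0/24
Holdtime : 153 sec

Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sat 28-Jul-12 00:29 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''
Native VLAN: 1
Duplex: full

-------------------------
Device ID: R2
Entry address(es):
  IP address: 172.16.1.2
Platform: Cisco 2811,  Capabilities: Switch IGMP
Interface: Serial0/0/0,  Port ID (outgoing port): Serial0/0/0
Holdtime : 127 sec

Version :
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 04-Sep-12 15:56 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''
"""

if __name__ == '__main__':
    found = parse_cdp_neighbors_detail(CDP_DETAIL)
    for edge in diagram_edges('R1', found):
        print(' -- '.join(edge))
    for line in disclosure_report(found):
        print(line)
```

Feed the parser the output from each device as you work outward (R1, then SW1 and R2, and so on) and the edge list accumulates into the full diagram; the disclosure report is the list of platforms and versions you would otherwise have to look up one at a time when checking advisories.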

Finally, you need to include the type of router R1 is. You use the show version command, as shown in Example 2-48. You can also verify the Cisco IOS Software version, the system bootstrap version, the number of interfaces, and the configuration register.

Example 2-48 Output of the show version Command on R1

R1#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
...output omitted...
ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)

R1 uptime is 14 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-adventerprisek9-mz.151-4.M5.bin"
Last reload type: Normal Reload
...output omitted...
Cisco 2811 (revision 1.0) with 247808K/14336K bytes of memory.
Processor board ID FTX1023A49D
2 FastEthernet interfaces
4 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)
...output omitted...
-------------------------------------------------
Device#   PID            SN
-------------------------------------------------
*0        CISCO2811      ...output omitted...

Configuration register is 0x2102

The line Cisco 2811 (revision 1.0) indicates that R1 is also a 2811 series router, and you add the type of router to your diagram as shown in Figure 2-12. While you are here, note the last line: 0x2102 is the normal configuration register value. A device reporting 0x2142 boots while ignoring the startup configuration in NVRAM, which is the password-recovery setting; finding it on a production device is worth investigating, because it means the router either came up with no configuration or someone has been through the recovery procedure.

Figure 2-12 Updating R1's Router Type in the Diagram (R1, a 2811: FastEthernet 0/0 192.168.1.1 to SW1 FastEthernet 0/24, SW1 management IP 192.168.1.2; Serial 0/0/0 172.16.1.1 to R2 Serial 0/0/0 172.16.1.2, R2 a 2811)

As you can see, you were able to gather quite a bit of information from just four commands: show ip interface brief, show cdp neighbors, show cdp neighbors detail, and show version. Your next step in the process of building your diagram is to connect to SW1 and R2 via their console ports or via Telnet/SSH and issue the same four commands to gather information about the devices connected to them.

Table 2-5 lists a reference of these key topics and the page numbers on which each is found. Chapter 2: Troubleshooting and Maintenance Tools 85 Exam Preparation Tasks As mentioned in the section “How to Use This Book” in the Introduction. you have a couple of choices for exam preparation: the exercises here. Table 2-5 Key Topics for Chapter 2 Key Topic Key Topic Element Description Page Number List Identifies the three categories that collected 45 information essentially falls into Example 2-2 Backing up a router’s startup configuration to an 49 FTP server Example 2-7 Viewing a configuration archive 50 Paragraph Reviews how copying configurations into RAM is a 52 merge operation Paragraph Identifies how the configure replace command is 53 used to restore an archived configuration Table 2-2 Severity levels 54 Example 2-13 Logging configuration 55 Paragraph Identifies the importance of an NTP server and how 56 to configure your device to use one Paragraph Discusses how you can use SNMP and NetFlow to 58 establish baselines Paragraph Discusses how to set a device to send SNMP traps 62 to an SNMP server Paragraph Discusses how you can use EEM to monitor and 63 maintain a device Section Ping 64 Section Telnet 67 Section Traceroute 67 Table 2-4 Cisco IOS commands for hardware troubleshooting 75 From the Library of Outcast Outcast .” and the exam simulation questions on the CD-ROM. Review All Key Topics Review the most important topics in this chapter. “Final Preparation. noted with the Key Topic icon in the outer margin of the page. Chapter 22.

Key Topic Element | Description | Page Number
Paragraph | Identifies the need for SPAN when collecting data in transit through a switch | 76
Paragraph | Identifies the need for RSPAN when collecting data in transit through multiple switches | 78
Paragraph | Discusses the commands and procedures needed to document a network diagram | 80

Complete Tables and Lists from Memory

Print a copy of Appendix C, “Memory Tables,” (found on the disc), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, “Memory Tables Answer Key,” also on the disc, includes completed tables and lists to check your work.

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary: CLI, GUI, wiki, Cisco TAC, running configuration, archive, merge, configure replace, syslog, NTP, SNMP, NetFlow, EEM, ping, Telnet, traceroute, SPAN, RSPAN, FTP, TFTP, HTTP, CDP

Command Reference to Check Your Memory

This section includes the most important configuration and EXEC commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed.

The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to configure and troubleshoot routers and switches.

To test your memory of the commands, cover the right side of Tables 2-6 and 2-7 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.

Table 2-6 CLI Configuration Commands

Task | Command Syntax
Global configuration mode command, used to enter archive configuration mode | archive
Archive configuration mode command that specifies the IP address of an FTP server and filename prefix a router uses to write its archival configuration files | path ftp://IP_address/filename_prefix

Task | Command Syntax
Archive configuration mode command that causes an archival backup of a router’s configuration to be written each time the router’s running configuration is copied to its startup configuration | write-memory
Archive configuration mode command that specifies the interval used by a router to automatically back up its configuration | time-period seconds
Global configuration mode command used to specify an FTP username credential, which no longer necessitates the user entering the username | ip ftp username username
Global configuration mode command used to specify an FTP password credential, which no longer necessitates the user entering the password | ip ftp password password
Global configuration mode command used to specify an HTTP username credential, which no longer necessitates the user entering the username | ip http client username username
Global configuration mode command used to specify an HTTP password credential, which no longer necessitates the user entering the password | ip http client password password
Global configuration mode command used to log events to a router’s internal buffer, optionally with a maximum number of bytes to be used by the buffer and optionally the minimum severity level of an event to be logged | logging buffered {max_buffer_size} {minimum_severity_level}
Global configuration mode command used to log events to a router’s console, optionally with a minimum severity level of an event to be logged | logging console {minimum_severity_level}
Global configuration mode command used to specify the IP address of a syslog server to which a router’s log files are written | logging ip_address
Global configuration mode command used to specify a router’s local time zone and number of hours the time zone varies from Greenwich mean time (GMT) | clock timezone time_zone_name {+ | -} hours

Task | Command Syntax
Global configuration mode command used to specify a router’s time zone when daylight savings time is in effect, and when daylight savings time begins and ends | clock summer-time time_zone_name recurring {1-4} beginning_day beginning_month time {1-4} ending_day ending_month time
Global configuration mode command used to specify the IP address of an NTP server | ntp server ip_address
Global configuration mode command that configures SPAN, which specifies the source or destination interface for traffic monitoring | monitor session id {source | destination} interface interface_type interface_number
VLAN configuration mode command that indicates a VLAN is to be used as an RSPAN VLAN | remote-span
Global configuration mode command that configures RSPAN on a monitored switch, where the RSPAN VLAN is specified in addition to the port identifier for the port being used to flood the monitored traffic to the monitoring switch | monitor session id destination remote vlan VLAN_id reflector-port port_id
Note: The reflector-port parameter is not required on all switches (for example, a 2960).
Global configuration mode command that configures RSPAN on a monitoring switch, where the RSPAN VLAN is specified | monitor session id source remote vlan VLAN_id
Global configuration mode command that defines an SNMP server read only or read/write community string | snmp-server community community_string {ro | rw}
Global configuration mode command that specifies SNMP contact information | snmp-server contact contact_info
Global configuration mode command that specifies SNMP location information | snmp-server location location
Global configuration mode command that forces an SNMP interface index to stay consistent during data collection, even if a device is rebooted | snmp-server ifindex persist
Interface configuration mode command that enables NetFlow for that interface inbound or outbound | ip flow ingress | egress
Global configuration mode command that specifies the source interface used when communicating with an external NetFlow collector | ip flow-export source interface_type interface_number

Task | Command Syntax
Global configuration mode command that specifies the NetFlow version used by a device | ip flow-export version {1 | 5 | 9}
Global configuration mode command that specifies the IP address and port number of an external NetFlow collector | ip flow-export destination ip_address port
Global configuration mode command that specifies the IP address, SNMP version, and community string of an NMS | snmp-server host ip_address version {1 | 2c | 3} community_string
Global configuration mode command that enables all possible SNMP traps | snmp-server enable traps
Global configuration mode command that creates an embedded event manager applet and enters applet configuration mode | event manager applet name

Table 2-7 CLI EXEC Commands

Task | Command Syntax
Performs a backup of a router’s startup configuration to an FTP server at the specified IP address, where the login credentials have previously been added to the router’s configuration | copy startup-config ftp://ip_address
Performs a backup of a router’s startup configuration to an FTP server at the specified IP address, where the login credentials are provided by the username and password parameters | copy startup-config ftp://username:password@ip_address
Displays files contained in a router’s configuration archive | show archive
Replaces (as opposed to merges) a router’s running configuration with a specified configuration archive | configure replace ftp://ip_address/filename
Displays 5-second, 1-minute, and 5-minute CPU utilization averages, in addition to a listing of running processes with their CPU utilization | show processes cpu
Shows all subnets within the specified address space in the routing table | show ip route network_address subnet_mask longer-prefixes

Task | Command Syntax
Sends ICMP echo packets to the specified IP address, with options that include size (the number of bytes in the ICMP echo packet), repeat (the number of ICMP echo packets sent), timeout (the number of seconds the router waits for an ICMP echo reply packet after sending an ICMP echo packet), and df-bit (sets the do not fragment bit in the ICMP echo packet) | ping ip_address {size bytes} {repeat number} {timeout seconds} {df-bit}
Connects to a remote IP address via Telnet using TCP port 23 by default or optionally through a specified TCP port | telnet ip_address {port}
Displays summary information about processor and I/O memory, followed by a more comprehensive report of memory utilization | show memory
Shows Layer 1 and Layer 2 interface status, interface load information, and error statistics, including input queue drops (indicates a router received information faster than the information could be processed by the router), output queue drops (indicates a router is not able to send information out the outgoing interface because of congestion, perhaps because of an input/output speed mismatch), input errors (indicates frames were not received correctly, for example, a CRC error occurred, perhaps indicating a cabling problem or a duplex mismatch), and output errors (indicates frames were not transmitted correctly, perhaps due to a duplex mismatch) | show interfaces
Note: Prior to collecting statistics, interface counters can be reset using the clear counters command.

Task | Command Syntax
Displays statistical information for an interface (for example, error statistics) where the information varies for different interface types (for example, the type of connected cable might be displayed for a serial interface) | show controllers
Provides detailed information about a router or switch hardware platform | show platform

This chapter covers the following topics:

■ Troubleshooting Switch Performance Issues: This section identifies common reasons why a switch might not be performing as expected.

■ Troubleshooting Router Performance Issues: This section identifies common reasons why a router might not be performing as expected.

CHAPTER 3

Troubleshooting Device Performance

Switches and routers consist of many different components. For example, they contain a processor, memory (volatile such as RAM and nonvolatile such as NVRAM and flash), and various interfaces. They are also responsible for performing many different tasks, such as routing, switching, and building all the necessary tables and structures needed to perform various tasks. The building of the tables and structures is done by the CPU. The storage of these tables and structures is in some form of memory. The routers and switches forward traffic from one interface to another interface based on these tables and structures. Therefore, if a router’s or switch’s CPU is constantly experiencing high utilization, the memory is overloaded, or the interface buffers are full, these devices will experience performance issues.

This chapter discusses common reasons for high CPU and memory utilization on routers and switches, in addition to how we can recognize them. This chapter also covers interface statistics because they sometimes provide the initial indication of some type of issue.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 3-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 3-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section | Questions
Troubleshooting Switch Performance Issues | 1–4
Troubleshooting Router Performance Issues | 5–8

Caution: The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. What are the components of a switch’s control plane? (Choose two.)
a. Backplane
b. Memory
c. CPU
d. Forwarding logic

2. Which of the following are situations when a switch’s TCAM would punt a packet to the switch’s CPU? (Choose the three best answers.)
a. OSPF sends a multicast routing update.
b. An administrator telnets to a switch.
c. A switch’s TCAM has reached capacity.
d. An ACL is applied to a switchport.

3. The output of a show processes cpu command on a switch displays the following in the first line of the output: CPU utilization for five seconds: 10%/7%; one minute: 12%; five minutes: 6%. Based on the output, what percent of the switch’s CPU is being consumed with interrupts?
a. 10 percent
b. 7 percent
c. 12 percent
d. 6 percent

4. What are good indications that you have a duplex mismatch? (Choose two.)
a. The full-duplex side of the connection has a high number of FCS errors.
b. The half-duplex side of the connection has a high number of FCS errors.
c. The full-duplex side of the connection has a high number of late collisions.
d. The half-duplex side of the connection has a high number of late collisions.

5. Which of the following is the least efficient (that is, the most CPU intensive) of a router’s packet-switching modes?
a. Fast switching
b. CEF
c. Optimum switching
d. Process switching

6. Which router process is in charge of handling interface state changes?
a. TCP Timer process
b. IP Background process
c. Net Background process
d. ARP Input process

7. What command is used to display the contents of a router’s FIB?
a. show ip cache
b. show processes cpu
c. show ip route
d. show ip cef

8. Identify common reasons that a router displays a MALLOCFAIL error. (Choose the two best answers.)
a. Cisco IOS bug
b. Security issue
c. QoS issue
d. BGP filtering

Foundation Topics

Troubleshooting Switch Performance Issues

Switch performance issues can be tricky to troubleshoot because the problem reported is often subjective. For example, if a user reports that the network is running “slowly,” the user’s perception might mean that the network is slow compared to what he expects. However, network performance might very well be operating at a level that is hampering productivity and at a level that is indeed below its normal level of operation.

If you do determine that the network performance is not meeting technical expectations (as opposed to user expectations), you need to determine what network component is responsible for the poor performance. Rather than a switch or a router, the user’s client, server, or application could be the cause of the performance issue. Therefore, as part of the troubleshooting process, you should isolate the source of the problem and diagnose the problem on that device. This section assumes that you have isolated the device causing the performance issue, and that device is a Cisco Catalyst switch.

Cisco Catalyst Switch Troubleshooting Targets

Cisco offers a variety of Catalyst switch platforms, with different port densities, different levels of performance, and different hardware. Therefore, troubleshooting switches will be platform dependent. Many similarities do exist, however. For example, all Cisco Catalyst switches include the following components:

■ Ports: A switch’s ports physically connect the switch to other network devices. These ports (also known as interfaces) allow a switch to receive and transmit traffic.

■ Forwarding logic: A switch contains hardware that makes forwarding decisions based on different tables in the data plane.

■ Backplane: A switch’s backplane physically interconnects a switch’s ports. Therefore, frames flowing through a switch enter through a port (that is, the ingress port), flow across the switch’s backplane, and are forwarded out of another port (that is, an egress port).

■ Control plane: A switch’s CPU and memory reside in the control plane. This control plane is responsible for running the switch’s operating system and building the necessary structures used to make forwarding decisions—for example, the MAC address table and the spanning-tree topology to name a few.

Figure 3-1 depicts these components within a switch. Notice that the control plane does not directly participate in the frame-forwarding process. However, depending on the specific switch architecture, the forwarding logic contained in the forwarding hardware comes from the control plane. As a result, an indirect relationship exists between frame forwarding and the control plane. Therefore, a continuous load on the control plane could, over time, impact the rate at which the switch forwards frames. Also, if the forwarding hardware is operating at maximum capacity, the control plane begins to provide the forwarding logic. So, although the control plane does not architecturally appear to impact switch performance, it should be considered when troubleshooting.

Figure 3-1 Cisco Catalyst Switch Hardware Components (figure placeholder: Control Plane with Memory and CPU; Data Plane with Ingress Port, Forwarding Hardware consisting of Forwarding Logic and Backplane, and Egress Port)

The following are two common troubleshooting targets to consider when diagnosing a suspected switch issue:

■ Port errors

■ Mismatched duplex settings

The sections that follow evaluate these target areas in greater detail.

Port Errors

When troubleshooting a suspected Cisco Catalyst switch issue, a good first step is to check port statistics. For example, examining port statistics can let a troubleshooter know whether an excessive number of frames are being dropped. If a TCP application is running slowly, the reason might be that TCP flows are going into TCP slow start, which causes the window size, and therefore the bandwidth efficiency, of TCP flows to be reduced. A common reason that a TCP flow enters slow start is packet drops. Similarly, packet drops for a UDP flow used for voice or video could result in noticeable quality degradation, because dropped UDP segments are not retransmitted. Although dropped frames are most often attributed to network congestion, another possibility is that the cabling could be bad.

To check port statistics, a troubleshooter could leverage the show interfaces command. Consider Example 3-1, which shows the output of the show interfaces gig 1/0/9 counters command on a Cisco Catalyst 3750-E switch. Notice that this output shows the number of inbound and outbound frames seen on the specified port.

Example 3-1 show interfaces gig 1/0/9 counters Command Output

SW1#show interfaces gig 1/0/9 counters
Port       InOctets   InUcastPkts   InMcastPkts   InBcastPkts
Gi1/0/9    31265148         20003          3179             1

Port       OutOctets  OutUcastPkts  OutMcastPkts  OutBcastPkts
Gi1/0/9    18744149          9126            96             6

To view errors that occurred on a port, you could add the keyword of errors after the show interfaces interface_type interface_number counters command. Example 3-2 illustrates sample output from the show interfaces gig 1/0/9 counters errors command.

Example 3-2 show interfaces gig 1/0/9 counters errors Command Output

SW1#show interfaces gig 1/0/9 counters errors
Port      Align-Err  FCS-Err  Xmit-Err  Rcv-Err  UnderSize
Gi1/0/9           0        0         0        0          0

Port      Single-Col  Multi-Col  Late-Col  Excess-Col  Carri-Sen  Runts  Giants
Gi1/0/9         5603          0      5373           0          0      0       0

Table 3-2 provides a reference for the specific errors that might show up in the output of the show interfaces interface_type interface_number counters errors command.

Table 3-2 Errors in the show interfaces interface_type interface_number counters errors Command

Error Counter | Description
Align-Err | An alignment error occurs when frames do not end with an even number of octets, while simultaneously having a bad cyclic redundancy check (CRC). An alignment error normally suggests a Layer 1 issue, such as cabling or port (either switchport or network interface card [NIC] port) issues.
FCS-Err | A frame check sequence (FCS) error occurs when a frame has an invalid checksum, although the frame has no framing errors. Like the Align-Err error, an FCS-Err often points to a Layer 1 issue, but it also occurs when there is a duplex mismatch.
Xmit-Err | A transmit error (that is, Xmit-Err) occurs when a port’s transmit buffer overflows. A speed mismatch between inbound and outbound links often results in a transmit error.
Rcv-Err | A receive error (that is, Rcv-Err) occurs when a port’s receive buffer overflows. Congestion on a switch’s backplane could cause the receive buffer on a port to fill to capacity, as frames await access to the switch’s backplane. However, most likely, a Rcv-Err is indicating a duplex mismatch.
UnderSize | An undersize frame is a frame with a valid checksum but a size less than 64 bytes. This issue suggests that a connected host is sourcing invalid frame sizes.

Error Counter | Description
Single-Col | A Single-Col error occurs when a single collision occurs before a port successfully transmits a frame. Common reasons for a Single-Col error include high bandwidth utilization on an attached link or a duplex mismatch.
Multi-Col | A Multi-Col error occurs when more than one collision occurs before a port successfully transmits a frame. Similar to the Single-Col error, common reasons for a Multi-Col error include high bandwidth utilization on an attached link or a duplex mismatch.
Late-Col | A late collision is a collision that is not detected until well after the frame has begun to be forwarded. While a Late-Col error could indicate that the connected cable is too long, this is an extremely common error seen in mismatched duplex conditions.
Excess-Col | The Excess-Col error occurs when a frame experiences 16 successive collisions, after which the frame is dropped. This error could result from high bandwidth utilization, a duplex mismatch, or too many devices on a segment.
Carri-Sen | The Carri-Sen counter is incremented when a port wants to send data on a half-duplex link. This is normal and expected on a half-duplex port, because the port is checking the wire to make sure that no traffic is present prior to sending a frame. This operation is the carrier sense procedure described by the carrier sense multiple access with collision detect (CSMA/CD) operation used on half-duplex connections. Full-duplex connections, however, do not use CSMA/CD.
Runts | A runt is a frame that is less than 64 bytes in size and has a bad CRC. A runt could result from a duplex mismatch or a Layer 1 issue.
Giants | A giant is a frame size greater than 1518 bytes (assuming that the frame is not a jumbo frame) that has a bad FCS. Typically, a giant is caused by a problem with the NIC in an attached host. The jumbo frame has a frame size greater than 1518 bytes, but it has a valid FCS.

Mismatched Duplex Settings

As shown in Table 3-2, duplex mismatches can cause a wide variety of port errors. Keep in mind that almost all network devices, other than shared media hubs, can run in full-duplex mode. Therefore, if you have no hubs in your network, all devices should be running in full-duplex mode. Cisco Catalyst switchports should be configured to autonegotiate both speed and duplex, which is the default setting. Two justifications for this recommendation are as follows:

■ If a connected device supports only half-duplex, it is better for a switchport to negotiate down to half-duplex and run properly than to be forced to run full-duplex, which would result in multiple errors.

■ The automatic medium-dependent interface crossover (auto-MDIX) feature can automatically detect whether a port needs a crossover or a straight-through cable to interconnect with an attached device and adjust the port to work regardless of which cable type is connected. You can enable this feature in interface configuration mode with the mdix auto command on some models of Cisco Catalyst switches. However, the auto-MDIX feature requires that the port autonegotiate both speed and duplex.

In a mismatched duplex configuration, a switchport at one end of a connection is configured for full-duplex, whereas a switchport at the other end of a connection is configured for half-duplex. Among the different errors previously listed in Table 3-2, two of the biggest indicators of a duplex mismatch are a high FCS-Err counter and a high Late-Col counter. Specifically, a high FCS-Err counter is common to find on the full-duplex end of a connection with a mismatched duplex, whereas a high Late-Col counter is common on the half-duplex end of the connection.

To illustrate, examine Examples 3-3 and 3-4, which display output based on the topology depicted in Figure 3-2. Example 3-3 shows the half-duplex end of a connection, and Example 3-4 shows the full-duplex end of a connection. The half-duplex end sends a frame because it thinks it is safe to send based on the CSMA/CD rule. The full-duplex end sends a frame because it is always safe to send and a collision should not occur. When the collision occurs in this example, SW1 will cease to transmit the remainder of the frame (because the port is half-duplex) and will record that a late collision occurred. However, SW2 will continue to send and receive frames. The frames it receives will not be complete because SW1 did not send the entire frame. Therefore, the FCS (mathematical checksum) of the frame does not match, and we have FCS errors on the full-duplex side.

Figure 3-2 Topology with Duplex Mismatch (figure placeholder: SW1 Gig 0/9, Half-Duplex, connected to SW2 Fa 5/47, Full-Duplex)

Example 3-3 Output from the show interfaces gig 1/0/9 counters errors and the show interfaces gig 1/0/9 | include duplex Commands on a Half-Duplex Port

SW1#show interfaces gig 1/0/9 counters errors
Port      Align-Err  FCS-Err  Xmit-Err  Rcv-Err  UnderSize
Gi1/0/9           0        0         0        0          0

Port      Single-Col  Multi-Col  Late-Col  Excess-Col  Carri-Sen  Runts  Giants
Gi1/0/9         5603          0      5373           0          0      0       0
SW1#show interfaces gig 1/0/9 | include duplex
Half-duplex, 100Mb/s, link type is auto, media type is 10/100/1000BaseTX
SW1#
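As an added example (not code from the book), the following Python script applies the two indicators just described to both ends of the link in Figure 3-2: a high Late-Col count on the half-duplex end and a high FCS-Err count on the full-duplex end. The sample outputs are constructed copies of the counters in Examples 3-3 and 3-4, and the cut-off of 100 for "high" is an assumption, since the chapter gives no number.

```python
import re

# Constructed sample input: the two ends of the link in Figure 3-2, with the
# counters shown in Examples 3-3 (SW1, half-duplex) and 3-4 (SW2, full-duplex).
SW1_COUNTERS = """\
Port      Align-Err  FCS-Err  Xmit-Err  Rcv-Err  UnderSize
Gi1/0/9           0        0         0        0          0

Port      Single-Col  Multi-Col  Late-Col  Excess-Col  Carri-Sen  Runts  Giants
Gi1/0/9         5603          0      5373           0          0      0       0
"""
SW1_DUPLEX = "Half-duplex, 100Mb/s, link type is auto, media type is 10/100/1000BaseTX"

SW2_COUNTERS = """\
Port      Align-Err  FCS-Err  Xmit-Err  Rcv-Err  UnderSize  OutDiscards
Fa5/47            0     5248         0     5603         27            0

Port      Single-Col  Multi-Col  Late-Col  Excess-Col  Carri-Sen  Runts  Giants
Fa5/47             0          0         0           0          0    227       0

Port      SQETest-Err  Deferred-Tx  IntMacTx-Err  IntMacRx-Err  Symbol-Err
Fa5/47              0            0             0             0           0
"""
SW2_DUPLEX = "Full-duplex, 100Mb/s"


def parse_counters_errors(text):
    """Parse 'show interfaces ... counters errors' output into {port: {counter: int}}.
    The output is a series of header rows ('Port ...'), each followed by one
    value row per port; counter names come from the most recent header."""
    counters = {}
    header = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":
            header = fields[1:]
        elif header is not None:
            port, values = fields[0], [int(v) for v in fields[1:]]
            counters.setdefault(port, {}).update(zip(header, values))
    return counters


def parse_duplex(include_duplex_line):
    """Return 'half' or 'full' from the line selected by '| include duplex'."""
    match = re.match(r"(Half|Full)-duplex", include_duplex_line.strip())
    if not match:
        raise ValueError("no duplex setting found: %r" % include_duplex_line)
    return match.group(1).lower()


def duplex_mismatch_findings(counters, duplex, threshold=100):
    """Apply the chapter's indicators to one end of a link: late collisions
    point to the half-duplex end, FCS errors (and runts) to the full-duplex end.
    threshold is an assumed cut-off; the chapter only says 'high'."""
    findings = []
    if duplex == "half" and counters.get("Late-Col", 0) > threshold:
        findings.append("half-duplex end: Late-Col=%d" % counters["Late-Col"])
    if duplex == "full":
        if counters.get("FCS-Err", 0) > threshold:
            findings.append("full-duplex end: FCS-Err=%d" % counters["FCS-Err"])
        if counters.get("Runts", 0) > threshold:
            findings.append("full-duplex end: Runts=%d" % counters["Runts"])
    return findings


def assess_link(end_a, end_b, threshold=100):
    """end_a and end_b are (counters_errors_text, include_duplex_line) for the
    two ends of one link. Returns (mismatch_suspected, findings). A mismatch is
    suspected only when the two ends report different duplex settings AND each
    end shows the error signature the chapter associates with it."""
    findings, duplexes = [], []
    for text, duplex_line in (end_a, end_b):
        duplex = parse_duplex(duplex_line)
        duplexes.append(duplex)
        for port_counters in parse_counters_errors(text).values():
            findings.extend(duplex_mismatch_findings(port_counters, duplex, threshold))
    settings_differ = len(set(duplexes)) == 2
    late_col = any(f.startswith("half-duplex end: Late-Col") for f in findings)
    fcs_err = any(f.startswith("full-duplex end: FCS-Err") for f in findings)
    return settings_differ and late_col and fcs_err, findings


if __name__ == "__main__":
    suspected, why = assess_link((SW1_COUNTERS, SW1_DUPLEX), (SW2_COUNTERS, SW2_DUPLEX))
    print("duplex mismatch suspected:", suspected)
    for line in why:
        print("  -", line)
```

After correcting the duplex setting and issuing clear counters, the same script run on fresh output should return no findings.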

Example 3-4 Output from the show interfaces fa 5/47 counters errors and the show interfaces fa 5/47 | include duplex Commands on a Full-Duplex Port

SW2#show interfaces fa 5/47 counters errors
Port      Align-Err  FCS-Err  Xmit-Err  Rcv-Err  UnderSize  OutDiscards
Fa5/47            0     5248         0     5603         27            0

Port      Single-Col  Multi-Col  Late-Col  Excess-Col  Carri-Sen  Runts  Giants
Fa5/47             0          0         0           0          0    227       0

Port      SQETest-Err  Deferred-Tx  IntMacTx-Err  IntMacRx-Err  Symbol-Err
Fa5/47              0            0             0             0           0
SW2#show interfaces fa 5/47 | include duplex
Full-duplex, 100Mb/s
SW2#

In your troubleshooting, even if you only have access to one of the switches, if you suspect a duplex mismatch, you could change the duplex settings on the switch over which you do have control. Then, you could clear the interface counters to see whether the errors continue to increment. You could also perform the same activity (for example, performing a file transfer) that the user was performing when he noticed the performance issue. By comparing the current performance to the performance experienced by the user, you might be able to conclude that the problem has been resolved by correcting a mismatched duplex configuration.

TCAM Troubleshooting

As previously mentioned, the two primary components of forwarding hardware are forwarding logic and backplane. A switch’s backplane, however, is rarely the cause of a switch performance issue, because most Cisco Catalyst switches have high-capacity backplanes. However, it is conceivable that in a modular switch chassis, where each card in the chassis supports the highest combination of port densities and port speeds, the backplane will not have the throughput to support a fully populated chassis.

The architecture of some switches allows groups of switchports to be handled by separate hardware. Therefore, you might experience a performance gain by simply moving a cable from one switchport to another. However, to strategically take advantage of this design characteristic, you must be very familiar with the architecture of the switch with which you are working.

A multilayer switch’s forwarding logic can impact switch performance. A switch’s forwarding logic is compiled into a special type of memory called ternary content-addressable memory (TCAM), as illustrated in Figure 3-3. TCAM works with a switch’s Cisco Express Forwarding (CEF) feature in the data plane (hardware) to provide extremely fast forwarding decisions. This is accomplished because information from the control plane relating to routing processes such as unicast routing, multicast routing, and policy-based routing, as well as information related to traffic policies such as security and quality of service (QoS) access control lists (ACLs), is populated into the TCAM tables at the data plane (hardware). However, if a switch’s TCAM is unable to forward traffic (for

example, the TCAM table is full and does not have the information needed to forward the traffic), that traffic is sent (punted) to the CPU so that it can be forwarded by the switch’s CPU, which has a limited forwarding capability.

Figure 3-3 Populating the TCAM (figure placeholder: Control Plane with Routing Processes and Traffic Policies feeding the TCAM in the Data Plane)

The process of the TCAM sending packets to a switch’s CPU is called punting. Consider a few reasons why a packet might be punted from a TCAM to its CPU:

■ Routing protocols, in addition to other control plane protocols such as Spanning Tree Protocol (STP), that send multicast or broadcast traffic will have that traffic sent to the CPU for processing.

■ Someone connecting to a switch administratively (for example, establishing a Telnet or Secure Shell [SSH] session with the switch) will have his packets sent to the CPU for processing.

■ Packets using a feature not supported in hardware (for example, packets traveling over a generic routing encapsulation [GRE] tunnel) are sent to the CPU for processing.

■ If a switch’s TCAM has reached capacity, additional packets are punted to the CPU. A TCAM might reach capacity if it has too many installed routes or configured access control lists. This is usually the case when you attempt to use a lower-end switch in place of a higher-end switch to save money. This is not generally a good practice.

From the events listed, the event most likely to cause a switch performance issue is a TCAM filling to capacity. Therefore, when troubleshooting switch performance, you might want to investigate the state of the switch’s TCAM. TCAM verification commands vary among platforms, so make sure to check the documentation for your switch model. TCAMs cannot be upgraded. Therefore, if you conclude that a switch’s TCAM is the source of the performance problems being reported, you could either use a switch with higher-capacity TCAMs or reduce the number of entries

For example, you could try to optimize your ACLs by being more creative with the entries or leverage route summarization to reduce the number of route entries maintained by a switch’s TCAM. Also, some switches (for example, Cisco Catalyst 2960, 3560, or 3750 series switches) enable you to change the amount of TCAM memory allocated to different switch features. This can be accomplished by changing the Switch Database Management (SDM) template on the switch. This allows you to “borrow” TCAM memory that was reserved for one feature and use it for another feature. For example, if a packet needs to be forwarded and the needed information is not in the TCAM, it will be punted to the CPU. In this case, you can change the SDM template, optimizing the resources on the switch.

Refer to Example 3-5, which displays the TCAM resource utilization on a Catalyst 3750E switch. Notice how a finite amount of resources has been reserved for various services and features on the switch. There is a maximum value for unicast MAC addresses, IPv4 unicast and multicast routes, as well as QoS and security access control entries. It appears from this example that SW2 has maxed out the amount of resources that are reserved for IPv4 unicast indirectly connected routes. Therefore, more resources need to be reserved for IPv4 routing; therefore, the template needs to be changed.

Example 3-5 show platform tcam utilization Command Output on a Cisco Catalyst Switch

SW2#show platform tcam utilization
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                       6364/6364        35/35
 IPv4 IGMP groups + multicast routes:         1120/1120         1/1
 IPv4 unicast directly-connected routes:      6144/6144         9/9
 IPv4 unicast indirectly-connected routes:    2048/2048      2048/2048
 IPv4 policy based routing aces:               442/442         12/12
 IPv4 qos aces:                                512/512         21/21
 IPv4 security aces:                           954/954         42/42

Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization

To reallocate more resources to IPv4 routing, the SDM template needs to be changed. Using the show sdm prefer command on SW2, as shown in Example 3-6, indicates that the current SDM template is “desktop default,” which is the default template on a 3750E Catalyst switch. The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.

Example 3-6 show sdm prefer Command Output on a Cisco Catalyst Switch

SW2#show sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 0.875k

Using the global configuration command sdm prefer, as shown in Example 3-7, allows you to change the SDM template. In this case, the SDM template is being changed to routing so that more resources will be used for IPv4 unicast routing.

Example 3-7 Changing the SDM Template on a Cisco 3750E Catalyst Switch

SW2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#sdm prefer ?
  access                          Access bias
  default                         Default bias
  dual-ipv4-and-ipv6              Support both IPv4 and IPv6
  indirect-ipv4-and-ipv6-routing  Supports more V4 and V6 Indirect Routes
  lanbase-routing                 Supports both IPv4 and IPv6 Static Routing
  routing                         Unicast bias
  vlan                            VLAN bias
SW2(config)#sdm prefer routing
Changes to the running SDM preferences have been stored, but cannot take effect
until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
SW2(config)#exit
SW2#reload
System configuration has been modified. Save? [yes/no]: yes
Building configuration...
[OK]
Proceed with reload? [confirm]
%SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.

After the reload, notice how the SDM template is listed as “desktop routing” in Example 3-8 and that more resources are now dedicated to IPv4 indirect routes. However, also notice that while more resources are allocated to IPv4 unicast routes, fewer resources are allocated to other resources, such as unicast MAC addresses.

Example 3-8 Verifying That the SDM Template Was Changed After Reload

SW2#show sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

In Example 3-9, the output of show platform tcam utilization shows that the max masks/values are now 8144/8144 for IPv4 unicast indirectly connected routes. In addition, the used masks/values are now 3148; before, they were 2048.

Example 3-9 Verifying the TCAM Utilization on the 3750E Catalyst Switch

SW2#show platform tcam utilization
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                       3292/3292        35/35
 IPv4 IGMP groups + multicast routes:         1120/1120         1/1
 IPv4 unicast directly-connected routes:      3072/3072         8/8
 IPv4 unicast indirectly-connected routes:    8144/8144      3148/3148
 IPv4 policy based routing aces:               490/490         13/13
 IPv4 qos aces:                                474/474         21/21
 IPv4 security aces:                           964/964         42/42

Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization

High CPU Utilization Troubleshooting on a Switch

The load on a switch’s CPU is often low, even under high utilization, thanks to the TCAM. Because the TCAM maintains a switch’s forwarding logic at the data plane, the TCAM can forward traffic without having to punt the packets to the CPU, and therefore the CPU is rarely tasked to forward traffic. The show processes cpu command can be used on a Cisco Catalyst switch to display CPU utilization levels, as demonstrated in Example 3-10.

Example 3-10 show processes cpu Command Output on a Cisco Catalyst Switch

SW1#show processes cpu
CPU utilization for five seconds: 19%/15%; one minute: 20%; five minutes: 13%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           0         4          0  0.00%  0.00%  0.00%   0 Chunk Manager
   2           0       610          0  0.00%  0.00%  0.00%   0 Load Meter
   3         128         5      25600  0.00%  0.00%  0.00%   0 crypto sw pk pro
   4        2100       315       6666  0.00%  0.05%  0.05%   0 Check heaps
...OUTPUT OMITTED...

Notice in the output in Example 3-10 that the switch is reporting a 19 percent CPU load, with 15 percent of the CPU load used for interrupt processing. Although such load utilization values might not be unusual for a router, these values might be of concern for a switch. Specifically, a typical CPU load percentage dedicated to interrupt processing is no more than 5 percent. A value as high as 10 percent is considered acceptable. However, the output given in Example 3-10 shows a 15 percent utilization, which is considered high for a Catalyst switch. Such a level implies that the switch’s CPU is actively involved in forwarding packets that should normally be handled by the switch’s TCAM. Of course, this value might be normal for your organization based on baseline information, even though according to Cisco it is a cause for concern. Periodic spikes in processor utilization are also not a major cause for concern if such spikes can be explained. Consider the following reasons that might cause a switch’s CPU utilization to spike:

■ The CPU is processing routing updates.
■ The administrator is issuing a debug command (or other processor-intensive commands).
■ Simple Network Management Protocol (SNMP) is being used to poll network devices.

If the interrupt percent is greater than 10, take time to look into the reason why. If you determine that a switch’s high CPU load is primarily the result of interrupts, examine the switch’s packet-switching patterns and check the TCAM utilization. If the high CPU utilization is primarily the result of processes, take the time to investigate those specific processes. A high CPU utilization on a switch might be a result of STP. Recall that an STP failure could lead to a broadcast storm, where Layer 2 broadcast frames endlessly circulate through a network. Therefore, when troubleshooting a performance issue, realize that a switch’s high CPU utilization might be a symptom of another issue.

Troubleshooting Router Performance Issues

As you have seen, a Cisco Catalyst switch’s performance can be the source of network problems. Similarly, a router performance issue can impact user data flowing through the network.
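The interrupt-versus-process decision described above can be made mechanically from the show processes cpu summary line. The following script is an added example and is not code from the book or from Cisco. It splits the “19%/15%” figure into total and interrupt load, applies the 5 and 10 percent interrupt thresholds the chapter gives for a Catalyst switch, and lists the busiest scheduled processes so that the “processes” branch of the procedure has something to look at. The input is the Example 3-10 output re-typed as constructed test data; the function names are this example’s own.

```python
import re

# Constructed test input: the summary line and first process rows of
# Example 3-10 (switch SW1), re-typed from the chapter.
SWITCH_CPU = """\
SW1#show processes cpu
CPU utilization for five seconds: 19%/15%; one minute: 20%; five minutes: 13%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           0         4          0  0.00%  0.00%  0.00%   0 Chunk Manager
   2           0       610          0  0.00%  0.00%  0.00%   0 Load Meter
   3         128         5      25600  0.00%  0.00%  0.00%   0 crypto sw pk pro
   4        2100       315       6666  0.00%  0.05%  0.05%   0 Check heaps
"""

# "CPU utilization for five seconds: <total>%/<interrupt>%; one minute: ..."
HEADER = re.compile(
    r"CPU utilization for five seconds:\s*(\d+)%/(\d+)%;"
    r"\s*one minute:\s*(\d+)%;\s*five minutes:\s*(\d+)%"
)
# PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process-name
PROC = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%"
    r"\s+(\S+)\s+(.+?)\s*$"
)


def parse_cpu_header(text):
    """Split the summary line into total, interrupt and process-level load."""
    m = HEADER.search(text)
    if not m:
        raise ValueError("no 'CPU utilization' summary line found")
    total, interrupt, one_min, five_min = (int(x) for x in m.groups())
    return {
        "total_5s": total,
        "interrupt_5s": interrupt,
        "process_5s": total - interrupt,  # share consumed by scheduled processes
        "avg_1m": one_min,
        "avg_5m": five_min,
    }


def classify_interrupt_load(interrupt_pct):
    """Apply the chapter's Catalyst thresholds for interrupt-driven load."""
    if interrupt_pct <= 5:
        return "typical"
    if interrupt_pct <= 10:
        return "acceptable"
    return "investigate"


def top_processes(text, n=3):
    """Return the n busiest processes as (name, 5sec, 1min, 5min) tuples."""
    rows = []
    for line in text.splitlines():
        m = PROC.match(line)
        if m:
            rows.append((m.group(9), float(m.group(5)), float(m.group(6)), float(m.group(7))))
    rows.sort(key=lambda r: (r[1], r[2], r[3]), reverse=True)
    return rows[:n]


def assess(text):
    """Decide which branch of the chapter's procedure applies to this output."""
    h = parse_cpu_header(text)
    if h["interrupt_5s"] >= h["process_5s"]:
        focus = "interrupts: check packet-switching patterns and TCAM utilization"
    else:
        focus = "processes: inspect the busiest processes"
    return {
        "interrupt_level": classify_interrupt_load(h["interrupt_5s"]),
        "focus": focus,
        "top": top_processes(text),
    }


if __name__ == "__main__":
    print(assess(SWITCH_CPU))
```

For the Example 3-10 output the verdict is “investigate” (15 percent interrupt load) with the focus on interrupts, because only 4 of the 19 percent is attributable to scheduled processes. Compare the result against your own baseline before acting on it, as the chapter advises.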

As an administrator, you might notice a sluggish response to Telnet sessions or SSH sessions that you attempt to establish with a router. Or, you might experience longer-than-normal ping response times from a router. Such symptoms might indicate a router performance issue. In these examples, the router’s CPU is so busy it does not have time to respond to your Telnet session or the pings you have sent. Aside from latency that users and administrators can experience, network performance issues might result. For example, a router whose CPU is overtaxed might not send routing protocol messages to neighboring routers in a timely fashion. As a result, routing protocol adjacencies can fail, resulting in some networks becoming unreachable. This section investigates three potential router issues, each of which might result in poor router performance:

■ Excessive CPU utilization
■ The packet-switching mode of a router
■ Excessive memory utilization

Excessive CPU Utilization

A router’s processor (that is, CPU) utilization escalating to a high level but only remaining at that high level for a brief time could represent normal behavior. However, if a router’s CPU utilization continually remains at a high level, network performance issues might result.

Processes That Commonly Cause Excessive CPU Utilization

One reason that the CPU of a router might be overloaded is that the router is running a process that is taking up an unusually high percentage of its CPU resources. Following are four such processes that can result in excessive CPU utilization:

■ ARP Input process: The ARP Input process is in charge of sending Address Resolution Protocol (ARP) requests. This process can consume an inordinate percentage of CPU resources if the router has to send numerous ARP requests. One configuration that can cause such a high number of ARP requests is having a default route configured that points to an Ethernet interface. For example, perhaps a router had the ip route 0.0.0.0 0.0.0.0 fastethernet 0/1 command entered in global configuration mode so that all packets with no explicit route in the routing table will be forwarded out Fa0/1. At first, this appears harmless. However, such a configuration should be avoided because an ARP Request has to be sent for every destination IP address in every packet that is received by the router and forwarded out Fa0/1. This is because the ip route command is stating that all IP addresses (0.0.0.0 0.0.0.0) are reachable through the directly connected interface fastethernet 0/1. Therefore, instead of ARPing for the MAC address of a next-hop IP address, you ARP for the MAC address of the destination IP address in each packet. That will result in an excessive number of ARP requests, which will cause strain on the CPU. In addition, many of the ARP requests will go unanswered and result in dropped packets. The better option is to specify the next-hop IP address because the router will only have to ARP for the MAC of the next-hop IP address when forwarding the packets out Fa0/1.

■ Net Background process: An interface has a certain number of buffers available to store packets. These buffers are sometimes referred to as the queue of an interface. If an interface needs to store a packet in a buffer but all interface buffers are in use, the interface can pull from a main pool of buffers that the router maintains. The process that allows an interface to allocate one of these globally available buffers is Net Background. If the throttles, ignored, and overrun parameters are incrementing on an interface, the underlying cause might be the Net Background process consuming too many CPU resources.
■ IP Background process: The IP Background process handles an interface changing its state. A state change might be an interface going from an Up state to a Down state, or vice versa. Another example of state change is an interface’s IP address changing. Therefore, anything that can cause repeated state changes, such as bad cabling, might result in the IP Background process consuming a high percentage of CPU resources.
■ TCP Timer process: The TCP Timer process runs for each TCP router connection, whether they are established or embryonic. Therefore, many connections can result in high CPU utilization by the TCP Timer process. An established TCP connection is one that has successfully completed the three-way handshake. An embryonic connection occurs when the TCP three-way handshake is only two-thirds completed: the client sends the SYN packet to the server, and then the server sends a SYN/ACK back. At this point, the server is in the embryonic state (waiting for an ACK from the client to complete the three-way handshake and establish the connection). However, if the client does not send the ACK back, the server will sit in the embryonic state until it times out. This could be due to connectivity issues or malicious intent. If you see an excessive number of embryonic connections, you might be under a denial-of-service (DoS) attack.

Cisco IOS Commands Used for Troubleshooting High Processor Utilization

Table 3-3 offers a collection of show commands that can be valuable when troubleshooting high CPU utilization on a router.

Table 3-3 Commands for Troubleshooting High CPU Utilization

show ip arp
    Displays the ARP cache for a router. If several entries are in the Incomplete state, you might suspect a malicious scan (for example, a ping sweep) of a subnet, or you have a route pointing out an Ethernet interface as described in our ARP Input process discussion.

show interface interface_type interface_number
    Displays a collection of interface statistics. If the throttles, overruns, or ignored counters continually increment, you might suspect that the Net Background process is attempting to allocate buffer space for an interface from the main buffer pool of the router.

show tcp statistics
    Provides information about the number of TCP segments a router sends and receives, including the number of connections initiated, accepted, established, and closed. A high number of connections can explain why the TCP Timer process might be consuming excessive CPU resources.

show processes cpu
    Displays average CPU utilization over 5-second, 1-minute, and 5-minute intervals, in addition to listing all the router processes and the percentage of CPU resources consumed by each of those processes.

show processes cpu history
    Displays a graphical view of CPU utilization over the past 60 seconds, 1 hour, and 3 days. This graphical view can indicate whether an observed high CPU utilization is a temporary spike in utilization or whether the high CPU utilization is an ongoing condition.

Example 3-11 shows sample output from the show ip arp command. In the output, only a single instance exists of an Incomplete ARP entry. However, a high number of such entries can suggest the scanning of network resources, which might indicate malicious reconnaissance traffic or that you have a route pointing out an Ethernet interface instead of to a next-hop IP address.

Example 3-11 show ip arp Command Output

R2#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.3.3.1                -   00d0.06fe.9ea0  ARPA   Ethernet0/0
Internet  10.3.3.2               61   0009.b7fa.d1e0  ARPA   Ethernet0/0
Internet  192.168.1.50            0   Incomplete      ARPA

Example 3-12 shows sample output from the show interface interface_type interface_number command. Note the throttles, overrun, and ignored counters. If these counters continue to increment, the Net Background process might be consuming excessive CPU resources while it allocates buffers from the main buffer pool of the router.

Example 3-12 show interface interface_type interface_number Command Output

R2#show interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 00d0.06fe.9ea0 (bia 00d0.06fe.9ea0)
  Internet address is 10.3.3.1/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:02, output 00:00:02, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     2156 packets input, 164787 bytes, 0 no buffer
     Received 861 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     2155 packets output, 212080 bytes, 0 underruns
     0 output errors, 0 collisions, 7 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Example 3-13 shows sample output from the show tcp statistics command. If the output indicates numerous connections, the TCP Timer process might be consuming excessive CPU resources while simultaneously maintaining all those connections. If you have a high number of initiated connections with a low number of established connections, it indicates that the three-way handshake is not being completed. This might be due to a DoS attack that is attempting to consume all the TCP connection slots.

Example 3-13 show tcp statistics Command Output

R2#show tcp statistics
Rcvd: 689 Total, 0 no port
      0 checksum error, 0 bad offset, 0 too short
      474 packets (681 bytes) in sequence
      0 dup packets (0 bytes)
      0 partially dup packets (0 bytes)
      0 out-of-order packets (0 bytes)
      0 packets (0 bytes) with data after window
      0 packets after close
      0 window probe packets, 0 window update packets
      1 dup ack packets, 0 ack packets with unsend data
      479 ack packets (14205 bytes)
Sent: 570 Total, 0 urgent packets
      1 control packets (including 0 retransmitted)
      562 data packets (14206 bytes)
      0 data packets (0 bytes) retransmitted
      0 data packets (0 bytes) fastretransmitted
      7 ack only packets (7 delayed)
      0 window probe packets, 0 window update packets
0 Connections initiated, 1 connections accepted, 1 connections established
0 Connections closed (including 0 dropped, 0 embryonic dropped)
0 Total rxmt timeout, 0 connections dropped in rxmt timeout
0 Keepalive timeout, 0 keepalive probe, 0 Connections dropped in keepalive

Example 3-14 shows sample output from the show processes cpu command. The output in this example indicates a 34 percent CPU utilization in the past 5 seconds, with 13 percent of CPU resources being spent on interrupts. The output also shows the 1-minute CPU utilization average as 36 percent and the 5-minute average as 32 percent. Individual processes running on the router are also shown, along with their CPU utilization levels. Note the ARP Input, Net Background, TCP Timer, and IP Background processes referred to in this section.

Example 3-14 show processes cpu Command Output

R2#show processes cpu
CPU utilization for five seconds: 34%/13%; one minute: 36%; five minutes: 32%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
...OUTPUT OMITTED...
  12           4        69         57  0.00%  0.00%  0.00%   0 ARP Input
  13           0         1          0  0.00%  0.00%  0.00%   0 HC Counter Timer
  14           0         5          0  0.00%  0.00%  0.00%   0 DDR Timers
  15          12         2       6000  0.00%  0.00%  0.00%   0 Entity MIB API
  16           4         2       2000  0.00%  0.00%  0.00%   0 ATM Idle Timer
  17           0         1          0  0.00%  0.00%  0.00%   0 SERIAL A'detect
  18           0      3892          0  0.00%  0.00%  0.00%   0 GraphIt
  19           0         2          0  0.00%  0.00%  0.00%   0 Dialer event
  20           0         1          0  0.00%  0.00%  0.00%   0 Critical Bkgnd
  21         132       418        315  0.00%  0.00%  0.00%   0 Net Background
  22           0        15          0  0.00%  0.00%  0.00%   0 Logger
...OUTPUT OMITTED...
  46           0       521          0  0.00%  0.00%  0.00%   0 SSS Test Client
  47          84       711        118  0.00%  0.00%  0.00%   0 TCP Timer
  48           4         3       1333  0.00%  0.00%  0.00%   0 TCP Protocols
  49           0         1          0  0.00%  0.00%  0.00%   0 Socket Timers
  50           0        15          0  0.00%  0.00%  0.00%   0 HTTP CORE
  51          12         5       2400  0.00%  0.00%  0.00%   0 PPP IP Route
  52           4         5        800  0.00%  0.00%  0.00%   0 PPP IPCP
  53         273       157       1738  0.00%  0.00%  0.00%   0 IP Background
  54           0        74          0  0.00%  0.00%  0.00%   0 IP RIB Update
...OUTPUT OMITTED...
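The three Table 3-3 checks illustrated in Examples 3-11 through 3-13 (Incomplete ARP entries, incrementing buffer counters, and handshakes that never complete) can be scripted so that a pair of snapshots is compared rather than eyeballed. The following is an added example, not code from the book or from Cisco. Example 3-11, the counter lines of Example 3-12, and the connection summary of Example 3-13 are re-typed as constructed test data; the second interface snapshot and the second TCP summary are constructed to show what a positive finding looks like. Function names and the thresholds (more than one Incomplete entry, at least 100 started handshakes, half of them failing) are this example’s own choices.

```python
import re

# Constructed test input: Example 3-11, re-typed.
ARP_OUTPUT = """\
R2#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.3.3.1                -   00d0.06fe.9ea0  ARPA   Ethernet0/0
Internet  10.3.3.2               61   0009.b7fa.d1e0  ARPA   Ethernet0/0
Internet  192.168.1.50            0   Incomplete      ARPA
"""

# Constructed: the buffer-related counter lines of Example 3-12 ...
INTERFACE_T0 = """\
     2156 packets input, 164787 bytes, 0 no buffer
     Received 861 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
"""
# ... and a constructed later snapshot in which those counters have grown.
INTERFACE_T1 = """\
     9310 packets input, 701244 bytes, 0 no buffer
     Received 3102 broadcasts, 0 runts, 0 giants, 14 throttles
     0 input errors, 0 CRC, 0 frame, 9 overrun, 37 ignored
"""

# Constructed: the connection summary of Example 3-13 ...
TCP_HEALTHY = """\
0 Connections initiated, 1 connections accepted, 1 connections established
0 Connections closed (including 0 dropped, 0 embryonic dropped)
"""
# ... and a constructed summary where most accepted handshakes never finish.
TCP_SUSPECT = """\
0 Connections initiated, 812 connections accepted, 9 connections established
0 Connections closed (including 0 dropped, 790 embryonic dropped)
"""


def incomplete_arp_entries(text):
    """Addresses whose ARP entry is Incomplete (request sent, no reply yet)."""
    return [m.group(1) for m in re.finditer(r"^Internet\s+(\S+)\s+\S+\s+Incomplete", text, re.M)]


BUFFER_COUNTERS = ("throttles", "overrun", "ignored")


def buffer_counters(text):
    """The counters Table 3-3 ties to the Net Background process."""
    found = {}
    for name in BUFFER_COUNTERS:
        m = re.search(r"(\d+) " + name, text)
        if m:
            found[name] = int(m.group(1))
    return found


def incrementing_counters(before, after):
    """Counters that grew between two snapshots, with their deltas."""
    b, a = buffer_counters(before), buffer_counters(after)
    return {k: a[k] - b[k] for k in BUFFER_COUNTERS if a.get(k, 0) > b.get(k, 0)}


def tcp_summary(text):
    """Connection counters from the tail of 'show tcp statistics'."""
    patterns = {
        "initiated": r"(\d+) Connections initiated",
        "accepted": r"(\d+) connections accepted",
        "established": r"(\d+) connections established",
        "embryonic_dropped": r"(\d+) embryonic dropped",
    }
    return {k: int(re.search(p, text).group(1)) for k, p in patterns.items()}


def handshake_failure_ratio(summary):
    """Fraction of started handshakes (either direction) that never established."""
    started = summary["initiated"] + summary["accepted"]
    if started == 0:
        return 0.0
    return round(1 - summary["established"] / started, 3)


def triage(arp, iface_before, iface_after, tcp, min_started=100, ratio=0.5):
    """Return one finding string per process that the evidence points at."""
    findings = []
    incomplete = incomplete_arp_entries(arp)
    if len(incomplete) > 1:
        findings.append(f"ARP Input: {len(incomplete)} Incomplete entries")
    grew = incrementing_counters(iface_before, iface_after)
    if grew:
        findings.append(f"Net Background: counters incrementing {grew}")
    s = tcp_summary(tcp)
    if s["initiated"] + s["accepted"] >= min_started and handshake_failure_ratio(s) >= ratio:
        findings.append("TCP Timer: most handshakes never complete (embryonic connections)")
    return findings


if __name__ == "__main__":
    print(triage(ARP_OUTPUT, INTERFACE_T0, INTERFACE_T0, TCP_HEALTHY))
    print(triage(ARP_OUTPUT, INTERFACE_T0, INTERFACE_T1, TCP_SUSPECT))
```

With the book’s own outputs the triage returns nothing: one Incomplete ARP entry, static counters and a single established connection are all normal, exactly as the chapter reads them. With the constructed second snapshots it reports the Net Background and TCP Timer conditions. Counters are compared as deltas because absolute values on an interface that has never had its counters cleared say little on their own.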

Example 3-15 shows sample output from the show processes cpu history command. The graphical output produced by this command is useful in determining whether a CPU spike is temporary or whether it is an ongoing condition.

Example 3-15 show processes cpu history Command Output

R2#show processes cpu history

    4     11111          4444411111               11111
    944444555554444444444777775555588888888887777755555777775555
100
 90
 80
 70
 60
 50 *                    *****
 40 *                    *****
 30 *                    *****
 20 *     *****          **********               *****
 10 *     *****          *************************************
   0....5....1....1....2....2....3....3....4....4....5....5....6
             0    5    0    5    0    5    0    5    0    5    0
               CPU% per second (last 60 seconds)

    56434334644444334443442544453443
    46868692519180723579483247519306
100
 90
 80
 70  *      *
 60  *      *                  *
 50 ***     * * * *  **   * ** *  *
 40 ***************  ****  ****** ***
 30 ********************************
 20 ********************************
 10 ################################
   0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
             0    5    0    5    0    5    0    5    0    5    0    5    0
               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%

   0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
             0    5    0    5    0    5    0    5    0    5    0    5    0
               CPU% per hour (last 72 hours)
              * = maximum CPU%   # = average CPU%

Understanding Packet-Switching Modes (Routers and Multilayer Switches)

In addition to the high CPU utilization issues previously discussed, a router’s packet-switching mode can impact router performance. Packet switching involves the router making a decision about how a packet should be forwarded and then forwarding that packet out of the appropriate router interface. Before discussing the most common switching modes, however, realize that the way a router handles packets (or is capable of handling packets) largely depends on the router’s architecture. Therefore, for real-world troubleshooting, consult the documentation for your router to determine how it implements packet switching. In general, Cisco routers and multilayer switches support the following three primary modes of packet switching:

■ Process switching
■ Fast switching (route caching)
■ Cisco Express Forwarding (topology-based switching)

Operation of Process Switching

When a router routes a packet (that is, performs packet switching), the router removes the packet’s Layer 2 header, examines the Layer 3 addressing, and decides how to forward the packet. The Layer 2 header is then rewritten (which involves changing the source and destination MAC addresses and computing a new FCS), and then the packet is forwarded out of the appropriate interface.

With process switching, as illustrated in Figure 3-4, the router’s CPU becomes directly involved with packet-switching decisions. As a result, the performance of a router configured for process switching can suffer significantly.

Figure 3-4 Data Flow with Process Switching (every packet of a flow travels from the ingress interface up to the CPU at the control plane and back down to the egress interface at the data plane)

An interface can be configured for process switching by disabling fast switching and CEF on that interface. The interface configuration mode command used to disable fast switching and CEF at the same time is no ip route-cache.

Operation of Fast Switching (Route Caching)

Fast switching uses a fast cache maintained in a router’s data plane. The fast cache contains information about how traffic from different data flows should be forwarded. As shown in Figure 3-5, the first packet in a data flow is process-switched by a router’s CPU. After the router determines how to forward the first packet of a data flow, that forwarding information is stored in the fast cache. Subsequent packets in that same data flow are forwarded based on information in the fast cache, as opposed to being process-switched. As a result, fast switching reduces a router’s CPU utilization when compared to process switching. You can enable fast switching by turning off CEF in interface configuration mode with the no ip route-cache cef command.

Figure 3-5 Data Flow with Fast Switching (packet #1 in a data flow goes to the CPU, which writes forwarding information into the fast cache; subsequent packets in the flow are forwarded from the fast cache at the data plane)

Operation of Cisco Express Forwarding (Topology-Based Switching)

Cisco Express Forwarding (CEF) maintains two tables in the data plane. Specifically, the Forwarding Information Base (FIB) maintains Layer 3 forwarding information, whereas the Adjacency Table maintains Layer 2 information for next hops listed in the FIB. Using these tables, populated from a router’s IP routing table and ARP cache, CEF can efficiently make forwarding decisions. Unlike fast switching, CEF does not require the first packet of a data flow to be process-switched. Rather, an entire data flow can be forwarded at the data plane, as shown in Figure 3-6.

Figure 3-6 Data Flow with Cisco Express Forwarding (the IP routing table supplies Layer 3 information to the FIB and the ARP cache supplies Layer 2 information to the adjacency table; the data flow is forwarded entirely at the data plane using those CEF structures)

The CPU utilization for this process might show a high value if the CPU of a router is actively engaged in process-switching traffic because you turned off fast switching and CEF. CEF is enabled by default. show ip cef adjacency egress_interface_id Displays destinations reachable through the next_hop_ip_address detail combination of the specified egress interface and next-hop IP address. she has to call us ten times. show adjacency detail Provides information contained in the adjacency table of a router. show processes cpu | include IP Input Displays information about the IP input process on a router. Alternatively. If we are “Process Switching” with the babysitter. Troubleshooting Packet-Switching Modes Table 3-4 provides a selection of commands that you can use when troubleshooting the packet-switching modes of a router. she has to call us to ask for permission to give the children a cookie. From the Library of Outcast Outcast . place it on the counter. If the children ask ten times. you can enable CEF for a specific interface with the interface configuration mode command ip route-cache cef. Date Night Example of Process-Switching Modes Let’s pretend that my wife and I are going out to dinner and we are leaving our two chil- dren with a babysitter. every time our children ask the babysitter for a cookie. including protocol and timer information. As you can see from this example.116 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide On many router platforms. before we leave for dinner. we take out the cookie jar. show ip cache Displays the contents of the route cache from a router if fast switching is enabled. just give them more without calling us. Table 3-4 Commands for Troubleshooting a Router’s Packet-Switching Modes Key Topic Command Description show ip interface interface_type interface_ Displays multiple interface statistics. you can globally enable it with the ip cef command. the first time she calls us. If it is not. 
and tell her to have an awesome evening with the kids.” Finally. we say yes and then create a “route cache” for the babysitter that states. number including information about the packet- switching mode of an interface. if we are using “CEF” with the babysitter. If we are “Fast Switching” with the babysitter. “if the kids want more. date night is better when we use CEF. show ip cef Displays the contents of a router’s FIB.

Chapter 3: Troubleshooting Device Performance 117

Example 3-16 shows sample output from the show ip interface interface_type interface_number command. The output indicates that fast switching and CEF switching are enabled on interface Fast Ethernet 0/0. The reference to flow switching being disabled refers to the Cisco IOS NetFlow feature, which you can use to collect traffic statistics.

Example 3-16 show ip interface interface_type interface_number Command Output
R4#show ip interface fastethernet 0/0
FastEthernet0/0 is up, line protocol is up
...OUTPUT OMITTED...
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
...OUTPUT OMITTED...

Example 3-17 shows sample output from the show ip cache command. This command shows the contents of a router's route cache. If fast switching is enabled and CEF is disabled, a router begins to populate its route cache.

Example 3-17 show ip cache Command Output
R4#show ip cache
IP routing cache 3 entries, 588 bytes
  12 adds, 9 invalidates, 0 refcounts
Minimum invalidation interval 2 seconds, maximum interval 5 seconds,
  quiet interval 3 seconds, threshold 0 requests
Invalidation rate 0 in last second, 0 in last 3 seconds
Last full cache invalidation occurred 04:13:57 ago

Prefix/Length       Age        Interface        Next Hop
10.8.8.4/32         00:00:07   FastEthernet0/1  10.8.8.4
10.8.8.6/32         00:00:10   FastEthernet0/1  10.8.8.6
192.168.0.0/24      00:00:10   FastEthernet0/0  10.3.3.1

Example 3-18 shows sample output from the show processes cpu | include IP Input command. In the output, the IP Input process was using only 0.08 percent of its router's CPU capacity during the last 5-second interval. However, a high percentage value might indicate that a router was performing process switching, where the CPU was directly involved in packet switching.

118 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide

Example 3-18 show processes cpu | include IP Input Command Output
R4#show processes cpu | include IP Input
  63        3178        7320        434  0.08%  0.06%  0.04%   0 IP Input

Example 3-19 shows sample output from the show ip cef command. The output contains the contents of the FIB for a router. Notice that the prefix is listed, followed by the next hop that will be used to reach the prefix, and then the interface that will be used to reach it. The attached next hop indicates that the network is a directly connected route on the router. Note that if a next hop of the network prefix is set to receive, that network/IP is local to the router, and any packets destined to that specific IP will be processed by the CPU of the router. Examining the output closely, you will see that the receive entries are subnet IDs, local host IP addresses, and broadcast addresses, ensuring that they are processed by the router and not forwarded.

Example 3-19 show ip cef Command Output
R4#show ip cef
Prefix               Next Hop        Interface
0.0.0.0/0            drop            Null0 (default route handler entry)
0.0.0.0/32           receive
10.3.3.0/24          attached        FastEthernet0/0
10.3.3.0/32          receive
10.3.3.1/32          10.3.3.1        FastEthernet0/0
10.3.3.2/32          receive
10.3.3.255/32        receive
...OUTPUT OMITTED...
10.8.8.0/24          attached        FastEthernet0/1
10.8.8.0/32          receive
10.8.8.1/32          receive
10.8.8.4/32          10.8.8.4        FastEthernet0/1
10.8.8.5/32          10.8.8.5        FastEthernet0/1
10.8.8.6/32          10.8.8.6        FastEthernet0/1
10.8.8.7/32          10.8.8.7        FastEthernet0/1
10.8.8.255/32        receive
192.168.0.0/24       10.3.3.1        FastEthernet0/0
224.0.0.0/4          drop
224.0.0.0/24         receive
255.255.255.255/32   receive
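The FIB lookup that the show ip cef discussion describes (longest match wins; receive and drop entries are handled by the router itself rather than forwarded) can be walked through in code. The following is an added example, not code from the book or from Cisco IOS; the FIB text it parses is a constructed, shortened sample laid out like Example 3-19, and the helper names (parse_fib, lookup, classify) are this example's own.

```python
import ipaddress

# Constructed FIB in the layout of show ip cef (prefix, next hop, interface).
# Shortened and illustrative; not a capture from the router in the chapter.
FIB_TEXT = """\
0.0.0.0/0 drop Null0
0.0.0.0/32 receive
10.3.3.0/24 attached FastEthernet0/0
10.3.3.0/32 receive
10.3.3.1/32 10.3.3.1 FastEthernet0/0
10.3.3.2/32 receive
10.3.3.255/32 receive
10.8.8.0/24 attached FastEthernet0/1
10.8.8.0/32 receive
10.8.8.6/32 10.8.8.6 FastEthernet0/1
10.8.8.255/32 receive
192.168.0.0/24 10.3.3.1 FastEthernet0/0
224.0.0.0/4 drop
224.0.0.0/24 receive
255.255.255.255/32 receive
"""


def parse_fib(text):
    """Turn show ip cef style lines into (network, next_hop, interface) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        prefix = ipaddress.ip_network(parts[0])
        next_hop = parts[1]
        interface = parts[2] if len(parts) > 2 else None
        entries.append((prefix, next_hop, interface))
    return entries


def lookup(entries, ip):
    """Longest-prefix match, as CEF does: the most specific prefix containing ip wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, next_hop, interface in entries:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, interface)
    return best


def classify(entries, ip):
    """Describe how the router treats a packet to ip.

    Returns (action, detail, interface) where action is 'receive' (punted to the
    router's own CPU), 'drop', 'attached' (directly connected subnet, resolved
    via ARP on that interface) or 'forward' (detail is then the next-hop IP).
    """
    prefix, next_hop, interface = lookup(entries, ip)
    if next_hop in ("receive", "drop", "attached"):
        return next_hop, str(prefix), interface
    return "forward", next_hop, interface


# Parsed once at import so callers can reuse it.
FIB = parse_fib(FIB_TEXT)
```

Local addresses, the subnet ID and the directed broadcast all resolve to receive, a host on a connected subnet resolves to attached, and anything without a more specific entry falls into the 0.0.0.0/0 drop entry of this constructed table.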

Chapter 3: Troubleshooting Device Performance 119

Example 3-20 shows sample output from the show ip cef adjacency egress_interface_id next_hop_ip_address detail command. This command shows the IP addresses that the router knows how to reach using the specified combination of next-hop IP address and egress interface. In this example, no other IP addresses are known to have a next-hop IP address of 10.8.8.6 with an egress interface of Fast Ethernet 0/1. Therefore, 10.8.8.6 is the IP address of a host and not a router. When you see a particular adjacency listed in the FIB, you can issue this command to confirm that the router has information about how to reach that adjacency.

Example 3-20 show ip cef adjacency egress-interface-id next-hop-IP-address detail Command Output
R4#show ip cef adjacency fa 0/1 10.8.8.6 detail
IP CEF with switching (Table Version 25), flags=0x0
  25 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 0
  25 leaves, 21 nodes, 25640 bytes, 90 inserts, 65 invalidations
  0 load sharing elements, 0 bytes, 0 references
  universal per-destination load sharing algorithm, id 24360DB1
  5(2) CEF resets, 1 revisions of existing leaves
  Resolution Timer: Exponential (currently 1s, peak 1s)
  0 in-place/0 aborted modifications
  refcounts: 5702 leaf, 5632 node

Table epoch: 0 (25 entries at this epoch)

Adjacency Table has 5 adjacencies
10.8.8.6/32, version 10, epoch 0, cached adjacency 10.8.8.6
0 packets, 0 bytes
  via 10.8.8.6, FastEthernet0/1, 0 dependencies
    next hop 10.8.8.6, FastEthernet0/1
    valid cached adjacency

Example 3-21 shows sample output from the show adjacency detail command. In this case, if we need to send a packet to 10.3.3.1, we will send the packet out Fast Ethernet 0/0, which requires a Layer 2 frame with a source and destination MAC address. These MAC addresses are already listed in the adjacency table. The value 00D006FE9EA00009B7FAD1E00800 can be broken into three parts:
■ 00D006FE9EA0 = Destination MAC address
■ 0009B7FAD1E0 = Source MAC address
■ 0800 = Well-known Ethertype value for IP
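The 28-hex-digit string in the adjacency table is the Layer 2 rewrite that CEF prepends to every packet sent to that next hop, so splitting it and comparing the destination MAC with the ARP cache entry for the same next hop is the check that Step 7 of the troubleshooting list below performs by eye. The following is an added example, not code from the book or from Cisco IOS: the show adjacency detail and show ip arp text it parses is constructed to mimic the layout of Example 3-21 and a matching ARP cache, and the function names are this example's own.

```python
import re

# Constructed sample in the layout of show adjacency detail (not a capture from R4).
ADJ_TEXT = """\
Protocol Interface                 Address
IP       FastEthernet0/0           10.3.3.1(19)
                                   32 packets, 1920 bytes
                                   00D006FE9EA00009B7FAD1E00800
                                   ARP        03:53:01
                                   Epoch: 0
IP       FastEthernet0/1           10.8.8.6(5)
                                   4 packets, 264 bytes
                                   0008A3B895C40009B7FAD1E10800
                                   ARP        03:53:35
                                   Epoch: 0
"""

# Constructed show ip arp sample whose entries agree with the adjacencies above.
ARP_TEXT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.3.3.1                5   00d0.06fe.9ea0  ARPA   FastEthernet0/0
Internet  10.3.3.2                -   0009.b7fa.d1e0  ARPA   FastEthernet0/0
Internet  10.8.8.6                1   0008.a3b8.95c4  ARPA   FastEthernet0/1
"""


def dotted(hex12):
    """Render 12 hex digits in the IOS xxxx.xxxx.xxxx form."""
    h = hex12.lower()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def decode_header(hex28):
    """Split the 14-byte rewrite string: dst MAC (6 bytes), src MAC (6), Ethertype (2)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{28}", hex28 or ""):
        raise ValueError("expected 28 hex digits")
    return {
        "dst_mac": dotted(hex28[0:12]),
        "src_mac": dotted(hex28[12:24]),
        "ethertype": int(hex28[24:28], 16),
    }


def parse_adjacency(text):
    """Map next-hop IP -> {interface, header} from show adjacency detail text."""
    adj, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^IP\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\(\d+\)", line)
        if m:
            current = m.group(2)
            adj[current] = {"interface": m.group(1), "header": None}
            continue
        m = re.match(r"^\s+([0-9A-Fa-f]{28})\s*$", line)
        if m and current:
            adj[current]["header"] = decode_header(m.group(1))
    return adj


def parse_arp(text):
    """Map IP -> {mac, interface} from show ip arp text."""
    arp = {}
    for line in text.splitlines():
        m = re.match(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f.]{14})\s+\S+\s+(\S+)", line)
        if m:
            arp[m.group(1)] = {"mac": m.group(2), "interface": m.group(3)}
    return arp


def check_adjacency_against_arp(adj_text, arp_text):
    """Step 7 cross-check: the destination MAC CEF will write on the frame must be
    the ARP entry for that next hop, learned on the same interface, with the IP
    Ethertype. Returns {next_hop: (ok, reason)}."""
    adj, arp = parse_adjacency(adj_text), parse_arp(arp_text)
    result = {}
    for nh, info in adj.items():
        hdr = info["header"]
        if hdr is None:
            result[nh] = (False, "no rewrite header in adjacency")
        elif nh not in arp:
            result[nh] = (False, "next hop missing from ARP cache")
        elif arp[nh]["mac"] != hdr["dst_mac"]:
            result[nh] = (False, f"ARP {arp[nh]['mac']} != adjacency {hdr['dst_mac']}")
        elif arp[nh]["interface"] != info["interface"]:
            result[nh] = (False, "interface mismatch")
        elif hdr["ethertype"] != 0x0800:
            result[nh] = (False, "unexpected Ethertype")
        else:
            result[nh] = (True, "ok")
    return result
```

A mismatch between the adjacency's destination MAC and the ARP entry is exactly the condition Step 8 asks you to confirm from the next-hop device itself, since a stale or poisoned ARP entry would be rewritten into every forwarded frame.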

120 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide

Example 3-21 show adjacency detail Command Output
R4#show adjacency detail
Protocol Interface                 Address
IP       FastEthernet0/0           10.3.3.1(19)
                                   32 packets, 1920 bytes
                                   00D006FE9EA00009B7FAD1E00800
                                   ARP        03:53:01
                                   Epoch: 0
IP       FastEthernet0/1           10.8.8.6(5)
                                   4 packets, 264 bytes
                                   0008A3B895C40009B7FAD1E10800
                                   ARP        03:53:35
                                   Epoch: 0
...OUTPUT OMITTED...

Now that you have reviewed the different packet-switching options for a router, you can better analyze how a router is forwarding specific traffic. Following is a list of troubleshooting steps that you can follow if you suspect that network traffic is being impacted by a performance problem on one of the routers along the path from the source to the destination:

Step 1. Use the traceroute command to determine which router along the path is causing excessive delay.

Step 2. After you identify a router that is causing unusually high delay, use the show processes cpu command to see the CPU utilization of that router and identify any processes that might be consuming an unusually high percentage of the CPU.

Step 3. Use the show ip route ip_address command to verify that the router has a route to the destination IP address.

Step 4. Use the show ip cef command to determine whether all the router interfaces are configured to use CEF.

Step 5. Use the show ip cef ip_address 255.255.255.255 command to verify that CEF has an entry in its FIB that can reach the specified IP address. Part of the output from this command will be the next-hop adjacency to which traffic should be forwarded, along with the egress interface used to send traffic to that next hop.

Step 6. Issue the show adjacency interface_type interface_number detail command to verify that CEF has an entry in its adjacency table for the egress interface identified in Step 5.

Step 7. With the show ip arp command, you can then confirm that the router knows the MAC address associated with the next-hop IP address shown in the output from Step 6.

Chapter 3: Troubleshooting Device Performance 121

Step 8. You can then connect to the next-hop device and verify that the MAC address identified in Step 7 is indeed correct. You can repeat these steps on the next-hop device or on another router whose response time displayed in the output from Step 1 is suspect.

Excessive Memory Utilization
Much like a PC, router performance can suffer if it lacks sufficient available memory. For example, perhaps you install a version of Cisco IOS on a router, and that router does not have the minimum amount of memory required to support that specific Cisco IOS image. Even though the router might load the image and function, its performance might be sluggish. Assuming that a router does have the recommended amount of memory for its installed Cisco IOS image, consider the following as potential memory utilization issues.

Memory Leak
When a router starts a process, that process can allocate a block of memory. When the process completes, the process should return its allocated memory to the router's pool of memory. If not all allocated memory is returned to the router's main memory pool, a memory leak occurs. Such a condition usually results from a bug in the Cisco IOS version running on the router, requiring an upgrade of the router's Cisco IOS image. Example 3-22 shows sample output from the show memory allocating-process totals command. This command can help identify memory leaks.

Example 3-22 show memory allocating-process totals Command Output
R4#show memory allocating-process totals
             Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor  83D27480    67463064    15347168    52115896    50311080    50127020
      I/O   7C21800     4057088     2383016     1674072     1674072     1674044

Allocator PC Summary for: Processor

        PC        Total  Count  Name
0x809D7A30      1749360    180  Process Stack
0x80A7F664       918024     10  Init
0x81CEF6A0       882576      4  pak subblock chunk
0x81C04D9C       595344     54  TCL Chunks
0x800902A4       490328      6  MallocLite
...OUTPUT OMITTED...

The output shows information about memory availability on a router after the Cisco IOS image of the router has been decompressed and loaded, and the total amount of memory that is being used by the various processes. The Head column in the output refers to the address (in hexadecimal) of the memory allocation chain. The Total column is the total amount of memory available in bytes.

122 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide

The Used column indicates how much has been used, and Free indicates how much is remaining. The Lowest column shows the lowest amount of free memory (in bytes) that has been available since the router last booted. The Largest column indicates the largest block of available memory. Following this summary information, the output shows detailed memory allocation information for each process running on a router. If a process is consuming a larger-than-normal amount of memory, it is likely because of a memory leak, in which a process does not return all of its allocated memory to the router upon terminating. A memory leak occurs when a process does not free the memory that it is finished using. Therefore, the block of memory remains reserved and will be released only when the router is reloaded. Typically, memory leaks result from bugs or poor coding in the Cisco IOS Software. The best solution is to upgrade the Cisco IOS Software to a version that fixes the issue. You can use the Cisco Bug Toolkit (available from www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl) to research any such known issues with the version of Cisco IOS running on a router.

Memory-Allocation Failure
A memory-allocation failure (which produces a MALLOCFAIL error message) occurs when a process attempts to allocate a block of memory and fails to do so. One common cause for a MALLOCFAIL error is a security issue. For example, a virus or a worm that has infested the network can result in a MALLOCFAIL error. Alternatively, a MALLOCFAIL error might result from a bug in the router's version of Cisco IOS. Personally, I have witnessed the MALLOCFAIL error message when using an Integrated Services Router (ISR) that was running Network Address Translation (NAT), and another instance when I tried to load the complete Intrusion Prevention System (IPS) Signature Definition File on another ISR when I knew it could not handle it.

Buffer Leak
Similar to a memory leak, a buffer leak occurs when a process does not return a buffer to the router when the process has finished using the buffer. Consider the output of the show interfaces command shown in Example 3-23. Notice the numbers 76 and 75 highlighted in the output. These values indicate that an input queue of the interface has a capacity of 75 packets and that the queue currently has 76 packets. These values indicate an oversubscription of the queue space. An interface in this condition is called a wedged interface. In such a condition, the router does not forward traffic coming into the wedged interface.

Example 3-23 Identifying a Wedged Interface
R4#show interfaces
...OUTPUT OMITTED...
  Input queue: 76/75/780/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
...OUTPUT OMITTED...

Chapter 3: Troubleshooting Device Performance 123

The show buffers command can also help to diagnose a buffer leak. To illustrate, consider the output of the show buffers command shown in Example 3-24. This output indicates that the router has 49 middle buffers, but only 5 of those 49 buffers are available. Such a result might indicate a process allocating buffers but failing to deallocate them. Like a memory leak, a buffer leak might require updating the Cisco IOS image of a router.

Example 3-24 show buffers Command Output
R4#show buffers
Buffer elements:
     1118 in free list (500 max allowed)
     570 hits, 0 misses, 1119 created

Public buffer pools:
Small buffers, 104 bytes (total 71, permanent 50, peak 71 @ 00:21:43):
     53 in free list (20 min, 150 max allowed)
     317 hits, 7 misses, 0 trims, 21 created
     0 failures (0 no memory)
Middle buffers, 600 bytes (total 49, permanent 25, peak 49 @ 00:21:43):
     5 in free list (10 min, 150 max allowed)
     122 hits, 8 misses, 0 trims, 24 created
...OUTPUT OMITTED...

Excessive BGP Memory Use
If a router is running Border Gateway Protocol (BGP), be aware that BGP runs multiple processes and can consume significant amounts of router memory. The show processes memory | include BGP command, as shown in Example 3-25, can show you how much memory the various BGP processes of a router are consuming.

Example 3-25 show processes memory | include BGP Command Output
R1#show processes memory | include BGP|^ PID
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
 184   0          0          0       7096          0          0 BGP Task
 198   0          0          0      10096          0          0 BGP Scheduler
 229   0      38808          0      11520          0          0 BGP Router
 231   0          0          0      10096          0          0 BGP I/O
 262   0          0          0      10096          0          0 BGP Scanner
 284   0          0          0       7096          0          0 BGP Event

Depending on the router platform, your router might have multiple line cards with different amounts of memory available on each line card. The show diag command can help you isolate a specific line card that is running low on memory, perhaps because that line card is running BGP. If BGP is consuming a large percentage of your router memory, you might consider filtering out unneeded BGP routes, upgrading the memory on that router, or running BGP on a different platform that has more memory.
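The two buffer-leak signatures described above, an input queue whose size exceeds its max in show interfaces (Example 3-23) and a public buffer pool whose free count has fallen below its configured minimum in show buffers (Example 3-24), are easy to check automatically across many devices. The following is an added example, not code from the book or from Cisco IOS; the two command outputs it parses are constructed samples laid out like those examples, and the function names are this example's own.

```python
import re

# Constructed show interfaces excerpt in the layout of Example 3-23 (not a capture).
SHOW_INTERFACES = """\
FastEthernet0/0 is up, line protocol is up
  Input queue: 76/75/780/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
FastEthernet0/1 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
"""

# Constructed show buffers excerpt in the layout of Example 3-24 (not a capture).
SHOW_BUFFERS = """\
Public buffer pools:
Small buffers, 104 bytes (total 71, permanent 50, peak 71 @ 00:21:43):
     53 in free list (20 min, 150 max allowed)
     317 hits, 7 misses, 0 trims, 21 created
     0 failures (0 no memory)
Middle buffers, 600 bytes (total 49, permanent 25, peak 49 @ 00:21:43):
     5 in free list (10 min, 150 max allowed)
     122 hits, 8 misses, 0 trims, 24 created
     0 failures (0 no memory)
"""


def find_wedged_interfaces(text):
    """Return [(interface, size, max)] for every input queue holding more packets
    than its max: the wedged-interface signature (76/75 in Example 3-23)."""
    wedged, current = [], None
    for line in text.splitlines():
        m = re.match(r"^(\S+) is (?:up|down|administratively down)", line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)", line)
        if m and current:
            size, mx = int(m.group(1)), int(m.group(2))
            if size > mx:
                wedged.append((current, size, mx))
    return wedged


def parse_buffer_pools(text):
    """Return {pool: {total, permanent, free, min, hits, misses, failures}}."""
    pools, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\w+) buffers, \d+ bytes \(total (\d+), permanent (\d+)", line)
        if m:
            current = m.group(1)
            pools[current] = {"total": int(m.group(2)), "permanent": int(m.group(3))}
            continue
        if current is None:
            continue
        m = re.search(r"(\d+) in free list \((\d+) min, (\d+) max allowed\)", line)
        if m:
            pools[current].update(free=int(m.group(1)), min=int(m.group(2)))
        m = re.search(r"(\d+) hits, (\d+) misses", line)
        if m:
            pools[current].update(hits=int(m.group(1)), misses=int(m.group(2)))
        m = re.search(r"(\d+) failures", line)
        if m:
            pools[current]["failures"] = int(m.group(1))
    return pools


def starved_pools(text):
    """Pools whose free count is at or below the configured minimum, or that have
    recorded allocation failures: most buffers are being held by processes, the
    buffer-leak signature (5 free of 49 middle buffers in Example 3-24).
    Returns {pool: (free, total)}."""
    out = {}
    for name, p in parse_buffer_pools(text).items():
        if p.get("free", 0) <= p.get("min", 0) or p.get("failures", 0) > 0:
            out[name] = (p["free"], p["total"])
    return out
```

A single snapshot only shows the state; to separate a leak from a transient burst, collect the same two outputs at intervals and treat a free count that keeps falling while "created" keeps rising as the leak indicator.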

124 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide

Exam Preparation Tasks
As mentioned in the section "How to Use This Book" in the Introduction, you have several choices for exam preparation: the exercises here, Chapter 22, "Final Preparation," and the exam simulation questions on the CD-ROM.

Review All Key Topics
Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 3-5 lists a reference of these key topics and the page numbers on which each is found.

Table 3-5 Key Topics for Chapter 3
Key Topic Element | Description | Page Number
List | Components in a Catalyst switch | 96
Table 3-2 | Errors in the show interfaces interface_type interface_number counters errors command | 98
List | Reasons why a packet could be punted from a switch's TCAM to its CPU | 102
Section | High CPU utilization troubleshooting on a switch | 105
List | Identifies processes that cause excessive router CPU utilization | 107
Table 3-3 | Commands for troubleshooting high CPU utilization | 108
List | Three primary modes of packet switching | 113
Table 3-4 | Commands for troubleshooting a router's packet-switching modes | 116
Step list | Example of troubleshooting the forwarding of packets | 120
Section | Excessive memory utilization | 121

Define Key Terms
Define the following key terms from this chapter and check your answers in the glossary: backplane, forwarding logic, control plane, TCAM, full-duplex, half-duplex, ingress port, egress port, ARP Input process, Net Background process, IP Background process, TCP Timer process, process switching, fast switching, CEF, memory leak, memory-allocation failure, buffer leak

Chapter 3: Troubleshooting Device Performance 125

Complete Tables and Lists from Memory
Print a copy of Appendix C, "Memory Tables," (found on the disc), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, "Memory Tables Answer Key," also on the disc, includes completed tables and lists to check your work.

Command Reference to Check Your Memory
This section includes the most important EXEC commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed. To test your memory of the commands, cover the right side of Table 3-6 with a piece of paper, read the description on the left side, and then see how much of the command you can remember. The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to verify router and switch configurations.

Table 3-6 EXEC Commands
Task (left column) and Command Syntax (right column, shown indented below each task)

A Cisco Catalyst 3750E series switch command that can be used to verify the maximum and used TCAM resources for various services and features on the switch.
    show platform tcam utilization

A Cisco Catalyst switch command that can be used to display the current SDM template being used on the switch.
    show sdm prefer

Shows a collection of interface statistics. (Note: If the throttles, overruns, or ignored counters continually increment, you might suspect that the Net Background process is attempting to allocate buffer space for an interface from the router's main buffer pool.)
    show interface interface_type interface_number

Displays a router's ARP cache. (Note: If a large number of the entries are in the Incomplete state, you might suspect a malicious scan [for example, a ping sweep] of a subnet.)
    show ip arp

Provides information about the number of TCP segments a router sends and receives, including the number of connections initiated, accepted, established, and closed. (Note: A high number of connections might explain why the TCP Timer process is consuming excessive CPU resources.)
    show tcp statistics

Displays average CPU utilization over 5-second, 1-minute, and 5-minute intervals, in addition to listing all the router processes and the percentage of CPU resources consumed by each of those processes.
    show processes cpu

Shows a graphical view of CPU utilization over the past 60 seconds, 1 hour, and 3 days. (Note: This graphical view can indicate whether an observed high CPU utilization is a temporary spike in utilization or whether the high CPU utilization is an ongoing condition.)
    show processes cpu history

Displays information about the IP Input process on a router. (Note: The CPU utilization for this process might show a high value if the CPU of a router is actively engaged in process-switching traffic.)
    show processes cpu | include IP Input

Displays multiple interface statistics, including information about the packet-switching mode of an interface.
    show ip interface interface_type interface_number

Shows the contents of the fast cache for a router if fast switching is enabled.
    show ip cache

Displays the router's Layer 3 forwarding information, in addition to multicast, broadcast, and local IP addresses.
    show ip cef

Displays destinations reachable through the combination of the specified egress interface and next-hop IP address.
    show ip cef adjacency egress_interface_id next_hop_ip_address detail

Provides information contained in a router's adjacency table, including protocol and timer information.
    show adjacency detail

Verifies that a valid adjacency exists for a connected host.
    show adjacency

Displays information about packets forwarded by the router using a packet-switching mechanism other than CEF.
    show cef not-cef-switched

Shows information about memory availability on a router after the router's Cisco IOS image has been decompressed and loaded. (Note: This command can help identify memory leaks.)
    show memory allocating-process totals

Shows how many buffers (of various types) are currently free. (Note: This command can be helpful in diagnosing a buffer leak.)
    show buffers

Shows how much memory is being consumed by the various BGP processes of a router.
    show processes memory | include bgp

Shows the memory available on the line cards of a router.
    show diag


This chapter covers the following topics:

■ Frame-Forwarding Process: This section reviews the Layer 2 frame-forwarding process. To successfully troubleshoot Layer 2 issues, you need to have a complete understanding of this process.

■ Troubleshooting Trunks: This section focuses on how to troubleshoot Layer 2 trunking issues.

■ Troubleshooting VTP: This section focuses on how to troubleshoot issues relating to VLAN Trunking Protocol.

■ Troubleshooting VLANs: This section identifies how to troubleshoot general issues relating to VLANs and end-user port assignments.

■ The MAC address table: This section reviews how to use the MAC address table during your troubleshooting process.

■ Layer 2 Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.

CHAPTER 4

Troubleshooting Layer 2 Trunks, VTP, and VLANs

Most enterprise LANs rely on some flavor of Ethernet technology (for example, Ethernet, Fast Ethernet, or Gigabit Ethernet). In addition, your overall campus design will determine whether you need to worry about Layer 2 technologies such as trunks, Dynamic Trunking Protocol (DTP), Virtual Trunking Protocol (VTP), and virtual local-area networks (VLANs). If your campus design has any Layer 2 links from the distribution layer to the access layer, you need to have the skills necessary to troubleshoot these Layer 2 technologies. However, before you master the skills for troubleshooting these Layer 2 technologies, you need to have an understanding of Ethernet switch operations at Layer 2. This chapter sets the stage by reviewing basic Layer 2 switch operations, which will factor into discussions in future chapters. It then moves on to troubleshooting trunks, VTP, and VLANs.

"Do I Know This Already?" Quiz
The "Do I Know This Already?" quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 4-1 lists the major headings in this chapter and their corresponding "Do I Know This Already?" quiz questions. You can find the answers in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes."

Table 4-1 "Do I Know This Already?" Section-to-Question Mapping
Foundation Topics Section | Questions
Frame-Forwarding Process | 1–3
Troubleshooting Trunks | 4–6
Troubleshooting VTP | 7
Troubleshooting VLANs | 8
The MAC Address Table | 9–10

130 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which header information is used by switches to learn which MAC address is reachable out a specific interface?
a. Source IP address
b. Destination IP address
c. Source MAC address
d. Destination MAC address

2. Which header information is used by switches to forward frames?
a. Source IP address
b. Destination IP address
c. Source MAC address
d. Destination MAC address

3. What does a switch do with an unknown unicast frame?
a. Drop it
b. Forward it out the port it is associated with
c. Use ARP to determine the MAC address of the IP address in the packet
d. Flood it out all ports except the port it was received on

4. Which two are examples of issues that could prevent a trunk from forming?
a. Encapsulation mismatch
b. Incompatible trunking modes
c. Password mismatch
d. Missing VLAN

5. Which two of the trunk mode examples will successfully form a trunk?
a. Access – Dynamic desirable
b. Dynamic Auto – Dynamic auto
c. Trunk – Dynamic auto
d. Trunk – Trunk nonegotiate

Chapter 4: Troubleshooting Layer 2 Trunks, VTP, and VLANs 131

6. Which command enables you to verify the administrative mode and operational mode of an interface?
a. show vlan brief
b. show interfaces interface_type interface_number switchport
c. show interfaces trunk
d. show interfaces

7. Which command enables you to verify VTP configurations?
a. show run
b. show interfaces interface_type interface_number switchport
c. show vtp status
d. show vtp configurations

8. Which two commands enable you to verify which VLAN a port is assigned to?
a. show vlan brief
b. show interfaces trunk
c. show interfaces interface_type interface_number switchport
d. show mac address-table dynamic

9. Which command enables you to verify which port a MAC address is being learned on?
a. show interfaces trunk
b. show run interface interface_type interface_number
c. show interfaces
d. show mac address-table dynamic

10. What can we confirm when examining the MAC address table of a switch? (Choose two answers.)
a. The port a MAC address was learned on
b. The VLAN the MAC address is associated with
c. The administrative and operational mode of an interface
d. The number of devices physically connected to an interface

132 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide

Foundation Topics

Frame-Forwarding Process
To successfully troubleshoot Layer 2 forwarding issues, you need a solid understand-
ing of how a switch operates. You would have learned this back in CCNA Routing and
Switching. However, we spend time here reviewing switch operations because our trou-
bleshooting efforts will be based on this knowledge. This section reviews how a switch
populates its MAC address table and how it decides what to do with a frame based on
the information in the MAC address table.

Unlike Ethernet hubs, which take bits in one port and send those same bits out all other
ports, Ethernet switches learn about the devices connected to their ports. Therefore,
when an Ethernet switch sees a frame destined for a particular MAC address, the switch
can consult its MAC address table to determine which port to forward the newly arrived
frame out. This behavior results in more-efficient bandwidth utilization and improved
security on a LAN. In addition, it eliminates the concern of collisions. Specifically, in a
hub environment, if two endpoints each transmitted a data frame at the same time, those
two frames would collide, resulting in both frames being corrupted because all ports on
a hub are in a common collision domain. This collision would require each endpoint to
retransmit its data frame. This is not a concern with switches because every port on an
Ethernet switch is in its own collision domain.

Ethernet switches can dynamically learn the MAC addresses attached to various switch-
ports by looking at the source MAC address on frames coming into a port. For example,
if switchport Gigabit Ethernet 1/1 received a frame with a source MAC address of
DDDD.DDDD.DDDD, the switch could conclude that MAC address DDDD.DDDD.
DDDD resided off of port Gigabit Ethernet 1/1. As a result, it places an entry in the
MAC address table indicating so. In the future, if the switch received a frame destined for
a MAC address of DDDD.DDDD.DDDD, the switch would only send that frame out of
port Gigabit Ethernet 1/1 because of the entry in the MAC address table.

Initially, however, a switch is unaware of what MAC addresses reside off of which
ports (unless MAC addresses have been statically configured). Therefore, when a switch
receives a frame destined for a MAC address not yet present in the switch’s MAC address
table, the switch floods that frame out of all the switchports in the same VLAN, other
than the port on which the frame was received. Similarly, broadcast frames (that is,
frames with a destination MAC address of FFFF.FFFF.FFFF) are always flooded out all
switchports in the same VLAN except the port on which the frame was received. The
reason broadcast frames are always flooded is that no endpoint will have a MAC address
of FFFF.FFFF.FFFF, meaning that the FFFF.FFFF.FFFF MAC address will never be
learned dynamically in the MAC address table of a switch. In addition, if you look at the
output of the MAC address table, you will notice that the all F’s MAC address is stati-
cally bound to the CPU, ensuring that it can never be learned dynamically, as shown in
Example 4-1.


Chapter 4: Troubleshooting Layer 2 Trunks, VTP, and VLANs 133

Example 4-1 show mac address-table Command Output
SW1#show mac address-table
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
All ffff.ffff.ffff STATIC CPU
10 0050.b60c.f258 DYNAMIC Gi0/1
10 0800.2757.1b86 DYNAMIC Gi0/1
10 0800.275d.06d6 DYNAMIC Fa0/1
10 0800.27a2.ce47 DYNAMIC Fa0/2
10 2893.fe3a.e301 DYNAMIC Gi0/1
...output omitted...

To illustrate how a switch’s MAC address table becomes populated, consider an endpoint
named PC1 that wants to form a Telnet connection with a server, as shown in Figure 4-
1. Also, assume that PC1 and its server reside on the same subnet (that is, no routing is
required to get traffic between PC1 and its server) and are therefore in the same VLAN,
in this case VLAN 100. Before PC1 can send a Telnet segment to its server, PC1 needs to
know the IP address (that is, the Layer 3 address) and the MAC address (that is, the Layer
2 address) of the server. The IP address of the server is typically known or is resolved
via a Domain Name System (DNS) lookup. In this example, assume that the server’s
IP address is known. To properly communicate over Ethernet, PC1 needs to know the
server’s Layer 2 MAC address. If PC1 does not already have the server’s MAC address in
its Address Resolution Protocol (ARP) cache, PC1 can send an ARP request to learn the
server’s MAC address.


134 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide

[Figure 4-1 (diagram): PC1 (AAAA.AAAA.AAAA, VLAN 100) is attached to SW1 Gig 0/1, PC2 (VLAN 100) to SW1 Gig 0/3, and PC3 (VLAN 200) to SW1 Gig 0/4. SW1 Gig 0/2 connects over a trunk to SW2 Gig 0/1. The server (BBBB.BBBB.BBBB, VLAN 100) is attached to SW2 Gig 0/2, PC4 (VLAN 100) to SW2 Gig 0/3, and PC5 (VLAN 200) to SW2 Gig 0/4. PC1 sends an ARP request into SW1 Gig 0/1.]
SW1 MAC Address Table: Gig 0/1 empty, Gig 0/2 empty. SW2 MAC Address Table: Gig 0/1 empty, Gig 0/2 empty.

Figure 4-1 Endpoint Sending an ARP Request

When switch SW1 sees PC1’s ARP request enter port Gig0/1, the PC1 MAC address of
AAAA.AAAA.AAAA is added to the MAC address table of switch SW1 and associ-
ated with interface Gig0/1. Because Gig0/1 is a member of VLAN 100, the MAC is also
associated with VLAN 100. Because the ARP request is a broadcast, its destination
MAC address is FFFF.FFFF.FFFF (all F’s). As discussed earlier, frames with a destination
of all F’s will be copied and flooded out all switchports except the port on which the
frame was received. However, notice that port Gig0/1 on switch SW1 belongs to VLAN
100, whereas port Gig0/4 belongs to VLAN 200. This is important because frames are
constrained to the VLAN from which they originated unless routed by a Layer 3 device.
Therefore, the broadcast frame in this case is not flooded out Gig0/4 because Gig0/4 is a
member of a different VLAN. Port Gig0/2, however, is a trunk port, and a trunk can carry
traffic for multiple VLANs. Therefore, the ARP request is flooded out of ports Gig0/2
and Gig0/3, as illustrated in Figure 4-2. Because the ARP request is for the MAC of the
server, PC2 will ignore the ARP request.

When switch SW2 receives the ARP request inbound on its Gig0/1 trunk port, the source
MAC address of AAAA.AAAA.AAAA is added to switch SW2’s MAC address table,
associated with Gig0/1 and VLAN 100. Also, similar to the behavior of switch SW1,
switch SW2 floods the broadcast frame out of port Gig0/3 (a member of VLAN 100) and
out of port Gig0/2 (also a member of VLAN 100), as depicted in Figure 4-3.

Chapter 4: Troubleshooting Layer 2 Trunks, VTP, and VLANs 135

[Figure 4-2 shows the same topology as Figure 4-1. SW1 floods the ARP request out Gig 0/2
(the trunk) and Gig 0/3, but not out Gig 0/4 (VLAN 200). SW1 MAC address table: VLAN 100,
Gig 0/1, AAAA.AAAA.AAAA; Gig 0/2 empty. SW2 MAC address table: Gig 0/1 empty, Gig 0/2
empty.]

Figure 4-2 Switch SW1 Flooding the ARP Request

[Figure 4-3 shows the same topology as Figure 4-1. SW2 floods the ARP request received on
its Gig 0/1 trunk out Gig 0/2 (Server) and Gig 0/3 (PC4), but not out Gig 0/4 (VLAN 200).
SW1 MAC address table: VLAN 100, Gig 0/1, AAAA.AAAA.AAAA; Gig 0/2 empty. SW2 MAC address
table: VLAN 100, Gig 0/1, AAAA.AAAA.AAAA; Gig 0/2 empty.]

Figure 4-3 Switch SW2 Flooding the ARP Request

The server receives the ARP request and responds with an ARP reply, as shown in Figure
4-4. In addition, the server updates its ARP cache with a mapping of the IP and MAC
address of PC1. Unlike the ARP request, the ARP reply frame is not a broadcast frame; it
is a unicast frame. The ARP reply in this case has a destination MAC address of AAAA.
AAAA.AAAA and a source MAC address of BBBB.BBBB.BBBB.

[Figure 4-4 shows the same topology as Figure 4-1. The Server sends an ARP reply into SW2
Gig 0/2. SW1 MAC address table: VLAN 100, Gig 0/1, AAAA.AAAA.AAAA; Gig 0/2 empty. SW2
MAC address table: VLAN 100, Gig 0/1, AAAA.AAAA.AAAA; Gig 0/2 empty.]

Figure 4-4 ARP Reply Sent from the Server

Upon receiving the ARP reply from the server, switch SW2 adds the server’s MAC
address of BBBB.BBBB.BBBB to its MAC address table, as shown in Figure 4-5. Also, the
ARP reply is sent out only port Gig0/1 because switch SW2 knows that the destination
MAC address of AAAA.AAAA.AAAA is reachable out port Gig0/1.

[Figure 4-5 shows the same topology as Figure 4-1. SW2 forwards the ARP reply out Gig 0/1
(the trunk) only. SW1 MAC address table: VLAN 100, Gig 0/1, AAAA.AAAA.AAAA; Gig 0/2
empty. SW2 MAC address table: VLAN 100, Gig 0/1, AAAA.AAAA.AAAA; VLAN 100, Gig 0/2,
BBBB.BBBB.BBBB.]

Figure 4-5 Switch SW2 Forwarding the ARP Reply

When receiving the ARP reply in its Gig0/2 port, switch SW1 adds the server’s MAC
address of BBBB.BBBB.BBBB to its MAC address table. Also, like switch SW2, switch
SW1 now has an entry in its MAC address table for the frame’s destination MAC address
of AAAA.AAAA.AAAA. Therefore, switch SW1 forwards the ARP reply out port Gig0/1
to the endpoint of PC1, as illustrated in Figure 4-6.

[Figure 4-6 shows the same topology as Figure 4-1. SW1 receives the ARP reply on Gig 0/2
and forwards it out Gig 0/1 to PC1. SW1 MAC address table: VLAN 100, Gig 0/1,
AAAA.AAAA.AAAA; VLAN 100, Gig 0/2, BBBB.BBBB.BBBB. SW2 MAC address table: VLAN 100,
Gig 0/1, AAAA.AAAA.AAAA; VLAN 100, Gig 0/2, BBBB.BBBB.BBBB.]

Figure 4-6 Switch SW1 Forwarding the ARP Reply

After receiving the server’s ARP reply, PC1 now knows the MAC address of the server.
Therefore, PC1 can send a properly constructed Telnet segment destined for the server,
as depicted in Figure 4-7. The source MAC of the Layer 2 frame will be AAAA.AAAA.
AAAA, and the destination MAC will be BBBB.BBBB.BBBB.

Switch SW1 has the server’s MAC address of BBBB.BBBB.BBBB in its MAC address table.
Therefore, when switch SW1 receives the frame from PC1, that frame is forwarded out of
the Gig0/2 port of switch SW1, as shown in Figure 4-8.

[Figure 4-7 shows the same topology as Figure 4-1. PC1 sends a Telnet segment into SW1
Gig 0/1. Both MAC address tables are complete: VLAN 100, Gig 0/1, AAAA.AAAA.AAAA and
VLAN 100, Gig 0/2, BBBB.BBBB.BBBB on SW1 and on SW2.]

Figure 4-7 PC1 Sending a Telnet Segment

[Figure 4-8 shows the same topology as Figure 4-1. SW1 forwards the Telnet segment out
Gig 0/2 (the trunk) only. Both MAC address tables are complete: VLAN 100, Gig 0/1,
AAAA.AAAA.AAAA and VLAN 100, Gig 0/2, BBBB.BBBB.BBBB on SW1 and on SW2.]

Figure 4-8 Switch SW1 Forwarding the Telnet Segment

Similar to the behavior of switch SW1, switch SW2 forwards the frame out its Gig0/2
port. This forwarding, shown in Figure 4-9, is possible because switch SW2 has an entry
for the segment’s destination MAC address of BBBB.BBBB.BBBB in its MAC address
table.

[Figure 4-9 shows the same topology as Figure 4-1. SW2 forwards the Telnet segment out
Gig 0/2 to the Server. Both MAC address tables are complete: VLAN 100, Gig 0/1,
AAAA.AAAA.AAAA and VLAN 100, Gig 0/2, BBBB.BBBB.BBBB on SW1 and on SW2.]

Figure 4-9 Switch SW2 Forwarding the Telnet Segment

Finally, the server responds to PC1, and a bidirectional Telnet session is established between
the PC and the server, as illustrated in Figure 4-10. Because PC1 learned the MAC address
of the server and the server learned the MAC address of PC1 as a result of PC1’s earlier
ARP request, both devices stored the MAC addresses in their local ARP caches; therefore,
the transmission of subsequent Telnet segments does not require additional ARP requests.
However, if unused for a period of time, entries in a device’s ARP cache will time out.

[Figure 4-10 shows the same topology as Figure 4-1, with Telnet segments flowing in both
directions between PC1 and the Server across the trunk. Both MAC address tables are
complete: VLAN 100, Gig 0/1, AAAA.AAAA.AAAA and VLAN 100, Gig 0/2, BBBB.BBBB.BBBB on SW1
and on SW2.]

Figure 4-10 Bidirectional Telnet Session Between PC1 and the Server

When troubleshooting an issue involving Layer 2 switch communication, a thorough
understanding of the preceding steps can help you identify potential problems quickly
and efficiently. Take a moment and review Figure 4-10. Consider where issues might arise
in the topology that would prevent PC1 and Server from communicating. The following
list outlines a few potential issues that could arise:

■ PC1 and Server have IP addresses in different subnets because of an incorrect address
or subnet mask.

■ Interface Gig0/1 on SW1 or Gig0/2 on SW2 is not a member of the correct VLAN.

■ VLAN 100 is missing on SW1 or SW2.

■ The trunk between SW1 and SW2 is not passing traffic for the necessary VLANs
(VLAN 100 in this case).

■ The trunk is not formed between SW1 and SW2.

■ A VACL is denying PC1 from communicating with Server.

■ Interface Gig0/1 on SW1, Gig0/2 on SW2, or the trunk interfaces are shut down or in
the err-disabled state.
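
The following Python program is an added example and is not code from the Cert Guide. It
models SW1 and SW2 from Figure 4-11 and replays PC1’s ARP request, the server’s ARP reply,
and the first Telnet frame, reproducing the learning and flooding decisions behind the
MAC address tables in Figures 4-1 through 4-10. It then injects one of the faults listed
above (the server’s port placed in the wrong VLAN) to show that the broadcast never
reaches the server. The port names, VLAN numbers, and MAC addresses are the chapter’s;
the Switch class, the frames, and the results are constructed for this example.

```python
"""Replay of the Layer 2 forwarding walkthrough in Figures 4-1 through 4-10.

Added example, not code from the Cert Guide. Port names, VLAN assignments
and MAC addresses come from Figure 4-11; the Switch model and the frames
it processes are constructed for this example.
"""

BROADCAST = "FFFF.FFFF.FFFF"
TRUNK = "trunk"              # marker for a port that carries every VLAN
PC1 = "AAAA.AAAA.AAAA"
SERVER = "BBBB.BBBB.BBBB"


class Switch:
    def __init__(self, name, ports):
        self.name = name
        self.ports = ports       # port -> access VLAN, or TRUNK
        self.mac_table = {}      # (vlan, mac) -> port, as in the figures
        self.links = {}          # port -> (peer switch, peer port)

    def connect(self, port, peer, peer_port):
        """Wire a trunk between this switch and peer, in both directions."""
        self.links[port] = (peer, peer_port)
        peer.links[peer_port] = (self, port)

    def receive(self, in_port, vlan, src, dst, delivered):
        """Learn the source MAC, then forward or flood inside the frame's VLAN."""
        self.mac_table[(vlan, src)] = in_port
        known = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and known is not None:
            out_ports = [] if known == in_port else [known]
        else:
            # Broadcast or unknown unicast: flood to every port in this VLAN and
            # to every trunk, never back out the ingress port and never into
            # another VLAN (Gig0/4 in VLAN 200 stays silent).
            out_ports = [p for p, v in self.ports.items()
                         if p != in_port and v in (vlan, TRUNK)]
        for port in out_ports:
            if port in self.links:                  # tagged onto the trunk
                peer, peer_port = self.links[port]
                peer.receive(peer_port, vlan, src, dst, delivered)
            else:                                   # handed to the endpoint
                delivered.append((self.name, port))


def build_topology(server_vlan=100):
    """SW1 and SW2 from Figure 4-11; server_vlan lets a misconfiguration be injected."""
    sw1 = Switch("SW1", {"Gig0/1": 100, "Gig0/2": TRUNK, "Gig0/3": 100, "Gig0/4": 200})
    sw2 = Switch("SW2", {"Gig0/1": TRUNK, "Gig0/2": server_vlan, "Gig0/3": 100, "Gig0/4": 200})
    sw1.connect("Gig0/2", sw2, "Gig0/1")
    return sw1, sw2


def send(switch, port, src, dst):
    """Inject a frame from the endpoint on an access port; return (switch, port) deliveries."""
    delivered = []
    switch.receive(port, switch.ports[port], src, dst, delivered)
    return delivered


def walkthrough(server_vlan=100):
    """Run ARP request, ARP reply and first Telnet frame; return deliveries and MAC tables."""
    sw1, sw2 = build_topology(server_vlan)
    request = send(sw1, "Gig0/1", PC1, BROADCAST)                          # Figures 4-1 to 4-3
    server_heard_it = ("SW2", "Gig0/2") in request
    reply = send(sw2, "Gig0/2", SERVER, PC1) if server_heard_it else []    # Figures 4-4 to 4-6
    telnet = send(sw1, "Gig0/1", PC1, SERVER) if reply else []              # Figures 4-7 to 4-9
    return {"request": request, "reply": reply, "telnet": telnet,
            "sw1_table": dict(sw1.mac_table), "sw2_table": dict(sw2.mac_table)}


if __name__ == "__main__":
    for label, vlan in (("correct VLAN", 100), ("server port in VLAN 200", 200)):
        print(label, walkthrough(vlan))
```

MAC table entries are keyed by (VLAN, MAC) because, as the figures show, a switch keeps
its table per VLAN; the same MAC learned in VLAN 200 would be a separate entry.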

Troubleshooting Trunks
Trunks support multiple VLANs on a single physical link. A trunk can be between two
switches, a switch and a router, and a switch and a server that is providing services for
multiple VLANs. This section focuses on issues that prevent a trunk from being formed
or passing traffic for a VLAN. Figure 4-11 serves as the topology for all of the examples.

[Figure 4-11 shows the topology for the trunking examples: PC1 (AAAA.AAAA.AAAA) on SW1
Gig 0/1 in VLAN 100, PC2 on SW1 Gig 0/3 in VLAN 100, PC3 on SW1 Gig 0/4 in VLAN 200, a
trunk between SW1 Gig 0/2 and SW2 Gig 0/1, the Server (BBBB.BBBB.BBBB) on SW2 Gig 0/2 in
VLAN 100, PC4 on SW2 Gig 0/3 in VLAN 100, and PC5 on SW2 Gig 0/4 in VLAN 200. Both MAC
address tables hold VLAN 100, Gig 0/1, AAAA.AAAA.AAAA and VLAN 100, Gig 0/2,
BBBB.BBBB.BBBB.]

Figure 4-11 Troubleshooting Trunks

Encapsulation Mismatch
Two types of trunking encapsulations are supported by Cisco Catalyst switches: 802.1Q,
which is an IEEE standard; and ISL (Inter-Switch Link), which is Cisco proprietary. 802.1Q
adds a 4-byte tag to the Ethernet frame, whereas ISL encapsulates the entire Ethernet
frame, resulting in an additional 30 bytes. Not all switches support both. For example,
a Catalyst 2960 switch supports only 802.1Q, whereas a Catalyst 3560 and a Catalyst
3750-E support both. To form a trunk between two switches, the interfaces that will be
forming the trunk must be using the same encapsulation type. By default, Cisco Catalyst
switches that support only 802.1Q will use 802.1Q, whereas Catalyst switches that support
both 802.1Q and ISL will autonegotiate the encapsulation using DTP. Therefore, if you connect
a Catalyst 2960 and a Catalyst 3750-E together, they will use 802.1Q because that is all
the Catalyst 2960 can support. However, if you connect two 3750-Es together, they will
negotiate the use of ISL because it is Cisco proprietary. If you are required to use 802.1Q
trunks in your environment, you must manually change it from ISL to 802.1Q in that situ-
ation.

Because autonegotiation of encapsulation works very well, you will usually only have an
encapsulation mismatch if someone is manually setting the trunking encapsulation. To
verify the encapsulation type used on an interface, issue the show interfaces interface_
type interface_number switchport command, as shown in Examples 4-2 and 4-3.

Example 4-2 Output of show interfaces switchport Command on SW1 to Verify Encapsulation
SW1#show interfaces gigabitethernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

Example 4-3 Output of show interfaces switchport Command on SW2 to Verify Encapsulation
SW2#show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

From the show interfaces switchport output of Example 4-2 and Example 4-3, you can
see that SW1 and SW2 are not using the same trunking encapsulation. SW1 is using
802.1Q, and SW2 is using ISL. Therefore, a trunk will not successfully form in this case.

You can also verify which trunking encapsulation is being used by looking at the output
of show interfaces trunk, as shown in Example 4-4 and Example 4-5.

Example 4-4 Output of show interfaces trunk Command on SW1 to Verify
Encapsulation
SW1#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Gi0/2 on 802.1q trunking 99
Port Vlans allowed on trunk
Gi0/2 1-4094

Port Vlans allowed and active in management domain
Gi0/2 1,100,200

Port Vlans in spanning tree forwarding state and not pruned
Gi0/2 1,100,200

Example 4-5 Output of show interface trunk Command on SW2 to Verify
Encapsulation
SW2#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Gi0/1 on isl trunking 99
Port Vlans allowed on trunk
Gi0/1 1-4094

Port Vlans allowed and active in management domain
Gi0/1 1,100,200

Port Vlans in spanning tree forwarding state and not pruned
Gi0/1 1,100,200

Incompatible Trunking Modes
There are different administrative trunking modes an interface can be configured to use
when forming a trunk, as follows:

■ Access: In this administrative mode, a switchport is manually configured to never
become a trunk even if DTP messages are received. This mode is designed for ports
that are connecting to, for example, end stations, servers, and printers, where a trunk
should never be required because only a single VLAN is needed. This mode can be
verified as shown in Example 4-6.

■ Trunk: In this administrative mode, a switchport is manually configured to always be
a trunk. This mode can be verified as shown in Example 4-7.

■ Dynamic desirable: In this administrative mode, a switchport aggressively tries to
become a trunk by negotiating with the other end of the link using DTP. If the other
end of the link agrees, a trunk is formed; if not, the port remains an access port that
listens for DTP messages and periodically sends DTP messages as it continues to try to
form a trunk. This mode can be verified as shown in Example 4-8.

■ Dynamic auto: In this administrative mode, a switchport is passively waiting for DTP
messages to arrive asking it to form a trunk. If it receives them, it will form a trunk.
If it does not receive any, it remains an access port that will listen for DTP messages.
This mode can be verified as shown in Example 4-9.

Example 4-6 Verifying Trunking Administrative Mode (Access)
SW1#show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 100 (VLAN100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

Example 4-7 Verifying Trunking Administrative Mode (Trunk)
SW1#show interfaces gigabitethernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

Example 4-8 Verifying Trunking Administrative Mode (Dynamic Desirable)
SW1#show interfaces gigabitethernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

Example 4-9 Verifying Trunking Administrative Mode (Dynamic Auto)
SW1#show interfaces gigabitethernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

The default administrative mode varies by Catalyst switch model. To verify the default
administrative mode on your model, issue the show interfaces interface_type interface_
number switchport command for an interface that is still using factory default settings.
Example 4-10 shows that interface Gigabit Ethernet 0/1 is using factory default settings,
because no other configurations have been applied to the interface, as shown in the show
run interface gigabitethernet 0/1 output. The output of show interfaces gigabitethernet
0/1 switchport | include Administrative Mode indicates that the trunking administrative
mode is dynamic auto. Therefore, we can conclude dynamic auto is the default on this
switch because there is no command in the running configuration that indicates other-
wise.

Example 4-10 Verifying Default Trunking Mode on SW2
SW2#show run interface gigabitethernet 0/1
Building configuration...

Current configuration : 50 bytes
!
interface GigabitEthernet0/1
end

SW2#show interfaces gig 0/1 switchport | include Administrative Mode
Administrative Mode: dynamic auto

Some of these administrative modes are compatible with each other and will form a
trunk, whereas others are not, as shown in Table 4-2. While you are looking at Table 4-2,
remember that dynamic auto, dynamic desirable, and trunk all use DTP by default.

Table 4-2 Comparing Trunking Administrative Modes

(Rows show the SW2 administrative mode; columns show the SW1 administrative mode.)

SW2 \ SW1            Dynamic Auto           Dynamic Desirable      Trunk                  Trunk Nonegotiate      Access
Dynamic Auto         Access                 Trunk                  Trunk                  Limited connectivity   Access
Dynamic Desirable    Trunk                  Trunk                  Trunk                  Limited connectivity   Access
Trunk                Trunk                  Trunk                  Trunk                  Trunk                  Limited connectivity
Trunk Nonegotiate    Limited connectivity   Limited connectivity   Trunk                  Trunk                  Limited connectivity
Access               Access                 Access                 Limited connectivity   Limited connectivity   Access

As you can see in Table 4-2, if both switchports are configured as dynamic auto, a trunk
will not form. The switchports will remain as access ports and pass traffic for the VLAN
the port is a member of. To form a trunk with a switchport that is dynamic auto, the
other switchport must be using dynamic desirable or trunk (using DTP). Limited con-
nectivity is a result of one side being operationally a trunk and the other side being
operationally an access port. Connectivity will occur only if the access port VLAN on
one switch happens to be the same as the native VLAN for the 802.1Q trunk on the other
switch. If not, connectivity will be broken. The reason is that the access port sends
the frames untagged, and once the trunk port receives them at the other end, it treats
them as part of the native VLAN because of the lack of a tag. If these VLAN numbers
match, the frames can be successfully forwarded without a problem. However, if the
native VLAN does not match the VLAN configured on the access port, the frames
entering or leaving the trunk port on the switch will be part of a different VLAN
than the access port; the frames are no longer forwarded correctly, and connectivity is
broken. Memorizing Table 4-2 will definitely prove beneficial if you ever have to trouble-
shoot trunk links that are not forming.

VTP Domain Name Mismatch
We will cover VTP in detail shortly. However, if you are using DTP to dynamically form
trunks and the VTP domain name does not match between the two switches, a trunk will
not be formed, as shown in Example 4-11.

Example 4-11 VTP Domain Name Mismatch Causes Trunk Not to Form
SW1#
%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Gi0/2 because of
VTP domain mismatch.

Native VLAN Mismatch
Trunk issues with the native VLAN only surface when we are using IEEE 802.1Q trunk-
ing encapsulation. The concept of a native VLAN does not exist with Cisco ISL trunking
encapsulation. The native VLAN by default is VLAN 1 and is used to carry untagged
traffic across an 802.1Q trunk. It is imperative that the native VLAN matches on both
sides of a trunk link. If it does not, it is possible for traffic to leak from one VLAN to
another, resulting in an undesired forwarding behavior and possible errors with Spanning
Tree Protocol.

With a native VLAN mismatch, the trunk forms, and syslog messages are generated, as
shown in Example 4-12. From the example, you can see that Cisco Discovery Protocol
(CDP) is warning you about the native VLAN mismatch; however, if CDP is not enabled,
this message would not appear. Example 4-13 displays the output of show interfaces
trunk on SW1 and SW2, confirming that we have a native VLAN mismatch.

Example 4-12 Result of a Native VLAN Mismatch on a Trunk
SW1#
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/2
(1), with SW2 GigabitEthernet0/1 (99).
SW2#
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1
(99), with SW1 GigabitEthernet0/2 (1).

Example 4-13 Confirming the Native VLAN Mismatch with the show interfaces trunk
Command
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/2 desirable n-802.1q trunking 1
...output omitted...

SW2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/1 desirable n-802.1q trunking 99
...output omitted...

Allowed VLANs
By default, traffic for all VLANs will be forwarded on a trunk. You can modify this
behavior by identifying which VLANs are allowed on the trunk. You can accomplish
this manually or dynamically. If you are using VTP to propagate VLAN configuration
information, you can use the VTP pruning feature, which dynamically determines which
VLANs are needed on each of the trunks. You can enable VTP pruning with the vtp
pruning global configuration command. Many prefer to control the VLANs allowed on
trunks manually with the switchport trunk allowed vlan vlan_id command in interface
configuration mode. You can verify which VLANs are allowed on a trunk a few differ-
ent ways. You can use the show interfaces trunk command, the show interfaces inter-
face_type interface_number switchport command, or review the interface configuration
in the running configuration. Example 4-14 displays the output from these three com-
mands. Focus on the highlighted text because it identifies which VLANs are allowed on
the trunk. If traffic is not flowing across a trunk for a specific VLAN, make sure that the
VLAN is allowed on the trunk.

Example 4-14 Verifying Allowed VLANs on a Trunk
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/2 desirable n-802.1q trunking 99

Port Vlans allowed on trunk
Gi0/2 100,200

Port Vlans allowed and active in management domain
Gi0/2 100,200

Port Vlans in spanning tree forwarding state and not pruned
Gi0/2 100,200

SW1#show interfaces gigabitethernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
...output omitted...
Trunking VLANs Enabled: 100,200
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
...output omitted...

SW1#show run interface gigabitethernet 0/2
Building configuration...

Current configuration : 167 bytes
!
interface GigabitEthernet0/2
switchport trunk native vlan 99
switchport trunk allowed vlan 100,200
switchport mode dynamic desirable
end
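
The following Python script is an added example, not code from the Cert Guide. It takes
the show interfaces interface_type interface_number switchport output from both ends of
a link, parses the fields this chapter relies on (administrative mode, negotiation of
trunking, administrative encapsulation, native VLAN, access VLAN, and trunking VLANs
enabled), and reports the conditions described in the Encapsulation Mismatch,
Incompatible Trunking Modes, Native VLAN Mismatch, and Allowed VLANs sections, using
Table 4-2 to predict the trunking outcome. The sample outputs are constructed to resemble
Examples 4-2, 4-3, and 4-13 and are not captures from real switches; the script assumes
the field labels appear exactly as in those examples and that a port configured with
switchport nonegotiate shows Administrative Mode: trunk with Negotiation of Trunking: Off.

```python
"""Cross-checking the two ends of a trunk from show interfaces ... switchport.

Added example, not code from the Cert Guide. Field labels are assumed to
match the chapter's examples; sample outputs below are constructed.
"""
import re

# Administrative modes in the order used by Table 4-2.
MODES = ["dynamic auto", "dynamic desirable", "trunk",
         "trunk nonegotiate", "static access"]
LIMITED = "Limited connectivity"
# Table 4-2: TABLE_4_2[i][j] is the result of pairing MODES[i] with MODES[j].
TABLE_4_2 = [
    ["Access",  "Trunk",  "Trunk",  LIMITED, "Access"],
    ["Trunk",   "Trunk",  "Trunk",  LIMITED, "Access"],
    ["Trunk",   "Trunk",  "Trunk",  "Trunk", LIMITED],
    [LIMITED,   LIMITED,  "Trunk",  "Trunk", LIMITED],
    ["Access",  "Access", LIMITED,  LIMITED, "Access"],
]

FIELDS = {
    "mode": r"Administrative Mode: (.+)",
    "negotiation": r"Negotiation of Trunking: (\w+)",
    "encap": r"Administrative Trunking Encapsulation: (\w+)",
    "access_vlan": r"Access Mode VLAN: (\d+)",
    "native": r"Trunking Native Mode VLAN: (\d+)",
    "allowed": r"Trunking VLANs Enabled: (.+)",
}


def parse_switchport(text):
    """Pull the fields the checks need out of show interfaces ... switchport output."""
    fields = {}
    for line in text.splitlines():
        for key, pattern in FIELDS.items():
            match = re.match(pattern, line.strip(), re.IGNORECASE)
            if match:
                fields[key] = match.group(1).strip().lower()
    # IOS shows 'switchport nonegotiate' as mode trunk with DTP turned off.
    if fields.get("mode") == "trunk" and fields.get("negotiation") == "off":
        fields["mode"] = "trunk nonegotiate"
    return fields


def expand_vlans(spec):
    """Expand an allowed-VLAN string ('1-4094', '100,200', 'ALL') into a set of IDs."""
    if spec.lower() == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def check_trunk(end_a, end_b):
    """Return (Table 4-2 outcome, list of findings) for the two ends of one link."""
    a, b = parse_switchport(end_a), parse_switchport(end_b)
    findings = []
    outcome = TABLE_4_2[MODES.index(a["mode"])][MODES.index(b["mode"])]
    if outcome == LIMITED:
        # One end is operationally a trunk, the other an access port; frames
        # cross only if the access VLAN equals the trunk end's native VLAN.
        trunk_end, access_end = (a, b) if a["mode"].startswith("trunk") else (b, a)
        if access_end["access_vlan"] != trunk_end["native"]:
            findings.append("access VLAN %s does not match native VLAN %s on the trunk end"
                            % (access_end["access_vlan"], trunk_end["native"]))
    if outcome != "Trunk":
        return outcome, findings
    if "negotiate" not in (a["encap"], b["encap"]) and a["encap"] != b["encap"]:
        findings.append("encapsulation mismatch: %s vs %s" % (a["encap"], b["encap"]))
    # The native VLAN only exists for 802.1Q; ISL tags every frame.
    if "isl" not in (a["encap"], b["encap"]) and a["native"] != b["native"]:
        findings.append("native VLAN mismatch: %s vs %s" % (a["native"], b["native"]))
    if "allowed" in a and "allowed" in b:
        one_end_only = expand_vlans(a["allowed"]) ^ expand_vlans(b["allowed"])
        if one_end_only:
            findings.append("%d VLAN(s) allowed on one end only, lowest %s"
                            % (len(one_end_only), sorted(one_end_only)[:3]))
    return outcome, findings


def sample(mode, negotiation, encap, access_vlan, native, allowed):
    """Constructed excerpt of show interfaces ... switchport (not a real capture)."""
    return (
        "Switchport: Enabled\n"
        "Administrative Mode: %s\n"
        "Administrative Trunking Encapsulation: %s\n"
        "Negotiation of Trunking: %s\n"
        "Access Mode VLAN: %s (default)\n"
        "Trunking Native Mode VLAN: %s (NATIVE)\n"
        "Trunking VLANs Enabled: %s\n"
    ) % (mode, encap, negotiation, access_vlan, native, allowed)


# Constructed to resemble Examples 4-2 and 4-3: dot1q on SW1, ISL on SW2.
SW1_GI0_2 = sample("trunk", "Off", "dot1q", 1, 99, "100,200")
SW2_GI0_1 = sample("trunk", "Off", "isl", 1, 99, "ALL")
# Constructed to resemble Example 4-13: DTP-negotiated trunk, native VLAN 1 vs 99.
SW1_GI0_2_NATIVE1 = sample("dynamic desirable", "On", "negotiate", 1, 1, "ALL")
SW2_GI0_1_NATIVE99 = sample("dynamic desirable", "On", "negotiate", 1, 99, "ALL")
# Constructed: an access port in VLAN 100 facing a nonegotiate 802.1Q trunk.
SW1_GI0_1_ACCESS = sample("static access", "Off", "negotiate", 100, 1, "ALL")
SW2_GI0_1_DOT1Q = sample("trunk", "Off", "dot1q", 1, 99, "ALL")

if __name__ == "__main__":
    for pair in ((SW1_GI0_2, SW2_GI0_1), (SW1_GI0_2_NATIVE1, SW2_GI0_1_NATIVE99),
                 (SW1_GI0_1_ACCESS, SW2_GI0_1_DOT1Q)):
        print(check_trunk(*pair))
```

Run it against the output of both switches whenever a trunk is "up" but a VLAN is not
passing traffic: the Table 4-2 outcome tells you whether DTP could have formed the trunk
at all, and the findings list the remaining mismatches in the order the chapter covers them.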

Troubleshooting VTP
Picture a network with 50 switches and 75 VLANs. You have been tasked with deploying
these 75 VLANs to all 50 switches. This is a large task that is definitely prone to human
error. VLAN Trunking Protocol (VTP) is designed to ease the deployment of VLAN
configuration information between switches across trunk links. This section explains
the reasons why VTP might not be sharing VLAN configuration information with other
switches in the domain. Figure 4-11 is used as the topology for the examples. SW1 and
SW2 need to have the same VLAN database.

Domain Name Mismatch
Switches that will learn VLAN configuration information from each other using VTP
need to be in the same VTP domain. The VTP domain is identified by a name known as
the VTP domain name, and it can be anything you want it to be. However, it must match
on the devices that will be exchanging VLAN configuration information. Suppose, for
example, that SW1 in Figure 4-11 is using a VTP domain name of TSHOOT and SW2 is
using a VTP domain name of TSHOOT. Obviously, they match. What about SW1 using
TSHOOT and SW2 using TSHO0T? It looks like they match, but they do not. The VTP
domain name for SW2 has a zero (0) in it instead of the letter O. Compare Examples 4-15
and 4-16, which display the output of show vtp status on SW1 and SW2. Are SW1 and
SW2 in the same VTP domain?

Example 4-15 Verifying the VTP Domain Name on SW1
SW1#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : Tshoot
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 001c.57fe.f600
...output omitted...

Example 4-16 Verifying the VTP Domain Name on SW2
SW2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : TSHOOT
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 2893.fe3b.0100
...output omitted...

Note that case does matter for the VTP domain name. Therefore, SW1 and SW2 are in
completely different VTP domains and will not share VLAN configuration information
with each other. In addition, as mentioned earlier, if you are using DTP to form a trunk
and you have a VTP domain name mismatch, a trunk will not form.

Version Mismatch
There are three versions of VTP: VTPv1, VTPv2, and VTPv3. VTPv1 is the default. If you
are running VTPv1, all switches need to be using VTPv1 to successfully exchange VLAN
configuration information. If you are running VTPv2 or VTPv3, the switches can be using
either VTPv2 or VTPv3 because they are compatible. However, to reduce the possibility of
issues, it is recommended that you avoid mixing VTP versions. To verify the VTP version
in use on a switch, issue the show vtp status command, as shown in Example 4-17. Also
notice in the output that SW2 is capable of running all three versions of VTP.

Example 4-17 Verifying the VTP Version on SW2
SW2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : TSHOOT
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 2893.fe3b.0100
...output omitted...

Mode Mismatch
VTP has four modes of operation: Server, Client, Transparent, and Off. For a switch to
use the VLAN configuration information in a VTP message, it must be in Server or Client
mode. A switch operating in Transparent mode will ignore the information contained in
a VTP message; however, it will still forward on the message to other switches. In Off
mode, the switch behaves the same as Transparent mode, except that it will not forward
on VTP messages that it receives. Therefore, if you are troubleshooting an issue that
involves missing VLANs on a switch and you are using VTP, check whether the switch
is in VTP Transparent mode or Off. To verify the VTP mode used on a switch, issue
the show vtp status command, as shown in Examples 4-18 and 4-19. In addition, with
VTPv3, only the VTP primary server can add or delete VLANs.

Example 4-18 Verifying the VTP Mode on SW1
SW1#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : SWITCH
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 2893.fe3b.0100

Feature VLAN:
--------------
VTP Operating Mode : Server
Number of existing VLANs : 10
Number of existing extended VLANs : 0
Maximum VLANs supported locally : 1005
Configuration Revision : 3
...output omitted...

Example 4-19 Verifying the VTP Mode on SW2
SW2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : SWITCH
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 001c.57fe.f600

Feature VLAN:
--------------
VTP Operating Mode : Client
Number of existing VLANs : 10
Number of existing extended VLANs : 0
Maximum VLANs supported locally : 255
Configuration Revision : 3
...output omitted...


Password Mismatch
To ensure that a switch only uses VTP configuration information from legitimate sources,
it is recommended that a VTP password is set. When a switch receives a VTP message
from another switch, it will verify that the attached message digest 5 (MD5) algorithm
hash matches its local hash. If it matches, the VTP message is from a legitimate source
and is processed. If not, the VTP message is discarded. Remember that the VTP password
is case sensitive. Example 4-20 shows how you can verify the password that is configured
with the show vtp password command and the hash value that will be used with the
show vtp status command.

Example 4-20 Verifying VTP Passwords
SW1#show vtp password
VTP Password: CCNP

SW1#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : SWITCH
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 2893.fe3b.0100

Feature VLAN:
--------------
VTP Operating Mode : Server
Number of existing VLANs : 11
Number of existing extended VLANs : 0
Maximum VLANs supported locally : 1005
Configuration Revision : 2
Primary ID : 2893.fe3a.e300
Primary Description : DSW1
MD5 digest : 0x98 0x29 0xB8 0x5D 0x4D 0x48 0x71 0xE3
0x8A 0x93 0x8E 0x82 0x2B 0xEA 0xA0 0x45
...output omitted...

Higher Revision Number
When a switch in VTP server mode makes a change to the VLAN database, it incre-
ments the configuration revision number shown in Example 4-20. Currently it is 2, but if
another VLAN were added or a modification were made that affected the VLAN data-
base, VTP would increment the configuration revision number. This number is extremely
important because the switch with the higher configuration revision number is consid-
ered to have the most up-to-date and valid VLAN database. However, this might not
always be the case. For example, suppose that you are preparing for the TSHOOT exam
and you are troubleshooting VLANs. You keep adding and deleting VLANs while using
VTPv1 to propagate your changes to the other switches in your lab pod. Now you have
a really high configuration revision number. The next day a coworker plugs your lab pod
into the production network, and your lab VLAN database overwrites the VLAN data-
base of the production network because you were using the same domain name and pass-
word on your lab devices and the lab had a higher configuration revision number than the
production network. Now you need to rebuild the production VLAN database or restore
it from backup, if you have one.

You need to prevent this from ever happening by ensuring that no one uses the same VTP
domain name and password on other devices and then plugs them into the production
network. However, that is hard to control. So, it is better to run all the switches in
Transparent mode and only use Server or Client mode when you are building the VLAN
database or making significant changes that have to be propagated to all the other switches.
This is because Transparent mode switches will not update their VLAN information from
VTP messages, protecting you from having your VLAN database overwritten. You may also
want to have all switches in VTP Transparent mode when they are added to the domain so
that their configuration revision number is 0, which it always is for Transparent mode.
Your best option is to use VTPv3, because only the VTP primary server is considered a
trusted source of VTP updates within the VTP domain, and any other VTP messages will be
ignored, ensuring that your database is not overwritten by a rogue switch. A VTPv3 switch
does not become the primary server simply by being in Server mode; an administrator has
to promote it with the vtp primary EXEC command, so a mis-plugged lab switch cannot take
over the role by accident.
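As an added illustration (not from the book), the following Python script compares the show vtp status output of a switch that is about to be connected against the output of a production switch and reports the overwrite scenario described above. It parses the VTPv3-style output shown in Example 4-20; the lab switch output (hypothetical name LAB1, revision 57) is constructed for this example. The MD5 digest is computed over the VLAN database together with the password, so two switches only show the same digest when they are in sync; the script therefore keys the overwrite risk on domain name, mode, version, and revision, treats a matching password as the assumed worst case, and uses the digest only as an out-of-sync indicator between switches that claim the same revision.

```python
import re

# Constructed input: the VTPv3 production switch from Example 4-20 (abridged).
PROD_SW1 = """\
SW1#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : SWITCH
VTP Pruning Mode                : Disabled
Device ID                       : 2893.fe3b.0100

Feature VLAN:
--------------
VTP Operating Mode              : Server
Number of existing VLANs        : 11
Configuration Revision          : 2
Primary ID                      : 2893.fe3a.e300
Primary Description             : DSW1
MD5 digest                      : 0x98 0x29 0xB8 0x5D 0x4D 0x48 0x71 0xE3
                                  0x8A 0x93 0x8E 0x82 0x2B 0xEA 0xA0 0x45
"""

# Constructed input: a hypothetical lab switch (LAB1) that has been adding and
# deleting VLANs all day in VTPv2 server mode and now carries a high revision.
LAB_SW = """\
LAB1#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : SWITCH
Device ID                       : 0011.2233.4455

Feature VLAN:
--------------
VTP Operating Mode              : Server
Number of existing VLANs        : 38
Configuration Revision          : 57
MD5 digest                      : 0x11 0x22 0x33 0x44 0x55 0x66 0x77 0x88
                                  0x99 0xAA 0xBB 0xCC 0xDD 0xEE 0xFF 0x00
"""


def parse_vtp_status(text):
    """Reduce 'show vtp status' to the fields that matter for this check.

    Lines are read as 'Key : value' pairs. The MD5 digest wraps onto a second
    line in IOS output, so a continuation line starting with 0x is appended.
    The version is expected as a bare number ('VTP version running : 3').
    """
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$", line)
        if m:
            last = m.group(1).lower()
            fields[last] = m.group(2)
        elif last == "md5 digest" and line.startswith("0x"):
            fields[last] += " " + line
    version = fields.get("vtp version running", fields.get("vtp version", "1"))
    return {
        "domain": fields.get("vtp domain name", ""),
        "version": int(version),
        "mode": fields.get("vtp operating mode", "").lower(),
        "revision": int(fields.get("configuration revision", "0")),
        "digest": fields.get("md5 digest", "").replace(" ", "").lower(),
        "device_id": fields.get("device id", "").lower(),
        "primary_id": fields.get("primary id", "").lower(),
    }


def overwrite_risk(candidate, production):
    """Findings for plugging `candidate` into the domain `production` belongs to.

    The password is not visible in this output, so a matching password is
    assumed: that is the worst case the text above describes.
    """
    findings = []
    if candidate["domain"] != production["domain"]:
        return findings      # different domain name: its advertisements are ignored
    if candidate["mode"] == "transparent":
        return findings      # transparent switches relay updates but never apply them
    if candidate["version"] >= 3:
        if candidate["primary_id"] and candidate["primary_id"] == candidate["device_id"]:
            findings.append("VTPv3 switch claims the primary server role for domain "
                            f"{candidate['domain']}; review before connecting it")
        return findings      # a non-primary VTPv3 server cannot push its database
    if candidate["revision"] > production["revision"]:
        findings.append(f"VTPv{candidate['version']} {candidate['mode']} with revision "
                        f"{candidate['revision']} > production revision "
                        f"{production['revision']}: the production VLAN database "
                        "would be overwritten")
    return findings


def digest_mismatch(a, b):
    """Same domain and revision but different digest: the two are out of sync
    (password mismatch or a database edited on a transparent switch)."""
    return (a["domain"] == b["domain"] and a["revision"] == b["revision"]
            and a["digest"] != b["digest"])


if __name__ == "__main__":
    prod, lab = parse_vtp_status(PROD_SW1), parse_vtp_status(LAB_SW)
    for finding in overwrite_risk(lab, prod):
        print("WARNING:", finding)
```

Run it before connecting any switch whose VTP domain name matches production; a transparent-mode switch or a VTPv3 switch that is not primary produces no finding, which is exactly the point of the recommendations above.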

Troubleshooting VLANs
Our discussions have led us to an important point in this chapter: being able to identify
and solve issues with VLANs. This is an important task for any troubleshooter. Some of
these issues could be a result of a trunk or VTP issue, as previously discussed. This sec-
tion identifies the issues that might arise with VLANs and how you can fix them. The
discussion is based on Figure 4-11.

Incorrect IP Addressing
It all starts with the client configuration. If the IP address, subnet mask, or default
gateway is not configured correctly, frames will not flow as expected. Example 4-21
displays the output of ipconfig on PC1 and Server. If you look closely, you will notice
that Server is not addressed correctly (10.1.10.11 rather than an address in
10.1.100.0/24), and therefore is not in the same subnet as PC1. When PC1 needs to send
data to Server, it compares the two addresses, concludes that Server is on a different
subnet, and sends the frame to its default gateway so that it can be routed. That fails,
because PC1 and Server are in the same Layer 2 VLAN (as Figure 4-11 shows) yet in
different IP networks, so the routed path never reaches Server. Devices that share a VLAN
need to share a subnet so that frames can be sent from PC1 directly to Server based on
the Layer 2 MAC addresses.

Example 4-21 Verifying End-User IP Addresses
PC1>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.100.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.100.1

Server>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.10.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.10.1

Missing VLAN
For a switch to associate switchports with VLANs or to pass traffic over a trunk for a
VLAN, the switch needs to know about the VLAN. The command show vlan brief, as
shown in Example 4-22, displays the VLANs that are known by the switch.

Example 4-22 Verifying VLANs on a Switch
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/5, Gi0/6, Gi0/7, Gi0/8,
Gi0/9, Gi0/10, Gi0/11, Gi0/12,
Gi0/13, Gi0/14, Gi0/15, Gi0/16,
Gi0/17, Gi0/18, Gi0/19, Gi0/20,
Gi0/21, Gi0/22, Gi0/23, Gi0/24,
Te1/0/1, Te1/0/2
99 NATIVE active
100 10.1.100.0/24 active Gi0/1, Gi0/3
200 10.1.200.0/24 active Gi0/4
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup


If any VLANs are missing from the output of show vlan brief that should be there, you
need to find out why. If VLANs are configured manually in your organization, the answer
is one of two reasons: Someone forgot to configure the VLAN on the switch, or someone
deleted the VLAN on the switch. If the creation and deletion of VLANs is learned by other
switches through VTP, you need to troubleshoot why VTP is not propagating the VLAN
information to the other switches. However, it is important to remember that if you are
using VTPv1 or 2 and a switch is added to the domain with the correct password, and has
a higher revision number, the VLAN database in your VTP domain will be overwritten by
this switch. Therefore, if you are missing VLANs, this could be the reason why.

In Example 4-23, which displays the output of show interfaces gigabitethernet 0/1
switchport, focus on the highlighted text. Notice in brackets the name of the VLAN. It is
listed as (Inactive). This is a great sign that the interface belongs to a VLAN that does
not currently exist on the switch. Note that even though the port is up/up, the port will
not be forwarding traffic, because the VLAN does not exist.

Example 4-23 Identifying Missing VLANs on a Switch
SW1#show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 100 (Inactive)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

Incorrect Port Assignment
Once VLANs are created, switchports need to be assigned to VLANs. By default, all ports
are assigned to VLAN 1. If this is not done, the VLAN to switchport assignments would be
incorrect, and the switch would not be able to forward the frames successfully between
the devices within the same VLAN. The assignments should be based on which device is
going to be connected to that port (based on IP address, subnet mask, and default
gateway). For example, in Figure 4-11, PC1, PC2, PC4, and Server have to be in the same
logical subnet because they are all connected to ports in VLAN 100, and PC3 and PC5 have
to be in the same subnet (but different from the other devices) because they are
connected to ports in VLAN 200. Example 4-24 displays the output of show vlan brief,
which identifies the VLANs ports are assigned to. Gig0/1 and Gig0/3 have been statically
assigned to VLAN 100, and Gig0/4 has been statically assigned to VLAN 200.

Example 4-24 Verifying Switchport Assignment
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/5, Gi0/6, Gi0/7, Gi0/8,
Gi0/9, Gi0/10, Gi0/11, Gi0/12,
G0/13, Gi0/14, Gi0/15, Gi0/16,
Gi0/17, Gi0/18, Gi0/19, Gi0/20,
Gi0/21, Gi0/22, Gi0/23, Gi0/24,
Te1/0/1, Te1/0/2
99 NATIVE active
100 10.1.100.0/24 active Gi0/1, Gi0/3
200 10.1.200.0/24 active Gi0/4
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

It is important to note that ports that belong to VLANs that do not exist will not be
displayed in the output of show vlan brief. As Example 4-23 displayed, they will appear
as (Inactive) in the output of show interfaces switchport. In addition, trunk ports will
not appear in the output of show vlan brief. Notice in Example 4-24 that Gig0/2 is
missing because it is a trunk port and does not belong to any single VLAN. It is passing
traffic for multiple VLANs.

The MAC Address Table
The MAC address table is the most important table for the switch. It is the structure
that is used by the switch to make a forwarding decision. As discussed earlier, it is
populated based on the source MAC address of the frame when it arrives on a switchport.
Therefore, when SW1 received a frame inbound on Gigabit Ethernet 0/1 from PC1, it learned
the MAC from the frame and associated it with the port it arrived on and the VLAN the
port is a member of. This information is extremely valuable. If the MAC address table is
not being populated the way you expect it, you will need to figure out why. This section
covers the MAC address table and its importance.

Example 4-25 displays the dynamically learned MAC addresses on SW1 with the command
show mac address-table dynamic, using Figure 4-11 as the reference topology. The
structure of the table is important. It lists the VLANs, the dynamically learned MAC
addresses, and the ports.

Example 4-25 SW1's MAC Address Table
SW1#show mac address-table dynamic
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
100 aaaa.aaaa.aaaa DYNAMIC Gi0/1
100 bbbb.bbbb.bbbb DYNAMIC Gi0/2
100 cccc.cccc.cccc DYNAMIC Gi0/3
100 dddd.dddd.dddd DYNAMIC Gi0/2
200 3333.3333.3333 DYNAMIC Gi0/4
200 5555.5555.5555 DYNAMIC Gi0/2
Total Mac Addresses for this criterion: 6

Let's look at an example. What can we conclude by looking at the MAC address table for
SW1 displayed in Example 4-26 when comparing it to Figure 4-11?

Example 4-26 Example of SW1's MAC Address Table
SW1#show mac address-table dynamic
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
100 bbbb.bbbb.bbbb DYNAMIC Gi0/2
100 cccc.cccc.cccc DYNAMIC Gi0/3
100 dddd.dddd.dddd DYNAMIC Gi0/2
200 3333.3333.3333 DYNAMIC Gi0/4
200 5555.5555.5555 DYNAMIC Gi0/2
200 aaaa.aaaa.aaaa DYNAMIC Gi0/1
Total Mac Addresses for this criterion: 6

When comparing Figure 4-11 with Example 4-26, we can conclude that interface Gigabit
Ethernet 0/1 is not a member of the correct VLAN. The MAC address table shows that the
MAC address of PC1 (AAAA.AAAA.AAAA) was learned on the correct interface, but the VLAN
number is 200 instead of 100. Reviewing the output of show vlan brief and show interfaces
gigabitethernet 0/1 switchport, as demonstrated in Example 4-27, confirms this for us.
Our next step is to reassign the port to the correct VLAN.

Example 4-27 Confirming SW1's VLAN Assignments
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/5, Gi0/6, Gi0/7, Gi0/8,
Gi0/9, Gi0/10, Gi0/11, Gi0/12,
Gi0/13, Gi0/14, Gi0/15, Gi0/16,
Gi0/17, Gi0/18, Gi0/19, Gi0/20,
Gi0/21, Gi0/22, Gi0/23, Gi0/24,
Te1/0/1, Te1/0/2
99 NATIVE active

100 10.1.100.0/24 active Gi0/3
200 10.1.200.0/24 active Gi0/1, Gi0/4
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

SW1#show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 200 (10.1.200.0/24)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

While troubleshooting, if you ever need to clear the dynamic entries in the MAC address
table immediately so that they can be relearned, giving you the opportunity to confirm
the correct associations, issue the clear mac address-table dynamic EXEC command.

Layer 2 Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in
the chapter. The purpose of these trouble tickets is to give a process that you can follow
when troubleshooting in the real world or in an exam environment. All trouble tickets in
this section are based on the topology depicted in Figure 4-12.

[Figure 4-12 Topology for Trouble Tickets: SW1 and SW2 are connected by a trunk on Gig
0/2. On SW1, PC1 (AAAA.AAAA.AAAA, 10.1.100.10 255.255.255.0, DG 10.1.100.1) is on Gig 0/1
in VLAN 100, PC2 (CCCC.CCCC.CCCC) is on Gig 0/3 in VLAN 100, and PC3 (3333.3333.3333) is
on Gig 0/4 in VLAN 200. On SW2, Server (BBBB.BBBB.BBBB, 10.1.100.100 255.255.255.0, DG
10.1.100.1) is on Gig 0/1 in VLAN 100, PC4 (DDDD.DDDD.DDDD) is on Gig 0/3 in VLAN 100, and
PC5 (5555.5555.5555) is on Gig 0/4 in VLAN 200.]
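Before working the trouble tickets, here is an added Python script (not from the book) that automates the checks from the Incorrect IP Addressing, Incorrect Port Assignment, and MAC Address Table sections above: it parses show vlan brief and show mac address-table dynamic from one switch and compares them with a table of the hosts you expect to find there. The switch output is constructed to match Examples 4-26 and 4-27 (PC1's port has ended up in VLAN 200); the host table uses PC1's address from Example 4-30, Server's wrong address from Example 4-21, and constructed addresses for PC2 and PC3. It reports access ports in the wrong VLAN, MACs learned in the wrong VLAN, and any VLAN whose members sit in more than one IP subnet.

```python
import ipaddress
import re

# Constructed input, matching Example 4-27: Gi0/1 has been put into VLAN 200.
SW1_VLAN_BRIEF = """\
SW1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Te1/0/1, Te1/0/2
99   NATIVE                           active
100  10.1.100.0/24                    active    Gi0/3
200  10.1.200.0/24                    active    Gi0/1, Gi0/4
1002 fddi-default                     act/unsup
"""

# Constructed input, matching Example 4-26: PC1's MAC learned in VLAN 200.
SW1_MAC_TABLE = """\
SW1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    bbbb.bbbb.bbbb    DYNAMIC     Gi0/2
 100    cccc.cccc.cccc    DYNAMIC     Gi0/3
 100    dddd.dddd.dddd    DYNAMIC     Gi0/2
 200    3333.3333.3333    DYNAMIC     Gi0/4
 200    5555.5555.5555    DYNAMIC     Gi0/2
 200    aaaa.aaaa.aaaa    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 6
"""

# What the topology says should be true. Server hangs off SW2, so it has no local
# port and is expected via the trunk; its address is the wrong one from Example
# 4-21. PC2's and PC3's addresses are constructed for this example.
HOSTS = [
    {"name": "PC1", "mac": "aaaa.aaaa.aaaa", "ip": "10.1.100.10", "mask": "255.255.255.0", "vlan": 100, "port": "Gi0/1"},
    {"name": "PC2", "mac": "cccc.cccc.cccc", "ip": "10.1.100.20", "mask": "255.255.255.0", "vlan": 100, "port": "Gi0/3"},
    {"name": "Server", "mac": "bbbb.bbbb.bbbb", "ip": "10.1.10.11", "mask": "255.255.255.0", "vlan": 100, "port": None},
    {"name": "PC3", "mac": "3333.3333.3333", "ip": "10.1.200.10", "mask": "255.255.255.0", "vlan": 200, "port": "Gi0/4"},
]


def parse_vlan_brief(text):
    """Map port -> VLAN from 'show vlan brief'; port lists wrap onto extra lines."""
    port_vlan, current = {}, None
    for line in text.splitlines():
        row = re.match(r"^(\d+)\s+\S+\s+\S+\s*(.*)$", line)   # VLAN, name, status, ports
        if row:
            current, ports = int(row.group(1)), row.group(2)
        elif current is not None and re.match(r"^\s*[A-Za-z]+\d+/\d", line):
            ports = line                                        # continuation of the row above
        else:
            continue
        for port in ports.replace(",", " ").split():
            port_vlan[port] = current
    return port_vlan


def parse_mac_table(text):
    """Map MAC -> (vlan, port) from 'show mac address-table dynamic'."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", line, re.I)
        if m:
            entries[m.group(2).lower()] = (int(m.group(1)), m.group(3))
    return entries


def audit(hosts, vlan_brief, mac_table):
    """Compare the expected hosts with what the switch shows; return a list of findings."""
    port_vlan, learned = parse_vlan_brief(vlan_brief), parse_mac_table(mac_table)
    findings, subnets = [], {}
    for h in hosts:
        net = ipaddress.ip_interface(f"{h['ip']}/{h['mask']}").network
        subnets.setdefault(h["vlan"], {}).setdefault(net, []).append(h["name"])
        if h["port"] and port_vlan.get(h["port"]) != h["vlan"]:
            findings.append(f"{h['name']}: {h['port']} is in VLAN {port_vlan.get(h['port'])}, expected {h['vlan']}")
        entry = learned.get(h["mac"].lower())
        if entry is None:
            findings.append(f"{h['name']}: MAC {h['mac']} not learned on this switch")
        elif entry[0] != h["vlan"]:
            findings.append(f"{h['name']}: MAC learned in VLAN {entry[0]} on {entry[1]}, expected {h['vlan']}")
    for vlan, nets in subnets.items():
        if len(nets) > 1:   # one VLAN must map to one subnet, or Layer 2 adjacency is broken
            detail = "; ".join(f"{n} ({', '.join(names)})" for n, names in nets.items())
            findings.append(f"VLAN {vlan} spans {len(nets)} subnets: {detail}")
    return findings


if __name__ == "__main__":
    for finding in audit(HOSTS, SW1_VLAN_BRIEF, SW1_MAC_TABLE):
        print("FINDING:", finding)
```

On the constructed input the script produces the three findings the sections above reach by hand: Gi0/1 is in VLAN 200 rather than 100, PC1's MAC was learned in VLAN 200, and VLAN 100 contains hosts from two different subnets. Feed it the real command output and your own host inventory to repeat the check after every change.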

255. as shown in Example 4-30.1.10.100. The output of Example 4-28 indicates that the ping failed. as shown in Example 4-28. Therefore. it is not a problem with the server or the path from PC2 to the server.100.100: Packets: Sent = 4.100.100.100.100. and default gateway are 10. Request timed out.1. Average = 0ms Let’s start by checking the IP address of PC1.1.100: bytes=32 time 1ms TTL=128 Reply from 10.1.1. Using the ipconfig command. Lost = 4 (100% loss).100. However. let’s verify whether others are having the same issue.100 Pinging 10. A simple ping from PC1 will help us with this.255.100: bytes=32 time 1ms TTL=128 Reply from 10. According to Figure 4-11. Approximate round trip times in milli-seconds: Minimum = 0ms.100.1.1.0.100: bytes=32 time 1ms TTL=128 Ping statistics for 10.1. Therefore. Received = 4.1. Request timed out. subnet mask.1. Request timed out. Ping statistics for 10.100.255.100 Pinging 10. Example 4-29 Issuing a Ping from PC2 PC2>ping 10. What did we learn from this ping? We learned that we have no connectivity from Layer 1 to Layer 3 of the OSI model. This is a typical description within a trouble ticket.100: bytes=32 time 1ms TTL=128 Reply from 10.158 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide Trouble Ticket 4-1 Problem: A user on PC1 indicates that he is not able to access a document on Server. Lost = 0 (0% loss). Example 4-28 Issuing a Ping from PC1 PC1>ping 10. Received = 0.1. A ping from PC2 is successful. the first process is to veri- fy the issue.100. and 10. indicates that the IP address.100 with 32 bytes of data: Reply from 10. which is similar to PC1. as shown in Example 4-29.1. we can focus our troubleshooting efforts at these layers. Maximum = 0ms.1.100.100 with 32 bytes of data: Request timed out.100. these are correct. From the Library of Outcast Outcast . Therefore.100: Packets: Sent = 4.

Example 4-30 Verifying PC1's Layer 3 Settings
PC1>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.100.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.100.1

The next step is to check the MAC address table on SW1 using the command show mac
address-table dynamic. Example 4-31 shows that the MAC address of PC1 was learned on
Gigabit Ethernet 0/1, which is correct. However, it is associated with VLAN 1 instead of
VLAN 100. It appears we have found the problem, but let's confirm this further with the
show vlan brief command, as shown in Example 4-32.

Example 4-31 Verifying PC1 in the MAC Address Table on SW1
SW1#show mac address-table dynamic
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 aaaa.aaaa.aaaa DYNAMIC Gi0/1
100 bbbb.bbbb.bbbb DYNAMIC Gi0/2
100 cccc.cccc.cccc DYNAMIC Gi0/3
100 dddd.dddd.dddd DYNAMIC Gi0/2
200 3333.3333.3333 DYNAMIC Gi0/4
200 5555.5555.5555 DYNAMIC Gi0/2
Total Mac Addresses for this criterion: 6

Example 4-32 Verifying VLAN Port Assignments with the show vlan brief Command
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/1, Gi0/5, Gi0/6, Gi0/7,
Gi0/8, Gi0/9, Gi0/10, Gi0/11,
Gi0/12, Gi0/13, Gi0/14, Gi0/15,
Gi0/16, Gi0/17, Gi0/18, Gi0/19,
Gi0/20, Gi0/21, Gi0/22, Gi0/23,
Gi0/24, Te1/0/1, Te1/0/2
99 NATIVE active
100 10.1.100.0/24 active Gi0/3

200 10.1.200.0/24 active Gi0/4
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

To solve the problem, we change the switchport VLAN assignment with the switchport
access vlan 100 interface command and verify that the problem is solved by pinging from
PC1 again. Example 4-33 confirms that the problem is solved.

Example 4-33 Confirming That the Problem Is Solved with a Successful Ping
PC1>ping 10.1.100.100

Pinging 10.1.100.100 with 32 bytes of data:
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.100.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Trouble Ticket 4-2
Problem: A user on PC2 indicates that she is not able to access a document on Server.

As before, the first process is to verify the issue. A simple ping from PC2 will help us
with this, as shown in Example 4-34.

Example 4-34 Issuing a Ping from PC2
PC2>ping 10.1.100.100

Pinging 10.1.100.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.100.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The output of Example 4-34 indicates that the ping failed. What did we learn from this
ping? We learned that we have no connectivity from Layer 1 to Layer 3 of the OSI model.
Therefore, we can focus our troubleshooting efforts at these layers. However, let's verify
whether others are having the same issue. A ping from PC1 fails, as shown in Example 4-35.
Therefore, this is not an isolated issue, and we should be looking for causes that would
affect multiple users.

Example 4-35 Issuing a Ping from PC1
PC1>ping 10.1.100.100

Pinging 10.1.100.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.100.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC1 and PC2 are both members of VLAN 100. The first thing that comes to mind is a missing
VLAN on SW1. Using the command show vlan brief on SW1 will verify whether the VLAN exists
and which switchports are associated with it. As you can see from Example 4-36, VLAN 100
exists, and both switchports for PC1 and PC2 are associated with it.

Example 4-36 Verifying That VLAN 100 Exists on SW1 with show vlan brief
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/5, Gi0/6, Gi0/7, Gi0/8,
Gi0/9, Gi0/10, Gi0/11, Gi0/12,
Gi0/13, Gi0/14, Gi0/15, Gi0/16,
Gi0/17, Gi0/18, Gi0/19, Gi0/20,
Gi0/21, Gi0/22, Gi0/23, Gi0/24,
Te1/0/1, Te1/0/2
99 NATIVE active
100 10.1.100.0/24 active Gi0/1, Gi0/3
200 10.1.200.0/24 active Gi0/4
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

However, this is not enough evidence to shift our focus just yet. The most important
information comes from the MAC address table. This will truly verify that the MAC

addresses of PC1 and PC2 are being learned on the correct interfaces and are being
associated with the correct VLAN. Example 4-37 displays the output of the show mac
address-table dynamic command and confirms for us that the MAC addresses are learned
correctly and that the ports are associated with the correct VLANs.

Example 4-37 Verifying the MAC Address in the MAC Address Table
SW1#show mac address-table dynamic
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
100 aaaa.aaaa.aaaa DYNAMIC Gi0/1
100 cccc.cccc.cccc DYNAMIC Gi0/3
200 3333.3333.3333 DYNAMIC Gi0/4
200 5555.5555.5555 DYNAMIC Gi0/2
Total Mac Addresses for this criterion: 4

However, look very closely at the MAC address table in Example 4-37. What is missing? Do
you see any reference to the MAC address of Server? The MAC address of Server is not
being learned on Gigabit Ethernet 0/2 of SW1. As a matter of fact, neither is PC4.
However, PC5 is being learned. This is a good indication that traffic for VLAN 100 is not
being allowed over the trunk. Let's verify this on SW1 with the command show interfaces
trunk, as shown in Example 4-38. This output shows that VLAN 100 and 200 are allowed on
the trunk between SW1 and SW2.

Example 4-38 Verifying Allowed VLANs on SW1 Trunks
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/2 desirable n-802.1q trunking 99

Port Vlans allowed on trunk
Gi0/2 100,200

Port Vlans allowed and active in management domain
Gi0/2 100,200

Port Vlans in spanning tree forwarding state and not pruned
Gi0/2 100,200

Let's check the output of show interfaces trunk on SW2, as shown in Example 4-39. VLAN
200 is the only VLAN allowed on the trunk link. A further examination of the running
configuration, as shown in Example 4-40, indicates that only VLAN 200 is allowed on the
trunk.

Example 4-39 Verifying Allowed VLANs on SW2 Trunks
SW2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/1 desirable n-802.1q trunking 99

Port Vlans allowed on trunk
Gi0/1 200

Port Vlans allowed and active in management domain
Gi0/1 200

Port Vlans in spanning tree forwarding state and not pruned
Gi0/1 200

Example 4-40 Verifying Interface Configuration in the Running Configuration
SW2#show run interface gigabitethernet 0/1
Building configuration...

Current configuration : 167 bytes
!
interface GigabitEthernet0/1
switchport trunk native vlan 99
switchport trunk allowed vlan 200
switchport mode dynamic desirable
end

After issuing the interface command switchport trunk allowed vlan 100,200 on SW2 to
allow both VLAN 100 and 200, you ping from PC1 and PC2 again to verify that the issue is
solved. The ping is successful from PC1 and PC2, as illustrated in Example 4-41.

Example 4-41 Verifying That the Issue Is Solved
PC1>ping 10.1.100.100

Pinging 10.1.100.100 with 32 bytes of data:
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.100.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

PC2>ping 10.1.100.100

Pinging 10.1.100.100 with 32 bytes of data:
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.100.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
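Trouble Ticket 4-2 came down to an allowed-VLAN list that differed between the two ends of the trunk, something that is easy to miss when you read each switch's output on its own. As an added example (not from the book), the following Python script parses show interfaces trunk from both switches, expands VLAN ranges, and reports native VLAN mismatches, required VLANs that are not allowed, VLANs allowed but not in the forwarding-and-not-pruned list, and any asymmetry between the two allowed lists. The SW1 output is constructed to follow Example 4-38; the SW2 output follows Example 4-39 with the port name normalized to Gi0/1 throughout; SW2_FIXED is the constructed output after the switchport trunk allowed vlan 100,200 fix.

```python
import re

# Constructed input following Example 4-38.
SW1_TRUNK = """\
SW1#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/2       desirable        n-802.1q       trunking      99

Port        Vlans allowed on trunk
Gi0/2       100,200

Port        Vlans allowed and active in management domain
Gi0/2       100,200

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/2       100,200
"""

# Constructed input following Example 4-39 (port normalized to Gi0/1).
SW2_TRUNK = """\
SW2#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       desirable        n-802.1q       trunking      99

Port        Vlans allowed on trunk
Gi0/1       200

Port        Vlans allowed and active in management domain
Gi0/1       200

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       200
"""

# Constructed: SW2 after 'switchport trunk allowed vlan 100,200' on Gi0/1.
SW2_FIXED = SW2_TRUNK.replace("Gi0/1       200", "Gi0/1       100,200")

SECTION_HEADERS = {
    "vlans allowed on trunk": "allowed",
    "vlans allowed and active in management domain": "active",
    "vlans in spanning tree forwarding state and not pruned": "forwarding",
}


def expand_vlans(spec):
    """'1-3,100,200' -> {1, 2, 3, 100, 200}; 'none' -> empty set."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part or part.lower() == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunks(text):
    """Return {port: {mode, status, native, allowed, active, forwarding}}."""
    trunks, section = {}, None
    for line in text.splitlines():
        low = line.strip().lower()
        if low.startswith("port") and "native vlan" in low:
            section = "status"                       # the Mode/Encapsulation/Status table
            continue
        named = [name for key, name in SECTION_HEADERS.items() if low.startswith("port") and key in low]
        if named:
            section = named[0]                       # one of the three VLAN-list tables
            continue
        m = re.match(r"^\s*([A-Za-z]+\d[\d/]*)\s+(.+?)\s*$", line)   # 'Gi0/2   <rest>'
        if not m or section is None:
            continue
        port, rest = m.group(1), m.group(2)
        entry = trunks.setdefault(port, {"allowed": set(), "active": set(), "forwarding": set()})
        if section == "status":
            mode, _encap, status, native = rest.split()[:4]
            entry.update(mode=mode, status=status, native=int(native))
        else:
            entry[section] = expand_vlans(rest)
    return trunks


def compare_trunk(sides, required):
    """sides: ((name, trunks, port), (name, trunks, port)); required: VLANs that must cross."""
    (name_a, a, port_a), (name_b, b, port_b) = sides
    ta, tb, findings = a[port_a], b[port_b], []
    if ta["native"] != tb["native"]:
        findings.append(f"native VLAN mismatch: {name_a} {port_a}={ta['native']} vs {name_b} {port_b}={tb['native']}")
    for name, port, t in ((name_a, port_a, ta), (name_b, port_b, tb)):
        missing = sorted(required - t["allowed"])
        if missing:
            findings.append(f"{name} {port}: VLAN(s) {missing} not allowed on trunk")
        stuck = sorted((required & t["allowed"]) - t["forwarding"])
        if stuck:   # allowed but not carried: VLAN missing from the database, pruned, or STP blocking
            findings.append(f"{name} {port}: VLAN(s) {stuck} allowed but not forwarding")
    only_a, only_b = sorted(ta["allowed"] - tb["allowed"]), sorted(tb["allowed"] - ta["allowed"])
    if only_a or only_b:
        findings.append(f"allowed lists differ: only on {name_a}={only_a}, only on {name_b}={only_b}")
    return findings


if __name__ == "__main__":
    sw1, sw2 = parse_trunks(SW1_TRUNK), parse_trunks(SW2_TRUNK)
    for f in compare_trunk((("SW1", sw1, "Gi0/2"), ("SW2", sw2, "Gi0/1")), {100, 200}):
        print("FINDING:", f)
```

With the ticket's two outputs the script reports that VLAN 100 is not allowed on SW2 Gi0/1 and that the allowed lists are asymmetric; with SW2_FIXED it reports nothing. The forwarding-state check is what tells you whether an allowed VLAN is actually carried, which the allowed list alone does not.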

Exam Preparation Tasks
As mentioned in the section "How to Use This Book" in the Introduction, you have a couple
of choices for exam preparation: the exercises here, Chapter 22, "Final Preparation," and
the exam simulation questions on the CD-ROM.

Review All Key Topics
Review the most important topics in this chapter, noted with the Key Topic icon in the
outer margin of the page. Table 4-3 lists a reference of these key topics and the page
numbers on which each is found.

Table 4-3 Key Topics for Chapter 4
Key Topic Element   Description                                                 Page Number
Paragraph           A review of the frame-forwarding process                    132
List                Outlines potential issues that arise with a Layer 2 topology 140
Example 4-2         Output of show interfaces switchport command on SW1 to
                    verify encapsulation                                         141
Example 4-3         Output of show interfaces switchport command on SW2 to
                    verify encapsulation                                         141
Example 4-6         Verifying trunking administrative mode (access)             143
Example 4-7         Verifying trunking administrative mode (trunk)              143
Example 4-12        Result of native VLAN mismatch on trunk                     146
Section             Allowed VLANs                                               147
Example 4-15        Verifying the VTP domain name on SW1                        148
Example 4-16        Verifying the VTP domain name on SW2                        149
Example 4-22        Verifying VLANs on a switch                                 153
Section             Incorrect port assignment                                   154
Paragraph           Using the MAC address table during troubleshooting          155

Define Key Terms
Define the following key terms from this chapter and check your answers in the glossary:
frame, source MAC, destination MAC, VLAN, trunk, 802.1Q, ISL, encapsulation, native VLAN,
dynamic auto, dynamic desirable, access port, VTP, VTP domain name, MAC address table

Complete Tables and Lists from Memory
Print a copy of Appendix C, "Memory Tables," (found on the disc), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix D, "Memory
Tables Answer Key," also on the disc, includes completed tables and lists to check your
work.

Command Reference to Check Your Memory
This section includes the most important EXEC show commands covered in this chapter. It
might not be necessary to memorize the complete syntax of every command, but you should
be able to remember the basic keywords that are needed. The 300-135 TSHOOT exam focuses
on practical, hands-on skills that are used by a networking professional. Therefore, you
should be able to identify the commands needed to successfully troubleshoot switches. To
test your memory of the commands, cover the right side of Table 4-4 with a piece of paper,
read the description on the left side, and then see how much of the command you can
remember.

Table 4-4 EXEC CLI show Commands
Task                                                            Command Syntax
Displays the contents of the MAC address table, including       show mac address-table
the MAC address associated with a port and the VLAN the         [dynamic]
port is a member of. With the dynamic keyword, only
dynamically learned entries are displayed. Without the
dynamic keyword, both static and dynamic entries are
displayed.
Clears dynamically learned MAC addresses from the MAC           clear mac address-table
address table of a switch; this can allow a troubleshooter      dynamic
to determine whether a previously learned MAC address is
relearned. Note that on some versions of Cisco IOS running
on Cisco Catalyst switches, the clear mac address-table
command contains a hyphen between mac and address (that
is, clear mac-address-table).
Shows to which VLANs the ports of a switch belong.              show vlan brief
Displays which VLANs are permitted on the trunk ports of a      show interfaces trunk
switch and which switchports are configured as trunks.

Task                                                            Command Syntax
Displays VLAN and trunk information related to a switchport.   show interfaces
You can verify the operational mode (access or trunk), in       interface_type
addition to the encapsulation (802.1Q or ISL). You can also     interface_number switchport
verify the access VLAN the port will be a member of if it is
an access port, in addition to the native VLAN if it is a
trunk port.
Displays the VTP domain name, version, mode, configuration      show vtp status
revision number, and MD5 hash.
Displays the configured VTP password.                           show vtp password

This chapter covers the following topics:

■ Spanning-Tree Protocol Overview: This section reviews how STP determines the STP
topology from root bridge election to which ports will be nondesignated.

■ Collecting Information About an STP Topology: This section identifies the show commands
required to successfully troubleshoot STP issues.

■ STP Troubleshooting Issues: This section focuses on what could happen if STP is not
behaving as expected.

■ Troubleshooting STP Features: This section reviews STP features such as PortFast, BPDU
Guard, Root Guard, and BPDU Filter.

■ STP Trouble Tickets: This section provides trouble tickets that demonstrate how a
structured troubleshooting process can be used to solve a reported problem.

■ Troubleshooting Layer 2 EtherChannel: This section reviews how Layer 2 EtherChannels are
formed and identifies issues that could cause them to fail. It also identifies the show
commands that can help during the troubleshooting process.

■ EtherChannel Trouble Tickets: This section provides trouble tickets that demonstrate how
a structured troubleshooting process can be used to solve a reported problem.

CHAPTER 5

Troubleshooting STP and Layer 2 EtherChannel

Maintaining high availability for today's enterprise networks is a requirement for many
applications, such as voice and e-commerce, which can impact a business's bottom line if
these applications are unavailable for even a short period. To improve availability, many
enterprise networks interconnect Layer 2 switches with redundant connections, allowing a
single switch or a single link to fail while still maintaining connectivity between any
two network endpoints. Such a redundant topology, however, can result in Layer 2 loops,
which can cause frames to endlessly circle a LAN (for example, broadcast frames creating a
broadcast storm). Spanning Tree Protocol (STP) is used to logically break these Layer 2
topological loops by strategically blocking ports, while being able to detect a link
failure and bring up a previously blocked switchport to restore connectivity. This chapter
reviews the operation of STP and focuses on troubleshooting STP issues.

In addition, this chapter reviews how you can combine multiple physical Layer 2
switchports into a logical EtherChannel bundle. This increases the total bandwidth
available on uplinks and tricks STP into thinking there is only one port between the
switches instead of multiple ports. Therefore, all links are used for traffic forwarding
instead of STP blocking them.

"Do I Know This Already?" Quiz
The "Do I Know This Already?" quiz allows you to assess whether you should read this
entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in
doubt about your answers to these questions or your own assessment of your knowledge of
the topics, read the entire chapter. Table 5-1 lists the major headings in this chapter
and their corresponding "Do I Know This Already?" quiz questions. You can find the answers
in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes."

Table 5-1 "Do I Know This Already?" Section-to-Question Mapping
Foundation Topics Section                          Questions
Spanning-Tree Protocol Overview                    1–4
Collecting Information About an STP Topology       5
STP Troubleshooting Issues                         6
Troubleshooting STP Features                       7
Troubleshooting Layer 2 EtherChannel               8–10

Caution The goal of self-assessment is to gauge your mastery of the topics in this
chapter. If you do not know the answer to a question or are only partially sure of the
answer, you should mark that question as wrong for purposes of the self-assessment. Giving
yourself credit for an answer that you correctly guess skews your self-assessment results
and might provide you with a false sense of security.

1. What determines the switch that will be the STP root bridge for a VLAN?
a. Lowest priority
b. Lowest MAC address
c. Lowest bridge ID
d. Lowest cost

2. What is the STP port type for all ports on a root bridge?
a. Designated port
b. Root port
c. Nondesignated port
d. Nonroot port

3. When determining the root port of a nonroot bridge, if cost is tied, what is referenced
next to break the tie?
a. Downstream bridge ID
b. Upstream bridge ID
c. Downstream port ID
d. Upstream port ID

4. What is the maximum age for an STP BPDU in seconds?
a. 2
b. 15
c. 20
d. 50

5. Which two of the following commands are most helpful in determining STP information for
a Layer 2 switch?
a. show spanning-tree vlan
b. debug spanning-tree state
c. show spanning-tree interface
d. show port span

6. What are two common issues that could result from an STP failure?
   a. Tagged frames being sent into a native VLAN
   b. Broadcast storms
   c. MAC address table filling to capacity
   d. MAC address table corruption

7. Which STP feature ensures that certain ports in the STP topology never become root ports, and if the port receives a superior BPDU it places it in the root inconsistent state?
   a. BPDU Guard
   b. BPDU Filter
   c. Root Guard
   d. PortFast

8. Which switch feature allows multiple physical links to be bonded into a logical link?
   a. STP
   b. EtherChannel
   c. PortFast
   d. Switch virtual interfaces

9. What must match on physical switchports to successfully form an EtherChannel bundle? (Choose three.)
   a. Interface speed
   b. Interface mode (access/trunk)
   c. Native VLAN
   d. STP port cost

10. What combination will successfully form a Cisco proprietary Layer 2 EtherChannel bundle?
   a. Active – Passive
   b. On – Active
   c. Desirable – Auto
   d. Desirable – Passive

Foundation Topics

Spanning Tree Protocol Overview

Network availability at Layer 2 of the OSI model requires redundant links between the switches in your topology as well as redundant paths through the network. However, this creates a problem known as a Layer 2 loop, as shown in Figure 5-1. Notice how traffic from SW1 can be sent on both links to SW2 and vice versa. Therefore, traffic sent from SW1 on one link to SW2 can go back to SW1 on the other link and continue indefinitely because there is no mechanism built in to a Layer 2 frame that will stop the frame from looping forever through the network, as shown with Loop1 in Figure 5-1. This is different from Layer 3 packets that have a time-to-live (TTL) field that will terminate the packet if it does not reach its destination within a finite number of router hops. In addition, notice how there is a larger loop between SW1, SW3, and SW2 (Loop 2). Therefore, frames sent out any of the interfaces interconnecting these switches could loop indefinitely through the network as well.

[Figure 5-1 Layer 2 Loops: SW1 (MAC Address AAAA.AAAA.AAAA, Priority 32768) and SW2 (MAC Address BBBB.BBBB.BBBB, Priority 32768) are connected by two parallel links, Gi1/0/5–Gi1/0/5 and Gi1/0/6–Gi1/0/6 (Loop1). SW3 (MAC Address CCCC.CCCC.CCCC, Priority 32768) connects its Gi0/1 to SW1 Gi1/0/1 and its Gi0/2 to SW2 Gi1/0/2, forming a larger loop through all three switches (Loop 2).]

Therefore, Layer 2 loops need to be prevented by a protocol known as Spanning Tree Protocol (STP). IEEE 802.1D STP allows a network to physically have Layer 2 loops while strategically blocking data from flowing over one or more switchports to prevent the looping of traffic. You need to have a solid understanding of how STP makes decisions when troubleshooting Layer 2 issues. Therefore, this section reviews how an STP topology is dynamically formed. In addition, this section discusses commands useful in troubleshooting STP issues.

Reviewing STP Operation

STP uses Bridge Protocol Data Units (BPDUs) to build the STP topology. BPDU packets contain information on ports, addresses, priorities, and costs needed to build the STP topology and ensure that the data ends up where it was intended to go. BPDU messages are exchanged every 2 seconds by default across switches to detect loops in a network topology. The loops are then removed by logically blocking selected bridge interfaces and placing them in the blocked state. STP prevents Layer 2 loops from occurring in a network, because such an occurrence could result in a broadcast storm or the corruption of a switch's MAC address table.

Switches in an STP topology are classified as one of the following:

■ Root bridge: The root bridge is a switch elected to act as a reference point for a spanning tree topology. The switch with the lowest bridge ID (BID) is elected as the root bridge. The BID is made up of a priority value (default is 32768) and a MAC address (the base Ethernet MAC of the switch, as shown in the output of the show version command). The priority is used first; only if the priority is tied between two or more switches will the MAC address be used to break the tie. The MAC address is read left to right. Because a MAC address is based on hexadecimal, lower to higher is 0–9, then A–F.

■ Nonroot bridge: All other switches in the STP topology are considered nonroot bridges.

Figure 5-2 illustrates the root bridge election in a network. Notice that because all bridge priorities are 32768 (default), the switch with the lowest MAC address (that is, SW1) is elected as the root bridge.

[Figure 5-2 Root Bridge Election: same topology as Figure 5-1. SW1 (Priority 32768, MAC Address AAAA.AAAA.AAAA) is the Root Bridge; SW2 (Priority 32768, MAC Address BBBB.BBBB.BBBB) and SW3 (Priority 32768, MAC Address CCCC.CCCC.CCCC) are Non-Root Bridges.]

Remember the golden rule of STP: Lower is better and ties are not acceptable.

Note: Remembering this rule will help you during each step of the election processes.

Switchports in an STP topology are categorized as one of the following port roles described in Table 5-2 and illustrated in Figure 5-3.

Table 5-2 STP Port Roles

Root port (RP): Every nonroot bridge has a single root port (this is mandatory). It is the port on the switch that is closest to the root bridge, in terms of cost, which is inversely proportional to bandwidth by default. If cost is tied, the upstream BID is used to break the tie. If the upstream BID is tied, the upstream port ID (PID) is used to break the tie.

Designated port (DP): Every network segment has a single designated port (this is mandatory). It is the port on the segment that is closest to the root bridge, in terms of cost. If cost is tied, the upstream BID is used to break the tie. If the upstream BID is tied, the upstream port ID (PID) is used to break the tie.

Nondesignated port (X): These are the ports blocking traffic to create a loop-free topology.

Note: Because all ports on the root bridge are as close as you could get to the root bridge, all ports on a root bridge are DPs.

[Figure 5-3 STP Port Roles: same topology as Figure 5-2. SW1 is the Root Bridge and its ports Gi1/0/5, Gi1/0/6, and Gi1/0/1 are all DPs. On Non-Root Bridge SW2, Gi1/0/5 is the RP and Gi1/0/2 is the DP. On Non-Root Bridge SW3, Gi0/1 is the RP.]

Table 5-3 shows the default port costs for various link speeds for both 802.1D STP and its successor 802.1D-2004 STP. Notice the higher the speed, the lower the cost.

Table 5-3 Default Port Costs

Link Speed                    802.1D STP Port Cost   802.1D-2004 STP Port Cost
10 Mbps (Ethernet)            100                    2000000
100 Mbps (Fast Ethernet)      19                     200000
1 Gbps (Gigabit Ethernet)     4                      20000
10 Gbps (Ten Gig Ethernet)    2                      2000
100 Gbps                      N/A                    200
1 Tbps                        N/A                    20
10 Tbps                       N/A                    2

Determining Root Port

Being able to determine why a port has a specific role is important for troubleshooting and tuning the STP topology. Notice the root port for switch SW2 is Gig 1/0/5 in Figure 5-3. Why was it chosen as the root port? If you are not sure, review the following steps for determining the root port on a switch:

1. Identify the port that has the lowest cumulative cost path to the root bridge. Remember that a lower cost is better and that the cost used is the cumulative path cost. In Figure 5-3, the total cost from SW2 Gi1/0/5 to the root bridge is 4. The total cost from SW2 Gi1/0/6 to the root bridge is 4. The total cost from SW2 Gi1/0/2 to the root bridge is (4 + 4) 8. Therefore, we have a tie for the lowest value at 4. Remember, lower is better and ties are not acceptable. Proceed to Step 2.

2. Identify the SW2 port (Gi1/0/5 or Gi1/0/6) that receives a BPDU with a lower upstream BID. When the path cost is tied, you use the lowest upstream BID as a tiebreaker. The priority is checked first for the BPDUs received by SW2 on Gi1/0/5 and Gi1/0/6 from SW1. In this case, the BPDUs will have the same priority because they are sent from the same switch (SW1) with a priority of 32768. Next is to compare the MAC addresses listed in the BPDUs. Again, they are both the same because switches use the same base Ethernet MAC address for all BPDUs sent on all interfaces. In Figure 5-3, both received BPDUs from SW1 have a priority of 32768 and a MAC of AAAA.AAAA.AAAA; therefore, the BID received in the BPDUs from SW1 is tied. Proceed to Step 3.

3. Identify the port that receives a BPDU with a lower upstream PID. When the upstream BID is tied, you use the upstream PID to break the tie. When SW1 sends BPDUs, it includes a PID. This PID includes a port priority number and an interface number. The priority number can be manually changed (default 128); however,

the interface number cannot. It is generated by the switch to identify the port. In Figure 5-3, when SW2 receives the BPDUs from SW1, the received BPDU on Gi1/0/5 has a PID attached of 128.5 and the received BPDU on Gi1/0/6 has a PID attached of 128.6. Lower is better; therefore, SW2 Gi1/0/5 is elected the root port based on the PID value sent from SW1 in the BPDUs. SW1 would more than likely have a PID of 128.5 on Gi1/0/5 and 128.6 on Gi1/0/6 by default.

Focusing on SW3 in Figure 5-3 shows a total cost of 4 to get to the root bridge using Gi0/1 and a total cost of 8 using Gi0/2. Therefore, Gi0/1 is elected as the root port.

Determining Designated Port

When determining the designated ports for each segment, you follow the same steps listed in the previous section for the root port election. Remember that every port on the root bridge will be a designated port. Therefore, without performing any calculations, you already know a few designated ports in the topology, as depicted in Figure 5-3. Therefore, in Figure 5-3 the only link/segment remaining without a designated port is the segment between SW2 and SW3. We can see that it is already labeled as Gi1/0/2 on SW2, but why? Let's walk through the steps together:

1. Identify the port on the segment with the lowest cumulative cost back to the root bridge. This is tricky if you do not know where to position yourself. Here is my trick. Pretend you are standing in the middle of the segment between SW2 and SW3. Point to SW2. SW2 Gi1/0/2 has a cumulative cost (including the cost of the segment itself) of (4 + 4) = 8. Point to SW3. SW3 Gi0/2 has a cumulative cost (including the cost of the segment itself) of (4 + 4) = 8. We have a tie, so we move on to Step 2.

2. Find the upstream switch with the lowest BID. Still standing in the middle of the segment, point to SW2. What is the priority? 32768. What is the MAC address? BBBB.BBBB.BBBB. Point to SW3. What is the priority? 32768. We have a tie. We then need to look at the MAC address. What is the MAC address? CCCC.CCCC.CCCC. Which one is lower? It is the MAC address of SW2. Therefore, SW2's port Gi1/0/2 is the designated port for the segment between SW2 and SW3.

Determining Nondesignated Port

Every other port that is not a root port or a designated port is a nondesignated port and will be blocking traffic. Nondesignated ports do not forward traffic during normal operation but do receive BPDUs to determine the state of the STP topology. If a link in the topology goes down, the nondesignated port indirectly detects the link failure from BPDUs and determines whether it needs to transition to the forwarding state or not to ensure network availability while preventing loops. If a nondesignated port does need to transition to the forwarding state, the type of STP in use will determine how long it takes to transition to the forwarding state. STP (802.1D), Common Spanning Tree (CST), and Cisco's implementation of STP (PVST+) transition through the following states:
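The root port, designated port, and nondesignated port elections walked through above can be reproduced mechanically. The following is an added example, not code from the book or from Cisco: it encodes the Figure 5-3 topology and applies the same rules (lowest BID for the root; then lowest cumulative cost, upstream BID, and upstream PID as tiebreakers). The interface numbers used in the PIDs (1, 2, 5, 6, 25, 26) are assumptions consistent with the chapter's examples.

```python
# Added example (not from the book): re-run the STP port role election of
# Figure 5-3 with the rules the chapter describes.
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int  # 32768 by default
    mac: str       # base Ethernet MAC as shown by "show version"

    def bid(self):
        # Priority first; the MAC is compared as a number, so 0-9 sorts before A-F
        return (self.priority, int(self.mac.replace(".", ""), 16))


@dataclass(frozen=True)
class Port:
    bridge: str
    name: str
    number: int          # interface number carried in the port ID (assumed values)
    priority: int = 128  # default port priority

    def pid(self):
        return (self.priority, self.number)


@dataclass(frozen=True)
class Link:
    p1: Port
    p2: Port
    cost: int = 4  # 802.1D cost of a Gigabit Ethernet link (Table 5-3)


def root_path_costs(bridges, links, root):
    """Cheapest cumulative cost from every bridge back to the root (Dijkstra)."""
    adj = {n: [] for n in bridges}
    for l in links:
        adj[l.p1.bridge].append((l.p2.bridge, l.cost))
        adj[l.p2.bridge].append((l.p1.bridge, l.cost))
    cost = {n: float("inf") for n in bridges}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for m, lc in adj[n]:
            if c + lc < cost[m]:
                cost[m] = c + lc
                heapq.heappush(heap, (cost[m], m))
    return cost


def port_roles(bridges, links):
    """Return (root bridge name, {Port: 'Root' | 'Desg' | 'Altn'})."""
    root = min(bridges.values(), key=Bridge.bid).name
    rpc = root_path_costs(bridges, links, root)
    roles = {}
    # Root port: per nonroot bridge, the port whose received BPDU has the lowest
    # (cumulative cost, upstream BID, upstream PID); lower is better, no ties
    received = {}
    for l in links:
        for near, far in ((l.p1, l.p2), (l.p2, l.p1)):
            bpdu = (rpc[far.bridge] + l.cost, bridges[far.bridge].bid(), far.pid())
            received.setdefault(near.bridge, []).append((bpdu, near))
    for name, bpdus in received.items():
        if name != root:
            roles[min(bpdus, key=lambda b: b[0])[1]] = "Root"
    # Designated port: per segment, the end with the lowest
    # (cost to root including the segment, its own BID, its own PID)
    for l in links:
        best = min((l.p1, l.p2), key=lambda p: (rpc[p.bridge] + l.cost,
                                                 bridges[p.bridge].bid(), p.pid()))
        roles.setdefault(best, "Desg")
    # Every remaining port is nondesignated and blocks (Altn BLK in show output)
    for l in links:
        for p in (l.p1, l.p2):
            roles.setdefault(p, "Altn")
    return root, roles


def figure_5_3():
    """Topology of Figure 5-3; returns (root, {'SWx Gi...': role})."""
    bridges = {b.name: b for b in (
        Bridge("SW1", 32768, "AAAA.AAAA.AAAA"),
        Bridge("SW2", 32768, "BBBB.BBBB.BBBB"),
        Bridge("SW3", 32768, "CCCC.CCCC.CCCC"))}
    links = [
        Link(Port("SW1", "Gi1/0/5", 5), Port("SW2", "Gi1/0/5", 5)),
        Link(Port("SW1", "Gi1/0/6", 6), Port("SW2", "Gi1/0/6", 6)),
        Link(Port("SW1", "Gi1/0/1", 1), Port("SW3", "Gi0/1", 25)),
        Link(Port("SW2", "Gi1/0/2", 2), Port("SW3", "Gi0/2", 26)),
    ]
    root, roles = port_roles(bridges, links)
    return root, {f"{p.bridge} {p.name}": r for p, r in roles.items()}
```

Changing a priority or a link cost in figure_5_3() and re-running shows which tiebreaker flips a role, which is the same reasoning you apply when tuning a topology.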

■ Blocking: The port remains in the blocking state until it needs to transition. During the blocking state, a nondesignated port evaluates BPDUs in an attempt to determine its role in the spanning tree. If it needs to transition, it will wait for 20 seconds by default. This is known as the max age time. It is essentially the time-to-live of a BPDU. A BPDU is only valid for 20 seconds. If a new BPDU is not received before the max age time expires, the switch considers the BPDU stale and transitions to the listening state.

■ Listening: The port remains in this state for 15 seconds by default (15 seconds is known as the forward delay). During this time, the port sources BPDUs, which inform adjacent switches of the port's intent to forward data. In addition, it receives BPDUs from other switches, which will help in the building of the STP topology and determining the root ports and designated ports.

■ Learning: The port moves from the listening state to the learning state and remains in this state for 15 seconds by default. During this time, the port begins to add entries to its MAC address table while still sending and receiving BPDUs to ensure that the decisions made in relation to the STP topology are still accurate.

■ Forwarding: The port moves from the learning state to the forwarding state and begins to forward frames while learning MAC addresses and sending and receiving BPDUs. Root ports and designated ports are in this state.

As you can see, the total time to transition from the blocking state to the forwarding state is 50 seconds with 802.1D. Rapid Spanning Tree Protocol (802.1w) and Multiple Spanning Tree Protocol (802.1s) use a handshaking mechanism rather than timers as their primary method of convergence. Therefore, convergence is 5 seconds or less. However, 802.1w and 802.1s rely on the same timers as 802.1D as backup. If the handshaking mechanism fails, or if a neighboring switch is using 802.1D, timers are used with them for backward compatibility.

Collecting Information About an STP Topology

Cisco Catalyst switches will dynamically form a spanning-tree topology using default port costs and bridge priorities right out of the box. You do not have to do anything. However, the resulting STP topology might not be the best for your organization. For example, you might want to influence a particular switch to become a root bridge to ensure optimal traffic forwarding through a Layer 2 topology. In addition, you might want traffic for one VLAN to take a certain path while traffic for other VLANs takes a different path. If you ever need to manipulate STP, you need to know the current topology and how to modify it. This section identifies the various methods we can use to gather information about our STP topology.

Gathering STP Information

When troubleshooting an STP topology, one of the first tasks is to learn which switch is acting as the root bridge, in addition to learning the port roles on the various switches

in the topology. Not only is this information important in understanding how frames are currently flowing through the topology, but comparing the current STP state of a topology to a baseline state can also provide clues as to the underlying cause of an issue, such as suboptimal traffic forwarding.

The show spanning-tree [vlan {vlan_id}] command can display information about the STP state of a switch. The VLAN is specified because Cisco Catalyst switches use Per-VLAN Spanning Tree + (PVST+) by default. PVST+ allows a switch to run a separate STP instance for each VLAN. Consider Example 5-1, which shows the output from the show spanning-tree vlan 1 command.

Example 5-1 show spanning-tree vlan Command Output

SW3#show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32768
             Address     aaaa.aaaa.aaaa
             Cost        4
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     cccc.cccc.cccc
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.25   P2p
Gi0/2               Altn BLK 4         128.26   P2p

The output in Example 5-1 shows that SW3 is not the root bridge for the spanning tree of VLAN 1. This is because the MAC address of the root bridge (Root ID) differs from the MAC address of SW3 (Bridge ID), and it does not state that this switch is the root bridge. In addition, there is a root port on the switch, which a root bridge cannot have. The Gig 0/1 port of switch SW3 is the root port of the switch, whereas port Gig 0/2 is a nondesignated port. (That is, it is a blocking port.) Note that the port cost of Gig 0/1 is 4, and the port cost of Gig 0/2 is 4 as well.

The show spanning-tree interface interface_type interface_number detail command, as shown in Example 5-2, displays the number of BPDUs sent and received, the port identifier, and the designated root and designated bridge priority and MAC address. Note that in a stable topology, root ports should only receive BPDUs, and designated ports should only send BPDUs. Therefore, if you see a high number of sent and received BPDUs on ports, you have an unstable STP topology and need to determine why this is so and fix it.

Example 5-2 show spanning-tree interface interface_type interface_number detail Command Output

SW3#show spanning-tree interface gig 0/1 detail
 Port 25 (GigabitEthernet0/1) of VLAN0001 is root forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.25.
   Designated root has priority 32768, address aaaa.aaaa.aaaa
   Designated bridge has priority 32768, address aaaa.aaaa.aaaa
   Designated port id is 128.1, designated path cost 0
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1, received 1245

Gathering MSTP Information

Multiple Spanning Tree Protocol (MSTP) allows you to group multiple VLANs into a single STP instance. This significantly improves STP in end-to-end VLAN deployments where a large number of VLANs are maintained by many switches. When you group various VLANs together into the same instance, the CPU does not have to process BPDUs for all the different VLANs. In fact, with MSTP, only MST0 (known as the IST) is used to send BPDUs, and all the other MST instances are listed in the MST0 BPDUs as M-records. This improves CPU performance.

Consider this. If you have 100 VLANs and you only have 2 uplinks from an access layer switch to the distribution layer, you can group half the VLANs in one instance and the other half in another instance. You can then manipulate who the root bridge is so that one instance ends up using one uplink and the other instance uses the other uplink. You have just achieved load sharing and reduced the number of STP instances from 100 to 2, thus conserving CPU resources. To ensure you optimize load sharing, you need to gather statistics about the traffic flowing through the network on a VLAN-by-VLAN basis and make sure that you do not place heavily used VLANs in the same MSTP instance, or you will not achieve optimal load sharing.

When deploying and troubleshooting MSTP, you have to remember these three very important rules for switches in the same region:

■ The MSTP region name must match.

■ The MSTP revision number must match.

■ The MSTP instance to VLAN mappings must be the same on all the switches.

If any of the items listed do not match exactly, the digest that is sent within an MSTP BPDU will be different, and the switches will consider each other to be in a different MSTP region and therefore produce different spanning-tree topologies than the administrator envisioned. To verify the current region name, revision number, and VLAN to instance mappings on a switch, issue the show spanning-tree mst configuration command, as shown in Example 5-3.
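The three region rules above can be checked offline by comparing show spanning-tree mst configuration output collected from each switch. The following is an added example, not code from the book or from Cisco: it parses that output (with or without the square brackets some IOS releases print around the name), expands the VLAN ranges, and reports each way a switch differs from the first one. The outputs for SW1 and SW2 are constructed for this example; SW3's mirrors Example 5-3.

```python
# Added example (not from the book): find why switches would not share an MSTP
# region by diffing their "show spanning-tree mst configuration" output.
import re


def expand_vlans(spec):
    """'1-9,11-19,201-4094' -> set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_mst_config(output):
    """Return {'name': str, 'revision': int, 'instances': {inst: set(vlans)}}."""
    cfg = {"name": None, "revision": None, "instances": {}}
    for line in output.splitlines():
        if m := re.match(r"\s*Name\s+\[?([^\]\s]*)\]?", line):
            cfg["name"] = m.group(1)
        elif m := re.match(r"\s*Revision\s+(\d+)", line):
            cfg["revision"] = int(m.group(1))
        elif m := re.match(r"\s*(\d+)\s+([\d,\-]+)\s*$", line):
            cfg["instances"][int(m.group(1))] = expand_vlans(m.group(2))
    return cfg


def region_mismatches(configs):
    """configs: {switch: output}. Returns human-readable mismatches relative to
    the first switch; an empty list means all switches agree on the region."""
    parsed = {sw: parse_mst_config(out) for sw, out in configs.items()}
    ref_name, ref = next(iter(parsed.items()))
    problems = []
    for sw, cfg in parsed.items():
        if sw == ref_name:
            continue
        if cfg["name"] != ref["name"]:
            problems.append(f"{sw}: region name {cfg['name']!r} != {ref['name']!r}")
        if cfg["revision"] != ref["revision"]:
            problems.append(f"{sw}: revision {cfg['revision']} != {ref['revision']}")
        # Any VLAN mapped to a different instance changes the digest in the BPDU
        for inst in sorted(set(ref["instances"]) | set(cfg["instances"])):
            a = ref["instances"].get(inst, set())
            b = cfg["instances"].get(inst, set())
            if a != b:
                problems.append(f"{sw}: instance {inst} mapping differs on VLANs {sorted(a ^ b)}")
    return problems


# Constructed output, same values as Example 5-3
SW3_OUT = """\
Name      TSHOOT
Revision  10     Instances configured 2
Instance  Vlans mapped
--------  -----------------------------------------
0         1-9,11-19,21-99,101-199,201-4094
1         10,100
2         20,200
"""
# SW2 matches SW3 exactly; on SW1 an operator mapped VLAN 100 to instance 2
SW2_OUT = SW3_OUT
SW1_OUT = SW3_OUT.replace("1         10,100", "1         10") \
                 .replace("2         20,200", "2         20,100,200")


def check_region():
    """Compare the three switches; expected: two findings, both on SW1."""
    return region_mismatches({"SW3": SW3_OUT, "SW2": SW2_OUT, "SW1": SW1_OUT})
```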

Example 5-3 show spanning-tree mst configuration Command Output

SW3#show spanning-tree mst configuration
Name      TSHOOT
Revision  10     Instances configured 2
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-99,101-199,201-4094
1         10,100
2         20,200
-------------------------------------------------------------------------------

STP Troubleshooting Issues

If STP fails to operate correctly, Layer 2 frames can endlessly circulate through a network because of the loop created. This behavior can lead to issues such as MAC address table corruption and broadcast storms. In this section we analyze the results of an STP failure.

Corruption of a Switch's MAC Address Table

Recall from Chapter 4, "Troubleshooting Layer 2 Trunks, VTP, and VLANs," that the MAC address table determines what a switch will do with a frame. Therefore, this table needs to be accurate. A switch will dynamically learn what MAC addresses are reachable off its ports; however, in the event of an STP failure, the MAC address table of a switch can become corrupt. To illustrate, consider Figure 5-4. PC1 is transmitting traffic to PC2. When the frame sent from PC1 is transmitted on segment A, the frame is seen on the Gig 0/1 ports of switches SW1 and SW2, causing both switches to add an entry to their MAC address tables (AAAA.AAAA.AAAA is associated with port Gig 0/1). Because STP is not functioning, both switches then forward the frame out segment B. As a result, PC2 receives two copies of the frame. Also, switch SW1 sees the frame forwarded out the Gig 0/2 port of switch SW2. Because the frame has a source MAC address of AAAA.AAAA.AAAA, switch SW1 incorrectly updates its MAC address table, indicating that a MAC address of AAAA.AAAA.AAAA resides off port Gig 0/2. Similarly, switch SW2 sees the frame forwarded onto segment B by switch SW1 on its Gig 0/2 port. Therefore, switch SW2 also incorrectly updates its MAC address table. As a result of this, all frames destined to AAAA.AAAA.AAAA will be forwarded out Gig0/2 and never reach PC1. That was a simplified example of what would occur. In reality, as frames continue to propagate through the network, not only would the MAC address table be corrupt, it would be unstable. At one moment AAAA.AAAA.AAAA would be learned on Gig0/1, then Gig0/2, then back on Gig0/1, then Gig0/2.

[Figure 5-4 MAC Address Table Corruption: PC1 (MAC Address AAAA.AAAA.AAAA) sits on Segment A, which connects to Gig 0/1 of both SW1 and SW2; Segment B connects Gig 0/2 of both switches to PC2, which receives duplicate frames. Switch SW1's MAC Address Table and Switch SW2's MAC Address Table both list AAAA.AAAA.AAAA on Gig 0/1 and on Gig 0/2.]

You will be able to recognize this issue because syslog messages will be generated identifying that you have MAC addresses flapping between different ports on the same switch. The following syslog messages show that the MAC addresses are being learned on Gi0/1 and Gi0/2, and this would occur only if there were a loop allowing the same frame to be seen on multiple interfaces:

%SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.0114 in vlan 20 is flapping between port Gi0/1 and port Gi0/2
%SW_MATM-4-MACFLAP_NOTIF: Host 8049.7111.7e05 in vlan 502 is flapping between port Gi0/1 and port Gi0/2
%SW_MATM-4-MACFLAP_NOTIF: Host 0050.b60c.f21b in vlan 20 is flapping between port Gi0/1 and port Gi0/2

Broadcast Storms

As previously mentioned, when a switch receives a broadcast frame (that is, a frame destined for a MAC address of FFFF.FFFF.FFFF), the switch floods the frame out all switchports except the port on which the frame was received. The same is true for unknown unicast and multicast frames. Because a Layer 2 frame does not have a TTL field, a broadcast frame endlessly circulates through the Layer 2 topology, consuming resources on both switches and attached devices (for example, user PCs). Figure 5-5 illustrates how a broadcast storm can form in a Layer 2 topology when STP is not functioning correctly.
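The MAC flapping messages above are the earliest sign of an STP failure, but a single host flapping can also be a device that was simply moved to another port. The following is an added example, not code from the book or from Cisco: it parses %SW_MATM-4-MACFLAP_NOTIF lines from a syslog feed and flags a port pair only when several distinct hosts flap across the same two ports, which is the loop signature. The log lines are constructed for this example, modelled on the messages shown above.

```python
# Added example (not from the book): detect the Layer 2 loop signature in
# MACFLAP syslog messages.
import re
from collections import defaultdict

MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)")


def parse_macflap(line):
    """Return {'mac', 'vlan', 'ports'} for a MACFLAP_NOTIF line, else None."""
    m = MACFLAP_RE.search(line)
    if not m:
        return None
    # Order the pair so "Gi0/1 and Gi0/2" and "Gi0/2 and Gi0/1" group together
    return {"mac": m["mac"], "vlan": int(m["vlan"]),
            "ports": tuple(sorted((m["p1"], m["p2"])))}


def find_loop_candidates(lines, min_hosts=2):
    """Map each port pair to the distinct (vlan, mac) hosts flapping across it and
    keep only pairs with at least min_hosts hosts: many unrelated hosts (even in
    different VLANs) flapping between the same two ports points at a loop, not at
    a host that moved."""
    hosts_by_pair = defaultdict(set)
    for line in lines:
        ev = parse_macflap(line)
        if ev:
            hosts_by_pair[ev["ports"]].add((ev["vlan"], ev["mac"]))
    return {pair: sorted(h) for pair, h in hosts_by_pair.items() if len(h) >= min_hosts}


# Constructed sample syslog feed (values modelled on the messages in the text)
SAMPLE_LOG = [
    "%SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.0114 in vlan 20 is flapping between port Gi0/1 and port Gi0/2",
    "%SW_MATM-4-MACFLAP_NOTIF: Host 8049.7111.7e05 in vlan 502 is flapping between port Gi0/1 and port Gi0/2",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up",
    "%SW_MATM-4-MACFLAP_NOTIF: Host 0050.b60c.f21b in vlan 20 is flapping between port Gi0/1 and port Gi0/2",
    # one laptop re-plugged from Fa0/3 to Fa0/4: a single host, not a loop
    "%SW_MATM-4-MACFLAP_NOTIF: Host 001b.7777.1234 in vlan 10 is flapping between port Fa0/3 and port Fa0/4",
]
```

Run against a real feed, the port pair reported is where to start with show spanning-tree on the affected switch, since one of those two ports should have been blocking.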

[Figure 5-5 Broadcast Storm: PC1 on Segment A sends a broadcast frame destined for FFFF.FFFF.FFFF (1); SW1 and SW2 receive it on Gig 0/1 and flood it out Gig 0/2 onto Segment B toward PC2 (2); both switches then receive the copies on Gig 0/2 and flood them back out Gig 0/1 onto Segment A (3).]

1. PC1 sends a broadcast frame onto Segment A, and the frame enters each switch on port Gig 0/1.

2. Both switches flood a copy of the broadcast frame out of their Gig 0/2 ports (that is, on to Segment B), causing PC2 to receive two copies of the broadcast frame.

3. Both switches receive a copy of the broadcast frame on their Gig 0/2 ports (that is, from Segment B) and flood the frame out of their Gig 0/1 ports (that is, onto Segment A), causing PC1 to receive two copies of the broadcast frame.

This behavior continues, as the broadcast frame copies continue to loop through the network. The performance of PC1 and PC2 is impacted, because they also continue to receive copies of the broadcast frame that they must process. A common complaint you will receive from multiple network users at the same time when there is an STP issue is, the network/Internet is really slow. This is because of the broadcast storm consuming the majority of the resources in the Layer 2 network. Therefore, the frames going to the resources that the users need to access are not making it to the destination or are taking a really long time because the network is congested.

Troubleshooting STP Features

STP relies on many features to protect the topology. These features are not enabled by default. Knowing how to troubleshoot these features is important to ensure the STP topology is functioning as it should. This section discusses these features and reviews the commands needed to troubleshoot them.

PortFast

The PortFast feature is used to transition a switchport to the forwarding state as soon as the switchport is enabled. (A device is plugged in, and the switchport is not shut down.) If you are using PortFast with PVST+, RPVST+, or MSTP, when a BPDU is received on a PortFast-enabled switchport, the switchport will immediately transition out of the PortFast state and become a normal switchport. This ensures that it transitions through the necessary states and processes before going to the forwarding state to ensure that a loop is not caused.

You can enable PortFast on an interface-by-interface basis with the spanning-tree portfast interface command or globally with the spanning-tree portfast default command, which will enable it on all nontrunking switchports. Example 5-4 identifies three ways to verify PortFast is enabled on an interface.

Example 5-4 Verifying PortFast-Enabled Interfaces

SW3#show run interface fa0/1
Building configuration...

Current configuration : 108 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
end

SW3#show spanning-tree interface fastEthernet 0/1 portfast
VLAN0010            enabled

SW3#show spanning-tree interface fastEthernet 0/1 detail
 Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 081f.f34e.e300
   Designated bridge has priority 32778, address 2893.fe3a.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 11, received 0

If you enabled PortFast globally, you can use another show command to verify that PortFast was enabled globally: show spanning-tree summary, as shown in Example 5-5. Notice that PortFast Default is enabled. Also notice how the output of the command show spanning-tree interface fastEthernet 0/1 detail in Example 5-5 is different when compared to Example 5-4. In Example 5-5, it states, "The port is in the portfast mode by default," which indicates that PortFast was enabled globally.

Example 5-5 Verifying Globally Enabled PortFast Interfaces

SW3#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for:
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is enabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

SW3#show spanning-tree interface fastEthernet 0/1 detail
 Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 081f.f34e.e300
   Designated bridge has priority 32778, address 2893.fe3a.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode by default
   Link type is point-to-point by default
   Bpdu filter is enabled by default
   BPDU: sent 11, received 0

One of the easiest ways to confirm that a switchport is indeed enabled for PortFast is to review the output of show spanning-tree. As shown in Example 5-6, Fa 0/1 is listed as an Edge port, indicating that PortFast is enabled on the interface.

Example 5-6 Using show spanning-tree to Verify PortFast Status

SW3#show spanning-tree
...output omitted...
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Desg FWD 19        128.1    P2p Edge
Fa0/2               Desg FWD 19        128.2    P2p Edge
Gi0/1               Root FWD 4         128.25   P2p
Gi0/2               Altn BLK 4         128.26   P2p
...output omitted...

BPDU Guard

BPDU Guard is used to enforce STP domain borders. This ensures that the STP topology remains predictable. When a BPDU is received on a switchport enabled with BPDU

Guard, the port will be disabled and placed in the err-disabled state. To verify which ports are in the err-disabled state, issue the command show interfaces status, as shown in Example 5-7. In this example, Fast Ethernet 0/1 is in the err-disabled state. In addition, if you are tracking syslog messages, you will receive the following:

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/1 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

Example 5-7 show interfaces status Command Output

SW3#show interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        err-disabled 10         auto    auto  10/100BaseTX
Fa0/2                        connected    10         a-full  a-100 10/100BaseTX
Fa0/3                        notconnect   1          auto    auto  10/100BaseTX
Fa0/4                        notconnect   1          auto    auto  10/100BaseTX
Fa0/5                        notconnect   1          auto    auto  10/100BaseTX
Fa0/6                        notconnect   1          auto    auto  10/100BaseTX

Like PortFast, BPDU Guard can be enabled on an interface-by-interface basis with the spanning-tree bpduguard enable interface command or globally with the spanning-tree portfast bpduguard default global configuration command. The global command will only enable it on PortFast-enabled interfaces. You can verify whether BPDU Guard is enabled globally using the commands show spanning-tree summary and show spanning-tree interface interface_type interface_number detail, as depicted in Example 5-8.

Example 5-8 Verifying BPDU Guard Is Enabled Globally

SW3#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for:
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short
...output omitted...

SW3#show spanning-tree interface fastethernet 0/1 detail

Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 2893.fe3a.e300
   Designated bridge has priority 32778, address 081f.f34e.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled by default
   BPDU: sent 11, received 0

You can verify if BPDU Guard has been enabled on an interface basis with the show spanning-tree interface interface_type interface_number detail command and the show run interface interface_type interface_number command, as shown in Example 5-9.

Example 5-9 Verifying BPDU Guard Is Enabled on an Interface
SW3#show spanning-tree interface fastethernet 0/1 detail
Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 2893.fe3a.e300
   Designated bridge has priority 32778, address 081f.f34e.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   BPDU: sent 4, received 0
SW3#show run interface fastethernet 0/1
Building configuration...

Current configuration : 140 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
end

To recover from the err-disabled state, remove the device that is sending the rogue BPDUs, and then manually disable and enable the err-disabled interface with the shutdown and then no shutdown commands. Or, you can set up an err-disable recovery feature that will attempt to automatically enable the interface at defined intervals. If the rogue BPDUs are still detected, the interface will go back into the err-disabled state. If the rogue BPDUs are not detected anymore, the interface will automatically recover. To enable the err-disable recovery feature for BPDU Guard, use the errdisable recovery cause bpduguard global configuration command.

BPDU Filter
BPDU Filter is designed to suppress the sending and receiving of BPDUs on an interface. For example, for security reasons, there is no need to send BPDUs out an interface that is connected to an end station or a router: doing so allows the end station to collect the data in the BPDUs and potentially launch an attack against the STP topology. How you enable it determines the extent of BPDUs that will be suppressed:

■ If you enable it globally, with the spanning-tree portfast bpdufilter default command, BPDU Filter will be enabled on all PortFast-enabled interfaces and will suppress the sending of BPDUs out an interface. However, if a BPDU is received on an interface, it will process it normally and, if necessary, transition the interface through the normal STP states/processes.
■ If you enable BPDU Filter manually on an interface with the spanning-tree bpdufilter enable command, it suppresses the sending and receiving of BPDUs. This is not recommended because any received BPDUs are ignored and may result in a Layer 2 loop because the interface is automatically in the forwarding state.

You can verify whether BPDU Filter is enabled globally with the show spanning-tree summary command and the show spanning-tree interface interface_type interface_number detail command, as shown in Example 5-10. If it is enabled on an interface-by-interface basis, which is not recommended, you can verify BPDU Filter with the show spanning-tree interface interface_type interface_number detail command and the show run interface interface_type interface_number command, as shown in Example 5-11.

Example 5-10 Verifying BPDU Filter Is Enabled Globally
SW3#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for:
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is enabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short
SW3#show spanning-tree interface fastethernet 0/1 detail
Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding

   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 2893.fe3a.e300
   Designated bridge has priority 32778, address 081f.f34e.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is enabled by default
   BPDU: sent 11, received 0

Example 5-11 Verifying BPDU Filter Is Enabled on an Interface
SW3#show spanning-tree interface fastethernet 0/1
Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 2893.fe3a.e300
   Designated bridge has priority 32778, address 081f.f34e.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is enabled
   BPDU: sent 18, received 0
SW3#show run interface fastethernet 0/1
Building configuration...

Current configuration : 173 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end

If you are experiencing a Layer 2 loop in your topology, check whether BPDU Filter was enabled on an interface. If so, it would be suppressing the sending and receiving of BPDUs. As a result, a port within the topology is in the forwarding state, causing a Layer 2 loop, when it should be in the blocking state.
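It is easier to find these two settings in the configuration than in a syslog entry after the fact. The following Python, an added example that is not from the book, audits interface stanzas for PortFast ports that lack BPDU Guard (per interface or through the global default) and for interface-level BPDU Filter; the config and show spanning-tree summary fragments are constructed in the style of Examples 5-8 through 5-11.

```python
"""Audit an IOS running-config for the edge-port protections discussed above:
PortFast ports without BPDU Guard, and interface-level BPDU Filter, which
ignores received BPDUs.  Added example, not from the book; the config and
summary text are constructed in the style of Examples 5-8 through 5-11."""
import re

# Constructed config: Fa0/1 is protected, Fa0/2 relies on a global default that
# may not exist, Fa0/3 has the not-recommended interface-level BPDU Filter.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

# Constructed show spanning-tree summary fragments, with and without
# 'spanning-tree portfast bpduguard default' (compare Example 5-8).
SUMMARY_GLOBAL_ON = "Switch is in rapid-pvst mode\nPortFast BPDU Guard Default  is enabled\n"
SUMMARY_GLOBAL_OFF = "Switch is in rapid-pvst mode\nPortFast BPDU Guard Default  is disabled\n"


def parse_interfaces(config):
    """{interface name: [stripped config lines]} for every 'interface' stanza."""
    return {name: [l.strip() for l in body.splitlines() if l.strip()]
            for name, body in re.findall(r"^interface (\S+)\n((?:[ \t].*\n?)*)", config, re.M)}


def global_bpduguard_default(summary):
    """True when show spanning-tree summary reports the PortFast BPDU Guard
    default as enabled, i.e. every PortFast port is already covered."""
    m = re.search(r"PortFast BPDU Guard Default\s+is (enabled|disabled)", summary)
    return m is not None and m.group(1) == "enabled"


def audit_edge_ports(config, summary):
    """Return sorted (interface, finding) pairs.

    MISSING_BPDUGUARD   PortFast port with neither 'spanning-tree bpduguard enable'
                        nor the global PortFast default: a BPDU from a device on
                        this port is processed instead of err-disabling the port.
    BPDUFILTER_ENABLED  interface-level BPDU Filter: BPDUs are neither sent nor
                        processed, so STP can never block this port.
    """
    covered_globally = global_bpduguard_default(summary)
    findings = []
    for name, lines in parse_interfaces(config).items():
        portfast = any(l.startswith("spanning-tree portfast") and not l.endswith("disable")
                       for l in lines)
        if portfast and not covered_globally and "spanning-tree bpduguard enable" not in lines:
            findings.append((name, "MISSING_BPDUGUARD"))
        if "spanning-tree bpdufilter enable" in lines:
            findings.append((name, "BPDUFILTER_ENABLED"))
    return sorted(findings)
```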

Root Guard
Root Guard is designed to protect the root bridge by ensuring that certain ports on non-root bridges are prevented from becoming root ports. If you recall, the root port on a switch points to the root bridge. If a rogue switch is introduced to the STP topology with a superior BID, it can become the root bridge, and root ports would change on all the other switches so that the new root ports point to the rogue root bridge. Root Guard stops this from happening by ignoring superior BPDUs that are received on the Root Guard-enabled ports and placing the port in the spanning-tree inconsistent state. Because Root Guard is enabled on an interface-by-interface basis with the command spanning-tree guard root, the command show spanning-tree interface interface_type interface_number detail is used to verify its configuration, as shown in Example 5-12.

Example 5-12 Verifying That Root Guard Is Enabled on an Interface
SW3#show spanning-tree interface fastethernet 0/1
Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 2893.fe3a.e300
   Designated bridge has priority 32778, address 081f.f34e.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is enabled by default
   Root guard is enabled on the port
   BPDU: sent 18, received 0

You can also verify which ports are inconsistent by issuing the show spanning-tree inconsistentports command, as shown in Example 5-13. Notice how Fast Ethernet 0/1 is in the root inconsistent state. This is a good indication that the interface is enabled for Root Guard and that it received a superior BPDU.

Example 5-13 Verifying Inconsistent Ports on a Switch
SW3#show spanning-tree inconsistent ports
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0010             FastEthernet0/1          Root Inconsistent

Number of inconsistent ports (segments) in the system : 1

In addition, when a port goes into the root inconsistent state you will receive a syslog message indicating so, as follows:
%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/1 on VLAN0010.
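The SPANTREE messages quoted for BPDU Guard and Root Guard (and the Loop Guard one that follows) are what a syslog server sees, and they can be replayed to tell which ports a guard is still holding and then checked against what the switch reports. The following Python is an added example, not code from the book: the log lines are constructed in the formats quoted in this chapter, the UNBLOCK message for Loop Guard is assumed to mirror the Root Guard one, and the show output is constructed after Example 5-13.

```python
"""Replay Root Guard, Loop Guard and BPDU Guard syslog events and reconcile them
with show spanning-tree inconsistentports.  Added example written for this page,
not from the book; all log lines and show output below are constructed."""
import re

# Constructed syslog sample, stored the way a syslog server prefixes it.
SAMPLE_LOG = """\
Jun  3 08:12:01 SW3 %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/1 on VLAN0010.
Jun  3 08:12:40 SW3 %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/2 on VLAN0010.
Jun  3 08:13:05 SW3 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/3 with BPDU Guard enabled. Disabling port.
Jun  3 08:13:05 SW3 %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting Fa0/3 in err-disable state
Jun  3 08:14:22 SW3 %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet0/2 on VLAN0010.
"""

# Constructed show spanning-tree inconsistentports output (format of Example 5-13).
SAMPLE_SHOW = """\
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0010             FastEthernet0/1          Root Inconsistent
VLAN0020             GigabitEthernet0/2       Loop Inconsistent

Number of inconsistent ports (segments) in the system : 2
"""

GUARD_RE = re.compile(r"%SPANTREE-2-(?P<guard>ROOTGUARD|LOOPGUARD)_(?P<action>BLOCK|UNBLOCK): "
                      r".*?port (?P<port>\S+) on (?P<vlan>VLAN\d+)")
BPDUGUARD_RE = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+)")
INCONSISTENT_RE = re.compile(r"^(VLAN\d+)\s+(\S+)\s+(Root|Loop) Inconsistent", re.M)


def parse_stp_events(log_text):
    """Return (guard, action, port, vlan) tuples in log order."""
    events = []
    for line in log_text.splitlines():
        m = GUARD_RE.search(line)
        if m:
            events.append((m["guard"], m["action"], m["port"], m["vlan"]))
            continue
        m = BPDUGUARD_RE.search(line)
        if m:
            # BPDU Guard err-disables the whole port, not one VLAN instance.
            events.append(("BPDUGUARD", "BLOCK", m["port"], "*"))
    return events


def currently_blocked(events):
    """Replay events; return {(port, vlan): guard} for ports a guard still holds.
    Root Guard and Loop Guard clear themselves on UNBLOCK once the offending
    BPDUs stop (or resume, for Loop Guard); BPDU Guard stays until the port is
    recovered with shutdown/no shutdown or errdisable recovery."""
    state = {}
    for guard, action, port, vlan in events:
        if action == "BLOCK":
            state[(port, vlan)] = guard
        elif state.get((port, vlan)) == guard:
            del state[(port, vlan)]
    return state


def parse_inconsistent_ports(show_output):
    """{(port, vlan): 'ROOTGUARD' | 'LOOPGUARD'} from show spanning-tree inconsistentports."""
    return {(port, vlan): kind.upper() + "GUARD"
            for vlan, port, kind in INCONSISTENT_RE.findall(show_output)}


def reconcile(log_text, show_output):
    """Compare what the logs imply with what the switch reports right now.
    Only Root/Loop Guard are compared: a BPDU Guard err-disable appears in
    show interfaces status, not in inconsistentports."""
    from_log = {k: g for k, g in currently_blocked(parse_stp_events(log_text)).items()
                if g in ("ROOTGUARD", "LOOPGUARD")}
    from_show = parse_inconsistent_ports(show_output)
    return {"agree": {k for k in from_log if from_show.get(k) == from_log[k]},
            "log_only": set(from_log) - set(from_show),     # log claims a block the switch no longer has
            "show_only": set(from_show) - set(from_log)}    # switch blocks a port the log never showed
```

A non-empty show_only set usually means log lines were lost or rotated; a non-empty log_only set means the port recovered without the UNBLOCK message reaching the collector.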

When a switchport is in the inconsistent state, no manual intervention is required to recover the port from the inconsistent state. All you need to do is remove the device that is sending the superior BPDUs to that switchport from the network, and once the switchport no longer hears the superior BPDUs, the port is automatically taken out of the inconsistent state.

Loop Guard
Loop Guard is a feature designed to provide additional protection against Layer 2 loops. By default, if a nondesignated port ceases to receive BPDUs, it will transition to the forwarding state once the max age timer expires, instead of blocking it. This is all because the BPDUs are no longer arriving on the interface. However, what if the switch was not receiving the BPDUs because the switch that was sending the BPDUs had a software failure preventing it from sending BPDUs? That switch would still be able to send and receive data on the interface. This would produce a loop because the nondesignated port is now sending and receiving data, as well. Loop Guard ensures that the nondesignated port does not erroneously transition to the forwarding state. Instead, it places it in the loop-inconsistent blocking state and generates the following syslog message:
%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/2 on VLAN0010.

To verify which ports are in the loop-inconsistent state, issue the command show spanning-tree inconsistent ports, as shown in Example 5-14.

Example 5-14 Verifying Loop-Inconsistent Ports on a Switch
SW3#show spanning-tree inconsistent ports
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0010             GigabitEthernet0/2       Loop Inconsistent

Number of inconsistent ports (segments) in the system : 1

STP Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 5-6.

Figure 5-6 STP Trouble Ticket Topology
[Figure: CORE sits above SW1 and SW2. SW1 (MAC Address AAAA.AAAA.AAAA, Priority 32768, Root Bridge VLAN 10) connects to SW2 (MAC Address BBBB.BBBB.BBBB, Priority 32768, Non-Root Bridge) over Gi1/0/5 and Gi1/0/6. SW3 (MAC Address CCCC.CCCC.CCCC, Priority 32768, Non-Root Bridge) connects to SW1 Gi1/0/1 from its Gi0/1 and to SW2 Gi1/0/2 from its Gi0/2. PC1 connects to SW3 Fa0/1 in VLAN 10, 10.1.10.0/24.]

Trouble Ticket 5-1
Problem: Based on traffic analyzers, all traffic from the end stations in VLAN 10 destined to the core is flowing through SW2 when it should be flowing through SW1.

According to the topology, SW1 should be the root bridge for VLAN 10. Therefore, all traffic for VLAN 10 should be flowing through SW1 under normal conditions. With this in mind, check the placement of the root bridge using the show spanning-tree vlan 10 command on SW1, as shown in Example 5-15. Notice that SW1 is not the root bridge for VLAN 10. According to the root ID section of the output, the switch with the MAC address bbbb.bbbb.bbbb is the root bridge.

Example 5-15 show spanning-tree vlan 10 Command Output for SW1
SW1#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     bbbb.bbbb.bbbb
             Cost        4
             Port        5 (GigabitEthernet1/0/5)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     aaaa.aaaa.aaaa

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/5             Root FWD 4         128.5    P2p
Gi1/0/6             Altn BLK 4         128.6    P2p

Next you should check which switch is the root bridge. Figure 5-6 shows that bbbb.bbbb.bbbb is the MAC of SW2. However, without the diagram, how would you figure out who the root bridge is? You would follow the path. According to the output in Example 5-15, the port on SW1 to get to the root bridge is Gigabit Ethernet 1/0/5. At the bottom of the output, you can confirm that this is the root port. Therefore, using the show cdp neighbors command, as shown in Example 5-16, you can confirm that SW2 is directly connected to SW1 on port Gi1/0/5.

Example 5-16 show cdp neighbors Command Output on SW1
SW1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW2              Gig 1/0/6         138              S I   WS-C3750E Gig 1/0/6
SW2              Gig 1/0/5         138              S I   WS-C3750E Gig 1/0/5
SW3              Gig 1/0/1         141              S I   WS-C2960. Gig 0/1

You should now verify if SW2 is the root bridge for VLAN 10 using the output of show spanning-tree vlan 10, as shown in Example 5-17. The output shows that SW2 is the root bridge for VLAN 10. It explicitly states This bridge is the root. At the bottom of the output, notice that all the ports are designated ports.

Example 5-17 show spanning-tree vlan 10 Command Output for SW2
SW2#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     bbbb.bbbb.bbbb
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    10     (priority 0 sys-id-ext 10)
             Address     bbbb.bbbb.bbbb
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/2             Desg FWD 4         128.2    P2p
Gi1/0/5             Desg FWD 4         128.5    P2p
Gi1/0/6             Desg FWD 4         128.6    P2p

Upon further analysis of Example 5-17, you will notice that the priority of SW2 is 0 plus the extended system ID (which is the VLAN number), for a total value of 10, which is lower than the priority of SW1, which is 32768 plus 10 (32778), as shown in Example 5-15. It appears that the priority of SW2 was manually lowered. Using the command show run | section spanning-tree indicates that the command spanning-tree vlan 10 priority 0 was executed on SW2, as shown in Example 5-18.

Example 5-18 show run Command Output for SW2
SW2#show run | section spanning-tree
...output omitted...
spanning-tree vlan 10 priority 0
...output omitted...

To solve this issue, we would need to remove this command by executing the no spanning-tree vlan 10 priority 0 command. Once done, we can verify that SW1 is now the root bridge for VLAN 10 with the show spanning-tree vlan 10 command, as shown in Example 5-19.

Example 5-19 show spanning-tree vlan 10 Command Output for SW1
SW1#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     aaaa.aaaa.aaaa
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     aaaa.aaaa.aaaa
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/5             Desg FWD 4         128.5    P2p
Gi1/0/6             Desg FWD 4         128.6    P2p
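This ticket comes down to comparing bridge IDs, and the next one to comparing root path costs. The following Python, an added example that is not from the book, replays both for the Figure 5-6 topology: it elects the root from (priority + sys-id-ext, MAC) and then computes each switch's root port and cost, which is the general algorithm behind both tickets. It assumes the default port priority of 128 everywhere and leaves CORE out, since the tickets never show its BPDUs.

```python
"""Replay the STP root election and root-port selection for VLAN 10 on the
Figure 5-6 topology.  Added example written for this page, not code from the
book.  Priorities, MAC addresses and link costs come from the figure and
Trouble Tickets 5-1 and 5-2; CORE is omitted (its BPDUs are never shown) and
every port is assumed to keep the default port priority of 128."""
import heapq
import re

VLAN = 10
DEFAULT_COST = 4          # Gigabit Ethernet with the short path-cost method

# Constructed from Figure 5-6 and the CDP output of Example 5-16:
# (switch_a, port_a, switch_b, port_b)
LINKS = [
    ("SW1", "Gi1/0/5", "SW2", "Gi1/0/5"),
    ("SW1", "Gi1/0/6", "SW2", "Gi1/0/6"),
    ("SW1", "Gi1/0/1", "SW3", "Gi0/1"),
    ("SW2", "Gi1/0/2", "SW3", "Gi0/2"),
]
MACS = {"SW1": "aaaa.aaaa.aaaa", "SW2": "bbbb.bbbb.bbbb", "SW3": "cccc.cccc.cccc"}
DEFAULT_PRIORITIES = {"SW1": 32768, "SW2": 32768, "SW3": 32768}


def bridge_id(priority, mac, vlan=VLAN):
    """Bridge ID as STP compares it: (priority + sys-id-ext, MAC).  The
    sys-id-ext is the VLAN number, which is why SW1 reports 32778 for VLAN 10
    and SW2 with 'priority 0' reports 10."""
    return (priority + vlan, mac.lower())


def port_key(port):
    """Numeric tuple so Gi1/0/5 sorts before Gi1/0/6 (and before Gi1/0/10); it
    stands in for the sender port ID tie-break when port priorities are equal."""
    return tuple(int(n) for n in re.findall(r"\d+", port))


def elect_root(priorities):
    """priorities: {switch: configured priority}.  The lowest bridge ID wins."""
    return min(priorities, key=lambda s: bridge_id(priorities[s], MACS[s]))


def root_ports(priorities, port_costs=None):
    """Return {switch: (root_path_cost, root_port)}; the root has cost 0 and no
    root port.  port_costs overrides DEFAULT_COST on a (switch, port), e.g.
    {("SW3", "Gi0/1"): 10} for the change found in Trouble Ticket 5-2.  Each
    switch keeps the BPDU with the lowest (root path cost, sender bridge ID,
    sender port), the comparison order an 802.1D bridge applies."""
    port_costs = port_costs or {}
    bid = {s: bridge_id(p, MACS[s]) for s, p in priorities.items()}
    # adj[s]: (neighbor, neighbor's port facing s, cost the neighbor adds, s's port)
    adj = {s: [] for s in priorities}
    for a, pa, b, pb in LINKS:
        adj[a].append((b, pb, port_costs.get((b, pb), DEFAULT_COST), pa))
        adj[b].append((a, pa, port_costs.get((a, pa), DEFAULT_COST), pb))
    root = elect_root(priorities)
    best = {root: ((0, bid[root], ()), None)}   # switch -> (comparison key, root port)
    heap = [(best[root][0], root)]
    while heap:
        key, sw = heapq.heappop(heap)
        if key != best[sw][0]:
            continue                              # superseded heap entry
        for nbr, nbr_port, nbr_cost, sw_port in adj[sw]:
            if nbr == root:
                continue
            cand = (key[0] + nbr_cost, bid[sw], port_key(sw_port))
            if nbr not in best or cand < best[nbr][0]:
                best[nbr] = (cand, nbr_port)
                heapq.heappush(heap, (cand, nbr))
    return {s: (k[0], port) for s, (k, port) in best.items()}


if __name__ == "__main__":
    # Trouble Ticket 5-1: SW2 configured with 'spanning-tree vlan 10 priority 0'
    ticket_5_1 = dict(DEFAULT_PRIORITIES, SW2=0)
    print("5-1 root:", elect_root(ticket_5_1), root_ports(ticket_5_1))
    # Trouble Ticket 5-2: SW3 Gi0/1 configured with 'spanning-tree vlan 10 cost 10'
    print("5-2 SW3:", root_ports(DEFAULT_PRIORITIES, {("SW3", "Gi0/1"): 10})["SW3"])
```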

Trouble Ticket 5-2
Problem: Based on traffic analyzers, all traffic from the end stations in VLAN 10 destined to the core is flowing through SW2 when it should be flowing through SW1.

According to the topology, SW1 should be the root bridge for VLAN 10. Therefore, all traffic for VLAN 10 should be flowing through SW1 under normal conditions. With this in mind, check the placement of the root bridge using the show spanning-tree vlan 10 command on SW1, as shown in Example 5-20. Notice that SW1 is the root bridge for VLAN 10.

Example 5-20 show spanning-tree vlan 10 Command Output for SW1
SW1#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     aaaa.aaaa.aaaa
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     aaaa.aaaa.aaaa
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/5             Desg FWD 4         128.5    P2p
Gi1/0/6             Desg FWD 4         128.6    P2p

We have confirmed that SW1 is the root bridge and this matches our diagram in Figure 5-6. According to Figure 5-6, we have a Gigabit Ethernet link between SW3 and SW1 as well as SW3 and SW2. These links should have a cost of 4 by default. If Figure 5-6 has been kept up to date, we can trust the information displayed. Reviewing the output of show spanning-tree vlan 10 on SW3, as shown in Example 5-21, we can see that to reach the root bridge the total cost is 8 using Gigabit Ethernet 0/2. If we look at Gig0/1, it is currently an alternate port in the blocking state with a cost of 10. This cost of 10 is larger than the total cost of 8 using Gig0/2. It appears that the cost of interface Gig0/1 has been modified.

Example 5-21 show spanning-tree vlan 10 Command Output for SW3
SW3#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778

             Address     aaaa.aaaa.aaaa
             Cost        8
             Port        2 (GigabitEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     cccc.cccc.cccc
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Altn BLK 10        128.1    P2p
Gi0/2               Root FWD 4         128.2    P2p

The output of show run interface gig 0/1 confirms that the cost was modified with the spanning-tree vlan 10 cost 10 command, as shown in Example 5-22.

Example 5-22 show run interface gig 0/1 Command Output for SW3
SW3#show run interface gig 0/1
...output omitted...
 spanning-tree vlan 10 cost 10
...output omitted...

To solve this issue, we need to execute the no spanning-tree vlan 10 cost 10 command in interface configuration mode. After we remove the command, we can verify that SW3 is using Gi0/1 as the root port and that it has a cost of 4 by issuing the show spanning-tree vlan 10 command shown in Example 5-23.

Example 5-23 show spanning-tree vlan 10 Command Output for SW3
SW3#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     aaaa.aaaa.aaaa
             Cost        4
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     cccc.cccc.cccc
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.1    P2p
Gi0/2               Altn BLK 4         128.2    P2p

Trouble Ticket 5-3
Problem: It is Tuesday morning, and a user has indicated that he cannot connect to the network. He also indicates that he had no issues on Monday when he left work at 5:45 p.m.

You attempt to ping from the user's PC to its default gateway, but it fails. You attempt to ping from the user's PC to the Internet, but it fails. Your next task is to make sure that the PC is receiving an IP address from the Dynamic Host Configuration Protocol (DHCP) server in the network. Issuing the command ipconfig /all on the PC as depicted in Example 5-24 indicates that an Automatic Private IP Addressing (APIPA) address (169.254.x.x/16) is being used by the PC. Therefore, it is not able to contact a DHCP server. Also note the MAC address of PC1 at this point, as it will be useful later.

Example 5-24 ipconfig Output for PC
PC1>ipconfig /all

Windows Ip Configuration
<Output Omitted>

Ethernet adapter Local Area Connection:
<Output Omitted>
   Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
   Link-local IPv6 Address . . . . . : fe80::444c:23b1:6e1e:de0c%16
   Dhcp enabled. . . . . . . . . . . : Yes
   Autoconfiguration enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.180.166
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
<Output Omitted>

Issuing the command show mac address-table dynamic on SW3 will indicate whether SW3 is receiving any frames from PC1. Example 5-25 is displaying the MAC address table of SW3, and there is no entry in the table with PC1's MAC address. Therefore, something appears to be wrong at Layer 1 or Layer 2 of the OSI model.

Example 5-25 show mac address-table dynamic Output for SW3
SW3#show mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0800.275d.1234    DYNAMIC     Gi0/1
  10    0800.275d.ac47    DYNAMIC     Fa0/4
  10    0800.275d.b3dd    DYNAMIC     Fa0/3

  10    0800.275d.ce47    DYNAMIC     Fa0/2
  10    0800.275d.ed13    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 6

You verify physical connectivity and everything is perfect. However, you notice that the LED of the switchport PC1 is connected to is amber rather than green, confirming that something is not right. According to Figure 5-6, PC1 should be in VLAN 10. Issuing the command show vlan brief will confirm this for us. Example 5-26 shows that interface Fa0/1, which is connected to PC1, is in VLAN 10. In addition, the output of show interfaces status | include Fa0/1, as shown in Example 5-27, does not indicate that anything is wrong.

Example 5-26 show vlan brief Output for SW3
SW3#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
10   10.1.10.0/24                     active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
20   10.1.20.0/24                     active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

Example 5-27 show interfaces status | include Fa0/1 Output for SW3
SW3#show interfaces status | include Fa0/1
Port      Name    Status        Vlan   Duplex  Speed  Type
Fa0/1             connected     10     a-full  a-100  10/100BaseTX

No other users at this point have indicated that they are experiencing issues. You decide to check the SW3 logs on your syslog server and notice the following entry:
%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/1 on VLAN0010.

It appears that BPDUs are being received by Fast Ethernet 0/1 from PC1. Issuing the command show spanning-tree inconsistentports on SW3 confirms that Fast Ethernet 0/1 is in the root-inconsistent state, as shown in Example 5-28.

Example 5-28 show spanning-tree inconsistentports Output for SW3
SW3#show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0010             FastEthernet0/1        Root Inconsistent

Number of inconsistent ports (segments) in the system : 1

Upon further examination, an application was installed on PC1 after hours that mimics a switch and sends BPDUs. Further investigation will be needed to determine whether this was malicious or by accident, which is beyond the scope of this book. To solve this issue, we remove the offending application from PC1, and the switch will recover the port automatically, as shown in Example 5-29.

Example 5-29 SW3 show spanning-tree inconsistentports Output After Application Removed from PC1
SW3#
%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/1 on VLAN0010.
SW3#show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------

Number of inconsistent ports (segments) in the system : 0

The output of ipconfig on PC1 in Example 5-30 verifies it has an IP address, and a ping to 10.1.10.1, PC1's default gateway, is successful.

Example 5-30 ipconfig and ping Output for PC After Issue Solved
PC1>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : domain.local
   Link-local IPv6 Address . . . . . : fe80::444c:23b1:6e1e:de0c%16
   IPv4 Address. . . . . . . . . . . : 10.1.10.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.10.1

PC1>ping 10.1.10.1

Pinging 10.1.10.1 with 32 bytes of data:
Reply from 10.1.10.1: bytes=32 time=3ms TTL=255
Reply from 10.1.10.1: bytes=32 time<1ms TTL=255
Reply from 10.1.10.1: bytes=32 time=1ms TTL=255
Reply from 10.1.10.1: bytes=32 time=1ms TTL=255

Ping statistics for 10.1.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 3ms, Average = 1ms

Troubleshooting Layer 2 EtherChannel
An exception to STP operation can be made if two switches are interconnected via multiple physical links and those links are configured as an EtherChannel. An EtherChannel logically combines the bandwidth of multiple physical interfaces into a logical connection between switches. Figure 5-7 shows four Gigabit Ethernet links logically bonded into a single EtherChannel link. This section reviews what is necessary to successfully form a Layer 2 EtherChannel bundle and the EtherChannel mode combinations that will successfully form the bundle.

Figure 5-7 Layer 2 EtherChannel
[Figure: SW1 and SW2 joined by four links, Gig 0/1-4 on each switch, bundled into one EtherChannel.]

Reviewing Layer 2 EtherChannel
When multiple ports are combined into a logical EtherChannel, as illustrated in Figure 5-7, STP treats the logical bundle (known as a port channel) as a single port for STP calculation purposes. Following are common troubleshooting targets to consider when troubleshooting an EtherChannel issue:

■ Mismatched port configurations: The configurations of all ports making up an EtherChannel, on both switches, should be identical. Specifically, all ports should have the same speed, duplex, trunk mode, native VLAN configurations, allowed VLAN configurations, and port type (Layer 2 or Layer 3).
■ Mismatched EtherChannel configuration: Both switches forming the EtherChannel should be configured with compatible modes. There are three options: Link Aggregation Control Protocol (LACP), Port Aggregation Protocol (PAgP), and ON. These modes are not compatible with each other. In addition, when using LACP or PAgP, you have to make sure that the modes within the protocol can successfully form the bundle with each other. Table 5-4 identifies which modes can be configured on each switch to successfully form an EtherChannel bundle.
■ Inappropriate EtherChannel distribution algorithm: EtherChannel determines which physical link to use to transmit frames based on a hash calculation. The hashing approach selected should distribute the load fairly evenly across all physical links. For example, a hash calculation might be based only on the destination MAC address of a frame. If the frames are destined for only a few different MAC addresses, the load distribution could be uneven. To verify the load-balancing algorithm in use, issue the show etherchannel load-balance command.

Table 5-4 EtherChannel Modes That Will Successfully Form a Bundle

                           SW1 Mode
SW2 Mode          PAgP Desirable  PAgP Auto  LACP Active  LACP Passive  ON
PAgP Desirable    Yes             Yes        No           No            No
PAgP Auto         Yes             No         No           No            No
LACP Active       No              No         Yes          Yes           No
LACP Passive      No              No         Yes          No            No
ON                No              No         No           No            Yes

EtherChannel Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 5-8.

Figure 5-8 Layer 2 EtherChannel Trouble Ticket Topology
[Figure: SW1 Gi1/0/5 and Gi1/0/6 connect to SW2 Gi1/0/5 and Gi1/0/6; SW1 Gi1/0/1 connects to SW3 Gi0/1; SW2 Gi1/0/2 connects to SW3 Gi0/2.]
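Before the trouble tickets, the two bundling rules above in code: Table 5-4 as a compatibility set and the identical-configuration rule applied to the channel-group members of each switch. This is an added example written for this page, not code from the book; the show run interface snippets are constructed and reproduce the two situations the tickets that follow work through (a member port in a different switchport mode, and PAgP on one side against LACP on the other).

```python
"""Check whether the channel-group members on SW1 and SW2 will bundle, using
the mode matrix of Table 5-4 and the identical-port-configuration rule.
Added example written for this page, not from the book; the interface
snippets are constructed to reproduce Trouble Tickets 5-4 and 5-5."""
import re

# Table 5-4 as the set of mode pairs that form a bundle (order does not matter).
COMPATIBLE = {
    frozenset({"desirable"}), frozenset({"desirable", "auto"}),
    frozenset({"active"}), frozenset({"active", "passive"}),
    frozenset({"on"}),
}
PROTOCOL = {"desirable": "PAgP", "auto": "PAgP",
            "active": "LACP", "passive": "LACP", "on": "ON"}
# Interface settings that must be identical on every member of the bundle.
MUST_MATCH = ("switchport mode", "switchport trunk encapsulation",
              "switchport trunk native vlan", "switchport trunk allowed vlan",
              "speed", "duplex")


def stanza(name, switchport_mode, channel_mode):
    """Constructed show run interface output for one channel-group member."""
    return (f"interface {name}\n switchport trunk encapsulation isl\n"
            f" switchport mode {switchport_mode}\n switchport nonegotiate\n"
            f" channel-group 1 mode {channel_mode}\nend\n")

# Trouble Ticket 5-4: SW1 Gi1/0/5 is an access port while Gi1/0/6 is a trunk.
TT54_SW1 = stanza("GigabitEthernet1/0/5", "access", "active") + stanza("GigabitEthernet1/0/6", "trunk", "active")
TT54_SW2 = stanza("GigabitEthernet1/0/5", "trunk", "passive") + stanza("GigabitEthernet1/0/6", "trunk", "passive")
# Trouble Ticket 5-5: PAgP on SW1 against LACP on SW2.
TT55_SW1 = stanza("GigabitEthernet1/0/5", "trunk", "desirable") + stanza("GigabitEthernet1/0/6", "trunk", "desirable")
TT55_SW2 = TT54_SW2.replace("mode passive", "mode active")


def parse_interfaces(show_run):
    """{interface: [stripped config lines]} for every 'interface' stanza."""
    return {name: [l.strip() for l in body.splitlines() if l.strip()]
            for name, body in re.findall(r"^interface (\S+)\n((?:[ \t].*\n?)*)", show_run, re.M)}


def channel_mode(lines):
    """Return the channel-group mode (e.g. 'active'), or None if not a member."""
    for line in lines:
        m = re.match(r"channel-group \d+ mode (\S+)", line)
        if m:
            return m.group(1)
    return None


def setting(lines, prefix):
    """Value configured for a prefix ('switchport mode' -> 'trunk'); None if absent."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return None


def diagnose(sw1_run, sw2_run):
    """Return findings explaining why the bundle will not form (empty if it should)."""
    findings = []
    modes = {}
    for sw, run in (("SW1", sw1_run), ("SW2", sw2_run)):
        members = {n: l for n, l in parse_interfaces(run).items() if channel_mode(l)}
        # Rule 1: members on one switch must be configured identically.
        for prefix in MUST_MATCH:
            values = {n: setting(l, prefix) for n, l in members.items()}
            if len(set(values.values())) > 1:
                findings.append(f"{sw}: '{prefix}' differs across members: {values}")
        modes[sw] = {channel_mode(l) for l in members.values()}
        if len(modes[sw]) != 1:
            findings.append(f"{sw}: members do not share one channel-group mode: {sorted(modes[sw])}")
    # Rule 2: the pair of modes must be a 'Yes' cell in Table 5-4.
    if all(len(m) == 1 for m in modes.values()):
        m1, m2 = next(iter(modes["SW1"])), next(iter(modes["SW2"]))
        if frozenset({m1, m2}) not in COMPATIBLE:
            findings.append(f"SW1 {m1} ({PROTOCOL[m1]}) and SW2 {m2} ({PROTOCOL[m2]}) "
                            f"do not form a bundle (Table 5-4)")
    return findings
```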

Trouble Ticket 5-4
Problem: A junior network administrator has approached you indicating that the EtherChannel bundle she is trying to form between SW1 and SW2 is not forming. You need to solve this issue for her.

You start by reviewing the output of show etherchannel summary for SW1 and SW2, as shown in Example 5-31. Notice that both switches are using LACP as their protocol; however, the ports are either standalone or suspended, and the port channel is down. This is a good indication that there is a conflict with the port configurations.

Example 5-31 show etherchannel summary Output for SW1 and SW2
SW1#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(s)

SW2#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(I)

To verify the port configuration, you issue the show run interface gigabitethernet 1/0/5 and show run interface gigabitethernet 1/0/6 commands on SW1 and SW2, as shown in Example 5-32. If you look closely, you will notice that the switchport modes do not match on the SW1 interfaces that are part of the EtherChannel bundle. To form the bundle, they have to match.

Example 5-32 show run interface gigabitethernet Output for SW1 and SW2
SW1#show run interface gigabitethernet 1/0/5
Building configuration...

Current configuration : 189 bytes
!
interface GigabitEthernet1/0/5
 switchport trunk encapsulation isl
 switchport mode access
 switchport nonegotiate
 channel-group 1 mode active
end

SW1#show run interface gigabitethernet 1/0/6
Building configuration...

Current configuration : 189 bytes
!
interface GigabitEthernet1/0/6
 switchport trunk encapsulation isl
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
end

SW2#show run interface gigabitethernet 1/0/5
Building configuration...

Current configuration : 151 bytes
!
interface GigabitEthernet1/0/5
 switchport trunk encapsulation isl
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode passive
end

SW2#show run interface gigabitethernet 1/0/6
Building configuration...

Current configuration : 151 bytes
!
interface GigabitEthernet1/0/6
 switchport trunk encapsulation isl
 switchport mode trunk

in use f .default port From the Library of Outcast Outcast . Chapter 5: Troubleshooting STP and Layer 2 EtherChannel 203 switchport nonegotiate channel-group 1 mode passive end Once you change the switchport mode on SW1 Gigabit Ethernet 1/0/5 with the switch- port mode trunk command. as shown with the following logging messages: %LINK-3-UPDOWN: Interface Port-channel1.not in use. the port channel interface should come up. as shown in Example 5-33. the EtherChannel bundle should now be successfully formed.failed to allocate aggregator M .down P .stand-alone s . Example 5-33 show etherchannel summary Output for SW1 and SW2 After Problem Solved SW1#show etherchannel summary Flags: D . changed state to up In addition. minimum links not met u .Hot-standby (LACP only) R .suspended H .Layer3 S .Layer2 U .in use f .Layer2 U . Reviewing the output of show etherchannel summary on SW1 and SW2 indicates that the ports are successfully bundled with the (P) flags and that the port channel is in use with the (U) flag.stand-alone s . minimum links not met u .down P .Hot-standby (LACP only) R .default port Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------- 1 Po1(SU) LACP Gi1/0/5(P) Gi1/0/6(P) SW2#show etherchannel summary Flags: D .waiting to be aggregated d .failed to allocate aggregator M . changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1.unsuitable for bundling w .unsuitable for bundling w .bundled in port-channel I .waiting to be aggregated d .Layer3 S .bundled in port-channel I .not in use.suspended H .

you will need to verify your documentation to determine which protocol should be used between SW1 and SW2 and make the appropriate adjust- ments. to solve this issue.stand-alone s . Therefore.204 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------- 1 Po1(SU) LACP Gi1/0/5(P) Gi1/0/6(P) Trouble Ticket 5-5 Problem: A junior network administrator has approached you indicating that the EtherChannel bundle he is trying to form between SW1 and SW2 is not forming. However.suspended H .failed to allocate aggregator M .down P . Example 5-34 show ip interface brief | include Port Output for SW1 and SW2 SW1#show ip interface brief | include Port Port-channel1 unassigned YES unset down down SW2#show ip interface brief | include Port Port-channel1 unassigned YES unset down down Next you check the status of the EtherChannel bundle with the show etherchannel sum- mary command. Example 5-35 show etherchannel summary Output for SW1 and SW2 SW1#show etherchannel summary Flags: D . minimum links not met u .waiting to be aggregated d . you will see the issue. You need to solve this issue for him.default port Number of channel-groups in use: 1 Number of aggregators: 1 From the Library of Outcast Outcast . You start by checking whether the port channel is up on SW1 and SW2. Notice that the port channel is down and that all interfaces are standalone. SW1 is using PAgP. it is down/down.in use f .unsuitable for bundling w . as shown in Example 5-35.Hot-standby (LACP only) R . These EtherChannel protocols are not compatible. and SW2 is using LACP. According to the output.Layer2 U . if you look closer.bundled in port-channel I .not in use. as shown in Example 5-34.Layer3 S .

waiting to be aggregated d .Hot-standby (LACP only) R .stand-alone s .Layer3 S .default port Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------- 1 Po1(SD) LACP Gi1/0/5(I) Gi1/0/6(I) From the Library of Outcast Outcast .suspended H .bundled in port-channel I .failed to allocate aggregator M .down P .not in use. minimum links not met u . Chapter 5: Troubleshooting STP and Layer 2 EtherChannel 205 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------- 1 Po1(SD) PAgP Gi1/0/5(I) Gi1/0/6(I) SW2#show etherchannel summary Flags: D .unsuitable for bundling w .in use f .Layer2 U .
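The two tickets above are diagnosed by reading the same table by eye: the Protocol column, the port-channel flags, and the per-member flags. The following Python is an added example (not code from the book) that automates that reading: it parses show etherchannel summary from both ends of the bundle, reports a protocol mismatch (Trouble Ticket 5-5), lists members that are stand-alone or suspended (Trouble Ticket 5-4), and includes a small helper that says which channel-group mode pairs negotiate a bundle. The sample outputs are constructed to mirror Examples 5-31, 5-33 and 5-35; the switch names and the COMPATIBLE table are assumptions of the example, not taken from the page.

```python
"""Diagnose why an EtherChannel bundle is not forming from the 'show etherchannel
summary' output of both switches. Added example, not from the book; the sample
outputs below are constructed to mirror the symptoms in Trouble Tickets 5-4 and 5-5."""
import re

# Member-port flag meanings, taken from the legend IOS prints above the table.
PORT_FLAGS = {"P": "bundled", "I": "stand-alone", "s": "suspended", "H": "hot-standby",
              "w": "waiting to be aggregated", "d": "default port",
              "u": "unsuitable for bundling"}

# Mode pairs that negotiate a bundle: LACP active/active and active/passive,
# PAgP desirable/desirable and desirable/auto, and static on/on.
COMPATIBLE = {frozenset({"active"}), frozenset({"active", "passive"}),
              frozenset({"desirable"}), frozenset({"desirable", "auto"}),
              frozenset({"on"})}


def modes_compatible(local_mode, remote_mode):
    """True if the two channel-group modes will form a bundle (order independent)."""
    return frozenset({local_mode, remote_mode}) in COMPATIBLE


ROW = re.compile(r"^\s*(\d+)\s+(Po\d+)\((\w+)\)\s+(\S+)\s+(.*)$")
MEMBER = re.compile(r"(\S+?)\((\w)\)")


def parse_summary(text):
    """Map channel-group number -> port-channel name, flags, protocol and member flags."""
    groups = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            grp, po, flags, proto, members = m.groups()
            groups[int(grp)] = {"po": po, "flags": flags, "protocol": proto,
                                "members": dict(MEMBER.findall(members))}
    return groups


def diagnose(local_name, local_text, remote_name, remote_text, group=1):
    """Return a list of findings for one channel group, seen from both switches."""
    local = parse_summary(local_text)[group]
    remote = parse_summary(remote_text)[group]
    findings = []
    if local["protocol"] != remote["protocol"]:
        findings.append(f"protocol mismatch: {local_name} {local['protocol']} vs "
                        f"{remote_name} {remote['protocol']}; set channel-group mode "
                        "per the documented protocol on both switches")
    for name, g in ((local_name, local), (remote_name, remote)):
        bad = {p: PORT_FLAGS.get(f, f) for p, f in g["members"].items() if f != "P"}
        if bad:
            findings.append(f"{name} {g['po']} flags {g['flags']}: "
                            + ", ".join(f"{p} {why}" for p, why in bad.items()))
        elif "U" not in g["flags"]:
            findings.append(f"{name} {g['po']} flags {g['flags']}: members bundled "
                            "but port channel not in use")
    if findings and local["protocol"] == remote["protocol"]:
        findings.append("same protocol on both sides: compare the member ports' "
                        "switchport mode, encapsulation, allowed VLANs, speed and duplex")
    return findings or [f"{local['po']} bundled and in use on both switches"]


# Constructed sample outputs (legend and table shaped like the IOS command output).
LEGEND = """Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
"""
TT54_SW1 = LEGEND + "1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(s)\n"
TT54_SW2 = LEGEND + "1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(I)\n"
TT55_SW1 = LEGEND + "1      Po1(SD)         PAgP      Gi1/0/5(I)  Gi1/0/6(I)\n"
TT55_SW2 = TT54_SW2
FIXED = LEGEND + "1      Po1(SU)         LACP      Gi1/0/5(P)  Gi1/0/6(P)\n"

if __name__ == "__main__":
    for label, a, b in (("TT 5-4", TT54_SW1, TT54_SW2),
                        ("TT 5-5", TT55_SW1, TT55_SW2), ("fixed", FIXED, FIXED)):
        print(label)
        for finding in diagnose("SW1", a, "SW2", b):
            print("  -", finding)
```

The order of the checks matters: a protocol mismatch is reported before the member flags, because stand-alone members are a consequence of it and not a separate fault to chase.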

Exam Preparation Tasks
As mentioned in the section "How to Use This Book" in the Introduction, you have a
couple of choices for exam preparation: the exercises here, Chapter 22, "Final
Preparation," and the exam simulation questions on the CD-ROM.

Review All Key Topics
Review the most important topics in this chapter, noted with the Key Topic icon in the
outer margin of the page. Table 5-5 lists a reference of these key topics and the page
numbers on which each is found.

Table 5-5 Key Topics for Chapter 5
Key Topic Element | Description | Page Number
List | Describes root bridge election | 173
Sentence | Identifies the golden rule of STP | 173
Table 5-2 | Identifies STP port types | 174
Table 5-3 | Identifies STP port costs | 175
Section | Reviews how to determine root ports | 175
Section | Reviews how to determine designated ports | 176
List | Identifies STP port states | 177
Section | Identifies show commands used for troubleshooting STP | 178
Section | Reviews STP features and the show commands used for troubleshooting | 182
List | Describes issues that could prevent an EtherChannel from forming | 199
Table 5-4 | Identifies the EtherChannel modes that will successfully form a bundle | 200

Define Key Terms
Define the following key terms from this chapter and check your answers in the glossary:
Spanning Tree Protocol (STP), 802.1D, 802.1w, 802.1s, root bridge, root port, designated
port, nondesignated port, blocking, listening, learning, forwarding, Layer 2
EtherChannel, PAgP, LACP

Complete Tables and Lists from Memory
Print a copy of Appendix C, "Memory Tables," (found on the disc), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix D, "Memory
Tables Answer Key," also on the disc, includes completed tables and lists to check your
work.

Command Reference to Check Your Memory
This section includes the show commands introduced in this chapter. It does not include
the show commands that were used in this chapter but introduced in previous chapters.
You will need to return to the previous chapters to review information relating to those
show commands.

The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a
networking professional. Therefore, you should be able to identify the show commands
needed to successfully troubleshoot the topics covered in this chapter.

To test your memory of the commands, cover the right side of Table 5-6 with a piece of
paper, read the description on the left side, and then see how much of the command you
can remember.

Table 5-6 show Commands Introduced in Chapter 5
Task | Command Syntax
Displays STP information about all VLANs | show spanning-tree
Displays STP information about a specific VLAN | show spanning-tree [vlan {vlan_id}]
Displays the STP interface role, port priority, cost, and interface type for each VLAN on the switch | show spanning-tree interface interface_type interface_number
Displays detailed STP information about an interface, including the number of BPDUs sent and received and the STP features that have been enabled specifically on the interface | show spanning-tree interface interface_type interface_number detail
Displays the MST region name, revision number, and the instance to VLAN mappings | show spanning-tree mst configuration
Displays ports configured with Root Guard that have received superior BPDUs and ports configured with Loop Guard that are in the loop inconsistent state | show spanning-tree inconsistentports
Displays which STP features have been enabled globally on the switch | show spanning-tree summary
Displays the status of port-channels as well as the status of the ports within the port channel | show etherchannel summary
Displays the EtherChannel load-balance algorithm configured on the switch | show etherchannel load-balance

This chapter covers the following topics:

■ Troubleshooting a Router-on-a-Trunk/Stick: This section covers how to troubleshoot
inter-VLAN routing issues when using the router-on-a-trunk scenario.

■ Router-on-a-Trunk/Stick Trouble Tickets: This section provides trouble tickets that
demonstrate how you can use a structured troubleshooting process to solve a reported
problem.

■ Troubleshooting Switched Virtual Interfaces: This section identifies what is necessary
for an SVI to be up/up and provide inter-VLAN routing. You will also learn how to
troubleshoot issues related to SVIs.

■ SVI Trouble Tickets: This section provides trouble tickets that demonstrate how you
can use a structured troubleshooting process to solve a reported problem.

■ Troubleshooting Routed Ports: This section reviews what is necessary to convert a
Layer 2 switchport into a routed port.

■ Routed Port Trouble Tickets: This section provides trouble tickets that demonstrate
how you can use a structured troubleshooting process to solve a reported problem.

■ Troubleshooting Layer 3 EtherChannel: This section focuses on the steps needed to
successfully troubleshoot a Layer 3 EtherChannel that relies on routed ports.

■ Layer 3 EtherChannel Trouble Tickets: This section provides trouble tickets that
demonstrate how you can use a structured troubleshooting process to solve a reported
problem.

CHAPTER 6

Troubleshooting Inter-VLAN Routing and Layer 3 EtherChannels

Chapters 4, "Troubleshooting Layer 2 Trunks, VTP, and VLANs," and 5, "Troubleshooting
STP and Layer 2 EtherChannel," focused on Cisco Catalyst switches as Layer 2 switches.
These switches operate at Layer 2 of the OSI model, forwarding or flooding frames based
on the MAC addresses in the frame. However, many Cisco Catalyst switches are Layer 3
switches. These Layer 3 switches can perform both Layer 2 and Layer 3 services. Of the
Layer 3 services, routing is the most common that is implemented. Through the use of
virtual Layer 3 interfaces (known as switched virtual interfaces [SVIs]) or by converting
a Layer 2 switchport to a routed port, you can assign IP addresses to these interfaces and
have the Layer 3 switch route data between VLANs and subnets. In addition, you can use
routed ports to create Layer 3 EtherChannels.

This chapter focuses on how you can troubleshoot different inter-VLAN routing
implementations, routed ports, and Layer 3 EtherChannel. You will also be exposed to a
few different troubleshooting scenarios for each.

"Do I Know This Already?" Quiz
The "Do I Know This Already?" quiz allows you to assess whether you should read this
entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in
doubt about your answers to these questions or your own assessment of your knowledge
of the topics, read the entire chapter. Table 6-1 lists the major headings in this chapter
and their corresponding "Do I Know This Already?" quiz questions. You can find the
answers in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes."

Table 6-1 "Do I Know This Already?" Section-to-Question Mapping
Foundation Topics Section | Questions
Troubleshooting a Router-on-a-Trunk/Stick | 1–2
Troubleshooting Switched Virtual Interfaces | 3–5
Troubleshooting Routed Ports | 6–7
Troubleshooting Layer 3 EtherChannel | 8–9

Caution The goal of self-assessment is to gauge your mastery of the topics in this chap-
ter. If you do not know the answer to a question or are only partially sure of the answer,
you should mark that question as wrong for purposes of the self-assessment. Giving your-
self credit for an answer that you correctly guess skews your self-assessment results and
might provide you with a false sense of security.

1. Which command enables you to associate a VLAN with a router subinterface?

a. encapsulation

b. interface

c. ip address

d. vlan

2. Which show command enables you to verify the VLAN that has been associated
with a router subinterface?

a. show interface trunk

b. show vlan brief

c. show ip route

d. show vlans

3. What must be true for an SVI to be up/up? (Choose two answers.)

a. The VLAN associated with the SVI must exist on the switch.

b. The SVI must be disabled.

c. There must be at least one interface on the switch associated with the VLAN in
the spanning-tree forwarding state.

d. IP routing must be enabled on the switch.

4. Which show command enables you to verify the status of the SVI for VLAN 10 and
the MAC address associated with it?

a. show ip interface brief

b. show interfaces vlan 10

c. show ip interface vlan 10

d. show svi

5. Which command enables IPv4 unicast routing on a Layer 3 switch?

a. routing

b. ip route

c. ip routing

d. ip unicast-routing


6. Which command enables you to convert a Layer 2 switchport to a routed port?

a. no switchport

b. routed port

c. ip address

d. ip routing

7. Which show command enables you to verify whether interface Gigabit Ethernet
1/0/10 is a Layer 2 switchport or a routed port?

a. show gigabitethernet 1/0/10 switchport

b. show interfaces gigabitethernet 1/0/10

c. show interfaces gigabitethernet 1/0/10 switchport

d. show interfaces status

8. What flags in the show etherchannel summary output indicate that the
EtherChannel is Layer 3 and in use?

a. SU

b. SD

c. RU

d. RD

9. Which EtherChannel modes will successfully form an LACP EtherChannel?

a. Active-auto

b. Desirable-auto

c. Passive-desirable

d. Active-passive

10. Which EtherChannel flag indicates that the port is bundled in the EtherChannel
bundle?

a. R

b. S

c. P

d. H


Foundation Topics

Troubleshooting a Router-on-a-Trunk/Stick
For traffic to pass from one VLAN to another VLAN, it has to be routed. This is easy to
remember if you recall that a VLAN = a subnet and to send traffic from one subnet to
another you route it. Therefore, to send traffic from one VLAN to another VLAN, you
also route it.

This section reviews how you can use an external router that is trunked to a switch to
perform routing between VLANs. The section also covers the various issues that could
cause this implementation to not function as expected.

Before Layer 3 switches existed, we relied on external routers to perform inter-VLAN
routing. The external router was connected to the Layer 2 switch via a trunk, which cre-
ated the router-on-a-stick or router-on-a-trunk topology, as shown in Figure 6-1.

[Figure 6-1, text placeholder: R1 interface Fa 1/1/1 carries subinterfaces Fa 1/1/1.1
(VLAN 100) and Fa 1/1/1.2 (VLAN 200) over a trunk to SW1 Gig 0/2; PC1 192.168.1.10/24 is
on SW1 Gig 0/1 in VLAN 100, and PC2 192.168.2.10/24 is on SW1 Gig 0/3 in VLAN 200.]

Figure 6-1 Router-on-a-Trunk / Router-on-a-Stick

In Figure 6-1, router R1’s Fast Ethernet 1/1/1 interface has two subinterfaces as indicated
by the period (.) in the interface identification. There is one for each VLAN, Fast Ethernet
1/1/1.1 for VLAN 100 and Fast Ethernet 1/1/1.2 for VLAN 200. Router R1 can route
between VLANs 100 and 200, while simultaneously receiving and transmitting traffic
over the trunk connection to the switch. Review Example 6-1 and Example 6-2, which
outline the configurations needed to implement a router-on-a-trunk.

Example 6-1 show run Command Output from R1 (Key Topic)
R1#show run
...output omitted...
interface FastEthernet1/1/1.1
encapsulation dot1Q 100


ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet1/1/1.2
encapsulation dot1Q 200
ip address 192.168.2.1 255.255.255.0
...output omitted...

Example 6-2 show run Command Output from SW1 (Key Topic)
SW1#show run
...output omitted...
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 100

interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate

interface GigabitEthernet0/3
switchport mode access
switchport access vlan 200
...output omitted...

After reviewing Example 6-1 and Example 6-2, what are issues that could prevent inter-
VLAN routing from being successful? (Key Topic)
■ Trunk encapsulation mismatch

■ Incorrect VLAN assignment on routers’ subinterfaces

■ Incorrect IP address or subnet mask on routers’ subinterfaces

■ Incorrect IP address, subnet mask, or default gateway on PCs

■ Switchport connected to router configured as an access port

■ Switchport connected to router configured to use Dynamic Trunking Protocol
(DTP), which is not supported by the router

■ Switchports connected to PCs in wrong VLAN

Being able to identify these issues and correct them is important for any troubleshooter.
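
Each item in the list above is a comparison between two places in the design: the router's subinterfaces, the switch's ports, and the hosts' addressing. The following Python is an added example (not code from the book) that runs those comparisons against running-config text in the style of Examples 6-1 and 6-2, plus a small host table standing in for the PC settings of Figure 6-1. It flags a trunk encapsulation mismatch, a router-facing port left in access mode or still running DTP, a PC port in the wrong VLAN, a VLAN with no router subinterface, and a PC whose address or default gateway does not match its VLAN's subinterface. The faulty switch configuration, the host table and the port names are constructed for the example.

```python
"""Audit a router-on-a-trunk design against the issue list in the chapter. Added
example, not from the book; R1_CFG and SW1_GOOD are constructed in the style of
Examples 6-1 and 6-2, SW1_BAD is a deliberately broken variant, and HOSTS stands in
for the PC settings shown in Figure 6-1."""
import ipaddress
import re


def parse_interfaces(config):
    """Map each 'interface X' block of a running-config to its list of commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("", "!", "end"):
            current = None          # a blank line, '!' or 'end' closes the block
        elif current is not None:
            blocks[current].append(line)
    return blocks


def router_subinterfaces(router_cfg):
    """Map VLAN id -> (subinterface name, encapsulation, ip_interface)."""
    subifs = {}
    for name, lines in parse_interfaces(router_cfg).items():
        if "." not in name:         # only dotted names are subinterfaces
            continue
        encap = vlan = addr = None
        for cmd in lines:
            m = re.match(r"encapsulation (\S+) (\d+)", cmd)
            if m:
                encap, vlan = m.group(1).lower(), int(m.group(2))   # dot1Q -> dot1q
            m = re.match(r"ip address (\S+) (\S+)", cmd)
            if m:
                addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        if vlan is not None:
            subifs[vlan] = (name, encap, addr)
    return subifs


def audit(router_cfg, switch_cfg, trunk_port, hosts):
    """Return the list of issues found; an empty list means the design is consistent."""
    issues = []
    subifs = router_subinterfaces(router_cfg)
    ports = parse_interfaces(switch_cfg)
    trunk = ports.get(trunk_port, [])
    mode = next((c[len("switchport mode "):] for c in trunk
                 if c.startswith("switchport mode ")), "dynamic auto")
    encap = next((c.split()[-1] for c in trunk
                  if c.startswith("switchport trunk encapsulation ")), "negotiate")
    if mode != "trunk":
        issues.append(f"{trunk_port} is 'switchport mode {mode}', not a static trunk")
    if "switchport nonegotiate" not in trunk:
        issues.append(f"{trunk_port} still runs DTP, which the router does not "
                      "support; add switchport nonegotiate")
    router_encaps = {e for _, e, _ in subifs.values() if e}
    if router_encaps and encap not in router_encaps:
        issues.append(f"trunk encapsulation mismatch: {trunk_port} uses {encap}, "
                      f"router uses {', '.join(sorted(router_encaps))}")
    for h in hosts:
        access = next((int(c.split()[-1]) for c in ports.get(h["port"], [])
                       if c.startswith("switchport access vlan ")), 1)
        if access != h["vlan"]:
            issues.append(f"{h['name']} port {h['port']} is in VLAN {access}, "
                          f"expected {h['vlan']}")
        if h["vlan"] not in subifs:
            issues.append(f"no router subinterface carries VLAN {h['vlan']} ({h['name']})")
            continue
        name, _, addr = subifs[h["vlan"]]
        host = ipaddress.ip_interface(f"{h['ip']}/{h['mask']}")
        if addr is None or host.network != addr.network:
            issues.append(f"{h['name']} {host} is not in the subnet of {name} ({addr})")
        elif ipaddress.ip_address(h["gateway"]) != addr.ip:
            issues.append(f"{h['name']} gateway {h['gateway']} is not {name}'s "
                          f"address {addr.ip}")
    return issues


# Constructed inputs in the style of Examples 6-1 and 6-2.
R1_CFG = """\
interface FastEthernet1/1/1.1
 encapsulation dot1Q 100
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet1/1/1.2
 encapsulation dot1Q 200
 ip address 192.168.2.1 255.255.255.0
!
"""
SW1_GOOD = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 100
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 200
!
"""
# Constructed faulty variant: ISL on the trunk, DTP left on, PC2's port in VLAN 20.
SW1_BAD = (SW1_GOOD.replace("encapsulation dot1q", "encapsulation isl")
           .replace(" switchport nonegotiate\n", "")
           .replace("access vlan 200", "access vlan 20"))
HOSTS = [{"name": "PC1", "port": "GigabitEthernet0/1", "vlan": 100,
          "ip": "192.168.1.10", "mask": "255.255.255.0", "gateway": "192.168.1.1"},
         {"name": "PC2", "port": "GigabitEthernet0/3", "vlan": 200,
          "ip": "192.168.2.10", "mask": "255.255.255.0", "gateway": "192.168.2.1"}]

if __name__ == "__main__":
    for label, cfg in (("good", SW1_GOOD), ("bad", SW1_BAD)):
        print(label, audit(R1_CFG, cfg, "GigabitEthernet0/2", HOSTS) or ["no issues"])
```

The host entries carry the VLAN each PC is documented to belong to, so the audit checks the switch against the design rather than against itself; a port in the wrong VLAN only shows up because the expectation comes from outside the configuration.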

Router-on-a-Trunk/Stick Trouble Tickets
This section covers various trouble tickets relating to the topics discussed earlier in the
chapter. The purpose of these trouble tickets is to give a process that you can follow
when troubleshooting in the real world or in an exam environment. All trouble tickets in
this section are based on the topology depicted in Figure 6-2.


[Figure 6-2, text placeholder: R1 interface Fa0/1 carries subinterfaces Fa0/1.100
(192.168.1.1/24, VLAN 100) and Fa0/1.200 (192.168.2.1/24, VLAN 200) over an 802.1q
trunk to SW1 Fa0/24; PC1 192.168.1.10/24 with DG 192.168.1.1 is on SW1 Fa0/1 in
VLAN 100, and PC2 192.168.2.10/24 with DG 192.168.2.1 is on SW1 Fa0/2 in VLAN 200.]

Figure 6-2 Router-on-a-Trunk Trouble Tickets

Trouble Ticket 6-1
Problem: PC1 is not able to access resources on PC2.

As you dive deeper into trouble tickets, everything covered in the previous chapters still
applies because the PCs are still connected to the switches, there are still VLANs, and
there are trunks. As a result, having a repeatable structured troubleshooting process in
place will help you maintain focus and clarity as you troubleshoot.

The first item on the list of troubleshooting is to verify the problem. Issuing the ping
command on PC1, as shown in Example 6-3, indicates that PC1 is not able to reach PC2,
confirming the problem.

Example 6-3 Failed Ping from PC1 to PC2
C:\PC1>ping 192.168.2.10
Pinging 192.168.2.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.2.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Next you need to verify whether PC1 can get to its default gateway. This will help
you narrow down where the issue may be. Pinging PC1's default gateway, as shown in
Example 6-4, is not successful. This indicates that we have an issue between PC1 and the
default gateway.


Example 6-4 Failed Ping from PC1 to Default Gateway
C:\PC1>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Now is an excellent time to brainstorm the likely causes of the issue based on Figure 6-2
and the fact that PC1 is not able to ping its default gateway:

■ PC1 may have an incorrect IP address, subnet mask, or default gateway configured.

■ SW1 switchport Fa0/1 may not be associated with the correct VLAN.

■ VLAN 100 may not exist on SW1.

■ PC1 may physically be connected to the wrong switchport.

■ SW1 Fa0/24 may not be configured as a trunk.

■ SW1 Fa0/24 may not be allowing VLAN 100 traffic on the trunk.

■ SW1 Fa0/24 may be using the wrong trunk encapsulation.

■ R1 may not have the appropriate subinterfaces configured with the correct IP
addresses or subnet masks.

■ R1’s subinterfaces may be using the wrong trunk encapsulation.

■ R1’s subinterfaces may be disabled.

As you can see, the list is quite extensive, and it is not even a complete list. Let’s start fol-
lowing the path from PC1 and work toward the router. Issuing ipconfig on PC1 indicates
that it has the correct IP address, subnet mask, and default gateway configured, as shown
in Example 6-5, when compared to Figure 6-2.

Example 6-5 ipconfig Output on PC1
C:\PC1>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1


Issuing the show mac address-table dynamic command on SW1 will identify which
MAC address is being learned on Fa0/1 and which VLAN it is associated with. Example
6-6 is indicating that the MAC address of 0800.275d.06d6 is being learned on Fa0/1 and
that it is associated with VLAN 100. Issuing the ipconfig /all command on PC1, as shown
in Example 6-7, identifies PC1’s MAC as 0800.275d.06d6, which is the same as the one
outlined in the MAC address table. We can narrow our focus now because this proves
that PC1 is connected to the correct switchport, VLAN 100 exists, and Fa0/1 is in the
correct VLAN.

Example 6-6 show mac address-table dynamic Command Output on SW1
SW1#show mac address-table dynamic
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
100 0800.275d.06d6 DYNAMIC Fa0/1
200 0800.27a2.ce47 DYNAMIC Fa0/2
Total Mac Addresses for this criterion: 2

Example 6-7 ipconfig /all Output on PC1
C:\PC1>ipconfig
...output omitted...
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
...output omitted...

Focus on Example 6-6 again. If you look closely at the MAC address table on SW1, you
will notice that no MAC addresses are being learned for VLAN 100 or VLAN 200 on
Fa0/24. Why would this be? The link between R1 and SW1 should be an 802.1Q trunk
according to Figure 6-2. If this trunk is not configured with the correct encapsulation,
or the correct trunk mode, or the trunk is pruning VLAN 100 or 200 traffic, traffic for
VLANs 100 and 200 would not pass over the link.

On SW1, start by issuing the show interfaces trunk command, as shown in Example 6-8.
The output indicates that Fa0/24 is a trunk using mode on, which means the command
switchport mode trunk was issued. It also indicates that Fa0/24 is using Inter-Switch
Link (ISL) as the trunk encapsulation method. According to Figure 6-2, the trunk should
be using 802.1Q.


Example 6-8 show interfaces trunk Command Output on SW1
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/24 on isl trunking 1

Port Vlans allowed on trunk
Fa0/24 1-4094

Port Vlans allowed and active in management domain
Fa0/24 1,100,200

Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 1,100,200

Reviewing the output of show vlans on R1 in Example 6-9 confirms that R1 is using
802.1Q for its trunk encapsulation. As a result, we have a trunk encapsulation mismatch.

Example 6-9 show vlans Output on R1
R1#show vlans
...output omitted...
Virtual LAN ID: 100 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/1.100

Protocols Configured: Address: Received: Transmitted:
IP 192.168.1.1 4 8
Other 0 5

4 packets, 298 bytes input
13 packets, 1054 bytes output

Virtual LAN ID: 200 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/1.200

Protocols Configured: Address: Received: Transmitted:
IP 192.168.2.1 4 8
Other 0 5

4 packets, 298 bytes input
13 packets, 1054 bytes output

You need to fix SW1 so that Fa0/24 is using the correct trunk encapsulation method. On
Fa0/24 of SW1, issue the switchport trunk encapsulation dot1q command. After you
have implemented your solution, you need to confirm that it solved the problem by ping-
ing from PC1 to PC2 again. Example 6-10 shows that the ping is successful.


Example 6-10 Successful Ping from PC1 to PC2
C:\PC1>ping 192.168.2.10

Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Trouble Ticket 6-2
Problem: PC1 is not able to access resources on PC2.

The problem reported in this trouble ticket is the exact same as the previous trouble tick-
et. However, do not jump to the conclusion that it is the same problem and solution. You
always want to follow your structured troubleshooting approach to make sure that you
efficiently solve the problem and waste little effort.

The first item on the list of troubleshooting is to verify the problem. Issuing the ping
command on PC1, as shown in Example 6-11, indicates that PC1 is not able to reach PC2,
confirming the problem.

Example 6-11 Failed Ping from PC1 to PC2
C:\PC1>ping 192.168.2.10
Pinging 192.168.2.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.2.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Next you need to verify whether PC1 can get to its default gateway. This will help
you narrow down where the issue may be. Pinging PC1’s default gateway, as shown in
Example 6-12, is successful. This indicates that we do not have an issue between PC1 and
the default gateway.


Example 6-12 Successful Ping from PC1 to Default Gateway
C:\PC1>ping 192.168.1.1
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Now is a great time to check whether PC1 can ping the default gateway of VLAN 200 at
192.168.2.1. This will help you determine whether inter-VLAN routing is working on R1
between VLAN 100 and VLAN 200. The ping, as shown in Example 6-13, is successful.

Example 6-13 Successful Ping from PC1 to Default Gateway of VLAN 200
C:\PC1>ping 192.168.2.1
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

It is time to shift attention to R1 and PC2 because it appears everything is fine from
PC1 to R1’s subinterface Fa0/1.100. In this case, we will work our way backward from
R1 to PC2. For VLAN 200 traffic to flow from R1 to PC2, the subinterface Fa0/1.200
needs to be using the correct encapsulation method (802.1Q), it needs to have the cor-
rect IP address and subnet mask assigned to it (192.168.2.1/24), and it needs to have the
right VLAN assigned to it (VLAN 200). Using the command show vlans on R1 will help
to verify the subinterface configuration on R1, as outlined in Example 6-14. Notice that
subinterface Fa0/1.200 has the appropriate IP address and that it is also using 802.1Q as
the trunk encapsulation. However, it is associated with VLAN 20, not VLAN 200. This
appears to be the issue.

Example 6-14 show vlans Command Output on R1
R1#show vlans
...output omitted...
Virtual LAN ID: 20 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/1.200


Protocols Configured: Address: Received: Transmitted:
IP 192.168.2.1 0 0

0 packets, 0 bytes input
0 packets, 0 bytes output
...output omitted...

In subinterface configuration mode for Fa0/1.200, you execute the command encapsula-
tion dot1q 200 to change the VLAN association from 20 to 200. Once done, you review
the output of show vlans on R1, as shown in Example 6-15, to verify that subinterface
Fa0/1.200 is associated with VLAN 200.

Example 6-15 show vlans Command Output on R1 After Configuration Changes
R1#show vlans
...output omitted...
Virtual LAN ID: 200 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/1.200

Protocols Configured: Address: Received: Transmitted:
IP 192.168.2.1 0 0

0 packets, 0 bytes input
0 packets, 0 bytes output

You then confirm the issue is solved by pinging from PC1 to PC2 again. Example 6-
16 shows that the ping is successful, and so you can now conclude that the problem is
solved.

Example 6-16 Successful Ping from PC1 to PC2
C:\PC1>ping 192.168.2.10
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms


Troubleshooting Switched Virtual Interfaces
On a router, an interface has an IP address that defines the subnet the interface is part
of. In addition, the IP address is usually acting as a default gateway to hosts residing off
of that interface. However, if you have a Layer 3 switch with multiple ports (access or
trunk) belonging to the same VLAN, as shown in Figure 6-3, which interface should the
IP address be configured on?
[Figure 6-3, text placeholder: SW1 with Gig 0/7 and Gig 0/8 in VLAN 100 and Gig 0/9 and
Gig 0/10 in VLAN 200; no IP addresses are configured on the switch.]

Figure 6-3 Layer 3 Switch Without IP addresses

Since Layer 2 switchports cannot be assigned an IP address, you need to create a logi-
cal Layer 3 interface known as a switched virtual interface (SVI). These SVIs can be
assigned an IP address just like router interfaces. However, unlike router interfaces where
an IP address is associated with one interface, the SVI represents all switchports that are
part of the same VLAN the SVI is configured for. Therefore, any device connecting to
the switch that is in VLAN 100 uses SVI 100, and any device in VLAN 200 uses SVI 200,
and so on. This section explains how to configure SVIs on Layer 3 switches and the items
that you should look out for when troubleshooting SVIs.

Reviewing SVIs
Figure 6-4 shows a topology using SVIs, and Example 6-17 shows the corresponding
configuration. Notice that two SVIs are created: one for each VLAN. The SVI for VLAN
100 has the IP address 192.168.1.1/24, and the SVI for VLAN 200 has the IP address
192.168.2.1/24. Notice that these are two different subnets. As a result, devices that are
members of VLAN 100 need to have an IP address in the 192.168.1.0/24 network and
have their default gateway pointing to the VLAN 100 SVI IP address of 192.168.1.1.
Devices that are members of VLAN 200 need to have an IP address in the 192.168.2.0/24
network and have their default gateway pointing to the VLAN 200 SVI IP address of
192.168.2.1. An IP address is assigned to an SVI by going into interface configuration
mode for a VLAN. For example, the global configuration command interface vlan 10
enters interface configuration mode for SVI 10 and, if it has not previously been created,
creates SVI 10. In this example, because both SVIs are local to the switch, the switch's
routing table knows how to forward traffic between members of the two VLANs. Note,
however, that IPv4 routing is not on by default on Layer 3 switches; therefore, you need
to enable it with the ip routing global configuration command.
Figure 6-4 Layer 3 Switch with SVIs [figure: SW1 with Gig0/7 and Gig0/8 in VLAN 100
(SVI: VLAN 100, 192.168.1.1/24) and Gig0/9 and Gig0/10 in VLAN 200 (SVI: VLAN 200,
192.168.2.1/24)]

Example 6-17 SW1 SVI Configuration
SW1#show run
...output omitted...
!
ip routing
!
...output omitted...
!
interface GigabitEthernet0/7
switchport access vlan 100
switchport mode access

!
interface GigabitEthernet0/8
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 200
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 200
switchport mode access
!
...output omitted...
!
interface Vlan100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan200
ip address 192.168.2.1 255.255.255.0

Troubleshooting SVIs
For an SVI to function, the SVI status has to be up and the line protocol has to be up.
You can verify whether the SVI is up/up with a few different show commands, as shown in
Example 6-18. In this case, the SVI for VLAN 100 is up/up, as shown in the output of
show ip interface brief. The output of show interfaces vlan 100 also displays the SVI as
being up/up, but in addition it provides the MAC (bia) address that will be used when
devices need to communicate directly with the SVI. For example, when hosts on VLAN 100
need to send a frame to the default gateway (remember, the SVI will be the default
gateway), they need a destination MAC address for the IP address associated with the
SVI. It is this MAC address that will be used in this case. The command also provides the
IP address of the SVI. Lastly, the show ip interface vlan 100 command indicates that the
SVI is up/up, in addition to providing the IP address.

Example 6-18 Verifying the Status of an SVI
SW1#show ip interface brief | include Vlan|Interface
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan100 192.168.1.1 YES manual up up
Vlan200 192.168.2.1 YES manual up up

SW1#show interfaces vlan 100
Vlan100 is up, line protocol is up
Hardware is EtherSVI, address is 000d.2829.0200 (bia 000d.2829.0200)
Internet address is 192.168.1.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
...output omitted...

SW1#show ip interface vlan 100
Vlan100 is up, line protocol is up
Internet address is 192.168.1.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
...output omitted...

To successfully troubleshoot SVIs, you need to understand the circumstances that are
necessary for an SVI to be up/up. The following list outlines what is needed for an SVI to
be up/up:

■ The VLAN the SVI is created for needs to exist locally on the switch.

■ The SVI has to be enabled and not administratively shut down.

■ At a minimum, there must be one switchport (access or trunk) that is up/up and in
the spanning-tree forwarding state for that specific VLAN.

Note To route from one SVI to another SVI, IP routing must be enabled on the Layer 3
switch with the ip routing command.
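The three prerequisites above can be checked mechanically from the output of show vlan brief, show ip interface brief, and show interfaces trunk. The following Python script is an added example, not from the book; its sample output is constructed to mirror SW1 in Trouble Ticket 6-3 (VLAN 10 missing), and it covers only trunk ports for the third condition.

```python
"""Check the three SVI up/up prerequisites from parsed IOS show output.

Added example (not from the book). The show output below is constructed to
mirror SW1 in Trouble Ticket 6-3, where VLAN 10 does not exist on SW1."""
import re

# Constructed sample output (modeled on Examples 6-24 through 6-26).
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/2, Gi1/0/3, Gi1/0/4
20   10.1.1.64/26                     active
1002 fddi-default                     act/unsup
"""

SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan10                 10.1.1.1        YES NVRAM  up                    down
Vlan20                 10.1.1.65       YES NVRAM  up                    up
"""

SHOW_INT_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/1     on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi1/0/1     1-4094

Port        Vlans allowed and active in management domain
Gi1/0/1     1,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/1     1,20
"""


def parse_vlan_ranges(spec):
    """Expand an IOS VLAN list such as '1,10-12,20' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def active_vlans(show_vlan_brief):
    """VLAN IDs whose Status column reads 'active' in show vlan brief."""
    found = set()
    for line in show_vlan_brief.splitlines():
        m = re.match(r"(\d+)\s+\S+\s+(\S+)", line)
        if m and m.group(2) == "active":
            found.add(int(m.group(1)))
    return found


def svi_states(show_ip_int_brief):
    """Map VLAN ID -> (Status, Protocol) for every VlanN line."""
    pattern = re.compile(
        r"Vlan(\d+)\s+\S+\s+\S+\s+\S+\s+(administratively down|up|down)\s+(\S+)")
    states = {}
    for line in show_ip_int_brief.splitlines():
        m = pattern.match(line)
        if m:
            states[int(m.group(1))] = (m.group(2), m.group(3))
    return states


def forwarding_vlans(show_int_trunk):
    """Map trunk port -> VLANs in the STP forwarding state and not pruned."""
    fwd, in_fwd_section = {}, False
    for line in show_int_trunk.splitlines():
        if line.startswith("Port"):
            in_fwd_section = "forwarding" in line
        elif in_fwd_section:
            m = re.match(r"(\S+)\s+(\S+)", line)
            if m:
                fwd[m.group(1)] = parse_vlan_ranges(m.group(2))
    return fwd


def svi_diagnosis(vlan_id, show_vlan_brief, show_ip_int_brief, show_int_trunk):
    """Return the violated prerequisites for interface Vlan<vlan_id> (empty = OK).

    Only trunk ports are checked for the third condition; an access port in the
    VLAN would have to be checked with show spanning-tree vlan <id> instead."""
    problems = []
    if vlan_id not in active_vlans(show_vlan_brief):
        problems.append(f"VLAN {vlan_id} does not exist (or is not active) locally")
    status = svi_states(show_ip_int_brief).get(vlan_id, ("missing", "missing"))[0]
    if status == "missing":
        problems.append(f"interface Vlan{vlan_id} is not configured")
    elif status == "administratively down":
        problems.append(f"interface Vlan{vlan_id} is shut down")
    if not any(vlan_id in v for v in forwarding_vlans(show_int_trunk).values()):
        problems.append(f"no trunk port is in STP forwarding state for VLAN {vlan_id}")
    return problems
```

Running svi_diagnosis(10, SHOW_VLAN_BRIEF, SHOW_IP_INT_BRIEF, SHOW_INT_TRUNK) reports the missing VLAN and the missing forwarding state, the same two symptoms the trouble ticket walks through by hand.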

SVI Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in
the chapter. The purpose of these trouble tickets is to give a process that you can follow
when troubleshooting in the real world or in an exam environment. All trouble tickets in
this section are based on the topology depicted in Figure 6-5.

Figure 6-5 SVI Trouble Ticket Topology [figure: PC1 10.1.1.10/26 on SW2 Fa0/1 and PC2
10.1.1.74/26 on SW2 Fa0/2; SW2 Gig0/1 802.1q trunk to SW1 Gig1/0/1; SW1 SVI VLAN 10
IP 10.1.1.1 (10.1.1.0/26) and SVI VLAN 20 IP 10.1.1.65 (10.1.1.64/26)]

Trouble Ticket 6-3
Problem: PC1 is not able to access resources on PC2.

Let’s start this trouble ticket by verifying the problem. Example 6-19 verifies that PC1
cannot access resources on PC2 because the ping has failed.

Example 6-19 Failed Ping from PC1 to PC2
C:\PC1>ping 10.1.1.74
Pinging 10.1.1.74 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.1.74:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Next, we ping the default gateway for PC1, and the result is not successful either, as
shown in Example 6-20. This means that we have an issue between PC1 and the default
gateway.

Example 6-20 Failed Ping from PC1 to Default Gateway
C:\PC1>ping 10.1.1.1
Pinging 10.1.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Following a structured troubleshooting approach, you would verify the IP configuration
on PC1 as well as its MAC address using the ipconfig /all command. Example 6-21
indicates that the IP address, subnet mask, and default gateway are all correct based on
Figure 6-5. It also indicates that the MAC address is 0800.275d.06d6.

Example 6-21 Verifying PC1's Configuration with ipconfig /all
C:\PC1>ipconfig /all
...output omitted...
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . : 10.1.1.1
...output omitted...

Next, we verify that SW2 is learning the MAC address of PC1 on the correct interface
and that it is associated with the correct VLAN. Example 6-22 shows, using the command
show mac address-table dynamic, that the MAC address of PC1 (0800.275d.06d6) is
associated with Fa0/1 and VLAN 10.

Example 6-22 Verifying SW2 Has Learned the MAC Address of PC1 on Fa0/1 and
VLAN 10
SW2#show mac address-table dynamic
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
10 0800.275d.06d6 DYNAMIC Fa0/1
20 0800.27a2.ce47 DYNAMIC Fa0/2
20 2893.fe3a.e342 DYNAMIC Gi0/1
Total Mac Addresses for this criterion: 3

Next, we issue the show mac address-table dynamic command on SW1, as shown in
Example 6-23, to verify that the MAC address of PC1 is being learned on Gig1/0/1 and is
associated with VLAN 10. In this case, it is not being learned at all. In addition, reviewing
the output of Example 6-22 again shows that no MAC addresses for VLAN 10 are being
learned on the Gig0/1 interface of SW2. We should see the MAC address of the default
gateway for the 10.1.1.0/26 network associated with Gig0/1, but we don't.

Example 6-23 Verifying SW1 Has Learned the MAC Address of PC1 on Gig1/0/1 and
VLAN 10
SW1#show mac address-table dynamic
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
20 0800.27a2.ce47 DYNAMIC Gi1/0/1
Total Mac Addresses for this criterion: 1

Because SW1 is a Layer 3 switch, it should have an SVI for VLAN 10 with an IP address
associated with it in the up/up state. Issuing the command show ip interface brief |
include Vlan10, as shown in Example 6-24, indicates that the SVI exists on SW1, it has
the IP address 10.1.1.1, and it is up/down. Therefore, the issue in this trouble ticket is
causing MAC addresses not to be learned for VLAN 10 on SW1’s Gig1/0/1 and SW2’s
Gig0/1 interfaces and is causing the SVI on SW1 to be up/down.

Example 6-24 Verifying SVI Exists on SW1 and Its Status
SW1#show ip interface brief | include Vlan10|Interface
Interface IP-Address OK? Method Status Protocol
Vlan10 10.1.1.1 YES NVRAM up down

What causes an SVI's protocol state to be down?

■ The VLAN the SVI is created for does not exist locally on the switch.

■ The SVI is administratively shut down.

■ There is no switchport (access or trunk) that is up/up and in the spanning-tree
forwarding state for that specific VLAN.

What would cause MAC addresses not to be learned on trunk interfaces?

■ The trunk has mismatched encapsulations, modes, or native VLANs.

■ The trunk is manually or dynamically pruning traffic for the VLAN, causing spanning
tree to have no forwarding state for the VLAN.

■ The VLAN does not exist on the switch.

Let’s compare these two lists. What do they have in common?

■ The VLAN does not exist.

■ Spanning tree is not in the forwarding state for the VLAN on at least one interface.

On SW1, the show interfaces trunk command enables you to see the spanning-tree
forwarding state for each VLAN on Gig1/0/1. Example 6-25 shows the output of the
command show interfaces trunk on SW1 and highlights the fact that SW1 interface Gig1/0/1
is not in the spanning-tree forwarding state for VLAN 10, only for VLANs 1 and 20. If
you look further at the output, you see that VLAN 10 is not even listed among the
VLANs that are active in the management domain. This is a good indication that VLAN
10 does not exist on SW1.

Example 6-25 Output of show interfaces trunk on SW1
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi1/0/1 on 802.1q trunking 99

Port Vlans allowed on trunk
Gi1/0/1 1-4094

Port Vlans allowed and active in management domain
Gi1/0/1 1,20

Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 1,20

Reviewing the output of show vlan brief on SW1 confirms that VLAN 10 does not exist,
as shown in Example 6-26. Correcting this issue requires that you create the VLAN in
global configuration mode using the vlan 10 command.

Example 6-26 Output of show vlan brief on SW1
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4
Gi1/0/5, Gi1/0/6, Gi1/0/7
Gi1/0/8, Gi1/0/9, Gi1/0/10
Gi1/0/11, Gi1/0/12, Gi1/0/13
Gi1/0/14, Gi1/0/15, Gi1/0/16
Gi1/0/17, Gi1/0/18, Gi1/0/19
Gi1/0/20, Gi1/0/21, Gi1/0/22
Gi1/0/23, Gi1/0/24, Te1/0/1,
Te1/0/2
20 10.1.1.64/26 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

After you have corrected the issue, you want to confirm that the VLAN exists, as shown
in the show vlan brief output of Example 6-27. You also want to confirm that the output
of show interfaces trunk lists VLAN 10 among the active VLANs in the management domain
and that it is in the spanning-tree forwarding state and not pruned for interface
Gig1/0/1, as shown in Example 6-28. In addition, you want to verify that the SVI for
VLAN 10 is up/up by using the command show ip interface brief | include Vlan10, as shown
in Example 6-29.

Example 6-27 Output of show vlan brief on SW1 After Changes
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4
Gi1/0/5, Gi1/0/6, Gi1/0/7
Gi1/0/8, Gi1/0/9, Gi1/0/10
Gi1/0/11, Gi1/0/12, Gi1/0/13
Gi1/0/14, Gi1/0/15, Gi1/0/16
Gi1/0/17, Gi1/0/18, Gi1/0/19
Gi1/0/20, Gi1/0/21, Gi1/0/22
Gi1/0/23, Gi1/0/24, Te1/0/1,
Te1/0/2
10 10.1.1.0/26 active
20 10.1.1.64/26 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

Example 6-28 Output of show interfaces trunk on SW1 After Changes
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi1/0/1 on 802.1q trunking 99

Port Vlans allowed on trunk
Gi1/0/1 1-4094

Port Vlans allowed and active in management domain
Gi1/0/1 1,10,20

Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 1,10,20

Example 6-29 Output of show ip interface brief | include Vlan10 on SW1 After
Changes
SW1#show ip interface brief | include Vlan10|Interface
Interface IP-Address OK? Method Status Protocol
Vlan10 10.1.1.1 YES NVRAM up up

Finally, you want to verify that the problem is solved by successfully pinging from PC1 to
PC2. Example 6-30 shows that the problem is solved and that the ping is successful.

Example 6-30 Successful Ping from PC1 to PC2
C:\PC1>ping 10.1.1.74
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.74:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Trouble Ticket 6-4
Problem: PC1 is not able to access resources on PC2.

You start by verifying the problem, as shown in Example 6-31, which confirms (because
the ping has failed) that PC1 is unable to access resources on PC2. Next, you verify that
PC1 can reach its default gateway, as shown in Example 6-32; it can, since the ping was
successful. This confirms that no issue exists between PC1 and the default gateway.
Next, you verify that PC1 can reach the default gateway of VLAN 20, which is 10.1.1.65.
Example 6-33 confirms that PC1 is able to reach the default gateway of VLAN 20, since
that ping was successful as well.

Example 6-31 Failed Ping from PC1 to PC2
C:\PC1>ping 10.1.1.74
Pinging 10.1.1.74 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.1.74:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Example 6-32 Successful Ping from PC1 to VLAN 10 Default Gateway
C:\PC1>ping 10.1.1.1
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Example 6-33 Successful Ping from PC1 to VLAN 20 Default Gateway
C:\PC1>ping 10.1.1.65
Reply from 10.1.1.65: bytes=32 time<1ms TTL=128
Reply from 10.1.1.65: bytes=32 time<1ms TTL=128
Reply from 10.1.1.65: bytes=32 time<1ms TTL=128
Reply from 10.1.1.65: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.65:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Because all the pings so far were successful, the problem might lie between SW1 and
PC2. Let's ping from SW1 to PC2 to verify this. Example 6-34 provides the result of
issuing the ping 10.1.1.74 command on SW1. Notice that the ping is successful, which
disproves our hypothesis that a problem might exist between SW1 and PC2.

Example 6-34 Successful Ping from SW1 to PC2
SW1#ping 10.1.1.74
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.74, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/205/1015 ms

Let’s recap. PC1 can ping SVI 10, and PC2 can ping SVI 20. We also concluded that PC1
can ping SVI 20, which should mean that PC2 can ping SVI 10. Let’s double check by
pinging from PC2 to the IP address 10.1.1.1. As shown in Example 6-35, it is successful as
well.

Example 6-35 Successful Ping from PC2 to SVI 10
C:\PC2>ping 10.1.1.1
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

So, the pings are getting a little more than halfway to their destination. What is
required for the ping from PC1 to fully reach PC2? Routing. Remember how the SVIs work.
They are equivalent to router interfaces. Therefore, when you create an SVI, give it an
IP address, and it is up/up, an entry for the network that the SVI belongs to gets placed
in the routing table. Issuing the command show ip interface brief on SW1, as shown in
Example 6-36, confirms that the SVIs for VLAN 10 and VLAN 20 exist, they have the correct
IP addresses assigned to them, and they are up/up.

Example 6-36 Output of show ip interface brief on SW1
SW1#show ip interface brief | include Vlan|Interface
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan10 10.1.1.1 YES NVRAM up up
Vlan20 10.1.1.65 YES NVRAM up up

Let's check the routing table on SW1 with the command show ip route, as shown in
Example 6-37. The output of show ip route does not even look like a routing table. The
output of Example 6-37 should immediately lead you to the solution of this problem.

Example 6-37 Output of show ip route on SW1
SW1#show ip route
Default gateway is not set

Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty

The problem is that IP routing is not enabled on SW1. By default, on Layer 3 switches,
IP routing is disabled. Therefore, SW1 cannot route traffic. It can only respond to pings
that are sent to its local interfaces. To enable it, you execute the ip routing command
in global configuration mode. After you have enabled IP routing, you can issue the show
ip route command again on SW1 to verify that directly connected entries have been added
to the routing table for SVI VLAN 10 and SVI VLAN 20. Example 6-38 shows a routing
table that we are familiar with and the directly connected entries for VLAN 10 and
VLAN 20.

Example 6-38 Output of show ip route on SW1
SW1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C 10.1.1.0/26 is directly connected, Vlan10
L 10.1.1.1/32 is directly connected, Vlan10
C 10.1.1.64/26 is directly connected, Vlan20
L 10.1.1.65/32 is directly connected, Vlan20

Finally, we need to confirm that our solution solved the original issue, which was that
PC1 could not access resources on PC2. Pinging from PC1 to PC2, as shown in Example 6-39,
is successful, proving that we solved the issue.

Example 6-39 Successful Ping from PC1 to PC2
C:\PC1>ping 10.1.1.74
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.74:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Troubleshooting Routed Ports
Although SVIs can route between VLANs configured on a switch, a Layer 3 switch can be
configured to act more as a router (for example, in an environment where you are replacing
a router with a Layer 3 switch) by using routed ports on the switch. This section explains
how to configure routed ports on Layer 3 switches so that you can identify potential
problems during the troubleshooting process.

By default, the ports on many Layer 3 Cisco Catalyst switches operate as Layer 2
switchports. Therefore, you have to issue the no switchport command in interface
configuration mode to convert a switchport to a routed port. Figure 6-6 and Example 6-40
illustrate a Layer 3 switch with its Gigabit Ethernet 0/9 and 0/10 ports configured as
routed ports. You can verify whether a port is a routed port by using the show interfaces
interface_type interface_number switchport command, as also shown in Example 6-40. A
routed port will state Switchport: Disabled.

Figure 6-6 Routed Ports on a Layer 3 Switch [figure: SW1 routed ports Gig0/9
192.168.1.2/24 and Gig0/10 192.168.2.2/24, facing 192.168.1.1/24 and 192.168.2.1/24 on
the Gig0/0 interfaces of SW2 and R2]

168. ! interface GigabitEthernet0/9 no switchport ip address 192.2 255.2 255.1.168.. ■ Does not support subinterfaces like a router. ■ Does not run switchport protocols such as Spanning Tree Protocol (STP) or Dynamic Trunking Protocol (DTP).output omitted..255. Routed Ports Trouble Tickets This section presents various trouble tickets relating to the topics discussed earlier in the chapter...255.0 ! . ■ Useful for uplinks between Layer 3 switches or when connecting a Layer 3 switch to a router.2.234 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide Example 6-40 Configuration for Routed Ports on a Layer 3 Switch Key Topic SW1#show run . From the Library of Outcast Outcast .. SW1#show interfaces gigabitEthernet 0/10 switchport Name: Gi0/10 Switchport: Disabled The following list outlines the characteristics of routed ports: ■ Has no association with any VLAN. IP routing needs to be enabled.255. All trouble tickets in this section are based on the topology depicted in Figure 6-7..0 ! interface GigabitEthernet0/10 no switchport ip address 192.255. ■ To route from one routed port to another or a routed port to an SVI and vice versa.output omitted... ■ Physical switchport that has Layer 3 (routing) capabilities. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment.

Figure 6-7 Routed Ports Trouble Tickets Topology [figure: PC1 10.1.1.10/26 on SW2 Fa0/1
and PC2 10.1.1.74/26 on SW2 Fa0/2; SW2 Gig0/1 802.1q trunk to SW1 Gig1/0/1; SW1 SVI
VLAN 10 10.1.1.1/26 and SVI VLAN 20 10.1.1.65/26; SW1 Gig1/0/10 10.10.10.2 to R1 Gig1/0
10.10.10.1 on 10.10.10.0/24; R1 to the Internet]

Trouble Ticket 6-5
Problem: PC1 and PC2 are not able to access resources outside their subnet.

You must always be sure that you fully understand the problem that is being submitted.
Therefore, you always need to further define the problem to make sure that it is accurate.
You ping from PC1 to PC2, and it is successful. You ping from PC1 to its default gateway,
and it is successful. You ping from PC2 to its default gateway, and it is successful. You
ping from PC1 to the Internet, and it fails. You ping from PC2 to the Internet, and it
fails. Pinging from PC1 and PC2 to R1's Gig1/0 interface fails. Therefore, the problem
statement can be changed to read as follows:

Problem: PC1 and PC2 are not able to access resources beyond SW1. They are able to
access each other.

This clarification allows us to focus our attention from SW1 onward, skipping all the
Layer 2 troubleshooting between the PCs and SW1. On SW1, you ping 10.10.10.1, as shown
in Example 6-41, and it fails.

Example 6-41 Failed Ping from SW1 to R1
SW1#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Next you issue the show ip interface brief command on SW1, as shown in Example 6-42, to
verify that the correct IP address is configured on interface Gig1/0/10 and that it is
up/up. The output shows that there is no IP address configured on Gig1/0/10 and that the
interface is up/up.

Example 6-42 Output of show ip interface brief on SW1
SW1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
...output omitted...
GigabitEthernet1/0/9 unassigned YES unset down down
GigabitEthernet1/0/10 unassigned YES unset up up
GigabitEthernet1/0/11 unassigned YES unset down down
...output omitted...

You enter interface configuration mode for Gig1/0/10 and issue the command ip address
10.10.10.2 255.255.255.0, as shown in Example 6-43. You receive the error message
displayed in Example 6-43. This is a good indication that it is a Layer 2 switchport. You
confirm this by issuing the show interface Gig1/0/10 switchport command. The output
displayed in Example 6-44 indicates that it is indeed a Layer 2 switchport because the
output states Switchport: Enabled. If it stated Switchport: Disabled, this would indicate
that it is a routed port.

Example 6-43 Error Message on SW1
SW1#config t
SW1(config)#interface gig 1/0/10
SW1(config-if)#ip address 10.10.10.2 255.255.255.0
^
% Invalid input detected at '^' marker.

Example 6-44 Output of the show interfaces gig1/0/10 switchport Command on SW1
SW1#show interfaces gig1/0/10 switchport
Name: Gi1/0/10
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
...output omitted...

As shown in Example 6-43, you are not able to configure an IP address on Gig1/0/10. To
assign an IP address to a switchport on a Layer 3 switch, you need to convert it to a
routed port using the no switchport command in interface configuration mode, as shown in
Example 6-45. Also in Example 6-45, you can see that the ip address command was
successfully executed after the no switchport command was entered.

Example 6-45 Configuring a Routed Port on SW1
SW1#config t
SW1(config)#interface gig 1/0/10
SW1(config-if)#no switchport
SW1(config-if)#ip address 10.10.10.2 255.255.255.0

Now the ping from SW1 to R1 is successful, as displayed in Example 6-46. Also, the pings
from PC1 and PC2 to the Internet are successful (not displayed).

Example 6-46 Successful Ping from SW1 to R1
SW1#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 9/14/17 ms

Troubleshooting Layer 3 EtherChannel
Chapter 5 discussed how to troubleshoot Layer 2 EtherChannels between Layer 2
switchports on Cisco Catalyst switches. When you have multiple routed ports on Layer 3
switches, you can bundle them together to create Layer 3 EtherChannels. This section
focuses on the Layer 3 EtherChannel requirements and how you can successfully
troubleshoot issues relating to it.

An EtherChannel logically combines the bandwidth of multiple physical interfaces into a
logical connection between switches, as illustrated in Figure 6-8. Figure 6-8 shows four
Gigabit Ethernet routed ports logically bonded into a single EtherChannel link known as a
port channel. With Layer 3 EtherChannel, there is no need to worry about trunk mode,
native VLAN configurations, and allowed VLAN configurations because we use routed ports,
which are Layer 3 ports that do not care about those parameters.

Figure 6-8 Layer 3 EtherChannel [figure: SW1 routed ports Gig 0/1-4 bundled to SW2
routed ports Gig 0/1-4]

Following are common troubleshooting targets to consider when troubleshooting a Layer 3
EtherChannel issue:

■ Mismatched port configurations: The configurations of all ports making up an
EtherChannel, on both switches, should be identical. Specifically, all ports should have
the same speed, duplex, and port type (Layer 2 or Layer 3).

■ Port type during configuration: Creating an EtherChannel with the channel-group
command before the port channel is created will automatically create the port channel
with the same state as the physical ports bundled in the channel group. For example, if
the physical interfaces are Layer 2 switchports, the port channel will be a Layer 2 port
channel. If the physical interfaces are Layer 3 interfaces, the port channel will be a
Layer 3 port channel. Order of operations is more important with Layer 3 EtherChannel than
with Layer 2 EtherChannel. Therefore, it is imperative that you either make the physical
interfaces routed ports with the no switchport command before creating the bundle, or
create the Layer 3 port channel with the interface port-channel interface_number command
and issue the no switchport command in interface configuration mode before you configure
the physical interfaces with the channel-group command.

■ Mismatched EtherChannel configuration: Both switches forming the EtherChannel should
be configured for the same EtherChannel negotiation protocol. The options are Link
Aggregation Control Protocol (LACP) and Port Aggregation Protocol (PAgP). If you prefer
to statically configure EtherChannel, there is the on option as well. Table 6-2 identifies
which options can be configured on each switch to successfully form an EtherChannel.

■ Inappropriate EtherChannel distribution algorithm: EtherChannel determines which
physical link to use to transmit frames based on a hash calculation. For example, a hash
calculation might be based only on the destination MAC address of a frame. If the frames
are destined for only a few different MAC addresses, the load distribution could be
uneven. The hashing approach selected should distribute the load fairly evenly across all
physical links.

Table 6-2 Options for Successfully Forming an EtherChannel

                                        SW1 MODE
                     PAgP Desirable  PAgP Auto  LACP Active  LACP Passive  On
SW2   PAgP Desirable Yes             Yes        No           No            No
MODE  PAgP Auto      Yes             No         No           No            No
      LACP Active    No              No         Yes          Yes           No
      LACP Passive   No              No         Yes          No            No
      On             No              No         No           No            Yes

Verifying an EtherChannel bundle is done with the show etherchannel summary command, as
shown in Example 6-47. With this output, you can verify the group number, the logical port
channel number for the group, the status of the port channel, the protocol that was used,
the ports in the bundle, and the status of the ports. In this example, the logical port
channel is port channel 1, it is a Layer 3 port channel, and it is in use (as indicated by
the RU). This is what you want to see; if you see any other combination, it means that you
have a misconfiguration that is preventing the port channel from going up. Link
Aggregation Control Protocol (LACP) was used as the protocol in this example, and Gig1/0/5
and 1/0/6 are bundled in the port channel, as indicated by the P. Again, you want to see P
listed by the ports; if you see anything else, it means that you have a configuration
issue that is preventing the port from being bundled. The only other option I would like
to see beside the ports is H, which is used with LACP when you have more than eight ports
in the bundle. When you have more than eight ports with LACP, the additional ports are
placed in the standby state and used only if one of the main eight goes down.

Example 6-47 Output of show etherchannel summary
SW1#show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+--------------------------------------
1 Po1(RU) LACP Gi1/0/5(P) Gi1/0/6(P)

Layer 3 EtherChannel Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in
the chapter. The purpose of these trouble tickets is to give a process that you can follow
when troubleshooting in the real world or in an exam environment. All trouble tickets in
this section are based on the topology depicted in Figure 6-9.

down P . Do you see the issue? Example 6-48 SW1 show etherchannel summary Output SW1#show etherchannel summary Flags: D .240 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide Core Gi1/0/5 Gi1/0/5 SW1 SW2 Gi1/0/6 Gi1/0/6 Gi1/0/1 Layer 3 EtherChannel Gi1/0/2 Gi0/1 Gi0/2 Fa0/1 Figure 6-9 EtherChannel Trouble Tickets Topology Trouble Ticket 6-6 Problem: A junior network administrator has approached you indicating that the Layer 3 EtherChannel they are trying to form between SW1 and SW2 is not forming. Reviewing the flags on SW2 in Example 6-49 indicates that ports are suspended and that the port channel is Layer 3 down.not in use. Reviewing the flags on SW1 in Example 6-48 indicates that the ports are in standalone and that the port channel is Layer 2 down.failed to allocate aggregator M .in use f . You need to solve this issue for them.bundled in port-channel I .Hot-standby (LACP only) R .waiting to be aggregated From the Library of Outcast Outcast .Layer3 S . as shown in Example 6-48 and Example 6-49. minimum links not met u .Layer2 U .suspended H .unsuitable for bundling w .stand-alone s . Your first step is to verify the EtherChannel configuration on SW1 and SW2 using the show etherchannel summary command.

the junior network administrator forgot the no switchport command on SW1.in use f .not in use. as shown in Example 6-50.default port Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------- 1 Po1(SD) LACP Gi1/0/5(I) Gi1/0/6(I) Example 6-49 SW2 show etherchannel summary Output SW2#show etherchannel summary Flags: D . minimum links not met u .default port Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------- 1 Po1(RD) LACP Gi1/0/5(s) Gi1/0/6(s) It appears that our junior network administrator failed to create a Layer 3 EtherChannel on SW1.stand-alone s . Therefore.Hot-standby (LACP only) R .Layer3 S .bundled in port-channel I .down P .waiting to be aggregated d .unsuitable for bundling w . Example 6-50 SW1 show run interface Output SW1#show run int gig 1/0/5 ! interface GigabitEthernet1/0/5 switchport trunk encapsulation dot1q switchport mode trunk switchport nonegotiate channel-group 1 mode active end SW1#show run int gig 1/0/6 ! interface GigabitEthernet1/0/6 From the Library of Outcast Outcast . the physical ports and the port channel must be routed ports. Chapter 6: Troubleshooting Inter-VLAN Routing and Layer 3 EtherChannels 241 d .suspended H .Layer2 U .failed to allocate aggregator M . If you recall. to create a Layer 3 EtherChannel.

failed to allocate aggregator M .Hot-standby (LACP only) R .Hot-standby (LACP only) R .242 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide switchport trunk encapsulation dot1q switchport mode trunk switchport nonegotiate channel-group 1 mode active end SW1#show run int port-channel 1 ! interface Port-channel1 end To solve this issue.unsuitable for bundling w .down P .stand-alone s .bundled in port-channel I .down P . and then issue the channel-group mode command on Gig1/0/5 and Gig1/0/6. convert Gig1/0/5 and Gig1/0/6 to routed ports with the no switchport command.waiting to be aggregated d .not in use.waiting to be aggregated d .suspended H .suspended H . minimum links not met u . Example 6-51 SW1 and SW2 show etherchannel summary Output SW1#show etherchannel summary Flags: D .unsuitable for bundling w .Layer3 S .Layer2 U .in use f .bundled in port-channel I . Notice how the ports are bundled in the port channel and that the port channel is Layer 3 in use.not in use.stand-alone s . Example 6-51 confirms that the Layer 3 EtherChannel bundle is now formed. you need to remove the port channel and channel group configura- tion from SW1. minimum links not met u .in use f .default port From the Library of Outcast Outcast .failed to allocate aggregator M .default port Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------- 1 Po1(RU) LACP Gi1/0/5(P) Gi1/0/6(P) ! SW2#show etherchannel summary Flags: D .Layer2 U .Layer3 S . which will create the bundle and the Layer 3 port channel.

Chapter 6: Troubleshooting Inter-VLAN Routing and Layer 3 EtherChannels 243 Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------- 1 Po1(RU) LACP Gi1/0/5(P) Gi1/0/6(P) From the Library of Outcast Outcast .
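The flag checks walked through above can be scripted against saved command output. The following Python script is an added example written for this edition; it is not code from the book or from Cisco. It parses the Group/Port-channel/Protocol/Ports rows of show etherchannel summary, decodes the flags with the legend the command prints, reports any port that is not P (H is accepted only on an LACP bundle, where it marks a standby link) and any port channel that is not in use, and compares the two ends of a bundle for the Layer 2 / Layer 3 mismatch seen in Trouble Ticket 6-6. The sample outputs embedded in it are constructed from Examples 6-48, 6-49 and 6-51; all function names are the example's own.

```python
import re

# Legend printed at the top of show etherchannel summary (IOS).
PORT_FLAGS = {
    "P": "bundled in port-channel", "I": "stand-alone", "s": "suspended",
    "H": "Hot-standby (LACP only)", "D": "down",
    "w": "waiting to be aggregated", "d": "default port",
}
CHANNEL_FLAGS = {
    "R": "Layer3", "S": "Layer2", "U": "in use", "D": "down",
    "f": "failed to allocate aggregator", "M": "not in use, minimum links not met",
    "u": "unsuitable for bundling",
}

ROW_RE = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s*(.*)$")
PORT_RE = re.compile(r"(\S+?)\(([A-Za-z]+)\)")

# Constructed sample output: SW1 and SW2 as in Trouble Ticket 6-6 before the
# fix (Examples 6-48 and 6-49), and the healthy bundle of Example 6-51.
SW1_BROKEN = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(I)
"""
SW2_BROKEN = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(RD)         LACP      Gi1/0/5(s)  Gi1/0/6(s)
"""
HEALTHY = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(RU)         LACP      Gi1/0/5(P)  Gi1/0/6(P)
"""


def parse_summary(text):
    """Return one dict per channel-group row of show etherchannel summary."""
    groups = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        group, po, po_flags, proto, rest = m.groups()
        groups.append({
            "group": int(group), "po": po, "flags": po_flags, "protocol": proto,
            "ports": PORT_RE.findall(rest),   # list of (port, flags) tuples
        })
    return groups


def layer(group):
    """'Layer3' for R in the port-channel flags, 'Layer2' for S, else 'unknown'."""
    flags = group["flags"]
    return "Layer3" if "R" in flags else "Layer2" if "S" in flags else "unknown"


def diagnose(group):
    """List the problems visible in one channel-group row; [] means healthy."""
    issues = []
    flags = group["flags"]
    if "U" not in flags:
        meaning = ", ".join(CHANNEL_FLAGS.get(c, c) for c in flags)
        issues.append(f"{group['po']} is not in use ({flags}: {meaning})")
    for port, pflags in group["ports"]:
        # P is the only healthy state; H is fine on the standby links of a large LACP bundle.
        if pflags == "P" or (pflags == "H" and group["protocol"] == "LACP"):
            continue
        meaning = ", ".join(PORT_FLAGS.get(c, c) for c in pflags)
        issues.append(f"{port} is not bundled ({pflags}: {meaning})")
    return issues


def compare_ends(a, b):
    """Flag a Layer 2 / Layer 3 mismatch between the two ends of the same bundle."""
    la, lb = layer(a), layer(b)
    if la != lb:
        return (f"{a['po']} is {la} on one switch and {lb} on the other; "
                "both ends need the same port type (switchport or no switchport)")
    return None


if __name__ == "__main__":
    sw1, sw2 = parse_summary(SW1_BROKEN)[0], parse_summary(SW2_BROKEN)[0]
    for issue in diagnose(sw1) + diagnose(sw2) + [compare_ends(sw1, sw2)]:
        if issue:
            print(issue)
    print("after fix:", diagnose(parse_summary(HEALTHY)[0]) or "healthy")
```

Run on the two broken outputs it reports the stand-alone ports and Layer 2 down channel on SW1, the suspended ports and Layer 3 down channel on SW2, and the Layer 2 / Layer 3 mismatch between them; on the Example 6-51 output it reports nothing.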

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, “Final Preparation,” and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 6-3 lists a reference of these key topics and the page numbers on which each is found.

Table 6-3 Key Topics for Chapter 6

Key Topic Element   Description                                                      Page Number
Example 6-1         show run command output from R1                                  212
Example 6-2         show run command output from SW1                                 213
List                Describes issues that prevent inter-VLAN routing from            213
                    functioning with the router-on-a-stick approach
Example 6-17        SW1 SVI configuration                                            222
Example 6-18        Verifying the status of an SVI                                   223
List                Identifies the elements that must be true for an SVI to be up    224
Example 6-40        Configuration for routed ports on a Layer 3 switch               234
Paragraph           Identifies how to verify whether the port is a Layer 2           236
                    switchport or a routed port
List                Describes the common Layer 3 EtherChannel troubleshooting        237
                    targets
Table 6-2           Options for successfully forming an EtherChannel                 238

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary: Layer 3 switch, router-on-a-trunk/router-on-a-stick, switched virtual interface (SVI), routed port, Layer 3 EtherChannel

Complete Tables and Lists from Memory

Print a copy of Appendix C, “Memory Tables,” (found on the disc), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, “Memory Tables Answer Key,” also on the disc, includes completed tables and lists to check your work.

Show Command Reference to Check Your Memory

This section includes the show commands introduced in this chapter. It does not include the show commands that were used in this chapter but introduced in previous chapters. You will need to return to the previous chapters to review information relating to those show commands.

The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the show commands needed to successfully troubleshoot the topics presented in this chapter.

To test your memory of the commands, cover the right side of Table 6-4 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.

Table 6-4 show Commands Introduced in Chapter 6

Task                                                               Command Syntax
Displays the VLANs that are associated with a router's             show vlans
subinterfaces, in addition to the trunk encapsulation method
used on the router's subinterfaces.
Displays the Layer 1 and Layer 2 status of an SVI on an MLS        show interfaces [vlan {vlan-id}]
along with the IP address, subnet mask, and MAC address
associated with it.
If IPv4 routing is enabled on a Layer 3 switch, displays the       show ip route
contents of the IPv4 routing table.
Identifies if a switchport is operating as a Layer 2 switchport    show interfaces interface_type interface_number switchport
or a Layer 3 routed port.
Displays the status of port channels, in addition to the status    show etherchannel summary
of the ports within the port channel.

CHAPTER 7

Troubleshooting Switch Security Features

This chapter covers the following topics:

■ Troubleshooting Port Security: This section covers the various reasons why port security might not be performing as expected and how you can troubleshoot them.
■ Port Security Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.
■ Troubleshooting Spoof-Prevention Features: This section explains the purpose of DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard. In addition, you will learn what could cause these features not to perform as expected and how to troubleshoot them.
■ Spoof-Prevention Features Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.
■ Troubleshooting Layer 2 Access Control: This section examines how to troubleshoot misconfigurations related to protected ports, private VLANs, and VLAN Access Control Lists.

By default, switches are designed to provide connectivity. Therefore, out of the box, minimal security is applied. You can improve switch security by implementing features such as port security, DHCP snooping, dynamic Address Resolution Protocol (ARP) inspection, and IP Source Guard. In addition, by default, all traffic within a VLAN is free to flow between the switchports in the same VLAN. This might not be desired. Therefore, you can control the flow of traffic within the same VLAN with features such as protected ports, private VLANs, and VLAN access control lists (ACLs). However, with these added features come additional issues that you will need to be able to troubleshoot. This chapter covers all these features and explores the various reasons why you may be experiencing issues and how you can troubleshoot them.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 7-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 7-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section                     Questions
Troubleshooting Port Security                 1–3
Troubleshooting Spoof-Prevention Features     4–8
Troubleshooting Layer 2 Access Control        9–10

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which command enables you to verify the port status of a port security-enabled port?
a. show port-security
b. show port-security interface interface_type interface_number
c. show port-security address
d. show running-configuration

2. Which two of the following port security violation modes will generate a log message when a violation occurs?
a. Protect
b. Restrict
c. Shutdown
d. Disabled

3. Which two commands identify the ports that are in the err-disabled state if the err-disable recovery feature has not been enabled for port security?
a. show running-configuration
b. show interfaces
c. show interfaces status
d. show port-security address

4. What must be true for DHCP snooping to operate successfully? (Choose two.)
a. It must be enabled globally.
b. It must be enabled for specific VLANs.
c. The ports going to the DHCP servers need to be configured as untrusted.
d. The ports going to end stations must be configured as trusted.

5. Which command enables you to verify the IP address that has been given to each client from the DHCP server along with the interface they are connected to and the VLAN the interface is a member of?
a. show ip dhcp snooping
b. show ip dhcp snooping binding
c. show ip dhcp snooping database
d. show ip dhcp snooping statistics

6. What must be true for dynamic ARP inspection to operate successfully? (Choose two answers.)
a. DHCP snooping must be enabled globally.
b. DHCP snooping must be enabled for specific VLANs.
c. IP ARP inspection must be enabled for specific VLANs.
d. All interfaces, except for upstream interfaces, need to be configured as trusted interfaces.

7. How does IP Source Guard learn where valid source IPs are in the network?
a. ARP cache
b. MAC address table
c. DHCP snooping database
d. Routing table

8. Which command enables you to verify which interfaces have been configured with IP Source Guard?
a. show ip arp
b. show ip verify source
c. show interfaces status
d. show ip dhcp snooping binding

9. Which two of the following statements are true about PVLANs?
a. Isolated ports cannot communicate with other isolated ports.
b. Community ports cannot communicate with other community ports in the same community.
c. Community ports can communicate with other community ports in a different community.
d. Community ports cannot communicate with isolated ports and vice versa.

10. Which of the following has the ability to deny only FTP traffic between two devices in the same VLAN?
a. IP Source Guard
b. Protected ports
c. Private VLANs
d. VLAN ACL

Foundation Topics

Troubleshooting Port Security

The port security feature is designed to control a specific set/number of MAC addresses that will be learned on an interface. This helps to eliminate CAM table flooding attacks, where a malicious user attempts to overflow the CAM table by populating it with a large number of bogus MAC addresses. In addition, it ensures that only specific devices (based on MAC address) can connect to certain switchports. If an attack occurs, port security kicks in, preventing access; if not, port security keeps waiting. Therefore, port security is a must for all organizations to implement. However, as with all services and features, if something goes wrong, you will be troubleshooting. This section shows you how to identify and troubleshoot port security issues.

Common Port Security Issues

Usually, port security will perform as expected with minimal issues. Most issues arise from misconfigurations. The following is a listing of issues that may occur when working with port security:

■ Port security is configured but not enabled.
■ A static MAC address was not configured correctly.
■ The maximum number of MAC addresses has been reached.
■ Legitimate users are being blocked because of a violation.
■ Running configuration not saved to startup configuration.

Port Security Configured but Not Enabled

Example 7-1 provides a port security configuration on interface Fast Ethernet 0/1 of an access layer switch. Notice that all commands start with switchport port-security. However, if you fail to include the bare switchport port-security command itself (the line with no keyword after it), port security is not enabled on the interface regardless of the rest of the configuration specified; the maximum, violation mode and MAC address settings are stored but never take effect.

Example 7-1 Sample Port Security Configuration

SW1#show running-config interface fastEthernet 0/1
Building configuration...

Current configuration : 456 bytes
!
interface FastEthernet0/1
 switchport access vlan 10

 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d6

In this case, Fast Ethernet 0/1 is enabled for port security. Use the commands show port-security and show port-security interface interface_type interface_number to verify whether port security is enabled on an interface, as shown in Example 7-2.

Example 7-2 Verifying Port Security Is Enabled on an Interface

SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192

SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0800.275d.06d6:10
Security Violation Count   : 0

Static MAC Address Not Configured Correctly

If you have implemented port security by defining MAC addresses statically, it is imperative that they are accurate. If a user complains that he cannot access the network after receiving a new computer and your network relies on static port security addresses, you more than likely forgot to change the port security static MAC address. Example 7-3 identifies the static MAC address configuration for 0800.275d.06d6.

Example 7-3 Sample Static MAC Address Port Security Configuration

SW1#show running-config interface fastEthernet 0/1
Building configuration...

Current configuration : 456 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d6

Using the show port-security address command reveals the static MAC address configured for the interfaces, as shown in Example 7-4. In this example, the MAC address 0800.275d.06d6 is a statically configured (SecureConfigured) port security MAC address for Fa0/1 and VLAN 10. You need to compare this to the MAC address of the PC connected to the port with the ipconfig /all command, as shown in Example 7-5. (This is where accurate documentation is helpful.) The show port-security address command will also identify the dynamically learned port security MAC addresses and the sticky secure MAC addresses.

Example 7-4 Verifying Static Addresses Associated with Interfaces

SW1#show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0050.b607.657a    SecureSticky                  Fa0/1        -
  10    0800.275d.06d6    SecureConfigured              Fa0/1        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192

Example 7-5 Verifying MAC Address of PC

PC1#ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : pc1
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Broadcast

   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter PC1 Lab:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
   Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
   Dhcp Enabled. . . . . . . . . . . : No
...output omitted...

Maximum Number of MAC Addresses Reached

By default, when port security is enabled, only one MAC address will be allowed. Therefore, if you need more than one MAC address, you have to specify the number with the switchport port-security maximum number command, as shown in Example 7-6. In this case, the maximum number was set to 2 so that two devices could communicate through the interface.

Example 7-6 Identifying the Maximum Number of MAC Addresses Allowed

SW1#show running-config interface fastEthernet 0/1
Building configuration...

Current configuration : 456 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d6

You can verify the maximum number of MAC addresses allowed on an interface with the show port-security and show port-security interface interface_type interface_number commands. As shown in Example 7-7, two MACs are allowed, and two have been learned.

Example 7-7 Identifying the Maximum Number of MAC Addresses Allowed

SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  0         Restrict

---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192

SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0800.275d.06d6:10
Security Violation Count   : 0

Legitimate Users Being Blocked Because of Violation

You need to make sure that you have the correct number of MAC addresses specified. If the number is not correct, a violation will occur if more than the specified number of MAC addresses are seen on the port. The violation will occur regardless of the additional MAC addresses being accidental or malicious. Three different violation modes exist:

■ Protect: Any frame from the MAC addresses in violation is dropped without a notification, and the violation count is not incremented.
■ Restrict: Any frame from the MAC addresses in violation is dropped, log messages are generated, and the violation count is incremented.
■ Shutdown: When a violation occurs, the port is placed in the err-disabled state, and any frame from any MAC address will be dropped. In addition, log messages are generated.

Tip You can remember that these get more severe in alphabetic order (P/R/S) (drop/drop&alert/shutdown&alert).

Because protect mode generates neither a log message nor a counter increment, it leaves no evidence that an extra MAC address ever appeared on the port; if you intend to detect the condition rather than only block it, restrict or shutdown is the mode you want.

You can verify whether there is a violation by using the show port-security and show port-security interface interface_type interface_number commands, as shown in Example 7-8. In this case, there is currently no violation. However, if there were, the security violation count would increment, and because the violation mode is Restrict, log messages would be generated. In addition, any frame from the MAC addresses in violation would be dropped.
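The checks of Examples 7-2 through 7-7 can be pulled together into one script. The following Python is an added example written for this edition; it is not code from the book or from Cisco. It parses show port-security interface and show port-security address, normalizes a MAC address copied from ipconfig /all (08-00-27-5D-06-D6) into the 0800.275d.06d6 form the switch uses, and reports whether port security is actually enabled, whether the port is in a violation, and whether a given host MAC is among the secure addresses, distinguishing a port that still has room from one already at its maximum, which is the new-PC scenario of the static-address section. The sample outputs are constructed from Examples 7-2 and 7-4; all function names are the example's own.

```python
import re

# Constructed sample output, modelled on Examples 7-2 and 7-4.
INTERFACE_OK = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0800.275d.06d6:10
Security Violation Count   : 0
"""
INTERFACE_OFF = "Port Security              : Disabled\nPort Status                : Secure-down\n"
ADDRESSES = """\
Vlan    Mac Address       Type                          Ports   Remaining Age
----    -----------       ----                          -----   -------------
  10    0050.b607.657a    SecureSticky                  Fa0/1        -
  10    0800.275d.06d6    SecureConfigured              Fa0/1        -
"""

ADDR_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)")


def parse_interface(text):
    """Parse the 'Key : Value' lines of show port-security interface into a dict."""
    info = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, _, value = line.partition(" : ")   # first ' : ' keeps 'Address:Vlan' intact
        info[key.strip()] = value.strip()
    return info


def normalize_mac(mac):
    """Canonicalize 08-00-27-5D-06-D6, 08:00:27:5d:06:d6 or 0800.275d.06d6 to Cisco dotted form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_addresses(text):
    """Rows of show port-security address as dicts (vlan, mac, type, port)."""
    rows = []
    for line in text.splitlines():
        m = ADDR_ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append({"vlan": int(vlan), "mac": mac, "type": kind, "port": port})
    return rows


def check_port(interface_text, address_text, port, host_mac):
    """Run this section's checks against one port; returns [] when all is well."""
    info = parse_interface(interface_text)
    if info.get("Port Security") != "Enabled":
        return [f"port security is not enabled on {port}: the bare "
                "'switchport port-security' command is missing"]
    problems = []
    if info.get("Port Status") != "Secure-up":
        problems.append(f"{port} status is {info.get('Port Status')}")
    if int(info.get("Security Violation Count", "0")) > 0:
        problems.append(f"{info['Security Violation Count']} violation(s) on {port}, "
                        f"mode {info.get('Violation Mode')}")
    maximum = int(info["Maximum MAC Addresses"])
    total = int(info["Total MAC Addresses"])
    secured = {r["mac"] for r in parse_addresses(address_text) if r["port"] == port}
    wanted = normalize_mac(host_mac)
    if wanted not in secured:
        if total >= maximum:
            problems.append(f"host {wanted} is not a secure address on {port} and the port "
                            f"already holds its maximum of {maximum}; the new host will "
                            "trigger a violation until the stale static/sticky entry is replaced")
        else:
            problems.append(f"host {wanted} is not yet a secure address on {port}; "
                            f"it will be learned ({total}/{maximum} used)")
    return problems


if __name__ == "__main__":
    print(check_port(INTERFACE_OK, ADDRESSES, "Fa0/1", "08-00-27-5D-06-D6") or "ok")
    print(check_port(INTERFACE_OK, ADDRESSES, "Fa0/1", "08-00-27-A2-CE-47"))
    print(check_port(INTERFACE_OFF, ADDRESSES, "Fa0/1", "08-00-27-5D-06-D6"))
```

The second call uses the MAC address of the offending host from the violation messages later in this section as the "new PC": because the port already holds its maximum of two secure addresses, the script reports that the new host will trip a violation until the old entry is replaced, which is exactly the complaint described under Static MAC Address Not Configured Correctly.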

Example 7-8 Identifying Security Violations

SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192

SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0800.275d.06d6:10
Security Violation Count   : 0

If the violation mode is set to shutdown and a violation occurs, the port is placed in the err-disabled state, as displayed in the following syslog messages, and the port status shows Secure-shutdown, as shown in Example 7-9:

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.27a2.ce47 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

Example 7-9 Example Port That Has Been Shut Down and Placed in the Err-Disable State

SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute

SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0800.27a2.ce47:10
Security Violation Count   : 1

To verify ports that are in the err-disabled state, use the command show interfaces status, as shown in Example 7-10. You can also use the show interfaces interface_type interface_number command. As you can see, Fa0/1 is in the err-disabled state. However, it does not tell you what caused the err-disabled state. Example 7-11 displays all the different services that can cause a port to go into the err-disabled state. Notice that they are all enabled by default and that port security is one of them (psecure-violation).

Example 7-10 Identifying Ports in the Err-Disabled State

SW1#show interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        err-disabled 10           auto   auto 10/100BaseTX
Fa0/2                        connected    10         a-full  a-100 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/4                        notconnect   1            auto   auto 10/100BaseTX
Fa0/5                        notconnect   1            auto   auto 10/100BaseTX
Fa0/6                        notconnect   1            auto   auto 10/100BaseTX
...output omitted...

SW1#show interfaces fastEthernet 0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 081f.f34e.b801 (bia 081f.f34e.b801)
...output omitted...

Example 7-11 Identifying Which Services Are Enabled for Err-Disable

SW1#show errdisable detect
ErrDisable Reason            Detection Mode
-----------------            --------------
arp-inspection               Enabled  port
bpduguard                    Enabled  port
channel-misconfig (STP)      Enabled  port
community-limit              Enabled  port
dhcp-rate-limit              Enabled  port
dtp-flap                     Enabled  port
gbic-invalid                 Enabled  port
iif-reg-failure              Enabled  port
inline-power                 Enabled  port
invalid-policy               Enabled  port

link-flap                    Enabled  port
loopback                     Enabled  port
lsgroup                      Enabled  port
mac-limit                    Enabled  port
pagp-flap                    Enabled  port
port-mode-failure            Enabled  port
pppoe-ia-rate-limit          Enabled  port
psecure-violation            Enabled  port/vlan
security-violation           Enabled  port
sfp-config-mismatch          Enabled  port
sgacl_limitation             Enabled  port
small-frame                  Enabled  port
storm-control                Enabled  port
udld                         Enabled  port
vmps                         Enabled  port
psp                          Enabled  port

The best way to determine why a port is in the err-disabled state is to review syslog messages. In this case, the message text clearly states it was caused by a port security violation. These messages are logged at severity level 4, and the mnemonic is ERR_DISABLE. Make sure that logging to the console or terminal lines is enabled, and do not forget about the terminal monitor command if you are using Telnet or Secure Shell (SSH).

Tip If for some reason you do not have access to the syslog messages, bounce (shut/no shut) the interface that is err-disabled. By doing so, after the interface is enabled, the error will be detected again, which will generate a syslog message. This process is shown in Example 7-12, and you can see that the port was err-disabled due to a port security violation. Keep in mind that bouncing the port briefly opens it to whatever is attached; in shutdown mode the first offending frame closes it again, as the messages show.

Example 7-12 Bouncing the Interface to Determine Why It Is Err-Disabled

SW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface fastEthernet 0/1
SW1(config-if)#shut
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
SW1(config-if)#no shut
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
SW1(config-if)#
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.27a2.ce47 on port FastEthernet0/1.
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
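The triage just described (show interfaces status to find the err-disabled port, then the %PM-4-ERR_DISABLE and %PORT_SECURITY-2-PSECURE_VIOLATION messages to find the cause and the offending MAC address) can be run against a captured log. The following Python script is an added example written for this edition; it is not code from the book or from Cisco. It maps the long interface name in the port security message (FastEthernet0/1) onto the short form used by show interfaces status and the %PM message (Fa0/1), joins the two sources, and for an err-disabled port with no matching message says that a bounce is needed to regenerate it. The sample output and log lines are constructed from Examples 7-10 and 7-12; all function names are the example's own.

```python
import re

STATUS_ROW = re.compile(
    r"^(?P<port>\S+)\s+(?:(?P<name>.*?)\s+)?"
    r"(?P<status>err-disabled|connected|notconnect|disabled)\s+(?P<vlan>\S+)")
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (?P<reason>\S+) error detected on (?P<port>\S+),")
PSECURE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
                     r"(?P<mac>[0-9a-f.]+) on port (?P<port>\S+?)\.?$")

# Constructed sample output modelled on Examples 7-10 and 7-12.
STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        err-disabled 10           auto   auto 10/100BaseTX
Fa0/2                        connected    10         a-full  a-100 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
"""
SYSLOG = """\
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.27a2.ce47 on port FastEthernet0/1.
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
"""


def short_name(port):
    """FastEthernet0/1 -> Fa0/1, the form used by show interfaces status and %PM messages."""
    for long, short in (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"),
                        ("FastEthernet", "Fa")):
        if port.startswith(long):
            return short + port[len(long):]
    return port


def errdisabled_ports(status_text):
    """Ports whose Status column reads err-disabled in show interfaces status."""
    return [m.group("port") for line in status_text.splitlines()
            if (m := STATUS_ROW.match(line)) and m.group("status") == "err-disabled"]


def errdisable_evidence(syslog_text):
    """Map port -> {'reason', 'mac'} from %PM-4-ERR_DISABLE and PSECURE_VIOLATION messages."""
    evidence = {}
    for line in syslog_text.splitlines():
        if m := ERR_DISABLE.search(line):
            evidence.setdefault(m.group("port"), {})["reason"] = m.group("reason")
        elif m := PSECURE.search(line):
            # The port security message uses the long interface name; normalize it.
            evidence.setdefault(short_name(m.group("port")), {})["mac"] = m.group("mac")
    return evidence


def triage(status_text, syslog_text):
    """For every err-disabled port, report the cause from syslog or that a bounce is needed."""
    evidence = errdisable_evidence(syslog_text)
    report = {}
    for port in errdisabled_ports(status_text):
        found = evidence.get(port, {})
        report[port] = {
            "reason": found.get("reason", "unknown: no ERR_DISABLE message captured; "
                                          "shut/no shut the port to regenerate it"),
            "mac": found.get("mac"),
        }
    return report


if __name__ == "__main__":
    for port, detail in triage(STATUS, SYSLOG).items():
        print(f"{port}: {detail['reason']} (offending MAC {detail['mac']})")
```

With the log from Example 7-12 the report for Fa0/1 names psecure-violation and the MAC address 0800.27a2.ce47; with an empty log it still lists Fa0/1 but tells you to bounce the port, which is the Tip above.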

If you are relying on the err-disable recovery feature to enable interfaces once the violation is no longer detected, you can verify the status of the feature with the show errdisable recovery command, as shown in Example 7-13. This example displays all the different options available on a Catalyst 2960 switch. Notice that the err-disable recovery feature is disabled by default for all the different services and features. Therefore, if you need to use it, it has to be manually enabled by you.

Example 7-13 Verifying the Err-Disable Recovery Feature

SW1#show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
link-flap                    Disabled
mac-limit                    Disabled
loopback                     Disabled
pagp-flap                    Disabled
port-mode-failure            Disabled
pppoe-ia-rate-limit          Disabled
psecure-violation            Disabled
security-violation           Disabled
sfp-config-mismatch          Disabled
small-frame                  Disabled
storm-control                Disabled
udld                         Disabled
vmps                         Disabled
psp                          Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

To enable err-disable recovery for a specific feature or service, issue the errdisable recovery cause service/feature global configuration command, as shown in Example 7-14.

Example 7-14 Enabling the Err-Disable Recovery Feature

SW1(config)#errdisable recovery cause ?
  all                  Enable timer to recover from all error causes
  arp-inspection       Enable timer to recover from arp inspection error disable state
  bpduguard            Enable timer to recover from BPDU Guard error

  channel-misconfig (STP)  Enable timer to recover from channel misconfig error
  dhcp-rate-limit      Enable timer to recover from dhcp-rate-limit error
  dtp-flap             Enable timer to recover from dtp-flap error
  gbic-invalid         Enable timer to recover from invalid GBIC error
  inline-power         Enable timer to recover from inline-power error
  link-flap            Enable timer to recover from link-flap error
  loopback             Enable timer to recover from loopback error
  mac-limit            Enable timer to recover from mac limit disable state
  pagp-flap            Enable timer to recover from pagp-flap error
  port-mode-failure    Enable timer to recover from port mode change failure
  pppoe-ia-rate-limit  Enable timer to recover from PPPoE IA rate-limit error
  psecure-violation    Enable timer to recover from psecure violation error
  psp                  Enable timer to recover from psp
  security-violation   Enable timer to recover from 802.1x violation error
  sfp-config-mismatch  Enable timer to recover from SFP config mismatch error
  small-frame          Enable timer to recover from small frame error
  storm-control        Enable timer to recover from storm-control error
  udld                 Enable timer to recover from udld error
  vmps                 Enable timer to recover from vmps shutdown error

When using the err-disable recovery feature, you have an extra piece of information you can use. Suppose, for instance, that you enable it for port security. At the bottom of the show errdisable recovery output, as shown in Example 7-15, information identifies what interface is err-disabled and why. It also indicates how much time is left until the port is automatically enabled. If the violation still exists at that point, it will be err-disabled again. This makes it easier for you to troubleshoot what caused the port to be err-disabled. A port that keeps reappearing in this list every timer interval is therefore a standing problem to investigate, not a transient one.

Example 7-15 Verifying the Err-Disable Reason

SW1#show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
link-flap                    Disabled
mac-limit                    Disabled
loopback                     Disabled
pagp-flap                    Disabled

port-mode-failure            Disabled
pppoe-ia-rate-limit          Disabled
psecure-violation            Enabled
security-violation           Disabled
sfp-config-mismatch          Disabled
small-frame                  Disabled
storm-control                Disabled
udld                         Disabled
vmps                         Disabled
psp                          Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
---------      -----------------      --------------
Fa0/1          psecure-violation      85

Running Configuration Not Saved to Startup Configuration

This is pretty obvious: If you fail to save the running configuration to the NVRAM, the port security configuration will no longer be available when the switch reboots. However, many administrators who use the port security sticky feature forget about saving the configuration when a new PC is added. The sticky feature allows the switch to dynamically learn MAC addresses and then place the MAC address in the configuration just like they had been statically configured. Example 7-16 displays the port security sticky configuration on a switch. Notice how the sticky feature was enabled with the switchport port-security mac-address sticky command. Once the MAC address 0050.b607.657a was learned by the switch on interface Fast Ethernet 0/1, the switch placed it in the configuration with the switchport port-security mac-address sticky 0050.b607.657a command. You now need to save the configuration; otherwise, the sticky-learned MAC address will not be in the configuration if the switch reboots.

Example 7-16 Port Security Sticky Configuration

SW1#show running-config interface fastEthernet 0/1
Building configuration...

Current configuration : 456 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security

 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d6

Port Security Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 7-1.

Figure 7-1 Port Security Trouble Ticket Topology (figure: PC1 on Fa0/1 and PC2 on Fa0/2 of SW1, both in VLAN 10; SW1 uplink on Gi0/1)

Trouble Ticket 7-1

Problem: It is Monday morning, and the user on PC1 has called you indicating that she is not able to access any network resources. You ask her when the last time it was that she was able to access resources. She indicates that it was 2 weeks ago, before she went on vacation. This leads you to examine the change control documentation to determine whether any configuration changes were done in the past 2 weeks. You notice that port security was added to all access ports on SW1. According to documentation, PC1 is connected to Fa0/1. Therefore, you decide to start your troubleshooting process by examining the port security configuration on SW1. You issue the command show port-security, as shown in Example 7-17, and notice that Fa0/1 is enabled for port security and that there is a security violation count of 1.

Example 7-17 Verifying Port Security on Fa0/1

SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  1         Shutdown
      Fa0/2              2            2                  0         Shutdown

      Fa0/3              2            0                  0         Shutdown
      Fa0/4              2            0                  0         Shutdown
      Fa0/5              2            0                  0         Shutdown
      Fa0/6              2            0                  0         Shutdown
      Fa0/7              2            0                  0         Shutdown
      Fa0/8              2            0                  0         Shutdown
      Fa0/9              2            0                  0         Shutdown
     Fa0/10              2            0                  0         Shutdown
     Fa0/11              2            0                  0         Shutdown
     Fa0/12              2            0                  0         Shutdown
     Fa0/13              2            0                  0         Shutdown
     Fa0/14              2            0                  0         Shutdown
     Fa0/15              2            0                  0         Shutdown
     Fa0/16              2            0                  0         Shutdown
     Fa0/17              2            0                  0         Shutdown
     Fa0/18              2            0                  0         Shutdown
     Fa0/19              2            0                  0         Shutdown
     Fa0/20              2            0                  0         Shutdown
     Fa0/21              2            0                  0         Shutdown
     Fa0/22              2            0                  0         Shutdown
     Fa0/23              2            0                  0         Shutdown
     Fa0/24              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 8192

To verify the status of port security for Fa0/1, you issue the command show port-security interface fastEthernet 0/1, as shown in Example 7-18. Port security is enabled, but it is in the Secure-shutdown state. The last MAC address that was received on the interface was 0800.275d.06d6 for VLAN 10.

Example 7-18 Verifying Port Security Status on Fa0/1

SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0800.275d.06d6:10
Security Violation Count   : 1

Next you issue the show run interface fa0/1 command to verify the port security configuration on Fa0/1, as shown in Example 7-19. As shown in Example 7-19, it has been enabled, the maximum MAC addresses is set to 2, and there are 2 MAC addresses configured (one for the phone and one for PC1).

Example 7-19 Verifying Port Security Configuration on Fa0/1

SW1#show run interface fa0/1
Building configuration...

Current configuration : 352 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d7
 no lldp transmit
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
end

You decide to confirm the MAC addresses of the IP Phone and PC1. Starting with the PC, you issue the ipconfig /all command, as shown in Example 7-20. The MAC address of PC1 is 08-00-27-5D-06-D6, which happens to be the same MAC address that caused the violation shown in Example 7-18. Comparing the MAC address of PC1 to the addresses statically configured on Fa0/1 confirms that PC1's MAC address is not one of the addresses configured.

Example 7-20 Reviewing the MAC Address on PC1

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : pc1
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter PC1 Lab:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter

   Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.180.166
   Subnet Mask . . . . . . . . . . . : 255.255.0.0

After confirming that the IP Phone's MAC address is 0050.b607.657a, you conclude that the command switchport port-security mac-address 0050.b607.657a is correct but that the command switchport port-security mac-address 0800.275d.06d7 is not correct. It appears that the static MAC address was misconfigured with a 7 at the end rather than a 6.

Example 7-21 provides the configuration that is needed to solve the issue. You proceed to remove the incorrect static MAC address with the no switchport port-security mac-address 0800.275d.06d7 command and replace it with the MAC address of PC1.

Example 7-21 Solving the Issue by Configuring the Correct Static MAC Address

SW1#config t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#interface fastEthernet 0/1
SW1(config-if)#no switchport port-security mac-address 0800.275d.06d7
SW1(config-if)#switchport port-security mac-address 0800.275d.06d6

You confirm the port is still in the err-disabled state with the show interfaces status command. The output shown in Example 7-22 confirms it is.

Example 7-22 Confirming Fa0/1 Is in the Err-Disabled State

SW1#show interfaces status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        err-disabled 10         auto    auto  10/100BaseTX
Fa0/2                        connected    10         a-full  a-100 10/100BaseTX
Fa0/3                        notconnect   1          auto    auto  10/100BaseTX
Fa0/4                        notconnect   1          auto    auto  10/100BaseTX
...output omitted...

To recover from the err-disabled state, you bounce the interface by issuing the shutdown and then no shutdown commands. The interface successfully goes up/up, and you receive the following syslog messages:

%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

You confirm the problem is solved by accessing PC1 and pinging the default gateway at 10.1.1.1, as shown in Example 7-23. It is successful. The issue has been solved.
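The root cause in Trouble Ticket 7-1 is a one-digit typo in a static secure MAC address, found by comparing a Windows-formatted MAC (08-00-27-5D-06-D6) against Cisco-formatted entries (0800.275d.06d7). The script below is an added example, not code from the book or from Cisco; it normalizes MAC addresses across the formats that appear in this chapter, reports which host MAC is missing from the port configuration and which configured entry is the nearest (likely mistyped) match, and also reads the pending-recovery section of show errdisable recovery from Example 7-15 to report why a port is err-disabled and how long until it comes back. The sample outputs are constructed from the examples on these pages; the function names are the author's own choices.

```python
import re

# Constructed sample: the Fa0/1 configuration from Example 7-19 (before the fix).
SHOW_RUN_FA01 = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d7
"""

# Constructed sample: the bottom of the show errdisable recovery output in Example 7-15.
SHOW_ERRDISABLE_RECOVERY = """\
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Interface      Errdisable reason      Time left(sec)
---------      -----------------      --------------
Fa0/1          psecure-violation      85
"""


def normalize_mac(mac):
    """Return 12 lowercase hex digits whatever the input style:
    Windows 08-00-27-5D-06-D6, Cisco 0800.275d.06d6, Unix 08:00:27:5d:06:d6."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def to_cisco_format(mac):
    d = normalize_mac(mac)
    return f"{d[0:4]}.{d[4:8]}.{d[8:12]}"


def configured_static_macs(show_run):
    """Collect static and sticky secure MACs from a 'show run interface' block."""
    pat = re.compile(r"switchport port-security mac-address (?:sticky )?([0-9a-fA-F.]+)")
    return [normalize_mac(m) for m in pat.findall(show_run)]


def audit_port_security(show_run, observed_macs):
    """Compare configured secure MACs with the MACs read from the attached devices.
    Returns (missing, unexpected): device MACs that are not configured, and
    configured MACs that belong to no device (the likely typos)."""
    configured = set(configured_static_macs(show_run))
    observed = {normalize_mac(m) for m in observed_macs}
    return sorted(observed - configured), sorted(configured - observed)


def closest_typo(missing_mac, candidates):
    """Pick the configured MAC that differs from missing_mac in the fewest hex digits."""
    def distance(a, b):
        return sum(x != y for x, y in zip(a, b))
    return min(candidates, key=lambda c: distance(missing_mac, c)) if candidates else None


def pending_recovery(show_errdisable):
    """Parse the 'Interfaces that will be enabled at the next timeout' table."""
    marker = "Interfaces that will be enabled at the next timeout:"
    section = show_errdisable.split(marker, 1)[-1]
    rows = []
    for intf, reason, secs in re.findall(r"^(\S+)\s+(\S+)\s+(\d+)\s*$", section, re.M):
        rows.append({"interface": intf, "reason": reason, "time_left": int(secs)})
    return rows


if __name__ == "__main__":
    phone_mac, pc1_mac = "0050.b607.657a", "08-00-27-5D-06-D6"   # from Examples 7-20/7-21
    missing, unexpected = audit_port_security(SHOW_RUN_FA01, [phone_mac, pc1_mac])
    for mac in missing:
        typo = closest_typo(mac, unexpected)
        print(f"device MAC {to_cisco_format(mac)} is not configured; nearest static entry "
              f"is {to_cisco_format(typo)}")
    for row in pending_recovery(SHOW_ERRDISABLE_RECOVERY):
        print(f"{row['interface']} err-disabled for {row['reason']}, "
              f"{row['time_left']}s until recovery")
```

Run against the constructed samples, the audit reports 0800.275d.06d6 as unconfigured with 0800.275d.06d7 as the nearest entry (a single-digit difference), and the recovery parser reports Fa0/1 as err-disabled for psecure-violation with 85 seconds left, which is the same conclusion the ticket reaches by hand.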

Example 7-23 Successful Ping from PC1 to Default Gateway

C:\>ping 10.1.1.1

Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Troubleshooting Spoof-Prevention Features

Features such as DHCP snooping, dynamic ARP inspection, and IP Source Guard are designed to protect your network from spoofing attacks against the Dynamic Host Configuration Protocol (DHCP) service, ARP, and IP addressing. This section explains what you should look for while troubleshooting these three security features.

DHCP Snooping

To prevent rogue DHCP servers from handing out IP addresses in your network, you can implement DHCP snooping. With DHCP snooping, you can define which interfaces will accept all DHCP messages and which interfaces will accept only Discover and Request DHCP messages. DHCP snooping also creates a binding table that keeps track of which devices are connected to which interfaces based on the IP addresses that were handed out by the DHCP server. This comes in handy with DAI and IP Source Guard, as you will see later.

Take a moment to examine Example 7-24, which displays a sample DHCP snooping configuration. What is required for DHCP snooping to operate successfully? Let's make a list:

■ DHCP snooping is enabled globally with the ip dhcp snooping command.
■ DHCP snooping is enabled for specific VLANs with the ip dhcp snooping vlan command.
■ Interfaces that need to accept all DHCP message types are configured as trusted with the ip dhcp snooping trust command.
■ All other interfaces need to be untrusted, which is the default.
■ If the DHCP server does not support option 82, it needs to be disabled on the switch with the no ip dhcp snooping information option command.

Example 7-24 Sample DHCP Snooping Configuration

SW1#show run
...output omitted...
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping
...output omitted...
interface GigabitEthernet0/1
 ip dhcp snooping trust
interface GigabitEthernet0/2
 ip dhcp snooping trust
...output omitted...

To verify DHCP snooping, use the show ip dhcp snooping command, as shown in Example 7-25. You can verify whether it is enabled globally with the line that states Switch DHCP snooping is enabled. You can verify which VLANs are enabled and operational for DHCP snooping. In this case, it is only VLAN 10. You can verify whether option 82 is enabled or disabled. Finally, you can verify which interfaces are trusted, which interfaces are untrusted, and which interfaces have a DHCP rate limit applied. In this case, Gigabit Ethernet 0/1 and 0/2 are trusted interfaces, and all other interfaces that are not listed are automatically untrusted.

Example 7-25 Verifying DHCP Snooping

SW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 081f.f34e.b800 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet0/2         yes        yes             unlimited
  Custom circuit-ids:

To verify the bindings in the DHCP snooping database, issue the show ip dhcp snooping binding command, as shown in Example 7-26. In this example, the PC with the MAC address 08:00:27:5D:06:D6 is located out Fast Ethernet 0/1, which is part of VLAN 10, and has been assigned the IP address 10.1.1.10 from a DHCP server.

Example 7-26 Verifying DHCP Snooping Bindings

SW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
08:00:27:5D:06:D6   10.1.1.10        67720       dhcp-snooping  10    FastEthernet0/1
Total number of bindings: 1

Dynamic ARP Inspection

Dynamic ARP inspection (DAI) is used to prevent ARP spoofing attacks. It relies on DHCP snooping and the binding table that is created by it. This is because DAI relies on the DHCP snooping binding table to identify appropriate IP address to MAC address bindings. Because of this, you need to be able to troubleshoot DHCP snooping issues when dealing with DAI issues. In addition, you have to be able to troubleshoot the commands related to DAI. Refer to Example 7-27. For DAI to function, it needs to be enabled per VLAN with the ip arp inspection vlan command. In addition, interfaces where DAI should not be performed (where there are no DHCP snooping bindings) need to be configured as trusted interfaces with the ip arp inspection trust command.

Example 7-27 Sample DAI Configuration

SW1#show run
...output omitted...
ip dhcp snooping vlan 10
ip arp inspection vlan 10
no ip dhcp snooping information option
ip dhcp snooping
...output omitted...
interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust
interface GigabitEthernet0/2
 ip dhcp snooping trust
 ip arp inspection trust
...output omitted...

When DAI detects an invalid ARP request or response on an untrusted interface, it will generate syslog messages with a severity level of 4 with the mnemonic of DHCP_SNOOPING_DENY. In these syslog messages

a device with the IP address 10.1.1.10 and a MAC of 0050.b607.657a is being denied because its ARPs are invalid since the addresses do not match the addresses in the binding table.

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/1, vlan 10.([0050.b607.657a/10.1.1.10/2893.fe3a.e345/10.1.1.1/18:42:55 UTC Mon Mar 1 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 10.([0050.b607.657a/10.1.1.10/2893.fe3a.e345/10.1.1.1/18:43:15 UTC Mon Mar 1 1993])

IP Source Guard

IP Source Guard is used to prevent IP address spoofing. It relies on DHCP snooping and the binding table that is created by it. Because of this, you need to be able to troubleshoot DHCP snooping issues when dealing with IP Source Guard issues. In addition, you have to be able to identify issues related to IP Source Guard configurations. Notice in Example 7-28 that the same DHCP snooping configuration example is listed; however, on interface Fast Ethernet 0/1 (which connects to an end station), the ip verify source command has been added. This enables IP Source Guard on the interface. With the ip verify source command, you are filtering based on IP address only. If you want to include the MAC address with the IP address when verifying the source of packets, you issue the ip verify source port-security command.

Example 7-28 Sample IP Source Guard Configuration

SW1#show run
...output omitted...
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping
...output omitted...
interface FastEthernet0/1
 ip verify source
interface GigabitEthernet0/1
 ip dhcp snooping trust
interface GigabitEthernet0/2
 ip dhcp snooping trust
...output omitted...

You can verify which interfaces have IP Source Guard enabled with the show ip verify source command, as shown in Example 7-29. In this case, Fa0/1 on SW1 has been enabled with IP Source Guard, and the packets with the source IP address 10.1.1.10 are the only ones allowed inbound on interface Fa0/1. Notice how the Mac-address column is blank and the Filter-type is IP. In Example 7-30, you can see that the MAC address is included now and the filter type is ip-mac.

Example 7-29 Verifying IP Source Guard (only IP)

SW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/1      ip           active       10.1.1.10                           10

Example 7-30 Verifying IP Source Guard (IP and MAC)

SW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/1      ip-mac       active       10.1.1.10        08:00:27:5D:06:D6  10

If you are using the ip-mac filter type, you need to have port security enabled on the interface, because the secure MAC addresses are used. If port security is not enabled, the specific MAC address will not be learned, and all MAC addresses will be permitted as a result, as shown in Example 7-31.

Example 7-31 IP MAC Filtering Without Port Security Enabled on Interface

SW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/1      ip-mac       active       10.1.1.10        08:00:27:5D:06:D6  10
Fa0/2      ip-mac       active       10.1.1.20        permit-all         10

Also, remember that IP Source Guard relies on DHCP snooping. Therefore, if there is no binding in the DHCP snooping database for the port, all traffic will be blocked for all IPs, as shown in Example 7-32. In this example, IP Source Guard is enabled on the interface. However, there is no DHCP snooping binding for Fa0/2 because it has a static IP configured. Because IP Source Guard relies on DHCP snooping and there is no binding in the table, all ingress traffic on Fa0/2 will be denied.

Example 7-32 Fa0/2 Sourced Traffic Denied Because There Is No Binding

SW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/1      ip-mac       active       10.1.1.10        08:00:27:5D:06:D6  10
Fa0/2      ip-mac       active       deny-all         permit-all         10

SW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
08:00:27:5D:06:D6   10.1.1.10        70453       dhcp-snooping  10    FastEthernet0/1
Total number of bindings: 1
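Both DAI and IP Source Guard fail in ways that only make sense once you hold the DHCP snooping binding table next to the symptom: a DAI deny message carries the sender MAC/IP pair that did not match a binding, and a show ip verify source row that reads deny-all or permit-all tells you which dependency (a binding, or port security) is missing. The script below is an added example, not code from the book or from Cisco, that parses the three outputs shown in this section (show ip dhcp snooping binding, the %SW_DAI-4-DHCP_SNOOPING_DENY message, and show ip verify source) and produces the explanations the text derives by hand. The sample outputs are constructed from Examples 7-26, 7-31 and 7-32 and the syslog lines above; the Fa0/3 row and all function names are the author's additions.

```python
import re

# Constructed sample modelled on Example 7-26.
SNOOPING_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
08:00:27:5D:06:D6   10.1.1.10        67720       dhcp-snooping  10    FastEthernet0/1
Total number of bindings: 1
"""

# Constructed sample in the DAI deny format shown on this page.
DAI_SYSLOG = [
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/1, vlan 10."
    "([0050.b607.657a/10.1.1.10/2893.fe3a.e345/10.1.1.1/18:42:55 UTC Mon Mar 1 1993])",
]

# Constructed sample modelled on Examples 7-31 and 7-32 (Fa0/3 row added for illustration).
VERIFY_SOURCE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/1      ip-mac       active       10.1.1.10        08:00:27:5D:06:D6  10
Fa0/2      ip-mac       active       deny-all         permit-all         10
Fa0/3      ip-mac       active       10.1.1.20        permit-all         10
"""


def norm_mac(mac):
    """Reduce any MAC notation (colon, dash, dotted) to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_bindings(text):
    """Map (vlan, ip) -> (mac, interface) from 'show ip dhcp snooping binding'."""
    pat = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\S+)\s+\d+\s+\S+\s+(\d+)\s+(\S+)", re.M)
    return {(int(vlan), ip): (norm_mac(mac), intf)
            for mac, ip, vlan, intf in pat.findall(text)}


# Fields inside the brackets: sender MAC / sender IP / target MAC / target IP / timestamp.
DAI_PAT = re.compile(
    r"DHCP_SNOOPING_DENY: (\d+) Invalid ARPs \((Req|Res)\) on (\S+), vlan (\d+)\."
    r"\(\[([0-9a-f.]+)/([\d.]+)/([0-9a-f.]+)/([\d.]+)/")


def explain_dai_deny(line, bindings):
    """Parse one DAI deny message and state why the sender pair failed validation."""
    m = DAI_PAT.search(line)
    if not m:
        return None
    _count, kind, intf, vlan, smac, sip, _tmac, _tip = m.groups()
    vlan, smac = int(vlan), norm_mac(smac)
    bound = bindings.get((vlan, sip))
    if bound is None:
        reason = f"no DHCP snooping binding for {sip} in VLAN {vlan}"
    elif bound[0] != smac:
        reason = (f"{sip} is bound to {bound[0]} on {bound[1]}, "
                  f"but the ARP {kind} claimed sender MAC {smac}")
    else:
        reason = "sender pair matches a binding; look at other DAI validation checks"
    return {"interface": intf, "vlan": vlan, "sender_ip": sip,
            "sender_mac": smac, "reason": reason}


def audit_verify_source(text):
    """Flag IP Source Guard rows whose filter state reveals a missing dependency.
    The Mac-address column is optional so 'ip' (IP-only) rows also parse."""
    findings = []
    pat = re.compile(r"^(\S+)\s+(ip|ip-mac)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$", re.M)
    for intf, ftype, _mode, ip, mac, _vlan in pat.findall(text):
        if ip == "deny-all":
            findings.append((intf, "no DHCP snooping binding: all ingress traffic is dropped"))
        elif ftype == "ip-mac" and mac == "permit-all":
            findings.append((intf, "ip-mac filter without port security: any source MAC passes"))
    return findings


if __name__ == "__main__":
    bindings = parse_bindings(SNOOPING_BINDING)
    for line in DAI_SYSLOG:
        print(explain_dai_deny(line, bindings))
    for intf, finding in audit_verify_source(VERIFY_SOURCE):
        print(f"{intf}: {finding}")
```

With the constructed input, the DAI message is explained as 10.1.1.10 being bound to 08:00:27:5D:06:D6 on FastEthernet0/1 while the ARP claimed 0050.b607.657a, and the IP Source Guard audit flags Fa0/2 (no binding) and Fa0/3 (no port security), which are the two failure modes Examples 7-31 and 7-32 illustrate.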

Spoof-Prevention Features Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 7-2.

Figure 7-2 Spoof-Prevention Features Trouble Ticket Topology (figure: PC1 through PC4 on Fa0/1 through Fa0/4 of ASW1; ASW1 Gi0/1 to DSW1 Gi1/0/1; DHCP server for VLAN 10 and 20 on DSW1 Gi1/0/24; VLAN 10 is 10.1.10.0/24 with SVI 10.1.10.1; VLAN 20 is 10.1.20.0/24 with SVI 10.1.20.1)

Trouble Ticket 7-2

Problem: A junior administrator has approached you for assistance with a trouble ticket that she is having an issue with. The trouble ticket indicates that users in VLAN 10 are not able to access any resources outside their own subnet. They have verified that the clients receive their IP addressing information via a DHCP server. They also indicate that they verified the DHCP pool on the DHCP server and that the default gateway address for the VLAN 10 pool is configured for 10.1.10.1. However, they are confused as to why they would be receiving the default gateway address of 10.1.10.100 when documentation shows that the default gateway should be configured as 10.1.10.1.

To assist with the issue, you decide to connect your laptop to Fast Ethernet 0/24 on ASW1. This is the port on ASW1 that is used as the Switched Port Analyzer (SPAN) destination port. You configure ASW1, as shown in Example 7-33, so that all traffic sent or received by Fa0/1 is captured and sent to Fa0/24, where your laptop is connected and running packet-capturing software.

Example 7-33 Configuring a SPAN Session on ASW1

ASW1#config t
Enter configuration commands, one per line. End with CNTL/Z.
ASW1(config)#monitor session 1 source interface fastEthernet 0/1 both
ASW1(config)#monitor session 1 destination interface fastEthernet 0/24

You access PC1 and issue the ipconfig /renew command to trigger the DHCP process so that you can identify who is providing the IP addressing. The DHCP packets between the server and PC1 are successfully copied by SPAN to your laptop running packet-capturing software, which is connected to Fa0/24. You review the DHCP offer message in your packet-capture software and notice that it is sourced from IP 10.1.10.34 and MAC 28:93:fe:3a:e3:45. Using the show mac address-table dynamic address 28:93:fe:3a:e3:45 command to follow the path, you verify that the device with that MAC address is reachable out Fa0/17, as shown in Example 7-34. You review your network documentation and trace the port to a PC that is being used for study purposes by an employee that currently enabled DHCP and just happened to use the same network that VLAN 10 is using in the production network. You have identified the problem. You ask the employee to disable the DHCP server, and she does. To update all the client PCs, you issue the ipconfig /renew command on all of them. They receive the correct default gateway of 10.1.10.1 now. The issue is solved.

Example 7-34 Renewing a DHCP Address

ASW1#show mac address-table dynamic address 28:93:fe:3a:e3:45
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    28:93:fe:3a:e3:45 DYNAMIC     Fa0/17
Total Mac Addresses for this criterion: 1

However, you decide to dig deeper. Your network is configured with DHCP snooping, DAI, and IP Source Guard. Therefore, this issue should have never happened. You decide to issue the show ip dhcp snooping command on ASW1 to verify the DHCP snooping configuration, as shown in Example 7-35. Based on the output, DHCP snooping is enabled globally, it is enabled for VLAN 20, information option 82 is disabled, and Gig0/1 is trusted. However, DHCP snooping has not been enabled for VLAN 10. As a result, the DHCP server that was configured on Fa0/17 is able to hand out DHCP addresses on the network. By your enabling of DHCP snooping for VLAN 10, Fa0/17 would become an untrusted port by default and prevent DHCP Offer and Acks from being accepted inbound.

Example 7-35 Reviewing the DHCP Snooping Configuration

ASW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20
DHCP snooping is operational on following VLANs:
20
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 001c.57fe.f600 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:

To fix the DHCP snooping configuration, you issue the ip dhcp snooping vlan 10 command in global configuration mode, as shown in Example 7-36.

Example 7-36 Configuring DHCP Snooping for VLAN 10

ASW1#config t
Enter configuration commands, one per line. End with CNTL/Z.
ASW1(config)#ip dhcp snooping vlan 10

You verify the configuration with the show ip dhcp snooping command again and confirm that VLAN 10 is now enabled for DHCP snooping, as shown in Example 7-37.

Example 7-37 Verifying DHCP Snooping Is Enabled for VLAN 10

ASW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20
DHCP snooping is operational on following VLANs:
10,20
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 001c.57fe.f600 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:
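The checklist given with Example 7-25 (enabled globally, enabled on the VLAN, uplinks trusted, everything else untrusted, option 82 matching the server) is exactly what Trouble Ticket 7-2 walks through by eye before spotting that VLAN 10 is missing from the configured list. The script below is an added example, not code from the book or from Cisco, that parses show ip dhcp snooping output and applies that checklist for a given VLAN and the set of ports your documentation says should be trusted. The sample output is constructed from Example 7-35 on this page; the function names, the VLAN-range expansion and the server_supports_option82 flag are the author's additions.

```python
import re

# Constructed sample: ASW1's output from Example 7-35, before VLAN 10 was added.
SHOW_DHCP_SNOOPING = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20
DHCP snooping is operational on following VLANs:
20
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 001c.57fe.f600 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:
"""


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20' or '10-12,20' into a set of ids."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_dhcp_snooping(text):
    """Extract the facts the chapter's checklist depends on."""
    state = {"global": False, "configured": set(), "operational": set(),
             "option82": None, "trusted": set()}
    state["global"] = re.search(r"^Switch DHCP snooping is enabled", text, re.M) is not None
    m = re.search(r"configured on following VLANs:\s*([\d,\- ]+)", text)
    if m:
        state["configured"] = parse_vlan_list(m.group(1))
    m = re.search(r"operational on following VLANs:\s*([\d,\- ]+)", text)
    if m:
        state["operational"] = parse_vlan_list(m.group(1))
    m = re.search(r"Insertion of option 82 is (enabled|disabled)", text)
    if m:
        state["option82"] = m.group(1) == "enabled"
    # Interface table rows: <name> <Trusted yes|no> <Allow option yes|no> <rate>
    for intf, trusted in re.findall(r"^(\S+)\s+(yes|no)\s+(?:yes|no)\s+\S+", text, re.M):
        if trusted == "yes":
            state["trusted"].add(intf)
    return state


def check_dhcp_snooping(state, vlan, expected_trusted, server_supports_option82=False):
    """Apply the checklist to one VLAN. Returns a list of problems; empty means OK."""
    problems = []
    if not state["global"]:
        problems.append("DHCP snooping is not enabled globally (ip dhcp snooping)")
    if vlan not in state["configured"]:
        problems.append(f"VLAN {vlan} not configured (ip dhcp snooping vlan {vlan})")
    elif vlan not in state["operational"]:
        problems.append(f"VLAN {vlan} configured but not operational")
    if state["option82"] and not server_supports_option82:
        problems.append("option 82 inserted but server does not support it "
                        "(no ip dhcp snooping information option)")
    for intf in expected_trusted:
        if intf not in state["trusted"]:
            problems.append(f"{intf} should be trusted (ip dhcp snooping trust)")
    for intf in sorted(state["trusted"] - set(expected_trusted)):
        problems.append(f"{intf} is trusted but is not a documented uplink or server port")
    return problems


if __name__ == "__main__":
    state = parse_dhcp_snooping(SHOW_DHCP_SNOOPING)
    for problem in check_dhcp_snooping(state, 10, ["GigabitEthernet0/1"]):
        print("VLAN 10:", problem)
```

Run on the constructed Example 7-35 output with Gi0/1 as the documented uplink, the only problem reported for VLAN 10 is the missing ip dhcp snooping vlan 10, which is the fix applied in Example 7-36; the same check for VLAN 20 returns nothing.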

Troubleshooting Access Control

Access control between devices within the same VLAN/subnet can be implemented using features such as protected ports, private VLANs, and VLAN access control lists (VACLs), which are used to filter traffic between devices within the same subnet/VLAN. Because the devices are in the same VLAN/subnet that you are trying to filter traffic to or from, regular router-based ACLs that are applied to router interfaces will not filter this traffic. This is because that traffic is never sent to the router interface. It stays within the local subnet/VLAN between the Layer 2 switchports. This section explains what is involved when troubleshooting issues related to protected ports, private VLANs, and VACLs.

Protected Ports

The purpose of a protected port is to deny all traffic from flowing between devices connected to two interfaces in the same VLAN on the same switch. If traffic arrives inbound on a protected port, it will not be forwarded if the egress port is also a protected port. Keep in mind that a protected port can only communicate with ports that are not protected ports. Therefore, for security reasons, when troubleshooting protected ports, you are usually dealing with the following issues:

■ Traffic is flowing between two interfaces when it should not be.
■ Traffic is not flowing between two interfaces when it should be.

Both these issues would be the result of a misconfiguration. When dealing with protected ports, if two devices are able to communicate when they should not, it might be because one port is a protected port and the other is not a protected port when it should be.

Figure 7-3 displays an access layer switch with PC1 and PC2 connected to it on Fa0/1 and Fa0/2. Both ports are members of VLAN 10. However, traffic is not allowed to flow between Fa0/1 and Fa0/2. Example 7-38 displays the interface configuration command switchport protected that is used to configure the ports as protected.

Figure 7-3 Protected Ports (figure: PC1 on Fa0/1 and PC2 on Fa0/2 of SW1, both in VLAN 10; SW1 uplink on Gi0/1)

Example 7-38 Sample Protected Port Configuration

SW1#show run interface fastEthernet 0/1
...output omitted...
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport protected
end

SW1#show run interface fastEthernet 0/2
...output omitted...
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport protected
end

Besides using the running configuration to verify protected ports, you can use the command show interfaces interface_type interface_number switchport to verify whether a port is configured as a protected port, as shown in Example 7-39. In the output for Fa0/1, it states Protected: true, which means Fa0/1 is a protected port.

Example 7-39 Verifying Protected Ports

SW1#show interfaces fastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (10.1.1.0/26)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Private VLANs

Private VLANs (PVLAN) take the protected port concept further by enabling you to control which ports in the same VLAN can communicate with each other and which ports cannot. This is accomplished by grouping ports together in secondary VLANs that are members of a Private VLAN. Just like protected ports, when troubleshooting PVLANs, you are usually dealing with the following issues:

■ Traffic is flowing between two interfaces when it should not be.
■ Traffic is not flowing between two interfaces when it should be.

Both these issues would be the result of a misconfiguration.

Refer to Figure 7-4, which will be used for our PVLAN examples. DNS1 and DNS2 are in the secondary community VLAN of 501, which is within the primary VLAN 200. FS1 and FS2 are in the secondary isolated VLAN 502, which is within the primary VLAN 200. Therefore, based on the rules of PVLANs, the following are true:

■ DNS1 and DNS2 are able to communicate with each other because they are members of the same community VLAN.
■ FS1 and FS2 are not able to communicate with each other because they are members of an Isolated VLAN.
■ DNS1 and DNS2 are not able to communicate with FS1 and FS2 because DNS1 and DNS2 are members of a community VLAN and FS1 and FS2 are members of an isolated VLAN.
■ DNS1, DNS2, FS1, and FS2 are able to communicate out to the cloud because Gi1/0/10 is the promiscuous port.

Figure 7-4 PVLANs (SW1 and SW2; primary VLAN 200; DNS1 and DNS2 on Gi1/0/21 and Gi1/0/22 in secondary community VLAN 501; FS1 and FS2 on Gi1/0/23 and Gi1/0/24 in secondary isolated VLAN 502; Gi1/0/10 is the promiscuous port toward the cloud)

To successfully troubleshoot PVLANs, you need to remember the following PVLAN rules:

■ Community ports can communicate with other community ports in the same community.
■ Community ports cannot communicate with other community ports in a different community.
■ Community ports cannot communicate with isolated ports and vice versa.
■ Isolated ports cannot communicate with other isolated ports.
■ Community and isolated ports can communicate with the promiscuous port.

Example 7-40 displays the commands required to successfully implement the PVLANs in Figure 7-4. First, the VTP mode has to be transparent or off, unless you are using Virtual Trunking Protocol (VTP) Version 3. VTP Versions 1 and 2 cannot carry PVLAN information like VTPv3. The primary VLAN needs to be identified with the private-vlan primary command and associated with the secondary VLANs with the private-vlan association command. In addition, the secondary community VLAN needs to be identified with the private-vlan community command, and the secondary isolated VLAN needs to be identified with the private-vlan isolated command. After the VLANs have been identified, you can associate the ports on the switch with the appropriate VLANs. To associate a port with a secondary VLAN, you use the switchport private-vlan host-association primary_vlan secondary_vlan command in interface configuration mode along with the command switchport mode private-vlan host. In this example, Gig1/0/10 is the promiscuous port for the secondary VLANs 501 and 502 that are mapped to the primary VLAN 200, as identified by the commands switchport private-vlan mapping 200 501-502 and switchport mode private-vlan promiscuous. The only way to determine from this output that an interface is in the correct secondary VLAN is to examine the switchport private-vlan host-association primary_vlan secondary_vlan command and compare the secondary VLAN ID to the VLAN configuration information.

Example 7-40 PVLAN Configuration Example

SW2#show run
...output omitted...
!
vtp mode transparent
!
vlan 200
 private-vlan primary
 private-vlan association 501-502
!
vlan 501
 private-vlan community
!
vlan 502
 private-vlan isolated
!
...output omitted...
!
interface GigabitEthernet1/0/10
 switchport private-vlan mapping 200 501-502
 switchport mode private-vlan promiscuous
!
...output omitted...
!
interface GigabitEthernet1/0/21
 switchport private-vlan host-association 200 501
 switchport mode private-vlan host
!
interface GigabitEthernet1/0/22
 switchport private-vlan host-association 200 501
 switchport mode private-vlan host
!
interface GigabitEthernet1/0/23
 switchport private-vlan host-association 200 502
 switchport mode private-vlan host
!
interface GigabitEthernet1/0/24
 switchport private-vlan host-association 200 502
 switchport mode private-vlan host
!
...output omitted...
end

For example, if you compare the secondary VLAN ID of 502 in the command switchport private-vlan host-association 200 502 of interface Gig1/0/23 with the VLAN 502 configuration, you will notice that VLAN 502 is an isolated VLAN.

As you can see, with all the different parameters, it is very easy to misconfigure PVLANs. Therefore, it is imperative that you can read a PVLAN configuration, compare it to a topological diagram, and determine where the misconfiguration is that is causing traffic to be forwarded to ports it should not be forwarded to or causing traffic to not be forwarded to ports it should be forwarded to.

In addition, you can verify the private VLANs and the ports associated with each private VLAN using the show vlan private-vlan command, as shown in Example 7-41. You can see in this output the primary VLAN 200 and its associated community VLAN 501 and isolated VLAN 502. The ports associated with the community VLAN are Gi1/0/10, Gi1/0/21, and Gi1/0/22. The ports associated with the isolated VLAN are Gi1/0/10, Gi1/0/23, and Gi1/0/24. The first port, Gi1/0/10, is the promiscuous port in both cases.

Example 7-41 Verifying Private VLANs and Associated Ports

SW2#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
200     501       community         Gi1/0/10, Gi1/0/21, Gi1/0/22
200     502       isolated          Gi1/0/10, Gi1/0/23, Gi1/0/24

You can also use the command show interfaces interface_type interface_number switchport to verify the PVLAN status and configuration of a specific interface, as shown in Example 7-42. The primary VLAN in this case is VLAN 200, as indicated by the line Access Mode VLAN: 200 (primary). In addition, the administrative mode and operational mode is private-vlan host, indicating that it is either a member of a community VLAN or an isolated VLAN. If it stated private-vlan promiscuous, it is the promiscuous port. Further down, you can see the host association, which indicates that the primary VLAN is VLAN 200 and that this specific port is a member of the secondary VLAN 501. In addition, the Operational private-vlan output states the same.

Example 7-42 Verifying Private VLAN Information for a Specific Port

SW2#show interfaces gigabitEthernet 1/0/22 switchport
Name: Gi1/0/22
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 200 (primary)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 200 (10.1.200.0/24) 501 (VLAN0501)
Administrative private-vlan mapping: none
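The PVLAN rules above can be checked mechanically against the two show commands just described. The following is an added example, not code from the book or from Cisco: it parses constructed show vlan private-vlan output (modelled on Example 7-41) and constructed show interfaces switchport excerpts (modelled on Example 7-42), identifies the promiscuous ports from their Operational Mode line, applies the PVLAN rules to any pair of ports, and compares the result with the reachability the topology in Figure 7-4 is supposed to give. The function names, the MISCONFIGURED sample (Gi1/0/23 wrongly associated with VLAN 501), and the EXPECTED table are assumptions made for the example.

```python
import re

# Constructed sample, modelled on Example 7-41 (show vlan private-vlan on SW2).
SHOW_VLAN_PRIVATE_VLAN = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
200     501       community         Gi1/0/10, Gi1/0/21, Gi1/0/22
200     502       isolated          Gi1/0/10, Gi1/0/23, Gi1/0/24
"""

# Constructed variant with one typo: Gi1/0/23 (FS1) associated with 501 instead of 502.
MISCONFIGURED = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
200     501       community         Gi1/0/10, Gi1/0/21, Gi1/0/22, Gi1/0/23
200     502       isolated          Gi1/0/10, Gi1/0/24
"""

# Constructed excerpts of "show interfaces ... switchport", modelled on Example 7-42.
# show vlan private-vlan alone cannot tell a promiscuous port mapped to a single
# secondary VLAN from a host port, so the operational mode is taken from here.
SWITCHPORT_OUTPUT = {
    "Gi1/0/10": "Name: Gi1/0/10\nSwitchport: Enabled\n"
                "Administrative Mode: private-vlan promiscuous\n"
                "Operational Mode: private-vlan promiscuous\n",
    "Gi1/0/22": "Name: Gi1/0/22\nSwitchport: Enabled\n"
                "Administrative Mode: private-vlan host\n"
                "Operational Mode: private-vlan host\n",
}

ROW = re.compile(r"^(\d+)\s+(\d+)\s+(community|isolated)\s+(.*)$")


def parse_private_vlans(text):
    """Return {secondary: (primary, type, {ports})} from show vlan private-vlan output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            primary, secondary, kind, ports = m.groups()
            table[int(secondary)] = (int(primary), kind,
                                     {p.strip() for p in ports.split(",") if p.strip()})
    return table


def promiscuous_ports(switchport_outputs):
    """Ports whose Operational Mode line reports private-vlan promiscuous."""
    return {name for name, text in switchport_outputs.items()
            if re.search(r"^Operational Mode: private-vlan promiscuous$", text, re.M)}


def classify_ports(table, promiscuous):
    """Map port -> (role, primary, secondary); a promiscuous port carries the set of
    secondary VLANs it is mapped to instead of a single secondary."""
    roles = {}
    for secondary, (primary, kind, ports) in table.items():
        for port in ports:
            if port in promiscuous:
                roles.setdefault(port, ("promiscuous", primary, set()))[2].add(secondary)
            else:
                roles[port] = (kind, primary, secondary)
    return roles


def can_communicate(roles, a, b):
    """Apply the PVLAN rules to two ports of the same switch."""
    role_a, prim_a, sec_a = roles[a]
    role_b, prim_b, sec_b = roles[b]
    if prim_a != prim_b:
        return False                      # not in the same primary VLAN at all
    if role_a == "promiscuous" and role_b == "promiscuous":
        return True
    if role_a == "promiscuous":
        return sec_b in sec_a             # host port's secondary must be mapped on it
    if role_b == "promiscuous":
        return sec_a in sec_b
    if role_a == "community" and role_b == "community":
        return sec_a == sec_b             # same community only
    return False                          # isolated<->isolated, isolated<->community


# Reachability the text states for Figure 7-4 (assumed port-to-host mapping from Example 7-40).
EXPECTED = {
    ("Gi1/0/21", "Gi1/0/22"): True,   # DNS1 <-> DNS2, same community
    ("Gi1/0/23", "Gi1/0/24"): False,  # FS1 <-> FS2, both isolated
    ("Gi1/0/21", "Gi1/0/23"): False,  # community <-> isolated
    ("Gi1/0/21", "Gi1/0/10"): True,   # community -> promiscuous
    ("Gi1/0/23", "Gi1/0/10"): True,   # isolated -> promiscuous
}


def audit(text, switchport_outputs, expected=EXPECTED):
    """Return (port_a, port_b, expected, actual) for every pair whose PVLAN result
    disagrees with the intended topology; an empty list means no misconfiguration."""
    roles = classify_ports(parse_private_vlans(text), promiscuous_ports(switchport_outputs))
    findings = []
    for (a, b), want in expected.items():
        got = can_communicate(roles, a, b)
        if got != want:
            findings.append((a, b, want, got))
    return findings
```

Running audit against the first sample returns nothing; running it against MISCONFIGURED reports that Gi1/0/21 and Gi1/0/23 can now talk although the design says they must not, which is exactly the "traffic is flowing when it should not be" symptom the text describes, traced back to one host-association line.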

Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: 200 (10.1.200.0/24) 501 (VLAN0501)
...output omitted...

VACLs

Protected ports and PVLANs are excellent features that help you control the traffic that can flow between ports in the same subnet/VLAN. However, they lack granular control. You cannot pick which type of traffic to control; it is all traffic or no traffic that is being forwarded between the ports. If you do need to control the type of traffic that is flowing between ports in the same VLAN/subnet on a switch, you can implement VLAN access control lists (VACLs). Because you are able to control traffic on a more granular level, when troubleshooting VACLs you need to examine a few different components that make up the VACL:

■ ACLs: Used to define the traffic that will be examined by the VLAN access map (IP or MAC). Use the show access-lists command to verify the configured ACLs.
■ VLAN access map: Used to define the action that will be taken on the traffic that is matched in the ACLs. Use the show run | section vlan access-map command or the show vlan access-map command to verify the configured VLAN access maps.
■ VLAN filter list: Used to define which VLANs the VLAN access map will apply to. Use the show run | include vlan filter command or the show vlan filter command to verify the configured VLAN filter list.

Refer to the sample VACL in Example 7-43, which was used to configure SW1 in Figure 7-5. This VACL is designed to prevent PC1 from being able to ping or telnet to PC2, which is in the same VLAN. However, PC1 will be able to access other resources and services on PC2. Notice all the different configurations that could cause the VACL to not function as expected:

■ The ACL could be misconfigured: Permit versus deny, wrong addresses, wrong protocol, wrong ports.
■ The VLAN access map could be misconfigured: Matching the wrong ACL, route map, or prefix list. In addition, the action could be incorrect, such as drop versus forward.
■ The VLAN access map could be in the wrong sequence order: Just like an ACL, it uses top-down processing, will immediately execute the actions upon a match, and there is an implicit deny all at the end.

■ The VLAN filter could be misconfigured: The filter may be referencing the wrong VLAN access map, it could be configured with the wrong VLAN list, or it may be missing completely.

Example 7-43 Sample VLAN ACL Configuration

SW1#show access-lists
Extended IP access list 100
    10 permit icmp host 10.1.1.10 host 10.1.1.20
    20 permit tcp host 10.1.1.10 host 10.1.1.20 eq telnet
SW1#show run | section vlan access-map
vlan access-map TSHOOT 10
 match ip address 100
 action drop
vlan access-map TSHOOT 20
 action forward
SW1#show run | include vlan filter
vlan filter TSHOOT vlan-list 10

Figure 7-5 VACL (VLAN 10: PC1 10.1.1.10 on SW1 Fa0/1, PC2 10.1.1.20 on SW1 Fa0/2, SW1 Gi0/1)
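The four failure modes listed above are easiest to see by replaying the access-map logic on a few frames. What follows is an added example, not code from the book or from Cisco IOS: it models access list 100, the TSHOOT access map, and the vlan filter from Example 7-43 as Python data and evaluates constructed frames from Figure 7-5 (PC1 10.1.1.10, PC2 10.1.1.20) through the same top-down, first-match, implicit-deny processing the text describes. The Packet class, the function names, the REORDERED_MAP and NO_FORWARD_MAP variants, and the traffic samples are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a frame as the VACL sees it (constructed test input)."""
    vlan: int
    src: str
    dst: str
    proto: str       # "icmp", "tcp" or "udp"
    dport: int = 0   # destination port, tcp/udp only


# Extended IP access list 100 from Example 7-43, one tuple per entry:
# (action, protocol, source host, destination host, destination port or None)
ACL_100 = [
    ("permit", "icmp", "10.1.1.10", "10.1.1.20", None),
    ("permit", "tcp",  "10.1.1.10", "10.1.1.20", 23),
]


def acl_matches(acl, pkt):
    """ACL semantics inside a VACL: a permit entry means the traffic is matched; a deny
    entry, or no entry at all, means this access-map sequence does not apply."""
    for action, proto, src, dst, dport in acl:
        if (proto == pkt.proto and src == pkt.src and dst == pkt.dst
                and (dport is None or dport == pkt.dport)):
            return action == "permit"
    return False


# vlan access-map TSHOOT: (sequence, ACL to match or None for "match everything", action)
TSHOOT_MAP = [
    (10, ACL_100, "drop"),
    (20, None, "forward"),
]

# vlan filter TSHOOT vlan-list 10
TSHOOT_VLANS = {10}


def vacl_decision(access_map, vlan_list, pkt):
    """Walk the access map top-down for a frame in a filtered VLAN; the first matching
    sequence wins, and the implicit deny at the end drops anything no sequence matched."""
    if pkt.vlan not in vlan_list:
        return "forward"                  # VACL is not applied to this VLAN
    for _seq, acl, action in access_map:
        if acl is None or acl_matches(acl, pkt):
            return action
    return "drop"                         # implicit deny all


# Constructed traffic from Figure 7-5: PC1 10.1.1.10, PC2 10.1.1.20, both in VLAN 10.
PING    = Packet(10, "10.1.1.10", "10.1.1.20", "icmp")
TELNET  = Packet(10, "10.1.1.10", "10.1.1.20", "tcp", 23)
HTTP    = Packet(10, "10.1.1.10", "10.1.1.20", "tcp", 80)
REVERSE = Packet(10, "10.1.1.20", "10.1.1.10", "icmp")
VLAN20  = Packet(20, "10.1.1.10", "10.1.1.20", "icmp")

# Two of the misconfigurations the text lists, as access maps you can feed to vacl_decision:
REORDERED_MAP = [(10, None, "forward"), (20, ACL_100, "drop")]   # match-all sequence first
NO_FORWARD_MAP = [(10, ACL_100, "drop")]                          # forward sequence missing
```

With TSHOOT_MAP the ping and telnet frames are dropped and HTTP is forwarded, as intended. REORDERED_MAP forwards everything because sequence 10 matches every frame before the drop is ever evaluated, and NO_FORWARD_MAP drops HTTP too because the implicit deny catches whatever the ACL does not match. Note also that REVERSE (PC2 pinging PC1) is forwarded by the map, yet the echo reply PC1 sends back is an ICMP frame from 10.1.1.10 to 10.1.1.20 and is dropped, so a ping from PC2 fails as well; a VACL is evaluated per frame, not per conversation.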

Exam Preparation Tasks

As mentioned in the section "How to Use This Book" in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, "Final Preparation," and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 7-2 lists a reference of these key topics and the page numbers on which each is found.

Table 7-2 Key Topics for Chapter 7

Key Topic Element | Description | Page Number
List | Identifies issues that may be the reason why port security is not behaving as expected | 250
Example 7-2 | Verifying port security | 251
Example 7-4 | Verifying static addresses associated with interfaces | 252
List | Outlines the different port security violation modes | 254
Paragraph | Describes how to verify a port is in the err-disable state | 256
Paragraph | Describes how to determine why a port is in the err-disable state and provides a valuable tip | 257
Paragraph | Describes the error disable recovery feature and the commands used for verification purposes | 258
List | Provides a listing of items that must be true for DHCP snooping to operate correctly | 265
Example 7-25 | Verifying DHCP snooping | 266
Example 7-26 | Verifying DHCP snooping bindings | 267
Example 7-27 | Sample DAI configuration | 267
Paragraph | Describes how to verify that IP Source Guard has been configured correctly | 268
Section | Protected ports | 273
List | Outlines the PVLAN rules that are required when troubleshooting PVLANs | 276
Example 7-40 | PVLAN configuration example | 277
Example 7-41 | Verifying Private VLANs and associated ports | 278

List | Identifies the components involved with VACLs that you may have to troubleshoot | 279
List | Identifies what could be misconfigured with a VACL that could be causing issues | 279

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary: port security, sticky secure MAC address, protect violation mode, restrict violation mode, shutdown violation mode, err-disabled, DHCP snooping, DHCP snooping (trusted port), DHCP snooping (untrusted port), dynamic ARP inspection, IP Source Guard, protected ports, private VLANs, primary VLAN, community VLAN, isolated VLAN, promiscuous port, VLAN access control list

Command Reference to Check Your Memory

This section includes the most important show commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed. The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to successfully verify and troubleshoot the topics covered within this chapter. To test your memory of the commands, cover the right side of Table 7-3 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.

Table 7-3 show Commands Used for Verification and Troubleshooting

Task | Command Syntax
Displays the ports that have port security enabled, the maximum number of MAC addresses allowed, the current number learned, whether there is a security violation, and the action that is taken if a violation occurs. | show port-security

Displays detailed port security information for the interface. It identifies whether port security is enabled or disabled, the port security status, the violation mode that is configured, and the aging type and time. It also displays the maximum MAC addresses allowed, the current number of MAC addresses, the number of statically configured addresses, the number of sticky addresses, and whether a violation has occurred. In addition, it displays the last seen MAC on the port, which is helpful for troubleshooting. | show port-security interface interface_type interface_number
Displays the secure MAC addresses that have been learned on each port security enabled port. It displays the port and associated VLAN, the MAC address, and the type (SecureDynamic, SecureSticky, and SecureConfigured). | show port-security address
Displays the Layer 1 and Layer 2 status of an interface. Also helps identify which ports are in the err-disable state. | show interface status
Displays which features are enabled and disabled for the error disable recovery feature, the timer that has been set, and any ports that are currently in the err-disable state (along with the reason why). | show errdisable recovery
Displays which features are able to use the error disable recovery feature on the switch and the mode they will use. | show errdisable detect
Displays the status of DHCP snooping, including whether it is enabled or disabled globally, the VLANs it is enabled for, whether option 82 is enabled or disabled, and the trusted ports. | show ip dhcp snooping
Displays the MAC address to IP address DHCP snooping mappings, along with the port and VLAN they are mapped to. | show ip dhcp snooping binding
Displays the configuration within the running configuration for a specific interface. You can verify configurations related to port security, DHCP snooping, DAI, IP Source Guard, protected ports, and PVLANs. | show running-config interface interface_type interface_number

Displays the interfaces that have been enabled with IP Source Guard, the filter type being used, along with the IP address, MAC address, and VLAN number that source packets and frames will need to match. | show ip verify source
Displays VLAN, trunking, PVLAN, and protected port information related to an interface. | show interfaces interface_type interface_number switchport
Displays all access lists, including IP and MAC, that are configured on the switch. | show access-list
Displays the primary and secondary PVLAN mappings along with the member interfaces. | show vlan private-vlan
Displays the VLAN access map configuration on the switch. | show run | section vlan access-map, show vlan access-map
Displays the VLAN access map to VLAN mapping on the switch. | show run | include vlan filter, show vlan filter


This chapter covers the following topics:

■ Troubleshooting HSRP: This section focuses on the Cisco Hot Standby Router Protocol (HSRP). It reviews the HSRP features and functions and how you can verify HSRP configurations and troubleshoot HSRP issues.
■ HSRP Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.
■ Troubleshooting VRRP: This section focuses on the industry standard Virtual Router Redundancy Protocol (VRRP). It reviews the VRRP features and functions as well as how you can verify VRRP configurations and troubleshoot VRRP issues.
■ VRRP Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.
■ Troubleshooting GLBP: This section focuses on the Cisco Gateway Load Balancing Protocol (GLBP). It reviews the GLBP features and functions and how you can verify GLBP configurations and troubleshoot GLBP issues.
■ GLBP Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.
■ Comparing HSRP, VRRP, and GLBP: This section provides a close-up comparison of the different first-hop redundancy protocols (FHRPs) covered in the chapter.

CHAPTER 8

Troubleshooting First-Hop Redundancy Protocols

Many devices, such as PCs, are configured with a default gateway. The default gateway parameter identifies the IP address of a next-hop router on the local-area network (LAN) that serves as the exit point for the LAN. As a result, if that router were to become unavailable, devices that relied on the default gateway's IP address would be unable to send traffic off their local subnet. Fortunately, Cisco devices such as routers and Layer 3 switches offer technologies known as first-hop redundancy protocols (FHRPs) that provide next-hop gateway redundancy, which allow clients to continue to reach their default gateway's IP address, even if the Layer 3 switch or router that had been servicing that IP address becomes unavailable. These technologies include HSRP, VRRP, and GLBP. This chapter reviews HSRP, VRRP, and GLBP, and provides a collection of Cisco IOS commands you can use to troubleshoot issues related to them.

"Do I Know This Already?" Quiz

The "Do I Know This Already?" quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 8-1 lists the major headings in this chapter and their corresponding "Do I Know This Already?" quiz questions. You can find the answers in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes."

Table 8-1 "Do I Know This Already?" Section-to-Question Mapping

Foundation Topics Section | Questions
Troubleshooting HSRP | 1–4
Troubleshooting VRRP | 5–6
Troubleshooting GLBP | 7–9
Comparing HSRP, VRRP, GLBP | 10

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. What is the default priority for an HSRP interface?
a. 0
b. 100
c. 256
d. 32768

2. How many active forwarders can be in an HSRP group?
a. 1
b. 2
c. 4
d. No limit

3. What command enables you to verify the virtual MAC address of an HSRP group?
a. show hsrp
b. show hsrp brief
c. show standby
d. show standby brief

4. Which two of the following are true about HSRP?
a. Preemption is on by default.
b. Preemption is off by default.
c. The virtual router IP address has to be an unused IP in the LAN.
d. The virtual router IP address can be an unused IP in the LAN or an IP associated with a router's LAN interface.

5. What is the name for the router in a VRRP virtual router group that is actively forwarding traffic on behalf of the virtual router group?
a. Virtual forwarder
b. Active virtual gateway
c. Virtual router master
d. Active virtual forwarder

6. Which two of the following are true about VRRP? (Choose two answers.)
a. Preemption is on by default.
b. Preemption is off by default.
c. The virtual router IP address has to be an unused IP in the LAN.
d. The virtual router IP address can be an unused IP in the LAN or an IP associated with a router's LAN interface.

7. Which of the following statements is true concerning GLBP?
a. GLBP is an industry-standard FHRP.
b. A GLBP group has multiple active virtual gateways.
c. GLBP allows multiple routers to simultaneously forward traffic.
d. The active virtual forwarder in a GLBP group is responsible for responding to ARP requests with different MAC addresses.

8. Which show commands enable you to verify the virtual MAC addresses that an AVF is responsible for? (Choose two answers.)
a. show run
b. show arp
c. show glbp
d. show glbp brief

9. Which of the following is the default GLBP method for load balancing?
a. Weighted
b. Host dependent
c. Server dependent
d. Round-robin

10. Which of the following are Cisco proprietary FHRPs? (Choose two answers.)
a. HSRP
b. VRRP
c. GLBP
d. IRDP

Foundation Topics

Troubleshooting HSRP

Hot Standby Router Protocol (HSRP) is a Cisco proprietary FHRP that was designed to provide default gateway redundancy. HSRP operates on both Cisco routers and Cisco multilayer switches. When implemented, it allows multiple physical Layer 3 gateways to appear as a single virtual Layer 3 gateway. It is this virtual Layer 3 gateway that the clients point to as their default gateway. As a troubleshooter you will need to have a very solid understanding of how HSRP functions in order to resolve any issues related to HSRP. In this section you will review the concepts of HSRP as well as how to verify and troubleshoot HSRP configurations.

Reviewing HSRP

HSRP uses a virtual IP address and MAC address to represent a virtual router within an HSRP group. The end-stations' default gateway IP address is the IP address of the virtual router. When the end-stations ARP for the MAC address of the default gateway IP address, they are given the virtual MAC address. Under no circumstances should the end-stations ever be given the real MAC address of the device that is acting as the default gateway when they are ARPing for the MAC of the virtual IP address. Within an HSRP group, one router is the active router. This router is responsible for forwarding data sent to the MAC address of the default gateway and responding to ARP requests asking for the MAC associated with the IP address of the default gateway. Another router in the HSRP group is known as the standby router. This router is waiting for the active router to fail or experience a link/reachability failure so that it can take over the active router role and forward traffic and respond to ARP requests. You can have additional routers in an HSRP group, but they will not be active or standby. They will simply sit and wait for the active or standby to fail so they can elect a replacement among them. Figure 8-1 illustrates a basic HSRP topology.

Figure 8-1 Basic HSRP Operation (HSRP group 10: R1 Fa0/0 172.16.1.1 is the active router, R2 Et0/0 172.16.1.2 is the standby router, the virtual router is 172.16.1.3, and Workstation A uses next-hop gateway 172.16.1.3)

Examples 8-1 and 8-2 show the HSRP configuration for routers R1 and R2. Notice that both routers R1 and R2 have been configured with the same virtual IP address of 172.16.1.3 for an HSRP group of 10. Router R1 is configured with a higher priority using the standby 10 priority 150 command. Router R2 has a default HSRP priority of 100 for group 10, and with HSRP, higher priority values are more preferable. Also, notice that router R1 is configured with the standby 10 preempt command, which means that if router R1 loses its active status, perhaps because it is powered off, it will regain its active status when it again becomes available.

Example 8-1 HSRP Configuration on Router R1

R1#show run
...OUTPUT OMITTED...
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 standby 10 ip 172.16.1.3
 standby 10 priority 150
 standby 10 preempt
...OUTPUT OMITTED...

Example 8-2 HSRP Configuration on Router R2

R2#show run
...OUTPUT OMITTED...
interface Ethernet0/0
 ip address 172.16.1.2 255.255.255.0
 standby 10 ip 172.16.1.3
...OUTPUT OMITTED...

HSRP Converging After a Failure

By default, HSRP sends hello messages every three seconds. Also, if the standby router does not hear a hello message within ten seconds by default, the standby router considers the active router to be down. The standby router then assumes the active role. Although this ten-second convergence time applies for a router becoming unavailable for a reason such as a power outage or a link failure, convergence happens more rapidly if an interface is administratively shut down. Specifically, an active router sends a resign message if its active HSRP interface is shut down. Also, consider the addition of another router to the network segment whose HSRP priority for group 10 is higher than 150. If it were configured for preemption, the newly added router would send a coup message, to inform the active router that the newly added router was going to take on the active role. If, however, the newly added router were not configured for preemption, the currently active router would remain the active router.

HSRP Verification and Troubleshooting

When verifying an HSRP configuration or troubleshooting an HSRP issue, you should begin by determining the following information about the HSRP group under inspection:

■ Which router is the active router?
■ Which routers, if any, are configured with the preempt option?
■ What is the virtual IP address?
■ What is the virtual MAC address?
■ Is interface or object tracking on?

The show standby brief command can be used to show which interface is participating in an HSRP group. It identifies the HSRP group number, the priority of the interface, if preemption is enabled or not, the interface's state, the router that is currently the active router, the router that is currently the standby router, and the HSRP group's virtual IP address. Examples 8-3 and 8-4 show the output from the show standby brief command issued on routers R1 and R2, where router R1 is currently the active router for group 10 with a virtual IP of 172.16.1.3. It also has a priority of 150 with preemption enabled. In this case, the router with the IP address 172.16.1.2 is the standby router, which happens to be R2.

Example 8-3 show standby brief Command Output on Router R1

R1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State    Active          Standby         Virtual IP
Fa0/0       10   150  P Active   local           172.16.1.2      172.16.1.3

Example 8-4 show standby brief Command Output on Router R2

R2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State    Active          Standby         Virtual IP
Et0/0       10   100    Standby  172.16.1.1      local           172.16.1.3

In addition to an interface's HSRP group number, the show standby interface_type interface_number command also displays the HSRP group's virtual MAC address, the HSRP timers, the standby router's priority, and the virtual IP address for the HSRP group, as shown in Example 8-5. Additionally, this command identifies the router that is currently the active router, the router that is currently the standby router, and if the current local priority is different than the configured local priority. Issuing this command on router R1 shows that the virtual MAC address for HSRP group 10 is 0000.0c07.ac0a, the timers are default at 3 and 10, the standby router's priority is 100, and the local router's current priority is the same as the configured priority.

Example 8-5 show standby fastethernet 0/0 Command Output on Router R1

R1#show standby fastethernet 0/0
FastEthernet0/0 - Group 10
  State is Active
    1 state change, last state change 01:20:00
  Virtual IP address is 172.16.1.3
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.044 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.1.2, priority 100 (expires in 8.321 sec)
  Priority 150 (configured 150)
  IP redundancy name is "hsrp-Fa0/0-10" (default)

Virtual Router MAC Address

The default virtual MAC address for an HSRPv1 group, as shown in Figure 8-2, is based on the HSRP group number. Specifically, the virtual MAC address for an HSRP group begins with a vendor code of 0000.0c, followed with a well-known HSRPv1 code of 07.ac. The last two hexadecimal digits are the hexadecimal representation of the HSRP group number. For example, an HSRP group of 10 yields a default virtual MAC address of 0000.0c07.ac0a, because 10 in decimal equates to 0a in hexadecimal. Therefore, you can have up to 256 HSRPv1 groups.

Figure 8-2 HSRP Virtual MAC Address (HSRP group 10: 0000.0c is the vendor code, 07.ac is the well-known HSRP code, and 0a is the group number in hex, giving 0000.0c07.ac0a)

The default virtual MAC address for an HSRPv2 group begins with a vendor code of 0000.0c, followed with a well-known HSRPv2 code of 9F.F, and then the last three hexadecimal digits represent the HSRPv2 group. Therefore, you can have a total of 4096 HSRPv2 groups.

Interface Tracking

HSRP interface tracking is a feature that most organizations will deploy. By default, HSRP will only detect a failure of the device itself or the path that is used by the hello packets. What about the uplinks from the routers running HSRP? If they fail, hello packets are
if the uplink is down.1. Its priority has been lowered to 99 from 110 because the interface state is down. which allows you to track IP-related information such as a route. you can use object tracking.294 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide still exchanged successfully. Now you would have to troubleshoot why the interface is down. which is beyond the scope of our HSRP discussion.0c07. In addition to interface tracking. last state change 00:02:16 Virtual IP address is 172. Example 8-7 shows a successful ping from Workstation A. You implement interface tracking with the standby group_number track interface_type interface_num- ber decrement_value command. packets are dropped at the active router because it cannot forward them.3 Active virtual MAC address is 0000. Example 8-6 show standby Command Output on Router R1 R1#show standby fa 0/0 FastEthernet0/0 . reviewing the configured priority of 110 and the current priority of 99 indicates why this router is not the active router at the moment. the status of a service level agreement (SLA). you might then check to see whether Key a host on the HSRP virtual IP address’s subnet can ping the virtual IP address. Therefore.0c07. Based on Topic the topology previously shown in Figure 8-1.Group 10 State is Standby 2 state changes.ac0a Local virtual MAC address is 0000. Verifying First Hop Once you know the current HSRP configuration. a group of objects.1. If the interface is anything but up/up. We discuss this type of tracking in the “Troubleshooting VRRP” section. and the status of an interface. and the active router is still available. Interface tracking allows you to control the priority of a router in an HSRP group based on the status of an interface. You can use the show standby command to verify whether interface tracking is configured and the state of the tracked interface. However. it will take over as the active forwarder because it now has the higher priority. 
and if preemption is enabled on the standby router. hold time 10 sec Next hello sent in 0.ac0a (v1 default) Hello time 3 sec.2.16.16. From the Library of Outcast Outcast .312 sec) Standby router is local Priority 99 (configured 110) Track interface FastEthernet2/0 state Down decrement 11 Group name is "hsrp-Gi0/0-10" (default) In the case of Example 8-6. as shown in Example 8-6. you can decrement the priority of the router to a value that is lower than the standby router.784 secs Preemption enabled Active router is 172. you can see that the tracked interface state is down. When it is down. priority 100 (expires in 9. This is where interface tracking comes into play. the priority will be decremented by 11.
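The two checks just described, the default virtual MAC derivation and the tracking decrement arithmetic, are easy to get wrong by eye, so here is an added Python example (not code from the book) that audits show standby output. It derives the expected HSRPv1 or HSRPv2 virtual MAC from the group number and compares it with what the router reports, confirms that the current priority equals the configured priority minus the decrement when the tracked interface is down, and warns when the decrement is too small to ever push the priority below the peer's. Both outputs are constructed: the first mirrors Example 8-6, the second is a made-up variant with a decrement of 1.

```python
import re

# Constructed sample modelled on Example 8-6: the tracked uplink is down,
# so the router's priority has dropped from 110 to 99 and it is Standby.
SHOW_STANDBY_DECREMENTED = """\
FastEthernet0/0 - Group 10
  State is Standby
    2 state changes, last state change 00:02:16
  Virtual IP address is 172.16.1.3
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.784 secs
  Preemption enabled
  Active router is 172.16.1.2, priority 100 (expires in 9.312 sec)
  Standby router is local
  Priority 99 (configured 110)
    Track interface FastEthernet2/0 state Down decrement 11
  Group name is "hsrp-Gi0/0-10" (default)
"""

# Constructed sample of the misconfiguration case: a decrement of 1 only
# takes the router from 110 to 109, which is still above the peer's 100.
SHOW_STANDBY_WEAK_DECREMENT = """\
Vlan10 - Group 10
  State is Active
    8 state changes, last state change 00:14:11
  Virtual IP address is 10.1.1.62
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.736 secs
  Preemption enabled
  Active router is local
  Standby router is 10.1.1.2, priority 100 (expires in 7.760 sec)
  Priority 109 (configured 110)
    Track interface GigabitEthernet1/0/10 state Down decrement 1
  Group name is "hsrp-Vl10-10" (default)
"""


def hsrp_virtual_mac(group, version=1):
    """Default HSRP virtual MAC in Cisco dotted notation.
    v1: 0000.0c07.acXX (groups 0-255); v2: 0000.0c9f.fXXX (groups 0-4095)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        raw = "00000c07ac%02x" % group
    elif version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 group must be 0-4095")
        raw = "00000c9ff%03x" % group
    else:
        raise ValueError("version must be 1 or 2")
    return ".".join(raw[i:i + 4] for i in range(0, 12, 4))


def parse_show_standby(text):
    """Extract the fields a troubleshooter needs from 'show standby' output."""
    info = {}
    m = re.search(r"^(\S+) - Group (\d+)", text, re.M)
    info["interface"], info["group"] = m.group(1), int(m.group(2))
    info["state"] = re.search(r"State is (\w+)", text).group(1)
    info["virtual_mac"] = re.search(r"Active virtual MAC address is (\S+)", text).group(1)
    info["version"] = 2 if "(v2 default)" in text else 1
    info["preempt"] = "Preemption enabled" in text
    m = re.search(r"Priority (\d+) \(configured (\d+)\)", text)
    info["priority"], info["configured"] = int(m.group(1)), int(m.group(2))
    # Only the line naming the peer carries a priority; "is local" lines do not.
    m = re.search(r"(?:Active|Standby) router is (\S+), priority (\d+)", text)
    info["peer"], info["peer_priority"] = (m.group(1), int(m.group(2))) if m else (None, None)
    m = re.search(r"Track (?:interface|object) (\S+) state (\w+) decrement (\d+)", text)
    info["track"] = ({"target": m.group(1), "state": m.group(2), "decrement": int(m.group(3))}
                     if m else None)
    return info


def audit_hsrp(text):
    """Return a list of findings; an empty list means the output is consistent."""
    s = parse_show_standby(text)
    findings = []
    expected_mac = hsrp_virtual_mac(s["group"], s["version"])
    if s["virtual_mac"].lower() != expected_mac:
        findings.append("virtual MAC %s is not the default %s for group %d (custom MAC or version mismatch)"
                        % (s["virtual_mac"], expected_mac, s["group"]))
    track = s["track"]
    if track:
        expected_pri = s["configured"] - (track["decrement"] if track["state"] == "Down" else 0)
        if s["priority"] != expected_pri:
            findings.append("priority %d does not equal configured %d minus the decrement"
                            % (s["priority"], s["configured"]))
        floor = s["configured"] - track["decrement"]
        if s["peer_priority"] is not None and floor >= s["peer_priority"]:
            findings.append("decrement %d only lowers priority to %d, not below the peer's %d: "
                            "tracking will never hand over the active role"
                            % (track["decrement"], floor, s["peer_priority"]))
    return findings
```

Paste the output captured from the router into the string (or read it from a file) and call audit_hsrp on it; an empty list means all three invariants hold. The peer comparison uses "greater than or equal" deliberately, because a standby router only preempts when its priority is strictly higher.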

Verifying First Hop

Once you know the current HSRP configuration, you might then check to see whether a host on the HSRP virtual IP address's subnet can ping the virtual IP address. Based on the topology previously shown in Figure 8-1, Example 8-7 shows a successful ping from Workstation A.

Example 8-7 Ping Test from Workstation A to the HSRP Virtual IP Address

C:\>ping 172.16.1.3
Pinging 172.16.1.3 with 32 bytes of data:
Reply from 172.16.1.3: bytes=32 time=2ms TTL=255
Reply from 172.16.1.3: bytes=32 time=1ms TTL=255
Reply from 172.16.1.3: bytes=32 time=1ms TTL=255
Reply from 172.16.1.3: bytes=32 time=1ms TTL=255
Ping statistics for 172.16.1.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

A client could also be used to verify that the virtual MAC address learned by the client corresponds to the virtual MAC address reported by one of the HSRP routers. Example 8-8 shows Workstation A's Address Resolution Protocol (ARP) cache entry for the HSRP virtual IP address of 172.16.1.3. Notice in the output that the MAC address learned via ARP does match the HSRP virtual MAC address reported by the active HSRP router.

Example 8-8 Workstation A's ARP Cache

C:\>arp -a
Interface: 172.16.1.4 --- 0x4
  Internet Address      Physical Address      Type
  172.16.1.3            00-00-0c-07-ac-0a     dynamic

However, one of the best tools to use with FHRPs to verify the path is traceroute. With traceroute, you can identify the physical first-hop router that the packets are traversing. Example 8-9 displays the tracert command executed on a PC. Notice that it states that the first hop is 172.16.1.1. This is the IP address of R1's LAN interface. Therefore, we can conclude that R1 is the active forwarder at the moment.

Example 8-9 A Trace from Workstation A Confirming That R1 Is the First Hop (Active Forwarder)

C:\>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     7 ms    <1 ms     2 ms  172.16.1.1
...output omitted...
Trace complete.

However, suppose that a failure happened and R2 became the active forwarder. The ARP cache would still be the same on the PC. However, the output of tracert on the PC would now display that the first hop is 172.16.1.2, as shown in Example 8-10.

Example 8-10 A Trace from Workstation A Confirming That R2 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     3 ms     2 ms     4 ms  172.16.1.2
...output omitted...
Trace complete.

Debug

You can also use the debug standby terse command to view important HSRP changes, such as a state change. Example 8-11 shows this debug output on router R2 when router R1's Fast Ethernet 0/0 interface is shut down. In the output, notice that router R2's state changes from standby to active.

Example 8-11 debug standby terse Command Output on Router R2: Changing to Active

R2#
*Mar 1 01:25:45.930: HSRP: Et0/0 Grp 10 Standby: c/Active timer expired (172.16.1.1)
*Mar 1 01:25:45.930: HSRP: Et0/0 Grp 10 Active router is local, was 172.16.1.1
*Mar 1 01:25:45.930: HSRP: Et0/0 Grp 10 Standby router is unknown, was local
*Mar 1 01:25:45.930: HSRP: Et0/0 Grp 10 Standby -> Active
*Mar 1 01:25:45.930: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 10 state Standby -> Active
*Mar 1 01:25:45.930: HSRP: Et0/0 Grp 10 Redundancy "hsrp-Et0/0-10" state Standby -> Active
*Mar 1 01:25:48.935: HSRP: Et0/0 Grp 10 Redundancy group hsrp-Et0/0-10 state Active -> Active
*Mar 1 01:25:51.936: HSRP: Et0/0 Grp 10 Redundancy group hsrp-Et0/0-10 state Active -> Active

When router R1's Fast Ethernet 0/0 interface is administratively enabled, because router R1 is configured with the preempt option, router R1 reassumes its previous role as the active HSRP router for HSRP group 10. The output shown in Example 8-12 demonstrates how router R2 receives a coup message, letting router R2 know that router R1 is taking back its active role.

Example 8-12 debug standby terse Command Output on Router R2: Changing HSRP to Standby

R2#
*Mar 1 01:27:57.979: HSRP: Et0/0 Grp 10 Coup in 172.16.1.1 Active pri 150 vIP 172.16.1.3
*Mar 1 01:27:57.979: HSRP: Et0/0 Grp 10 Active: j/Coup rcvd from higher pri router (150/172.16.1.1)
*Mar 1 01:27:57.979: HSRP: Et0/0 Grp 10 Active router is 172.16.1.1, was local
*Mar 1 01:27:57.979: HSRP: Et0/0 Grp 10 Active -> Speak
*Mar 1 01:27:57.979: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 10 state Active -> Speak
*Mar 1 01:27:57.979: HSRP: Et0/0 Grp 10 Redundancy "hsrp-Et0/0-10" state Active -> Speak
*Mar 1 01:28:07.979: HSRP: Et0/0 Grp 10 Speak: d/Standby timer expired (unknown)
*Mar 1 01:28:07.979: HSRP: Et0/0 Grp 10 Standby router is local
*Mar 1 01:28:07.979: HSRP: Et0/0 Grp 10 Speak -> Standby
*Mar 1 01:28:07.979: HSRP: Et0/0 Grp 10 Redundancy "hsrp-Et0/0-10" state Speak -> Standby
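The state-change and coup lines in Examples 8-11 and 8-12 are also what you would pull from a syslog collector when HSRP misbehaves. As an added example, not from the book, this Python turns those lines into a timeline per group, counts how often a group re-entered Active, and lists coup senders that are not among the routers you documented for the group; the log text is constructed from the two examples.

```python
import re

# Constructed sample modelled on the debug standby terse output in
# Examples 8-11 and 8-12 as seen on R2: R1 goes away, then returns with a
# coup because it has the higher priority (150).
HSRP_LOG = """\
*Mar  1 01:25:45.930: HSRP: Et0/0 Grp 10 Standby: c/Active timer expired (172.16.1.1)
*Mar  1 01:25:45.930: HSRP: Et0/0 Grp 10 Active router is local, was 172.16.1.1
*Mar  1 01:25:45.930: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 10 state Standby -> Active
*Mar  1 01:27:57.979: HSRP: Et0/0 Grp 10 Coup in 172.16.1.1 Active pri 150 vIP 172.16.1.3
*Mar  1 01:27:57.979: HSRP: Et0/0 Grp 10 Active: j/Coup rcvd from higher pri router (150/172.16.1.1)
*Mar  1 01:27:57.979: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 10 state Active -> Speak
*Mar  1 01:28:07.979: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 10 state Speak -> Standby
"""

# IOS timestamp prefix ("*Mar  1 01:25:45.930"); absent on plain syslog lines.
TS = re.compile(r"^\*?(\w{3}\s+\d+\s+\d\d:\d\d:\d\d(?:\.\d+)?)")
STATE = re.compile(r"%HSRP-\d-STATECHANGE: (\S+) Grp (\d+) state (\w+) -> (\w+)")
COUP = re.compile(r"HSRP: (\S+) Grp (\d+) Coup in (\S+) Active pri (\d+)")


def parse_hsrp_events(text):
    """Turn state-change and coup lines into a list of event dicts, in log order."""
    events = []
    for line in text.splitlines():
        ts = TS.match(line)
        stamp = ts.group(1) if ts else None
        m = STATE.search(line)
        if m:
            events.append({"ts": stamp, "kind": "state", "intf": m.group(1),
                           "group": int(m.group(2)), "old": m.group(3), "new": m.group(4)})
            continue
        m = COUP.search(line)
        if m:
            events.append({"ts": stamp, "kind": "coup", "intf": m.group(1),
                           "group": int(m.group(2)), "src": m.group(3),
                           "priority": int(m.group(4))})
    return events


def transitions(events, group):
    """Ordered (old, new) state pairs for one group."""
    return [(e["old"], e["new"]) for e in events if e["kind"] == "state" and e["group"] == group]


def active_entries(events, group):
    """How many times the group entered Active; repeated entries in a short
    log are worth correlating with interface or tracking changes."""
    return sum(1 for _, new in transitions(events, group) if new == "Active")


def unexpected_coups(events, expected_routers):
    """Coup senders that are not in the documented router set for the group.
    A coup from an address you do not recognise means a device other than
    your own routers is claiming the active role and should be investigated."""
    return [e for e in events if e["kind"] == "coup" and e["src"] not in expected_routers]
```

Feed it the lines for one router at a time; the interface name differs between the debug lines (Et0/0) and the STATECHANGE syslog (Ethernet0/0), so key your correlation on the group number rather than the interface string.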

HSRP Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 8-3.

Figure 8-3 HSRP Trouble Ticket Topology (SW1: Int VLAN 10, IP 10.1.1.1/26, HSRP group 10 Active; SW2: Int VLAN 10, IP 10.1.1.2/26, HSRP group 10 Standby; virtual IP 10.1.1.62; each switch uplinks to the core on Gig 1/0/10; SW3 connects PC1, IP 10.1.1.10/26, DG 10.1.1.62)

Trouble Ticket 8-1

Problem: According to traffic statistics, all traffic for VLAN 10 is flowing through SW2 to reach the core instead of SW1.

You start by verifying the problem from PC1 on VLAN 10. In this case, the best tool is traceroute because it will identify the router hops (real IPs) along the path. All you care about is the first hop: is it 10.1.1.1 or 10.1.1.2? This will identify whether traffic is flowing through SW1 or SW2 to reach the core. Example 8-13 indicates that SW2 is in fact the HSRP active forwarder for the 10.1.1.0/26 network because it was the first hop returned for the tracert command output.

Example 8-13 A Trace from PC1 Confirming That SW2 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     6 ms     1 ms     2 ms  10.1.1.2
...output omitted...
Trace complete.

Reviewing Figure 8-3 indicates that SW1 should be the active forwarder for group 10. Next you need to confirm that this is in fact true by reviewing the output of HSRP show commands. Example 8-14 displays the output of show standby brief on SW2. Notice that under the Active column it states local and that under the Standby column it displays 10.1.1.1, which is the IP address of the standby router, SW1.

Example 8-14 show standby brief Command Output on SW2

SW2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   100 P Active  local           10.1.1.1        10.1.1.62

Now is an excellent time to review the output of show standby brief on SW1 to see whether anything stands out that might be the issue. Example 8-15 indicates that SW1 is indeed the standby router for group 10.

Example 8-15 show standby brief Command Output on SW1

SW1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   10  P Standby 10.1.1.2        local           10.1.1.62

The HSRP router that has the higher priority is the active forwarder. However, if you look very closely at Examples 8-14 and 8-15, you should notice that SW1 has a priority of 10, and SW2 has a priority of 100. You should check the output of show standby on SW1 to determine whether that is the configured priority or whether some tracked object is down and causing the priority to be lowered. Example 8-16 displays the output of show standby on SW1. Notice that the priority is listed as 10 and that it states it is configured as 10.

Example 8-16 show standby Command Output on SW1

SW1#show standby
Vlan10 - Group 10
  State is Standby
    4 state changes, last state change 00:06:51
  Virtual IP address is 10.1.1.62
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.016 secs
  Preemption enabled
  Active router is 10.1.1.2, priority 100 (expires in 9.488 sec)
  Standby router is local
  Priority 10 (configured 10)
    Track interface GigabitEthernet1/0/10 state Up decrement 11
  Group name is "hsrp-Vl10-10" (default)

Checking your documentation indicates that the priority should be configured to 110. It must have been mistyped. Example 8-17 displays the interface VLAN 10 configuration, which shows that the priority was configured to 10 instead of 110.

Example 8-17 show run interface vlan 10 Command Output on SW1

SW1#show run interface vlan 10
Building configuration...

Current configuration : 163 bytes
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.192
 standby 10 ip 10.1.1.62
 standby 10 priority 10
 standby 10 preempt
 standby 10 track 1 decrement 11
end

After fixing the issue by executing the command standby 10 priority 110 in VLAN 10 interface configuration mode on SW1, you see the following syslog message confirming that SW1 is now the active forwarder:

%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active

You then reissue the tracert command on PC1 and confirm that SW1 is in fact the active forwarder now, as shown in Example 8-18.

Example 8-18 A Trace from PC1 Confirming That SW1 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     7 ms    <1 ms     2 ms  10.1.1.1
...output omitted...
Trace complete.

Trouble Ticket 8-2

Problem: According to traffic statistics, all traffic for VLAN 10 is flowing through SW2 to reach the core instead of SW1.

You start by verifying the problem from PC1 on VLAN 10. In this case, the best tool is traceroute because it will identify the router hops (real IPs) along the path. All you care about is the first hop: is it 10.1.1.1 or 10.1.1.2? This will identify whether traffic is flowing through SW1 or SW2 to reach the core. Example 8-19 indicates that SW2 is in fact the HSRP active forwarder for the 10.1.1.0/26 network because it was the first hop returned for the tracert command output.

Example 8-19 A Trace from PC1 Confirming That SW2 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     6 ms     1 ms     2 ms  10.1.1.2
...output omitted...
Trace complete.

Reviewing Figure 8-3 indicates that SW1 should be the active forwarder for group 10. Next you need to confirm that this is in fact true by reviewing the output of HSRP show commands. Example 8-20 displays the output of show standby brief on SW2. Notice that under the Active column it states local and that under the Standby column it displays 10.1.1.1, which is the IP address of the standby router, SW1.

Example 8-20 show standby brief Command Output on SW2

SW2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   100 P Active  local           10.1.1.1        10.1.1.62

Now is an excellent time to review the output of show standby brief on SW1 to see whether anything stands out that might be the issue. Example 8-21 indicates that SW1 is indeed the standby router for group 10.

Example 8-21 show standby brief Command Output on SW1

SW1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   110   Standby 10.1.1.2        local           10.1.1.62

The HSRP router that has the higher priority should be the active forwarder. However, if you look very closely at Examples 8-20 and 8-21, you should notice that SW1 has a priority of 110 and that SW2 has a priority of 100. If SW1 is expected to take over as the active forwarder when it has a higher priority, preemption needs to be on. However, in this case, it is not. Taking an even closer look at Examples 8-20 and 8-21, you notice that SW1 does not have preemption enabled, as indicated by the missing P in the output. You check the output of show standby on SW1, as shown in Example 8-22, and it indicates that preemption is disabled.

Example 8-22 show standby Command Output on SW1

SW1#show standby
Vlan10 - Group 10
  State is Standby
    7 state changes, last state change 02:39:07
  Virtual IP address is 10.1.1.62
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.520 secs
  Preemption disabled
  Active router is 10.1.1.2, priority 100 (expires in 10.112 sec)
  Standby router is local
  Priority 110 (configured 110)
    Track interface GigabitEthernet1/0/10 state Up decrement 11
  Group name is "hsrp-Vl10-10" (default)

After fixing the issue by executing the command standby 10 preempt in VLAN 10 interface configuration mode on SW1, you see the following syslog message confirming that SW1 is now the active forwarder:

%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active

You then reissue the tracert command on PC1 and confirm that SW1 is in fact the active forwarder now, as shown in Example 8-23.

Example 8-23 A Trace from PC1 Confirming That SW1 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     7 ms    <1 ms     2 ms  10.1.1.1
...output omitted...
Trace complete.
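Tickets 8-1 and 8-2 both come down to reading show standby brief on both switches side by side. As an added example that is not part of the book, the following Python parses that output from each switch and states why the router that should be active is not: a lower priority (ticket 8-1) or a missing P flag (ticket 8-2). The two sets of outputs are constructed to match Examples 8-14/8-15 and 8-20/8-21.

```python
import re

# Constructed samples modelled on Examples 8-14/8-15 (ticket 8-1) and
# 8-20/8-21 (ticket 8-2): hostname -> output of 'show standby brief'.
TICKET_8_1 = {
    "SW2": """\
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   100 P Active  local           10.1.1.1        10.1.1.62
""",
    "SW1": """\
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   10  P Standby 10.1.1.2        local           10.1.1.62
""",
}

TICKET_8_2 = {
    "SW2": TICKET_8_1["SW2"],
    "SW1": """\
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   110   Standby 10.1.1.2        local           10.1.1.62
""",
}

# One group row; the P column is optional and becomes a boolean.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(P\s+)?(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_standby_brief(text):
    """One dict per HSRP group row in 'show standby brief' output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"interface": m.group(1), "group": int(m.group(2)),
                         "priority": int(m.group(3)), "preempt": m.group(4) is not None,
                         "state": m.group(5), "active": m.group(6),
                         "standby": m.group(7), "vip": m.group(8)})
    return rows


def diagnose_group(outputs, group, expected_active):
    """Explain why expected_active is not the active forwarder for the group,
    using only what 'show standby brief' on each router reports."""
    members = {}
    for host, text in outputs.items():
        for row in parse_standby_brief(text):
            if row["group"] == group:
                members[host] = row
    want = members[expected_active]
    if want["state"] == "Active":
        return "%s is Active for group %d as designed" % (expected_active, group)
    actives = [h for h, r in members.items() if r["state"] == "Active"]
    if not actives:
        return "no router reports Active for group %d" % group
    current = actives[0]
    have = members[current]
    if want["priority"] < have["priority"]:
        return ("%s priority %d is lower than %s priority %d: check the configured "
                "priority and whether a tracked interface lowered it"
                % (expected_active, want["priority"], current, have["priority"]))
    if want["priority"] == have["priority"]:
        return ("%s and %s tie at priority %d; the router with the higher interface IP stays Active"
                % (expected_active, current, want["priority"]))
    if not want["preempt"]:
        return ("%s has the higher priority (%d vs %d) but no P flag: preemption is "
                "disabled, so it will not take over from %s"
                % (expected_active, want["priority"], have["priority"], current))
    return ("%s has the higher priority and preempt enabled yet is %s: check show standby "
            "and debug standby terse on both routers" % (expected_active, want["state"]))
```

The expected active router comes from your documentation (Figure 8-3 here), not from the command output, which is the same cross-check the two tickets walk through by hand.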

Trouble Ticket 8-3

Problem: Users in VLAN 10 are reporting that they are not able to reach any resources outside their LAN.

You start by verifying the problem from PC1 on VLAN 10. You ping 192.0.2.1, and it fails, as shown in Example 8-24.

Example 8-24 Failed Ping from PC1 to Destination Outside LAN

C:\PC1>ping 192.0.2.1
Pinging 192.0.2.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.0.2.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

You ping the default gateway of PC1, which is the virtual router IP address of 10.1.1.62, and it is successful, as shown in Example 8-25.

Example 8-25 Successful Ping from PC1 to Default Gateway

C:\PC1>ping 10.1.1.62
Reply from 10.1.1.62: bytes=32 time<1ms TTL=128
Reply from 10.1.1.62: bytes=32 time<1ms TTL=128
Reply from 10.1.1.62: bytes=32 time<1ms TTL=128
Reply from 10.1.1.62: bytes=32 time<1ms TTL=128
Ping statistics for 10.1.1.62:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

So far, you have confirmed that connectivity beyond the default gateway is not possible but that connectivity to the default gateway is. You decide to use traceroute to determine which router is currently the active forwarder. Example 8-26 confirms that it is SW1 at 10.1.1.1. However, notice how no other hop is displayed and you receive a destination host unreachable message from 10.1.1.1. Keep this in mind; we will come back to it.

Example 8-26 A Trace from PC1 Confirming That SW1 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     4 ms     2 ms     2 ms  10.1.1.1
  2  10.1.1.1  reports: Destination host unreachable.
Trace complete.

Next you need to confirm that SW1 is in fact the active forwarder by reviewing the output of HSRP show commands. Example 8-27 displays the output of show standby brief on SW1. Notice that under the Active column it states local and that under the Standby column it displays 10.1.1.2, which is the IP address of the standby router, SW2.

Example 8-27 show standby brief Command Output on SW1

SW1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   109 P Active  local           10.1.1.2        10.1.1.62

Review Example 8-26 again. Remember how the tracert command output is failing at SW1? This is a good indication that SW1 cannot route the packet to 192.0.2.1. You issue the show ip route command on SW1, as shown in Example 8-28. All you see are connected and local routes; there is no connected route for Gig1/0/10, nor are there any routes learned from a neighboring router in the core on Gig1/0/10.

Example 8-28 show ip route Command Output on SW1

SW1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.1.1.0/26 is directly connected, Vlan10
L        10.1.1.1/32 is directly connected, Vlan10
C        10.1.1.64/26 is directly connected, Vlan20
L        10.1.1.65/32 is directly connected, Vlan20

You issue the command show ip interface brief | exclude unassigned on SW1, as shown in Example 8-29, and notice that Gig1/0/10 is down/down.

Example 8-29 show ip interface brief | exclude unassigned Command Output on SW1

SW1#show ip int brief | ex unassigned
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 10.1.1.1        YES NVRAM  up                    up
Vlan20                 10.1.1.65       YES NVRAM  up                    up
GigabitEthernet1/0/10  10.1.1.2        YES NVRAM  down                  down

There is an issue between SW1 and the core. You escalate the problem because it is beyond your control. However, you need to determine in the meantime why HSRP did not successfully fail over to SW2 as the active forwarder for group 10, in case this happens again. Interface tracking is a feature that allows an HSRP-enabled router to decrement its priority by a specified value if the status of an interface goes down. This ensures that the active forwarder does not maintain the active status if it is not fit to do so. If it did, it might black hole traffic, as it did in this scenario.

Using the command show standby on SW1, as shown in Example 8-30, indicates that you are tracking interface Gigabit Ethernet 1/0/10. It also shows that it is down and that the current priority is 109 instead of the configured 110.

Example 8-30 show standby Command Output on SW1

SW1#show standby
Vlan10 - Group 10
  State is Active
    8 state changes, last state change 00:14:11
  Virtual IP address is 10.1.1.62
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.736 secs
  Preemption enabled
  Active router is local
  Standby router is 10.1.1.2, priority 100 (expires in 7.760 sec)
  Priority 109 (configured 110)
    Track interface GigabitEthernet1/0/10 state Down decrement 1
  Group name is "hsrp-Vl10-10" (default)

The problem in this case is clear. Interface tracking was configured incorrectly. It appears that whoever configured it thought that the decrement value identified what the new priority should be if the interface goes down. But in reality, it states how much to lower the configured priority by. In this case, the decrement value was set to 1, as verified in Example 8-31, which displays the output of show run interface vlan 10. Therefore, the configured priority is 110 and you subtract 1, which gives you 109.

Example 8-31 show run interface vlan 10 Command Output on SW1

SW1#show run interface vlan 10
Building configuration...

Current configuration : 163 bytes
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.192
 standby 10 ip 10.1.1.62
 standby 10 priority 110
 standby 10 preempt
 standby 10 track 1 decrement 1
end

After you solve this problem by changing the decrement value to a value of 11 or higher (so that the priority of SW1 will be 99 or lower), you will notice a syslog message on SW1 indicating that SW1 is no longer in the active state, and on SW2 you will see a syslog message indicating that it is now in the active state. These are examples of the syslog messages:

SW1#
%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Active -> Speak
SW1#
%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Speak -> Standby
SW1#

SW2#
%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active
SW2#

You then reissue the tracert command on PC1, as shown in Example 8-32, and confirm that SW2 is the active forwarder.

Example 8-32 A Trace from PC1 Confirming That SW2 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1
Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     3 ms     2 ms     4 ms  10.1.1.2

...output omitted...
  7    48 ms    40 ms    30 ms  192.0.2.1
Trace complete.

In addition, as a troubleshooter, you need to ping from a client to make sure that the problem is officially solved. It is, as shown by the successful ping in Example 8-33.

Example 8-33 Successful Ping from PC1

C:\PC1>ping 192.0.2.1
Reply from 192.0.2.1: bytes=32 time<1ms TTL=128
Reply from 192.0.2.1: bytes=32 time<1ms TTL=128
Reply from 192.0.2.1: bytes=32 time<1ms TTL=128
Reply from 192.0.2.1: bytes=32 time<1ms TTL=128
Ping statistics for 192.0.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Troubleshooting VRRP

Virtual Router Redundancy Protocol (VRRP) is an IETF standard FHRP based on Cisco's HSRP protocol. Therefore, your knowledge of HSRP can transfer over to VRRP. However, although they are similar, VRRP and HSRP are not compatible. In addition, you need to understand the differences of VRRP so that you can successfully troubleshoot issues related to it. This section focuses on the behavior of VRRP and how to verify and troubleshoot VRRP issues.

Reviewing VRRP

Like HSRP, VRRP allows a collection of routers to service traffic destined for a single IP address. Unlike HSRP, the IP address serviced by a VRRP group does not have to be a unique/unused IP address. The IP address can be the address of a router's physical interface on the LAN. A VRRP virtual router identifier (VRID) is made up of a virtual master router and multiple routers acting as virtual router backups, as shown in Figure 8-4. (Note that the VRID is the same concept as an HSRP group.) The virtual master router is responsible for handing out the virtual MAC address associated with the LAN's default gateway IP address and forwarding traffic sent to the default gateway. The virtual router backups are waiting for the master to fail so that one of them can take over the virtual master router role.

Figure 8-4 Basic VRRP Operation (SW1: Int VLAN 10/20, IP 10.1.1.1/26 and 10.1.1.65/26, VRRP group 20 Backup; SW2: Int VLAN 10/20, IP 10.1.1.2/26 and 10.1.1.66/26, VRRP group 20 VRM (Virtual Router Master); VRM IP 10.1.1.66; each switch uplinks to the core on Gig 1/0/10; SW3 connects PC1, IP 10.1.1.74/26, DG 10.1.1.66)

Examples 8-34 and 8-35 show the VRRP configuration for SW1 and SW2. Notice in Examples 8-34 and 8-35 that the VRRP group IP address is the same as the SVI on SW2. As a result of this, SW2 will automatically be the virtual router master because it owns that IP address, regardless of what the priority is, because it will give itself a priority of 255 automatically.

Example 8-34 VRRP Configuration on Router R1

SW1#show run
...OUTPUT OMITTED...
interface vlan 20
 ip address 10.1.1.65 255.255.255.192
 vrrp 20 ip 10.1.1.66
...OUTPUT OMITTED...

Example 8-35 VRRP Configuration on Router R2

SW2#show run
...OUTPUT OMITTED...
interface vlan 20
 ip address 10.1.1.66 255.255.255.192
 vrrp 20 ip 10.1.1.66
...OUTPUT OMITTED...

VRRP Verification and Troubleshooting

When verifying a VRRP configuration or troubleshooting a VRRP issue, you should begin by determining the following information about the VRRP group under inspection:

■ Which router is the virtual router master?
■ How was the virtual router master chosen?
■ Which routers, if any, are configured with the preempt option? (Enabled by default)
■ What is the IP address of the virtual router?
■ What is the virtual MAC address?
■ Is object tracking on?

You can use the show vrrp brief command to show which interface is participating in a VRRP group. It identifies the VRRP group number, the priority of the interface, whether it owns the IP being used as the virtual router IP, whether preemption is enabled, the state, and the VRRP group's virtual IP address. In addition, this command will identify the current state of the router along with the master address and the group address. Examples 8-36 and 8-37 show the output from the show vrrp brief command issued on SW1 and SW2.

Example 8-36 show vrrp brief Command Output on Router SW1

SW1#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl20               20  100 3609      Y  Backup  10.1.1.66       10.1.1.66

Example 8-37 show vrrp brief Command Output on SW2

SW2#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl20               20  255 3003  Y   Y  Master  10.1.1.66       10.1.1.66

In Examples 8-36 and 8-37, notice how SW2 has a priority of 255. In the previous configuration examples, we did not configure the priority. We kept it at the default of 100. By default, VRRP uses a priority of 100 like HSRP. In this case, it is 255 because SW2 owns the IP that is being used as the virtual IP address. Therefore, it automatically changes its priority to 255 so that it becomes the virtual router master for the group. Notice how SW2 is currently the master router for group 20. You can also see that preemption is enabled and that SW2 owns the IP address that is being used as the virtual router IP address. Also make note that preemption is on by default; you do not have to manually enable it. Therefore, SW1 is in the backup state.
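The election rules stated above (the address owner runs at 255, otherwise the highest priority wins, and a tie goes to the higher IP address) are summarized in this added Python example, which is not from the book. It computes each router's effective VRRP priority, including a tracking decrement for objects that are down, and names the master with the reason. Router descriptions are constructed from Examples 8-34 to 8-37; the second set assumes a separate virtual address of 10.1.1.126 and a tracked object in the down state, as in Example 8-39 later in this section; the floor of 1 for a decremented priority is an assumption.

```python
import ipaddress

# Constructed router descriptions for VRRP group 20, modelled on Examples
# 8-34 to 8-37: SW2's SVI address is also the group's virtual address.
GROUP_20 = [
    {"name": "SW1", "ip": "10.1.1.65", "vip": "10.1.1.66", "priority": 100, "tracked": []},
    {"name": "SW2", "ip": "10.1.1.66", "vip": "10.1.1.66", "priority": 100, "tracked": []},
]

# Constructed variant: neither router owns the virtual address 10.1.1.126,
# and SW2 (configured 110) has a tracked object down with decrement 11,
# the situation Example 8-39 shows from SW2's point of view.
GROUP_20_TRACKED = [
    {"name": "SW1", "ip": "10.1.1.65", "vip": "10.1.1.126", "priority": 100, "tracked": []},
    {"name": "SW2", "ip": "10.1.1.66", "vip": "10.1.1.126", "priority": 110,
     "tracked": [{"object": 1, "up": False, "decrement": 11}]},
]


def effective_priority(router):
    """Owner of the virtual address runs at 255 regardless of configuration;
    anyone else uses the configured priority minus the decrement of every
    tracked object that is down (assumed floor of 1, the lowest valid value)."""
    if router["ip"] == router["vip"]:
        return 255
    pri = router.get("priority", 100)
    for obj in router.get("tracked", []):
        if not obj["up"]:
            pri -= obj["decrement"]
    return max(pri, 1)


def elect_master(routers):
    """Highest effective priority wins; an equal priority is broken in favour
    of the higher interface IP address. Returns (name, reason)."""
    ranked = sorted(routers,
                    key=lambda r: (effective_priority(r), ipaddress.ip_address(r["ip"])),
                    reverse=True)
    winner = ranked[0]
    runner_up = ranked[1] if len(ranked) > 1 else None
    pri = effective_priority(winner)
    if winner["ip"] == winner["vip"]:
        reason = "owns the virtual address, so it advertises priority 255"
    elif runner_up is not None and effective_priority(runner_up) == pri:
        reason = "ties at priority %d and has the higher IP address" % pri
    else:
        reason = "has the highest effective priority (%d)" % pri
    return winner["name"], reason
```

The reason string answers the second question in the checklist above ("How was the virtual router master chosen?") directly from the facts show vrrp brief reports: Own, Pri, and the interface address.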

In addition to an interface's VRRP group number, priority, and state, the show vrrp interface interface_type interface_number command also displays the VRRP group's virtual MAC address and the VRRP timers. Issuing this command on SW2, as shown in Example 8-38, shows that the virtual MAC address for VRRP group 20 is 0000.5e00.0114, the priority is 255, the timers are at their defaults of 1 and 3, and SW2 is the master router. By default, the VRRP timers are 1 second for the Advertisement interval and 3 seconds for the Master Down interval.

Example 8-38 show vrrp interface vlan 20 Command Output on SW2

SW2#show vrrp interface vlan 20
Vlan20 - Group 20
  State is Master
  Virtual IP address is 10.1.1.66
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 255
  Master Router is 10.1.1.66 (local), priority is 255
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.003 sec

Virtual Router MAC Address

The default virtual MAC address for a VRRP group, as shown in Figure 8-5, is based on the VRRP VRID, which is just a fancy way to identify the group number. Specifically, the virtual MAC address for a VRRP group begins with a vendor code of 0000.5e (IANA's organizationally unique identifier [OUI]), followed with a well-known VRRP address block of 00.01. The last two hexadecimal digits are the hexadecimal representation of the VRID (group) number. For example, a VRRP group of 20 yields a default virtual MAC address of 0000.5e00.0114, because 20 in decimal equates to 14 in hexadecimal.

Figure 8-5 VRRP Virtual MAC Address (VRRP VRID (group) 20 = 0000.5e00.0114: vendor code 0000.5e (IANA), well-known VRRP code 00.01, group number in hex 14)

Object Tracking

Object tracking is a feature that most organizations will deploy when using VRRP. By default, VRRP will only detect a failure of the device itself or the path that is used by the hello packets. What about the uplinks from the routers running VRRP? If they fail, hello packets are still exchanged successfully, and the virtual master router is still available. However, if the uplink is down, packets are dropped at the virtual master router because it cannot forward them. This is where object tracking comes into play.

Object tracking enables you to control the priority of a router in a VRRP group based on the status of an object. The object can be IP-related information such as a route, the status of an SLA probe, a group of objects, and the status of an interface. If the object is anything but up, the priority of the router can be decremented to a value that is lower than the standby router's, and because preemption is enabled by default, the standby router will take over as the virtual master router because it now has the higher priority. You can use the show vrrp command to verify whether object tracking is configured, and the state of the tracked object, as shown in Example 8-39.

Example 8-39 show vrrp Command Output on Router SW2

SW2#show vrrp
VLAN 20 - Group 20
  State is Backup
  Virtual IP address is 10.1.1.126
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 99 (cfgd 110)
    Track object 1 state Down decrement 11
  Master Router is 10.1.1.65, priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.570 sec (expires in 3.026 sec)

In the case of Example 8-39, you can see that the tracked object 1 is in a state of down, and when it is down, it will decrement the priority by 11. You can see the current priority is 99 and the configured priority is 110 (110 - 11 = 99). However, you need to find out what the tracked object is specifically so that you can troubleshoot further. Using the command show track, you can verify what tracked object number 1 is tracking. In Example 8-40, you can verify that it is the status of the line protocol on interface Gigabit Ethernet 1/0/10. It is admin-down and being tracked by VRRP group 20.

Example 8-40 show track Command Output on Router SW2

SW2#show track
Track 1
  Interface GigabitEthernet1/0/10 line-protocol
  Line protocol is Down (hw admin-down)
    2 changes, last change 00:05:13
  Tracked by:
    VRRP VLAN20 20

Now you would have to troubleshoot why the interface is down, which is beyond the scope of our VRRP discussion.

Verifying First Hop

Once you know the current VRRP configuration, you might then check to see whether a host on the VRRP virtual IP address's subnet can ping the virtual IP address. Based on the topology previously shown in Figure 8-4, Example 8-41 shows a successful ping from PC1.

Example 8-41 Ping Test from PC1 to the VRRP Virtual IP Address

C:\PC1>ping 10.1.1.66

Pinging 10.1.1.66 with 32 bytes of data:
Reply from 10.1.1.66: bytes=32 time=2ms TTL=255
Reply from 10.1.1.66: bytes=32 time=1ms TTL=255
Reply from 10.1.1.66: bytes=32 time=1ms TTL=255
Reply from 10.1.1.66: bytes=32 time=1ms TTL=255

Ping statistics for 10.1.1.66:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

However, a successful ping does not prove that the client is using the virtual MAC address and therefore VRRP; the physical router that owns the address would answer just as well. Therefore, you should also verify that the virtual MAC address learned by the client corresponds to the virtual MAC address reported by the VRRP virtual router master. Example 8-42 shows PC1's ARP cache entry for the VRRP virtual IP address of 10.1.1.66. Notice in the output that the MAC address learned via ARP, 00-00-5e-00-01-14, matches the VRRP virtual MAC address of the master router (0000.5e00.0114, where 0x14 is group 20).

Example 8-42 PC1 ARP Cache

C:\PC1>arp -a

Interface: 10.1.1.74 --- 0x4
  Internet Address      Physical Address      Type
  10.1.1.66             00-00-5e-00-01-14     dynamic

However, one of the best tools to use with FHRPs to verify the path is traceroute, as discussed with HSRP. With traceroute, from the client, you can identify the physical first-hop router that the packets are traversing. Example 8-43 displays the tracert command executed on PC1. Notice that it states that the first hop is 10.1.1.66. This is the IP address of SW2's VLAN 20 SVI. Therefore, you can conclude that SW2 is the virtual router master at the moment.

Example 8-43 A Trace from PC1 Confirming That SW2 Is the First Hop (Virtual Router Master)

C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     7 ms    <1 ms     2 ms  10.1.1.66
...output omitted...

Trace complete.

Suppose, however, that a failure happened and SW1 became the virtual router master. The ARP cache on PC1 would still be the same, because the virtual MAC address moves with the master role; however, the output of tracert on the PC would now display that the first hop is 10.1.1.65, as shown in Example 8-44.

Example 8-44 A Trace from PC1 Confirming That SW1 Is the First Hop (Virtual Router Master)

C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     7 ms    <1 ms     2 ms  10.1.1.65
...output omitted...

Trace complete.

VRRP Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 8-6.

Figure 8-6 VRRP Trouble Ticket Topology (core 192.0.2.1 is reached over Gig 1/0/10 from SW1 and SW2; SW1 VLAN 20 SVI 10.1.1.65/26 is Backup; SW2 VLAN 20 SVI 10.1.1.66/26 is the virtual router master (VRM) for VRRP group 20 with virtual IP 10.1.1.66; VLAN 10 SVIs are 10.1.1.1/26 on SW1 and 10.1.1.2/26 on SW2; PC1, behind SW3, is 10.1.1.74/26 with default gateway 10.1.1.66)

Trouble Ticket 8-4

Problem: According to traffic statistics, all traffic for VLAN 20 is flowing through SW1 to reach the core instead of SW2.

You start by verifying the problem from PC1 on VLAN 20. In this case, the best tool is traceroute because it identifies the router hops (real IPs) along the path. All you care about is the first hop: is it 10.1.1.65 or 10.1.1.66? This identifies whether traffic is flowing through SW1 or SW2 to reach the core. Example 8-45 indicates that SW1 should be the VRRP virtual router master for the 10.1.1.64/26 network, because it was the first hop returned by the tracert command.

Example 8-45 A Trace from PC1 Confirming That SW1 Is the First Hop (Master)

C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     2 ms     2 ms     1 ms  10.1.1.65
...output omitted...

Trace complete.

Next you need to confirm that this is in fact true by reviewing the output of VRRP show commands. Example 8-46 displays the output of show vrrp brief on SW1. Notice that under the State column it states Backup and the Master addr is 10.1.1.66. Therefore, SW1 is not the VRRP master, even though it is being used as the first hop.

Example 8-46 show vrrp brief Command Output on SW1

SW1#show vrrp brief
Interface   Grp Pri Time  Own Pre State   Master addr   Group addr
Vl20        20  100 3609      Y   Backup  10.1.1.66     10.1.1.66

Now is an excellent time to review the output of show vrrp brief on SW2 to verify this. Example 8-47 indicates that SW2 is in the master state. Note the priority of 255 and the Y in the Own column: SW2 owns the virtual IP address because 10.1.1.66 is also the address of its VLAN 20 SVI, so it always wins the election while it is up. Reviewing Figure 8-6 indicates that SW2 should be the virtual router master of the group, and it appears that it is.

Example 8-47 show vrrp brief Command Output on SW2

SW2#show vrrp brief
Interface   Grp Pri Time  Own Pre State   Master addr   Group addr
Vl20        20  255 3003  Y   Y   Master  10.1.1.66     10.1.1.66

What would be causing SW1 and SW2 to be in their correct states, yet the wrong device being used as the first hop? Recall that when a client sends an ARP request for the VRRP virtual IP address, the virtual router master responds with the group MAC address. On PC1, you issue the arp -a command, as shown in Example 8-48, to verify the MAC address being used by the client for the 10.1.1.66 address. It does not appear that the client is learning a VRRP MAC address, because none of the MAC addresses listed start with 0000.5e00.01. In this case, it should be 0000.5e00.0114 for group 20. Also notice that the only Internet address listed is 10.1.1.65, with a MAC of 28-93-fe-3a-e3-43. That is the IP and MAC address of interface VLAN 20 on SW1, as shown in Example 8-49, which displays the output of the show interface vlan 20 command.

Example 8-48 Verifying PC1's ARP Cache

C:\PC1>arp -a

Interface: 10.1.1.74 --- 0x2
  Internet Address      Physical Address      Type
  10.1.1.65             28-93-fe-3a-e3-43     dynamic

Example 8-49 Verifying SW1's SVI IP Address and MAC Address

SW1#show interface vlan 20
Vlan20 is up, line protocol is up
  Hardware is EtherSVI, address is 2893.fe3a.e343 (bia 2893.fe3a.e343)
  Internet address is 10.1.1.65/26
...output omitted...

From the show commands you just reviewed, it seems as if the PCs are using 10.1.1.65 as the default gateway address instead of the VRRP virtual IP of 10.1.1.66. It appears that the PCs might be configured with the wrong default gateway IP address. Using the ipconfig command on PC1, as shown in Example 8-50, you confirm that the default gateway is 10.1.1.65 and not 10.1.1.66.

Example 8-50 Verifying the Default Gateway on PCs

C:\PC1>ipconfig

Windows IP Configuration

Ethernet adapter PC1:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.1.1.74
   Subnet Mask . . . . . . . . . . . : 255.255.255.192
   IP Address. . . . . . . . . . . . : 2001:20::20
   IP Address. . . . . . . . . . . . : fe80::a00:27ff:fea2:ce47%4
   Default Gateway . . . . . . . . . : 10.1.1.65

You contact the administrator of the DHCP server and inform him of the issue. After the adjustments are made and the clients have the correct default gateway, as shown in Example 8-51, you reissue the tracert command and confirm that SW2 (10.1.1.66) is being used as the first hop, as shown in Example 8-51 as well.

Example 8-51 Verifying the Default Gateway on PCs After Adjustments

C:\PC1>ipconfig

Windows IP Configuration

Ethernet adapter PC1:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.1.1.74

   Subnet Mask . . . . . . . . . . . : 255.255.255.192
   IP Address. . . . . . . . . . . . : 2001:20::20
   IP Address. . . . . . . . . . . . : fe80::a00:27ff:fea2:ce47%4
   Default Gateway . . . . . . . . . : 10.1.1.66

C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     3 ms     1 ms     2 ms  10.1.1.66
...output omitted...

Trace complete.

However, it is important that you confirm that the correct VRRP MAC address is being used by checking the ARP cache on the PCs. In Example 8-52, you confirm with the arp -a command that the MAC address 0000.5e00.0114 for group 20 is being used.

Example 8-52 Verifying PC1's ARP Cache After Adjustments

C:\PC1>arp -a

Interface: 10.1.1.74 --- 0x2
  Internet Address      Physical Address      Type
  10.1.1.66             00-00-5e-00-01-14     dynamic

Trouble Ticket 8-5

Problem: According to traffic statistics, when the uplink between SW3 and SW2 goes down, all traffic for VLAN 20 flows through SW3, then SW1, then SW2, and is routed out to the core from there. If the uplink between SW3 and SW2 is not available, SW1 should become the VRRP virtual router master so that traffic flow is optimized in the LAN.

You start verifying the problem by shutting down the link between SW3 and SW2, as shown in Figure 8-7. (Note that the default gateway IP address differs from the previous figures.) You then trace the path from PC1 to an IP address outside the LAN. All you care about is the first hop: is it 10.1.1.65 or 10.1.1.66? This identifies whether traffic is flowing through SW1 or SW2 to reach the core. Example 8-53 indicates that SW2 is in fact still the VRRP virtual router master for the 10.1.1.64/26 network, because it was the first hop returned by the tracert command.

Example 8-53 A Trace from PC1 Confirming That SW2 Is the First Hop (Master)

C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     2 ms     2 ms     2 ms  10.1.1.66
...output omitted...

Trace complete.

Figure 8-7 VRRP Suboptimal Traffic Flow Topology (core 192.0.2.1 is reached over Gig 1/0/10 from SW1 and SW2; SW1 VLAN 20 SVI 10.1.1.65/26 is Backup; SW2 VLAN 20 SVI 10.1.1.66/26 is the virtual router master (VRM) for VRRP group 20 with virtual IP 10.1.1.126; VLAN 10 SVIs are 10.1.1.1/26 on SW1 and 10.1.1.2/26 on SW2; SW2's Gi1/0/2 link to SW3 is shut down; PC1, behind SW3, is 10.1.1.74/26 with default gateway 10.1.1.126)

Next you need to confirm that this is in fact true by reviewing the output of VRRP show commands. Example 8-54 displays the output of show vrrp brief on SW2. Notice that under the State column it states Master and the Master addr is 10.1.1.66 (SW2) for the group address 10.1.1.126. All looks fine so far.

Example 8-54 show vrrp brief Command Output on SW2

SW2#show vrrp brief
Interface   Grp Pri Time  Own Pre State   Master addr   Group addr
Vl20        20  100 3570      Y   Master  10.1.1.66     10.1.1.126

Next you review the output of show vrrp, as shown in Example 8-55. In this output, you notice that SW2 is the master but that there is a problem with the priority. The configured priority is 110, but the current priority is 100. As a result, it has been decremented dynamically. This can be verified with the tracked object, which is currently down. The output indicates that tracking object 1 is down, and when it is down, the priority is decremented by 10 (110 - 10 = 100).

Example 8-55 show vrrp Command Output on SW2

SW2#show vrrp
Vlan20 - Group 20
  State is Master

  Virtual IP address is 10.1.1.126
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100 (cfgd 110)
    Track object 1 state Down decrement 10
  Master Router is 10.1.1.66 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.570 sec

What is tracking object 1? To verify, you execute the show track command on SW2. As Example 8-56 displays, the output of show track indicates that you are tracking the line protocol of Gigabit Ethernet 1/0/2 for VRRP on interface VLAN 20 for group 20. Gigabit Ethernet 1/0/2 is down, and as a result, VRRP decremented the priority by 10.

Example 8-56 show track Command Output on SW2

SW2#show track
Track 1
  Interface GigabitEthernet1/0/2 line-protocol
  Line protocol is Down (hw down)
    6 changes, last change 01:39:45
  Tracked by:
    VRRP Vlan20 20

Next you verify the priority on SW1 with the show vrrp command, as shown in Example 8-57. The output clearly shows that the priority of SW1 is 100, which is the same as SW2's current priority. If that is the case, why is SW2 the virtual router master? When priority is tied, just like HSRP, the IP address of the LAN interface participating in VRRP is used as the tiebreaker, and the higher address wins. Because SW2 (10.1.1.66) has the higher LAN IP address than SW1 (10.1.1.65), it remains the virtual router master. Reviewing the output of show vrrp for SW1 and SW2 identifies that preemption is enabled and the priority is tied, so at this point in time SW2 is still the virtual router master for group 20 even though its priority is being decremented, as you saw in Example 8-55. The decrement is simply not large enough to drop SW2 below SW1.

Example 8-57 show vrrp Command Output on SW1

SW1#show vrrp
Vlan20 - Group 20
  State is Backup
  Virtual IP address is 10.1.1.126
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 10.1.1.66, priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.575 sec)
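The election that Trouble Ticket 8-5 walks through can be checked before an outage rather than discovered during one. The following is an added example, not code from the book or from Cisco IOS, that models the rules stated above: the higher effective priority wins, a tie is broken by the higher LAN IP address, a priority of 255 marks the address owner, and a tracked-object failure subtracts the configured decrement. Its audit function answers the question the ticket raises, namely how large a decrement has to be so that a failure on SW2 actually hands mastership to SW1. Router names and addresses are the chapter's SW1/SW2 lab; the helper names are this example's own.

```python
"""Added example: model VRRP master election with object tracking (not IOS code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class VrrpRouter:
    name: str
    ip: str                   # LAN IP of the interface running VRRP (the tiebreaker)
    priority: int = 100       # configured priority; 255 means this router owns the virtual IP
    track_decrement: int = 0  # "vrrp <grp> track <obj> decrement <n>"
    track_up: bool = True     # current state of the tracked object

    def effective_priority(self) -> int:
        """Priority actually advertised: configured value, minus the decrement while the object is down."""
        if self.priority == 255 or self.track_up:
            return self.priority
        return max(1, self.priority - self.track_decrement)


def elect_master(routers):
    """Return the router that wins the election (preemption enabled, the VRRP default)."""
    return max(routers, key=lambda r: (r.effective_priority(), IPv4Address(r.ip)))


def decrement_is_sufficient(router, others) -> bool:
    """True when a tracked-object failure on `router` lets every other router win outright.

    A decrement that only produces a tie is not enough: the tie goes to the higher
    LAN IP address, which may still be `router` (exactly the Trouble Ticket 8-5 case).
    """
    if router.priority == 255:
        return False  # the address owner is never decremented
    failed = max(1, router.priority - router.track_decrement)
    return all(failed < o.effective_priority() for o in others)


def audit(routers):
    """Findings for routers whose decrement cannot hand mastership to a peer; [] when all is well."""
    findings = []
    for r in routers:
        others = [o for o in routers if o is not r]
        if r.track_decrement and not decrement_is_sufficient(r, others):
            best_other = max(o.effective_priority() for o in others)
            needed = r.priority - best_other + 1
            findings.append(
                f"{r.name}: decrement {r.track_decrement} leaves priority "
                f"{r.priority - r.track_decrement}; needs at least {needed}"
            )
    return findings


if __name__ == "__main__":
    sw1 = VrrpRouter("SW1", "10.1.1.65", priority=100)
    sw2 = VrrpRouter("SW2", "10.1.1.66", priority=110, track_decrement=10, track_up=False)
    print(elect_master([sw1, sw2]).name)   # SW2: 100 vs 100, .66 beats .65
    print(audit([sw1, sw2]))               # explains why, and what decrement would fix it
    sw2.track_decrement = 11
    print(elect_master([sw1, sw2]).name)   # SW1
```

Run the audit against every VRRP group whose backup relies on object tracking; the check is the same one you would do by hand with show vrrp on both routers, just not forgotten.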

How can you make sure that SW1 takes over as the virtual router master if the uplink between SW3 and SW2 fails? In this case, make sure that the priority of SW2 is dropped below that of SW1. Therefore, you issue the vrrp 20 track 1 decrement 11 command in interface VLAN 20 configuration mode on SW2, so that a failure yields 110 - 11 = 99, which is less than SW1's 100. As soon as you do this, a syslog message is displayed on SW2, as follows:

%VRRP-6-STATECHANGE: Vl20 Grp 20 state Master -> Backup

On SW1, the following syslog message is displayed:

%VRRP-6-STATECHANGE: Vl20 Grp 20 state Backup -> Master

You now reissue the tracert command on PC1 to verify the first hop, as shown in Example 8-58. It is now SW1.

Example 8-58 A Trace from PC1 Confirming That SW1 Is the First Hop (Master)

C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     2 ms     2 ms     2 ms  10.1.1.65
...output omitted...

Trace complete.

Next you enable the interface between SW3 and SW2 with the no shutdown command and receive the following syslog messages on SW2:

%TRACKING-5-STATE: 1 interface Gi1/0/2 line-protocol Down->Up
%VRRP-6-STATECHANGE: Vl20 Grp 20 state Backup -> Master

Because the interface is up, the tracking object is up, which means that SW2's priority goes back to 110, and SW2 becomes the virtual router master again. You then reissue the tracert command on PC1 to verify the first hop, as shown in Example 8-59. It is now SW2.

Example 8-59 A Trace from PC1 Confirming That SW2 Is the First Hop (Master)

C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     2 ms     2 ms     2 ms  10.1.1.66
...output omitted...

Trace complete.

Troubleshooting GLBP

Whereas HSRP can have only one active forwarder for each group, Gateway Load Balancing Protocol (GLBP) can have multiple forwarders for each group. Therefore, GLBP can load balance traffic destined for a next-hop gateway across a collection of routers within the GLBP group. This section explains the GLBP active virtual gateway (AVG) and active virtual forwarder (AVF) concepts and how to verify and troubleshoot issues related to GLBP.

Reviewing GLBP

With GLBP, there is one AVG and up to four AVFs in a group. The AVG is responsible for handing out the AVF MAC addresses to the hosts in the LAN. Therefore, it is responsible for replying to ARP requests for the MAC address of the default gateway. The AVFs are responsible for processing the frames that are sent to their MAC address. Note that the AVG is usually an AVF as well.

Figure 8-8 shows a GLBP topology example. As you can see from Figure 8-8, R1 is the AVG, and R1 and R2 are AVFs. The virtual router IP address that will be used as the default gateway on all the hosts is 10.1.1.62. When Workstation A sends an ARP request for the MAC address of 10.1.1.62, R1 (AVG) responds with the MAC of 0007.b400.0a01. When Workstation B sends an ARP request for the MAC address of 10.1.1.62, R1 (AVG) responds with the MAC of 0007.b400.0a02. Therefore, Workstation A sends default gateway destined traffic to R1, and Workstation B sends default gateway destined traffic to R2. The next workstation that sends an ARP request will get 0007.b400.0a01, the one after that 0007.b400.0a02, and so on. This is the default behavior, known as round-robin, which can be changed with the glbp group_id load-balancing interface configuration command. The other options are host-dependent and weighted.

Figure 8-8 Basic GLBP Operation (core 192.0.2.1 behind R1 Gi3/0; R1 Gi0/0 10.1.1.1 is the AVG and an AVF with virtual MAC 0007.b400.0a01; R2 Gi0/0 10.1.1.2 is an AVF with virtual MAC 0007.b400.0a02; GLBP IP address 10.1.1.62; Workstation A 10.1.1.10 and Workstation B 10.1.1.20 both use next-hop gateway 10.1.1.62, and R1 answers their ARP requests with 0007.b400.0a01 and 0007.b400.0a02 respectively)

Examples 8-60 and 8-61 show the possible GLBP configurations for routers R1 and R2.

Example 8-60 Possible GLBP Configuration on Router R1

R1#show run interface gigabitethernet 0/0
Building configuration...

Current configuration : 269 bytes
!

interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.192
 glbp 10 ip 10.1.1.62
 glbp 10 priority 150
 glbp 10 preempt
 glbp 10 weighting 110 lower 90 upper 100
 glbp 10 load-balancing weighted
end

Example 8-61 Possible GLBP Configuration on Router R2

R2#show run interface gigabitethernet 0/0
Building configuration...

Current configuration : 237 bytes
!
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.192
 glbp 10 ip 10.1.1.62
 glbp 10 preempt
 glbp 10 weighting 100 lower 80
 glbp 10 load-balancing weighted
end

Notice that both routers R1 and R2 have been configured with the same virtual IP address of 10.1.1.62 for GLBP group 10. Router R1 is configured to be the AVG with a higher priority using the glbp 10 priority 150 command. Router R2 has the default GLBP priority of 100. Also, notice that both routers are configured with the glbp 10 preempt command. This ensures that the router with the higher priority will be the AVG. Remember that preemption is not enabled by default for the AVG election process. As with HSRP and VRRP, higher priority values are more preferable.

The last two commands in Examples 8-60 and 8-61 relate to the AVFs: how their MAC addresses will be handed out to hosts on the LAN by the AVG, and whether they will be allowed to forward traffic. By default, the MACs are handed out in a round-robin fashion. However, in these examples, load balancing has been configured as weighted. This means that the initial weighting value defined in the glbp 10 weighting command determines the ratio used to hand out MAC addresses. In this case, the AVG will hand out the MAC addresses in a 110:100 ratio, or 11:10. This means that R1's virtual MAC address will be given to clients 11 times for every 10 times that R2's virtual MAC address is given out. Therefore, R1 will handle more hosts on average than R2.

The lower and upper values are related to when the AVF loses its ability to forward traffic for its virtual MAC address and when it regains that ability. Referring to Example 8-60 again, notice that R1's lower limit is 90. This means that R1 loses its ability to forward traffic for its virtual MAC address if its weighting drops below 90. It regains its ability to forward traffic for its virtual MAC address only once its weighting goes back up to 100; the gap between the two thresholds keeps a flapping tracked object from toggling the AVF on every change. The initial weighting

value is 110. Notice that R2 in Example 8-61 has no upper weighting, which means that it is the same as the initial weighting.

GLBP Verification and Troubleshooting

When verifying a GLBP configuration or troubleshooting a GLBP issue, begin by determining the following information about the GLBP group under inspection:

■ Which router is the AVG?
■ Which routers are the AVFs?
■ How was the AVG chosen?
■ Which routers, if any, are configured with the preempt option?
■ What is the IP address of the virtual router?
■ What are the AVFs' virtual MAC addresses?
■ Is object tracking on?

The show glbp brief command displays a great deal of GLBP information. Examples 8-62 and 8-63 provide samples of the show glbp brief command.

Example 8-62 show glbp brief Command Output on Router R1

R1#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Gi0/0       10   -   150 Active   10.1.1.62       local           10.1.1.2
Gi0/0       10   1   -   Active   0007.b400.0a01  local           -
Gi0/0       10   2   -   Listen   0007.b400.0a02  10.1.1.2        -

Example 8-63 show glbp brief Command Output on Router R2

R2#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Gi0/0       10   -   100 Standby  10.1.1.62       10.1.1.1        local
Gi0/0       10   1   -   Listen   0007.b400.0a01  10.1.1.1        -
Gi0/0       10   2   -   Active   0007.b400.0a02  local           -

The output identifies the interfaces that are participating in a GLBP group. It identifies who the AVFs are under the Fwd column. The dash (-) refers to the AVG information, and the numbers 1 and 2 refer to the AVFs in the group. The Pri column displays the priority used during the AVG election process. The State column identifies the state of the device for the group. In the AVG row, in this case the top row, Active means that it is the AVG, and Standby means that it is waiting to become the AVG if the AVG fails. In the second and third rows, the column refers to the state of the AVF. In these examples, Active means that the router is forwarding for the virtual MAC address in the Address column. Listen means that the router is waiting to take over the forwarding process for the virtual MAC address in the Address column if the router listed in the Active router column is no longer able to forward traffic for that virtual MAC address.

The show glbp command output provides significant details about the GLBP groups, as shown in Example 8-64. In the output, you can verify the group number and the interface associated with it. You can determine whether the router is the AVG based on whether it is Active or Standby. The virtual IP address, the hello and hold timers, and the status of preemption are also listed. Depending on the state of the device, you will be able to verify the active or standby router's IP address and its priority. You will also be able to see your current local priority and the configured priority. This is a great command for verifying the weighting values, the type of load balancing being used, and the members of the group, which are identified by their physical MAC address and the IP address associated with the interface participating in the GLBP group.

Example 8-64 show glbp Command Output on Router R1

R1#show glbp gigabitethernet0/0
GigabitEthernet0/0 - Group 10
  State is Active
    1 state change, last state change 00:31:34
  Virtual IP address is 10.1.1.62
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.568 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is 10.1.1.2, priority 100 (expires in 9.984 sec)
  Priority 150 (configured)
  Weighting 110 (configured 110), thresholds: lower 90, upper 100
    Track object 1 state Up decrement 25
  Load balancing: weighted
  Group members:
    ca12.0854.0008 (10.1.1.2)
    ca13.0854.0008 (10.1.1.1) local
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Active
      3 state changes, last state change 00:03:35
    MAC address is 0007.b400.0a01 (default)
    Owner ID is ca13.0854.0008
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 110
  Forwarder 2
    State is Listen
    MAC address is 0007.b400.0a02 (learnt)
    Owner ID is ca12.0854.0008
    Redirection enabled, 600.000 sec remaining (maximum 600 sec)
    Time to live: 14400.000 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 10.1.1.2 (primary), weighting 100 (expires in 11.232 sec)

Still referring to Example 8-64, focus on the area related to the forwarders. This information is related to the AVFs in the group. Specifically, you can verify that there are two AVFs. This router is currently Active for Forwarder 1, meaning that it is forwarding for the MAC address 0007.b400.0a01 that is listed. The output also states who the current owner of the virtual MAC address is, identified by the physical MAC address of the device (the Owner ID). The owner is the device currently responsible for forwarding traffic for the virtual MAC address. R1 is in the Listen state for Forwarder 2, meaning that it is waiting for the current owner of the virtual MAC 0007.b400.0a02 to no longer be able to forward for the MAC so that it can take over.

Virtual Router MAC Addresses

The default virtual MAC address for the AVFs in a GLBP group, as shown in Figure 8-9, is based on the group number and the AVF forwarder ID within the group. By default, the virtual MAC address for a GLBP group begins with the well-known GLBP code 0007.b400. The next two hexadecimal digits represent the group number. The last two hexadecimal digits represent the forwarder ID within the group. For example, a GLBP group of 43 yields a default virtual MAC address for AVF 1 of 0007.b400.2b01, because 43 in decimal equates to 2b in hexadecimal. For AVF 2, it would be 0007.b400.2b02, and for AVF 3, it would be 0007.b400.2b03.

Figure 8-9 GLBP Virtual MAC Address (for GLBP group 43, 0007.b400.2b02 breaks down into the well-known GLBP code 0007.b400, the group ID 2b in hexadecimal, and the AVF number 02)

GLBP Object Tracking

As with VRRP, GLBP will only detect a failure of the device itself or of the path that is used by the hello packets. That is perfectly fine for the AVG, because a failure of an uplink outside the LAN does not affect the AVG role: hello packets are still exchanged successfully, and the AVG is still reachable. However, what about the AVFs? If an AVF's uplink fails, the AVF can no longer forward packets for the virtual IP and MAC it owns, yet nothing in GLBP itself notices. This is where object tracking comes into play for the AVFs.

Object tracking allows you to control the weighting of an AVF in a GLBP group based on the status of an object. The object can be IP-related information such as a route, a group of objects, the status of an SLA probe, or the status of an interface. If the object is anything but up, the weight of the router can be decremented to a value that is lower than a configured threshold so that another AVF can forward on behalf of the router that cannot. You can use the show glbp command to verify whether object tracking is configured, as shown in Example 8-65.

Example 8-65 show glbp Command Output on Router R1

R1#show glbp
GigabitEthernet0/0 - Group 10
  State is Active
    1 state change, last state change 00:31:34
  Virtual IP address is 10.1.1.62
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.568 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is 10.1.1.2, priority 100 (expires in 9.984 sec)
  Priority 150 (configured)
  Weighting 110 (configured 110), thresholds: lower 90, upper 100
    Track object 1 state Up decrement 25
  Load balancing: weighted
  Group members:
    ca12.0854.0008 (10.1.1.2)
    ca13.0854.0008 (10.1.1.1) local
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Active
      3 state changes, last state change 00:03:35
    MAC address is 0007.b400.0a01 (default)
    Owner ID is ca13.0854.0008
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 110
  Forwarder 2
    State is Listen
    MAC address is 0007.b400.0a02 (learnt)
    Owner ID is ca12.0854.0008
    Redirection enabled, 600.000 sec remaining (maximum 600 sec)
    Time to live: 14400.000 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 10.1.1.2 (primary), weighting 100 (expires in 11.232 sec)

In the case of Example 8-65, you can see that tracked object 1 is in a state of up. However, if the tracked object goes down, the weighting will be decremented by 25, to 85. As a result, the weighting will be lower than the lower threshold of 90, and R1 will no longer be able to be the AVF for MAC 0007.b400.0a01. AVF 2, which is R2, will have to forward for both MAC addresses at this point. If you need to find out what the tracked object is specifically so that you can troubleshoot further, use the show track command, as shown in Example 8-66. In this output, the line protocol of interface Gigabit Ethernet 3/0 is being tracked by GLBP.
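The weighting behaviour described for Examples 8-60 and 8-61 (the 110:100 hand-out ratio and the lower/upper thresholds) and the tracking scenario just discussed (a decrement of 25 pushing R1 below 90 so that R2 forwards for both MACs) are easier to reason about with a small model. The following is an added example, not code from the book or from Cisco IOS, that simulates both. It assumes that the lower threshold is exclusive and the upper threshold inclusive (below lower stops forwarding, at or above upper resumes), that the AVG hands out MACs with a smooth weighted round-robin, and that a surviving AVF simply answers for a failed AVF's MAC; real IOS additionally runs redirect and time-out timers on the failed MAC, which the model leaves out.

```python
"""Added example: a model of GLBP weighted load balancing and AVF weighting thresholds.

Illustration code, not Cisco IOS and not from the book. It reproduces two
behaviours this chapter describes for R1 and R2 in group 10: the AVG answers
ARP for the virtual IP with the AVFs' virtual MACs in proportion to their
weightings (110:100), and an AVF stops forwarding for its own virtual MAC when
a tracked-object decrement takes its weighting below the lower threshold,
resuming only when the weighting is back at or above the upper threshold.
Exclusive lower / inclusive upper and the takeover rule are this model's
assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Avf:
    name: str
    vmac: str
    weighting: int                 # glbp 10 weighting <w> ...
    lower: int                     # ... lower <l>
    upper: Optional[int] = None    # ... upper <u>; omitted => same as initial weighting
    decrement: int = 0             # glbp 10 weighting track 1 decrement <n>
    track_up: bool = True
    forwarding: bool = True
    credit: int = field(default=0, repr=False)   # scheduler state used by Avg.arp_reply

    def __post_init__(self) -> None:
        if self.upper is None:
            self.upper = self.weighting

    def current_weighting(self) -> int:
        """Weighting currently advertised: initial value minus the decrement while the object is down."""
        return self.weighting if self.track_up else max(0, self.weighting - self.decrement)

    def set_track(self, up: bool) -> bool:
        """Apply a tracked-object change; returns whether this AVF still forwards for its own MAC."""
        self.track_up = up
        w = self.current_weighting()
        if self.forwarding and w < self.lower:
            self.forwarding = False        # fell below lower: stop forwarding
        elif not self.forwarding and w >= self.upper:
            self.forwarding = True         # back at upper: resume (hysteresis)
        return self.forwarding


class Avg:
    """The AVG: decides which AVF virtual MAC goes into each ARP reply for the virtual IP."""

    def __init__(self, avfs):
        self.avfs = list(avfs)

    def arp_reply(self) -> Optional[str]:
        """Smooth weighted round-robin: over sum(weightings) consecutive replies,
        each forwarding AVF is chosen exactly its weighting times."""
        eligible = [a for a in self.avfs if a.forwarding]
        if not eligible:
            return None
        total = sum(a.current_weighting() for a in eligible)
        for a in eligible:
            a.credit += a.current_weighting()
        chosen = max(eligible, key=lambda a: a.credit)
        chosen.credit -= total
        return chosen.vmac

    def distribution(self, replies: int) -> dict:
        """Count how many of `replies` ARP answers carried each virtual MAC."""
        counts: dict = {}
        for _ in range(replies):
            mac = self.arp_reply()
            counts[mac] = counts.get(mac, 0) + 1
        return counts

    def forwarder_for(self, vmac: str) -> Optional[str]:
        """Router currently forwarding frames sent to `vmac`: its owner, or a surviving
        AVF that has taken the MAC over because the owner dropped below its threshold."""
        owner = next(a for a in self.avfs if a.vmac == vmac)
        if owner.forwarding:
            return owner.name
        backup = next((a for a in self.avfs if a.forwarding), None)
        return backup.name if backup else None


if __name__ == "__main__":
    r1 = Avf("R1", "0007.b400.0a01", weighting=110, lower=90, upper=100, decrement=25)
    r2 = Avf("R2", "0007.b400.0a02", weighting=100, lower=80)
    avg = Avg([r1, r2])
    print(avg.distribution(210))                 # {'0007.b400.0a01': 110, '0007.b400.0a02': 100}
    r1.set_track(False)                          # Gi3/0 down: 110 - 25 = 85 < 90
    print(avg.forwarder_for("0007.b400.0a01"))   # R2 now forwards for both MACs
    r1.set_track(True)                           # 110 >= 100: R1 takes its MAC back
    print(avg.forwarder_for("0007.b400.0a01"))   # R1
```

Changing the decrement to 15 in the model shows the other side of the threshold: 110 - 15 = 95 stays above 90, so R1 keeps forwarding with a dead uplink, which is the misconfiguration object tracking is meant to prevent.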

Example 8-66 show track Command Output on R1

R1#show track
Track 1
  Interface GigabitEthernet3/0 line-protocol
  Line protocol is Up
    3 changes, last change 00:05:56
  Tracked by:
    GLBP GigabitEthernet0/0 10

Verifying GLBP First Hop

Once you know the current GLBP configuration, you might then check to see whether a host on the GLBP virtual IP address's subnet can ping the virtual IP address. Based on the topology previously shown in Figure 8-8, Example 8-67 shows a successful ping from Workstation A.

Example 8-67 Ping Test from Workstation A to the GLBP Virtual IP Address

C:\>ping 10.1.1.62

Pinging 10.1.1.62 with 32 bytes of data:
Reply from 10.1.1.62: bytes=32 time=2ms TTL=255
Reply from 10.1.1.62: bytes=32 time=1ms TTL=255
Reply from 10.1.1.62: bytes=32 time=1ms TTL=255
Reply from 10.1.1.62: bytes=32 time=1ms TTL=255

Ping statistics for 10.1.1.62:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

However, a successful ping does not prove that the client is using the virtual MAC address and that GLBP is working successfully. Therefore, you should also verify that the virtual MAC address learned by the client corresponds to a virtual MAC address reported by the GLBP AVG. Example 8-68 shows Workstation A's ARP cache entry for the GLBP virtual IP address of 10.1.1.62. Notice in the output that the MAC address learned via ARP, 00-07-b4-00-0a-01, matches the GLBP virtual MAC address of the first AVF (group 10 = 0x0a, forwarder 1).

Example 8-68 Workstation A's ARP Cache

C:\>arp -a

Interface: 10.1.1.10 --- 0x4
  Internet Address      Physical Address      Type
  10.1.1.62             00-07-b4-00-0a-01     dynamic
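The ARP-cache check above, the same check done for VRRP in Examples 8-42, 8-48 and 8-52, and the virtual MAC format described under "Virtual Router MAC Addresses" all come down to recognising which FHRP a cached gateway MAC belongs to. The following is an added example, not code from the book or from Cisco, that does this over a Windows arp -a dump: it recovers the group (and, for GLBP, the forwarder) from a VRRP, GLBP or HSRP version 1 virtual MAC, and reports a physical MAC, which is what Trouble Ticket 8-4 turned up when PC1 had SW1's SVI address as its default gateway. The sample arp -a text is constructed from the chapter's examples; limiting GLBP groups to 0-255 follows the two-hex-digit description given in the chapter.

```python
"""Added example: check the gateway entry in a Windows `arp -a` dump against the
FHRP virtual MAC formats this chapter describes (not code from the book or Cisco).

VRRP virtual MACs are 0000.5e00.01xx (xx = group), GLBP AVF MACs are
0007.b400.GGFF (GG = group, FF = forwarder) and HSRP version 1 uses
0000.0c07.acxx. Anything else is a physical interface MAC. Restricting GLBP
groups to two hex digits (0-255) is this example's simplification.
"""
import re
from typing import Optional

# One arp -a entry: IP, dash-separated MAC, type. The "Interface: ..." line does not match.
ARP_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def normalize_mac(mac: str) -> str:
    """Any common MAC spelling -> Cisco dotted form, e.g. 00-07-b4-00-0a-01 -> 0007.b400.0a01."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{hexdigits[0:4]}.{hexdigits[4:8]}.{hexdigits[8:12]}"


def vrrp_virtual_mac(group: int) -> str:
    """Default VRRP virtual MAC: 0000.5e00.01 followed by the group in hex (group 20 -> ...0114)."""
    if not 1 <= group <= 255:
        raise ValueError("VRRP group must be 1-255")
    return f"0000.5e00.01{group:02x}"


def glbp_virtual_mac(group: int, forwarder: int) -> str:
    """Default GLBP AVF MAC: 0007.b400, group in hex, forwarder in hex (group 43, AVF 1 -> ...2b01)."""
    if not 0 <= group <= 255 or not 1 <= forwarder <= 4:
        raise ValueError("group must be 0-255 and forwarder 1-4")
    return f"0007.b400.{group:02x}{forwarder:02x}"


def classify_mac(mac: str) -> dict:
    """Identify which FHRP (if any) a MAC belongs to and recover the group number."""
    m = normalize_mac(mac)
    if m.startswith("0000.5e00.01"):
        return {"protocol": "VRRP", "group": int(m[-2:], 16)}
    if m.startswith("0007.b400."):
        return {"protocol": "GLBP", "group": int(m[-4:-2], 16), "forwarder": int(m[-2:], 16)}
    if m.startswith("0000.0c07.ac"):
        return {"protocol": "HSRPv1", "group": int(m[-2:], 16)}
    return {"protocol": "physical"}


def check_gateway(arp_output: str, gateway_ip: str, expected_mac: Optional[str] = None) -> Optional[dict]:
    """Find `gateway_ip` in arp -a output and classify its MAC.

    Returns None when the gateway is absent from the cache: the host never ARPed
    for it, so it is most likely configured with a different default gateway.
    When `expected_mac` is given, `ok` says whether the cached MAC matches it.
    """
    for line in arp_output.splitlines():
        m = ARP_ENTRY.match(line)
        if m and m.group(1) == gateway_ip:
            mac = normalize_mac(m.group(2))
            result = classify_mac(mac)
            result["mac"] = mac
            result["ok"] = expected_mac is None or mac == normalize_mac(expected_mac)
            return result
    return None


# Constructed sample: PC1's cache after the Trouble Ticket 8-4 fix (as in Example 8-52).
SAMPLE_ARP = """\
Interface: 10.1.1.74 --- 0x2
  Internet Address      Physical Address      Type
  10.1.1.66             00-00-5e-00-01-14     dynamic
"""

if __name__ == "__main__":
    print(check_gateway(SAMPLE_ARP, "10.1.1.66", vrrp_virtual_mac(20)))
```

Feed it the arp -a output from a host and the virtual IP from show vrrp or show glbp; a result of None or "physical" means the host is bypassing the FHRP, regardless of what the routers' own states look like.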

However, one of the best tools to use with FHRPs to verify the path is traceroute, as discussed with HSRP and VRRP. With traceroute, from the client, you can identify the physical first-hop router that the packets are traversing. Example 8-69 displays the tracert command executed on Workstation A. Notice that it states that the first hop is 10.1.1.1. This is the IP address of R1's Gig0/0 interface. Example 8-70 displays the tracert command executed on Workstation B. Notice that it states that the first hop is 10.1.1.2. This is the IP address of R2's Gig0/0 interface. But remember that in both cases the workstations are configured to use the virtual IP 10.1.1.62 and are dynamically provided a virtual MAC address based on the AVG's load-balancing method.

Example 8-69 A Trace from Workstation A Confirming That R1 Is the First Hop (AVF)

C:\>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     2 ms     2 ms     2 ms  10.1.1.1
...output omitted...

Trace complete.

Example 8-70 A Trace from Workstation B Confirming That R2 Is the First Hop (AVF)

C:\>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     2 ms     2 ms     2 ms  10.1.1.2
...output omitted...

Trace complete.

GLBP Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 8-10.

Figure 8-10 GLBP Trouble Ticket Topology
(Figure: R1 and R2 both connect to the Core. R1, Gi0/0 10.1.1.1, is the Active Virtual Gateway (AVG) and an Active Virtual Forwarder (AVF) with GLBP IP address 10.1.1.62 and virtual MAC 0007.b400.0a01. R2, Gi0/0 10.1.1.2, is an AVF with GLBP IP address 10.1.1.62 and virtual MAC 0007.b400.0a02. Workstation A, 10.1.1.10, uses next-hop GW 10.1.1.62 with a MAC of 0007.b400.0a01; Workstation B, 10.1.1.20, uses next-hop GW 10.1.1.62 with a MAC of 0007.b400.0a02.)

Trouble Ticket 8-6
Problem: A junior administrator has stated that GLBP is behaving strangely. With a puzzled look on your face, you ask the junior admin to show you what she means. The junior admin provides the output shown in Example 8-71 and Example 8-72. You review them, and then ask the junior administrator to explain.

Example 8-71 Output of show glbp brief on R1
R1#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    150  Active   10.1.1.62       local           unknown
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -

Example 8-72 Output of show glbp brief on R2
R2#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    100  Active   10.1.1.62       local           unknown
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -

The junior administrator indicates that R1 and R2 are both in group 10. R1 has a priority of 150, and R2 has a priority of 100. However, they are both indicating that they are the AVG for the virtual address 10.1.1.62. In addition, R1 and R2 are both stating that they are the AVFs for the MAC addresses listed.
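Both checks the chapter has walked through so far, the client-side ARP check of Example 8-68 and the duplicate-role symptom of Examples 8-71 and 8-72, can be run mechanically against captured command output. The following Python is an added example written for this edit, not code from the book or from Cisco. It parses Windows arp -a output and show glbp brief output copied from the chapter's examples (embedded as constructed sample strings), decodes the group and forwarder number from a 0007.b400.xxyy virtual MAC, confirms that the client's gateway MAC is one a router is actively forwarding for, and reports any AVG or forwarder role that more than one router claims for itself. The helper names and the column layout it assumes for show glbp brief are assumptions of this example.

```python
import re

# Constructed sample: Workstation A's ARP cache (Example 8-68), "arp -a" format.
ARP_A = """\
Interface: 10.1.1.10 --- 0x4
  Internet Address      Physical Address      Type
  10.1.1.62             00-07-b4-00-0a-01     dynamic
"""

# Constructed sample: "show glbp brief" while R1 and R2 cannot authenticate
# each other (Examples 8-71 and 8-72): both claim the AVG and both forwarders.
BROKEN = {
    "R1": """\
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    150  Active   10.1.1.62       local           unknown
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -
""",
    "R2": """\
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    100  Active   10.1.1.62       local           unknown
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -
""",
}

# Constructed sample: the same routers after the fix (Examples 8-75 and 8-76).
HEALTHY = {
    "R1": """\
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    150  Active   10.1.1.62       local           10.1.1.2
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Listen   0007.b400.0a02  10.1.1.2        -
""",
    "R2": """\
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    100  Standby  10.1.1.62       10.1.1.1        local
Gi0/0       10   1    -    Listen   0007.b400.0a01  10.1.1.1        -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -
""",
}


def normalize_mac(mac):
    """12 lowercase hex digits from either 00-07-b4-00-0a-01 or 0007.b400.0a01."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def decode_glbp_vmac(mac):
    """(group, forwarder) from a GLBP virtual MAC 0007.b400.xxyy, else None."""
    digits = normalize_mac(mac)
    if not digits.startswith("0007b400"):
        return None
    return int(digits[8:10], 16), int(digits[10:12], 16)


def parse_arp_a(text):
    """Map IP address -> normalized MAC from Windows 'arp -a' output."""
    cache = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s", line)
        if m:
            cache[m.group(1)] = normalize_mac(m.group(2))
    return cache


def parse_glbp_brief(text):
    """Rows of 'show glbp brief'. Fwd '-' marks the group's AVG row; numbered
    rows are the individual forwarders (column layout assumed)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:      # the header line has ten tokens, skip it
            continue
        rows.append({"group": int(parts[1]),
                     "fwd": None if parts[2] == "-" else int(parts[2]),
                     "state": parts[4], "address": parts[5]})
    return rows


def client_forwarder(arp_text, briefs, virtual_ip, group):
    """(forwarder, router) if the MAC the client learned for the virtual IP is
    one a router reports as an Active forwarder of the group; else None."""
    mac = parse_arp_a(arp_text).get(virtual_ip)
    decoded = decode_glbp_vmac(mac) if mac else None
    if decoded is None or decoded[0] != group:
        return None
    for router, text in briefs.items():
        for row in parse_glbp_brief(text):
            if (row["group"] == group and row["fwd"] is not None
                    and row["state"] == "Active"
                    and normalize_mac(row["address"]) == mac):
                return decoded[1], router
    return None


def find_conflicts(briefs, group):
    """Routers that each claim Active AVG, and forwarder MACs that more than one
    router reports Active on itself: the Trouble Ticket 8-6 symptom."""
    avg_claimants, forwarders = [], {}
    for router, text in briefs.items():
        for row in parse_glbp_brief(text):
            if row["group"] != group or row["state"] != "Active":
                continue
            if row["fwd"] is None:
                avg_claimants.append(router)
            else:
                forwarders.setdefault(normalize_mac(row["address"]), []).append(router)
    return {"avg": avg_claimants if len(avg_claimants) > 1 else [],
            "forwarders": {m: r for m, r in forwarders.items() if len(r) > 1}}
```

Run against the healthy outputs, client_forwarder reports that Workstation A's gateway MAC is forwarder 1 on R1 and find_conflicts returns nothing; run against the Trouble Ticket 8-6 outputs, it lists R1 and R2 as both claiming the AVG and both forwarder MACs, which is the cue to compare the two routers' show glbp output for the mismatch.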

You then ask the junior admin, "Why would they both consider themselves as the AVG and AVFs?" The junior admin replies, "They don't know each other is on the LAN and participating in GLBP group 10." You grin and state, "That is correct. Now find out why!" The junior admin issues the command show glbp on R1 and R2, as displayed in Examples 8-73 and 8-74, and reviews them hoping to spot the difference. Do you see it?

Example 8-73 Output of show glbp on R1
R1#show glbp
GigabitEthernet0/0 - Group 10
  State is Active
    8 state changes, last state change 00:23:29
  Virtual IP address is 10.1.1.62
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.288 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Authentication text, string "TSHOOT"
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is unknown
  Priority 150 (configured)
  ...output omitted...

Example 8-74 Output of show glbp on R2
R2#show glbp
GigabitEthernet0/0 - Group 10
  State is Active
    3 state changes, last state change 00:21:32
  Virtual IP address is 10.1.1.62
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.592 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Authentication MD5, key-string
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is unknown
  Priority 100 (default)
  ...output omitted...

At this point, the junior admin spots the difference. The virtual IP is the same at 10.1.1.62. The timers are the same, although they do not have to be, as long as they do not cause flapping neighbor relationships. They are both using authentication, but the type of authentication does not match. R1 is using plain-text GLBP authentication, and R2 is using message digest 5 (MD5) GLBP authentication. The output confirms that both R1 and R2 are the AVG for group 10 because it states "State is Active" near the top. Therefore, they know each other is there, but because they cannot

authenticate each other, they consider each other to be rogue GLBP devices and will not accept the GLBP information from each other. Your security policy states to use MD5 authentication, so you change R1 with the command glbp 10 authentication md5 key-string TSHOOT in interface configuration mode. You then check the output of show glbp brief on R1 and R2, as shown in Examples 8-75 and 8-76, to verify whether the output has changed. It has. R1 is the AVG and the AVF for the first MAC, and R2 is standby and the AVF for the second MAC.

Example 8-75 Output of show glbp brief on R1
R1#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    150  Active   10.1.1.62       local           10.1.1.2
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Listen   0007.b400.0a02  10.1.1.2        -

Example 8-76 Output of show glbp brief on R2
R2#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    100  Standby  10.1.1.62       10.1.1.1        local
Gi0/0       10   1    -    Listen   0007.b400.0a01  10.1.1.1        -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -

Trouble Ticket 8-7
Problem: The uplink has failed between R2 and the core. However, R2 is still the AVF for MAC 0007.b400.0a02 when it should be R1.

Let's shoot from the hip this time! Brainstorm: Uplink failed + R2 still AVF when it should not be = object tracking and weight issue? Let's use the show glbp command to see what the weight of R2 is and whether object tracking is enabled. Example 8-77 displays the output of show glbp on R2, and it clearly indicates that we are tracking object 1, which is down, and that when it is down, the weighting will be decremented by 20, which it has been, because the configured weight is 100 and the current weight is 80. However, R2's weighting still has not passed the lower threshold. Therefore, it will still be the AVF for the MAC address assigned to it by the AVG.

Example 8-77 Output of show glbp on R2
R2#show glbp
GigabitEthernet0/0 - Group 10
  State is Standby
    10 state changes, last state change 00:20:58
  Virtual IP address is 10.1.1.62

  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.736 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Authentication MD5, key-string
  Preemption enabled, min delay 0 sec
  Active is 10.1.1.1, priority 150 (expires in 8.480 sec)
  Standby is local
  Priority 100 (default)
  Weighting 80 (configured 100), thresholds: lower 80, upper 100
    Track object 1 state Down decrement 20
  Load balancing: weighted
  ...output omitted...

To solve this problem, you need to modify the glbp 10 weighting track 1 command so that the decrement is greater than 20 (for example, glbp 10 weighting track 1 decrement 21). When you do so, R1 will be the AVF for both MACs. On R1, you can confirm this with the show glbp brief command, as shown in Example 8-78.

Example 8-78 Output of show glbp brief on R1
R1#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    150  Active   10.1.1.62       local           10.1.1.2
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -

Comparing HSRP, VRRP, and GLBP
As you have witnessed in this chapter, HSRP, VRRP, and GLBP are very similar. The output provided by the show commands is similar as well, making them easy to troubleshoot for most. It is important to note that the issues will be similar with these FHRPs. However, although HSRP, VRRP, and GLBP have commonalities, it is important for you as a troubleshooter to understand the differences to make sure that you are troubleshooting as efficiently as possible. Table 8-2 compares several characteristics of these FHRPs.

Table 8-2 Comparing HSRP, VRRP, and GLBP

Characteristic                               HSRP                   VRRP             GLBP
Cisco proprietary.                           Yes                    No               Yes
Interface IP address can act as virtual      No                     Yes              No
  IP address.
More than one router in a group can          No                     No               Yes
  simultaneously forward traffic for
  that group.
Hello timer default value.                   3 seconds              1 second         3 seconds
Hold timer default value.                    10 seconds             3 seconds        10 seconds
Preemption enabled by default.               No                     Yes              No for AVG,
                                                                                     Yes for AVFs
Default priority.                            100                    100              100
Default weight.                              —                      —                100
Authentication supported.                    Yes                    Yes              Yes
Multicast address.                           224.0.0.2 (v1)         224.0.0.18       224.0.0.102
                                             224.0.0.102 (v2)
Virtual MAC address.                         V1: 0000.0c07.acxx     0000.5e00.01xx   0007.b400.xxyy
                                             V2: 0000.0c9f.fxxx                      (xx = group number)
                                                                                     (yy = AVF)
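Trouble Ticket 8-7 turns on the arithmetic of GLBP weighting: the decrement has to take the weight below the lower threshold, not merely down to it. The following Python is an added example, not code from the book or from Cisco. It parses the weighting lines of show glbp (copied from Example 8-77 as a constructed sample), recomputes the weight from the tracked objects, decides whether the router keeps or regains the forwarder role, and computes the smallest decrement that makes a single tracked failure cross the lower threshold, which is how the "decrement 21" fix is arrived at. The hysteresis rule it applies (a forwarder gives up the role once its weight drops below the lower threshold and resumes only once the weight reaches the upper threshold) is an assumption stated in the code; confirm it against your IOS release.

```python
import re

# Constructed sample: the weighting lines of "show glbp" on R2, copied from
# Example 8-77 (uplink down, tracked object 1 Down, decrement 20).
SHOW_GLBP_R2 = """\
  Priority 100 (default)
  Weighting 80 (configured 100), thresholds: lower 80, upper 100
    Track object 1 state Down decrement 20
  Load balancing: weighted
"""


def parse_weighting(text):
    """Current/configured weight, both thresholds and every tracked object from
    'show glbp' output (line formats assumed from Example 8-77)."""
    m = re.search(r"Weighting\s+(\d+)\s+\(configured\s+(\d+)\),\s*thresholds:"
                  r"\s*lower\s+(\d+),\s*upper\s+(\d+)", text)
    if m is None:
        raise ValueError("no weighting line in output")
    current, configured, lower, upper = (int(x) for x in m.groups())
    tracks = [{"object": int(o), "state": s, "decrement": int(d)}
              for o, s, d in re.findall(
                  r"Track object\s+(\d+)\s+state\s+(\w+)\s+decrement\s+(\d+)", text)]
    return {"current": current, "configured": configured,
            "lower": lower, "upper": upper, "tracks": tracks}


def forwarding_state(configured, lower, upper, tracks, was_forwarding=True):
    """Return (weight, is_forwarder). Weight is the configured value minus the
    decrement of every tracked object that is Down. Hysteresis rule (assumed):
    a router that is forwarding keeps the role until the weight falls below
    the lower threshold; one that is not forwarding takes it back only once
    the weight reaches the upper threshold."""
    weight = configured - sum(t["decrement"] for t in tracks if t["state"] == "Down")
    if was_forwarding:
        return weight, weight >= lower
    return weight, weight >= upper


def evaluate(text, was_forwarding=True):
    """Parse 'show glbp' text and return (weight, is_forwarder)."""
    w = parse_weighting(text)
    return forwarding_state(w["configured"], w["lower"], w["upper"],
                            w["tracks"], was_forwarding)


def weight_matches_ios(text):
    """True when the recomputed weight equals the one IOS printed, i.e. the
    tracked objects shown fully explain the current weight."""
    w = parse_weighting(text)
    weight, _ = forwarding_state(w["configured"], w["lower"], w["upper"], w["tracks"])
    return weight == w["current"]


def minimum_decrement(configured, lower, other_down_decrements=0):
    """Smallest decrement for one tracked object such that its failure alone
    (on top of decrements already applied) drops the weight below 'lower'."""
    return configured - other_down_decrements - lower + 1


def with_decrement(text, obj, decrement):
    """Copy of the output with tracked object 'obj' given a new decrement, to
    model the effect of 'glbp 10 weighting track 1 decrement 21'."""
    return re.sub(r"(Track object\s+%d\s+state\s+\w+\s+decrement\s+)\d+" % obj,
                  r"\g<1>%d" % decrement, text)
```

With the chapter's numbers, evaluate returns a weight of 80 and still-forwarding, the symptom of the ticket; the same output with the decrement raised to 21 yields 79 and not-forwarding, and once the tracked interface comes back up the weight returns to 100, which reaches the upper threshold, so the router can take the forwarder role back.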

Exam Preparation Tasks
As mentioned in the section "How to Use This Book" in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, "Final Preparation," and the exam simulation questions on the CD-ROM.

Review All Key Topics
Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 8-3 lists a reference of these key topics and the page numbers on which each is found.

Table 8-3 Key Topics for Chapter 8

Key Topic Element   Description                                                          Page Number
Paragraph           Describes how to configure an HSRP group and explains priority       291
                    and preempt
List                Identifies HSRP parameters that should be verified while             292
                    troubleshooting HSRP issues
Example 8-3         show standby brief command output on Router R1                       292
Figure 8-2          HSRPv1 virtual MAC address                                           293
Section             Interface tracking                                                   293
Section             Verifying first hop                                                  294
Section             Reviewing VRRP                                                       306
List                Identifies VRRP parameters that should be verified while             308
                    troubleshooting issues
Example 8-36        show vrrp brief command output on router SW1                         308
Figure 8-5          VRRP virtual MAC address                                             309
Section             Object tracking                                                      309
Section             Verifying first hop                                                  310
Section             Reviewing GLBP                                                       319
List                Identifies GLBP parameters that should be verified while             321
                    troubleshooting HSRP issues
Example 8-62        show glbp brief command output on router SW1                         321
Figure 8-9          GLBP virtual MAC address                                             323
Section             GLBP object tracking                                                 323
Section             Verifying GLBP first hop                                             325
Table 8-2           Comparing HSRP, VRRP, and GLBP                                       330

Complete Tables and Lists from Memory
Print a copy of Appendix C, "Memory Tables" (found on the disc), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, "Memory Tables Answer Key," also on the disc, includes completed tables and lists to check your work.

Define Key Terms
Define the following key terms from this chapter and check your answers in the glossary:
HSRP, virtual router, active forwarder, standby router, interface tracking, preempt, priority, virtual MAC address, VRRP, virtual master router, virtual router backup, object tracking, GLBP, AVG, AVF, weighting

Command Reference to Check Your Memory
This section includes the most important show commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed.

To test your memory of the commands, cover the right side of Table 8-4 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.

The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to troubleshoot issues related to the topics covered in this chapter.

Table 8-4 show commands

Task                                                                   Command Syntax
Displays a summary of the HSRP standby group configuration on a        show standby brief
  switch or router
Displays details of the HSRP standby group configuration on a          show standby interface_type interface_number
  switch or router, including timers and tracked interfaces or
  objects
Displays the commands configured on a router or switch interface       show run interface interface_type interface_number
Displays a summary of the VRRP group configuration on a switch or      show vrrp brief
  router
Displays details of the VRRP group configuration on a switch or        show vrrp interface_type interface_number
  router, including timers and tracked objects
Displays the tracking objects configured on the router or switch       show track
Displays a summary of the GLBP group configuration on a switch or      show glbp brief
  router
Displays details of the GLBP group configuration on a router,          show glbp interface_type interface_number
  including timers, who the AVG is, who the AVFs are, in addition
  to tracked objects

This chapter covers the following topics:

■ Troubleshooting IPv4 Addressing: This section focuses on how you can verify that devices are addressed correctly in the network during your troubleshooting process.

■ Troubleshooting DHCP for IPv4: This section reviews the DHCP for IPv4 operations and identifies how you can successfully troubleshoot DHCP related issues.

■ Troubleshooting NAT: This section explains the reasons why NAT may not be translating addresses and how to recognize them.

■ IPv4 Addressing and Addressing Technologies Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.

it is being done at a slow pace. Therefore, most networks are still relying on IPv4. As a troubleshooter, you need the skills necessary to successfully identify issues related to improper IPv4 addressing on devices. It might be a bad address, subnet mask, or even the address of the default gateway.

Typically, when deploying IPv4 addresses, Dynamic Host Configuration Protocol (DHCP) will be used so that they can be dynamically assigned. Issues may arise that prevent a device from successfully obtaining an IPv4 address from the DHCP server. Therefore, you need a solid understanding of how DHCP operates and how to identify the issues that would prevent a client from obtaining an IP address from a DHCP server.

Because RFC 1918 addresses are not routable on the Internet,

DHCP for IPv4-related issues.

read the entire chapter. Table 9-1 lists the major headings in this chapter and their corresponding "Do I Know This Already?" quiz questions.

Table 9-1 "Do I Know This Already?" Section-to-Question Mapping

Foundation Topics Section            Questions
Troubleshooting IPv4 Addressing      1–4
Troubleshooting DHCP for IPv4        5–7
Troubleshooting NAT                  8–10