
CCNP Routing and
Switching TSHOOT 300-135
Official Cert Guide

Raymond Lacoste
CCSI/CCNP
Kevin Wallace
CCIE No. 7945

Cisco Press
800 East 96th Street

Indianapolis, IN 46240


ii CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide

CCNP Routing and Switching TSHOOT 300-135
Official Cert Guide
Raymond Lacoste, CCSI/CCNP

Kevin Wallace, CCIE No. 7945

Copyright© 2015 Pearson Education, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage and retrieval
system, without written permission from the publisher, except for the inclusion of brief quotations in a
review.

Printed in the United States of America

First Printing December 2014

Library of Congress Control Number: 2014950275

ISBN-10: 1-58720-561-0

ISBN-13: 978-1-58720-561-3

Warning and Disclaimer
This book is designed to provide information about the 300-135 Troubleshooting and Maintaining Cisco
IP Networks (TSHOOT) exam for the CCNP Routing and Switching certification. Every effort has been
made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall
have neither liability nor responsibility to any person or entity with respect to any loss or damages
arising from the information contained in this book or from the use of the discs or programs that may
accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems,
Inc.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information.
Use of a term in this book should not be regarded as affecting the validity of any trademark or service
mark.


Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may
include electronic versions; custom cover designs; and content particular to your business, training goals,
marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.

For government sales inquiries, please contact governmentsales@pearsoned.com.

For questions about sales outside the U.S., please contact international@pearsoned.com.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book
is crafted with care and precision, undergoing rigorous development that involves the unique expertise
of members from the professional technical community.

Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we
could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us
through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your
message.

We greatly appreciate your assistance.
Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Business Operation Manager, Cisco Press: Jan Cornelssen
Executive Editor: Brett Bartow
Managing Editor: Sandra Schroeder
Development Editor: Ellie Bru
Project Editor: Mandie Frank
Copy Editor: Keith Cline
Technical Editors: Ryan Lindfield, Diane Teare
Team Coordinator: Vanessa Evans
Designer: Mark Shirar
Composition: Tricia Bronkella
Indexer: Lisa Stumpf
Proofreader: The WordSmithery LLC


About the Authors
Raymond Lacoste is a Cisco Certified Systems Instructor (CCSI) who has dedicated his
IT career to teaching others. Starting out as a mentor at Skillsoft, he helped students with
their studies, explaining various Cisco, Microsoft, and industry-related concepts in ways
that improved the students' understanding. Now he spends his days at Skillsoft teaching
the CCNA and CCNP Routing and Switching certification track. He has taught over 300
Cisco classes in addition to the countless practice labs, demonstrations, hands-on labs,
and student guides he has developed. However, it is not just about teaching, it is also
about learning. To date, Raymond has passed more than 100 IT certification exams as he
continues to keep his learning and knowledge up-to-date. His certification wall includes
various Cisco certifications, Microsoft certifications, CompTIA certifications, and the
ISC2 CISSP (Certified Information Systems Security Professional) designation. He was
also awarded the Cisco Sirius Top Quality Instructor award. His next goal is to achieve
the CCIE designation in Routing and Switching. Raymond lives in Atlantic, Canada, with
his wife, Melanie, and two children.

Kevin Wallace, CCIEx2 (Collaboration and R/S) #7945, CCSI #20061: With Cisco
experience dating back to 1989, Kevin has been a network design specialist for the Walt
Disney World Resort, an instructor of Cisco courses for Skillsoft, and a network manager for Eastern Kentucky University.

Kevin currently produces video courses and writes books for Cisco Press/Pearson IT
Certification (http://kwtrain.com/books), and he lives in central Kentucky with his wife
(Vivian) and two daughters (Stacie and Sabrina).

Kevin can be followed on these social media platforms.

Blog: http://kwtrain.com

Twitter: http://twitter.com/kwallaceccie

Facebook: http://facebook.com/kwallaceccie

YouTube: http://youtube.com/kwallaceccie

LinkedIn: http://linkedin.com/in/kwallaceccie

Google+: http://google.com/+KevinWallace


About the Technical Reviewers
Ryan Lindfield is an instructor and technical consultant with Stormwind. On a typical day he’s broadcasting official Cisco training from a video studio. When not in the
virtual classroom, he can be found supporting customer networks. Ryan has nearly
20 years of technical consulting experience, and over a decade in the classroom. He
has delivered training for network, security, and data center technologies around the
world. Certifications include: CCNP Routing & Switching, CCNP Security, HP Master
Accredited Systems Engineer, VMware VCP, CEH, CISSP, SANS GFCA, CISSP, ECSA,
CHFI, CPTE, CPTC, OSWP, and many Microsoft and CompTIA certifications. Ryan
leads a 150 member Defcon user group in Tampa, FL, and has given presentations for
ISC2 and B-Sides computer security events.

Diane Teare, P.Eng, CCNP, CCDP, CCSI, PMP, is a professional in the networking,
training, project management, and e-learning fields. She has more than 25 years of
experience in designing, implementing, and troubleshooting network hardware and software, and has been involved in teaching, course design, and project management. She
has extensive knowledge of network design and routing technologies. Diane is a Cisco
Certified Systems Instructor (CCSI), and holds her Cisco Certified Network Professional
(CCNP), Cisco Certified Design Professional (CCDP), and Project Management
Professional (PMP) certifications. She is an instructor, and the Course Director for the
CCNA and CCNP Routing and Switching curriculum, with one of the largest authorized
Cisco Learning Partners. She was the director of e-learning for the same company, where
she was responsible for planning and supporting all the company’s e-learning offerings in
Canada, including Cisco courses. Diane has a Bachelor’s degree in applied science in electrical engineering and a Master’s degree in applied science in management science. She
authored or co-authored the following Cisco Press titles: the first and second editions
of Implementing Cisco IP Routing (ROUTE); the second edition of Designing Cisco
Network Service Architectures (ARCH); Campus Network Design Fundamentals; the
three editions of Authorized Self-Study Guide Building Scalable Cisco Internetworks
(BSCI); and Building Scalable Cisco Networks. Diane edited the first two editions
of the Authorized Self-Study Guide Designing for Cisco Internetwork Solutions
(DESGN), and also edited Designing Cisco Networks.


Dedications
This book is dedicated to two very special people who supported me in my early years
of IT, without whom this book would not have been possible. I will forever be grateful
for the opportunity you gave me so many years ago to pursue my career. Thank you!

Raymond Lacoste


Acknowledgments
A big thank you to my wife for encouraging me to write this book and supporting me
over the months that it took to complete it. Great big hugs to my two wonderful children, ages 9 and 5, who had no idea why Daddy was always sitting at the computer; for
some strange reason, though, they knew that it was important and supported me in their
own mysterious ways. I love you guys!

An equally big thank you to my parents, without whom I would not be where I am or
who I am today, and to my sister, Terry-Anne, who always kicked me in the right direction.

Thanks to Dan Young, my mentor and the Director of Live Learning at Skillsoft, for all
the support and encouragement you have provided me all these years.

I’d like to thank Ellie Bru, my Development Editor, for organizing and putting into
action all the parts needed to develop this book (definitely not an easy task).

Thank you to Mandie Frank, my Production Editor, for putting all the final pieces of
this book together so nicely and making sure that it resembles a book.

Thank you to Diane Teare and Ryan Lindfield for reviewing the book and making sure
it’s technically sound.

Keith Cline, thank you for making sure all i’s were “crossed” and t’s “dotted” within the
book. (HaHaHa) You found some items in this book that I didn’t even know existed.
Thank you!

Thank you to Brett Bartow, my Executive Editor, for giving me the opportunity to write
this detailed book.

A big thank you to Kevin Wallace, the author of the previous edition of TSHOOT and a
friend, who passed the torch on to me for this edition. Thank you.

Lastly, thank you to the entire team at Cisco Press, their families and friends, who work
extremely hard to produce high-quality training materials.

—Raymond Lacoste


Contents at a Glance
Introduction xxx

Part I Fundamental Troubleshooting and Maintenance Concepts
Chapter 1 Introduction to Troubleshooting and Network Maintenance 3

Chapter 2 Troubleshooting and Maintenance Tools 41

Chapter 3 Troubleshooting Device Performance 93

Part II Troubleshooting Cisco Catalyst Switch Features
Chapter 4 Troubleshooting Layer 2 Trunks, VTP, and VLANs 129

Chapter 5 Troubleshooting STP and Layer 2 EtherChannel 169

Chapter 6 Troubleshooting Inter-VLAN Routing and Layer 3 EtherChannels 209

Chapter 7 Troubleshooting Switch Security Features 247

Chapter 8 Troubleshooting First-Hop Redundancy Protocols 287

Part III Troubleshooting Router Features
Chapter 9 Troubleshooting IPv4 Addressing and Addressing Technologies 335

Chapter 10 Troubleshooting IPv6 Addressing and Addressing Technologies 367

Chapter 11 Troubleshooting IPv4 and IPv6 ACLs and Prefix Lists 397

Chapter 12 Troubleshooting Basic IPv4/IPv6 Routing and GRE Tunnels 423

Chapter 13 Troubleshooting RIPv2 and RIPng 463

Chapter 14 Troubleshooting EIGRP 513

Chapter 15 Troubleshooting OSPF 587

Chapter 16 Troubleshooting Route Maps and Policy-Based Routing 675

Chapter 17 Troubleshooting Redistribution 697

Chapter 18 Troubleshooting BGP 749

Part IV Troubleshooting Management
Chapter 19 Troubleshooting Management Protocols and Tools 815

Chapter 20 Troubleshooting Management Access 851


Part V Final Preparation
Chapter 21 Additional Trouble Tickets 871

Chapter 22 Final Preparation 943

Part VI Appendixes
Appendix A Answers to the “Do I Know This Already” Quizzes 951

Appendix B TSHOOT Exam Updates 957

Index 960

CD-Only Appendixes and Glossary
Appendix C Memory Tables

Appendix D Memory Tables Answer Key

Appendix E Study Planner

Glossary


Contents
Introduction xxx

Part I Fundamental Troubleshooting and Maintenance Concepts

Chapter 1 Introduction to Troubleshooting and Network Maintenance 3
“Do I Know This Already?” Quiz 3
Foundation Topics 9
Introduction to Troubleshooting 9
Defining Troubleshooting 9
The Value of Structured Troubleshooting 11
A Structured Approach 13
1. Problem Report 13
2. Collect Information 14
3. Examine Collected Information 15
4. Eliminate Potential Causes 16
5. Propose an Hypothesis 17
6. Verify Hypothesis 18
7. Problem Resolution 19
Popular Troubleshooting Methods 20
The Top-Down Method 21
The Bottom-Up Method 21
The Divide-and-Conquer Method 22
The Following the Traffic Path Method 23
The Comparing Configurations Method 23
The Component Swapping Method 24
Practice Exercise: Selecting a Troubleshooting Approach 25
Introduction to Network Maintenance 26
Defining Network Maintenance 26
Proactive Versus Reactive Network Maintenance 27
Well-Known Network Maintenance Models 28
Example of Adapting a Network Maintenance Model 28
Common Maintenance Procedures 29
Routine Maintenance Tasks 29
Scheduled Maintenance 30
Managing Network Changes 30
Maintaining Network Documentation 32


Restoring Operations After a Failure 33
Measuring Network Performance 34
The Troubleshooting and Network Maintenance Relationship 34
Maintaining Current Network Documentation 35
Establishing a Baseline 36
Communication 36
Change Management 37
Exam Preparation Tasks 39
Review All Key Topics 39
Define Key Terms 39

Chapter 2 Troubleshooting and Maintenance Tools 41
“Do I Know This Already?” Quiz 41
Foundation Topics 45
The Troubleshooting and Network Maintenance Toolkit 45
Network Documentation Tools 46
Basic Tools 47
CLI Tools 47
GUI Tools 48
Recovery Tools 48
Logging Tools 53
Network Time Protocol as a Tool 56
Advanced Tools 57
Overview of SNMP and NetFlow 57
Creating a Baseline with SNMP and NetFlow 58
SNMP 58
NetFlow 59
Cisco Support Tools 64
Using Cisco IOS to Verify and Define the Problem 64
Ping 64
Telnet 67
Traceroute 67
Using Cisco IOS to Collect Information 68
Filtering the Output of show Commands 69
Redirecting show Command Output to a File 73
Troubleshooting Hardware 74


Collecting Information in Transit 75
Performing Packet Captures 75
SPAN 76
RSPAN 78
Using Tools to Document a Network 80
Exam Preparation Tasks 85
Review All Key Topics 85
Define Key Terms 86
Complete Tables and Lists from Memory 86
Command Reference to Check Your Memory 86

Chapter 3 Troubleshooting Device Performance 93
“Do I Know This Already?” Quiz 93
Foundation Topics 96
Troubleshooting Switch Performance Issues 96
Cisco Catalyst Switch Troubleshooting Targets 96
TCAM Troubleshooting 101
High CPU Utilization Troubleshooting on a Switch 105
Troubleshooting Router Performance Issues 106
Excessive CPU Utilization 107
Understanding Packet-Switching Modes (Routers and Multilayer
Switches) 113
Troubleshooting Packet-Switching Modes 116
Excessive Memory Utilization 121
Exam Preparation Tasks 124
Review All Key Topics 124
Define Key Terms 124
Complete Tables and Lists from Memory 125
Command Reference to Check Your Memory 125

Part II Troubleshooting Cisco Catalyst Switch Features

Chapter 4 Troubleshooting Layer 2 Trunks, VTP, and VLANs 129
“Do I Know This Already?” Quiz 129
Foundation Topics 132
Frame-Forwarding Process 132
Troubleshooting Trunks 140
Encapsulation Mismatch 141
Incompatible Trunking Modes 143


VTP Domain Name Mismatch 146
Native VLAN Mismatch 146
Allowed VLANs 147
Troubleshooting VTP 148
Domain Name Mismatch 148
Version Mismatch 149
Mode Mismatch 149
Password Mismatch 151
Higher Revision Number 151
Troubleshooting VLANs 152
Incorrect IP Addressing 152
Missing VLAN 153
Incorrect Port Assignment 154
The MAC Address Table 155
Layer 2 Trouble Tickets 157
Trouble Ticket 4-1 158
Trouble Ticket 4-2 160
Exam Preparation Tasks 165
Review All Key Topics 165
Define Key Terms 165
Complete Tables and Lists from Memory 166
Command Reference to Check Your Memory 166

Chapter 5 Troubleshooting STP and Layer 2 EtherChannel 169
“Do I Know This Already?” Quiz 169
Foundation Topics 172
Spanning Tree Protocol Overview 172
Reviewing STP Operation 173
Determining Root Port 175
Determining Designated Port 176
Determining Nondesignated Port 176
Collecting Information About an STP Topology 177
Gathering STP Information 177
Gathering MSTP Information 179
STP Troubleshooting Issues 180
Corruption of a Switch’s MAC Address Table 180
Broadcast Storms 181


Troubleshooting STP Features 182
PortFast 183
BPDU Guard 184
BPDU Filter 187
Root Guard 189
Loop Guard 190
STP Trouble Tickets 190
Trouble Ticket 5-1 191
Trouble Ticket 5-2 194
Trouble Ticket 5-3 196
Troubleshooting Layer 2 EtherChannel 199
Reviewing Layer 2 EtherChannel 199
EtherChannel Trouble Tickets 200
Trouble Ticket 5-4 201
Trouble Ticket 5-5 204
Exam Preparation Tasks 206
Review All Key Topics 206
Define Key Terms 206
Complete Tables and Lists from Memory 207
Command Reference to Check Your Memory 207

Chapter 6 Troubleshooting Inter-VLAN Routing and Layer 3 EtherChannels 209
“Do I Know This Already?” Quiz 209
Foundation Topics 212
Troubleshooting a Router-on-a-Trunk/Stick 212
Router-on-a-Trunk/Stick Trouble Tickets 213
Trouble Ticket 6-1 214
Trouble Ticket 6-2 218
Troubleshooting Switched Virtual Interfaces 221
Reviewing SVIs 221
Troubleshooting SVIs 223
SVI Trouble Tickets 224
Trouble Ticket 6-3 225
Trouble Ticket 6-4 230
Troubleshooting Routed Ports 233
Routed Ports Trouble Tickets 234
Trouble Ticket 6-5 235


Troubleshooting Layer 3 EtherChannel 237
Layer 3 EtherChannel Trouble Tickets 239
Trouble Ticket 6-6 240
Exam Preparation Tasks 244
Review All Key Topics 244
Define Key Terms 244
Complete Tables and Lists from Memory 245
Show Command Reference to Check Your Memory 245

Chapter 7 Troubleshooting Switch Security Features 247
“Do I Know This Already?” Quiz 247
Foundation Topics 250
Troubleshooting Port Security 250
Common Port Security Issues 250
Port Security Configured but Not Enabled 250
Static MAC Address Not Configured Correctly 251
Maximum Number of MAC Addresses Reached 253
Legitimate Users Being Blocked Because of Violation 254
Running Configuration Not Saved to Startup Configuration 260
Port Security Trouble Tickets 261
Trouble Ticket 7-1 261
Troubleshooting Spoof-Prevention Features 265
DHCP Snooping 265
Dynamic ARP Inspection 267
IP Source Guard 268
Spoof-Prevention Features Trouble Tickets 270
Trouble Ticket 7-2 270
Troubleshooting Access Control 273
Protected Ports 273
Private VLANs 275
VACLs 279
Exam Preparation Tasks 281
Review All Key Topics 281
Define Key Terms 282
Command Reference to Check Your Memory 282


Chapter 8 Troubleshooting First-Hop Redundancy Protocols 287
“Do I Know This Already?” Quiz 287
Foundation Topics 290
Troubleshooting HSRP 290
Reviewing HSRP 290
HSRP Converging After a Failure 291
HSRP Verification and Troubleshooting 292
Virtual Router MAC Address 293
Interface Tracking 293
Verifying First Hop 294
Debug 296
HSRP Trouble Tickets 297
Trouble Ticket 8-1 297
Trouble Ticket 8-2 300
Trouble Ticket 8-3 302
Troubleshooting VRRP 306
Reviewing VRRP 306
VRRP Verification and Troubleshooting 308
Virtual Router MAC Address 309
Object Tracking 309
Verifying First Hop 310
VRRP Trouble Tickets 312
Trouble Ticket 8-4 312
Trouble Ticket 8-5 315
Troubleshooting GLBP 318
Reviewing GLBP 319
GLBP Verification and Troubleshooting 321
Virtual Router MAC Addresses 323
GLBP Object Tracking 323
Verifying GLBP First Hop 325
GLBP Trouble Tickets 326
Trouble Ticket 8-6 327
Trouble Ticket 8-7 329
Comparing HSRP, VRRP, and GLBP 330
Exam Preparation Tasks 332
Review All Key Topics 332


Define Key Terms 333
Complete Tables and Lists from Memory 333
Command Reference to Check Your Memory 333

Part III Troubleshooting Router Features

Chapter 9 Troubleshooting IPv4 Addressing and Addressing Technologies 335
“Do I Know This Already?” Quiz 335
Foundation Topics 338
Troubleshooting IPv4 Addressing 338
IPv4 Addressing Issues 338
Determining IP Addresses Within a Subnet 341
Troubleshooting DHCP for IPv4 342
Reviewing DHCP Operations 342
Potential DHCP Troubleshooting Issues 347
DHCP Troubleshooting Commands 348
Troubleshooting NAT 350
Reviewing NAT 350
NAT Troubleshooting Issues 353
NAT Troubleshooting Commands 354
IPv4 Addressing and Addressing Technologies Trouble Tickets 356
Trouble Ticket 9-1 356
Trouble Ticket 9-2 358
Trouble Ticket 9-3 361
Exam Preparation Tasks 364
Review All Key Topics 364
Define Key Terms 365
Command Reference to Check Your Memory 365

Chapter 10 Troubleshooting IPv6 Addressing and Addressing Technologies 367
“Do I Know This Already?” Quiz 367
Foundation Topics 370
Troubleshooting IPv6 Addressing 370
IPv6 Addressing Review 370
Neighbor Solicitation and Neighbor Advertisement 370
EUI-64 373
Troubleshooting IPv6 Address Assignment 375
Stateless Address Autoconfiguration/SLAAC 375
Stateful DHCPv6 381


Stateless DHCPv6 382
DHCPv6 Operation 384
DHCPv6 Relay Agent 385
IPv6 Addressing Trouble Tickets 386
Trouble Ticket 10-1 386
Trouble Ticket 10-2 389
Exam Preparation Tasks 394
Review All Key Topics 394
Define Key Terms 395
Command Reference to Check Your Memory 395

Chapter 11 Troubleshooting IPv4 and IPv6 ACLs and Prefix Lists 397
“Do I Know This Already?” Quiz 397
Foundation Topics 401
Troubleshooting IPv4 ACLs 401
Reading an IPv4 ACL 401
Using an IPv4 ACL for Filtering 403
Using a Time-Based IPv4 ACL 403
IPv4 ACL Trouble Tickets 405
Trouble Ticket 11-1 405
Troubleshooting IPv6 ACLs 407
Reading an IPv6 ACL 408
Using an IPv6 ACL for Filtering 409
IPv6 ACL Trouble Tickets 410
Trouble Ticket 11-2 410
Troubleshooting Prefix Lists 414
Reading a Prefix List 414
Prefix List Processing 415
Prefix List Trouble Tickets 416
Trouble Ticket 11-3 417
Exam Preparation Tasks 419
Review All Key Topics 419
Define Key Terms 419
Command Reference to Check Your Memory 419


Chapter 12 Troubleshooting Basic IPv4/IPv6 Routing and GRE Tunnels 423
“Do I Know This Already?” Quiz 423
Foundation Topics 427
Packet-Forwarding Process 427
Reviewing Layer 3 Packet-Forwarding Process 427
Troubleshooting the Packet-Forwarding Process 431
Troubleshooting Routing Information Sources 435
Data Structures and the Routing Table 436
Sources of Route Information 436
Troubleshooting Static Routes 438
IPv4 Static Routes 439
IPv6 Static Routes 443
Static Routing Trouble Tickets 445
Trouble Ticket 12-1 445
Trouble Ticket 12-2 448
Troubleshooting GRE Tunnels 450
Exam Preparation Tasks 459
Review All Key Topics 459
Define Key Terms 460
Complete Tables and Lists from Memory 460
Command Reference to Check Your Memory 460

Chapter 13 Troubleshooting RIPv2 and RIPng 463
“Do I Know This Already?” Quiz 463
Foundation Topics 466
Troubleshooting RIPv2 466
Missing RIPv2 Routes 466
Interface Is Shut Down 469
Wrong Subnet 469
Bad or Missing Network Statement 470
Passive Interface 471
Wrong Version 473
Max Hop Count Exceeded 475
Authentication 477
Route Filtering 479
Split Horizon 480
Autosummarization 482
Better Source of Information 483


ACLs 485
Load Sharing 485
Other RIP Issues 486
Missing Default Route 486
Route Summarization 487
Troubleshooting RIPng 492
RIPv2 and RIPng Trouble Tickets 498
Trouble Ticket 13-1 498
Trouble Ticket 13-2 502
Trouble Ticket 13-3 506
Exam Preparation Tasks 509
Review All Key Topics 509
Define Key Terms 510
Command Reference to Check Your Memory 510

Chapter 14 Troubleshooting EIGRP 513
“Do I Know This Already?” Quiz 513
Foundation Topics 517
Troubleshooting EIGRP for IPv4 517
Troubleshooting EIGRP for IPv4 Neighbor Adjacencies 517
Interface Is Down 518
Mismatched Autonomous System Numbers 518
Incorrect Network Statement 520
Mismatched K Values 522
Passive Interface 523
Different Subnets 524
Authentication 525
ACLs 527
Timers 528
Troubleshooting EIGRP for IPv4 Routes 528
Bad or Missing Network Command 529
Better Source of Information 530
Route Filtering 534
Stub Configuration 535
Interface Is Shut Down 537
Split-horizon 537


Troubleshooting Miscellaneous EIGRP for IPv4 Issues 539
Feasible Successors 539
Discontiguous Networks and Autosummarization 542
Route Summarization 543
Load Balancing 544
EIGRP for IPv4 Trouble Tickets 546
Trouble Ticket 14-1 546
Trouble Ticket 14-2 553
Trouble Ticket 14-3 557
Troubleshooting EIGRP for IPv6 561
Troubleshooting EIGRP for IPv6 Neighbor Issues 561
Interface Is Down 561
Mismatched Autonomous System Numbers 562
Mismatched K Values 562
Passive Interfaces 562
Mismatched Authentication 562
Timers 563
Interface Not Participating in Routing Process 563
ACLs 564
Troubleshooting EIGRP for IPv6 Route 564
Interface Not Participating in Routing Process 564
Better Source of Information 565
Route Filtering 565
Stub Configuration 565
Split-horizon 566
EIGRP for IPv6 Trouble Tickets 567
Trouble Ticket 14-4 568
Troubleshooting Named EIGRP Configurations 572
Named EIGRP Verification Commands 573
Named EIGRP Trouble Tickets 577
Trouble Ticket 14-5 577
Exam Preparation Tasks 582
Review All Key Topics 582
Define Key Terms 583
Command Reference to Check Your Memory 583

Chapter 15 Troubleshooting OSPF 587
“Do I Know This Already?” Quiz 587
Foundation Topics 590
Troubleshooting OSPFv2 590
Troubleshooting OSPFv2 Neighbor Adjacencies 590
Interface Is Down 593
Interface Not Running the OSPF Process 593
Mismatched Timers 594
Mismatched Area Numbers 596
Mismatched Area Type 597
Different Subnets 598
Passive Interface 599
Mismatched Authentication Information 600
ACLs 601
MTU Mismatch 602
Duplicate Router IDs 603
Mismatched Network Types 604
Troubleshooting OSPFv2 Routes 606
Interface Not Running the OSPF Process 606
Better Source of Information 607
Route Filtering 611
Stub Area Configuration 613
Interface Is Shut Down 614
Wrong Designated Router Was Elected 615
Duplicate Router IDs 619
Troubleshooting Miscellaneous OSPFv2 Issues 620
Tracking OSPF Advertisements Through a Network 620
Route Summarization 622
Discontiguous Areas 624
Load Balancing 626
Default Route 627
OSPFv2 Trouble Tickets 627
Trouble Ticket 15-1 628
Trouble Ticket 15-2 635
Trouble Ticket 15-3 639
Troubleshooting OSPFv3 for IPv6 641
OSPFv3 Troubleshooting Commands 641

OSPFv3 Trouble Tickets 647
Trouble Ticket 15-4 647
Trouble Ticket 15-5 650
Troubleshoot OSPFv3 Address Families 655
OSPFv3 Address Family Troubleshooting 655
OSPFv3 AF Trouble Tickets 664
Trouble Ticket 15-6 665
Exam Preparation Tasks 669
Review All Key Topics 669
Define Key Terms 670
Complete Tables and Lists from Memory 670
Command Reference to Check Your Memory 671

Chapter 16 Troubleshooting Route Maps and Policy-Based Routing 675
“Do I Know This Already?” Quiz 675
Foundation Topics 678
Troubleshooting Route Maps 678
How to Read a Route Map 678
Troubleshooting Policy-Based Routing 681
PBR 681
Policy-Based Routing Trouble Tickets 684
Trouble Ticket 16-1 685
Trouble Ticket 16-2 689
Trouble Ticket 16-3 691
Exam Preparation Tasks 693
Review All Key Topics 693
Define Key Terms 693
Command Reference to Check Your Memory 693

Chapter 17 Troubleshooting Redistribution 697
“Do I Know This Already?” Quiz 697
Foundation Topics 700
Troubleshooting IPv4 and IPv6 Redistribution 700
Route Redistribution Overview 700
Troubleshooting Redistribution into RIP 703
Troubleshooting Redistribution into EIGRP 706
Troubleshooting Redistribution into OSPF 710
Troubleshooting Redistribution into BGP 715
Troubleshooting Redistribution with Route Maps 718

Redistribution Trouble Tickets 718
Trouble Ticket 17-1 719
Trouble Ticket 17-2 723
Trouble Ticket 17-3 727
Trouble Ticket 17-4 733
Troubleshooting Advanced Redistribution Issues 737
Troubleshooting Suboptimal Routing Caused by Redistribution 737
Troubleshooting Routing Loops Caused by Redistribution 739
Exam Preparation Tasks 745
Review All Key Topics 745
Define Key Terms 745
Command Reference to Check Your Memory 746

Chapter 18 Troubleshooting BGP 749
“Do I Know This Already?” Quiz 749
Foundation Topics 753
Troubleshooting BGP Neighbor Adjacencies 753
Interface Is Down 754
Layer 3 Connectivity Is Broken 754
Path to Neighbor Is via Default Route 755
Neighbor Does Not Have a Route to the Local Router 756
Incorrect neighbor Statement 757
BGP Packets Sourced from Wrong IP Address 758
ACLs 759
TTL of BGP Packet Expires 761
Mismatched Authentication 763
Misconfigured Peer Groups 764
Timers 765
Troubleshooting BGP Routes 766
Missing or Bad network mask Command 768
Next-Hop Router Not Reachable 770
BGP Split-Horizon Rule 772
Better Source of Information 773
Route Filtering 775
Troubleshooting BGP Path Selection 780
Understanding the Best Path Decision-Making Process 781
Private Autonomous System Numbers 784
Using debug Commands 784

Troubleshooting BGP for IPv6 786
BGP Trouble Tickets 790
Trouble Ticket 18-1 791
Trouble Ticket 18-2 796
Trouble Ticket 18-3 802
MP-BGP Trouble Tickets 807
Trouble Ticket 18-4 807
Exam Preparation Tasks 810
Review All Key Topics 810
Define Key Terms 811
Command Reference to Check Your Memory 811

Part IV Troubleshooting Management

Chapter 19 Troubleshooting Management Protocols and Tools 815
“Do I Know This Already?” Quiz 815
Foundation Topics 818
Management Protocols Troubleshooting 818
NTP Troubleshooting 818
Syslog Troubleshooting 821
SNMP Troubleshooting 823
Management Tools Troubleshooting 826
Cisco IOS IPSLA Troubleshooting 827
Object Tracking Troubleshooting 833
SPAN and RSPAN Troubleshooting 835
Management Protocols and Tools Trouble Tickets 837
Trouble Ticket 19-1 838
Exam Preparation Tasks 845
Review All Key Topics 845
Define Key Terms 846
Command Reference to Check Your Memory 846

Chapter 20 Troubleshooting Management Access 851
“Do I Know This Already?” Quiz 851
Foundation Topics 854
Console and vty Access Troubleshooting 854
Console Access Troubleshooting 854

vty Access Troubleshooting 855
Telnet 855
SSH 857
Password Encryption Levels 858
Cisco IOS AAA Troubleshooting 858
Management Access Trouble Tickets 861
Trouble Ticket 20-1 862
Trouble Ticket 20-2 863
Trouble Ticket 20-3 865
Exam Preparation Tasks 868
Review All Key Topics 868
Define Key Terms 868
Command Reference to Check Your Memory 868

Part V Final Preparation

Chapter 21 Additional Trouble Tickets 871
Introduction 871
Trouble Ticket 1 872
Suggested Solution 875
Trouble Ticket 2 876
Suggested Solution 879
Trouble Ticket 3 880
Suggested Solution 882
Trouble Ticket 4 884
Issue 1: Suggested Solution 891
Issue 2: Suggested Solution 897
Issue 3: Suggested Solution 897
Issue 4: Suggested Solution 898
Trouble Ticket 5 901
Suggested Solution 907
Trouble Ticket 6 910
Suggested Solution 916
Trouble Ticket 7 918
Issue 1: Forgotten Enable Secret Password 919
Issue 1: Suggested Solution 919

    Issue 2: An exec-timeout Parameter Set Too Low 921
    Issue 2: Suggested Solution 921
    Issue 3: ACL Misconfiguration 922
    Issue 3: Suggested Solution 922
  Trouble Ticket 8 923
    Suggested Solution 926
  Trouble Ticket 9 926
    Issue 1: Adjacency Between Routers R1 and R2 927
    Issue 1: Suggested Solution 930
    Issue 2: Adjacency Between Routers R2 and BB2 930
    Issue 2: Suggested Solution 931
    Issue 3: Adjacency Between Routers BB1 and BB2 931
    Issue 3: Suggested Solution 933
  Trouble Ticket 10 934
    Issue 1: Router R2 Not Load Balancing Between Routers BB1 and BB2 937
    Issue 1: Suggested Solution 937
    Issue 2: Backbone Routes Not Being Suppressed 938
    Issue 2: Suggested Solution 939
Chapter 22 Final Preparation 943
  Tools for Final Preparation 943
    Exam Engine and Questions on the CD 943
      Install the Exam Engine 944
      Activate and Download the Practice Exam 944
      Activating Other Exams 945
      Premium Edition 945
    The Cisco Learning Network 945
    Memory Tables 945
    Chapter-Ending Review Tools 946
  Suggested Plan for Final Review/Study 946
    Step 1: Review Key Topics and DIKTA Questions 947
    Step 3: Hands-On Practice 947
    Step 5: Subnetting Practice 948
    Step 6: Use the Exam Engine 948
  Summary 949

Part VI Appendixes
Appendix A Answers to the “Do I Know This Already” Quizzes 951
Appendix B TSHOOT Exam Updates 957
Index 960
CD-Only Appendixes and Glossary
Appendix C Memory Tables
Appendix D Memory Tables Answer Key
Appendix E Study Planner
Glossary

Icons Used in This Book

(Icon legend: Workgroup Switch, Router, Multilayer Switch, File/Application Server, PC, Laptop, Web Server, IP Phone, Phone, Cisco Unified Communications Manager Server, Network Cloud, Serial Line, Ethernet Line)

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

■ Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
■ Italics indicate arguments for which you supply actual values.
■ Vertical bars (|) separate alternative, mutually exclusive elements.
■ Square brackets [ ] indicate optional elements.
■ Braces { } indicate a required choice.
■ Braces within brackets [{ }] indicate a required choice within an optional element.

Introduction

Professional certifications have been an important part of the computing industry for many years and will continue to become more important. Many reasons exist for these certifications, but the most popularly cited reason is that of credibility. All other considerations held equal, the certified employee/consultant/job candidate is considered more valuable than one who is not.

Goals and Methods

The most important and somewhat obvious goal of this book is to help you pass the 300-135 Troubleshooting and Maintaining Cisco IP Networks (TSHOOT) exam. In fact, if the primary objective of this book were different, the book’s title would be misleading. However, the methods used in this book to help you pass the TSHOOT exam are designed to also make you much more knowledgeable about how to do your job. Although this book and the accompanying CD-ROM have many exam preparation tasks and example test questions, the method in which they are used is not to simply make you memorize as many questions and answers as you possibly can.

The methodology of this book helps you discover the exam topics about which you need more review, fully understand and remember exam topic details, and prove to yourself that you have retained your knowledge of those topics. So, this book helps you pass not by memorization, but by helping you truly learn and understand the topics. The TSHOOT exam is typically your final journey in pursuit of the CCNP Routing and Switching certification, and the knowledge contained within is vitally important to consider yourself a truly skilled routing and switching expert or specialist. This book would do you a disservice if it did not attempt to help you learn the material. To that end, the book can help you pass the TSHOOT exam by using the following methods:

■ Covering the exam topics and helping you discover which exam topics you have not mastered
■ Providing explanations and information to fill in your knowledge gaps
■ Supplying multiple troubleshooting case studies with diagrams and diagnostic output that enhance your ability to resolve trouble tickets presented in the exam environment, in addition to real-world troubleshooting issues you might encounter
■ Providing practice exercises on exam topics, presented in each chapter and on the enclosed CD-ROM

Who Should Read This Book?

This book is not designed to be a general networking topics book, although it can be used for that purpose. This book is intended to tremendously increase your chances of passing the Cisco TSHOOT exam. Although other objectives can be achieved from using this book, the book is written with one goal in mind: to help you pass the exam. If you want to pass the exam, this book is for you.

Strategies for Exam Preparation

The strategy you use to prepare for the TSHOOT exam might differ slightly from strategies used by other readers, mainly based on the skills, knowledge, and experience you have already obtained. For example, if you have attended a TSHOOT course, you might take a different approach than someone who learned troubleshooting through on-the-job training. Regardless of the strategy you use or the background you have, this book is designed to help you gain the knowledge you need about the issues that can arise with different routing and switching technologies and get you to the point where you can apply that knowledge and pass the exam.

Cisco Certifications and Exams

Cisco offers four levels of routing and switching certification, each with an increasing level of proficiency: Entry, Associate, Professional, and Expert. These are commonly known by their acronyms CCENT (Cisco Certified Entry Networking Technician), CCNA (Cisco Certified Network Associate) Routing and Switching, CCNP (Cisco Certified Network Professional) Routing and Switching, and CCIE (Cisco Certified Internetworking Expert) Routing and Switching. For the CCNP Routing and Switching certification, you must pass exams on a series of CCNP topics, including the SWITCH, ROUTE, and TSHOOT exams. For most exams, Cisco does not publish the scores needed for passing. You need to take the exam to find that out for yourself.

To see the most current requirements for the CCNP Routing and Switching certification, go to Cisco.com and click Training and Events. There you can find out other exam details such as exam topics and how to register for an exam.

How This Book Is Organized

Although this book can be read cover to cover, it is designed to be flexible and enable you to easily move between chapters to cover only the material that you need more work with. If you do intend to read them all, the order in the book is an excellent sequence to use. The chapters can be covered in any order, although some chapters are related and build upon each other. Each core chapter covers a subset of the topics on the CCNP TSHOOT exam. The chapters are organized into parts, covering the following topics:

■ Chapter 1, “Introduction to Troubleshooting and Network Maintenance:” This chapter discusses the importance of having a structured troubleshooting approach and a solid network maintenance plan. It identifies many popular models, structures, and tasks that should be considered by all organizations. However, as you will see, there is no “one-stop shop for all your needs” when it comes to troubleshooting and network maintenance. It is more of an art that you will master over time.

■ Chapter 2, “Troubleshooting and Maintenance Tools:” This chapter introduces you to a sampling of Cisco IOS tools and features designed for network maintenance and troubleshooting. The tools include ping, traceroute, Telnet, SNMP, NetFlow, SPAN, RSPAN, and CDP. Most of the issues you will experience with these features are configuration based. Therefore, you will focus on the configuration requirements for troubleshooting purposes.
■ Chapter 3, “Troubleshooting Device Performance:” This chapter discusses common reasons for high CPU and memory utilization on routers and switches in addition to how you can recognize them. You will examine interface statistics, as they can be an initial indication of some type of issue. You will also review the different types of packet switching modes on routers and multilayer switches.
■ Chapter 4, “Troubleshooting Layer 2 Trunks, VTP, and VLANs:” This chapter begins by reviewing Layer 2 switch operations and builds from there with discussions on how to troubleshoot issues relating to trunks, VTP, and VLANs. You will also discover how important the information in the MAC address table can be while troubleshooting.
■ Chapter 5, “Troubleshooting STP and Layer 2 EtherChannel:” This chapter reviews the operation of STP and focuses on troubleshooting STP topology issues such as root bridge selection, root port selection, designated port selection, and finally, the blocked port. You will also examine how to troubleshoot STP features such as PortFast, BPDU Guard, BPDU Filter, Root Guard, Loop Guard, and UDLD. In addition, this chapter reviews how you can combine multiple physical Layer 2 switchports into a logical EtherChannel bundle and how you can troubleshoot issues related to them.
■ Chapter 6, “Troubleshooting Inter-VLAN Routing and Layer 3 EtherChannels:” This chapter focuses on how you can troubleshoot issues related to different inter-VLAN routing implementations (router-on-a-trunk/stick and SVIs), issues related to routed ports, and issues related to Layer 3 EtherChannels.
■ Chapter 7, “Troubleshooting Switch Security Features:” This chapter is dedicated to troubleshooting issues related to security features that can be implemented on switches. This includes port security, DHCP snooping, dynamic ARP inspection, IP Source Guard, protected ports, PVLANs, and VACLs.
■ Chapter 8, “Troubleshooting First-Hop Redundancy Protocols:” This chapter discusses the issues that might arise when implementing FHRPs such as HSRP, VRRP, and GLBP. It identifies various elements that could cause these FHRPs not to function as expected and that should be considered while you are troubleshooting. It also provides a collection of commands you can use to successfully troubleshoot issues related to each FHRP.
■ Chapter 9, “Troubleshooting IPv4 Addressing and Addressing Technologies:” This chapter begins by reviewing IPv4 addressing and how you can identify if addressing is the issue. This is extremely important as you do not want to waste your time troubleshooting a service or feature when the issue is related to the device having an inappropriate IPv4 address, subnet mask, or default gateway. The chapter then covers issues and troubleshooting tasks related to DHCPv4 and NAT.

■ Chapter 10, “Troubleshooting IPv6 Addressing and Addressing Technologies:” This chapter covers how an IPv6-enabled device determines whether the destination is local or remote, and what to look for while troubleshooting IPv6-related issues. You will also learn how MAC addresses are determined for known IPv6 addresses, and you will explore the various options for address assignment such as SLAAC and DHCPv6.
■ Chapter 11, “Troubleshooting IPv4 and IPv6 ACLs and Prefix Lists:” This chapter covers the ins and outs of ACLs and prefix lists. You will learn the way they are processed, how they are read, and how you can identify issues related to them. In addition, this chapter explains how you can use ACLs for traffic filtering and how a prefix list can be used for route filtering.
■ Chapter 12, “Troubleshooting Basic IPv4/IPv6 Routing and GRE Tunnels:” This chapter covers the packet-delivery process and the various commands that enable you to troubleshoot issues related to the process. You will learn how a router chooses which sources of routing information are more believable so that only the best routes are in the routing table. You will also learn how to recognize and troubleshoot issues related to static routing and GRE tunnels.
■ Chapter 13, “Troubleshooting Route Maps and Policy-Based Routing:” This chapter begins by examining route maps. It gives you the opportunity to review how route maps are read and the commands that you can use to verify a route map’s configuration. The rest of the chapter is dedicated to PBR, which allows you to override the router’s default routing behavior. To wrap up the chapter, you will discover what could cause PBR not to behave as expected and how you can troubleshoot it.
■ Chapter 14, “Troubleshooting RIPv2 and RIPng:” This chapter focuses on the issues that you may have to troubleshoot in a RIPv2 and RIPng domain. This includes how you would recognize the issues based on the presented symptoms and the commands you would use to successfully verify the reason why the issue exists.
■ Chapter 15, “Troubleshooting EIGRP:” This chapter covers troubleshooting of both EIGRP for IPv4 and EIGRP for IPv6. It breaks out the troubleshooting discussions into two different parts: troubleshooting neighbor adjacencies and troubleshooting missing routes. It also covers the troubleshooting of various issues that are not directly related to neighborships or routes that might arise with EIGRP. To wrap up the chapter, named EIGRP troubleshooting is covered.
■ Chapter 16, “Troubleshooting OSPF:” This chapter covers troubleshooting of both OSPFv2 and OSPFv3. It breaks out the troubleshooting discussions into two different parts: troubleshooting neighbor adjacencies and troubleshooting missing routes. It also covers the troubleshooting of various issues that are not directly related to neighborships or routes that might arise with OSPF. To wrap up the chapter, OSPFv3 address family troubleshooting is covered.

■ Chapter 17, “Troubleshooting Redistribution:” This chapter explores the differences of redistributing into EIGRP, OSPF, RIP, and BGP for both IPv4 and IPv6. You will learn what to look out for while troubleshooting so that you can quickly solve any issues related to redistribution. In addition, you will examine what could occur in environments that have multiple points of redistribution and how you can identify the issues and solve them.
■ Chapter 18, “Troubleshooting BGP:” This chapter examines the various issues that you may face when trying to establish an IPv4 and IPv6 eBGP and iBGP neighbor adjacency and how you can identify them and troubleshoot them. You will also examine the issues that may arise when exchanging IPv4 and IPv6 eBGP and iBGP routes and how you can recognize them and troubleshoot them successfully. You also need to be very familiar with the decision-making process that BGP uses to be an efficient troubleshooter. Therefore, you will spend time exploring this process in the chapter as well.
■ Chapter 19, “Troubleshooting Management Protocols and Tools:” This chapter covers the issues you might encounter with management protocols such as NTP, syslog, and SNMP, and how you can identify them. It also covers the issues that you might encounter with management tools, such as Cisco IOS IP SLA, Object Tracking, SPAN, and RSPAN.
■ Chapter 20, “Troubleshooting Management Access:” This chapter examines the different reasons why access to the console and vty lines might fail. In addition, you will explore the issues that may arise when using Cisco IOS AAA authentication.
■ Chapter 21, “Additional Trouble Tickets:” This chapter is dedicated to showing you an additional ten trouble tickets and the various approaches that you can take to solve the problems that are presented.
■ Chapter 22, “Final Preparation:” This chapter identifies tools for final exam preparation and helps you develop an effective study plan.
■ Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes:” This appendix has the answers to the “Do I Know This Already” quizzes, and Appendix B, “TSHOOT Exam Updates,” tells you how to find any updates should there be changes to the exam.

Each chapter in the book uses several features to help you make the best use of your time in that chapter. The features are as follows:

■ Assessment: Each chapter begins with a “Do I Know This Already?” quiz that helps you determine the amount of time you need to spend studying each topic of the chapter. Questions are all multiple-choice, to give a quick assessment of your knowledge. If you intend to read the entire chapter, you can save the quiz for later use.
■ Foundation Topics: This is the core section of each chapter that explains the protocols, concepts, configuration, and troubleshooting strategies for the topics in the chapter.

■ Exam Preparation Tasks: At the end of each chapter, this section collects key topics, references to memory table exercises to be completed as memorization practice, key terms to define, and a command reference that summarizes any relevant commands presented in the chapter.

Finally, the companion CD-ROM contains practice CCNP Routing and Switching TSHOOT questions to reinforce your understanding of the book’s concepts. Mastery of the topics covered by the CD-based questions will help equip you with the tools needed to effectively troubleshoot the trouble tickets presented on the exam. The CD also contains the Memory Table exercises and answer keys as well as over 60 minutes of video walking you through an exam strategy. Be aware that the TSHOOT exam will primarily be made up of trouble tickets you need to resolve.

CCNP TSHOOT Exam Topics

Carefully consider the exam topics Cisco has posted on its website as you study, particularly for clues to how deeply you should know each topic. Also, you can develop a broader knowledge of the subject matter by reading and studying the topics presented in this book. Remember that it is in your best interest to become proficient in each of the CCNP Routing and Switching subjects. When it is time to use what you have learned, being well rounded counts more than being well tested.

Table I-1 shows the official exam topics for the TSHOOT exam, as posted on Cisco.com. Note that Cisco has occasionally changed exam topics without changing the exam number, so do not be alarmed if small changes in the exam topics occur over time. Also, it is possible to receive questions on the exam that are not related to any of the exam topics listed. Cisco indicates this when you view the exam topics on their website. Therefore, to ensure that you are well prepared for the exam, we have covered the exam topics as well as any additional topics that we considered to be necessary for your success. For example, there is no mention of Layer 2 security, inter-VLAN routing, or FHRPs in the exam objectives; however, we have included chapters dedicated to these to make sure that you are well prepared.

Table I-1 CCNP TSHOOT Exam Topics
Exam Topics (Chapters Where Exam Topics Are Covered)

1.0 Network Principles (Chapters 1 and 2)
  Debug, conditional debug
  Ping and trace route with extended options
  Diagnose the root cause of networking issues (analyze symptoms, identify and describe root cause)
  Design and implement valid solutions
  Verify and monitor resolution

2.0 Layer 2 Technologies (Chapters 4, 5, 19)
  Troubleshooting switch administration
  Troubleshooting Layer 2 protocols
  Troubleshoot VLANs
  Troubleshoot trunking
  Troubleshoot EtherChannels
  Troubleshoot spanning tree
  Troubleshoot other LAN switching technologies
  Troubleshoot chassis virtualization and aggregation technologies

3.0 Layer 3 Technologies (Chapters 9, 10, 12–18)
  Troubleshooting IPv4 addressing and subnetting
  Troubleshoot IPv6 addressing and subnetting
  Troubleshoot static routing
  Troubleshoot default routing
  Troubleshoot administrative distance
  Troubleshoot passive interfaces
  Troubleshoot VRF lite
  Troubleshoot filter with any protocol
  Troubleshoot between any routing protocols or routing sources
  Troubleshoot manual and autosummarization with any routing protocol
  Troubleshoot policy-based routing
  Troubleshoot suboptimal routing
  Troubleshoot loop prevention mechanisms
  Troubleshoot RIPv2
  Troubleshoot EIGRP neighbor relationship and authentication

3.0 Layer 3 Technologies, continued (Chapters 9, 10, 12–18)
  Troubleshoot loop free path selection
  Troubleshoot EIGRP operations
  Troubleshoot EIGRP stubs
  Troubleshoot EIGRP load balancing
  Troubleshoot EIGRP metrics
  Troubleshoot OSPF neighbor relationship and authentication
  Troubleshoot network types, area types, and router types
  Troubleshoot OSPF path preference
  Troubleshoot OSPF operations
  Troubleshoot OSPF for IPv6
  Troubleshoot BGP peer relationships and authentication
  Troubleshoot eBGP

4.0 VPN Technologies (Chapter 12)
  Troubleshoot GRE

5.0 Infrastructure Security (Chapters 11 and 20)
  Troubleshoot IOS AAA using local database
  Troubleshoot device access control
  Troubleshoot router security features

6.0 Infrastructure Services (Chapters 2, 9, 10, and 19)
  Troubleshoot device management
  Troubleshoot SNMP
  Troubleshoot logging
  Troubleshoot Network Time Protocol (NTP)
  Troubleshoot IPv4 and IPv6 DHCP
  Troubleshoot IPv4 Network Address Translation (NAT)
  Troubleshoot SLA architecture
  Troubleshoot tracking objects

This chapter covers the following topics:

■ Introduction to Troubleshooting: This section introduces you to troubleshooting and then focuses on a structured troubleshooting approach. It also provides you with some common steps to help you be more efficient.
■ Popular Troubleshooting Methods: This section introduces you to various troubleshooting methods that can assist in narrowing your focus during your troubleshooting efforts.
■ Introduction to Network Maintenance: This section introduces you to maintenance tasks and identifies a few well-known network maintenance models that you can adopt.
■ Common Maintenance Procedures: This section reviews the common network maintenance tasks that all organizations should perform.
■ The Troubleshooting and Network Maintenance Relationship: This section identifies the importance of aligning maintenance tasks with troubleshooting goals.

CHAPTER 1 Introduction to Troubleshooting and Network Maintenance

Business operations, without a doubt, depend on the reliable operation of data networks (which might also carry voice and video traffic). This statement holds true regardless of the business size. A structured and systematic maintenance approach significantly contributes to the uptime for all networks. In addition, having a sound troubleshooting methodology in place helps ensure that when issues arise you are confident and ready to fix them.

Consider a vehicle as an example. Regular maintenance such as oil changes, joint lubrication, and fluid top-offs are performed on a vehicle to ensure that problems do not arise and the life of that vehicle is maximized. However, if an issue does arise, it is taken to a mechanic so that they may troubleshoot the issue using a structured troubleshooting process and ultimately fix the vehicle. Similarly, the number of issues in a network can be reduced by following a maintenance plan, and troubleshooting can be more effective with a structured approach in place.

This chapter discusses the importance of having a structured troubleshooting approach and a solid network maintenance plan. It identifies many popular models, structures, and tasks that should be considered by all organizations. However, as you will see, there is no “one-stop shop for all your needs” when it comes to troubleshooting and network maintenance. It is more of an art that you will master over time.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 1-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 1-1 “Do I Know This Already?” Section-to-Question Mapping
Foundation Topics Section: Questions
Introduction to Troubleshooting: 1–7
Popular Troubleshooting Methods: 8–9
Introduction to Network Maintenance: 10–12

Foundation Topics Section: Questions
Identifying Common Maintenance Procedures: 13–16
The Troubleshooting and Network Maintenance Relationship: 17–20

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Identify the three steps in a simplified troubleshooting model.
a. Problem replication
b. Problem diagnosis
c. Problem resolution
d. Problem report

2. Which of the following is the best statement to include in a problem report?
a. The network is broken.
b. User A cannot reach the network.
c. User B recently changed his PC’s operating system to Microsoft Windows 7.
d. User C is unable to attach to an internal share resource of \\10.1.1.1\Budget, although he can print to all network printers, and he can reach the Internet.

3. What troubleshooting step should you perform after a problem has been reported and clearly defined?
a. Propose an hypothesis
b. Collect information
c. Eliminate potential causes
d. Examine collected information

4. What are the two primary goals of troubleshooters as they are collecting information?
a. Eliminate potential causes from consideration
b. Identify indicators pointing to the underlying cause of the problem
c. Propose an hypothesis about what is most likely causing the problem
d. Find evidence that can be used to eliminate potential causes

5. When performing the “eliminate potential causes” troubleshooting step, which caution should the troubleshooter be aware of?
a. The danger of drawing an invalid conclusion from the observed data
b. The danger of troubleshooting a network component over which the troubleshooter does not have authority
c. The danger of causing disruptions in workflow by implementing the proposed solution
d. The danger of creating a new problem by implementing the proposed solution

6. A troubleshooter is hypothesizing a cause for an urgent problem, and her hypothesis involves a network device that she is not authorized to configure. The person who is authorized to configure the network device is unavailable. What should the troubleshooter do?
a. Wait for authorized personnel to address the issue.
b. Override corporate policy, based on the urgency, and configure the network device independently because authorized personnel are not currently available.
c. Attempt to find a temporary workaround for the issue.
d. Instruct the user to report the problem to the proper department that is authorized to resolve the issue.

7. Experienced troubleshooters with in-depth comprehension of a particular network might skip the examine information and eliminate potential causes steps in a structured troubleshooting model, instead relying on their own insight to determine the most likely cause of a problem. This illustrates what approach to network troubleshooting?
a. Ad hoc
b. Shoot from the hip
c. Crystal ball
d. Independent path

8. Which of the following troubleshooting models requires access to a specific application?
a. Bottom-up
b. Divide-and-conquer
c. Comparing configurations
d. Top-down

9. Based on your analysis of a problem report and the data collected, you want to use a troubleshooting model that can quickly eliminate multiple layers of the OSI model as potential sources of the reported problem. Which of the following troubleshooting methods would be most appropriate?
a. Following the traffic path
b. Bottom-up
c. Divide-and-conquer
d. Component swapping

10. Which of the following are considered network maintenance tasks? (Choose the three best answers.)
a. Troubleshooting problem reports
b. Attending training on emerging network technologies
c. Planning for network expansion
d. Hardware installation

11. Network maintenance tasks can be categorized into one of which two categories?
a. Recovery tasks
b. Interrupt-driven tasks
c. Structured tasks
d. Installation tasks

12. Which letter in the FCAPS acronym represents the maintenance area responsible for billing end users?
a. F
b. C
c. A
d. P
e. S

13. The lists of tasks required to maintain a network can vary widely, depending on the goals and characteristics of that network. However, some network maintenance tasks are common to most networks. Which of the following would be considered a common task that should be present in any network maintenance model?
a. Performing database synchronization for a network’s Microsoft Active Directory
b. Making sure that digital certificates used for PKI are renewed in advance of their expiration
c. Using Cisco Prime to dynamically discover network device changes
d. Performing scheduled backups

14. Which of the following statements is true about scheduled maintenance?
a. Scheduled maintenance helps ensure that important maintenance tasks are not overlooked.
b. Scheduled maintenance is not recommended for larger networks, because of the diversity of maintenance needs.
c. Maintenance tasks should only be performed based on a scheduled maintenance schedule, to reduce unexpected workflow interruptions.
d. Scheduled maintenance is more of a reactive approach to network maintenance, as opposed to a proactive approach.

15. Which of the following questions are appropriate when defining your change management policies?
a. What version of operating system is currently running on the device to be upgraded?
b. What is the return on investment (ROI) of an upgrade?
c. What measurable criteria determine the success or failure of a network change?
d. Who is responsible for authorizing various types of network changes?

16. Which three of the following components would you expect to find in a set of network documentation?
a. Logical topology diagram
b. Listing of interconnections
c. Copy of IOS image
d. IP address assignments

17. What is the ideal relationship between network maintenance and troubleshooting?
a. Networking maintenance and troubleshooting efforts should be isolated from one another.
b. Networking maintenance and troubleshooting efforts should complement one another.
c. Networking maintenance is a subset of network troubleshooting.
d. Networking maintenance and troubleshooting efforts should be conducted by different personnel.

18. Which three of the following suggestions can best help troubleshooters keep in mind the need to document their steps?
a. Require documentation
b. Keep documentation in a hidden folder
c. Schedule documentation checks
d. Automate documentation

19. Which three troubleshooting phases require clear communication with end users?
a. Problem report
b. Information collection
c. Hypothesis verification
d. Problem resolution

20. What are two elements of a change management system?
a. Determine when changes can be made
b. Determine potential causes for the problem requiring the change
c. Determine who can authorize a change
d. Determine what change should be made

Foundation Topics

Introduction to Troubleshooting

Troubleshooting is a skill, and like all skills, you will get better at it the more you have to perform it. The more troubleshooting situations you are placed in, the more your skills will improve, and as a result of this, the more your confidence will grow. However, don’t start wishing for issues to happen in your organization just so that you can get more experience. Although there is no right or wrong way to troubleshoot, there is definitely a more efficient and effective way to troubleshoot that all experienced troubleshooters follow. This section begins by introducing you to troubleshooting. It then focuses on a structured troubleshooting approach that provides you with some common methods to enhance your efficiency.

Defining Troubleshooting

Troubleshooting at its essence is the process of responding to a problem report (sometimes in the form of a trouble ticket), diagnosing the underlying cause of the problem, and resolving the problem. Although you normally think of the troubleshooting process as beginning when a user reports an issue, you need to understand that through effective network monitoring you may detect a situation that could become a troubleshooting issue and resolve that situation before it impacts users.

After an issue is reported, the first step toward resolution is clearly defining the issue. When you have a clearly defined troubleshooting target, you can begin gathering further information related to it. From this information, you should be able to better define the issue. Then, based on your diagnosis, you can propose an hypothesis about what is most likely causing the issue. Then the evaluation of these likely causes leads to the identification of the suspected underlying root cause of the issue.

After you identify a suspected underlying cause, you next define approaches to resolving the issue and select what you consider to be the best approach. Sometimes the best approach to resolving an issue cannot be implemented immediately. For example, a piece of equipment might need replacing, or a business’s workflow might be disrupted by implementing such an approach during working hours. In such situations, a troubleshooter might use a temporary fix until a permanent fix can be put in place.

Let’s look at an example. It is 3:00 p.m. at a luxury hotel in Las Vegas. On this day, the hotel cannot register guests or create the keycards needed for guest rooms. After following the documented troubleshooting procedures, the network team discovers that Spanning Tree Protocol (STP) has failed on a Cisco Catalyst switch, resulting in a Layer 2 topological loop. Thus, the network is being flooded with traffic, preventing registrations and keycards from being completed because the server is not accessible. The network team now has to decide on the best course of action at this point. The permanent fix of replacing the failed equipment immediately would disrupt the network further and take a considerable amount of time, thus delaying the guest registrations further. A temporary fix would be to disconnect the redundant links involved in the loop so that the Layer 2 loop is broken and guests can be registered at that point. When the impact on guests and guest services is minimal, the network team can implement the permanent fix.

Consider Figure 1-1, which depicts a simplified model of the troubleshooting steps previously described.

Figure 1-1 Simplified Troubleshooting Flow (Problem Report, Problem Diagnosis, Problem Resolution)

This simplified model consists of three steps:

Step 1. Problem report
Step 2. Problem diagnosis
Step 3. Problem resolution

Of these three steps, most of a troubleshooter’s efforts are spent in the problem diagnosis step. For example, your child reports that the toaster won’t work. That is the problem report step. You have it clarified further, and your child indicates that the toaster does not get hot. So, you decide to take a look at the toaster and diagnose it. This is the problem diagnosis step. Table 1-2 describes key components of this problem diagnosis step, which is broken up into multiple subcomponents.

Table 1-2 Steps to Diagnose a Problem

Collect information: Because a typical problem report lacks sufficient information to give a troubleshooter insight into a problem’s underlying cause, the troubleshooter should collect additional information, perhaps using network maintenance tools or by interviewing impacted users.

Examine collected information: After collecting sufficient information about a problem, the troubleshooter then examines that information, perhaps comparing the information against previously collected baseline information.

Eliminate potential causes: Based on the troubleshooter’s knowledge of the network and his interrogation of collected information, he can begin to eliminate potential causes for the problem.

Propose an hypothesis: After the troubleshooter eliminates multiple potential causes for the problem, he is left with one or more causes that are more likely to have resulted in the problem. The troubleshooter hypothesizes what he considers to be the most likely cause of the problem.

Verify hypothesis: The troubleshooter then tests his hypothesis to confirm or refute his theory about the problem’s underlying cause.

After collecting, examining, and eliminating, you hypothesize that the power cable for the toaster is not plugged in. You test your hypothesis, and it is correct. Problem solved. This was a simple example, but even with a toaster, you spent the majority of your time diagnosing the problem. Once you determined that there was no electricity to the toaster, you had to figure out whether it was plugged in. If it was plugged in, you then had to consider whether the wall outlet was damaged, or the circuit breaker was off, or the toaster was too old and it broke. All of your effort focused on the problem diagnosis step. With experience, your skills as a troubleshooter will get better.

By combining the three main steps with the five substeps, you get the following structured troubleshooting procedure:

Step 1. Problem report
Step 2. Collect information
Step 3. Examine collected information
Step 4. Eliminate potential causes
Step 5. Propose an hypothesis
Step 6. Verify hypothesis
Step 7. Problem resolution

The Value of Structured Troubleshooting

Troubleshooting skills vary from administrator to administrator. Therefore, as a troubleshooter, your primary goal is to be efficient. Being fast comes with experience, but it is not worth much if you are not efficient. To be efficient, you need to follow a structured troubleshooting method. Also, you should have exceptional documentation on past network issues and the steps used to solve them. Eventually, you will start to see similar issues.

If you do not follow a structured approach, you might find yourself moving around troubleshooting tasks in a fairly random way based on instinct. Although in one instance you might be fast at solving the issue, in the next instance you end up taking an unacceptable amount of time. In addition, it can become confusing to remember what you have tried and what you have not. Therefore, you find yourself repeating solutions you have already tried. Also, if another administrator comes to assist you, communicating to that administrator the steps you have already gone through becomes a challenge. Therefore, following a structured troubleshooting approach helps you reduce the possibility of trying the same resolution more than once and inadvertently skipping a task. It also aids in communicating to someone else possibilities that you have already eliminated. A structured troubleshooting method might look like the approach depicted in Figure 1-2.

However, as mentioned earlier, your skills as a troubleshooter will get better with experience. In such instances, spending time methodically examining information and eliminating potential causes might actually be less efficient than immediately hypothesizing a cause after you collect information about the problem and review past documents, hoping it works. This method, illustrated in Figure 1-3, is often called the shoot from the hip method.

Figure 1-2 Example of a Structured Troubleshooting Approach (flow: (1) Problem Report, (2) Collect Information, (3) Examine Information, (4) Eliminate Potential Causes, (5) Propose an Hypothesis, (6) Verify Hypothesis, Problem Solved? No/Yes, (7) Problem Resolution)

Figure 1-3 Example of a Shoot from the Hip Troubleshooting Approach (same steps as Figure 1-2, with the hypothesis proposed directly after collecting information)

The danger with the shoot from the hip method is that if your instincts are incorrect, you waste valuable time, and the problem is not solved. Therefore, you need to be able to revert back to the structured troubleshooting approach as needed and examine all collected information.

A Structured Approach

No single collection of troubleshooting procedures is capable of addressing all conceivable network issues because there are too many variables (for example, user actions). However, having a structured troubleshooting approach helps ensure that the organization’s troubleshooting efforts are following a similar flow each time an issue arises no matter who is assigned the task. This will allow one troubleshooter to more efficiently take over for or assist another troubleshooter if required. This section examines each step in a structured approach in more detail as shown in Figure 1-4.

Figure 1-4 A Structured Troubleshooting Approach (steps (1) through (7) as in Figure 1-2)

1. Problem Report

A problem report from a user often lacks sufficient detail for you to take that problem report and move on to the next troubleshooting process (that is, collect information). For example, a user might report, “The network is broken.” If you receive such a vague report, you probably need to contact the user and ask him exactly what aspect of the network is not functioning correctly.

After your interview with the user, you should be able to construct a more detailed problem report that includes statements such as, “When the user does X, she observes Y.” For example, “When the user attempts to connect to a website on the Internet, her browser reports a 404 error. However, the user can successfully navigate to websites on her company’s intranet.” Or, “When the user attempts to connect to an FTP site using a web browser, the web browser reports the page can’t be displayed. However, the FTP resources are accessible through an FTP client.”

After you have a clear understanding of the issue, you might need to decide whether this issue is one you are authorized to address or if you need to forward the issue to someone else who is authorized. For example, perhaps your organization has one IT group tasked with managing switches and another IT group charged with managing routers. Alternatively, you might need to determine who is responsible for working on the hardware or software associated with that issue. If you are not sure at this point, as the initial point of contact, start collecting information so that the picture can become clearer, and be mindful that you might have to pass this information on to another member of your IT group at some point.

2. Collect Information

When you are in possession of a clear problem report, the next step is gathering relevant information pertaining to the problem, as shown in Figure 1-5.

Figure 1-5 A Structured Troubleshooting Approach (Collect Information)

Efficiently and effectively gathering information involves focusing information gathering efforts on appropriate network entities (for example, routers, switches, servers, or clients) from which information should be collected. Otherwise, the troubleshooter could waste time wading through reams of irrelevant data. Therefore, to be efficient and effective, the troubleshooter needs to understand what is required to access the resources the end user is unable to access, so accurate documentation is important. With our FTP site problem report, troubleshooters not aware of that might spend hours collecting irrelevant data with debug, show, ping, and traceroute commands, when all they had to do was point the user to the FTP client installed on the client’s computer.

In addition, perhaps a troubleshooter is using a troubleshooting model that follows the path of the affected traffic (as discussed in the “Popular Troubleshooting Methods” section of this chapter), and information needs to be collected from a network device over which the troubleshooter has no access. At that point, the troubleshooter might need to work with appropriate personnel who have access to that device. Alternatively, the troubleshooter might switch troubleshooting models. For example, instead of following the traffic’s path, the troubleshooter might swap components or use a bottom-up troubleshooting model.

3. Examine Collected Information

After collecting information about the problem report (for example, using ping or traceroute, collecting output from show or debug commands, performing packet captures), the next structured troubleshooting step is to analyze the collected information as shown in Figure 1-6.

Figure 1-6 A Structured Troubleshooting Approach (Examine Information)

A troubleshooter has two primary goals while examining the collected information:

■ Identify indicators pointing to the underlying cause of the problem
■ Find evidence that can be used to eliminate potential causes

To achieve these two goals, the troubleshooter attempts to find a balance between two questions:

■ What is occurring on the network?
■ What should be occurring on the network?

The delta between the responses to these questions might give the troubleshooter insight into the underlying cause of a reported problem. If the troubleshooter is experienced with the applications and protocols being examined, the troubleshooter might be able to determine what is occurring on the network and how that differs from what should be occurring. A challenge, however, is for the troubleshooter to know what currently should be occurring on the network. Documentation plays an extremely important role at this point. Accurate and up-to-date documentation can assist a troubleshooter in examining the collected data to determine whether anything has changed in relation to the setup or configuration.

However, if the troubleshooter lacks knowledge of specific protocol behavior, she still might be able to effectively examine the collected information by contrasting that information with baseline data or documentation. This implies that as part of a routine network maintenance plan, baseline data should periodically be collected when the network is functioning properly. Baseline data might contain, for example, the output of show and debug commands issued on routers when the network was functioning properly. By contrasting this baseline data with data collected after a problem occurred, even an inexperienced troubleshooter might be able to see the difference between the data sets, thus providing a clue as to the underlying cause of the problem under investigation. Going back to the FTP example, if the troubleshooter was not aware that an FTP client was required, a quick review of the documentation related to FTP connectivity would indicate so. This would allow the troubleshooter to move on to the next step.

4. Eliminate Potential Causes

Following an examination of collected data, a troubleshooter can start to form conclusions based on that data. Some conclusions might suggest a potential cause for the problem, whereas other conclusions eliminate certain causes from consideration (see Figure 1-7).

Figure 1-7 A Structured Troubleshooting Approach (Eliminate Potential Causes)

It is imperative that you not jump to conclusions at this point. Jumping to conclusions can make you less efficient as a troubleshooter as you start formulating hypotheses based on a small fraction of collected data, which leads to more work and slower overall response times to problems. As an example, a troubleshooter might jump to a conclusion based on the following scenario, which results in wasted time: A problem report indicates that PC A cannot communicate with server A, as shown in Figure 1-8. The troubleshooter is using a troubleshooting method that follows the path of traffic through the network. The troubleshooter examines output from the show cdp neighbor command on routers R1 and R2. Because those routers do not recognize each other as Cisco Discovery Protocol (CDP) neighbors, the troubleshooter leaps to the conclusion that Layer 2 and Layer 1 connectivity is down between R1 and R2. The troubleshooter then runs to the physical routers to verify physical connectivity, only to see that all is fine. Reviewing further output and documentation indicates that CDP is disabled on R1 and R2 interfaces for security reasons. Therefore, the output of show cdp neighbors alone is insufficient to conclude that Layer 2 and 1 connectivity was the problem.

Figure 1-8 Scenario Topology (PC A, switch SW1, router R1, router R2, switch SW2, server A; R1 and R2 are in OSPF Area 0 and are CDP neighbors)

On another note, a caution to be observed when drawing conclusions is not to read more into the data than what is actually there. As an example, a troubleshooter might reach a faulty conclusion based on the following scenario: A problem report indicates that PC A cannot communicate with server A, as shown in Figure 1-8. The troubleshooter is using a troubleshooting method that follows the path of traffic through the network. The troubleshooter examines output from the show cdp neighbor command on routers R1 and R2. Because those routers recognize each other as Cisco Discovery Protocol (CDP) neighbors, the troubleshooter leaps to the conclusion that these two routers see each other as Open Shortest Path First (OSPF) neighbors and have mutually formed OSPF adjacencies. However, the show cdp neighbor output is insufficient to conclude that OSPF adjacencies have been formed between routers R1 and R2.

As shown by the previous examples, continuing your troubleshooting efforts based on a faulty conclusion can dramatically increase the time required to resolve a problem. If time permits, explaining the rationale for your conclusions to a coworker can often help reveal faulty conclusions.

5. Propose an Hypothesis

By eliminating potential causes of a reported problem, as described in the previous process, troubleshooters should be left with one or a few potential causes that they can focus on. Troubleshooters should then focus on the cause they believe is most likely to be the underlying one for the reported problem and propose an hypothesis, as shown in Figure 1-9. In addition, troubleshooters should rank the potential causes from most likely to least likely.

Figure 1-9 A Structured Troubleshooting Approach (Propose an Hypothesis)

After proposing an hypothesis, troubleshooters might realize that they are not authorized to access a network device that needs to be accessed to resolve the problem report. In such a situation, a troubleshooter needs to assess whether the problem can wait until authorized personnel have an opportunity to resolve the issue. If the problem is urgent and no authorized administrator is currently available, the troubleshooter might attempt to at least alleviate the symptoms of the problem by creating a temporary workaround. Although this approach does not solve the underlying cause, it might help business operations continue until the main cause of the problem can be appropriately addressed.

6. Verify Hypothesis

After troubleshooters propose what they believe to be the most likely cause of a problem, they need to develop a plan to address the suspected cause and implement it, as shown in Figure 1-10. Alternatively, if troubleshooters decide to implement a workaround, they need to come up with a plan and implement it while noting that a permanent solution is still needed. However, implementing a plan that resolves a network issue often causes temporary network outages for other users or services, which ultimately affects the financial bottom line. Therefore, the troubleshooter must balance the urgency of the problem with the potential overall loss of productivity. If the impact on workflow outweighs the urgency of the problem, the troubleshooter might wait until after business hours to execute the plan. There should be a change management procedure in place that helps the troubleshooter determine the most appropriate time to make changes to the production network and the steps required to do so.

A key (and you should make it mandatory) component in implementing a problem solution is to have the steps documented. Not only does a documented list of steps help ensure the troubleshooter does not skip any, but such a document can serve as a rollback plan if the implemented solution fails to resolve the problem, or if the execution of the plan resulted in one or more additional problems. In that case, the troubleshooter should execute the rollback plan. After the network is returned to its previous state (that is, the state prior to deploying the proposed solution), the troubleshooter can then reevaluate her hypothesis. Although the troubleshooter might have successfully identified the underlying cause, perhaps the solution failed to resolve that cause. At that point, the troubleshooter could create a different plan to address that cause. Alternatively, if the problem is not resolved after the troubleshooter implements the plan, and if the troubleshooter had identified other causes and ranked them during the propose an hypothesis step, she can focus her attention on the next most likely cause and create an action plan to resolve that cause and implement it. This process can be repeated until the troubleshooter has exhausted the list of potential causes or is unable to collect information that can point to other causes. At that point, a troubleshooter might need to gather additional information or enlist the aid of a coworker or the Cisco Technical Assistance Center (TAC).

Figure 1-10 A Structured Troubleshooting Approach (Verify Hypothesis)

7. Problem Resolution

This is the final step of the structured approach, as shown in Figure 1-11. Although this is one of the most important steps, it is often forgotten or overlooked. After the reported problem is resolved, the troubleshooter should report the problem resolution to the appropriate party or parties. Beyond simply notifying a user that a problem has been resolved, the troubleshooter should get user confirmation that the observed symptoms are now gone. This task confirms that the troubleshooter resolved the specific issue reported in the problem report, rather than a tangential issue. As a final task, the troubleshooter should make sure that the solution becomes a documented part of the network. This implies that routine network maintenance will maintain the implemented solution. For example, if the solution involves reconfiguring a Cisco IOS router, a backup of that new configuration should be made part of routine network maintenance practices.

Figure 1-11 A Structured Troubleshooting Approach (Problem Resolution)

Popular Troubleshooting Methods

As shown in the structured approach, the elimination of potential causes is a key step. You can use several common troubleshooting methods to narrow the field of potential causes:

■ The top-down method
■ The bottom-up method
■ The divide-and-conquer method
■ Following the traffic path
■ Comparing configurations
■ Component swapping

This section defines each of these methods in greater detail. However, keep in mind that there is no single best method. Depending on your situation and the issue you are troubleshooting, you may use one or multiple methods.

The Top-Down Method

The top-down troubleshooting method begins at the top layer of the Open Systems Interconnection (OSI) seven-layer model, as shown in Figure 1-12. The top layer is numbered Layer 7 and is named the application layer. The top-down method first checks the application residing at the application layer and moves down from there. The theory is, when the troubleshooter encounters a layer that is functioning, the assumption can be made that all lower layers are also functioning. For example, if you can ping a remote IP address, you can assume that Layers 1–3 are functioning properly, because ping uses Internet Control Message Protocol (ICMP), which is a Layer 3 protocol. Otherwise, your ping would have failed. A potential downside to this approach is that the troubleshooter needs access to the specific application experiencing a problem to test Layer 7.

Figure 1-12 Top-Down Troubleshooting Method (Layer 7: Application, Layer 6: Presentation, Layer 5: Session, Layer 4: Transport, Layer 3: Network, Layer 2: Data Link, Layer 1: Physical)

The Bottom-Up Method

The reciprocal of the top-down method is the bottom-up method, as illustrated in Figure 1-13. The bottom-up method seeks to narrow the field of potential causes by eliminating OSI layers beginning at Layer 1, the physical layer. Although this is a highly effective method, the bottom-up approach might not be efficient in larger networks because of the time required to fully test lower layers of the OSI model. Therefore, the bottom-up method is often used after employing some other method to narrow the scope of the problem.

Figure 1-13 Bottom-Up Troubleshooting Method (the same seven OSI layers as Figure 1-12, worked from Layer 1 upward)

The Divide-and-Conquer Method

After analyzing the information collected for a problem, you might not see a clear indication as to whether the top-down or bottom-up approach would be most effective. In such a situation, you might select the divide-and-conquer approach, which begins in the middle of the OSI stack, as shown in Figure 1-14.

Figure 1-14 Divide-and-Conquer Troubleshooting Method (ping 10.1.2.3 issued at Layer 3: Network, with Layers 4–7 above and Layers 1–2 below)

In Figure 1-14, the network administrator issued the ping 10.1.2.3 command. If the result was successful, the administrator could conclude that Layers 1–3 were operational, and a bottom-up approach could begin from that point. However, if the ping failed, the administrator could begin a top-down approach at Layer 3.

The Following the Traffic Path Method

Another useful troubleshooting approach is to follow the path of the traffic experiencing a problem. For example, if the client depicted in Figure 1-15 is unable to reach its server, you could first check the link between the client and switch SW1. If everything looks good on that link, you could then check the connection between the switch SW1 and router R1. Next, you would check the link between router R1 and switch SW2, and finally the link between switch SW2 and the server.

Figure 1-15 Following the Traffic Path Troubleshooting Method (Step 1: client to switch SW1; Step 2: SW1 to router R1; Step 3: R1 to switch SW2; Step 4: SW2 to server)

The Comparing Configurations Method

Did you ever find yourself looking through a Highlights magazine as a child? This magazine often featured two similar pictures, and you were asked to spot the differences. This childhood skill can also prove valuable when troubleshooting some network issues. For example, imagine that you have multiple remote offices, each running the same model of Cisco router. Clients at one of those remote offices cannot obtain an IP address via Dynamic Host Configuration Protocol (DHCP). One troubleshooting approach is to compare that site’s router configuration with the router configuration of another remote site that is working properly. You can also look at the configuration stored in a document (Word, Notepad) to see whether it is the same. However, what if the documentation is outdated? Now, in addition to the original issue, there are additional issues introduced based on an invalid configuration.

This methodology is often an appropriate approach for a less-experienced troubleshooter not well versed in the specifics of the network. However, the problem might be resolved without a thorough understanding of what caused the problem. Therefore, the problem is more likely to recur.

Can you spot the difference in the outputs of Example 1-1a and Example 1-1b?

Example 1-1a show run

R1#show run
...OUTPUT OMITTED...
ip dhcp excluded-address 10.8.8.1 10.8.8.10
!
ip dhcp pool POOL-A
 network 10.8.8.0 255.255.255.0
 default-router 10.8.8.11

 dns-server 192.168.1.1
 netbios-name-server 192.168.1.2
...OUTPUT OMITTED...

Example 1-1b more tftp://10.1.1.10/R1.cfg

R1#more tftp://10.1.1.10/R1.cfg
...OUTPUT OMITTED...
ip dhcp excluded-address 10.8.8.1 10.8.8.10
!
ip dhcp pool POOL-A
 network 10.8.8.0 255.255.255.0
 default-router 10.8.8.1
 dns-server 192.168.1.1
 netbios-name-server 192.168.1.2
...OUTPUT OMITTED...

In Example 1-1a, show run is displaying the current running configuration. Example 1-1b has the more tftp://10.1.1.10/R1.cfg output displaying the archived configuration that was produced as a baseline and stored on a TFTP server. The default router has been changed from 10.8.8.1 to 10.8.8.11.

The Component Swapping Method

Yet another approach to narrowing the field of potential causes of a problem is to physically swap out components. If a problem’s symptoms disappear after swapping out a particular component (for example, a cable or a switch), you can conclude that the old component was faulty (either in its hardware or its configuration). Although swapping out components in this fashion might not provide great insight into the specific problem, it could help focus your troubleshooting efforts.

As an example, consider Figure 1-16. A problem report states that the connection between laptop A and switch SW1 is not bringing up a link light on either the laptop or the switch. As a first step, you might swap out the cable interconnecting these two devices with a known working cable. If the problem persists, you will want to undo the change you made and then move the cable from switchport 1 to switchport 2. As a next step, if the problem continues, you could connect a different laptop to switch SW1. If the problem goes away, you could conclude that the issue is with laptop A. However, if the problem continues, you could swap out switch SW1 with another switch (SW2 in this example). As you test each component and find it is not the problem, undo the change. For example, if swapping out the switch resolved the issue, you could start to investigate the configuration of the original switch, checking for configuration or hardware issues.

Chapter 1: Introduction to Troubleshooting and Network Maintenance 25

[Figure 1-16 shows four component-swapping steps between Laptop A and Switch SW1: Swap Cable (Laptop A to Port 1 of Switch SW1), Swap Switch Port (Laptop A to Port 2 of Switch SW1), Swap Laptop (Laptop B to Port 1 of Switch SW1), and Swap Switch (Laptop A to Port 1 of Switch SW2).]

Figure 1-16 Component Swapping

Practice Exercise: Selecting a Troubleshooting Approach

To illustrate how you might select an appropriate troubleshooting approach, consider the following problem report:

A computer lab at a university contains 48 PCs. Currently, 24 of the PCs cannot access the Internet; the other 24 PCs can. The 24 PCs that cannot currently access the Internet were able to access the Internet yesterday.

As a troubleshooter, consider which of the previously discussed troubleshooting models might be appropriate for an issue such as the one reported. After you reach your own conclusions about which method or methods would be most appropriate, consider the following rationale:

■ Top-down: Because the application is working on some PCs in the same location, the problem is probably not application related. Although it is possible that 24 of the PCs have some setting in their Internet browser (for example, a proxy configuration) that prevents them from accessing the Internet, these PCs were working yesterday. Therefore, it is unlikely that these 24 PCs were all recently reconfigured with an incorrect application configuration. Therefore, starting at the application layer will probably not be effective.
■ Bottom-up: Based on the symptom reported, it is reasonable to guess that there might be an issue with an Ethernet switch (perhaps with a port density of 24). Therefore, a bottom-up approach stands a good chance of isolating the problem quickly.
■ Divide-and-conquer: The problem seems to be related to a block of PCs. Therefore, a divide-and-conquer approach could be useful. Starting at Layer 3 (that is, the network layer), you could
issue a series of pings to determine whether a next-hop gateway is reachable. If the next-hop gateway is not reachable, you could start to troubleshoot Layer 2.
■ Following the traffic path: The symptom seems to indicate that these 24 PCs might share a common switch. Therefore, following the traffic path to the other end of the cabling (that is, to a switch) and checking the Cisco Catalyst switch to which these 24 PCs are attached could prove useful.
■ Comparing configurations: If a previous troubleshooting method (for example, bottom-up, divide-and-conquer, or following the traffic path) reveals that the 24 PCs that are not working are connected to one Cisco Catalyst switch, and the 24 PCs that are working are connected to another Cisco Catalyst switch, comparing the configuration of those two switches could prove helpful.
■ Component swapping: Because the 24 PCs are experiencing the same problem within a short time frame (since yesterday), it is unlikely that swapping cables would be useful. However, if these 24 PCs connect to the same Cisco Catalyst switch, swapping out the switch could help isolate the problem. Perhaps the switch has lost power, resulting in this connectivity issue for the 24 PCs.

As you can see from the analysis of the different methods, each has the possibility of providing valuable information that will help you solve this issue. So, you will not usually rely on just one method while you are troubleshooting. You will combine the different methods to produce the most accurate picture possible.

Introduction to Network Maintenance

Network maintenance is an inherent component of a network administrator's responsibilities. However, that network administrator might be performing maintenance tasks in response to a reported problem. This reactive approach is unavoidable, because unforeseen issues do arise. However, the occurrence of these interrupt-driven maintenance tasks can be reduced by proactively performing regularly scheduled maintenance tasks.

This section begins by identifying several common network maintenance tasks that are seen in most organizations. It introduces us to standard network maintenance models. However, these off-the-shelf models might not be a perfect fit for the organization. Therefore, this section discusses how to adapt a well-known model to individual needs. It concludes by discussing several procedures that are a must for maintenance success.

Defining Network Maintenance

Network maintenance, at its essence, is doing whatever is required to keep the network functioning and meeting the business needs of an organization. You could think of regularly scheduled tasks, such as performing backups and software upgrades, as important but not urgent. Spending more time on the important tasks can help reduce time spent on the urgent tasks (for example, responding to user connectivity issues or troubleshooting a network outage). Therefore, you need to analyze the business needs of the organization and determine which maintenance tasks
are necessary for the success of the business. Time and money need to be spent wisely, and critical business processes need more attention. You need to align your maintenance tasks with your business needs. For example, are you going to back up each PC in the company on a nightly basis or are you going to have all users store resources on a central server and back up the central server?

Some examples of the tasks that fall under the umbrella of network maintenance are as follows:

■ Hardware and software installation and configuration
■ Troubleshooting problem reports
■ Monitoring and tuning network performance
■ Planning for network expansion
■ Documenting the network and any changes made to the network
■ Ensuring compliance with legal regulations and corporate policies
■ Securing the network against internal and external threats
■ Backing up files and databases

Obviously, this listing is only a sampling of network maintenance tasks. In addition, keep in mind that the list of tasks required to maintain your network could differ significantly from the list of tasks required to maintain another network.

Proactive Versus Reactive Network Maintenance

Network maintenance tasks can be categorized as one of the following:

■ Interrupt-driven tasks: Involve resolving issues as they are reported
■ Structured tasks: Performed as a predefined plan

Interrupt-driven tasks are not planned. They result from something happening in the network that requires your attention. It may be your immediate attention, or it may be something you can put off until later. Interrupt-driven tasks can never be completely eliminated; however, you can significantly reduce their occurrence when you have a strategic structured approach in place.

Implementing a structured maintenance approach confers many benefits. It reduces total network downtime because you are aware of problems and fix them before they become a major issue. It is more cost-effective because fewer major problems occur, resulting in fewer resources being consumed for problem resolution. Also, you will know which tools are required and how to use them to solve the problem. If you do have an unplanned network outage (interrupt-driven), you can resolve it more quickly because a predefined plan is in place to handle that type of outage. In addition, a structured maintenance approach also includes planning for future network capacity. Therefore, appropriate hardware and software purchases can be made early on, reducing obsolescence of relatively new purchases.

A structured approach also takes into consideration underlying business goals. As a result, resources can be allocated that complement business drivers. Security vulnerabilities are more likely to be discovered through ongoing network monitoring, which is another component of a structured maintenance approach, as discussed later in this chapter.

Well-Known Network Maintenance Models

The subtleties of each network should be considered when constructing a structured network maintenance model. However, rather than starting from scratch, you might want to base your maintenance model on one of the well-known maintenance models and make adjustments as appropriate. The following is a sampling of some of the more well-known maintenance models:

■ FCAPS: FCAPS (which stands for fault management, configuration management, accounting management, performance management, and security management) is a network maintenance model defined by the International Organization for Standardization (ISO).
■ ITIL: IT Infrastructure Library (ITIL) defines a collection of best practice recommendations that work together to meet IT business management goals.
■ Cisco Lifecycle Services: The Cisco Lifecycle Services maintenance model defines distinct phases in the life of a Cisco technology in a network. These phases are prepare, plan, design, implement, operate, and optimize. As a result, the Cisco Lifecycle Services model is often referred to as the PPDIOO model.

Example of Adapting a Network Maintenance Model

The maintenance model you use in your network should reflect business drivers, resources, and expertise unique to your network. Once you choose the model, you must adapt the model to your environment. Suppose, for example, that you have selected the ISO FCAPS model as the foundation for your maintenance model. To adapt the FCAPS model for your environment, you should identify specific tasks to perform on your network for each element of the FCAPS model. Table 1-3 provides a sampling of tasks that might be categorized under each of the FCAPS management areas.

Table 1-3 FCAPS Management Tasks

Type of Management: Examples of Management Tasks

Fault management: Use network management software to collect information from routers and switches. Send an e-mail alert when processor utilization or bandwidth utilization exceeds a threshold of 80 percent. Respond to incoming trouble tickets from the help desk.

Configuration management: Require logging of any changes made to network hardware or software configurations. Implement a change management system to alert relevant personnel of planned network changes.

Accounting management: Invoice IP telephony users for their long-distance and international calls.

Performance management: Monitor network performance metrics for both LAN and WAN links. Deploy appropriate quality of service (QoS) solutions to make the most efficient use of relatively limited WAN bandwidth, while prioritizing mission-critical traffic.

Security management: Deploy firewall, virtual private network (VPN), and intrusion prevention system (IPS) technologies to defend against malicious traffic. Create a security policy dictating rules of acceptable network use. Use an authorization, authentication, and accounting (AAA) server to validate user credentials, assign appropriate user privileges, and log user activity.

Common Maintenance Procedures

No two network maintenance models will be exactly the same, because of the different business drivers involved, and no two organizations will implement them in exactly the same way. However, there are tasks common to nearly all network maintenance models that will be implemented by all organizations regardless of the business drivers. This section discusses common maintenance tasks that all organizations should be performing. By clearly outlining a maintenance methodology and defining actionable and measurable processes, you can reduce network downtime and more effectively perform interrupt-driven tasks.

Routine Maintenance Tasks

Regardless of the organization, there will be maintenance tasks in each organization that occur routinely. This routine can be hourly, daily, weekly, monthly, per quarter, or per year. The routine can be frequent or infrequent, but it can also be regular or irregular. For example, backing up a server on a daily basis at 10:00 p.m. is frequent and regular. However, adding users or moving users and updating the network based on the user changes is going to be different each time. We cannot have a regular schedule for these types of tasks because they are infrequent and irregular. The key with all these tasks is that they are routine regardless of them being frequent, infrequent, regular, or irregular. Keeping track of what is being done on the network and when it is being done should be present in a listing of procedures contained in a network maintenance model.

Following is a listing of such common maintenance tasks:

■ Configuration changes: Businesses are dynamic environments, where relocation of users from one office space to another, the addition of temporary staffers, and new hires are commonplace. In response to organizational changes, network administrators need to respond by performing appropriate reconfigurations and additions to network hardware and software. These processes are often referred to as moves, adds, and changes.
■ Replacement of older or failed hardware: As devices age, their reliability and comparable performance tend to deteriorate. Therefore, a common task is the replacement of older hardware, typically with better performing and more feature-rich devices. Occasionally, production devices fail, thus requiring immediate replacement.
■ Scheduled backups: Recovery from a major system failure can occur much quicker if network data and device configurations have been regularly backed up. Therefore, a common network maintenance task is to schedule, monitor, and verify backups of selected data and configuration information. These backups can also be useful in recovering important data that was deleted.
■ Updating software: Updates to operating system software (for servers, clients, and even network devices) are periodically released. The updates often address performance issues and security vulnerabilities. New features are also commonly offered in software upgrades. Therefore, performing routine software updates becomes a key network maintenance task.
■ Monitoring network performance: The collection and interpretation of traffic statistics, bandwidth utilization statistics, and resource utilization statistics for network devices are common goals of network monitoring. Through effective network monitoring (which might involve the collection and examination of log files or the implementation of a high-end network management server), you can better plan for future expansion (that is, capacity planning), anticipate potential issues before they arise, and better understand the nature of the traffic flowing through your network.

Scheduled Maintenance

Take a moment and define the network maintenance tasks for your network. After doing so, rank them in order of priority. Some tasks will undoubtedly be urgent in nature and need a quick response when things go wrong (for example, replacing a failed router that connects the business to the Internet). Other tasks can be scheduled. For example, you might schedule weekly full backups of your network's file servers, and you might have a monthly maintenance window, during which time you apply software patches. By having such a schedule for routine maintenance tasks, network administrators are less likely to forget an important task because they were busy responding to urgent tasks. Also, due to maintenance windows, users can be made aware of when various network services will be unavailable, thus minimizing the impact on workflow.

Managing Network Changes

Making changes to a network often has the side effect of impacting the productivity of users relying on network resources. In addition, a change to one network component might create a problem for another network component. For example, perhaps a firewall
was installed to provide better security for a server farm. However, one of the servers in the server farm acted as an FTP server, and the firewall configuration did not consider that server in addition to the common protocols that were allowed to pass through the firewall (for example, DNS, SMTP, POP3, HTTP, HTTPS, and IMAP). Therefore, the installation of a firewall to better secure a server farm resulted in a troubleshooting issue, where users could no longer reach their FTP server.

The timing of network changes should also be considered. Rather than taking a router down to upgrade its version of Cisco IOS during regular business hours, such an operation should probably be performed during off hours. Of course, some network maintenance tasks are urgent (for example, a widespread network outage). Those tasks need timely responses, without going through a formalized change management notification process and allowing time for other departments to respond.

Making different organization areas aware of upcoming maintenance operations can also aid in reducing unforeseen problems associated with routine maintenance. For example, suppose that one information technology (IT) department within an organization is responsible for maintaining WAN connections that interconnect various corporate offices, whereas another IT department is charged with performing network backups. If the WAN IT department plans to upgrade the WAN link between a couple of offices at 2:00 a.m. next Tuesday, the IT department in charge of backups should be made aware of that planned upgrade, because a backup of remote data (that is, data accessible over the WAN link to be upgraded) might be scheduled for that same time period. Some organizations have a formalized change management process, where one department announces online their intention to perform a particular maintenance task during a specified time period. Other departments are then notified of this upcoming change, and determine whether the planned change will conflict with that department's operations. If a conflict is identified, the departments can work together to accommodate one another's needs.

When defining a change management system for your organization, consider the following:

■ Who is responsible for authorizing various types of network changes?
■ Which tasks should only be performed during scheduled maintenance windows?
■ What procedures should be followed prior to making a change (for example, backing up a router's configuration prior to installing a new module in the router)?
■ What measurable criteria determine the success or failure of a network change?
■ How will a network change be documented, and who is responsible for the documentation?
■ How will a rollback plan be created, such that a configuration can be restored to its previous state if the changes resulted in unexpected problems?
■ Under what circumstances can formalized change management policies be overridden, and what (if any) authorization is required for an override?

Maintaining Network Documentation

Network documentation typically gets created as part of a network's initial design and installation. However, keeping that documentation current, reflecting all changes made since the network's installation, should be part of any network maintenance model. Keeping documentation current helps more effectively isolate problems when troubleshooting. In addition, accurate documentation can prove to be valuable to designers who want to scale the network.

At a basic level, network documentation could consist of physical and logical network diagrams, in addition to a listing of network components and their configurations. However, network documentation can be much more detailed, including such components as formalized change management procedures, a listing of contact information (for example, for service providers and points of contact in an organization's various IT groups), and the rationale for each network change made. While the specific components in a set of network documentation can vary, just as the procedures in a network maintenance model vary, the following list outlines common elements found in a set of network documentation:

■ Logical topology diagram: A logical topology diagram shows the interconnection of network segments, the protocols used, deployed VLANs, and IP addressing, as well as how end users interface with the network. However, this diagram is not concerned with the physical locations of network components.
■ Physical topology diagram: Unlike a logical topology diagram, a physical topology diagram shows how different geographical areas (for example, floors within a building, buildings, or entire sites) interconnect. The diagram reflects where various network components are physically located.
■ Listing of interconnections: A listing of interconnections could be, for example, a spreadsheet that lists which ports on which devices are used to interconnect network components or connect out to service provider networks. Circuit IDs for service provider circuits might be included in this documentation.
■ Inventory of network equipment: An inventory of network equipment would include such information as the equipment's manufacturer, model number, version of software, information about the licensing of the software, serial number, an organization's asset tag number, and modules installed, to name a few.
■ IP address assignments: An organization might use private IP address space internally and use Network Address Translation (NAT) to translate those private IP address space numbers into publicly routable IP addresses. Alternatively, an organization might have public IP addresses assigned to some or all of their internal devices. A classful IP address space (either public or private) might be subdivided within an organization, resulting in subnets with a nondefault subnet mask. For IPv6 the organization might be manually assigning the interface ID to each device, using EUI-64, or a combination of both. These types of IP addressing specifications would be included in a set of network documentation.

■ Configuration information: When a configuration change is made, the current configuration should be backed up. With a copy of current configuration information, a device could be replaced quicker, in the event of an outage. Beyond having a backup of current configuration information, some network administrators also maintain archival copies of previous configurations. These older configurations could prove useful when attempting to roll back to a previous configuration state or when trying to duplicate a previous configuration in a new location. It is a good practice to name archival copies of previous configurations based on a certain format that makes sense to you. For example, some companies name their archival copies by date, others by function, and still others by a combination of both.
■ Original design documents: Documents created during the initial design of a network might provide insight into why certain design decisions were made and how the original designers envisioned future network expansion.

Larger network environments often benefit from having step-by-step guidelines for troubleshooting a given network issue. Such a structured approach to troubleshooting helps ensure that all troubleshooting personnel use a common approach. Although a network issue might be successfully resolved through various means, if different personnel troubleshoot using different approaches, at some point those approaches might conflict with one another, resulting in further issues.

For example, consider one network administrator that configures IEEE 802.1Q trunking on Cisco Catalyst switches by disabling Dynamic Trunking Protocol (DTP) frames and forcing a port to act as a trunk port. Another network administrator within the same company configures 802.1Q trunking by setting a port's trunk state to desirable, which creates a trunk connection only if it receives a DTP frame from the far end of the connection. These two approaches are not compatible, and if each of these two network administrators configured different ends of what they intended to be an 802.1Q trunk, the trunk connection would never come up. This example illustrates the criticality of having clear communication among IT personnel and a set of standardized procedures to ensure consistency in network configuration and troubleshooting practices.

Restoring Operations After a Failure

Although most modern network hardware is very reliable, failures do occur from time to time. Aside from hardware failures, environmental factors could cause a network outage. As a few examples, the failure of an air conditioner unit could cause network equipment to overheat, water leakage due to flooding or plumbing issues could cause hardware failures, and a fire could render the network equipment unusable. Planning and provisioning hardware and software for such outages before they occur can accelerate recovery time. To efficiently replace a failed (or damaged) device, you should be in possession or have the ability to acquire relatively quickly the following:

■ Duplicate hardware: The hardware can be stored locally or it can be attainable through a supplier that can get you the device within a certain time based on a service level agreement (SLA).

■ Operating system and application software (along with any applicable licensing) for the device: Although you can get this from the manufacturer (such as Cisco), it is advisable to have an exact copy of the operating systems and application software stored locally for each device you are using in the organization.
■ Backup of device configuration information: When a failure happens, you need to restore your device to its last known good configuration. It is ideal to have a backup of the configuration files on a server in the organization. However, if that is not possible, at a minimum have the configurations documented in Notepad somewhere. You do not want to be caught in a situation where you have no information related to the configuration of a device being restored.

Measuring Network Performance

Network monitoring is a proactive approach to network maintenance, enabling you to be alerted to trends and utilization statistics (as a couple of examples). These statistics can forecast future issues, allowing you to be proactive and fix problems before they affect network users. Also, if you work for a service provider, network performance monitoring can ensure that you are providing an appropriate service level to a customer. Conversely, if you are a customer of a service provider, network monitoring can confirm that the service provider is conforming to the SLA for which you are paying.

The Troubleshooting and Network Maintenance Relationship

A structured troubleshooting approach provides step-by-step processes that offer a repeatable, consistent plan that makes the troubleshooter more efficient and effective. During our coverage of the structured approach you might have noticed that documentation, baselines, change control, and communication were mentioned. All of these are fundamental assets to your success as a troubleshooter. As a result, we will heavily rely on these resources when issues occur. However, they do not simply appear from the ether. As you have seen from the discussion of network maintenance, documentation and baselines are created at a specific point in time for a device and provide a snapshot of the health and configuration of that device at that point. What happens if someone neglects to update the documentation or baselines based on changes that may have occurred during scheduled maintenance or some past issue? What happens if we have difficulty communicating with others or they withhold information from us? These assets become liabilities as they are unable to address the question: What should be occurring in the network?

As you have seen, network maintenance tasks often include troubleshooting tasks, and vice versa. For example, when installing a new network component as part of ongoing network maintenance, an installer is often required to troubleshoot the installation until the new network component is functioning properly. Also, when troubleshooting a network issue, the troubleshooter might use network documentation (for example, a physical topology diagram created as part of a network maintenance task) to help isolate a problem.

This interrelationship between maintenance and troubleshooting suggests that the effectiveness of your troubleshooting efforts is influenced by the effectiveness of your routine network management tasks. Because these tasks are so interrelated, you might want to take proactive measures to ensure your structured maintenance and troubleshooting processes complement one another. For example, both network troubleshooting and maintenance include a documentation component. Therefore, the value of a centralized repository of documentation increases as a result of its use for both maintenance and troubleshooting efforts.

Maintaining Current Network Documentation

A set of maintained network documentation can dramatically improve the efficiency of troubleshooting efforts. For example, if a troubleshooter is following the path that specific traffic takes through a network, physical and logical topology diagrams could help identify the next network component to check. A danger with relying on documentation is that if the documentation is dated (not maintained), troubleshooters could be led down an incorrect path because of their reliance on that documentation. Such a scenario is often worse than not having documentation at all, because in the absence of documentation, they have to create their own path; therefore, troubleshooters are not led down the wrong path during the troubleshooting process.

Although few argue with the criticality of maintaining current documentation, in practice, documenting troubleshooting efforts often falls by the wayside. The troubleshooter's focus is on resolving a reported issue in a timely manner (that is, an urgent task) rather than documenting what they are doing at the time (that is, an important task). The lack of follow-through when it comes to documenting what happened during a troubleshooting scenario is understandable. Following are a few suggestions to help troubleshooters keep in mind the need to document their steps:

■ Require documentation: By making documentation a component in the troubleshooting flow, troubleshooters know that before a problem report or a trouble ticket can be closed out, they must generate appropriate documentation. This knowledge often motivates troubleshooters to perform some level of documentation (for example, scribbling notes on the back of a piece of paper) as they are performing their tasks, as opposed to later trying to recall what they did from memory, thus increasing the accuracy of the documentation.
■ Schedule documentation checks: A structured maintenance plan could include a component that routinely requires verification of network documentation and when it was last updated based on timestamps.
■ Automate documentation: Because manual checks of documentation might not be feasible in larger environments, automated processes could be used to, for example, compare current and backup copies of device configurations. Any difference in the configurations indicates that someone failed to update the backup configuration of a device after making a configuration change to that device. To assist with the automation of backups, Cisco IOS offers the Configuration Replace and Configuration Rollback feature and the Embedded Event Manager.
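The comparison made by eye in Example 1-1a and Example 1-1b, and the automated current-versus-backup configuration check suggested above, can be scripted. The following Python script is an added example, not code from the book: it parses two constructed IOS-style configurations (modelled on Example 1-1) into sections and reports the lines that differ, which here is the changed default-router.

```python
"""Compare a running IOS configuration with an archived baseline, section by section.

Added example (not code from the book). Both configurations below are
constructed samples modelled on Example 1-1a and Example 1-1b.
"""

# Constructed sample: the current running configuration (compare Example 1-1a).
RUNNING_CONFIG = """\
ip dhcp excluded-address 10.1.8.1 10.1.8.10
!
ip dhcp pool POOL-A
 network 10.1.8.0 255.255.255.0
 default-router 10.1.1.1
 dns-server 192.168.1.1
 netbios-name-server 192.168.1.2
!
interface GigabitEthernet0/0
 ip address 10.1.8.1 255.255.255.0
"""

# Constructed sample: the archived baseline from the TFTP server (compare Example 1-1b).
BASELINE_CONFIG = """\
ip dhcp excluded-address 10.1.8.1 10.1.8.10
!
ip dhcp pool POOL-A
 network 10.1.8.0 255.255.255.0
 default-router 10.1.8.1
 dns-server 192.168.1.1
 netbios-name-server 192.168.1.2
!
interface GigabitEthernet0/0
 ip address 10.1.8.1 255.255.255.0
"""


def parse_sections(config):
    """Split an IOS configuration into {top-level command: [indented lines]}.

    A line with no leading space starts a section; indented lines belong to
    the most recent section. Blank lines and '!' separators are skipped, and
    global one-line commands become sections with an empty body.
    """
    sections = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def compare_configs(running, baseline):
    """Return {section: {"added": [...], "removed": [...]}} for sections that differ.

    'added' lines are present only in the running configuration, 'removed'
    lines only in the baseline. A section missing from one side is reported
    whole, flagged with the marker '<entire section>'.
    """
    run_sections = parse_sections(running)
    base_sections = parse_sections(baseline)
    diff = {}
    for header in sorted(set(run_sections) | set(base_sections)):
        run_lines = run_sections.get(header)
        base_lines = base_sections.get(header)
        if run_lines is None:
            diff[header] = {"added": [], "removed": ["<entire section>"] + base_lines}
        elif base_lines is None:
            diff[header] = {"added": ["<entire section>"] + run_lines, "removed": []}
        else:
            added = [line for line in run_lines if line not in base_lines]
            removed = [line for line in base_lines if line not in run_lines]
            if added or removed:
                diff[header] = {"added": added, "removed": removed}
    return diff


def report(diff):
    """Render the differences in a diff-like form for a trouble ticket or log."""
    if not diff:
        return "running configuration matches the archived baseline"
    lines = []
    for header, change in diff.items():
        lines.append(f"section '{header}' differs from baseline:")
        lines.extend(f"  - {line}" for line in change["removed"])
        lines.extend(f"  + {line}" for line in change["added"])
    return "\n".join(lines)


if __name__ == "__main__":
    # Expected: the POOL-A default-router changed from 10.1.8.1 to 10.1.1.1.
    print(report(compare_configs(RUNNING_CONFIG, BASELINE_CONFIG)))
```

Run against a configuration archived by the scheduled-backup task, a non-empty report is the signal that either the device changed without a change record or the backup was never refreshed.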

Establishing a Baseline

As previously mentioned, troubleshooting involves knowing what should be happening on the network, observing what is currently happening on the network, and determining the difference between the two. To determine what should be happening on the network, a baseline of network performance should be measured as part of a routine maintenance procedure and updated on a regular basis. For example, a routine network maintenance procedure might require that a show processes cpu command be periodically issued on all routers in a network, with the output logged and archived. When troubleshooting a performance problem on a router, you could issue this command to determine how a router is currently operating. However, without a baseline as a reference before troubleshooting, you might not be able to draw a meaningful conclusion based on the command output. As shown in Example 1-2, the show processes cpu command demonstrates the 5-second, 1-minute, and 5-minute CPU utilization averages (the two numbers in the 5-second figure are the total utilization and the portion of it spent at interrupt level).

Example 1-2 Monitoring Router CPU Utilization

R1#show processes cpu
CPU utilization for five seconds: 18%/18%; one minute: 22%; five minutes: 22%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           0         1          0  0.00%  0.00%  0.00%   0 Chunk Manager
   2           4       167         23  0.00%  0.00%  0.00%   0 Load Meter
   3         821       188       4367  0.00%  0.13%  0.14%   0 Exec
   4           4         1       4000  0.00%  0.00%  0.00%   0 EDDRI_MAIN
   5       43026      2180      19736  0.09%  0.00%  0.03%   0 Check heaps
...OUTPUT OMITTED...

Communication

Each of the troubleshooting steps outlined in the structured approach requires clear communication. Table 1-4 describes how communication plays a role in each troubleshooting phase.

Table 1-4 Importance of Clear Communication During Troubleshooting

Troubleshooting Step | The Role of Communication
Problem report | When a user reports a problem, clear communication with that user helps define the problem. For example, the user can be asked exactly what is not working correctly, if she made any recent changes, and when the problem started.
Collect information | Some information collected might come from other parties (for example, a service provider). Clearly communicating with those other parties helps ensure collection of the proper data.
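Comparing a fresh show processes cpu capture against the archived baseline is the step the passage above leaves to the reader. The following is an added example, not code from the book: it parses the command output into the header totals and a per-process table, then lists the processes whose 5-minute average has risen materially over the baseline. Both captures are constructed samples in the format the command prints; the 5-point threshold is an assumption for the example. A sudden rise in a process such as IP Input relative to its baseline is one of the first signs of process-switched flood traffic or a routing loop, which is why this check belongs in the troubleshooting toolkit.

```python
"""Compare a "show processes cpu" capture against an archived baseline.
Added example for this chapter, not code from the book. The two captures
below are constructed samples in the format the command prints."""
import re

HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%")
# Columns: PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s+(.+?)\s*$")


def parse_processes_cpu(text):
    """Return {"totals": (5s total, 5s interrupt, 1min, 5min),
               "procs": {process name: (5sec, 1min, 5min)}}."""
    totals = None
    procs = {}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            totals = tuple(int(x) for x in m.groups())
            continue
        m = ROW_RE.match(line)
        if m:
            procs[m.group(9)] = tuple(float(m.group(i)) for i in (5, 6, 7))
    if totals is None:
        raise ValueError("no CPU utilization header found")
    return {"totals": totals, "procs": procs}


def cpu_deviations(current, baseline, delta=5.0):
    """Processes whose 5-minute average rose by more than `delta` percentage
    points over the baseline, largest rise first, as (name, base, now).
    A process missing from the baseline is compared against 0."""
    out = []
    for name, (_, _, five_min) in current["procs"].items():
        base = baseline["procs"].get(name, (0.0, 0.0, 0.0))[2]
        if five_min - base > delta:
            out.append((name, base, five_min))
    return sorted(out, key=lambda t: t[2] - t[1], reverse=True)


# Constructed sample: the capture archived during routine maintenance.
BASELINE_CAPTURE = """\
CPU utilization for five seconds: 4%/1%; one minute: 5%; five minutes: 5%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           0         1          0  0.00%  0.00%  0.00%   0 Chunk Manager
   3         821       188       4367  0.00%  0.13%  0.14%   0 Exec
  71       51220    905112         56  1.20%  1.90%  2.50%   0 IP Input
  90        4019     22311        180  0.08%  0.10%  0.10%   0 ARP Input
"""

# Constructed sample: the capture taken while users report slowness.
CURRENT_CAPTURE = """\
CPU utilization for five seconds: 67%/12%; one minute: 61%; five minutes: 58%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           0         1          0  0.00%  0.00%  0.00%   0 Chunk Manager
   3         902       201       4487  0.00%  0.15%  0.14%   0 Exec
  71     1802117  44119082         40 49.30% 41.10% 38.70%   0 IP Input
  90      301220   9017331         33 11.90%  9.80%  8.20%   0 ARP Input
"""

if __name__ == "__main__":
    now = parse_processes_cpu(CURRENT_CAPTURE)
    base = parse_processes_cpu(BASELINE_CAPTURE)
    print("five-minute total: baseline %d%%, now %d%%"
          % (base["totals"][3], now["totals"][3]))
    for name, was, is_now in cpu_deviations(now, base):
        print("%-14s %6.2f%% -> %6.2f%%" % (name, was, is_now))
```

Without the baseline, the 58% five-minute figure alone does not tell you whether the router is in trouble; with it, the script points straight at IP Input as the process that changed.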

Examine collected information | Because a troubleshooter is often not fully aware of all aspects of a network, collaboration with other IT personnel is often necessary.
Eliminate potential causes | The elimination of potential causes might involve consultation with others. This consultation could provide insight leading to the elimination of a potential cause.
Propose an hypothesis | The consultation a troubleshooter conducts with other IT personnel when eliminating potential causes might also help the troubleshooter more accurately hypothesize a problem's underlying cause.
Verify hypothesis | Temporary network interruptions often occur when verifying an hypothesis. Therefore, depending on the severity of an issue, the nature and reason for an interruption should be communicated to the users impacted.
Problem resolution | After a problem is resolved, the user originally reporting the problem should be informed, and the user should confirm that the problem has truly been resolved.

Also, multiple network administrators could be involved in troubleshooting a problem. Because these troubleshooters might be focused on different tasks at different times, it is possible that no single administrator can report on the overall status of the problem. Therefore, when managing a major outage, those involved in troubleshooting the outage should divert user inquiries to a manager who is in frequent contact with the troubleshooting personnel. As a side benefit, being able to quickly divert user requests for status reports to a manager helps minimize interruptions from users.

Change Management

Managing when changes can be made and by whose authority helps minimize network downtime. The process of change management includes using policies that dictate rules regarding how and when a change can be made and how that change is documented. In fact, these two factors (that is, when a change is allowed and who can authorize it) are the distinguishing factors between making a change as part of a routine maintenance plan and making a change as part of a troubleshooting process.

Consider the following scenario, which illustrates how a maintenance change could be a clue while troubleshooting a problem report: Last week, a network administrator attempted to better secure a Cisco Catalyst switch by administratively shutting down any ports that were in the down/down state (that is, no physical layer connectivity to a device). This morning, a user reported that her PC could not access network resources. After clearly defining the problem, as part of the collect information troubleshooting phase, the troubleshooter asked whether anything had changed. Even though the user was unaware of any changes, she mentioned that she had just returned from vacation, thus leading the troubleshooter to wonder if any network changes had occurred while the user was on vacation. Thanks to the network's change management system, the troubleshooter was able to find in the documentation that last week an administrator had administratively shut down this user's switchport because it was down/down while the user was on vacation and her computer was shut off.

The previous scenario is an excellent example of how following a structured troubleshooting approach, having accurate documentation, and a sound change management policy minimized the total time it took the troubleshooter to solve the problem.

Exam Preparation Tasks

As mentioned in the section "How to Use This Book" in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, "Final Preparation," and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 1-5 lists a reference of these key topics and the page numbers on which each is found.

Table 1-5 Key Topics for Chapter 1

Key Topic Element | Description | Page Number
List | Outlines the simplified troubleshooting flow | 10
Table 1-2 | Identifies the five steps used while diagnosing a problem | 10
List | Outlines the structured troubleshooting flow | 11
Section | Provides details of each step during structured troubleshooting | 13
List | Lists the various troubleshooting methods that can be used to narrow the field of potential causes | 20
List | Lists examples of network maintenance tasks | 27
List | Lists examples of network maintenance models | 28
List | Identifies questions that need to be addressed while implementing a change management system | 31
List | Outlines various types of documents that should exist and be maintained within an organization | 32
List | Examples of how to help troubleshooters remember the importance of documenting their steps | 35
Paragraph | Identifies the importance of a baseline | 36

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary: interrupt-driven task, structured maintenance task, top-down method, bottom-up method, divide-and-conquer method, following the traffic path method, comparing configurations method, component swapping method, shoot from the hip, FCAPS, ITIL, Cisco Lifecycle Services, change management, baseline, documentation

This chapter covers the following topics:

■ The Troubleshooting and Network Maintenance Toolkit: This section introduces you to the essential tools for troubleshooting and maintenance tasks.

■ Using Cisco IOS to Verify and Define the Problem: This section reviews the ping, telnet, and traceroute utilities.

■ Using Cisco IOS to Collect Information: This section focuses on how to use the CLI to collect information for troubleshooting and maintenance.

■ Collecting Information in Transit: This section identifies how you can configure switches to send copies of frames to packet capturing devices using SPAN and RSPAN.

■ Using CLI Tools to Document a Network: This section focuses on the steps and commands required to successfully document a network diagram.

CHAPTER 2

Troubleshooting and Maintenance Tools

Collecting network information is an ongoing process. There is no argument that you will be collecting network information when there is an issue, and you need it now, not later. However, if that is the only time you collect network information, you are missing the necessary key element of an efficient and effective troubleshooting process. To be an efficient and effective troubleshooter, you need to gather baseline data on a regular basis so that you have something to compare your current issue to. Therefore, you need network information about the good times and the bad times. In addition, the statistics related to certain network events (for example, processor utilization on a network server exceeding a specified threshold) could trigger the writing of log information (for example, to a syslog server), so you have a snapshot of the device's health at that point in time.

This chapter introduces you to a sampling of Cisco IOS tools and features designed for network maintenance and troubleshooting.

"Do I Know This Already?" Quiz

The "Do I Know This Already?" quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 2-1 lists the major headings in this chapter and their corresponding "Do I Know This Already?" quiz questions. You can find the answers in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes."

Table 2-1 "Do I Know This Already?" Section-to-Question Mapping

Foundation Topics Section | Questions
The Troubleshooting and Network Maintenance Toolkit | 1–6
Using Cisco IOS to Verify and Define the Problem | 7–9
Using Cisco IOS to Collect Information | 10
Collecting Information in Transit | 11
Using CLI Tools to Document a Network | 12

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which three of the following are components that would be most useful when recovering from a network equipment outage?
a. Backup of device configuration information
b. Physical topology
c. Duplicate hardware
d. Operating system and application software (along with any applicable licensing) for the device

2. The types of information collection used in troubleshooting fall into which three broad categories?
a. Troubleshooting information collection
b. Baseline information collection
c. QoS information collection
d. Network event information collection

3. Which of the following would be appropriate for a collaborative web-based documentation solution?
a. Blog
b. Vlog
c. Wiki
d. Podcast

4. Which command enables you to view archival copies of a router's startup configuration?
a. show backup
b. show archive
c. show flash: | begin backup
d. show ftp: | begin archive

5. Which of the following is a Cisco IOS technology that uses a collector to take data from monitored devices and present graphs, charts, and tables to describe network traffic patterns?
a. NBAR
b. NetFlow
c. QDM
d. IPS

6. Which two of the following are characteristics of the NetFlow feature? (Choose the two best answers.)
a. Collects detailed information about traffic flows
b. Collects detailed information about device statistics
c. Uses a pull model
d. Uses a push model

7. Which command can be used to determine whether transport layer connectivity is functioning?
a. telnet
b. ping
c. traceroute
d. arp -a

8. Which of the following is the ping response to a transmitted ICMP echo datagram that needed to be fragmented when fragmentation was not permitted?
a. U
b. M
c. D
d. .

9. Which command enables you to determine whether a routing loop exists?
a. telnet
b. ping
c. traceroute
d. arp -a

10. Which of the following commands displays a router's running configuration, starting where the routing protocol configuration begins?
a. show running-config | tee router
b. show running-config | begin router
c. show running-config | redirect router
d. show running-config | append router

11. What feature available on Cisco Catalyst switches enables you to connect a network monitor to a port on one switch to monitor traffic flowing through a port on a different switch?
a. RSTP
b. SPAN
c. RSPAN
d. SPRT

12. What IOS command enables you to discover the Cisco devices that are directly connected to other Cisco devices?
a. show ip interface brief
b. show interface status
c. show cdp neighbor
d. show version

Foundation Topics

The Troubleshooting and Network Maintenance Toolkit

As previously discussed, troubleshooting and maintenance go hand in hand. A relationship exists between the two. Therefore, the tools we use for troubleshooting and maintenance will be very similar, if not the same. Chapter 1, "Introduction to Troubleshooting and Network Maintenance," introduced you to a series of steps that provide a structured troubleshooting process. Several of these steps involve the use of tools that will help gather, examine, and compare information, in addition to fixing and possibly rolling back configurations. Let's examine four of these steps:

■ Problem report: By proactively monitoring network devices with specialized reporting tools, you might be alerted to impending performance issues before users are impacted and report them.

■ Collect information: The collection of information when troubleshooting a problem can often be made more efficient through the use of specialized maintenance and troubleshooting tools.

■ Examine collected information: As troubleshooters investigate the information they collected during the troubleshooting process, they need to know what normal network behavior looks like. They can then contrast that normal behavior against what they are observing in their collected data.

■ Verify hypothesis: Specialized maintenance and troubleshooting tools help a troubleshooter implement a fix for an issue. However, if that fix proves unsuccessful, the same tools can also help roll back the attempted fix.

If you look closely, the information that is collected essentially falls into one of three categories:

■ Troubleshooting information collection: This is the information collected while troubleshooting an issue that was either reported by a user or a network management station (NMS). At this point, you are gathering more information that will help paint a clearer picture of the issue at hand.

■ Baseline information collection: This is the information collected when the network is operating normally. This information provides a frame of reference against which other data can be compared when we are troubleshooting an issue. Specialized maintenance tools can be used in a network to collect baseline data on an ongoing basis so that it is available and current when needed.

■ Network event information collection: This is the information collected when our devices automatically generate alerts in response to specific conditions (for example, configured utilization levels on a switch, router, or server being exceeded). These alerts can be simple notification messages or emergency messages.

Because such a tight relationship exists between troubleshooting and network maintenance, you should identify the tools required to carry out your maintenance processes based on how well targeted they are toward your specific business processes and tasks. During the troubleshooting process, they will come in handy. This section focuses on tools that are necessary for troubleshooting and maintenance tasks. Many solutions are available on the market. However, you do not have to purchase the most expensive tool to get the best product. The features you want the tool to provide will determine the overall cost. Shop around and communicate with the vendors to see what they have to offer you and your business needs. Get free trials and work with them for a while. That is the only way you will be able to determine whether the product will work for you.

Network Documentation Tools

It is fitting that we start this chapter with a discussion on network documentation tools, because without them, all the other tools we use mean nothing if we are not documenting their findings. Chapter 1 discussed the importance of network documentation. However, for this documentation to truly add value and be an asset, it should be easy to retrieve and, more important, be current. To keep the documentation current is a challenge for most people. The big reason is time. However, you can make it less challenging and less time-consuming if it is easy to update with the proper tools. A couple of documentation management system examples are as follows:

■ Trouble ticket reporting system: Several software applications are available for recording, tracking, and archiving trouble reports (that is, trouble tickets). These applications are often referred to as help desk applications. However, their usefulness extends beyond the help desk environment.

■ Wiki: A wiki can act as a web-based collaborative documentation platform. A popular example of a wiki is Wikipedia (http://www.wikipedia.org), an Internet-based encyclopedia that can be updated by users. This type of wiki technology can also be used on your local network to maintain a central repository for documentation that is both easy to access and easy to update.

The true power of documentation is seen during the troubleshooting process, and this is especially true when you have a well-organized, searchable repository of information. For example, if you have a searchable database of past issues that were solved, and guides that can be followed to resolve issues, you can leverage that information and be more efficient and effective, while helping you focus your troubleshooting efforts without having to wade through reams of irrelevant information. However, do not forget to update the documentation after you solve the ticket. Just because it was reported in the past and already had a resolution does not mean you can skip the documentation process. At some point, we may need to rely on the number of entries in a ticket reporting system to determine whether some greater issue is lurking in the shadows and causing the recurrence of the same minor issues over and over.

Basic Tools

Troubleshooting and network maintenance tools often range in expense from free to tens of thousands of dollars. Similarly, these tools vary in their levels of complexity and usefulness for troubleshooting and maintaining specific issues. You need to select tools that balance your troubleshooting and maintenance needs while meeting your budgetary constraints. Regardless of budget, all Cisco troubleshooting and network maintenance toolkits will contain the command-line interface (CLI) commands that are executable from a router or switch prompt. In addition, many network devices have a graphical user interface (GUI) to assist network administrators in their configuration and monitoring tasks. External servers (for example, backup servers, logging servers, and time servers) can also collect, store, or provide valuable information for day-to-day network operations and for troubleshooting and maintenance.

CLI Tools

Cisco IOS offers a wealth of CLI commands, which can prove invaluable when troubleshooting a network issue. For example, a show command, which displays a static snapshot of information, can display router configuration information and the routes that have been learned by a routing process. The debug command can provide real-time information about router or switch processes. To illustrate, consider Example 2-1, which shows router R2 receiving Open Shortest Path First (OSPF) link-state updates from its OSPF neighbors as those updates occur.

Example 2-1 Sample debug Output

R2#debug ip ospf events
OSPF events debugging is on
R2#
*Mar  1 00:06:06.679: OSPF: Rcv LS UPD from 10.4.4.4 on Serial1/0.1 length 124 LSA count 1
*Mar  1 00:06:06.691: OSPF: Rcv LS UPD from 10.3.3.3 on Serial1/0.2 length 124 LSA count 1
*Mar  1 00:06:06.999: OSPF: Rcv LS UPD from 10.3.3.3 on Serial1/0.2 length 124 LSA count 1
*Mar  1 00:06:07.067: OSPF: Rcv LS UPD from 10.4.4.4 on Serial1/0.1 length 156 LSA count 2

This is one of many show and debug examples you will see throughout this book. The focus of this book is on those show and debug CLI commands that will assist us in solving trouble tickets. Keep in mind that debug output is produced in real time by the router's CPU; on a busy production device, an unfiltered debug can consume enough CPU to become an outage of its own, so scope debugs as narrowly as the command allows and turn them off with undebug all when you are done. Cisco IOS also has a CLI feature that allows a router to monitor events and automatically respond to a specific event (such as a defined threshold being reached) with a predefined action. This feature is called Cisco IOS Embedded Event Manager (EEM), which we cover in more detail later.

GUI Tools

Although Cisco has a great number of GUI tools, when it comes to router and switch configuration and troubleshooting for the CCNP Routing and Switching track, you will spend all your time in the CLI. As an example, however, you can use the GUI tool known as Cisco Configuration Professional (CCP) to configure and troubleshoot your Integrated Services Routers (ISRs). Figure 2-1 provides a sample of the CCP home page. Do not get too comfortable with GUI tools for the Routing and Switching track.

Figure 2-1 Cisco Configuration Professional

Recovery Tools

During the recovery process, you need access to duplicate hardware and the IOS. However, you also need a backup of the failed device's configuration. Therefore, external servers are often used to store archival backups of a device's operating system (for example, a Cisco IOS image) and the configuration information. Depending on your network device, you might be able to back up your operating system and configuration information to a TFTP, FTP, HTTP, or SCP server. To illustrate, consider Example 2-2.

Example 2-2 Backing Up a Router's Startup Configuration to an FTP Server

R1#copy startup-config ftp://cisco:cisco@192.168.1.74
Address or name of remote host [192.168.1.74]?
Destination filename [r1-confg]?
Writing r1-confg !
1446 bytes copied in 3.349 secs (432 bytes/sec)

In Example 2-2, router R1's startup configuration is being copied to an FTP server with an IP address of 192.168.1.74. Notice that the login credentials (that is, username=cisco and password=cisco) for the FTP server are specified in the copy command. In a production environment, the username and password should be stronger and not easily guessed. If you intend to routinely copy backups to an FTP server, you can avoid specifying the login credentials each time (for security purposes, because a credential typed into the copy command is visible in the command history and to anyone watching the session) by adding those credentials to the router's configuration. Example 2-3 shows how to add FTP username and password credentials to the router's configuration, and Example 2-4 shows how the startup configuration can be copied to an FTP server without explicitly specifying those credentials in the copy command. Keep in mind that FTP and HTTP carry both the credentials and the configuration itself across the network in cleartext, and that a configuration file contains every password and key the device holds; where the platform supports it, SCP is the encrypted alternative, and the credentials stored in the router's configuration deserve the same protection as any other password in that file.

Example 2-3 Adding FTP Server Login Credentials to a Router's Configuration

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip ftp username cisco
R1(config)#ip ftp password cisco
R1(config)#end

Example 2-4 Backing Up a Router's Startup Configuration to an FTP Server Without Specifying Login Credentials

R1#copy startup-config ftp://192.168.1.74
Address or name of remote host [192.168.1.74]?
Destination filename [r1-confg]?
Writing r1-confg !
1446 bytes copied in 3.389 secs (427 bytes/sec)

Example 2-5 shows how to add HTTP username and password credentials to the router's configuration. Compare this to the FTP configuration commands and notice the difference.

Example 2-5 Adding HTTP Server Login Credentials to a Router's Configuration

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip http client username cisco
R1(config)#ip http client password cisco
R1(config)#end

The process of backing up a router's configuration can be automated using an archiving feature, which is part of the Cisco IOS Configuration Replace and Configuration Rollback feature. Specifically, you can configure a Cisco IOS router to periodically (that is, at intervals specified in minutes) back up a copy of the configuration to a specified location (for example, the router's flash or an FTP server). Also, the archive feature can be configured to create an archive every time you copy a router's running configuration to the startup configuration. Example 2-6 illustrates a router configured to back up the running configuration every 1440 minutes to an FTP server with an IP address of 192.168.1.74. The login credentials have already been configured in the router's configuration. In addition, the write-memory command causes the router to archive a copy of the configuration whenever the router's running configuration is copied to the startup configuration using either the write memory or the copy running-config startup-config command. Remember that each archive is a complete copy of the configuration, including any passwords and keys it contains, so the server that stores the archives needs the same access controls as the devices themselves.

Example 2-6 Automatic Archive Configuration

R1#show run
Building configuration...
...OUTPUT OMITTED...
ip ftp username cisco
ip ftp password cisco
!
archive
 path ftp://192.168.1.74/R1-config
 write-memory
 time-period 1440
...OUTPUT OMITTED...

You can view the files stored in a configuration archive by issuing the show archive command, as demonstrated in Example 2-7.

Example 2-7 Viewing a Configuration Archive

R1#show archive
The maximum archive configurations allowed is 10.
The next archive file will be named ftp://192.168.1.74/R1-config-3
 Archive # Name
   1       ftp://192.168.1.74/R1-config-1
   2       ftp://192.168.1.74/R1-config-2 <- Most Recent
   3
   4
   5
   6
   7
   8
   9
  10
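Because show archive only ever lists the last ten archives while the router keeps writing new files to the configured path, a backup job needs to look at both the router and the server. The following is an added example, not code from the book: it parses show archive output in the format of Example 2-7, checks that the announced next file name follows on from the most recent entry, and reconciles the listed entries against the files actually present on the server. The command output and the server listing are constructed samples; in practice the listing would come from the FTP server's directory.

```python
"""Parse "show archive" output and reconcile it with the files present on
the server that holds the archives. Added example for this chapter, not
code from the book. SHOW_ARCHIVE and SERVER_FILES are constructed
samples; SERVER_FILES stands in for a directory listing of the FTP server."""
import re

MAX_RE = re.compile(r"The maximum archive configurations allowed is (\d+)\.")
NEXT_RE = re.compile(r"The next archive file will be named (\S+)")
# An occupied slot: "   2       ftp://host/R1-config-2 <- Most Recent"
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)(\s+<-\s*Most Recent)?\s*$")
# IOS appends "-<n>" to the configured path; R1-config-16 -> 16
SEQ_RE = re.compile(r"-(\d+)$")


def sequence_number(path):
    """The archive number at the end of an archive file name."""
    m = SEQ_RE.search(path)
    if not m:
        raise ValueError("no sequence number in %r" % path)
    return int(m.group(1))


def parse_show_archive(text):
    """Return the slot limit, the next file name, the occupied slots as
    {slot: path}, and the path flagged as most recent. Empty slots (a bare
    number with no path) are skipped."""
    parsed = {"maximum": None, "next": None, "entries": {}, "most_recent": None}
    for line in text.splitlines():
        m = MAX_RE.search(line)
        if m:
            parsed["maximum"] = int(m.group(1))
            continue
        m = NEXT_RE.search(line)
        if m:
            parsed["next"] = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and "/" in m.group(2):
            slot, path = int(m.group(1)), m.group(2)
            parsed["entries"][slot] = path
            if m.group(3):
                parsed["most_recent"] = path
    return parsed


def sequence_is_consistent(parsed):
    """True when the announced next file continues the numbering of the
    most recent archive; anything else means the path is not being written
    the way the list implies and the backups should be checked by hand."""
    if parsed["next"] is None or parsed["most_recent"] is None:
        return False
    return sequence_number(parsed["next"]) == sequence_number(parsed["most_recent"]) + 1


def unlisted_archives(parsed, server_files):
    """Archive files on the server that show archive no longer lists, oldest
    first. They are still valid targets for configure replace, and they are
    what a retention job has to clean up, since the router never deletes
    files from an FTP path."""
    listed = set(parsed["entries"].values())
    return sorted((f for f in server_files if f not in listed), key=sequence_number)


# Constructed sample: the router has written sixteen archives so far.
SHOW_ARCHIVE = """\
R1#show archive
The maximum archive configurations allowed is 10.
The next archive file will be named ftp://192.168.1.74/R1-config-17
 Archive # Name
   1       ftp://192.168.1.74/R1-config-7
   2       ftp://192.168.1.74/R1-config-8
   3       ftp://192.168.1.74/R1-config-9
   4       ftp://192.168.1.74/R1-config-10
   5       ftp://192.168.1.74/R1-config-11
   6       ftp://192.168.1.74/R1-config-12
   7       ftp://192.168.1.74/R1-config-13
   8       ftp://192.168.1.74/R1-config-14
   9       ftp://192.168.1.74/R1-config-15
  10       ftp://192.168.1.74/R1-config-16 <- Most Recent
"""

# Constructed sample: what a directory listing of the FTP server shows.
SERVER_FILES = ["ftp://192.168.1.74/R1-config-%d" % n for n in range(1, 17)]

if __name__ == "__main__":
    parsed = parse_show_archive(SHOW_ARCHIVE)
    print("listed %d of %d slots, numbering consistent: %s"
          % (len(parsed["entries"]), parsed["maximum"], sequence_is_consistent(parsed)))
    for path in unlisted_archives(parsed, SERVER_FILES):
        print("on server but no longer listed:", path)
```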

Example 2-8 shows the execution of the copy run start command, which copies a router's running configuration to the router's startup configuration. The show archive command is then reissued, and the output confirms that an additional configuration archive (named R1-config-3) has been created on the FTP server because of the write-memory command we issued in config-archive configuration mode.

Example 2-8 Confirming Automated Backups

R1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Writing R1-config-3 !
R1#show archive
The maximum archive configurations allowed is 10.
The next archive file will be named ftp://192.168.1.74/R1-config-4
 Archive # Name
   1       ftp://192.168.1.74/R1-config-1
   2       ftp://192.168.1.74/R1-config-2
   3       ftp://192.168.1.74/R1-config-3 <- Most Recent
   4
   5
   6
   7
   8
   9
  10

The output of show archive indicates that the maximum configurations allowed is ten. This is not entirely true. If the archive list on the router fills up (maximum ten), the router will continue to create an archive of the running configuration at its scheduled interval. Because the path is pointing to an FTP server, we are limited only by the amount of storage space on the server. Therefore, once the list is full, the output of show archive will erase the entry for Archive 1, move all entries up the list one spot, and add the new entry to Archive 10, as shown in Example 2-9. Note that this does not delete anything from the FTP server. Only the entry in show archive is removed to make space in the list.

Example 2-9 Confirming Archive Configuration

R1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Writing R1-config-16 !
R1#show archive
The maximum archive configurations allowed is 10.
The next archive file will be named ftp://192.168.1.74/R1-config-17
 Archive # Name
   1       ftp://192.168.1.74/R1-config-7
   2       ftp://192.168.1.74/R1-config-8
   3       ftp://192.168.1.74/R1-config-9
   4       ftp://192.168.1.74/R1-config-10
   5       ftp://192.168.1.74/R1-config-11
   6       ftp://192.168.1.74/R1-config-12
   7       ftp://192.168.1.74/R1-config-13
   8       ftp://192.168.1.74/R1-config-14
   9       ftp://192.168.1.74/R1-config-15
  10       ftp://192.168.1.74/R1-config-16 <- Most Recent

However, if you are storing the archive locally in flash, for example, then in addition to moving the entries listed in the show archive command output, the older files will be deleted to make space. You can change the maximum number of archives with the maximum command in config-archive configuration mode.

Restoring a configuration backup requires copying the configuration file from its storage location to the running configuration on the router or switch. The Cisco IOS copy command treats this as a merge operation instead of a copy and replace operation. This means that copying anything into the running configuration from any source might not produce the result we desire. We can witness this with the password recovery process on a Cisco router. During this process, after you have loaded the router to factory defaults, you copy the startup configuration into the running configuration, which produces a merge. This merge is easily witnessed with the interfaces. Interfaces that were enabled do not have a no shutdown command in the startup configuration, and the factory default setting of a router interface is shutdown and includes a shutdown command. Example 2-10 shows the running configuration and the startup configuration before the copy. Once the startup configuration is copied to (merged with) the running configuration, the shutdown command prevails in the running configuration because there is no no shutdown command in the startup configuration to overwrite it, as shown in Example 2-11. To fix this, after you have copied the startup configuration to the running configuration, you have to issue the no shutdown command on all interfaces you want enabled.

Example 2-10 Comparing the Running Configuration and Startup Configuration Before Issuing the copy Command

R1#show run
...OUTPUT OMITTED...
interface FastEthernet0/0
 no ip address
 shutdown
...OUTPUT OMITTED...
R1#show start
...OUTPUT OMITTED...
interface FastEthernet0/0
 ip address 192.168.1.11 255.255.255.0
...OUTPUT OMITTED...
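The difference between a merge and a replacement is easier to reason about when the two operations are written down. The following is an added example, not Cisco code: a small model of IOS interface configuration in which each command supersedes an earlier command with the same keyword and an absent command changes nothing (the merge rule), next to a replace that discards the running state entirely. It reproduces the Example 2-10 situation with constructed running and startup configurations; the model handles only interface sections and identifies commands by their first word (first two words for ip and ipv6 commands), which is a simplification of the real parser.

```python
"""Model of what "copy startup-config running-config" (a merge) and
"configure replace" (a full replacement) do to interface state.
Added example for this chapter, not Cisco code. It covers only interface
sections, one command per line, and identifies commands by their leading
keyword, which is a simplification of the real IOS parser."""


def parse_interfaces(config_text):
    """Return {interface name: [commands]} from an IOS-style configuration.
    Lines outside "interface" sections are ignored in this model."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the section
    return interfaces


def command_key(cmd):
    """The keyword an earlier command must share to be superseded by cmd.
    "no shutdown" and "shutdown" share the key "shutdown"; "ip address ..."
    and "no ip address" share "ip address"."""
    words = (cmd[3:] if cmd.startswith("no ") else cmd).split()
    return " ".join(words[:2]) if words[0] in ("ip", "ipv6") else words[0]


def apply_command(commands, new_cmd):
    """Apply one interface command in place, replacing any earlier command
    with the same key. A command that is simply absent from the source
    never removes anything: that is the merge behaviour."""
    key = command_key(new_cmd)
    commands[:] = [c for c in commands if command_key(c) != key]
    commands.append(new_cmd)


def merge(running, source):
    """copy <source> running-config: source commands are applied on top of
    the running configuration; what exists only in running survives."""
    result = {name: list(cmds) for name, cmds in running.items()}
    for name, cmds in source.items():
        target = result.setdefault(name, [])
        for cmd in cmds:
            apply_command(target, cmd)
    return result


def replace(running, archive):
    """configure replace: the result is exactly the archived configuration,
    regardless of what the running configuration contained."""
    return {name: list(cmds) for name, cmds in archive.items()}


def is_shutdown(commands):
    """True if the interface ends up administratively down."""
    return "shutdown" in commands


# Constructed sample: the factory-default running configuration after a
# password recovery. Every interface carries an explicit shutdown.
RUNNING_DEFAULT = """\
hostname Router
!
interface FastEthernet0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
!
"""

# Constructed sample: the saved startup configuration. Enabled interfaces
# have no "no shutdown" line, exactly as IOS writes them.
STARTUP = """\
hostname R1
!
interface FastEthernet0/0
 ip address 192.168.1.11 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
!
"""

if __name__ == "__main__":
    running = parse_interfaces(RUNNING_DEFAULT)
    startup = parse_interfaces(STARTUP)
    for label, result in (("merge", merge(running, startup)),
                          ("replace", replace(running, startup))):
        for name, cmds in result.items():
            print("%-8s %-16s shutdown=%s  %s" % (label, name, is_shutdown(cmds), cmds))
```

After the merge every interface still carries its shutdown command even though it now has an address, which is exactly what Example 2-11 shows; after the replace the interfaces look like the startup file and nothing else. Issuing no shutdown through apply_command is the manual fix the text describes.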

255.. Example 2-12 Restoring an Archived Configuration Router#configure replace ftp://192.. we are usually not staring at the console output or even connected to the console port. Notice how the IOS warns you that this is a copy replace function that completely overwrites the current configuration.. Example 2-12 shows the restora- tion of an archived configuration to a router. once in production. Many events that occur on a router are automatically reported to the router’s console. R1# On the bright side. you can restore a previously archived configuration using the Key configure replace command.. Enter Y if you are sure you want to proceed.” It was the hostname. not a partial configuration.1.74/R1-config-3 This will apply all necessary additions and deletions to replace the current running configuration with the contents of the specified configuration file. a message is written to the console. ? [no]: Y Loading R1-config-3 ! [OK . this does not merge the Topic archived configuration with the running configuration.11 255.168.444 secs (1303 bytes/sec) R1#show run . Chapter 2: Troubleshooting and Maintenance Tools 53 Example 2-11 Witnessing a Configuration Merge R1#copy start run Destination filename [running-config]? 1881 bytes copied in 1.168. interface FastEthernet0/0 ip address 192.. In most cases.255. For exam- ple. which is assumed to be a complete configuration.1.3113/4096 bytes] Total number of passes: 1 Rollback Done R1# Logging Tools Device logs offer valuable information when troubleshooting a network issue. there was only one small difference between the running configuration and the archive.OUTPUT OMITTED.0 shutdown .. However. and these logging messages are not displayed via Telnet or From the Library of Outcast Outcast ..OUTPUT OMITTED.. but rather completely replaces the running configuration with the archived configuration. if a router interface goes down or up. as indicated by the statement “Total number of passes: 1. In this case. 
Unlike the copy command. we would connect to the device when needed using Telnet or Secure Shell (SSH).
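The difference between merging and replacing, modelled as an added example in Python (this is not code from the book, and the parser is a deliberate simplification that understands only interface blocks): a copy merge applies the source's lines on top of what is already there, so a shutdown that the source never mentions survives, whereas configure replace computes the additions and deletions needed to make the running configuration identical to the archive. The two configuration snippets are constructed for the example.

```python
"""Added example (not from the book): a small model of how IOS merges a
configuration with 'copy' versus replacing it with 'configure replace'.

A config is modelled as {interface line: set of sub-lines}. Real IOS
applies far more rules than this; the point is only to show why a
'shutdown' already in the running configuration survives a merge."""

from typing import Dict, List, Set, Tuple

Config = Dict[str, Set[str]]


def parse(text: str) -> Config:
    """Constructed parser: collects the lines under each 'interface X'
    block and ignores everything outside interface blocks."""
    cfg: Config = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line
            cfg.setdefault(current, set())
        elif current is not None:
            cfg[current].add(line)
    return cfg


def merge(running: Config, source: Config) -> Config:
    """'copy <source> running-config': the source's lines are applied on top
    of the running configuration. Nothing is ever removed, so a 'shutdown'
    that the source does not mention stays in place."""
    result = {intf: set(lines) for intf, lines in running.items()}
    for intf, lines in source.items():
        result.setdefault(intf, set()).update(lines)
    return result


def replace(running: Config, archive: Config) -> Config:
    """'configure replace <archive>': the running configuration is made
    identical to the archive. Lines missing from the archive are removed,
    which is why the archive must be a complete configuration."""
    return {intf: set(lines) for intf, lines in archive.items()}


def diff(before: Config, after: Config) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """(added, removed) interface lines: the 'additions and deletions'
    that configure replace warns about."""
    added: List[Tuple[str, str]] = []
    removed: List[Tuple[str, str]] = []
    for intf in sorted(set(before) | set(after)):
        b, a = before.get(intf, set()), after.get(intf, set())
        added += [(intf, line) for line in sorted(a - b)]
        removed += [(intf, line) for line in sorted(b - a)]
    return added, removed


# Constructed sample: the running config has Fa0/0 shut; the archive
# (and a startup-config in the same state) does not mention shutdown,
# because an interface that is up has no 'no shutdown' line in IOS.
RUNNING = """
interface FastEthernet0/0
 ip address 192.168.1.11 255.255.255.0
 shutdown
"""
ARCHIVE = """
interface FastEthernet0/0
 ip address 192.168.1.11 255.255.255.0
"""


def demo() -> Tuple[bool, bool]:
    """(shutdown survives a merge?, shutdown survives a replace?)"""
    running, archive = parse(RUNNING), parse(ARCHIVE)
    fa0 = "interface FastEthernet0/0"
    return ("shutdown" in merge(running, archive)[fa0],
            "shutdown" in replace(running, archive)[fa0])


if __name__ == "__main__":
    print(demo())  # (True, False)
    print(diff(parse(RUNNING), replace(parse(RUNNING), parse(ARCHIVE))))
```

The diff for the replace case lists exactly one deletion, the shutdown line; the diff for the merge case is empty, which is the merge result Example 2-11 shows on the real router.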

Logging Tools

Device logs offer valuable information when troubleshooting a network issue. Many events that occur on a router are automatically reported to the router's console. For example, if a router interface goes down or up, a message is written to the console. However, once in production, we are usually not staring at the console output or even connected to the console port. In most cases, we would connect to the device when needed using Telnet or Secure Shell (SSH), and these logging messages are not displayed via Telnet or SSH by default. If you are connected to a router through Telnet or SSH and want to see console messages, you have to enter the command terminal monitor in privileged EXEC mode.

A downside of solely relying on console messages is that those messages can scroll off the screen, or you might close your terminal emulator, after which those messages would no longer be visible as the session is reset. Therefore, a step beyond logging messages to the console is logging messages to a router's buffer (the router's RAM). To cause messages to be written to a router's buffer, you can issue the logging buffered command. As part of that command, you can specify how much of the router's RAM can be dedicated to logging. After the buffer fills to capacity, older entries will be deleted to make room for newer entries. You can view the logging messages in the buffer by issuing the show logging command. If you need to clear the logging messages in the buffer, issue the clear logging command in privileged EXEC mode.

Logging severity levels range from 0 to 7, with corresponding names, as shown in Table 2-2. Notice that lower severity levels are more severe than those with higher levels.

Table 2-2 Severity Levels

Severity Level   Name
0                Emergencies
1                Alerts
2                Critical
3                Errors
4                Warnings
5                Notifications
6                Informational
7                Debugging

You might want to log messages of one severity level to a router's console and messages of another severity level to the router's buffer. This is possible by using the logging console severity_level and logging buffered severity_level commands. For example, if you want to log level 6 and lower to the console and level 7 and lower to the buffer, you enter logging console 6 and logging buffered 7 in global configuration mode. You can also specify the severity level by name instead of number. By default, the console, vty lines, and buffer will log all messages with a severity level of 7 and lower; however, debugs are logged only when they are turned on with debug commands.

Another logging option is to log messages to an external syslog server. By sending log messages to an external server, you can keep a longer history of logging messages. Depending on the syslog server software, you might be able to schedule automated log archiving, create advanced alerts, configure advanced script actions, and produce statistical graphs.

You can direct your router's log output to a syslog server's IP address using the logging ip_address command, and you can specify the severity level that will be sent to the syslog server by using the logging trap severity_level command. Example 2-13 illustrates several of the logging configurations discussed here. In Example 2-13, the router is configured to log messages with a severity of 6 or lower to a syslog server with an IP address of 192.168.1.50. In addition, events with a severity level of warning (that is, 4) or less (that is, 0 to 4) are logged to the router's buffer. The router can use a maximum of 4096 bytes of RAM for the buffered logging. This buffer can be viewed with the show logging command. The console is configured for logging events of the same severity level as the buffer (warnings and lower). Figure 2-2 shows logging messages being collected by a Kiwi Syslog Server (available from http://www.kiwisyslog.com).

Example 2-13 Logging Configuration

R1#show run
Building configuration...
...OUTPUT OMITTED...
!
logging buffered 4096 warnings
logging console warnings
!
logging 192.168.1.50
logging trap 6
...OUTPUT OMITTED...

Figure 2-2 Syslog Server (screenshot of logging messages collected by Kiwi Syslog Server)
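How a message's severity decides where it lands under the configuration in Example 2-13, as an added example in Python (not code from the book). It parses the logging lines, reads the severity digit from the %FACILITY-SEVERITY-MNEMONIC header that IOS prefixes to every message, and reports which destinations receive it. The configuration text and the sample messages are constructed copies for this example; the default levels noted in the comments are the IOS defaults.

```python
"""Added example (not from the book): parse the logging lines of an IOS
configuration and decide which destinations a given syslog message
reaches, based on the severity number in its %FACILITY-SEV-MNEMONIC tag."""

import re
from typing import Dict, List, Optional

# Table 2-2, keyed by the keyword IOS accepts in place of the number.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


def level(token: str) -> int:
    """Accept a number (0-7) or a severity keyword; IOS also accepts an
    unambiguous prefix such as 'warn', so prefix matching is done here."""
    if token.isdigit():
        n = int(token)
        if 0 <= n <= 7:
            return n
        raise ValueError(f"severity out of range: {token}")
    matches = [v for k, v in SEVERITY.items() if k.startswith(token.lower())]
    if len(matches) != 1:
        raise ValueError(f"ambiguous or unknown severity keyword: {token}")
    return matches[0]


def parse_logging_config(config: str) -> Dict[str, int]:
    """Highest severity number each destination logs.
    IOS defaults: console, monitor (vty) and buffer log everything (7);
    trap defaults to informational (6) but only matters once at least one
    'logging <host>' exists, so 'trap' is dropped when there is no host."""
    levels = {"console": 7, "buffered": 7, "monitor": 7, "trap": 6}
    hosts: List[str] = []
    for raw in config.splitlines():
        parts = raw.strip().split()
        if len(parts) < 2 or parts[0] != "logging":
            continue
        kind = parts[1]
        if kind in ("console", "monitor", "trap") and len(parts) > 2:
            levels[kind] = level(parts[2])
        elif kind == "buffered":
            # 'logging buffered [size] [level]': a size is a number > 7
            for tok in parts[2:]:
                if not (tok.isdigit() and int(tok) > 7):
                    levels["buffered"] = level(tok)
        elif kind == "host" and len(parts) > 2:
            hosts.append(parts[2])
        elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", kind):
            hosts.append(kind)
    if not hosts:
        levels.pop("trap")
    return levels


def severity_of(message: str) -> Optional[int]:
    m = MSG_RE.search(message)
    return int(m.group("sev")) if m else None


def destinations(message: str, levels: Dict[str, int]) -> List[str]:
    """Destinations whose configured level is at or above the message's
    severity number (a lower number is more severe, so 3 passes a limit of 4)."""
    sev = severity_of(message)
    if sev is None:
        return []
    return sorted(dest for dest, limit in levels.items() if sev <= limit)


# Constructed copy of the logging lines in Example 2-13.
CONFIG = """\
logging buffered 4096 warnings
logging console warnings
logging 192.168.1.50
logging trap 6
"""
LEVELS = parse_logging_config(CONFIG)

# Constructed messages in the shape IOS prints them (timestamps omitted).
LINK_DOWN = "%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down"
CONFIG_CHANGE = "%SYS-5-CONFIG_I: Configured from console by admin on vty0"
EEM_NOTE = "%HA_EM-6-LOG: COUNTER-RESET: Please update network documentation"

if __name__ == "__main__":
    for msg in (LINK_DOWN, CONFIG_CHANGE, EEM_NOTE):
        print(severity_of(msg), destinations(msg, LEVELS))
```

Under Example 2-13 the interface-down message (severity 3) reaches every destination, but a configuration-change or login message (severity 5) never enters the buffer and never reaches the console; only the syslog server, at trap level 6, keeps it. That is the practical reason to ship logs off the device rather than relying on show logging when reconstructing who changed what.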

Network Time Protocol as a Tool

Picture this scenario. You have just been assigned a trouble ticket. Users are complaining that the network is slow at 5:30 p.m. The problem ticket indicates that this happens every day. You are browsing the logs to see whether anything abnormal is occurring on the network at that time. However, your search will be worthwhile only if the logs have time stamps. In addition, time stamps are useless if they are not accurate. For example, there may be a log entry for 2:25 p.m. that reports high network utilization. Is that really 2:25 p.m., or is it 5:30 p.m.? Time-stamp accuracy is paramount when it comes to troubleshooting. Therefore, you need to make sure the clocks are set correctly on all the devices. If they are not, you will not be able to correlate the log entries to the problem the users are reporting.

Although you could individually set the clock on each of your devices, those clocks might drift over time and not agree, causing variations in the log entries. You might have heard the saying that a man with one watch always knows what time it is, whereas a man with two watches is never quite sure. This implies that devices need to have a common point of reference for their time. Such a reference point is made possible by Network Time Protocol (NTP), which allows network devices to point to a device acting as an NTP server (a time source). However, this must be a reliable time source. Stratum 1 time sources are the most reliable and accurate. For example, the U.S. Naval Observatory in Washington, D.C., is a stratum 1 time source.

Example 2-14 shows an NTP configuration entered on a router located in the eastern time zone. In this example, each device has its own time zone configuration, because the NTP server might be referenced by devices in different time zones. The clock timezone command indicates how many hours its time zone differs from Greenwich mean time (GMT); the eastern time zone is 5 hours behind GMT when daylight savings time is not in effect. The clock summer-time command defines when daylight savings time begins and ends. In this example, daylight savings time begins at 2:00 a.m. on the second Sunday in March and ends at 2:00 a.m. on the first Sunday in November. The ntp server command is used to point to an NTP server. Note that a configuration can have more than one ntp server command, for redundancy. In such cases, NTP will decide based on its protocol which is the most reliable, or you can manually specify which is most reliable by adding the prefer option to the ntp server command.

Example 2-14 Configuring a Router to Point to an NTP Server

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#clock timezone EST -5
R1(config)#clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
R1(config)#ntp server 192.168.1.150
R1(config)#ntp server 192.168.1.151 prefer
R1(config)#end

NTP uses a hierarchy of time servers based on stratum levels from 1 to 15. Stratum 1 is the most reliable. Because it is based on a hierarchy, you may not want all of your devices pointing to the stratum 1 time source that is connected to the Internet. In these instances, you could set up a device or two in your organization to receive their time from the stratum 1 source (making them a stratum 2 source) and then configure the other devices in your organization to receive their time from these local devices (making them stratum 3).

Advanced Tools

Keeping an eye on network traffic patterns and performance metrics can help you anticipate problems before they occur. This is in contrast to taking a reactive stance where you continually respond to problem reports as they occur. The saying "If it ain't broke, don't fix it" does not apply in a proactive network maintenance environment. Your stance in this type of environment should be "If it appears that it will break, fix it." To be proactive, you need more than just basic show and debug commands. You need advanced tools to proactively monitor the health of your devices and the health of your network traffic, such as SNMP, NetFlow, and EEM.

Reasons to monitor network traffic include the following:

■ Ensuring compliance with an SLA: If you work for a service provider or are a customer of a service provider, you might want to confirm that performance levels to and from the service provider's cloud are conforming to the agreed-upon service level agreement (SLA).

■ Trend monitoring: Monitoring resource utilization on your network (for example, bandwidth utilization and router CPU utilization) can help you recognize trends and forecast when upgrades will be required or if users are abusing the network resources. You can then take the necessary measures to address them proactively before they become a major issue.

■ Troubleshooting performance issues: Performance issues can be difficult to troubleshoot in the absence of a baseline. By routinely monitoring network performance, you have a reference point (that is, a baseline) against which you can compare performance metrics collected after a user reports a performance issue.

Overview of SNMP and NetFlow

Simple Network Management Protocol (SNMP) allows a monitored device (for example, a router or a switch) to run an SNMP agent that collects data such as utilization statistics for processors and memory. An SNMP server can then query the SNMP agent to retrieve those statistics to determine the overall health of that device. Cisco IOS NetFlow can provide you with tremendous insight into your network traffic patterns. Several companies market NetFlow collectors, which are software applications that can take the NetFlow information reported from a Cisco device and convert that raw data into useful graphs, charts, and tables reflecting traffic patterns.

Creating a Baseline with SNMP and NetFlow

SNMP and NetFlow are two technologies available on most Cisco IOS platforms that can automate the collection of statistics. These statistics can be used, for example, to establish a baseline that can be used in a troubleshooting scenario or in proactive network management and maintenance. Although both SNMP and NetFlow are useful for statistical data collection, they target different fundamental functions. SNMP is primarily focused on device statistics (the health of a device), whereas NetFlow is primarily focused on traffic statistics (the health of network traffic). Table 2-3 contrasts these two technologies.

Table 2-3 Comparing SNMP and NetFlow

Technology   Characteristics
SNMP         Collects device statistics (for example, platform resource utilization, traffic counts, and error counts)
             Uses a pull model (that is, statistics pulled from a monitored device by a network management station [NMS])
             Available on nearly all enterprise network devices
NetFlow      Collects detailed information about traffic flows
             Uses a push model (that is, statistics pushed from the monitored device to a NetFlow collector)
             Available on routers and high-end switches

SNMP

A device being managed by SNMP runs a process called an SNMP agent, which collects statistics about the device and stores those statistics in a Management Information Base (MIB). A network management system (NMS) can then query the agent for information in the MIB, using the SNMP protocol. Figure 2-3 shows a topology using SNMP. In the topology, router R1 is running an SNMP agent that the NMS server can query.

Before SNMPv3, the most popular SNMP version was SNMPv2c, which used community strings for authentication. Specifically, for an NMS to be allowed to read data from a device running an SNMP agent, the NMS must be configured with a community string that matches the managed device's read-only community string. For the NMS to change the information on the managed device, the NMS must be configured with a community string that matches the managed device's read-write community string. To enhance the security available with SNMPv2c, you can create an access list that determines valid IP addresses or network addresses for NMS servers that are allowed to manage or collect information from the MIB of the device; because SNMPv2c carries the community string in cleartext, that access list is what limits who can even attempt to use a string that has been observed on the wire. SNMP Version 3 (SNMPv3) supports encryption and hashed authentication of SNMP messages. Today, many SNMP deployments are still using version 2c because of its simplicity.

Figure 2-3 SNMP Sample Topology (R1, the managed device running an SNMP agent, connected through SW1 to the NMS)

Example 2-15 illustrates the SNMPv2c configuration on router R1. The snmp-server community string [ro | rw] [access_list_number] commands specify a read-only (that is, ro) community string of CISCO and a read-write (that is, rw) community string of PRESS. Only NMSs permitted in access lists 10 and 11 will be able to read, or read and write, respectively, this device using SNMP. Contact and location information for the device is also specified. Finally, notice the snmp-server ifindex persist command. This command ensures that the SNMP interface index stays consistent during data collection, even if the device is rebooted. This consistency is important when data is being collected for baselining purposes.

Example 2-15 SNMP Sample Configuration

R1#configure terminal
R1(config)#snmp-server community CISCO ro 10
R1(config)#snmp-server community PRESS rw 11
R1(config)#snmp-server contact demo@ciscopress.local
R1(config)#snmp-server location 3rd Floor of Lacoste Building
R1(config)#snmp-server ifindex persist

NetFlow

NetFlow can distinguish between different traffic flows. A flow is a series of packets, all of which have shared header information such as source and destination IP addresses, protocol numbers, port numbers, and type of service (TOS) field information. In addition, they are entering the same interface on the device. NetFlow can keep track of the number of packets and bytes observed in each flow. This information is stored in a flow cache. Flow information is removed from a flow cache if the flow is terminated, times out, or the cache fills to capacity.

You can use the NetFlow feature as a standalone feature on an individual router. Such a standalone configuration might prove useful for troubleshooting because you can observe flows being created as packets enter a router. However, rather than using just a standalone implementation of NetFlow, you can export the entries in a router's flow cache to a NetFlow collector, which is a software application running on a computer or server in your network. After the NetFlow collector has received flow information over a period of time, analysis software running on the NetFlow collector can produce reports detailing traffic statistics. Figure 2-4 shows a sample topology in which NetFlow is enabled on router R4, and a NetFlow collector is configured on a PC at IP address 192.168.1.50.

Figure 2-4 NetFlow Sample Topology (IP Phone 10.8.8.6 and the Cisco Unified Communications Manager Server 192.168.1.228 and a Web Server, connected through SW1 and SW2 to R4, the NetFlow-enabled router, on Fa 0/0 and Fa 0/1; NetFlow Collector 192.168.1.50)

Example 2-16 illustrates the NetFlow configuration on router R4. Notice that the ip flow ingress command is issued for both the Fast Ethernet 0/0 and Fast Ethernet 0/1 interfaces. This ensures that all flows passing through the router, regardless of direction, can be monitored. Although not required, router R4 is configured to report its NetFlow information to a NetFlow collector at IP address 192.168.1.50. The ip flow-export source lo 0 command indicates that all communication between router R4 and the NetFlow collector will be sourced from interface Loopback 0. A NetFlow version of 5 was specified. You should check the documentation for your NetFlow collector software to confirm which version to configure. Finally, the ip flow-export destination 192.168.1.50 5000 command is issued to specify that the NetFlow collector's IP address is 192.168.1.50, and communication to the NetFlow collector should be done over UDP port 5000. Because NetFlow does not have a standardized port number, check your NetFlow collector's documentation when selecting a port.

Example 2-16 NetFlow Sample Configuration

R4#configure terminal
R4(config)#int fa 0/0
R4(config-if)#ip flow ingress
R4(config-if)#exit
R4(config)#int fa 0/1
R4(config-if)#ip flow ingress
R4(config-if)#exit
R4(config)#ip flow-export source lo 0
R4(config)#ip flow-export version 5
R4(config)#ip flow-export destination 192.168.1.50 5000
R4(config)#end

Using your favorite search engine, search for images of "NetFlow collector" (without the quotes) to see various sample images of what a NetFlow collector can provide you. Although an external NetFlow collector is valuable for longer-term flow analysis and can provide detailed graphs and charts, you can issue the show ip cache flow command at a router's CLI prompt to produce a summary of flow information, as shown in Example 2-17. A troubleshooter can look at the output displayed in Example 2-17 and be able to confirm, for example, that traffic is flowing between IP address 10.8.8.6 (a Cisco IP Phone) and 192.168.1.228 (a Cisco Unified Communications Manager server).

Example 2-17 Viewing NetFlow Information

R4#show ip cache flow
...OUTPUT OMITTED...
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
...OUTPUT OMITTED...

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         10.8.8.6        Fa0/0         192.168.1.228   06 C2DB 07D0     2
Fa0/0         192.168.1.228   Fa0/1         10.8.8.6        06 07D0 C2DB     1
...OUTPUT OMITTED...
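What R4 actually sends to UDP port 5000 once ip flow-export version 5 is configured, as an added example (not from the book): Python that packs constructed flow records into a NetFlow v5 export packet using the published v5 header and record layout, then parses it back and summarises bytes per source the way a collector would. The flows, interface indexes and counters are made up for the example; the only thing taken from the page is the phone and CUCM addressing.

```python
"""Added example (not from the book): build one NetFlow v5 export packet the
way an exporter sends it, then parse it back into flow records.
The byte layout is the published NetFlow v5 format (24-byte header,
48-byte records); the sample flows are constructed for this example."""

import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int
    in_if: int      # SNMP ifIndex of the input interface
    out_if: int     # SNMP ifIndex of the output interface

    @property
    def key(self) -> Tuple[str, str, int, int, int, int]:
        """The fields that make a series of packets one flow (real NetFlow
        also includes the TOS byte, which is omitted here)."""
        return (self.src, self.dst, self.proto, self.sport, self.dport, self.in_if)


def build_packet(flows: List[Flow], seq: int = 0) -> bytes:
    """Pack a v5 header (version, count, sysUptime, unix secs/nsecs,
    flow sequence, engine type/id, sampling) followed by one record per flow."""
    hdr = HEADER.pack(5, len(flows), 1_000, 1_417_000_000, 0, seq, 0, 0, 0)
    body = b"".join(
        RECORD.pack(socket.inet_aton(f.src), socket.inet_aton(f.dst),
                    b"\x00" * 4,               # next hop (unused here)
                    f.in_if, f.out_if, f.packets, f.octets,
                    0, 0,                      # first/last sysUptime
                    f.sport, f.dport,
                    0, 0, f.proto, 0,          # pad, tcp_flags, prot, tos
                    0, 0, 0, 0, 0)             # src_as, dst_as, masks, pad
        for f in flows)
    return hdr + body


def parse_packet(data: bytes) -> List[Flow]:
    """Parse an export packet, rejecting anything that is not a complete,
    version-5 datagram (a collector must not trust the count blindly)."""
    if len(data) < HEADER.size:
        raise ValueError("short packet")
    version, count = HEADER.unpack_from(data, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) != HEADER.size + count * RECORD.size:
        raise ValueError("truncated or padded export packet")
    flows = []
    for i in range(count):
        (src, dst, _nh, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad, _flags, proto, _tos,
         *_rest) = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto,
                          sport, dport, pkts, octets, in_if, out_if))
    return flows


def is_valid(data: bytes) -> bool:
    try:
        parse_packet(data)
        return True
    except ValueError:
        return False


def top_talkers(flows: List[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Bytes per source address, largest first: one of the baseline views a
    collector builds from exported records."""
    totals: Dict[str, int] = {}
    for f in flows:
        totals[f.src] = totals.get(f.src, 0) + f.octets
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed flows: phone <-> CUCM signalling (SCCP, TCP 2000 = 0x07D0)
# plus a UDP media stream to a second, made-up phone at 10.8.8.9.
SAMPLE = [
    Flow("10.8.8.6", "192.168.1.228", 6, 0xC2DB, 0x07D0, 2, 120, 2, 1),
    Flow("192.168.1.228", "10.8.8.6", 6, 0x07D0, 0xC2DB, 1, 60, 1, 2),
    Flow("10.8.8.6", "10.8.8.9", 17, 0x6BD2, 0x6002, 9166, 1_833_200, 2, 2),
]

if __name__ == "__main__":
    pkt = build_packet(SAMPLE, seq=1)
    print(len(pkt), "bytes;", [f.key for f in parse_packet(pkt)])
    print(top_talkers(parse_packet(pkt)))
```

NetFlow v5 is plain UDP with no authentication, so anything that can reach the collector's port can inject records shaped exactly like these. Restricting the collector to the exporting routers' addresses (the loopback chosen with ip flow-export source in Example 2-16) is the practical check, and the length check in parse_packet is the minimum a collector needs before trusting the record count in the header.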

Providing Notifications for Network Events

Whereas responding to problem reports from users is a reactive form of troubleshooting, monitoring network devices for significant events and responding to those events is a proactive form of troubleshooting. For example, a router that is dual-homed to the Internet might report the event of one of its Internet connections going down. The redundant link can then be repaired, in response to the notification, before a user loses connectivity with the Internet, thus resolving the problem without users being impacted.

Both syslog and SNMP are protocols that can report the occurrence of specific events on a network device, and NetFlow can report events related to network traffic flows. Although these protocols by themselves lack a mechanism to alert a network administrator (for example, via e-mail) when a network event is logged, third-party software is available that can selectively alert appropriate personnel when specific events are logged.

Earlier, this section discussed how a network device running an SNMP agent can be queried for information from an NMS. However, a network device running an SNMP agent can also initiate communication with an NMS. If an interface goes down, for example, the SNMP agent on a managed network device can send a message containing information about the interface state change to an NMS, and then the NMS can notify a network administrator via e-mail. These messages, from the agent to the NMS, are called traps. These traps require the NMS to interpret them because they are not in an easy, readable format; therefore, we include the NMS's information on the router for communication purposes with the NMS.

Example 2-18 demonstrates how to enable a router to send SNMP traps to an NMS. The snmp-server host 192.168.1.50 version 2c CISCOPRESS command points router R4 to an SNMP server (that is, an NMS) at IP address 192.168.1.50. The SNMP server is configured for SNMP version 2c and a community string of CISCOPRESS. The snmp-server enable traps command is used to enable all traps on the router. You can view the enabled traps by using the show run | include traps command. If you only need to enable specific traps, you may do so by adding the individual trap keyword to the snmp-server enable traps command (for example, snmp-server enable traps bgp).

Example 2-18 Enabling SNMP Traps

R4#configure terminal
R4(config)#snmp-server host 192.168.1.50 version 2c CISCOPRESS
R4(config)#snmp-server enable traps
R4(config)#end
R4#show run | include traps
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps gatekeeper
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps ds3
...OUTPUT OMITTED...

The messages received via syslog and SNMP are predefined within Cisco IOS. Although this is a rather large collection of predefined messages and should accommodate most network management requirements, Cisco IOS also supports a feature called Embedded Event Manager (EEM) that enables you to create your own event definitions and specify custom responses to those events. An event can be defined and triggered based on a syslog message, an SNMP trap, and even the issuing of a specific Cisco IOS command. In response to a defined event, EEM can perform various actions, including sending an SNMP trap to an NMS, writing a log message to a syslog server, sending an e-mail to an appropriate party, capturing output of specific show commands, executing specified Cisco IOS commands, or executing a tool command language (Tcl) script, as just a few examples. From this short list, you can already see how powerful the EEM can be.

To illustrate the basic configuration steps involved in configuring an EEM applet, consider Example 2-19. The purpose of this configuration is to create a syslog message that will be displayed on the router console when someone clears the router's interface counters using the clear counters command. The message reminds the administrator to update the network documentation and list the rationale for clearing the interface counters.

Example 2-19 EEM Sample Configuration

R4#configure terminal
R4(config)#event manager applet COUNTER-RESET
R4(config-applet)#event cli pattern "clear counters" sync no skip no occurs 1
R4(config-applet)#action A syslog priority informational msg "Please update network documentation to record why the counters were reset."
R4(config-applet)#end

The event manager applet COUNTER-RESET command creates an EEM applet named COUNTER-RESET and enters applet configuration mode. The event command specifies what you are looking for in your custom-defined event. In Example 2-19, you are looking for the CLI command clear counters. Note that the clear counters command would be detected even if a shortcut (for example, cle co) were used. The sync no parameter says that the EEM policy will run asynchronously with the CLI command (that is, the command is not held until the policy finishes). The skip no parameter says that the CLI command will not be skipped (that is, the CLI command will be executed). Finally, the occurs 1 parameter indicates that the EEM event is triggered by a single occurrence of the clear counters command being issued. The action command is then entered to indicate what should be done in response to the defined event. In this example, the action is given a locally significant name of A and is assigned a syslog priority level of informational. The specific action to be taken is producing this informational message: Please update network documentation to record why the counters were reset.

To verify the operation of the EEM configuration presented in Example 2-19, the clear counters command is executed in Example 2-20. Notice that entering the clear counters command triggers the custom-defined event, resulting in generation of a syslog message reminding an administrator to document the reason they cleared the interface counters.

Example 2-20 Testing EEM Configuration

R4#clear counters
Clear "show interface" counters on all interfaces [confirm]
R4#
%HA_EM-6-LOG: COUNTER-RESET: Please update network documentation to record why the counters were reset.
R4#

Cisco Support Tools

Cisco has several other configuration, troubleshooting, and maintenance tools available on its website: http://www.cisco.com/en/US/support/tsd_most_requested_tools.html. Some of the tools available at this website require login credentials with appropriate privilege levels.

Using Cisco IOS to Verify and Define the Problem

When you receive a trouble ticket, your first couple of tasks should be to verify and define the problem. Some relatively simple tasks can confirm the issue reported and in most cases help to focus your troubleshooting efforts. Three easy-to-use tools built in to the Cisco IOS can help you verify connectivity and further define the problem. They are ping, Telnet, and traceroute. This section discusses how ping, Telnet, and traceroute can verify the problem and help focus our efforts.

Ping

A common command, which you can use to check network connectivity, is the ping command. A basic ping command sends Internet Control Message Protocol (ICMP) echo messages to a specified destination, as shown in Example 2-21. For every ICMP echo reply received from that specified destination, an exclamation point appears in the output. If you recall from Chapter 1, a successful ping indicates that Layers 1, 2, and 3 of the OSI model are functioning, and so you can focus your attention on higher OSI layers. The same holds true in reverse with an unsuccessful ping. If it is unsuccessful, you focus your troubleshooting on the lower layers of the OSI model.

Example 2-21 Basic ping Command

R1#ping 10.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
!!!!!

The ping command does have several options that can prove useful during troubleshooting, including the following:

■ size: Specifies the number of bytes per datagram (defaults to 100 bytes on Cisco IOS)

■ repeat: Specifies the number of ICMP echo messages sent (defaults to 5)

■ timeout: Specifies the number of seconds to wait for an ICMP echo reply (defaults to 2)

■ source: Specifies the source of the ICMP echo datagrams

■ df-bit: Sets the do not fragment bit in the ICMP echo datagram

Not only can a ping command indicate that a given IP address is reachable, but the response to a ping command might provide insight into the nature of a problem. For example, if the ping results indicate alternating failures and successes (that is, !.!.!.), a troubleshooter might conclude that traffic is being load balanced between the source and destination IP addresses. Traffic flowing across one path is successful, whereas traffic flowing over the other path is failing.

You can also use the ping command to create a load on the network to troubleshoot the network under heavy use. For example, you can specify a datagram size of 1500 bytes, along with a large repeat value and a timeout of 0 seconds, as shown in Example 2-22. Notice that all the pings failed. These failures occurred because of the 0-second timeout. The router did not wait before considering the ping to have failed and sending another ICMP echo message. Remember, we are doing this for the artificial load generated for testing purposes; we do not care that it failed. Because this deliberately floods the path, do it only on a network you are authorized to load-test and during an agreed window.

Example 2-22 Creating a Heavy Load on the Network

R1#ping 10.4.4.4 size 1500 repeat 9999 timeout 0
Type escape sequence to abort.
Sending 9999, 1500-byte ICMP Echos to 10.4.4.4, timeout is 0 seconds:
....................................................................................................
...OUTPUT OMITTED...

Perhaps you suspect that an interface has a nondefault maximum transmission unit (MTU) size, which is commonly seen with Q-in-Q tunnels, generic routing encapsulation (GRE) tunnels, and even Point-to-Point Protocol over Ethernet (PPPoE) interfaces. To verify your suspicion, you could send ICMP echo messages across that interface using the df-bit and size options of the ping command to specify the size of the datagram to be sent. The df-bit option instructs a router to drop this datagram rather than fragmenting it if fragmentation is required. Example 2-23 shows the sending of pings with the do not fragment bit set. Notice the M in the ping responses, which indicates that fragmentation was required but could not be performed because the do not fragment bit was set. Therefore, in this case, you can conclude that a link between the source and destination is using a nonstandard MTU (that is, an MTU less than 1500 bytes).

Example 2-23 Pinging with the Do Not Fragment Bit Set

R1#ping 10.4.4.4 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with the DF bit set
M.M.M.M.M

The challenge is how to determine the nondefault MTU size without multiple manual attempts. An extended ping can help with such a scenario. The extended ping feature enables you to granularly customize your pings. Consider Example 2-24, which issues the ping command without command-line parameters. This invokes the extended ping feature. Specifically, you could specify a range of datagram sizes to use in your pings to help determine the size of a nondefault MTU. For example, in Example 2-24 you could determine that the MTU across at least one of the links from the source to the destination IP address was set to 1450 bytes, because the M ping responses begin after 51 ICMP echo datagrams were sent (with datagram sizes in the range of 1400 to 1450 bytes).

Example 2-24 Extended Ping Performing a Ping Sweep

R1#ping
Protocol [ip]:
Target IP address: 10.4.4.4
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: yes
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]: y
Sweep min size [36]: 1400
Sweep max size [18024]: 1500
Sweep interval [1]:
Type escape sequence to abort.
Sending 101, [1400..1500]-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.M.
Success rate is 50 percent (51/101), round-trip min/avg/max = 60/125/232 ms
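The sweep in Example 2-24 sends one DF-set probe per size and reads the MTU off the point where ! turns into M. As an added example (not from the book), the Python below models that probe against a constructed path of link MTUs, reproduces the sweep's arithmetic, and then finds the same answer by binary search over the size range, which takes a handful of probes instead of 101. The link MTUs are invented for the example.

```python
"""Added example (not from the book): model a ping with the DF bit set
against a path of links, then compare the linear sweep of Example 2-24
with a binary search for the path MTU. Sizes are IP datagram sizes, the
same unit the IOS ping 'size' option uses."""

from typing import List, Optional, Tuple

# Constructed path: the middle link is a GRE tunnel with a 1450-byte MTU.
PATH_MTUS = [1500, 1450, 1500]


def df_probe(path_mtus: List[int], size: int) -> str:
    """'!' if a DF-set datagram of this size fits every link on the path,
    'M' if some router would have had to fragment it and could not."""
    return "!" if size <= min(path_mtus) else "M"


def sweep_mtu(path_mtus: List[int], lo: int, hi: int) -> Tuple[Optional[int], int]:
    """Linear sweep like Example 2-24: probe every size from lo to hi.
    Returns (largest size that passed, number of probes sent)."""
    responses = "".join(df_probe(path_mtus, s) for s in range(lo, hi + 1))
    probes = len(responses)
    if "M" not in responses:
        return hi, probes
    first_m = responses.index("M")
    if first_m == 0:
        return None, probes          # even the smallest size was too big
    return lo + first_m - 1, probes  # 1400 + 51 - 1 = 1450 in Example 2-24


def binary_search_mtu(path_mtus: List[int], lo: int, hi: int) -> Tuple[Optional[int], int]:
    """Same question answered by bisection: a DF probe either passes or
    fails monotonically with size, so the boundary can be bracketed."""
    probes = 0
    best: Optional[int] = None
    while lo <= hi:
        mid = (lo + hi) // 2
        probes += 1
        if df_probe(path_mtus, mid) == "!":
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best, probes


if __name__ == "__main__":
    print("sweep:        ", sweep_mtu(PATH_MTUS, 1400, 1500))
    print("binary search:", binary_search_mtu(PATH_MTUS, 1400, 1500))
```

The binary search reaches 1450 in six probes for this range. The practical limit of both approaches is the same one the text notes for the M response: a router that has been configured not to send ICMP fragmentation-needed messages (or a firewall that drops them) produces timeouts rather than M, and neither method can tell a black-holed probe from a too-large one.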

Telnet

As you just read, the ping command is useful for testing Layer 3 (that is, the network layer) connectivity. The telnet command is useful for troubleshooting Layer 4 (that is, the transport layer) and Layer 7 (that is, the application layer). By default, Telnet uses TCP port 23. However, you can specify an alternate port number to see whether a particular TCP Layer 4 service is running at a destination IP address. For example, notice the telnet 192.168.1.50 80 command issued in Example 2-25. This command causes router R1 to attempt a TCP connection with 192.168.1.50 using port 80 (the HTTP port). The response of Open indicates that 192.168.1.50 is indeed running a service on port 80. Such an approach might prove useful if you are using a divide-and-conquer approach, starting at Layer 3 (which was determined to be operational as a result of a successful ping), or a bottom-up approach (which has also confirmed Layer 3 to be operational).

Example 2-25 Using Telnet to Test the Transport Layer (Success)

R1#telnet 192.168.1.50 80
Trying 192.168.1.50, 80 ... Open

Let's consider a situation where users indicate that they are unable to connect to the mail server at 192.168.1.51. The mail server uses SMTP port 25. Therefore, you could use telnet to test the transport layer. The result of using Telnet to test the transport layer shows that port 25 is not responding on the mail server, as shown in Example 2-26. At this point, you may want to start by checking whether the server is operational and verifying that no access control lists (ACLs) are denying connectivity to port 25.

Example 2-26 Using Telnet to Test the Transport Layer (Failure)

R1#telnet 192.168.1.51 25
Trying 192.168.1.51, 25 ...
% Connection refused by remote host

Traceroute

The traceroute command provides valuable information during the troubleshooting process. The first piece of information is verified connectivity, which is what the ping command provides us. The second valuable piece of information is the path that the trace took through the network. This is something that the ping command does not provide. Example 2-27 displays the output of a successful trace to the router that has the IP address 10.4.4.4. If the trace completes successfully, we have verified Layer 3 connectivity. To illustrate, if we issue the command ping 10.4.4.4 and it fails, we could then issue the traceroute 10.4.4.4 command to get an idea of where the ping is failing.
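The check the telnet command performs here is a single TCP connection attempt that either completes (Open), is refused, or times out, and it can be scripted so that a troubleshooter can test a list of service ports from a management host and record the outcome. The Python below is an added example, not from the book: it reports the three outcomes the text describes. To run offline it starts its own loopback listener in place of the web server and picks an unused loopback port in place of the mail server's port 25, so the addresses 192.168.1.50 and 192.168.1.51 are never contacted.

```python
import socket
import threading


def tcp_port_check(host, port, timeout=2.0):
    """Equivalent of 'telnet host port' used purely as a reachability probe.

    Returns "open" (the IOS 'Open' response), "refused" (the '% Connection
    refused by remote host' response) or "timeout" (nothing answered, which on
    a real network usually means a filter such as an ACL is dropping the SYN,
    or the host is down).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:              # e.g. network unreachable
        return f"error: {exc.strerror or exc}"


def start_listener():
    """Constructed stand-in for the HTTP server at 192.168.1.50: a listener on an
    ephemeral loopback port that accepts one connection, so the example runs
    offline. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_once():
        try:
            conn, _ = srv.accept()
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=accept_once, daemon=True).start()
    return port


def free_port():
    """Find a loopback port nothing listens on, to stand in for the mail server's
    unanswered port 25 (constructed; 192.168.1.51 is not contacted)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("web port :", tcp_port_check("127.0.0.1", start_listener()))
    print("mail port:", tcp_port_check("127.0.0.1", free_port()))
```

A refused connection and a timeout point at different suspects, exactly as the text notes: a refusal means the host answered and nothing is listening (check whether the service is running), whereas a timeout leaves an ACL or a down host as the more likely cause.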

Example 2-27 Using Traceroute

R1#traceroute 10.4.4.4
Type escape sequence to abort.
Tracing the route to 10.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.2 44 msec 36 msec 44 msec
  2 10.2.2.2 24 msec 64 msec 36 msec
  3 10.3.3.2 64 msec 52 msec 84 msec
  4 10.4.4.4 100 msec * 72 msec

Example 2-28 shows an unsuccessful ping from R1 to 10.4.4.4. We then use traceroute to get a better picture of where this ping is failing so we can focus our attention around that part of the network. If you see a repeating pattern of IP addresses in the output of traceroute (for example, 10.1.1.2, 10.2.2.2, 10.1.1.2, 10.2.2.2), you have a routing loop.

Example 2-28 Using Traceroute to Follow the Path

R1#ping 10.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#traceroute 10.4.4.4
Type escape sequence to abort.
Tracing the route to 10.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.2 24 msec 44 msec 28 msec
  2 10.2.2.2 68 msec 88 msec 88 msec
  3 * * *
  4 * * *
  5 * * *
  6 * * *
...OUTPUT OMITTED...

Using Cisco IOS to Collect Information

After a problem has been clearly defined, as described in Chapter 1, the first step in diagnosing that problem is collecting information. Because the collection of information can be one of the most time-consuming of the troubleshooting processes, the ability to quickly collect appropriate information becomes a valuable troubleshooting skill. Time is valuable. You do not want to spend your time looking for the needle in a haystack. Would you prefer to search for the needle in a haystack by moving one piece of straw at a time, or would you prefer to use the biggest, strongest magnet in the world and attract the needle out of the haystack? I choose the magnet. This section introduces basic Cisco
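Reading a failed trace by eye is quick for six hops, but scripting the two observations the text makes (which hop last answered, and whether the addresses repeat) makes the same check repeatable across many traces collected from many routers. The Python below is an added example, not from the book: it parses IOS traceroute text, reports the last responding hop, and detects a repeating address pattern. The three sample traces are constructed in the format of Examples 2-27 and 2-28 (the looping one illustrates the repeating pattern the text describes), and the helper names are this example's own.

```python
import re

# Constructed sample outputs in IOS traceroute format, modelled on Examples 2-27
# and 2-28 (not the book's own captures).
SUCCESSFUL_TRACE = """\
Tracing the route to 10.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.2 44 msec 36 msec 44 msec
  2 10.2.2.2 24 msec 64 msec 36 msec
  3 10.3.3.2 64 msec 52 msec 84 msec
  4 10.4.4.4 100 msec * 72 msec
"""

FAILED_TRACE = """\
Tracing the route to 10.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.2 24 msec 44 msec 28 msec
  2 10.2.2.2 68 msec 88 msec 88 msec
  3 * * *
  4 * * *
  5 * * *
"""

# A constructed trace whose addresses cycle: the repeating pattern the text describes.
LOOPING_TRACE = """\
Tracing the route to 10.4.4.4
  1 10.1.1.2 20 msec 24 msec 20 msec
  2 10.2.2.2 40 msec 44 msec 40 msec
  3 10.1.1.2 60 msec 64 msec 60 msec
  4 10.2.2.2 80 msec 84 msec 80 msec
  5 10.1.1.2 100 msec 104 msec 100 msec
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")              # hop lines start with a number
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_traceroute(output):
    """Return [(hop_number, responding_ip_or_None), ...]; '* * *' hops give None."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                                   # header lines
        ip = IP_RE.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops


def last_responding_hop(output):
    """Hop number and address of the last router that answered; the fault is
    usually on or just beyond that device."""
    answered = [(n, ip) for n, ip in parse_traceroute(output) if ip]
    return answered[-1] if answered else None


def reached_target(output, target):
    """True when the final hop line carries the destination address."""
    hops = parse_traceroute(output)
    return bool(hops) and hops[-1][1] == target


def find_routing_loop(output):
    """Return the shortest address sequence that repeats back to back (a routing
    loop), or None when no hop address recurs that way."""
    addrs = [ip for _, ip in parse_traceroute(output) if ip]
    for period in range(1, len(addrs) // 2 + 1):
        for start in range(len(addrs) - 2 * period + 1):
            if addrs[start:start + period] == addrs[start + period:start + 2 * period]:
                return addrs[start:start + period]
    return None


if __name__ == "__main__":
    print("failed trace, last answer from:", last_responding_hop(FAILED_TRACE))
    print("looping trace, repeating pattern:", find_routing_loop(LOOPING_TRACE))
```

In the failed trace the last answer comes from 10.2.2.2, so that is where the text's advice to focus attention applies; the loop detector returns the two-address cycle for the looping trace and None for both of the others.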

IOS commands useful in gathering information and discusses the filtering of irrelevant information from the output of those commands. Also included in this section are commands helpful in diagnosing connectivity and hardware issues.

Filtering the Output of show Commands

Cisco IOS offers multiple show commands and debug commands that are useful for gathering information. Throughout this book, you will be introduced to a considerable number of show and debug commands. However, many of these commands produce a large quantity of output. Consider the output shown in Example 2-29.

Example 2-29 show processes cpu Command Output

R1#show processes cpu
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           4         3       1333  0.00%  0.00%  0.00%   0 Chunk Manager
   2        7245      1802       4020  0.00%  0.32%  0.08%   0 Load Meter
   3          56      2040         27  0.00%  0.00%  0.00%   0 OSPF Hello
   4           4         1       4000  0.00%  0.00%  0.00%   0 EDDRI_MAIN
   5       21998      1524      14434  0.00%  0.08%  0.25%   0 Check heaps
   6           0         1          0  0.00%  0.00%  0.00%   0 Pool Manager
   7           0         2          0  0.00%  0.00%  0.00%   0 Timers
   8           0         1          0  0.00%  0.00%  0.00%   0 Crash Writer
   9           0       302          0  0.00%  0.00%  0.00%   0 Environmental mo
  10         731      1880        388  0.00%  0.00%  0.00%   0 APR Input
...OUTPUT OMITTED...
 171           0         1          0  0.00%  0.00%  0.00%   0 lib_off_app
 172           4         2       2000  0.00%  0.00%  0.00%   0 Voice Player
 173           0         1          0  0.00%  0.00%  0.00%   0 Media Record
 174           0         1          0  0.00%  0.00%  0.00%   0 Resource Measure
 175          12         6       2000  0.00%  0.00%  0.00%   0 Session Applicat
 176          12       151         79  0.00%  0.00%  0.00%   0 RTPSPI
 177           4     17599          0  0.00%  0.00%  0.00%   0 IP NAT Ager
 178           0         1          0  0.00%  0.00%  0.00%   0 IP NAT WALN
 179           8       314         25  0.00%  0.00%  0.00%   0 CEF Scanner

The output from the show processes cpu command generated approximately 180 lines of output, making it challenging to pick out a single process. Perhaps you were only looking for CPU utilization statistics for the Check heaps process. Because you know that the content of the one line you are looking for contains the text Check heaps, you could take the output of the show processes cpu command and pipe

that output (that is, use the | character) to the include Check heaps statement, as demonstrated in Example 2-30.

Example 2-30 Filtering the show processes cpu Command Output

R1#show processes cpu | include Check heaps
   5       24710      1708      14467  1.14%  0.26%  0.24%   0 Check heaps

The piping of the output causes the output to be filtered to only include lines that include the text Check heaps. This type of filtering can help troubleshooters more quickly find the data they are looking for. However, realize that the information you are looking for is case sensitive. Therefore, check heaps is not the same as Check heaps.

Example 2-30 gave us some interesting values, but what do they mean? If you go back to Example 2-29, you will notice column headers that were omitted in Example 2-30. Therefore, we have to tweak our command so that we receive the column headers, as shown in Example 2-31.

Example 2-31 Filtering the show processes cpu Command Output with Column Headers

R1#show processes cpu | include Check heaps|^CPU|^ PID
CPU utilization for five seconds: 3%/100%; one minute: 4%; five minutes: 4%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   5       24710      1708      14467  1.14%  0.26%  0.24%   0 Check heaps

In Example 2-31 we modified the show processes cpu | include Check heaps command to include |^CPU|^ PID. The ^ is a regular expression that represents "begins with." Therefore, these additions state to include any line that begins with CPU or (space)PID. Notice that when specifying the additional pipes (|) there is no space, because it is an "or" operation. Now those interesting values have meaning because the column headers are included.

In addition, with the show processes cpu command, you can sort by 5-second, 1-minute, and 5-minute utilization with the sorted parameter. This allows you to place in descending order those processes that are consuming the most CPU resources.

Similar to piping output to the include option, you could alternatively pipe output to the exclude option. The exclude option can display all lines of the output except lines containing the string you specify. For example, the show ip interface brief command can display IP addresses and interface status information for interfaces on a router and switch, as shown in Example 2-32.

Example 2-32 show ip interface brief Command Output

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.0.11    YES NVRAM  up                    up
Serial0/0                  unassigned      YES NVRAM  administratively down down
FastEthernet0/1            192.168.1.11    YES NVRAM  up                    up
Serial0/1                  unassigned      YES NVRAM  administratively down down
NVI0                       unassigned      YES unset  up                    up
Loopback0                  10.1.1.1        YES NVRAM  up                    up

Notice in Example 2-32 that some of the interfaces have an IP address of unassigned. If you want to only view information pertaining to interfaces with assigned IP addresses, you can pipe the output of the show ip interface brief command to exclude unassigned, as illustrated in Example 2-33.

Example 2-33 Filtering Output from the show ip interface brief Command Using exclude

R1#show ip interface brief | exclude unassigned
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.0.11    YES NVRAM  up                    up
FastEthernet0/1            192.168.1.11    YES NVRAM  up                    up
Loopback0                  10.1.1.1        YES NVRAM  up                    up

As another example, you might be troubleshooting an OSPF routing protocol issue and want to see the section of your running configuration where the routing protocol configuration begins. Piping the output of the show running-config command to begin router, as shown in Example 2-34, skips the initial portion of the show running-config output and begins displaying the output where the first instance of router is seen in the running configuration.

Example 2-34 Filtering Output from the show running-config Command Using begin

R1#show running-config | begin router
router eigrp 100
 network 10.0.0.0
 network 192.168.0.0
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
...OUTPUT OMITTED...

However, if the first instance of router appears in the running configuration before the router ospf section (as in Example 2-34), you will still have to sift through the running configuration until you get to the router ospf section. Because we are trying to find a specific section (in this case OSPF) in the running configuration, we can pipe the output to a section. In Example 2-35, we pipe the output of the show running-config command to section router ospf and only get output from the router ospf section. As stated earlier, when piping, you need to specify the exact case and the exact spacing. For example, section GigabitEthernet0/1 works, but section GigabitEthernet 0/1, section Gigabitethernet0/1, and section Gi0/1 do not work.

Example 2-35 Filtering Output from the show running-config Command Using section

R1#show running-config | section router ospf
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

Another command that often generates a lengthy output, especially in larger environments, is the show ip route command. Consider, for example, the output of show ip route presented in Example 2-36.

Example 2-36 Sample show ip route Command Output

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/30 is subnetted, 2 subnets
O       172.16.1.0 [110/65] via 192.168.1.22, 00:50:57, FastEthernet0/1
O       172.16.2.0 [110/65] via 192.168.1.22, 00:50:57, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
O       10.1.3.0/30 [110/129] via 192.168.1.22, 00:50:58, FastEthernet0/1
O       10.1.1.4/32 [110/66] via 192.168.1.22, 00:50:57, FastEthernet0/1
O       10.1.1.3/32 [110/66] via 192.168.1.22, 00:50:57, FastEthernet0/1
O       10.1.1.2/32 [110/2] via 192.168.1.22, 00:50:57, FastEthernet0/1
C       10.1.1.1/32 is directly connected, Loopback0
O       10.1.2.0/24 [110/75] via 192.168.1.22, 00:50:58, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/1
C    192.168.0.0/24 is directly connected, FastEthernet0/0
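The include, exclude, begin, and section filters of Examples 2-30 through 2-35 are easy to emulate when show output has already been saved to a file (for instance, with the redirect option described later in this chapter) and you want to post-process it off the device. The Python below is an added example, not from the book: it reproduces the case-sensitive regular-expression matching of include and exclude (including the Check heaps|^CPU|^ PID alternation), the first-match behavior of begin, and a simplified section (a matching line plus the indented lines that follow it; IOS has special cases that this version omits, which is an assumption of the example). The running-config excerpt and show processes cpu lines it filters are constructed for the example.

```python
import re

# Constructed running-config excerpt and show processes cpu lines, modelled on
# Examples 2-29 to 2-35 (not the book's own captures).
RUNNING_CONFIG = """\
hostname R1
!
interface GigabitEthernet0/1
 ip address 192.168.1.11 255.255.255.0
 duplex auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
!
router eigrp 100
 network 10.0.0.0
 network 192.168.0.0
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
line vty 0 4
 transport input ssh
"""

PROCESSES_CPU = """\
CPU utilization for five seconds: 3%/100%; one minute: 4%; five minutes: 4%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           4         3       1333  0.00%  0.00%  0.00%   0 Chunk Manager
   2        7245      1802       4020  0.00%  0.32%  0.08%   0 Load Meter
   5       24710      1708      14467  1.14%  0.26%  0.24%   0 Check heaps
"""


def ios_filter(output, mode, pattern):
    """Emulate 'show ... | <include|exclude|begin|section> pattern'.

    The pattern is a case-sensitive regular expression, as on IOS, so
    'check heaps' does not match 'Check heaps' and '^ PID' needs the space.
    section (simplified, an assumption of this example): a matching line plus
    the indented lines that follow it, ending at the next unindented line.
    """
    rx = re.compile(pattern)
    lines = output.splitlines()
    if mode == "include":
        return [l for l in lines if rx.search(l)]
    if mode == "exclude":
        return [l for l in lines if not rx.search(l)]
    if mode == "begin":
        for i, l in enumerate(lines):
            if rx.search(l):
                return lines[i:]                 # everything from the first match on
        return []
    if mode == "section":
        out, in_section = [], False
        for l in lines:
            if rx.search(l):
                in_section = True
                out.append(l)
            elif in_section and l.startswith(" "):
                out.append(l)                    # indented child of a matched line
            else:
                in_section = False
        return out
    raise ValueError(f"unknown filter mode {mode!r}")


if __name__ == "__main__":
    print("\n".join(ios_filter(PROCESSES_CPU, "include", "Check heaps|^CPU|^ PID")))
    print("\n".join(ios_filter(RUNNING_CONFIG, "section", "router ospf")))
```

Running the section filter with "GigabitEthernet 0/1" (with the space) returns nothing, while "GigabitEthernet0/1" returns the interface and its two sub-commands, which is the spacing point the text makes.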

Although the output shown in Example 2-36 is relatively small, some IP routing tables contain hundreds or even thousands of entries. If you want to determine whether a route for network 172.16.1.0 is present in a routing table, you could issue the command show ip route 172.16.1.0, as depicted in Example 2-37.

Example 2-37 Specifying a Specific Route with the show ip route Command

R1#show ip route 172.16.1.0
Routing entry for 172.16.1.0/30
  Known via "ospf 1", distance 110, metric 65, type intra area
  Last update from 192.168.1.22 on FastEthernet0/1, 00:52:08 ago
  Routing Descriptor Blocks:
  * 192.168.1.22, from 10.1.1.2, 00:52:08 ago, via FastEthernet0/1
      Route metric is 65, traffic share count is 1

Perhaps you are looking for all subnets of the 172.16.0.0/16 address space. In that event, you could specify the subnet mask and the longer-prefixes argument as part of your command, as demonstrated in Example 2-38. Such a command, for instance, shows all subnets of network 172.16.0.0/16.

Example 2-38 Filtering Output from the show ip route Command with the longer-prefixes Option

R1#show ip route 172.16.0.0 255.255.0.0 longer-prefixes
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/30 is subnetted, 2 subnets
O       172.16.1.0 [110/65] via 192.168.1.22, 00:51:39, FastEthernet0/1
O       172.16.2.0 [110/65] via 192.168.1.22, 00:51:39, FastEthernet0/1

Redirecting show Command Output to a File

Imagine that you are working with the Cisco Technical Assistance Center (TAC) to troubleshoot an issue, and they want a file containing output from the show tech-support command issued on your router. Are you going to issue the command and then copy and paste it from your terminal window to a text editor? That is one option. However, Example 2-39 shows how you can use the | redirect option to send output from a show command to a file. In this case, it is the show tech-support command being sent to a file on a TFTP server.
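Both lookups above are prefix operations: show ip route 172.16.1.0 performs a longest-match lookup of an address, and the longer-prefixes form lists every route contained in a supernet. The Python below, added here and not part of the book, implements both over the text of a show ip route table, which is useful when routing tables have been saved to files and need to be compared or searched off the device. The sample table is constructed in the format of Example 2-36 (with one two-letter route code added to exercise that case); the parser has to remember the mask announced on an "is subnetted" header, because the entries beneath it do not repeat it.

```python
import ipaddress
import re

# Constructed routing table in IOS 'show ip route' format, modelled on Example 2-36
# (not the book's capture); the O E2 entry is added to show a two-token code.
SHOW_IP_ROUTE = """\
Gateway of last resort is not set

     172.16.0.0/30 is subnetted, 2 subnets
O       172.16.1.0 [110/65] via 192.168.1.22, 00:50:57, FastEthernet0/1
O       172.16.2.0 [110/65] via 192.168.1.22, 00:50:57, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.1.1.1/32 is directly connected, Loopback0
O       10.1.1.2/32 [110/2] via 192.168.1.22, 00:50:57, FastEthernet0/1
O       10.1.3.0/24 [110/75] via 192.168.1.22, 00:50:57, FastEthernet0/1
O E2    10.1.5.0/24 [110/20] via 192.168.1.22, 00:50:57, FastEthernet0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/1
C    192.168.0.0/24 is directly connected, FastEthernet0/0
"""

# "172.16.0.0/30 is subnetted, 2 subnets" announces one mask for the entries below it;
# "is variably subnetted" means each entry carries its own /len.
BLOCK_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)/(\d+) is (variably )?subnetted")
ENTRY_RE = re.compile(
    r"^([A-Za-z*][A-Za-z0-9*]*(?: [A-Z0-9]{1,2})?)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+(.*)$")


def parse_routes(output):
    """Return a list of (code, ipaddress.IPv4Network, rest_of_line)."""
    routes, block_len = [], None
    for line in output.splitlines():
        b = BLOCK_RE.match(line)
        if b:
            block_len = None if b.group(3) else int(b.group(2))
            continue
        e = ENTRY_RE.match(line)
        if not e:
            continue
        code, addr, plen, rest = e.groups()
        plen = int(plen) if plen is not None else block_len
        if plen is None:
            raise ValueError(f"no prefix length known for route {addr}")
        routes.append((code, ipaddress.ip_network(f"{addr}/{plen}"), rest))
    return routes


def longer_prefixes(routes, supernet):
    """show ip route A.B.C.D MASK longer-prefixes: every route inside the supernet."""
    net = ipaddress.ip_network(supernet)
    return [r for r in routes if r[1].subnet_of(net)]


def lookup(routes, address):
    """show ip route A.B.C.D: the longest-matching route for an address, or None."""
    ip = ipaddress.ip_address(address)
    matches = [r for r in routes if ip in r[1]]
    return max(matches, key=lambda r: r[1].prefixlen, default=None)


if __name__ == "__main__":
    table = parse_routes(SHOW_IP_ROUTE)
    for code, net, _ in longer_prefixes(table, "172.16.0.0/16"):
        print(code, net)
    print(lookup(table, "172.16.1.0"))
```

The lookup function mirrors what the router does for show ip route 172.16.1.0: the argument is treated as an address, and the most specific route containing it is returned, so asking for 10.1.1.2 yields the /32 rather than any broader 10.0.0.0 route.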

Example 2-39 Redirecting Output to a TFTP Server

R1#show tech-support | redirect tftp://192.168.1.50/tshoot.txt
!
R1#

Notice that directing output to a file suppresses the onscreen output, as shown in Example 2-39. If you want the show command to be displayed onscreen and stored to a file, you can pipe the output with the tee option, as demonstrated in Example 2-40.

Example 2-40 Redirecting Output While Also Displaying the Output Onscreen

R1#show tech-support | tee tftp://192.168.1.50/tac.txt
!
---------------------show version---------------------
Cisco IOS Software, C2600 Software (C2600-IPVOICE_IVS-M), Version 12.4(3b), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Thu 08-Dec-05 17:35 by alnguyen
...OUTPUT OMITTED...

In situations where you already have an output file created and you want to append the output of another show command to your existing file, you can pipe the output of your show command with the append option. Example 2-41 shows how to use the append option to add the output of the show ip interface brief command to a file named baseline.txt that was created at an earlier time and already contains information. Note that this does not overwrite the existing file; it simply adds the new information to it.

Example 2-41 Appending Output to an Existing File

R1#show ip interface brief | append tftp://192.168.1.50/baseline.txt
!
R1#

Troubleshooting Hardware

In addition to software configurations, a network's underlying hardware often becomes a troubleshooting target. As a reference, Table 2-4 offers a collection of Cisco IOS commands used to investigate hardware performance issues.

Table 2-4 Cisco IOS Commands for Hardware Troubleshooting

show processes cpu: Provides 5-second, 1-minute, and 5-minute CPU utilization statistics, in addition to a listing of processes running on a platform along with each process's utilization statistics.

show memory: Displays summary information about processor and I/O memory, followed by a more comprehensive report of memory utilization.

show interfaces: Shows Layer 1 and Layer 2 interface status, interface load information, and error statistics, including the following:
  input queue drops: Indicates a router received information faster than the information could be processed by the router.
  output queue drops: Indicates a router is not able to send information out the outgoing interface because of congestion (perhaps because of an input/output speed mismatch).
  input errors: Indicates frames were not received correctly (for example, a cyclic redundancy check (CRC) error occurred), perhaps indicating a cabling problem or a duplex mismatch.
  output errors: Indicates frames were not transmitted correctly, perhaps due to a duplex mismatch.

show controllers: Displays statistical information about an interface (for example, error statistics), where the information varies for different interface types (for example, the type of connected cable might be displayed for a serial interface, and whether it is the DCE side or DTE side of the cable).

show platform: Provides detailed information about a router or switch hardware platform.

Note: Prior to collecting statistics, interface counters can be reset using the clear counters command.

Collecting Information in Transit

Information you collect while troubleshooting is not always going to be at rest. You will sometimes need to collect information while it is in transit. This section discusses how we can capture packets on the network that are flowing through our switches.

Performing Packet Captures

You can use dedicated appliances or PCs running packet capture software to collect and store packets flowing across a network link. When troubleshooting, analysis of captured
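Table 2-4's interpretations of the show interfaces counters can be applied automatically when the output has been collected from many devices, for instance as part of a baseline. The Python below is an added example, not from the book: it extracts the input queue drops, output drops, input errors, CRC errors, output errors, collisions, and duplex setting from show interfaces text and reports the finding the table associates with each nonzero counter. The show interfaces excerpt is constructed, and the finding texts paraphrase the table. Because the counters are cumulative since the last clear counters, the script is most meaningful on output captured a known interval after a clear.

```python
import re

# Constructed 'show interfaces' excerpt (not a real capture) with the counters
# Table 2-4 lists: one interface with a suspected duplex mismatch, one congested.
SHOW_INTERFACES = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 0019.e8ab.cd01 (bia 0019.e8ab.cd01)
  Half-duplex, 100Mb/s, 100BaseTX/FX
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
     1034 input errors, 1034 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 2588 collisions, 1 interface resets
FastEthernet0/1 is up, line protocol is up
  Hardware is Gt96k FE, address is 0019.e8ab.cd02 (bia 0019.e8ab.cd02)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  Input queue: 0/75/412/0 (size/max/drops/flushes); Total output drops: 1500
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
Serial0/0/0 is up, line protocol is up
  Hardware is GT96K Serial
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 output errors, 0 collisions, 2 interface resets
"""

IFACE_RE = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)")
DUPLEX_RE = re.compile(r"^\s+(Half|Full)-duplex")
QUEUE_RE = re.compile(r"Input queue: \d+/\d+/(\d+)/\d+ .*Total output drops: (\d+)")
INERR_RE = re.compile(r"(\d+) input errors, (\d+) CRC")
OUTERR_RE = re.compile(r"(\d+) output errors, (\d+) collisions")


def parse_show_interfaces(output):
    """Map interface name -> dict of the Table 2-4 counters plus duplex and status."""
    stats, cur = {}, None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:                                   # a new interface block starts
            cur = stats.setdefault(m.group(1), {"status": m.group(2), "protocol": m.group(3)})
            continue
        if cur is None:
            continue
        if (m := DUPLEX_RE.match(line)):
            cur["duplex"] = m.group(1).lower()
        elif (m := QUEUE_RE.search(line)):
            cur["input_queue_drops"], cur["output_drops"] = int(m.group(1)), int(m.group(2))
        elif (m := INERR_RE.search(line)):
            cur["input_errors"], cur["crc"] = int(m.group(1)), int(m.group(2))
        elif (m := OUTERR_RE.search(line)):
            cur["output_errors"], cur["collisions"] = int(m.group(1)), int(m.group(2))
    return stats


def diagnose(stats):
    """Apply Table 2-4's reading of each counter; returns (interface, finding) pairs."""
    findings = []
    for name, s in stats.items():
        if s.get("input_queue_drops", 0):
            findings.append((name, "input queue drops: traffic arrived faster than the router could process it"))
        if s.get("output_drops", 0):
            findings.append((name, "output queue drops: congestion on the outgoing interface (speed mismatch?)"))
        if s.get("input_errors", 0) or s.get("crc", 0):
            findings.append((name, "input errors / CRC: suspect cabling or a duplex mismatch"))
        if s.get("output_errors", 0) or (s.get("duplex") == "half" and s.get("collisions", 0)):
            findings.append((name, "output errors or collisions on half-duplex: suspect a duplex mismatch"))
    return findings


if __name__ == "__main__":
    for iface, finding in diagnose(parse_show_interfaces(SHOW_INTERFACES)):
        print(f"{iface}: {finding}")
```

On the constructed sample FastEthernet0/0 is flagged twice (CRC errors plus collisions while running half-duplex, the classic duplex-mismatch signature), FastEthernet0/1 twice for queue drops, and the serial interface not at all.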

packets can provide insight into how a network is treating traffic flow. For example, a packet capture data file can show whether packets are being dropped or if sessions are being reset. You can also look inside Layer 2, 3, and 4 headers using a packet-capture application. For example, you can view a packet's Layer 3 header to determine that packet's Layer 3 quality of service (QoS) priority marking. An example of a popular and free packet-capture utility you can download is Wireshark (http://www.wireshark.org), as shown in Figure 2-5.

Figure 2-5 Wireshark Packet-Capture Application (figure: screenshot of the Wireshark capture window)

Capturing and analyzing packets, however, presents two major obstacles. First, the volume of data collected as part of a packet capture can be so large that finding what you are looking for can be a challenge. Therefore, you should understand how to use your packet capture application's filtering features.

SPAN

A second challenge occurs when you want to monitor, for example, traffic flow between two network devices connected to a switch. By default, the packets traveling between those two devices will not be seen by your packet-capturing device. This is because of how the switch is designed to behave. A switch is designed to forward frames based on the destination MAC address of a frame. When a frame is received, the switch looks in the MAC address table to determine which port the frame should be forwarded out based on the destination MAC address. Therefore, if the frame is not destined (based on the

MAC address) for the device with the packet-capturing software, the frame will not be sent out the port connected to that device. This behavior ensures that end-user devices do not see frames that are not intended for them.

Fortunately, Cisco IOS supports a feature known as Switched Port Analyzer (SPAN). SPAN instructs a switch to send copies of packets seen on one port (or one VLAN) to another port where the packet capturing device is connected, as shown in Figure 2-6.

Figure 2-6 Cisco Catalyst Switch Configured for SPAN (figure: server on Gig 0/1, client on Gig 0/2, laptop running the packet capture application on Gig 0/3; a copy of the traffic sent to the server and a copy of the traffic sent from the server are forwarded to Gig 0/3)

Notice that Figure 2-6 depicts a client (connected to Gigabit Ethernet 0/2) communicating with a server (connected to Gigabit Ethernet 0/1). A troubleshooter inserts a packet capture device into Gigabit Ethernet 0/3. However, because the switch's default behavior prevents frames that are flowing between the client and server from being sent out any other port, the laptop running the packet capture application will not see any of these frames. To cause port Gigabit Ethernet 0/3 to receive a copy of all frames sent or received by the server, SPAN is configured on the switch, as shown in Example 2-42.

Example 2-42 SPAN Configuration

SW1#conf term
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#monitor session 1 source interface gig 0/1
SW1(config)#monitor session 1 destination interface gig 0/3
SW1(config)#end
SW1#show monitor

Notice that Example 2-42 uses the monitor session id source interface interface_type interface_number command to indicate that a SPAN monitoring session with a locally significant identifier of 1 will copy packets crossing (that is, entering and exiting) port Gigabit Ethernet 0/1. Then the monitor session id destination interface interface_type interface_number command is used to specify port Gigabit Ethernet 0/3 as the destination port for those copied packets. A laptop running packet capture software connected to port Gigabit Ethernet 0/3 will now receive a copy of all traffic the server is sending or receiving.

Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi0/1
Destination Ports      : Gi0/3
    Encapsulation      : Native
          Ingress      : Disabled

Also, note that by default the monitor session id source command monitors both incoming and outgoing traffic on the monitored port.

RSPAN

In larger environments, a network capture device connected to one switch might need to capture packets flowing through a different switch. Remote SPAN (RSPAN) makes such a scenario possible. Consider Figure 2-7, where a troubleshooter has her laptop running a packet capture application connected to port Fast Ethernet 5/2 on switch SW2. The traffic that needs to be captured is traffic coming from and going to the server connected to port Gigabit Ethernet 0/1 on switch SW1. A VLAN is configured whose purpose is to carry captured traffic between the switches. Also, a trunk exists between switches SW1 and SW2 to carry the SPAN VLAN in addition to a VLAN carrying user data. Example 2-43 shows the configuration on switch SW1 used to create the RSPAN VLAN (that is, VLAN 20) and to specify that RSPAN should monitor port Gigabit Ethernet 0/1 and send packets sent and received on that port out of Gigabit Ethernet 0/3 on VLAN 20. (Note that the reflector-port parameter is not required on all switches [for example, a 2960].) The show monitor command is then used to verify the RSPAN source and destination.

Example 2-43 RSPAN Configuration on Switch SW1

SW1#conf term
SW1(config)#vlan 20
SW1(config-vlan)#name SPAN
SW1(config-vlan)#remote-span
SW1(config-vlan)#exit
SW1(config)#monitor session 1 source interface gig 0/1
SW1(config)#monitor session 1 destination remote vlan 20 reflector-port gig 0/3
SW1(config)#end
SW1#show monitor
Session 1
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Gi0/1
Reflector Port         : Gi0/3
Dest RSPAN VLAN        : 20

Figure 2-7 Cisco Catalyst Switch Configured for RSPAN (figure: on SW1, the server on Gig 0/1, the client on Gig 0/2, and Gig 0/3; a trunk carrying the SPAN VLAN between SW1 and SW2 Fa 5/1; on SW2, the laptop running the packet capture application on Fa 5/2, which receives a copy of the traffic sent to the server and a copy of the traffic sent from the server)

Example 2-44 shows the configuration on switch SW2 used to create the RSPAN VLAN and to specify that RSPAN should receive captured traffic from VLAN 20 and send it out port Fast Ethernet 5/2.

Example 2-44 RSPAN Configuration on Switch SW2

SW2#conf term
SW2(config)#vlan 20
SW2(config-vlan)#name SPAN
SW2(config-vlan)#remote-span
SW2(config-vlan)#exit
SW2(config)#monitor session 2 source remote vlan 20
SW2(config)#monitor session 2 destination interface fa 5/2
SW2(config)#end
SW2#show monitor
Session 2
---------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 20
Destination Ports      : Fa5/2

Using Tools to Document a Network

An important undertaking for every network team is documenting the existing network. As stressed throughout this book, accurate documentation is a must. Therefore, this section covers the CLI commands that enable you to build a network diagram.

Your network currently has no network diagram. You are connected to R1 via the console port, as shown in Figure 2-8.

Figure 2-8 Connected to R1 via the Console Port (figure: R1 with a console connection)

Your first task is to find out the types of interfaces that are up/up, and the IP addresses associated with them. To accomplish this, you issue the show ip interface brief command, as shown in Example 2-45.

Example 2-45 Output of show ip interface brief Command on R1

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES manual up                    up
FastEthernet0/1            unassigned      YES TFTP   administratively down down
Serial0/0/0                172.16.1.1      YES manual up                    up
Serial0/0/1                unassigned      YES NVRAM  administratively down down
Serial0/2/0                unassigned      YES NVRAM  administratively down down
Serial0/2/1                unassigned      YES NVRAM  administratively down down

You can gather from the output in Example 2-45 that R1 has Fast Ethernet 0/0 up/up with an IP address of 192.168.1.1. It also has Serial 0/0/0 up/up with an IP address of 172.16.1.1. You can add this information to your diagram, as shown in Figure 2-9.

Figure 2-9 Discovered Ethernet and Serial Interfaces on R1 (figure: R1 with FastEthernet 0/0 192.168.1.1 and Serial 0/0/0 172.16.1.1)

Next, you want to determine which Cisco devices are connected to R1. You accomplish this using the show cdp neighbors command, as shown in Example 2-46. You can also use the IEEE standard Link Layer Discovery Protocol (LLDP) to discover neighboring Cisco and non-Cisco devices if you have enabled it.

Example 2-46 Output of the show cdp neighbors Command on R1

R1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW1              Fas 0/0           139        S I         WS-C2960- Fas 0/24
R2               Ser 0/0/0         133        S I         2811      Ser 0/0/0

You observe from the output in Example 2-46 that R1 is connected to a Catalyst 2960 switch named SW1 out Fast Ethernet 0/0. It also indicates that SW1 is using Fast Ethernet 0/24 to connect to R1. You also observe that R1 is connected to a 2811 series router named R2 out Serial 0/0/0 and that R2 is using Serial 0/0/0 to connect to R1. You add this information to the diagram, as shown in Figure 2-10.

Figure 2-10 Adding SW1 and R2 to the Diagram (figure: SW1 (2960) FastEthernet 0/24 connected to R1 FastEthernet 0/0 192.168.1.1; R1 Serial 0/0/0 172.16.1.1 connected to R2 (2811) Serial 0/0/0)

You need to discover the IP address of Serial 0/0/0 on R2 and the management IP address on SW1. To accomplish this, you use the show cdp neighbors detail command, as shown in Example 2-47. In addition, the show cdp neighbors detail command will also provide the Cisco IOS Software version that is running on the neighbor. You observe from the output that Serial 0/0/0 on R2 has the IP address 172.16.1.2 and that the management IP address on SW1 is 192.168.1.2. You add this information to the diagram, as shown in Figure 2-11.

Example 2-47 Output of the show cdp neighbors detail Command on R1

R1#show cdp neighbors detail
-------------------------
Device ID: SW1
Entry address(es):
  IP address: 192.168.1.2

Platform: cisco WS-C2960-24TT-L,  Capabilities: Switch IGMP
Interface: FastEthernet0/0,  Port ID (outgoing port): FastEthernet0/24
Holdtime : 153 sec

Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sat 28-Jul-12 00:29 by prod_rel_team

advertisement version: 2
Protocol Hello:  OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010220FF000000000000081FF34EB800FF0000
VTP Management Domain: ''
Native VLAN: 1
Duplex: full

-------------------------
Device ID: R2
Entry address(es):
  IP address: 172.16.1.2
Platform: Cisco 2811,  Capabilities: Switch IGMP
Interface: Serial0/0/0,  Port ID (outgoing port): Serial0/0/0
Holdtime : 127 sec

Version :
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 04-Sep-12 15:56 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''

Figure 2-11 Updating IPs in Diagram for SW1 and R2 (figure: SW1 (2960, Management IP 192.168.1.2) FastEthernet 0/24 connected to R1 FastEthernet 0/0 192.168.1.1; R1 Serial 0/0/0 172.16.1.1 connected to R2 (2811) Serial 0/0/0 172.16.1.2)

Finally, you need to include the type of router R1 is. You use the show version command, as shown in Example 2-48, which indicates it is also a 2811 series router. You can also verify the Cisco IOS Software version, the system bootstrap version, the number of interfaces, and the configuration register.

Example 2-48 Output of the show version Command on R1

R1#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
...output omitted...
ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)

R1 uptime is 14 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-adventerprisek9-mz.151-4.M5.bin"
Last reload type: Normal Reload
...output omitted...
Cisco 2811 (revision 1.0) with 247808K/14336K bytes of memory.
Processor board ID FTX1023A49D
2 FastEthernet interfaces
4 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)
...output omitted...
-------------------------------------------------
Device#   PID            SN
-------------------------------------------------
*0        CISCO2811      ...output omitted...

Configuration register is 0x2102

You add the type of router to your diagram as shown in Figure 2-12.

Figure 2-12 Updating R1's Router Type in the Diagram (figure: SW1 (2960, Management IP 192.168.1.2) FastEthernet 0/24 connected to R1 (2811) FastEthernet 0/0 192.168.1.1; R1 Serial 0/0/0 172.16.1.1 connected to R2 (2811) Serial 0/0/0 172.16.1.2)

As you can see, you were able to gather quite a bit of information from just four commands: show ip interface brief, show cdp neighbors, show cdp neighbors detail, and show version. Your next step in the process of building your diagram is to connect to SW1 and R2 via their console ports or via Telnet/SSH and issue the same four commands to gather information about the devices connected to them.
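Repeating those four commands on every device and transcribing the results by hand is where diagrams drift from reality, and the text output lends itself to parsing into the interface-to-neighbor links the diagram draws. The Python below is an added example, not from the book: it parses show ip interface brief and show cdp neighbors detail as gathered on R1 and produces one record per link, carrying the local port and address, the neighbor's port and address, and the neighbor's platform and IOS version. The sample outputs are constructed in the format of Examples 2-45 and 2-47 (the R2 capabilities line is made realistic rather than copied), and the record layout is this example's own.

```python
import re

# Constructed outputs in the format of Examples 2-45 and 2-47 (not the book's captures).
SHOW_IP_INT_BRIEF = """\
Interface        IP-Address    OK? Method Status                Protocol
FastEthernet0/0  192.168.1.1   YES manual up                    up
FastEthernet0/1  unassigned    YES TFTP   administratively down down
Serial0/0/0      172.16.1.1    YES manual up                    up
Serial0/0/1      unassigned    YES NVRAM  administratively down down
"""

SHOW_CDP_NEIGHBORS_DETAIL = """\
-------------------------
Device ID: SW1
Entry address(es):
  IP address: 192.168.1.2
Platform: cisco WS-C2960-24TT-L,  Capabilities: Switch IGMP
Interface: FastEthernet0/0,  Port ID (outgoing port): FastEthernet0/24
Holdtime : 153 sec

Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport

-------------------------
Device ID: R2
Entry address(es):
  IP address: 172.16.1.2
Platform: Cisco 2811,  Capabilities: Router Switch IGMP
Interface: Serial0/0/0,  Port ID (outgoing port): Serial0/0/0
Holdtime : 127 sec

Version :
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
"""

# One regex per field of a 'show cdp neighbors detail' entry (multiline mode).
DETAIL_FIELDS = {
    "ip": r"^\s+IP address: (\S+)",
    "platform": r"^Platform: ([^,]+),",
    "capabilities": r"Capabilities: (.+)$",
    "local_port": r"^Interface: ([^,]+),",
    "remote_port": r"Port ID \(outgoing port\): (\S+)",
    "version": r"^Version :\s*\n(.+)$",
}


def parse_ip_int_brief(output):
    """Interface name -> IP address, for the interfaces that have one."""
    ips = {}
    for line in output.splitlines():
        m = re.match(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+YES", line)
        if m:
            ips[m.group(1)] = m.group(2)
    return ips


def parse_cdp_detail(output):
    """Device ID -> dict of DETAIL_FIELDS values (None where a field is absent)."""
    neighbors = {}
    for block in re.split(r"^-{5,}\s*$", output, flags=re.M):   # split on the dashed rules
        dev = re.search(r"^Device ID: (\S+)", block, re.M)
        if not dev:
            continue
        info = {}
        for key, rx in DETAIL_FIELDS.items():
            m = re.search(rx, block, re.M)
            info[key] = m.group(1).strip() if m else None
        neighbors[dev.group(1)] = info
    return neighbors


def build_links(local_name, int_brief, cdp_detail):
    """One record per CDP neighbor: everything the diagram needs for that link."""
    ips = parse_ip_int_brief(int_brief)
    links = []
    for dev, n in parse_cdp_detail(cdp_detail).items():
        links.append({
            "local": f"{local_name} {n['local_port']} {ips.get(n['local_port'], 'unassigned')}",
            "remote": f"{dev} {n['remote_port']} {n['ip']}",
            "platform": n["platform"],
            "ios": n["version"],
        })
    return links


if __name__ == "__main__":
    for link in build_links("R1", SHOW_IP_INT_BRIEF, SHOW_CDP_NEIGHBORS_DETAIL):
        print(f"{link['local']} <-> {link['remote']}  [{link['platform']}; {link['ios']}]")
```

Run against each device's output in turn, the records can be merged on the neighbor names to assemble the full diagram; the version field also gives an inventory of IOS releases in use, which is the kind of baseline information this chapter recommends keeping.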

Exam Preparation Tasks

As mentioned in the section "How to Use This Book" in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, "Final Preparation," and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 2-5 lists a reference of these key topics and the page numbers on which each is found.

Table 2-5 Key Topics for Chapter 2

Key Topic Element: Description (Page Number)
List: Identifies the three categories that collected information essentially falls into (45)
Example 2-2: Backing up a router's startup configuration to an FTP server (49)
Example 2-7: Viewing a configuration archive (50)
Paragraph: Reviews how copying configurations into RAM is a merge operation (52)
Paragraph: Identifies how the configure replace command is used to restore an archived configuration (53)
Table 2-2: Severity levels (54)
Example 2-13: Logging configuration (55)
Paragraph: Identifies the importance of an NTP server and how to configure your device to use one (56)
Paragraph: Discusses how you can use SNMP and NetFlow to establish baselines (58)
Paragraph: Discusses how to set a device to send SNMP traps to an SNMP server (62)
Paragraph: Discusses how you can use EEM to monitor and maintain a device (63)
Section: Ping (64)
Section: Telnet (67)
Section: Traceroute (67)
Table 2-4: Cisco IOS commands for hardware troubleshooting (75)

Paragraph | Identifies the need for SPAN when collecting data in transit through a switch | 76
Paragraph | Identifies the need for RSPAN when collecting data in transit through multiple switches | 78
Paragraph | Discusses the commands and procedures needed to document a network diagram | 80

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary: CLI, GUI, wiki, Cisco TAC, archive, running configuration, merge, configure replace, syslog, NTP, SNMP, NetFlow, EEM, ping, Telnet, traceroute, SPAN, RSPAN, FTP, TFTP, HTTP, CDP

Complete Tables and Lists from Memory

Print a copy of Appendix C, “Memory Tables,” (found on the disc), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, “Memory Tables Answer Key,” also on the disc, includes completed tables and lists to check your work.

Command Reference to Check Your Memory

This section includes the most important configuration and EXEC commands covered in this chapter. To test your memory of the commands, cover the right side of Tables 2-6 and 2-7 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.

The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to configure and troubleshoot routers and switches. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed.

Table 2-6 CLI Configuration Commands
(Each entry lists the task first, followed by the command syntax on the indented line.)

Global configuration mode command used to enter archive configuration mode
    archive

Archive configuration mode command that specifies the IP address of an FTP server and filename prefix a router uses to write its archival configuration files
    path ftp://IP_address/filename_prefix

Archive configuration mode command that causes an archival backup of a router’s configuration to be written each time the router’s running configuration is copied to its startup configuration
    write-memory

Archive configuration mode command that specifies the interval used by a router to automatically back up its configuration
    time-period seconds

Global configuration mode command used to specify an FTP username credential, which no longer necessitates the user entering the username
    ip ftp username username

Global configuration mode command used to specify an FTP password credential, which no longer necessitates the user entering the password
    ip ftp password password

Global configuration mode command used to specify an HTTP username credential, which no longer necessitates the user entering the username
    ip http client username username

Global configuration mode command used to specify an HTTP password credential, which no longer necessitates the user entering the password
    ip http client password password

Global configuration mode command used to log events to a router’s internal buffer, optionally with a maximum number of bytes to be used by the buffer and optionally the minimum severity level of an event to be logged
    logging buffered {max_buffer_size} {minimum_severity_level}

Global configuration mode command used to log events to a router’s console, optionally with a minimum severity level of an event to be logged
    logging console {minimum_severity_level}

Global configuration mode command used to specify the IP address of a syslog server to which a router’s log files are written
    logging ip_address

Global configuration mode command used to specify a router’s local time zone and number of hours the time zone varies from Greenwich mean time (GMT)
    clock timezone time_zone_name {+ | -} hours

Global configuration mode command used to specify a router’s time zone when daylight savings time is in effect, and when daylight savings time begins and ends
    clock summer-time time_zone_name recurring {1-4} beginning_day beginning_month time {1-4} ending_day ending_month time

Global configuration mode command used to specify the IP address of an NTP server
    ntp server ip_address

Global configuration mode command that configures SPAN, which specifies the source or destination interface for traffic monitoring
    monitor session id {source | destination} interface interface_type interface_number

VLAN configuration mode command that indicates a VLAN is to be used as an RSPAN VLAN
    remote-span

Global configuration mode command that configures RSPAN on a monitored switch, where the RSPAN VLAN is specified in addition to the port identifier for the port being used to flood the monitored traffic to the monitoring switch
    monitor session id destination remote vlan VLAN_id reflector-port port_id

Note The reflector-port parameter is not required on all switches (for example, a 2960).

Global configuration mode command that configures RSPAN on a monitoring switch, where the RSPAN VLAN is specified
    monitor session id source remote vlan VLAN_id

Global configuration mode command that defines an SNMP server read only or read/write community string
    snmp-server community community_string {ro | rw}

Global configuration mode command that specifies SNMP contact information
    snmp-server contact contact_info

Global configuration mode command that specifies SNMP location information
    snmp-server location location

Global configuration mode command that forces an SNMP interface index to stay consistent during data collection, even if a device is rebooted
    snmp-server ifindex persist

Interface configuration mode command that enables NetFlow for that interface inbound or outbound
    ip flow ingress | egress

Global configuration mode command that specifies the source interface used when communicating with an external NetFlow collector
    ip flow-export source interface_type interface_number

Global configuration mode command that specifies the NetFlow version used by a device
    ip flow-export version {1 | 5 | 9}

Global configuration mode command that specifies the IP address and port number of an external NetFlow collector
    ip flow-export destination ip_address port

Global configuration mode command that specifies the IP address, SNMP version, and community string of an NMS
    snmp-server host ip_address version {1 | 2c | 3} community_string

Global configuration mode command that enables all possible SNMP traps
    snmp-server enable traps

Global configuration mode command that creates an embedded event manager applet and enters applet configuration mode
    event manager applet name

Table 2-7 CLI EXEC Commands
(Each entry lists the task first, followed by the command syntax on the indented line.)

Performs a backup of a router’s startup configuration to an FTP server at the specified IP address, where the login credentials are provided by the username and password parameters
    copy startup-config ftp://username:password@ip_address

Performs a backup of a router’s startup configuration to an FTP server at the specified IP address, where the login credentials have previously been added to the router’s configuration
    copy startup-config ftp://ip_address

Displays files contained in a router’s configuration archive
    show archive

Replaces (as opposed to merges) a router’s running configuration with a specified configuration archive
    configure replace ftp://ip_address/filename

Displays 5-second, 1-minute, and 5-minute CPU utilization averages, in addition to a listing of running processes with their CPU utilization
    show processes cpu

Shows all subnets within the specified address space in the routing table
    show ip route network_address subnet_mask longer-prefixes

Sends ICMP echo packets to the specified IP address, with options that include the following:
    size: The number of bytes in the ICMP echo packet
    repeat: The number of ICMP echo packets sent
    timeout: The number of seconds the router waits for an ICMP echo reply packet after sending an ICMP echo packet
    df-bit: Sets the do not fragment bit in the ICMP echo packet
    ping ip_address {size bytes} {repeat number} {timeout seconds} {df-bit}

Connects to a remote IP address via Telnet using TCP port 23 by default or optionally through a specified TCP port
    telnet ip_address {port}

Displays summary information about processor and I/O memory, followed by a more comprehensive report of memory utilization
    show memory

Shows Layer 1 and Layer 2 interface status, interface load information, and error statistics, including the following:
    input queue drops: Indicates a router received information faster than the information could be processed by the router
    output queue drops: Indicates a router is not able to send information out the outgoing interface because of congestion (perhaps because of an input/output speed mismatch)
    input errors: Indicates frames were not received correctly (for example, a CRC error occurred), perhaps indicating a cabling problem or a duplex mismatch
    output errors: Indicates frames were not transmitted correctly, perhaps due to a duplex mismatch
    show interfaces

Note Prior to collecting statistics, interface counters can be reset using the clear counters command.

Displays statistical information for an interface (for example, error statistics) where the information varies for different interface types (for example, the type of connected cable might be displayed for a serial interface)
    show controllers

Provides detailed information about a router or switch hardware platform
    show platform

This chapter covers the following topics:

■ Troubleshooting Switch Performance Issues: This section identifies common reasons why a switch might not be performing as expected.

■ Troubleshooting Router Performance Issues: This section identifies common reasons why a router might not be performing as expected.

CHAPTER 3 Troubleshooting Device Performance

Switches and routers consist of many different components. For example, they contain a processor, memory (volatile such as RAM and nonvolatile such as NVRAM and flash), and various interfaces. They are also responsible for performing many different tasks, such as routing, switching, and building all the necessary tables and structures needed to perform various tasks. The building of the tables and structures is done by the CPU. The storage of these tables and structures is in some form of memory. The routers and switches forward traffic from one interface to another interface based on these tables and structures. Therefore, if a router’s or switch’s CPU is constantly experiencing high utilization, the memory is overloaded, or the interface buffers are full, these devices will experience performance issues.

This chapter discusses common reasons for high CPU and memory utilization on routers and switches, in addition to how we can recognize them. This chapter also covers interface statistics because they sometimes provide the initial indication of some type of issue.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 3-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 3-1 “Do I Know This Already?” Section-to-Question Mapping
Foundation Topics Section | Questions
Troubleshooting Switch Performance Issues | 1–4
Troubleshooting Router Performance Issues | 5–8

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. What are the components of a switch’s control plane? (Choose two.)
a. Backplane
b. Memory
c. CPU
d. Forwarding logic

2. Which of the following are situations when a switch’s TCAM would punt a packet to the switch’s CPU? (Choose the three best answers.)
a. OSPF sends a multicast routing update.
b. An administrator telnets to a switch.
c. An ACL is applied to a switchport.
d. A switch’s TCAM has reached capacity.

3. What are good indications that you have a duplex mismatch? (Choose two.)
a. The full-duplex side of the connection has a high number of FCS errors.
b. The full-duplex side of the connection has a high number of late collisions.
c. The half-duplex side of the connection has a high number of late collisions.
d. The half-duplex side of the connection has a high number of FCS errors.

4. The output of a show processes cpu command on a switch displays the following in the first line of the output: CPU utilization for five seconds: 10%/7%; one minute: 12%; five minutes: 6%. Based on the output, what percent of the switch’s CPU is being consumed with interrupts?
a. 10 percent
b. 7 percent
c. 12 percent
d. 6 percent

5. Which router process is in charge of handling interface state changes?
a. TCP Timer process
b. IP Background process
c. Net Background process
d. ARP Input process

6. Which of the following is the least efficient (that is, the most CPU intensive) of a router’s packet-switching modes?
a. Fast switching
b. CEF
c. Optimum switching
d. Process switching

7. What command is used to display the contents of a router’s FIB?
a. show ip cache
b. show processes cpu
c. show ip route
d. show ip cef

8. Identify common reasons that a router displays a MALLOCFAIL error. (Choose the two best answers.)
a. Cisco IOS bug
b. Security issue
c. QoS issue
d. BGP filtering

Foundation Topics

Troubleshooting Switch Performance Issues

Switch performance issues can be tricky to troubleshoot because the problem reported is often subjective. For example, if a user reports that the network is running “slowly,” the user’s perception might mean that the network is slow compared to what he expects. However, network performance might very well be operating at a level that is hampering productivity and at a level that is indeed below its normal level of operation.

If you do determine that the network performance is not meeting technical expectations (as opposed to user expectations), you need to determine what network component is responsible for the poor performance. Rather than a switch or a router, the user’s client, server, or application could be the cause of the performance issue. At that point, as part of the troubleshooting process, you should isolate the source of the problem and diagnose the problem on that device. This section assumes that you have isolated the device causing the performance issue, and that device is a Cisco Catalyst switch.

Cisco Catalyst Switch Troubleshooting Targets

Cisco offers a variety of Catalyst switch platforms, with different port densities, different levels of performance, and different hardware. Therefore, troubleshooting switches will be platform dependent. Many similarities do exist, however. For example, all Cisco Catalyst switches include the following components:

■ Ports: A switch’s ports physically connect the switch to other network devices. These ports (also known as interfaces) allow a switch to receive and transmit traffic.

■ Forwarding logic: A switch contains hardware that makes forwarding decisions based on different tables in the data plane.

■ Backplane: A switch’s backplane physically interconnects a switch’s ports. Therefore, frames flowing through a switch enter through a port (that is, the ingress port), flow across the switch’s backplane, and are forwarded out of another port (that is, an egress port).

■ Control plane: A switch’s CPU and memory reside in the control plane. This control plane is responsible for running the switch’s operating system and building the necessary structures used to make forwarding decisions—for example, the MAC address table and the spanning-tree topology to name a few.

Figure 3-1 depicts these components within a switch. Notice that the control plane does not directly participate in the frame-forwarding process. However, the forwarding logic contained in the forwarding hardware comes from the control plane. Therefore, an indirect relationship exists between frame forwarding and the control plane. As a result, a continuous load on the control plane could, over time, impact the rate at which the switch forwards frames. Also, depending on the specific switch architecture, if the forwarding hardware is operating at maximum capacity, the control plane begins to provide the forwarding logic. So, although the control plane does not architecturally appear to impact switch performance, it should be considered when troubleshooting.

Figure 3-1 Cisco Catalyst Switch Hardware Components (figure: the Control Plane holds Memory and CPU; the Data Plane holds the Ingress Port, the Forwarding Hardware with its Forwarding Logic and Backplane, and the Egress Port)

The following are two common troubleshooting targets to consider when diagnosing a suspected switch issue:

■ Port errors

■ Mismatched duplex settings

The sections that follow evaluate these target areas in greater detail.

Port Errors

When troubleshooting a suspected Cisco Catalyst switch issue, a good first step is to check port statistics. For example, examining port statistics can let a troubleshooter know whether an excessive number of frames are being dropped. If a TCP application is running slowly, the reason might be that TCP flows are going into TCP slow start, which causes the window size, and therefore the bandwidth efficiency, of TCP flows to be reduced. A common reason that a TCP flow enters slow start is packet drops. Similarly, because dropped UDP segments are not retransmitted, packet drops for a UDP flow used for voice or video could result in noticeable quality degradation. Although dropped frames are most often attributed to network congestion, another possibility is that the cabling could be bad.

To check port statistics, a troubleshooter could leverage the show interfaces command. Consider Example 3-1, which shows the output of the show interfaces gig 1/0/9 counters command on a Cisco Catalyst 3750-E switch. Notice that this output shows the number of inbound and outbound frames seen on the specified port.

Example 3-1 show interfaces gig 1/0/9 counters Command Output

SW1#show interfaces gig 1/0/9 counters
Port            InOctets    InUcastPkts    InMcastPkts    InBcastPkts
Gi1/0/9         31265148          20003           3179              1

Port           OutOctets   OutUcastPkts   OutMcastPkts   OutBcastPkts
Gi1/0/9         18744149           9126             96              6

To view errors that occurred on a port, you could add the keyword of errors after the show interfaces interface_type interface_number counters command. Example 3-2 illustrates sample output from the show interfaces gig 1/0/9 counters errors command.

Example 3-2 show interfaces gig 1/0/9 counters errors Command Output

SW1#show interfaces gig 1/0/9 counters errors
Port        Align-Err     FCS-Err    Xmit-Err     Rcv-Err  UnderSize
Gi1/0/9             0           0           0           0          0

Port      Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts     Giants
Gi1/0/9         5603          0       5373           0          0          0          0

Table 3-2 provides a reference for the specific errors that might show up in the output of the show interfaces interface_type interface_number counters errors command.

Table 3-2 Errors in the show interfaces interface_type interface_number counters errors Command
Error Counter | Description

Align-Err: An alignment error occurs when frames do not end with an even number of octets, while simultaneously having a bad cyclic redundancy check (CRC). An alignment error normally suggests a Layer 1 issue, such as cabling or port (either switchport or network interface card [NIC] port) issues.

FCS-Err: A frame check sequence (FCS) error occurs when a frame has an invalid checksum, although the frame has no framing errors. Like the Align-Err error, an FCS-Err often points to a Layer 1 issue.

Xmit-Err: A transmit error (that is, Xmit-Err) occurs when a port’s transmit buffer overflows. A speed mismatch between inbound and outbound links often results in a transmit error, but it also occurs when there is a duplex mismatch.

Rcv-Err: A receive error (that is, Rcv-Err) occurs when a port’s receive buffer overflows. Congestion on a switch’s backplane could cause the receive buffer on a port to fill to capacity, as frames await access to the switch’s backplane. However, most likely, a Rcv-Err is indicating a duplex mismatch.

UnderSize: An undersize frame is a frame with a valid checksum but a size less than 64 bytes. This issue suggests that a connected host is sourcing invalid frame sizes.

Single-Col: A Single-Col error occurs when a single collision occurs before a port successfully transmits a frame. Common reasons for a Single-Col error include high bandwidth utilization on an attached link or a duplex mismatch.

Multi-Col: A Multi-Col error occurs when more than one collision occurs before a port successfully transmits a frame. Similar to the Single-Col error, common reasons for a Multi-Col error include high bandwidth utilization on an attached link or a duplex mismatch.

Late-Col: A late collision is a collision that is not detected until well after the frame has begun to be forwarded. While a Late-Col error could indicate that the connected cable is too long, this is an extremely common error seen in mismatched duplex conditions.

Excess-Col: The Excess-Col error occurs when a frame experiences 16 successive collisions, after which the frame is dropped. This error could result from high bandwidth utilization, a duplex mismatch, or too many devices on a segment.

Carri-Sen: The Carri-Sen counter is incremented when a port wants to send data on a half-duplex link. This is normal and expected on a half-duplex port, because the port is checking the wire to make sure that no traffic is present prior to sending a frame. This operation is the carrier sense procedure described by the carrier sense multiple access with collision detect (CSMA/CD) operation used on half-duplex connections. Full-duplex connections, however, do not use CSMA/CD.

Runts: A runt is a frame that is less than 64 bytes in size and has a bad CRC. A runt could result from a duplex mismatch or a Layer 1 issue.

Giants: A giant is a frame size greater than 1518 bytes (assuming that the frame is not a jumbo frame) that has a bad FCS. The jumbo frame has a frame size greater than 1518 bytes, but it has a valid FCS. Typically, a giant is caused by a problem with the NIC in an attached host.

Mismatched Duplex Settings

As shown in Table 3-2, duplex mismatches can cause a wide variety of port errors. Keep in mind that almost all network devices, other than shared media hubs, can run in full-duplex mode. Therefore, if you have no hubs in your network, all devices should be running in full-duplex mode.

Cisco Catalyst switchports should be configured to autonegotiate both speed and duplex, which is the default setting. Two justifications for this recommendation are as follows:

■ If a connected device supports only half-duplex, it is better for a switchport to negotiate down to half-duplex and run properly than to be forced to run full-duplex, which would result in multiple errors.

■ The automatic medium-dependent interface crossover (auto-MDIX) feature can automatically detect whether a port needs a crossover or a straight-through cable to interconnect with an attached device and adjust the port to work regardless of which cable type is connected. You can enable this feature in interface configuration mode with the mdix auto command on some models of Cisco Catalyst switches. However, the auto-MDIX feature requires that the port autonegotiate both speed and duplex.

In a mismatched duplex configuration, a switchport at one end of a connection is configured for full-duplex, whereas a switchport at the other end of a connection is configured for half-duplex. Among the different errors previously listed in Table 3-2, two of the biggest indicators of a duplex mismatch are a high FCS-Err counter and a high Late-Col counter. Specifically, a high FCS-Err counter is common to find on the full-duplex end of a connection with a mismatched duplex, whereas a high Late-Col counter is common on the half-duplex end of the connection.

To illustrate, examine Examples 3-3 and 3-4, which display output based on the topology depicted in Figure 3-2. Example 3-3 shows the half-duplex end of a connection, and Example 3-4 shows the full-duplex end of a connection. The half-duplex end sends a frame because it thinks it is safe to send based on the CSMA/CD rule. The full-duplex end sends a frame because it is always safe to send and a collision should not occur. When the collision occurs in this example, SW1 will cease to transmit the remainder of the frame (because the port is half-duplex) and will record that a late collision occurred. However, SW2 will continue to send and receive frames. The frames it receives will not be complete because SW1 did not send the entire frame. Therefore, the FCS (mathematical checksum) of the frame does not match, and we have FCS errors on the full-duplex side.

Figure 3-2 Topology with Duplex Mismatch (figure: SW1 Gig 0/9, Half-Duplex, connected to SW2 Fa 5/47, Full-Duplex)

Example 3-3 Output from the show interfaces gig 1/0/9 counters errors and the show interfaces gig 1/0/9 | include duplex Commands on a Half-Duplex Port

SW1#show interfaces gig 1/0/9 counters errors
Port        Align-Err     FCS-Err    Xmit-Err     Rcv-Err  UnderSize
Gi1/0/9             0           0           0           0          0

Port      Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts     Giants
Gi1/0/9         5603          0       5373           0          0          0          0
SW1#show interfaces gig 1/0/9 | include duplex
Half-duplex, 100Mb/s, link type is auto, media type is 10/100/1000BaseTX
SW1#
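The duplex-mismatch signature described above (a high FCS-Err count on the full-duplex end, a high Late-Col count on the half-duplex end) can be checked mechanically rather than by eye. The following Python script is an added example, not code from the book or from Cisco: it parses the paired header/value lines that show interfaces interface_type interface_number counters errors prints, reads the duplex setting from the show interfaces ... | include duplex line, and reports the Table 3-2 counters that point at a mismatch. The sample strings are copied from Example 3-3 (above) and Example 3-4 (which follows); the threshold of 100 errors is an assumed value, not something the chapter states.

```python
"""Flag the duplex-mismatch signature from Table 3-2 in the output of
'show interfaces ... counters errors': high FCS-Err on the full-duplex end
and high Late-Col on the half-duplex end.

Added example, not code from the book. The sample output is copied from
Examples 3-3 and 3-4; ERROR_THRESHOLD is an assumed value.
"""
import re

# Sample output copied from Example 3-3 (SW1, the half-duplex end).
SW1_ERRORS = """\
Port        Align-Err     FCS-Err    Xmit-Err     Rcv-Err  UnderSize
Gi1/0/9             0           0           0           0          0

Port      Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts     Giants
Gi1/0/9         5603          0       5373           0          0          0          0
"""
SW1_DUPLEX = "Half-duplex, 100Mb/s, link type is auto, media type is 10/100/1000BaseTX"

# Sample output copied from Example 3-4 (SW2, the full-duplex end).
SW2_ERRORS = """\
Port        Align-Err     FCS-Err    Xmit-Err     Rcv-Err  UnderSize  OutDiscards
Fa5/47              0        5248           0        5603         27            0

Port      Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts     Giants
Fa5/47             0          0          0           0          0        227          0

Port  SQETest-Err Deferred-Tx IntMacTx-Err IntMacRx-Err Symbol-Err
Fa5/47          0           0            0            0          0
"""
SW2_DUPLEX = "Full-duplex, 100Mb/s"

ERROR_THRESHOLD = 100  # assumed: a counter above this is treated as "high"


def parse_counters_errors(text):
    """Return (port, {counter_name: value}) from the header/value line pairs.

    IOS prints each block as a 'Port ...' header line followed by one value
    line per port, so column names and values are matched by position.
    """
    port, counters, header = None, {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":      # header line: remember the column names
            header = fields[1:]
            continue
        if header is None:           # value line with no header seen yet
            continue
        port = port or fields[0]
        values = fields[1:]
        if len(values) != len(header):
            raise ValueError(f"column count mismatch on line: {line!r}")
        counters.update(zip(header, map(int, values)))
        header = None
    return port, counters


def parse_duplex(line):
    """Return 'half' or 'full' from a 'show interfaces ... | include duplex' line."""
    m = re.match(r"(Half|Full)-duplex", line)
    if not m:
        raise ValueError(f"no duplex setting found in {line!r}")
    return m.group(1).lower()


def assess_port(errors_text, duplex_line, threshold=ERROR_THRESHOLD):
    """Assess one end of a link; returns its port, duplex, and findings."""
    port, c = parse_counters_errors(errors_text)
    duplex = parse_duplex(duplex_line)
    findings = []
    if duplex == "full" and c.get("FCS-Err", 0) > threshold:
        findings.append("high FCS-Err on a full-duplex port")
    if duplex == "half" and c.get("Late-Col", 0) > threshold:
        findings.append("high Late-Col on a half-duplex port")
    # Table 3-2 also lists Rcv-Err and Runts among the mismatch symptoms.
    for name in ("Rcv-Err", "Runts"):
        if c.get(name, 0) > threshold:
            findings.append(f"high {name}")
    return {"port": port, "duplex": duplex, "findings": findings}


def assess_link(a_errors, a_duplex, b_errors, b_duplex):
    """Assess both ends; the mismatch is confirmed when the settings differ."""
    a = assess_port(a_errors, a_duplex)
    b = assess_port(b_errors, b_duplex)
    return {"mismatch": a["duplex"] != b["duplex"], "ends": [a, b]}


if __name__ == "__main__":
    result = assess_link(SW1_ERRORS, SW1_DUPLEX, SW2_ERRORS, SW2_DUPLEX)
    for end in result["ends"]:
        print(end["port"], end["duplex"], "; ".join(end["findings"]) or "clean")
    print("duplex mismatch:", result["mismatch"])
```

Because you may only have access to one of the two switches, assess_port works on a single end and still names the symptom that Table 3-2 associates with that end's duplex setting; assess_link adds the direct comparison when both outputs are available. Reset the counters with clear counters before sampling, as the chapter notes, so that a second run shows whether the errors are still incrementing after a configuration change.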

Example 3-4 Output from the show interfaces fa 5/47 counters errors and the show interfaces fa 5/47 | include duplex Commands on a Full-Duplex Port

SW2#show interfaces fa 5/47 counters errors
Port        Align-Err     FCS-Err    Xmit-Err     Rcv-Err  UnderSize  OutDiscards
Fa5/47              0        5248           0        5603         27            0

Port      Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen      Runts     Giants
Fa5/47             0          0          0           0          0        227          0

Port  SQETest-Err Deferred-Tx IntMacTx-Err IntMacRx-Err Symbol-Err
Fa5/47          0           0            0            0          0
SW2#show interfaces fa 5/47 | include duplex
Full-duplex, 100Mb/s
SW2#

In your troubleshooting, if you suspect a duplex mismatch, you could change the duplex settings on the switch over which you do have control, even if you only have access to one of the switches. Then, you could clear the interface counters to see whether the errors continue to increment. You could also perform the same activity (for example, performing a file transfer) that the user was performing when he noticed the performance issue. By comparing the current performance to the performance experienced by the user, you might be able to conclude that the problem has been resolved by correcting a mismatched duplex configuration.

TCAM Troubleshooting

As previously mentioned, the two primary components of forwarding hardware are forwarding logic and backplane. A switch’s backplane, however, is rarely the cause of a switch performance issue, because most Cisco Catalyst switches have high-capacity backplanes. However, it is conceivable that in a modular switch chassis, where each card in the chassis supports the highest combination of port densities and port speeds, the backplane will not have the throughput to support a fully populated chassis. The architecture of some switches allows groups of switchports to be handled by separate hardware. Therefore, you might experience a performance gain by simply moving a cable from one switchport to another. However, to strategically take advantage of this design characteristic, you must be very familiar with the architecture of the switch with which you are working.

A multilayer switch’s forwarding logic can impact switch performance. A switch’s forwarding logic is compiled into a special type of memory called ternary content-addressable memory (TCAM). TCAM works with a switch’s Cisco Express Forwarding (CEF) feature in the data plane (hardware) to provide extremely fast forwarding decisions. This is accomplished because information from the control plane relating to routing processes such as unicast routing, multicast routing, and policy-based routing, as well as information related to traffic policies such as security and quality of service (QoS) access control lists (ACLs), is populated into the TCAM tables at the data plane (hardware), as illustrated in Figure 3-3. However, if a switch’s TCAM is unable to forward traffic (for

example, the TCAM table is full and does not have the information needed to forward the traffic), that traffic is sent (punted) to the CPU so that it can be forwarded by the switch’s CPU, which has a limited forwarding capability.

Figure 3-3 Populating the TCAM (figure: Routing Processes and Traffic Policies in the Control Plane populate the TCAM in the Data Plane)

The process of the TCAM sending packets to a switch’s CPU is called punting. Consider a few reasons why a packet might be punted from a TCAM to its CPU:

■ Routing protocols, in addition to other control plane protocols such as Spanning Tree Protocol (STP), that send multicast or broadcast traffic will have that traffic sent to the CPU for processing.

■ Someone connecting to a switch administratively (for example, establishing a Telnet or Secure Shell [SSH] session with the switch) will have his packets sent to the CPU for processing.

■ Packets using a feature not supported in hardware (for example, packets traveling over a generic routing encapsulation [GRE] tunnel) are sent to the CPU for processing.

■ If a switch’s TCAM has reached capacity, additional packets are punted to the CPU. A TCAM might reach capacity if it has too many installed routes or configured access control lists. This is usually the case when you attempt to use a lower-end switch in place of a higher-end switch to save money. This is not generally a good practice.

From the events listed, the event most likely to cause a switch performance issue is a TCAM filling to capacity. Therefore, when troubleshooting switch performance, you might want to investigate the state of the switch’s TCAM. TCAM verification commands vary among platforms, so make sure to check the documentation for your switch model. On most switch platforms, TCAMs cannot be upgraded. Therefore, if you conclude that a switch’s TCAM is the source of the performance problems being reported, you could either use a switch with higher-capacity TCAMs or reduce the number of entries

in a switch's TCAM. For example, you could try to optimize your ACLs by being more creative with the entries or leverage route summarization to reduce the number of route entries maintained by a switch's TCAM. Also, some switches (for example, Cisco Catalyst 2960, 3560, or 3750 series switches) enable you to change the amount of TCAM memory allocated to different switch features. This can be accomplished by changing the Switch Database Management (SDM) template on the switch. This allows you to "borrow" TCAM memory that was reserved for one feature and use it for another feature.

Refer to Example 3-5, which displays the TCAM resource utilization on a Catalyst 3750E switch. Notice how a finite amount of resources has been reserved for various services and features on the switch. There is a maximum value for unicast MAC addresses, IPv4 unicast and multicast routes, as well as QoS and security access control entries. Therefore, if a packet needs to be forwarded and the needed information is not in the TCAM, it will be punted to the CPU.

Example 3-5 show platform tcam utilization Command Output on a Cisco Catalyst Switch

SW2#show platform tcam utilization
CAM Utilization for ASIC# 0                     Max            Used
                                           Masks/Values    Masks/values
 Unicast mac addresses:                      6364/6364       35/35
 IPv4 IGMP groups + multicast routes:        1120/1120       1/1
 IPv4 unicast directly-connected routes:     6144/6144       9/9
 IPv4 unicast indirectly-connected routes:   2048/2048       2048/2048
 IPv4 policy based routing aces:             442/442         12/12
 IPv4 qos aces:                              512/512         21/21
 IPv4 security aces:                         954/954         42/42
Note: Allocation of TCAM entries per feature uses a complex algorithm. The above information is meant to provide an abstract view of the current TCAM utilization

It appears from this example that SW2 has maxed out the amount of resources that are reserved for IPv4 unicast indirectly connected routes. In this case, more resources need to be reserved for IPv4 routing; therefore, the template needs to be changed. Using the show sdm prefer command on SW2, as shown in Example 3-6, indicates that the current SDM template is "desktop default," which is the default template on a 3750E Catalyst switch. To reallocate more resources to IPv4 routing, you can change the SDM template.

Example 3-6 show sdm prefer Command Output on a Cisco Catalyst Switch

SW2#show sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in the switch to support this level of features for

8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 0.875k

Using the global configuration command sdm prefer, as shown in Example 3-7, allows you to change the SDM template. In this case, the SDM template is being changed to routing so that more resources will be used for IPv4 unicast routing.

Example 3-7 Changing the SDM Template on a Cisco 3750E Catalyst Switch

SW2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#sdm prefer ?
  access                          Access bias
  default                         Default bias
  dual-ipv4-and-ipv6              Support both IPv4 and IPv6
  indirect-ipv4-and-ipv6-routing  Supports more V4 and V6 Indirect Routes
  lanbase-routing                 Supports both IPv4 and IPv6 Static Routing
  routing                         Unicast bias
  vlan                            VLAN bias
SW2(config)#sdm prefer routing
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
SW2(config)#exit
SW2#reload
System configuration has been modified. Save? [yes/no]: yes
Building configuration...
[OK]
Proceed with reload? [confirm]
%SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.

After the reload, notice how the SDM template is listed as "desktop routing" in Example 3-8 and that more resources are now dedicated to IPv4 indirect routes. However, also notice that while more resources are allocated to IPv4 unicast routes, fewer resources are allocated to other resources, such as unicast MAC addresses.

Example 3-8 Verifying That the SDM Template Was Changed After Reload

SW2#show sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

In Example 3-9, the output of show platform tcam utilization shows that the max masks/values are now 8144/8144 for IPv4 unicast indirectly connected routes; before, they were 2048. In addition, the used masks/values are now 3148, and therefore, the TCAM can forward traffic without having to punt the packets to the CPU.

Example 3-9 Verifying the tcam utilization on the 3750E Catalyst Switch

SW2#show platform tcam utilization
CAM Utilization for ASIC# 0                     Max            Used
                                           Masks/Values    Masks/values
 Unicast mac addresses:                      3292/3292       35/35
 IPv4 IGMP groups + multicast routes:        1120/1120       1/1
 IPv4 unicast directly-connected routes:     3072/3072       8/8
 IPv4 unicast indirectly-connected routes:   8144/8144       3148/3148
 IPv4 policy based routing aces:             490/490         13/13
 IPv4 qos aces:                              474/474         21/21
 IPv4 security aces:                         964/964         42/42
Note: Allocation of TCAM entries per feature uses a complex algorithm. The above information is meant to provide an abstract view of the current TCAM utilization

High CPU Utilization Troubleshooting on a Switch

Because the TCAM maintains a switch's forwarding logic at the data plane, the CPU is rarely tasked to forward traffic, thanks to the TCAM. The load on a switch's CPU is often low, even under high utilization. The show processes cpu command can be used on a Cisco Catalyst switch to display CPU utilization levels, as demonstrated in Example 3-10.
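One way to turn the two TCAM snapshots above into a check you can run over a captured `show platform tcam utilization` text, as an added example that is not code from the book or from Cisco: the constants below carry the rows shown in Examples 3-5 and 3-9, and the function names, the 90 percent warning threshold and the assumption that the output has already been captured to a text file or string are mine. The script reports which features are at or near capacity (the punt-to-CPU condition the chapter describes) and which per-feature maximums an SDM template change moved, so the "borrowing" between features is visible side by side.

```python
import re

# Row format of "show platform tcam utilization" on the 3750E in Examples 3-5 and 3-9:
#   <feature>:   <max masks>/<max values>   <used masks>/<used values>
ROW_RE = re.compile(r"^\s*(.+?):\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s*$")

# Constructed samples carrying the rows shown in Example 3-5 (before the SDM
# template change) and Example 3-9 (after the reload with "desktop routing").
TCAM_BEFORE = """\
CAM Utilization for ASIC# 0                     Max            Used
                                           Masks/Values    Masks/values
 Unicast mac addresses:                      6364/6364       35/35
 IPv4 IGMP groups + multicast routes:        1120/1120       1/1
 IPv4 unicast directly-connected routes:     6144/6144       9/9
 IPv4 unicast indirectly-connected routes:   2048/2048       2048/2048
 IPv4 policy based routing aces:             442/442         12/12
 IPv4 qos aces:                              512/512         21/21
 IPv4 security aces:                         954/954         42/42
"""

TCAM_AFTER = """\
CAM Utilization for ASIC# 0                     Max            Used
                                           Masks/Values    Masks/values
 Unicast mac addresses:                      3292/3292       35/35
 IPv4 IGMP groups + multicast routes:        1120/1120       1/1
 IPv4 unicast directly-connected routes:     3072/3072       8/8
 IPv4 unicast indirectly-connected routes:   8144/8144       3148/3148
 IPv4 policy based routing aces:             490/490         13/13
 IPv4 qos aces:                              474/474         21/21
 IPv4 security aces:                         964/964         42/42
"""


def parse_tcam(text):
    """Return {feature: {"max": n, "used": n}} keyed on the 'values' column."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, _max_masks, max_values, _used_masks, used_values = m.groups()
            rows[name.strip()] = {"max": int(max_values), "used": int(used_values)}
    return rows


def near_capacity(rows, warn_pct=90.0):
    """Features whose value utilisation is at or above warn_pct, fullest first.
    A feature at 100% is the condition under which further entries are punted."""
    hits = []
    for name, r in rows.items():
        pct = 100.0 * r["used"] / r["max"] if r["max"] else 0.0
        if pct >= warn_pct:
            hits.append((name, r["used"], r["max"], round(pct, 1)))
    return sorted(hits, key=lambda h: h[3], reverse=True)


def sdm_delta(before, after):
    """Per-feature maximums that an SDM template change moved: (old, new)."""
    return {name: (before[name]["max"], after[name]["max"])
            for name in before
            if name in after and before[name]["max"] != after[name]["max"]}


if __name__ == "__main__":
    before, after = parse_tcam(TCAM_BEFORE), parse_tcam(TCAM_AFTER)
    print("at/near capacity before:", near_capacity(before))
    print("at/near capacity after: ", near_capacity(after))
    for name, (old, new) in sdm_delta(before, after).items():
        print(f"{name}: {old} -> {new}")
```

Run against the two samples, the "before" snapshot flags only the indirectly connected IPv4 routes at 100 percent, the "after" snapshot flags nothing, and the delta shows the indirect-route ceiling rising from 2048 to 8144 while the unicast MAC ceiling falls from 6364 to 3292, which is the trade-off the text points out.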

Example 3-10 show processes cpu Command Output on a Cisco Catalyst Switch

SW1#show processes cpu
CPU utilization for five seconds: 19%/15%; one minute: 20%; five minutes: 13%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           0         4          0  0.00%  0.00%  0.00%   0 Chunk Manager
   2           0       610          0  0.00%  0.00%  0.00%   0 Load Meter
   3         128         5      25600  0.00%  0.00%  0.00%   0 crypto sw pk pro
   4        2100       315       6666  0.00%  0.05%  0.05%   0 Check heaps
...OUTPUT OMITTED...

Notice in the output in Example 3-10 that the switch is reporting a 19 percent CPU load, with 15 percent of the CPU load used for interrupt processing. Although such load utilization values might not be unusual for a router, these values might be of concern for a switch. Specifically, a typical CPU load percentage dedicated to interrupt processing is no more than 5 percent. A value as high as 10 percent is considered acceptable. Therefore, the output given in Example 3-10 shows a 15 percent utilization, which is considered high for a Catalyst switch. Such a level implies that the switch's CPU is actively involved in forwarding packets that should normally be handled by the switch's TCAM. Of course, this value might be normal for your organization based on baseline information, even though according to Cisco it is a cause for concern. If the interrupt percent is greater than 10, take time to look into the reason why. Periodic spikes in processor utilization are also not a major cause for concern if such spikes can be explained. Consider the following reasons that might cause a switch's CPU utilization to spike:

■ The CPU is processing routing updates.
■ The administrator is issuing a debug command (or other processor-intensive commands).
■ Simple Network Management Protocol (SNMP) is being used to poll network devices.

If you determine that a switch's high CPU load is primarily the result of interrupts, examine the switch's packet-switching patterns and check the TCAM utilization. If the high CPU utilization is primarily the result of processes, take the time to investigate those specific processes. However, when troubleshooting a performance issue, realize that a switch's high CPU utilization might be a symptom of another issue. A high CPU utilization on a switch might be a result of STP. Recall that an STP failure could lead to a broadcast storm, where Layer 2 broadcast frames endlessly circulate through a network.

Troubleshooting Router Performance Issues

As you have seen, a Cisco Catalyst switch's performance can be the source of network problems. Similarly, a router performance issue can impact user data flowing through the network.

As an administrator, you might notice a sluggish response to Telnet sessions or SSH sessions that you attempt to establish with a router. Or, you might experience longer-than-normal ping response times from a router. Such symptoms might indicate a router performance issue. In these examples, the router's CPU is so busy it does not have time to respond to your Telnet session or the pings you have sent.

This section investigates three potential router issues, each of which might result in poor router performance:

■ Excessive CPU utilization
■ The packet-switching mode of a router
■ Excessive memory utilization

Excessive CPU Utilization

A router's processor (that is, CPU) utilization escalating to a high level but only remaining at that high level for a brief time could represent normal behavior. However, if a router's CPU utilization continually remains at a high level, network performance issues might result. Aside from latency that users and administrators can experience, a router whose CPU is overtaxed might not send routing protocol messages to neighboring routers in a timely fashion. As a result, routing protocol adjacencies can fail, resulting in some networks becoming unreachable.

Processes That Commonly Cause Excessive CPU Utilization

One reason that the CPU of a router might be overloaded is that the router is running a process that is taking up an unusually high percentage of its CPU resources. Following are four such processes that can result in excessive CPU utilization:

■ ARP Input process: The ARP Input process is in charge of sending Address Resolution Protocol (ARP) requests. This process can consume an inordinate percentage of CPU resources if the router has to send numerous ARP requests. One configuration that can cause such a high number of ARP requests is having a default route configured that points to an Ethernet interface. For example, perhaps a router had the ip route 0.0.0.0 0.0.0.0 fastethernet 0/1 command entered in global configuration mode so that all packets with no explicit route in the routing table will be forwarded out Fa0/1. At first, this appears harmless; however, such a configuration should be avoided because an ARP Request has to be sent for every destination IP address in every packet that is received by the router and forwarded out Fa0/1. This is because the ip route command is stating that all IP addresses (0.0.0.0 0.0.0.0) are reachable through the directly connected interface fastethernet 0/1. As a result, instead of ARPing for the MAC address of a next-hop IP address, you ARP for the MAC address of the destination IP address in each packet. That will result in an excessive number of ARP requests, which will cause strain on the CPU. In addition, many of the ARP requests will go unanswered and result in dropped packets. The better option is to specify the next-hop IP address because the router will only have

to ARP for the MAC of the next-hop IP address when forwarding the packets out Fa0/1.
■ Net Background process: An interface has a certain number of buffers available to store packets. These buffers are sometimes referred to as the queue of an interface. If an interface needs to store a packet in a buffer but all interface buffers are in use, the interface can pull from a main pool of buffers that the router maintains. The process that allows an interface to allocate one of these globally available buffers is Net Background. If the throttles, ignored, and overrun parameters are incrementing on an interface, the underlying cause might be the Net Background process consuming too many CPU resources.
■ IP Background process: The IP Background process handles an interface changing its state. A state change might be an interface going from an Up state to a Down state, or vice versa. Another example of state change is an interface's IP address changing. Therefore, anything that can cause repeated state changes, such as bad cabling, might result in the IP Background process consuming a high percentage of CPU resources.
■ TCP Timer process: The TCP Timer process runs for each TCP router connection, whether they are established or embryonic. Therefore, many connections can result in high CPU utilization by the TCP Timer process. An established TCP connection is one that has successfully completed the three-way handshake. An embryonic connection occurs when the TCP three-way handshake is only two-thirds completed. For example, the client sends the SYN packet to the server, and then the server sends a SYN/ACK back. At this point, the server is in the embryonic state (waiting for an ACK from the client to complete the three-way handshake and establish the connection). However, if the client does not send the ACK back, the server will sit in the embryonic state until it times out. This could be due to connectivity issues or malicious intent.

Cisco IOS Commands Used for Troubleshooting High Processor Utilization

Table 3-3 offers a collection of show commands that can be valuable when troubleshooting high CPU utilization on a router.

Table 3-3 Commands for Troubleshooting High CPU Utilization

Command | Description
show ip arp | Displays the ARP cache for a router. If several entries are in the Incomplete state, you might suspect a malicious scan (for example, a ping sweep) of a subnet, or you have a route pointing out an Ethernet interface as described in our ARP Input process discussion.

Command | Description
show interface interface_type interface_number | Displays a collection of interface statistics. If the throttles, overruns, or ignored counters continually increment, you might suspect that the Net Background process is attempting to allocate buffer space for an interface from the main buffer pool of the router.
show tcp statistics | Provides information about the number of TCP segments a router sends and receives, including the number of connections initiated, accepted, established, and closed. A high number of connections can explain why the TCP Timer process might be consuming excessive CPU resources. If you see an excessive number of embryonic connections, you might be under a denial-of-service (DoS) attack.
show processes cpu | Displays average CPU utilization over 5-second, 1-minute, and 5-minute intervals, in addition to listing all the router processes and the percentage of CPU resources consumed by each of those processes.
show processes cpu history | Displays a graphical view of CPU utilization over the past 60 seconds, 1 hour, and 3 days. This graphical view can indicate whether an observed high CPU utilization is a temporary spike in utilization or whether the high CPU utilization is an ongoing condition.

Example 3-11 shows sample output from the show ip arp command. In the output, only a single instance exists of an Incomplete ARP entry. However, a high number of such entries can suggest the scanning of network resources, which might indicate malicious reconnaissance traffic or that you have a route pointing out an Ethernet interface instead of to a next-hop IP address.

Example 3-11 show ip arp Command Output

R2#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.3.3.1                -   00d0.06fe.9ea0  ARPA   Ethernet0/0
Internet  10.3.3.2               61   0009.b7fa.d1e0  ARPA   Ethernet0/0
Internet  192.168.1.50            0   Incomplete      ARPA

Example 3-12 shows sample output from the show interface interface_type interface_number command. Note the throttles, overrun, and ignored counters. If these counters continue to increment, the Net Background process might be consuming excessive CPU resources while it allocates buffers from the main buffer pool of the router.

Example 3-12 show interface interface_type interface_number Command Output

R2#show interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 00d0.06fe.9ea0 (bia 00d0.06fe.9ea0)
  Internet address is 10.3.3.1/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:02, output 00:00:02, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     2156 packets input, 164787 bytes, 0 no buffer
     Received 861 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     2155 packets output, 212080 bytes, 0 underruns
     0 output errors, 0 collisions, 7 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Example 3-13 shows sample output from the show tcp statistics command. If the output indicates numerous connections, the TCP Timer process might be consuming excessive CPU resources while simultaneously maintaining all those connections. If you have a high number of initiated connections with a low number of established connections, it indicates that the three-way handshake is not being completed. This might be due to a DoS attack that is attempting to consume all the TCP connection slots.

Example 3-13 show tcp statistics Command Output

R2#show tcp statistics
Rcvd: 689 Total, 0 no port
      0 checksum error, 0 bad offset, 0 too short
      474 packets (681 bytes) in sequence
      0 dup packets (0 bytes)
      0 partially dup packets (0 bytes)
      0 out-of-order packets (0 bytes)
      0 packets (0 bytes) with data after window
      0 packets after close
      0 window probe packets, 0 window update packets

      1 dup ack packets, 0 ack packets with unsend data
      479 ack packets (14205 bytes)
Sent: 570 Total, 0 urgent packets
      1 control packets (including 0 retransmitted)
      562 data packets (14206 bytes)
      0 data packets (0 bytes) retransmitted
      0 data packets (0 bytes) fastretransmitted
      7 ack only packets (7 delayed)
      0 window probe packets, 0 window update packets
0 Connections initiated, 1 connections accepted, 1 connections established
0 Connections closed (including 0 dropped, 0 embryonic dropped)
0 Total rxmt timeout, 0 connections dropped in rxmt timeout
0 Keepalive timeout, 0 keepalive probe, 0 Connections dropped in keepalive

Example 3-14 shows sample output from the show processes cpu command. The output in this example indicates a 34 percent CPU utilization in the past 5 seconds, with 13 percent of CPU resources being spent on interrupts. The output also shows the 1-minute CPU utilization average as 36 percent and the 5-minute average as 32 percent. Individual processes running on the router are also shown, along with their CPU utilization levels. Note the ARP Input, Net Background, TCP Timer, and IP Background processes referred to in this section.

Example 3-14 show processes cpu Command Output

R2#show processes cpu
CPU utilization for five seconds: 34%/13%; one minute: 36%; five minutes: 32%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
...OUTPUT OMITTED...
  12           4        69         57  0.00%  0.00%  0.00%   0 ARP Input
  13           0         1          0  0.00%  0.00%  0.00%   0 HC Counter Timer
  14           0         5          0  0.00%  0.00%  0.00%   0 DDR Timers
  15          12         2       6000  0.00%  0.00%  0.00%   0 Entity MIB API
  16           4         2       2000  0.00%  0.00%  0.00%   0 ATM Idle Timer
  17           0         1          0  0.00%  0.00%  0.00%   0 SERIAL A'detect
  18           0      3892          0  0.00%  0.00%  0.00%   0 GraphIt
  19           0         2          0  0.00%  0.00%  0.00%   0 Dialer event
  20           0         1          0  0.00%  0.00%  0.00%   0 Critical Bkgnd
  21         132       418        315  0.00%  0.00%  0.00%   0 Net Background
  22           0        15          0  0.00%  0.00%  0.00%   0 Logger
...OUTPUT OMITTED...
  46           0       521          0  0.00%  0.00%  0.00%   0 SSS Test Client
  47          84       711        118  0.00%  0.00%  0.00%   0 TCP Timer
  48           4         3       1333  0.00%  0.00%  0.00%   0 TCP Protocols
  49           0         1          0  0.00%  0.00%  0.00%   0 Socket Timers
  50           0        15          0  0.00%  0.00%  0.00%   0 HTTP CORE
  51          12         5       2400  0.00%  0.00%  0.00%   0 PPP IP Route
  52           4         5        800  0.00%  0.00%  0.00%   0 PPP IPCP
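The two symptoms that Examples 3-11 and 3-13 are used to illustrate, a cluster of Incomplete ARP entries and a TCP connection count where few attempts reach the established state, can be checked mechanically over captured output. The following is an added example that is not code from the book or from Cisco: the first ARP sample is the table of Example 3-11 and the first TCP sample is the connection summary of Example 3-13; the "sweep" and "flood" samples, the per-subnet threshold of 10 Incomplete entries, the 100-attempt minimum and the 50 percent completion floor are constructed values of mine, chosen only so that the logic has something to flag. It reads the text of `show ip arp` and `show tcp statistics` and assumes the output has already been captured.

```python
import ipaddress
import re

# Entry format of "show ip arp" (Example 3-11). An Incomplete entry carries no
# hardware address and no interface.
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+(\S+)\s+ARPA(?:\s+(\S+))?\s*$")

# Connection-summary lines near the end of "show tcp statistics" (Example 3-13).
CONN_RE = re.compile(r"(\d+) Connections initiated, (\d+) connections accepted, "
                     r"(\d+) connections established")
CLOSED_RE = re.compile(r"(\d+) Connections closed \(including (\d+) dropped, "
                       r"(\d+) embryonic dropped\)")

# Constructed sample: the ARP table shown in Example 3-11.
ARP_NORMAL = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.3.3.1                -   00d0.06fe.9ea0  ARPA   Ethernet0/0
Internet  10.3.3.2               61   0009.b7fa.d1e0  ARPA   Ethernet0/0
Internet  192.168.1.50            0   Incomplete      ARPA
"""
# Constructed sample: the same table after unanswered requests for forty hosts
# in 192.168.1.0/24 have piled up (addresses invented for the example).
ARP_SWEEP = ARP_NORMAL + "".join(
    f"Internet  192.168.1.{h:<14} 0   Incomplete      ARPA\n" for h in range(10, 50))

# Constructed sample: the connection summary of Example 3-13.
TCP_NORMAL = """\
0 Connections initiated, 1 connections accepted, 1 connections established
0 Connections closed (including 0 dropped, 0 embryonic dropped)
"""
# Constructed sample: many SYN/ACKs sent (accepted) but very few handshakes finished.
TCP_FLOOD = """\
3 Connections initiated, 4200 connections accepted, 12 connections established
30 Connections closed (including 0 dropped, 3700 embryonic dropped)
"""


def parse_arp(text):
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            address, age, hw, iface = m.groups()
            entries.append({"address": address, "age": age,
                            "mac": None if hw == "Incomplete" else hw,
                            "interface": iface})
    return entries


def arp_verdict(entries, prefixlen=24, scan_threshold=10):
    """Count Incomplete entries per subnet. A cluster inside one subnet is the
    pattern the chapter associates with a ping sweep or with a default route
    that points out an Ethernet interface instead of at a next hop."""
    per_subnet = {}
    for e in entries:
        if e["mac"] is None:
            net = ipaddress.ip_network(f"{e['address']}/{prefixlen}", strict=False)
            per_subnet[str(net)] = per_subnet.get(str(net), 0) + 1
    return {"incomplete": sum(per_subnet.values()),
            "per_subnet": per_subnet,
            "suspicious_subnets": [n for n, c in per_subnet.items()
                                   if c >= scan_threshold]}


def tcp_handshake_summary(text, min_attempts=100, min_completion=0.5):
    """Compare connection attempts with connections that reached established;
    many attempts with few completions means the three-way handshake is not
    finishing, the situation the text ties to embryonic connections."""
    m = CONN_RE.search(text)
    if not m:
        raise ValueError("connection summary line not found")
    initiated, accepted, established = (int(x) for x in m.groups())
    c = CLOSED_RE.search(text)
    embryonic_dropped = int(c.group(3)) if c else 0
    attempts = initiated + accepted
    completion = established / attempts if attempts else 1.0
    return {"attempts": attempts, "established": established,
            "embryonic_dropped": embryonic_dropped,
            "completion": round(completion, 3),
            "handshake_failing": attempts >= min_attempts and completion < min_completion}


if __name__ == "__main__":
    for label, text in (("normal", ARP_NORMAL), ("sweep", ARP_SWEEP)):
        print("arp", label, arp_verdict(parse_arp(text)))
    for label, text in (("normal", TCP_NORMAL), ("flood", TCP_FLOOD)):
        print("tcp", label, tcp_handshake_summary(text))
```

The thresholds are deliberately parameters: what counts as "several" Incomplete entries or a "high" number of connections is a baseline question for your network, exactly as the text says of CPU figures.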

  53         273       157       1738  0.00%  0.00%  0.00%   0 IP Background
  54           0        74          0  0.00%  0.00%  0.00%   0 IP RIB Update
...OUTPUT OMITTED...

Example 3-15 shows sample output from the show processes cpu history command. The graphical output produced by this command is useful in determining whether a CPU spike is temporary or whether it is an ongoing condition.

Example 3-15 show processes cpu history Command Output

R2#show processes cpu history
[bar graphs: CPU% per second (last 60 seconds) and CPU% per minute (last 60 minutes); * = maximum CPU%, # = average CPU%]
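Both show processes cpu outputs in this chapter (Example 3-10 for the switch, Example 3-14 for the router) are read the same way: the header gives the five-second total and, after the slash, the share spent in interrupts; the rows give per-process load. The following is an added example that is not code from the book or from Cisco. The switch header values are those of Example 3-10 and the router header values those of Example 3-14; the four router rows are the ones the text singles out, except that the ARP Input row is given a constructed 8.50 percent five-second load (the page's own row shows 0.00 percent) so that the process-level logic has something to report. The thresholds follow the text's guidance for a Catalyst switch (about 5 percent interrupt load is typical, 10 percent is still acceptable); the function names and the split between "interrupt-driven" and "process-driven" load are mine.

```python
import re
from dataclasses import dataclass, field

# Header line of "show processes cpu": "CPU utilization for five seconds: T%/I%; ..."
HEADER_RE = re.compile(
    r"CPU utilization for five seconds:\s*(\d+)%/(\d+)%;"
    r"\s*one minute:\s*(\d+)%;\s*five minutes:\s*(\d+)%")
# Process rows: PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
PROC_RE = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+\S+\s+(.+?)\s*$")

# Processes the chapter names as common sources of router CPU load.
WATCHED = ("ARP Input", "Net Background", "TCP Timer", "IP Background")

# Constructed sample: header and rows of Example 3-10 (Catalyst switch).
SWITCH_SAMPLE = """\
CPU utilization for five seconds: 19%/15%; one minute: 20%; five minutes: 13%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           0         4          0  0.00%  0.00%  0.00%   0 Chunk Manager
   2           0       610          0  0.00%  0.00%  0.00%   0 Load Meter
   3         128         5      25600  0.00%  0.00%  0.00%   0 crypto sw pk pro
   4        2100       315       6666  0.00%  0.05%  0.05%   0 Check heaps
"""
# Constructed sample: header of Example 3-14 (router); the ARP Input percentages
# are invented to simulate the default-route-out-an-Ethernet-interface problem.
ROUTER_SAMPLE = """\
CPU utilization for five seconds: 34%/13%; one minute: 36%; five minutes: 32%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  12           4        69         57  8.50%  7.10%  6.90%   0 ARP Input
  21         132       418        315  0.00%  0.00%  0.00%   0 Net Background
  47          84       711        118  0.00%  0.00%  0.00%   0 TCP Timer
  53         273       157       1738  0.00%  0.00%  0.00%   0 IP Background
"""


@dataclass
class CpuReport:
    total_5s: int
    interrupt_5s: int
    one_min: int
    five_min: int
    processes: dict = field(default_factory=dict)  # process name -> 5-second percent


def parse_processes_cpu(text):
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no 'CPU utilization' header found")
    report = CpuReport(*(int(x) for x in m.groups()))
    for line in text.splitlines():
        pm = PROC_RE.match(line)
        if pm:
            report.processes[pm.group(5)] = float(pm.group(2))
    return report


def triage(report, device="router"):
    """Decide whether the load is interrupt-driven (packet switching done by the
    CPU) or process-driven, and list the processes worth looking at."""
    process_pct = report.total_5s - report.interrupt_5s
    result = {
        "interrupt_pct": report.interrupt_5s,
        "process_pct": process_pct,
        "hot_processes": sorted(((n, p) for n, p in report.processes.items() if p > 0),
                                key=lambda np: np[1], reverse=True)[:5],
        "watched": {n: report.processes[n] for n in WATCHED if n in report.processes},
    }
    if device == "switch" and report.interrupt_5s > 10:
        # Above the 10% the text still calls acceptable: the CPU is forwarding
        # traffic that the TCAM should be handling.
        result["action"] = "check packet-switching patterns and TCAM utilization"
    elif report.interrupt_5s > process_pct:
        result["action"] = "interrupt-driven load; examine packet-switching patterns"
    else:
        result["action"] = "investigate individual processes"
    return result


if __name__ == "__main__":
    print("switch:", triage(parse_processes_cpu(SWITCH_SAMPLE), "switch"))
    print("router:", triage(parse_processes_cpu(ROUTER_SAMPLE), "router"))
```

For the switch sample the interrupt share (15 percent) is above the acceptable ceiling, so the verdict points at the TCAM, as the text does; for the router sample the process share (21 percent) outweighs the interrupt share (13 percent), so the verdict points at the process list, where the constructed ARP Input row is the only hot entry.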

[bar graph: CPU% per hour (last 72 hours); * = maximum CPU%, # = average CPU%]

Understanding Packet-Switching Modes (Routers and Multilayer Switches)

In addition to the high CPU utilization issues previously discussed, a router's packet-switching mode can impact router performance. Packet switching involves the router making a decision about how a packet should be forwarded and then forwarding that packet out of the appropriate router interface. Before discussing the most common switching modes, however, realize that the way a router handles packets (or is capable of handling packets) largely depends on the router's architecture. Therefore, for real-world troubleshooting, consult the documentation for your router to determine how it implements packet switching. In general, Cisco routers and multilayer switches support the following three primary modes of packet switching:

■ Process switching
■ Fast switching (route caching)
■ Cisco Express Forwarding (topology-based switching)

Operation of Process Switching

When a router routes a packet (that is, performs packet switching), the router removes the packet's Layer 2 header, examines the Layer 3 addressing, and decides how to forward

the packet. The Layer 2 header is then rewritten (which involves changing the source and destination MAC addresses and computing a new FCS), and then the packet is forwarded out of the appropriate interface. With process switching, as illustrated in Figure 3-4, the router's CPU becomes directly involved with packet-switching decisions. As a result, the performance of a router configured for process switching can suffer significantly.

Figure 3-4 Data Flow with Process Switching (control plane: CPU; data plane: ingress interface and egress interface; the packet flow passes from the ingress interface up through the CPU and back down to the egress interface)

An interface can be configured for process switching by disabling fast switching and CEF on that interface. The interface configuration mode command used to disable fast switching and CEF at the same time is no ip route-cache.

Operation of Fast Switching (Route Caching)

Fast switching uses a fast cache maintained in a router's data plane. The fast cache contains information about how traffic from different data flows should be forwarded. As shown in Figure 3-5, the first packet in a data flow is process-switched by a router's CPU. After the router determines how to forward the first packet of a data flow, that forwarding information is stored in the fast cache. Subsequent packets in that same data flow are forwarded based on information in the fast cache, as opposed to being process-switched. As a result, fast switching reduces a router's CPU utilization when compared to process switching. You can enable fast switching by turning off CEF in interface configuration mode with the no ip route-cache cef command.

Figure 3-5 Data Flow with Fast Switching (control plane: CPU; data plane: ingress interface, fast cache, egress interface; packet #1 in a data flow goes up to the CPU, which places forwarding information in the fast cache, and subsequent packets in the data flow are forwarded through the fast cache)

Operation of Cisco Express Forwarding (Topology-Based Switching)

Cisco Express Forwarding (CEF) maintains two tables in the data plane. Specifically, the Forwarding Information Base (FIB) maintains Layer 3 forwarding information, whereas the Adjacency Table maintains Layer 2 information for next hops listed in the FIB. Using these tables, populated from a router's IP routing table and ARP cache, CEF can efficiently make forwarding decisions. Unlike fast switching, CEF does not require the first packet of a data flow to be process-switched. Rather, an entire data flow can be forwarded at the data plane, as shown in Figure 3-6.

Figure 3-6 Data Flow with Cisco Express Forwarding (control plane: CPU, IP routing table, ARP cache; data plane: CEF data structures, that is, the FIB populated with Layer 3 information and the adjacency table populated with Layer 2 information, between the ingress and egress interfaces; the data flow passes through the data plane only)

On many router platforms, CEF is enabled by default. If it is not, you can globally enable it with the ip cef command. Alternatively, you can enable CEF for a specific interface with the interface configuration mode command ip route-cache cef.

Date Night Example of Process-Switching Modes

Let's pretend that my wife and I are going out to dinner and we are leaving our two children with a babysitter. If we are "Process Switching" with the babysitter, every time our children ask the babysitter for a cookie, she has to call us to ask for permission to give the children a cookie. If the children ask ten times, she has to call us ten times. If we are "Fast Switching" with the babysitter, the first time she calls us, we say yes and then create a "route cache" for the babysitter that states, "if the kids want more, just give them more without calling us." Finally, if we are using "CEF" with the babysitter, before we leave for dinner, we take out the cookie jar, place it on the counter, and tell her to have an awesome evening with the kids. As you can see from this example, date night is better when we use CEF.

Troubleshooting Packet-Switching Modes

Table 3-4 provides a selection of commands that you can use when troubleshooting the packet-switching modes of a router.

Table 3-4 Commands for Troubleshooting a Router's Packet-Switching Modes

Command | Description
show ip interface interface_type interface_number | Displays multiple interface statistics, including information about the packet-switching mode of an interface.
show ip cache | Displays the contents of the route cache from a router if fast switching is enabled.
show processes cpu | include IP Input | Displays information about the IP input process on a router. The CPU utilization for this process might show a high value if the CPU of a router is actively engaged in process-switching traffic because you turned off fast switching and CEF.
show ip cef | Displays the contents of a router's FIB.
show ip cef adjacency egress_interface_id next_hop_ip_address detail | Displays destinations reachable through the combination of the specified egress interface and next-hop IP address.
show adjacency detail | Provides information contained in the adjacency table of a router, including protocol and timer information.

Example 3-16 shows sample output from the show ip interface interface_type interface_number command. The output indicates that fast switching and CEF switching are enabled on interface Fast Ethernet 0/0. The reference to flow switching being disabled refers to the Cisco IOS NetFlow feature, which you can use to collect traffic statistics.

Example 3-16 show ip interface interface_type interface_number Command Output

R4#show ip interface fastethernet 0/0
FastEthernet0/0 is up, line protocol is up
...OUTPUT OMITTED...
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
...OUTPUT OMITTED...

Example 3-17 shows sample output from the show ip cache command. This command shows the contents of a router's route cache. If fast switching is enabled and CEF is disabled, a router begins to populate its route cache.

Example 3-17 show ip cache Command Output

R4#show ip cache
IP routing cache 3 entries, 588 bytes
   12 adds, 9 invalidates, 0 refcounts
Minimum invalidation interval 2 seconds, maximum interval 5 seconds,
   quiet interval 3 seconds, threshold 0 requests
Invalidation rate 0 in last second, 0 in last 3 seconds
Last full cache invalidation occurred 04:13:57 ago

Prefix/Length        Age       Interface        Next Hop
10.8.8.4/32          00:00:07  FastEthernet0/1  10.8.8.4
10.8.8.6/32          00:00:10  FastEthernet0/1  10.8.8.6
192.168.1.0/24       00:00:10  FastEthernet0/0  10.3.3.1

Example 3-18 shows sample output from the show processes cpu | include IP Input command. In the output, the IP input process was using only 0.08 percent of its router's CPU capacity during the last 5-second interval. However, a high percentage value might indicate that a router was performing process switching, where the CPU was directly involved in packet switching.

0/24 10.3.1 FastEthernet0/0 224. local host IP addresses.1. and then the interface that will be used to reach it.7.118 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide Example 3-18 show processes cpu | include IP Input Command Output R4#show processes cpu | include IP Input 63 3178 7320 434 0.3.4 FastEthernet0/1 10.8.3.255/32 receive 10.3.7.08% 0.1 FastEthernet0/0 10.8.5 FastEthernet0/1 10.8.8.8. Note that if a next hop of the network prefix is set to receive.255/32 receive From the Library of Outcast Outcast .1.6/32 10.7.0.0.0. The output con- tains the contents of the FIB for a router.3.2/32 10.0/24 10.1/32 10.4.8.04% 0 IP Input Example 3-19 shows sample output from the show ip cef command.255.255.8.7.7 FastEthernet0/1 10.8.0/32 receive 10. that network/ IP is local to the router.8.8.8.0/4 drop 224.0. followed by the next hop that will be used to reach the prefix.8.1 FastEthernet0/0 10. Notice that the prefix is listed.3. The attached next hop indicates that the net- work is a directly connected route on the router.3.3.4/32 10.6 FastEthernet0/1 10.0/24 attached FastEthernet0/0 10.1.8.8.3. Examining the output closely.0.8.3.3.3.8.1.0/0 drop Null0 (default route handler entry) 0.3. you will see that the receive entries are subnet IDs.1 FastEthernet0/0 10.8.8.3.0.3.0/24 attached FastEthernet0/1 10.8. and broadcast addresses.3.3.4.8.1/32 receive 10.8.1 FastEthernet0/0 10.0.2/32 10.3.0/24 10.5/32 10.0/24 receive 255.8.5.0/24 10. Example 3-19 show ip cef Command Output R4#show ip cef Prefix Next Hop Interface 0.168.3.06% 0.0/32 receive 10.7/32 10.3.2/32 receive 10.0.3.8.1 FastEthernet0/0 10.3.3. and any packets destined to that specific IP will be processed by the CPU of the router.3.0/24 10.0.1 FastEthernet0/0 10.3. ensuring that they are processed by the router and not forwarded.1 FastEthernet0/0 10.5.255/32 receive 192.0/32 receive 10.3.8.

Example 3-20 shows sample output from the show ip cef adjacency egress_interface_id next_hop_ip_address detail command. This command shows the IP addresses that the router knows how to reach using the specified combination of next-hop IP address and egress interface. In this case, 10.8.8.6 is the IP address of a host and not a router. Therefore, no other IP addresses are known to have a next-hop IP address of 10.8.8.6 with an egress interface of Fast Ethernet 0/1.

Example 3-20 show ip cef adjacency egress-interface-id next-hop-IP-address detail Command Output
R4#show ip cef adjacency fa 0/1 10.8.8.6 detail
IP CEF with switching (Table Version 25), flags=0x0
  25 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 0
  25 leaves, 21 nodes, 25640 bytes, 90 inserts, 65 invalidations
  0 load sharing elements, 0 bytes, 0 references
  universal per-destination load sharing algorithm, id 24360DB1
  5(2) CEF resets, 1 revisions of existing leaves
  Resolution Timer: Exponential (currently 1s, peak 1s)
  0 in-place/0 aborted modifications
  refcounts:  5702 leaf, 5632 node

  Table epoch: 0 (25 entries at this epoch)

Adjacency Table has 5 adjacencies
10.8.8.6/32, version 10, epoch 0, cached adjacency 10.8.8.6
0 packets, 0 bytes
  via 10.8.8.6, FastEthernet0/1, 0 dependencies
    next hop 10.8.8.6, FastEthernet0/1
    valid cached adjacency

Example 3-21 shows sample output from the show adjacency detail command. When you see a particular adjacency listed in the FIB, you can issue this command to confirm that the router has information about how to reach that adjacency. In this example, if we need to send a packet to 10.3.3.1, we will send the packet out Fast Ethernet 0/0, which requires a Layer 2 frame with a source and destination MAC address. These MAC addresses are already listed in the adjacency table. The value 00D006FE9EA00009B7FAD1E00800 can be broken into three parts:

■ 00D006FE9EA0 = Destination MAC address
■ 0009B7FAD1E0 = Source MAC address
■ 0800 = Well-known Ethertype value for IP

Example 3-21 show adjacency detail Command Output
R4#show adjacency detail
Protocol Interface                 Address
IP       FastEthernet0/0           10.3.3.1(19)
                                   32 packets, 1920 bytes
                                   00D006FE9EA00009B7FAD1E00800
                                   ARP        03:53:01
                                   Epoch: 0
IP       FastEthernet0/1           10.8.8.6(5)
                                   4 packets, 264 bytes
                                   0008A3B895C40009B7FAD1E10800
                                   ARP        03:53:35
                                   Epoch: 0
...OUTPUT OMITTED...

Now that you have reviewed the different packet-switching options for a router, you can better analyze how a router is forwarding specific traffic. Following is a list of troubleshooting steps that you can follow if you suspect that network traffic is being impacted by a performance problem on one of the routers along the path from the source to the destination:

Step 1. Use the traceroute command to determine which router along the path is causing excessive delay.

Step 2. After you identify a router that is causing unusually high delay, use the show processes cpu command to see the CPU utilization of that router and identify any processes that might be consuming an unusually high percentage of the CPU.

Step 3. Use the show ip cef command to determine whether all the router interfaces are configured to use CEF.

Step 4. Use the show ip route ip_address command to verify that the router has a route to the destination IP address.

Step 5. Use the show ip cef ip_address 255.255.255.255 command to verify that CEF has an entry in its FIB that can reach the specified IP address. Part of the output from this command will be the next-hop adjacency to which traffic should be forwarded, along with the egress interface used to send traffic to that next hop.

Step 6. Issue the show adjacency interface_type interface_number detail command to verify that CEF has an entry in its adjacency table for the egress interface identified in Step 5.

Step 7. With the show ip arp command, you can then confirm that the router knows the MAC address associated with the next-hop IP address shown in the output from Step 6.

Step 8. You can then connect to the next-hop device and verify that the MAC address identified in Step 7 is indeed correct. You can repeat these steps on the next-hop device or on another router whose response time displayed in the output from Step 1 is suspect.

Excessive Memory Utilization
Much like a PC, router performance can suffer if it lacks sufficient available memory. For example, perhaps you install a version of Cisco IOS on a router, and that router does not have the minimum amount of memory required to support that specific Cisco IOS image. Even though the router might load the image and function, its performance might be sluggish.

Assuming that a router does have the recommended amount of memory for its installed Cisco IOS image, consider the following as potential memory utilization issues.

Memory Leak
When a router starts a process, that process can allocate a block of memory. When the process completes, the process should return its allocated memory to the router’s pool of memory. If not all allocated memory is returned to the router’s main memory pool, a memory leak occurs. Such a condition usually results from a bug in the Cisco IOS version running on the router, requiring an upgrade of the router’s Cisco IOS image.

Example 3-22 shows sample output from the show memory allocating-process totals command. The output shows information about memory availability on a router after the Cisco IOS image of the router has been decompressed and loaded, and the total amount of memory that is being used by the various processes. This command can help identify memory leaks. The Head column in the output refers to the address (in hexadecimal) of the memory allocation chain. The Total column is the total amount of memory available in bytes.

Example 3-22 show memory allocating-process totals Command Output
R4#show memory allocating-process totals
              Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor  83D27480   67463064    15347168    52115896    50311080    50127020
      I/O   7C21800    4057088     2383016     1674072     1674072     1674044

Allocator PC Summary for: Processor

      PC          Total    Count  Name
0x809D7A30      1749360      180  Process Stack
0x80A7F664       918024       10  Init
0x81CEF6A0       882576        4  pak subblock chunk
0x81C04D9C       595344       54  TCL Chunks
0x800902A4       490328        6  MallocLite
...OUTPUT OMITTED...

The Used column indicates how much has been used, and Free indicates how much is remaining. The Lowest column shows the lowest amount of free memory (in bytes) that has been available since the router last booted. The Largest column indicates the largest block of available memory. Following this summary information, the output shows detailed memory allocation information for each process running on a router. If a process is consuming a larger-than-normal amount of memory, it is likely because of a memory leak. A memory leak occurs when a process does not free the memory that it is finished using. In such a condition, the block of memory remains reserved and will be released only when the router is reloaded. Typically, memory leaks result from bugs or poor coding in the Cisco IOS Software. The best solution is to upgrade the Cisco IOS Software to a version that fixes the issue.

Memory-Allocation Failure
A memory-allocation failure (which produces a MALLOCFAIL error message) occurs when a process attempts to allocate a block of memory and fails to do so. One common cause for a MALLOCFAIL error is a security issue. For example, a virus or a worm that has infested the network can result in a MALLOCFAIL error. Alternatively, a MALLOCFAIL error might result from a bug in the router’s version of Cisco IOS. You can use the Cisco Bug Toolkit (available from www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl) to research any such known issues with the version of Cisco IOS running on a router. Personally, I have witnessed the MALLOCFAIL error message when using an Integrated Services Router (ISR) that was running Network Address Translation (NAT), and another instance when I tried to load the complete Intrusion Prevention System (IPS) Signature Definition File on another ISR when I knew it could not handle it.

Buffer Leak
Similar to a memory leak, in which a process does not return all of its allocated memory to the router upon terminating, a buffer leak occurs when a process does not return a buffer to the router when the process has finished using the buffer. Consider the output of the show interfaces command shown in Example 3-23. Notice the numbers 76 and 75 highlighted in the output. These values indicate that an input queue of the interface has a capacity of 75 packets and that the queue currently has 76 packets. These values indicate an oversubscription of the queue space. An interface in this condition is called a wedged interface. Therefore, the router does not forward traffic coming into the wedged interface.

Example 3-23 Identifying a Wedged Interface
R4#show interfaces
...OUTPUT OMITTED...
  Input queue: 76/75/780/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
...OUTPUT OMITTED...

The show buffers command can also help to diagnose a buffer leak. To illustrate, consider the output of the show buffers command shown in Example 3-24. This output indicates that the router has 49 middle buffers, but only 5 of those 49 buffers are available. Such a result might indicate a process allocating buffers but failing to deallocate them. Like a memory leak, a buffer leak might require updating the Cisco IOS image of a router.

Example 3-24 show buffers Command Output
R4#show buffers
Buffer elements:
     1118 in free list (500 max allowed)
     570 hits, 0 misses, 1119 created

Public buffer pools:
Small buffers, 104 bytes (total 71, permanent 50, peak 71 @ 00:21:43):
     53 in free list (20 min, 150 max allowed)
     317 hits, 7 misses, 0 trims, 21 created
     0 failures (0 no memory)
Middle buffers, 600 bytes (total 49, permanent 25, peak 49 @ 00:21:43):
     5 in free list (10 min, 150 max allowed)
     122 hits, 8 misses, 0 trims, 24 created
...OUTPUT OMITTED...

Excessive BGP Memory Use
If a router is running Border Gateway Protocol (BGP), be aware that BGP runs multiple processes and can consume significant amounts of router memory. The show processes memory | include BGP command, as shown in Example 3-25, can show you how much memory the various BGP processes of a router are consuming.

Example 3-25 show processes memory | include BGP Command Output
R1#show processes memory | include BGP|^ PID
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
 184   0          0          0       7096          0          0 BGP Task
 198   0          0          0      10096          0          0 BGP Scheduler
 229   0      38808          0      11520          0          0 BGP Router
 231   0          0          0      10096          0          0 BGP I/O
 262   0          0          0      10096          0          0 BGP Scanner
 284   0          0          0       7096          0          0 BGP Event

Depending on the router platform, your router might have multiple line cards with different amounts of memory available on each line card. The show diag command can help you isolate a specific line card that is running low on memory, perhaps because that line card is running BGP. If BGP is consuming a large percentage of your router memory, you might consider filtering out unneeded BGP routes, upgrading the memory on that router, or running BGP on a different platform that has more memory.

Exam Preparation Tasks
As mentioned in the section “How to Use This Book” in the Introduction, you have several choices for exam preparation: the exercises here, Chapter 22, “Final Preparation,” and the exam simulation questions on the CD-ROM.

Review All Key Topics
Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 3-5 lists a reference of these key topics and the page numbers on which each is found.

Table 3-5 Key Topics for Chapter 3
Key Topic Element   Description                                                                              Page Number
List                Components in a Catalyst switch                                                          96
Table 3-2           Errors in the show interfaces interface_type interface_number counters errors command    98
List                Reasons why a packet could be punted from a switch’s TCAM to its CPU                     102
Section             High CPU utilization troubleshooting on a switch                                         105
List                Identifies processes that cause excessive router CPU utilization                         107
Table 3-3           Commands for troubleshooting high CPU utilization                                        108
List                Three primary modes of packet switching                                                  113
Table 3-4           Commands for troubleshooting a router’s packet-switching modes                           116
Step list           Example of troubleshooting the forwarding of packets                                     120
Section             Excessive memory utilization                                                             121

Define Key Terms
Define the following key terms from this chapter and check your answers in the glossary: backplane, forwarding logic, TCAM, ingress port, egress port, full-duplex, half-duplex, ARP Input process, Net Background process, IP Background process, TCP Timer process, control plane, process switching, fast switching, CEF, memory leak, memory-allocation failure, buffer leak

Complete Tables and Lists from Memory
Print a copy of Appendix C, “Memory Tables,” (found on the disc), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, “Memory Tables Answer Key,” also on the disc, includes completed tables and lists to check your work.

Command Reference to Check Your Memory
This section includes the most important EXEC commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed. To test your memory of the commands, cover the right side of Table 3-6 with a piece of paper, read the description on the left side, and then see how much of the command you can remember. The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to verify router and switch configurations.

Table 3-6 EXEC Commands
Task / Command Syntax

A Cisco Catalyst 3750E series switch command that can be used to verify the maximum and used TCAM resources for various services and features on the switch.
    Command: show platform tcam utilization

A Cisco Catalyst switch command that can be used to display the current SDM template being used on the switch.
    Command: show sdm prefer

Shows a collection of interface statistics. (Note: If the throttles, overruns, or ignored counters continually increment, you might suspect that the Net Background process is attempting to allocate buffer space for an interface from the router’s main buffer pool.)
    Command: show interfaces interface_type interface_number

Displays a router’s ARP cache. (Note: If a large number of the entries are in the Incomplete state, you might suspect a malicious scan [for example, a ping sweep] of a subnet.)
    Command: show ip arp

Provides information about the number of TCP segments a router sends and receives, including the number of connections initiated, accepted, established, and closed. (Note: A high number of connections might explain why the TCP Timer process is consuming excessive CPU resources.)
    Command: show tcp statistics

Displays average CPU utilization over 5-second, 1-minute, and 5-minute intervals, in addition to listing all the router processes and the percentage of CPU resources consumed by each of those processes.
    Command: show processes cpu

Shows a graphical view of CPU utilization over the past 60 seconds, 1 hour, and 3 days. (Note: This graphical view can indicate whether an observed high CPU utilization is a temporary spike in utilization or whether the high CPU utilization is an ongoing condition.)
    Command: show processes cpu history

Displays information about the IP Input process on a router. (Note: The CPU utilization for this process might show a high value if the CPU of a router is actively engaged in process-switching traffic.)
    Command: show processes cpu | include IP Input

Displays multiple interface statistics, including information about the packet-switching mode of an interface.
    Command: show ip interface interface_type interface_number

Shows the contents of the fast cache for a router if fast switching is enabled.
    Command: show ip cache

Displays the router’s Layer 3 forwarding information, in addition to multicast, broadcast, and local IP addresses.
    Command: show ip cef

Displays destinations reachable through the combination of the specified egress interface and next-hop IP address.
    Command: show ip cef adjacency egress_interface_id next_hop_ip_address detail

Provides information contained in a router’s adjacency table, including protocol and timer information.
    Command: show adjacency detail

Displays information about packets forwarded by the router using a packet-switching mechanism other than CEF.
    Command: show cef not-cef-switched

Verifies that a valid adjacency exists for a connected host.
    Command: show adjacency

Shows information about memory availability on a router after the router’s Cisco IOS image has been decompressed and loaded. (Note: This command can help identify memory leaks.)
    Command: show memory allocating-process totals

Shows how many buffers (of various types) are currently free. (Note: This command can be helpful in diagnosing a buffer leak.)
    Command: show buffers

Shows how much memory is being consumed by the various BGP processes of a router.
    Command: show processes memory | include bgp

Shows the memory available on the line cards of a router.
    Command: show diag


This chapter covers the following topics:

■ Frame-Forwarding Process: This section reviews the Layer 2 frame-forwarding process. To successfully troubleshoot Layer 2 issues, you need to have a complete understanding of this process.

■ Troubleshooting Trunks: This section focuses on how to troubleshoot Layer 2 trunking issues.

■ Troubleshooting VTP: This section focuses on how to troubleshoot issues relating to VLAN Trunking Protocol.

■ Troubleshooting VLANs: This section identifies how to troubleshoot general issues relating to VLANs and end-user port assignments.

■ The MAC Address Table: This section reviews how to use the MAC address table during your troubleshooting process.

■ Layer 2 Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.

CHAPTER 4

Troubleshooting Layer 2 Trunks, VTP, and VLANs

Most enterprise LANs rely on some flavor of Ethernet technology (for example, Ethernet, Fast Ethernet, or Gigabit Ethernet). In addition, your overall campus design will determine whether you need to worry about Layer 2 technologies such as trunks, Virtual Trunking Protocol (VTP), Dynamic Trunking Protocol (DTP), and virtual local-area networks (VLANs). If your campus design has any Layer 2 links from the distribution layer to the access layer, you need to have the skills necessary to troubleshoot these Layer 2 technologies. However, before you master the skills for troubleshooting these Layer 2 technologies, you need to have an understanding of Ethernet switch operations at Layer 2. This chapter sets the stage by reviewing basic Layer 2 switch operations, which will factor into discussions in future chapters. It then moves on to troubleshooting trunks, VTP, and VLANs.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 4-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 4-1 “Do I Know This Already?” Section-to-Question Mapping
Foundation Topics Section      Questions
Frame-Forwarding Process       1–3
Troubleshooting Trunks         4–6
Troubleshooting VTP            7
Troubleshooting VLANs          8
The MAC Address Table          9–10

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which header information is used by switches to forward frames?
a. Source IP address
b. Destination IP address
c. Source MAC address
d. Destination MAC address

2. Which header information is used by switches to learn which MAC address is reachable out a specific interface?
a. Source IP address
b. Destination IP address
c. Source MAC address
d. Destination MAC address

3. What does a switch do with an unknown unicast frame?
a. Drop it
b. Forward it out the port it is associated with
c. Use ARP to determine the MAC address of the IP address in the packet
d. Flood it out all ports except the port it was received on

4. Which two are examples of issues that could prevent a trunk from forming?
a. Encapsulation mismatch
b. Incompatible trunking modes
c. Password mismatch
d. Missing VLAN 5

5. Which two of the trunk mode examples will successfully form a trunk?
a. Access – Dynamic desirable
b. Dynamic Auto – Dynamic auto
c. Trunk – Dynamic auto
d. Trunk – Trunk nonegotiate

6. Which command enables you to verify the administrative mode and operational mode of an interface?
a. show vlan brief
b. show interfaces interface_type interface_number switchport
c. show interfaces trunk
d. show interfaces

7. Which command enables you to verify VTP configurations?
a. show run
b. show interfaces
c. show vtp status
d. show vtp configurations

8. Which two commands enable you to verify which VLAN a port is assigned to?
a. show vlan brief
b. show interfaces interface_type interface_number switchport
c. show interfaces trunk
d. show mac address-table dynamic

9. Which command enables you to verify which port a MAC address is being learned on?
a. show interfaces trunk
b. show run interface interface_type interface_number
c. show interfaces interface_type interface_number switchport
d. show mac address-table dynamic

10. What can we confirm when examining the MAC address table of a switch? (Choose two answers.)
a. The port a MAC address was learned on
b. The VLAN the MAC address is associated with
c. The administrative and operational mode of an interface
d. The number of devices physically connected to an interface


Foundation Topics

Frame-Forwarding Process
To successfully troubleshoot Layer 2 forwarding issues, you need a solid understanding
of how a switch operates. You would have learned this back in CCNA Routing and
Switching. However, we spend time here reviewing switch operations because our
troubleshooting efforts will be based on this knowledge. This section reviews how a switch
populates its MAC address table and how it decides what to do with a frame based on
the information in the MAC address table.

Unlike Ethernet hubs, which take bits in one port and send those same bits out all other
ports, Ethernet switches learn about the devices connected to their ports. Therefore,
when an Ethernet switch sees a frame destined for a particular MAC address, the switch
can consult its MAC address table to determine which port to forward the newly arrived
frame out. This behavior results in more-efficient bandwidth utilization and improved
security on a LAN. In addition, it eliminates the concern of collisions. Specifically, in a
hub environment, if two endpoints each transmitted a data frame at the same time, those
two frames would collide, resulting in both frames being corrupted because all ports on
a hub are in a common collision domain. This collision would require each endpoint to
retransmit its data frame. This is not a concern with switches because every port on an
Ethernet switch is in its own collision domain.

Ethernet switches can dynamically learn the MAC addresses attached to various
switchports by looking at the source MAC address on frames coming into a port. For
example, if switchport Gigabit Ethernet 1/1 received a frame with a source MAC address of
DDDD.DDDD.DDDD, the switch could conclude that MAC address DDDD.DDDD.DDDD
resided off of port Gigabit Ethernet 1/1. As a result, it places an entry in the
MAC address table indicating so. In the future, if the switch received a frame destined for
a MAC address of DDDD.DDDD.DDDD, the switch would only send that frame out of
port Gigabit Ethernet 1/1 because of the entry in the MAC address table.

Initially, however, a switch is unaware of what MAC addresses reside off of which
ports (unless MAC addresses have been statically configured). Therefore, when a switch
receives a frame destined for a MAC address not yet present in the switch’s MAC address
table, the switch floods that frame out of all the switchports in the same VLAN, other
than the port on which the frame was received. Similarly, broadcast frames (that is,
frames with a destination MAC address of FFFF.FFFF.FFFF) are always flooded out all
switchports in the same VLAN except the port on which the frame was received. The
reason broadcast frames are always flooded is that no endpoint will have a MAC address
of FFFF.FFFF.FFFF, meaning that the FFFF.FFFF.FFFF MAC address will never be
learned dynamically in the MAC address table of a switch. In addition, if you look at the
output of the MAC address table, you will notice that the all F’s MAC address is
statically bound to the CPU, ensuring that it can never be learned dynamically, as shown
in Example 4-1.


Example 4-1 show mac address-table Command Output
SW1#show mac address-table
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
All ffff.ffff.ffff STATIC CPU
10 0050.b60c.f258 DYNAMIC Gi0/1
10 0800.2757.1b86 DYNAMIC Gi0/1
10 0800.275d.06d6 DYNAMIC Fa0/1
10 0800.27a2.ce47 DYNAMIC Fa0/2
10 2893.fe3a.e301 DYNAMIC Gi0/1
...output omitted...

To illustrate how a switch’s MAC address table becomes populated, consider an endpoint
named PC1 that wants to form a Telnet connection with a server, as shown in Figure 4-1.
Also, assume that PC1 and its server reside on the same subnet (that is, no routing is
required to get traffic between PC1 and its server) and are therefore in the same VLAN,
in this case VLAN 100. Before PC1 can send a Telnet segment to its server, PC1 needs to
know the IP address (that is, the Layer 3 address) and the MAC address (that is, the Layer
2 address) of the server. The IP address of the server is typically known or is resolved
via a Domain Name System (DNS) lookup. In this example, assume that the server’s
IP address is known. To properly communicate over Ethernet, PC1 needs to know the
server’s Layer 2 MAC address. If PC1 does not already have the server’s MAC address in
its Address Resolution Protocol (ARP) cache, PC1 can send an ARP request to learn the
server’s MAC address.


[Figure 4-1: PC1 (AAAA.AAAA.AAAA) on SW1 Gig 0/1 and PC2 on SW1 Gig 0/3 are in VLAN 100; PC3 on SW1 Gig 0/4 is in VLAN 200. SW1 Gig 0/2 connects over a trunk to SW2 Gig 0/1. The server (BBBB.BBBB.BBBB) on SW2 Gig 0/2 and PC4 on SW2 Gig 0/3 are in VLAN 100; PC5 on SW2 Gig 0/4 is in VLAN 200. PC1 sends an ARP request.]

SW1 MAC Address Table: Gig 0/1 empty; Gig 0/2 empty
SW2 MAC Address Table: Gig 0/1 empty; Gig 0/2 empty

Figure 4-1 Endpoint Sending an ARP Request

When switch SW1 sees PC1’s ARP request enter port Gig0/1, the PC1 MAC address of
AAAA.AAAA.AAAA is added to the MAC address table of switch SW1 and associated
with interface Gig0/1. Because Gig0/1 is a member of VLAN 100, the MAC is also
associated with VLAN 100. Because the ARP request is a broadcast, its destination
MAC address is FFFF.FFFF.FFFF (all F’s). As discussed earlier, frames with a destination
of all F’s will be copied and flooded out all switchports except the port on which the
frame was received. However, notice that port Gig0/1 on switch SW1 belongs to VLAN
100, whereas port Gig0/4 belongs to VLAN 200. This is important because frames are
constrained to the VLAN from which they originated unless routed by a Layer 3 device.
Therefore, the broadcast frame in this case is not flooded out Gig0/4 because Gig0/4 is a
member of a different VLAN. Port Gig0/2, however, is a trunk port, and a trunk can carry
traffic for multiple VLANs. Therefore, the ARP request is flooded out of ports Gig0/2
and Gig0/3, as illustrated in Figure 4-2. Because the ARP request is for the MAC of the
server, PC2 will ignore the ARP request.

When switch SW2 receives the ARP request inbound on its Gig0/1 trunk port, the source
MAC address of AAAA.AAAA.AAAA is added to switch SW2’s MAC address table,
associated with Gig0/1 and VLAN 100. Also, similar to the behavior of switch SW1,
switch SW2 floods the broadcast frame out of port Gig0/3 (a member of VLAN 100) and
out of port Gig0/2 (also a member of VLAN 100), as depicted in Figure 4-3.

Chapter 4: Troubleshooting Layer 2 Trunks, VTP, and VLANs 135

[Figure: same topology as Figure 4-1. SW1 floods the ARP request out Gig0/3 (PC2) and out the Gig0/2 trunk toward SW2, but not out Gig0/4 (VLAN 200). SW1 MAC address table: VLAN 100, Gig0/1, AAAA.AAAA.AAAA; Gig0/2 empty. SW2 MAC address table: Gig0/1 empty, Gig0/2 empty.]
Figure 4-2 Switch SW1 Flooding the ARP Request

[Figure: same topology as Figure 4-1. SW2 floods the ARP request out Gig0/3 (PC4) and Gig0/2 (Server), but not out Gig0/4 (VLAN 200). SW1 MAC address table: VLAN 100, Gig0/1, AAAA.AAAA.AAAA; Gig0/2 empty. SW2 MAC address table: VLAN 100, Gig0/1, AAAA.AAAA.AAAA; Gig0/2 empty.]
Figure 4-3 Switch SW2 Flooding the ARP Request

The server receives the ARP request and responds with an ARP reply, as shown in Figure
4-4. In addition, the server updates its ARP cache with a mapping of the IP and MAC
address of PC1. Unlike the ARP request, the ARP reply frame is not a broadcast frame; it
is a unicast frame. The ARP reply in this case has a destination MAC address of AAAA.
AAAA.AAAA and a source MAC address of BBBB.BBBB.BBBB.

[Figure: same topology as Figure 4-1. Server sends the ARP reply toward SW2 Gig0/2. MAC address tables unchanged from Figure 4-3: SW1 has VLAN 100, Gig0/1, AAAA.AAAA.AAAA and Gig0/2 empty; SW2 has VLAN 100, Gig0/1, AAAA.AAAA.AAAA and Gig0/2 empty.]
Figure 4-4 ARP Reply Sent from the Server

Upon receiving the ARP reply from the server, switch SW2 adds the server’s MAC
address of BBBB.BBBB.BBBB to its MAC address table, as shown in Figure 4-5. Also, the
ARP reply is sent out only port Gig0/1 because switch SW2 knows that the destination
MAC address of AAAA.AAAA.AAAA is reachable out port Gig0/1.

[Figure: same topology as Figure 4-1. SW2 forwards the ARP reply out Gig0/1 only, across the trunk to SW1. SW1 MAC address table: VLAN 100, Gig0/1, AAAA.AAAA.AAAA; Gig0/2 empty. SW2 MAC address table: VLAN 100, Gig0/1, AAAA.AAAA.AAAA; VLAN 100, Gig0/2, BBBB.BBBB.BBBB.]
Figure 4-5 Switch SW2 Forwarding the ARP Reply

When receiving the ARP reply in its Gig0/2 port, switch SW1 adds the server’s MAC
address of BBBB.BBBB.BBBB to its MAC address table. Also, like switch SW2, switch
SW1 now has an entry in its MAC address table for the frame’s destination MAC address
of AAAA.AAAA.AAAA. Therefore, switch SW1 forwards the ARP reply out port Gig0/1
to the endpoint of PC1, as illustrated in Figure 4-6.

[Figure: same topology as Figure 4-1. SW1 forwards the ARP reply out Gig0/1 to PC1. Both MAC address tables now hold VLAN 100, Gig0/1, AAAA.AAAA.AAAA and VLAN 100, Gig0/2, BBBB.BBBB.BBBB.]
Figure 4-6 Switch SW1 Forwarding the ARP Reply

After receiving the server’s ARP reply, PC1 now knows the MAC address of the server.
Therefore, PC1 can send a properly constructed Telnet segment destined for the server,
as depicted in Figure 4-7. The source MAC of the Layer 2 frame will be AAAA.AAAA.
AAAA, and the destination MAC will be BBBB.BBBB.BBBB.

Switch SW1 has the server’s MAC address of BBBB.BBBB.BBBB in its MAC address table.
Therefore, when switch SW1 receives the frame from PC1, that frame is forwarded out of
the Gig0/2 port of switch SW1, as shown in Figure 4-8.

[Figure: same topology and fully populated MAC address tables as Figure 4-6. PC1 sends a Telnet segment toward SW1 Gig0/1.]
Figure 4-7 PC1 Sending a Telnet Segment

[Figure: same topology and MAC address tables as Figure 4-6. SW1 forwards the Telnet segment out its Gig0/2 trunk toward SW2.]
Figure 4-8 Switch SW1 Forwarding the Telnet Segment

Similar to the behavior of switch SW1, switch SW2 forwards the frame out its Gig0/2
port. This forwarding, shown in Figure 4-9, is possible because switch SW2 has an entry
for the segment’s destination MAC address of BBBB.BBBB.BBBB in its MAC address
table.

[Figure: same topology and MAC address tables as Figure 4-6. SW2 forwards the Telnet segment out Gig0/2 to Server.]
Figure 4-9 Switch SW2 Forwarding the Telnet Segment

Finally, the server responds to PC1, and a bidirectional Telnet session is established between
the PC and the server, as illustrated in Figure 4-10. Because PC1 learned the MAC address
of the server and the server learned the MAC address of PC1, as a result of PC1’s earlier
ARP request, both devices stored the MAC addresses in their local ARP caches; therefore,
the transmission of subsequent Telnet segments does not require additional ARP requests.
However, if unused for a period of time, entries in a device's ARP cache will time out.

[Figure: same topology and MAC address tables as Figure 4-6. Telnet traffic flows in both directions between PC1 (SW1 Gig0/1) and Server (SW2 Gig0/2) across the SW1 Gig0/2 to SW2 Gig0/1 trunk.]
Figure 4-10 Bidirectional Telnet Session Between PC1 and the Server
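The MAC learning, VLAN-constrained flooding and unicast forwarding walked through in Figures 4-1 to 4-10 can be reproduced with a small model. This is an added Python example, not code from the book; it assumes the topology, port names, VLANs and MAC addresses of Figure 4-1, treats the trunk as carrying every VLAN, and ignores STP, aging and 802.1Q tagging details.

```python
"""Model of the switch behaviour walked through in Figures 4-1 to 4-10.

Added illustration (not from the book): two VLAN-aware switches, SW1 and SW2,
joined by one trunk. Port names, VLANs and MAC addresses follow Figure 4-1.
"""
from dataclasses import dataclass, field

BROADCAST = "FFFF.FFFF.FFFF"


@dataclass
class Frame:
    src: str
    dst: str
    vlan: int   # VLAN assigned by the ingress access port (or carried on the trunk)
    kind: str   # "ARP request", "ARP reply", "Telnet" ...


@dataclass
class Switch:
    name: str
    access: dict                 # access port -> VLAN
    trunks: set                  # trunk ports; assumed to carry every VLAN
    mac_table: dict = field(default_factory=dict)   # (vlan, mac) -> port
    links: dict = field(default_factory=dict)       # port -> (neighbour, its port)
    log: list = field(default_factory=list)

    def port_carries(self, port, vlan):
        """A frame may leave a port only if that port carries the frame's VLAN."""
        return port in self.trunks or self.access.get(port) == vlan

    def receive(self, port, frame):
        """Learn the source MAC, then forward or flood within the VLAN.
        Returns the list of egress ports used on this switch."""
        # Learning: the source MAC is tied to the ingress port *and* the VLAN.
        self.mac_table[(frame.vlan, frame.src)] = port
        known = self.mac_table.get((frame.vlan, frame.dst))
        if frame.dst != BROADCAST and known is not None:
            egress = [known]                 # known unicast: one port only
        else:
            # Broadcast or unknown unicast: flood, but never back out the ingress
            # port and never into a port that belongs to another VLAN.
            egress = [p for p in list(self.access) + sorted(self.trunks)
                      if p != port and self.port_carries(p, frame.vlan)]
        for p in egress:
            self.log.append(f"{self.name}: {frame.kind} out {p}")
            if p in self.links:              # hand the frame to the far switch
                neighbour, remote_port = self.links[p]
                neighbour.receive(remote_port, frame)
        return egress


def build_topology():
    sw1 = Switch("SW1", access={"Gig0/1": 100, "Gig0/3": 100, "Gig0/4": 200},
                 trunks={"Gig0/2"})
    sw2 = Switch("SW2", access={"Gig0/2": 100, "Gig0/3": 100, "Gig0/4": 200},
                 trunks={"Gig0/1"})
    sw1.links["Gig0/2"] = (sw2, "Gig0/1")
    sw2.links["Gig0/1"] = (sw1, "Gig0/2")
    return sw1, sw2


def run_arp_exchange():
    """PC1's broadcast ARP request (Figures 4-1 to 4-3) followed by the server's
    unicast ARP reply (Figures 4-4 to 4-6)."""
    sw1, sw2 = build_topology()
    pc1, server = "AAAA.AAAA.AAAA", "BBBB.BBBB.BBBB"
    request_egress = sw1.receive("Gig0/1", Frame(pc1, BROADCAST, 100, "ARP request"))
    reply_egress = sw2.receive("Gig0/2", Frame(server, pc1, 100, "ARP reply"))
    return sw1, sw2, request_egress, reply_egress


def server_port_in_wrong_vlan():
    """One item from the troubleshooting list: SW2 Gig0/2 is not in VLAN 100.
    Returns the ports SW2 flooded the request out of; Gig0/2 must not be among them."""
    sw1, sw2 = build_topology()
    sw2.access["Gig0/2"] = 200               # constructed misconfiguration
    sw1.receive("Gig0/1", Frame("AAAA.AAAA.AAAA", BROADCAST, 100, "ARP request"))
    return [entry.split(" out ")[1] for entry in sw2.log]


if __name__ == "__main__":
    sw1, sw2, _, _ = run_arp_exchange()
    for sw in (sw1, sw2):
        print(sw.name, "MAC address table:")
        for (vlan, mac), port in sorted(sw.mac_table.items()):
            print(f"  {vlan}  {port}  {mac}")
```

Running the module prints both MAC address tables in the state Figure 4-6 shows; swapping the ARP reply for a Telnet frame with the same addresses exercises the known-unicast path of Figures 4-7 to 4-9.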

When troubleshooting an issue involving Layer 2 switch communication, a thorough
understanding of the preceding steps can help you identify potential problems quickly
and efficiently. Take a moment and review Figure 4-10. Consider where issues might arise
in the topology that would prevent PC1 and Server from communicating. The following
list outlines a few potential issues that could arise:

■ PC1 and Server have IP addresses in different subnets because of an incorrect address
or subnet mask.

■ Interface Gig0/1 on SW1 or Gig0/2 on SW2 is not a member of the correct VLAN.

■ VLAN 100 is missing on SW1 or SW2.

■ The trunk between SW1 and SW2 is not passing traffic for the necessary VLANs
(VLAN 100 in this case).

■ The trunk is not formed between SW1 and SW2.

■ A VACL is denying PC1 from communicating with Server.

■ Interface Gig0/1 on SW1, Gig0/2 on SW2, or the trunk interfaces are shut down or in
the err-disabled state.

Troubleshooting Trunks
Trunks support multiple VLANs on a single physical link. A trunk can be between two
switches, a switch and a router, or a switch and a server that is providing services for
multiple VLANs. This section focuses on issues that prevent a trunk from being formed
or passing traffic for a VLAN. Figure 4-11 serves as the topology for all of the examples.

[Figure: the reference topology of Figure 4-1 with the fully populated MAC address tables of Figure 4-6. PC1 (AAAA.AAAA.AAAA) on SW1 Gig0/1 and PC2 on SW1 Gig0/3 are in VLAN 100; PC3 on SW1 Gig0/4 is in VLAN 200. SW1 Gig0/2 connects over a trunk to SW2 Gig0/1. Server (BBBB.BBBB.BBBB) on SW2 Gig0/2 and PC4 on SW2 Gig0/3 are in VLAN 100; PC5 on SW2 Gig0/4 is in VLAN 200.]
Figure 4-11 Troubleshooting Trunks

Encapsulation Mismatch
Two types of trunking encapsulations are supported by Cisco Catalyst switches: 802.1Q,
which is an IEEE standard; and ISL (Inter-Switch Link), which is Cisco proprietary. 802.1Q
adds a 4-byte tag to the Ethernet frame, whereas ISL encapsulates the entire Ethernet
frame, resulting in an additional 30 bytes. Not all switches support both. For example,
a Catalyst 2960 switch supports only 802.1Q, whereas a Catalyst 3560 and a Catalyst
3750-E support both. To form a trunk between two switches, the interfaces that will be
forming the trunk must be using the same encapsulation type. By default, Cisco Catalyst
switches that support only 802.1Q will use 802.1Q, whereas Catalyst switches that support
both 802.1Q and ISL will autonegotiate the encapsulation using DTP. Therefore, if you connect
a Catalyst 2960 and a Catalyst 3750-E together, they will use 802.1Q because that is all
the Catalyst 2960 can support. However, if you connect two 3750-Es together, they will
negotiate the use of ISL because it is Cisco proprietary. If you are required to use 802.1Q
trunks in your environment, you must manually change it from ISL to 802.1Q in that situ-
ation.

Because autonegotiation of encapsulation works very well, you will usually only have an
encapsulation mismatch if someone is manually setting the trunking encapsulation. To
verify the encapsulation type used on an interface, issue the show interfaces interface_type
interface_number switchport command, as shown in Examples 4-2 and 4-3.

Example 4-2 Output of show interfaces switchport Command on SW1 to Verify Encapsulation
SW1#show interfaces gigabitethernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

Example 4-3 Output of show interfaces switchport Command on SW2 to Verify Encapsulation
SW2#show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

From the show interfaces switchport output of Example 4-2 and Example 4-3, you can
see that SW1 and SW2 are not using the same trunking encapsulation. SW1 is using
802.1Q, and SW2 is using ISL. Therefore, a trunk will not successfully form in this case.

You can also verify which trunking encapsulation is being used by looking at the output
of show interfaces trunk, as shown in Example 4-4 and Example 4-5.

Example 4-4 Output of show interfaces trunk Command on SW1 to Verify
Encapsulation
SW1#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Gi0/2 on 802.1q trunking 99
Port Vlans allowed on trunk
Gi0/2 1-4094

Port Vlans allowed and active in management domain
Gi0/2 1,100,200

Port Vlans in spanning tree forwarding state and not pruned
Gi0/2 1,100,200

Example 4-5 Output of show interface trunk Command on SW2 to Verify
Encapsulation
SW2#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Gi0/1 on isl trunking 99
Port Vlans allowed on trunk
Gi0/1 1-4094

Port Vlans allowed and active in management domain
Gi0/1 1,100,200

Port Vlans in spanning tree forwarding state and not pruned
Gi0/1 1,100,200

Incompatible Trunking Modes
There are different administrative trunking modes an interface can be configured to use
when forming a trunk, as follows:

■ Access: In this administrative mode, a switchport is manually configured to never
become a trunk even if DTP messages are received. This mode is designed for ports
that are connecting to, for example, end stations, servers, and printers, where a trunk
should never be required because only a single VLAN is needed. This mode can be
verified as shown in Example 4-6.

■ Trunk: In this administrative mode, a switchport is manually configured to always be
a trunk. This mode can be verified as shown in Example 4-7.

■ Dynamic desirable: In this administrative mode, a switchport is aggressively try-
ing to become a trunk by negotiating with the other end of the link to form a
trunk using DTP. If the other end of the link agrees, then a trunk is formed; if not, it
remains an access port that will listen for DTP messages in addition to periodically
sending DTP messages as it continues to try and form a trunk. This mode can be
verified as shown in Example 4-8.

■ Dynamic auto: In this administrative mode, a switchport is passively waiting for DTP
messages to arrive asking it to form a trunk. If it receives them, it will form a trunk.
If it does not receive any, it remains an access port that will listen for DTP messages.
This mode can be verified as shown in Example 4-9.

Example 4-6 Verifying Trunking Administrative Mode (Access)
SW1#show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 100 (VLAN100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

Example 4-7 Verifying Trunking Administrative Mode (Trunk)
SW1#show interfaces gigabitethernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

Example 4-8 Verifying Trunking Administrative Mode (Dynamic Desirable)
SW1#show interfaces gigabitethernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

Example 4-9 Verifying Trunking Administrative Mode (Dynamic Auto)
SW1#show interfaces gigabitethernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (NATIVE)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

The default administrative mode varies by Catalyst switch model. To verify the default
administrative mode on your model, issue the show interfaces interface_type interface_number
switchport command for an interface that is still using factory default settings.
Example 4-10 shows that interface Gigabit Ethernet 0/1 is using factory default settings,
because no other configurations have been applied to the interface, as shown in the show
run interface gigabitethernet 0/1 output. The output of show interfaces gigabitethernet
0/1 switchport | include Administrative Mode indicates that the trunking administrative
mode is dynamic auto. Therefore, we can conclude dynamic auto is the default on this
switch because there is no command in the running configuration that indicates other-
wise.

Example 4-10 Verifying Default Trunking Mode on SW2
SW2#show run interface gigabitethernet 0/1
Building configuration...

Current configuration : 50 bytes
!
interface GigabitEthernet0/1
end

SW2#show interfaces gig 0/1 switchport | include Administrative Mode
Administrative Mode: dynamic auto

Some of these administrative modes are compatible with each other and will form a
trunk, whereas others are not, as shown in Table 4-2. While you are looking at Table 4-2,
remember that dynamic auto, dynamic desirable, and trunk all use DTP by default.

Table 4-2 Comparing Trunking Administrative Modes (rows: SW2 mode; columns: SW1 mode)

SW2 \ SW1           Dynamic Auto          Dynamic Desirable     Trunk                 Trunk Nonegotiate     Access
Dynamic Auto        Access                Trunk                 Trunk                 Limited connectivity  Access
Dynamic Desirable   Trunk                 Trunk                 Trunk                 Limited connectivity  Access
Trunk               Trunk                 Trunk                 Trunk                 Trunk                 Limited connectivity
Trunk Nonegotiate   Limited connectivity  Limited connectivity  Trunk                 Trunk                 Limited connectivity
Access              Access                Access                Limited connectivity  Limited connectivity  Access

As you can see in Table 4-2, if both switchports are configured as dynamic auto, a trunk
will not form. The switchports will remain as access ports and pass traffic for the VLAN
the port is a member of. To form a trunk with a switchport that is dynamic auto, the
other switchport must be using dynamic desirable or trunk (using DTP). Limited con-
nectivity is a result of one side being operationally a trunk and the other side being
operationally an access port. Connectivity will occur only if the access port VLAN on
one switch happens to be the same as the native VLAN for the 802.1Q trunk on the other
switch. If not, connectivity will be broken. The reason is that the access port sends
the frames untagged, and when the trunk port at the other end receives them, it treats
them as part of the native VLAN because of the missing tag. If these VLAN numbers
match, the frames are forwarded without a problem. However, if the native VLAN does
not match the VLAN configured on the access port, frames entering or leaving the trunk
port are placed in a different VLAN than the access port, the frames are no longer
forwarded correctly, and connectivity is broken. Memorizing Table 4-2 will definitely
prove beneficial if you ever have to troubleshoot trunk links that are not forming.
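Rather than memorizing Table 4-2, you can derive it from the DTP behaviour described for each administrative mode. The following is an added Python example, not code from the book; the constants SENDS_DTP and REQUESTS_TRUNK encode the text's description of which modes use DTP and which actively ask to trunk, and the last function models the limited-connectivity case for an 802.1Q link.

```python
"""Deriving Table 4-2 from the DTP behaviour of each administrative mode.

Added example (not from the book). Each side's operational mode follows from its
own administrative mode and what the far end does; the pair of operational modes
then gives the table entry. The last function models "limited connectivity".
"""

AUTO, DESIRABLE, TRUNK, NONEGOTIATE, ACCESS = (
    "dynamic auto", "dynamic desirable", "trunk", "trunk nonegotiate", "access")
MODES = [AUTO, DESIRABLE, TRUNK, NONEGOTIATE, ACCESS]

SENDS_DTP = {AUTO, DESIRABLE, TRUNK}     # the text: these three use DTP by default
REQUESTS_TRUNK = {DESIRABLE, TRUNK}      # modes that actively ask the far end to trunk

# Table 4-2 as printed: row = SW2 mode, column = SW1 mode (in MODES order).
TABLE_4_2 = {
    AUTO:        ["Access", "Trunk", "Trunk", "Limited connectivity", "Access"],
    DESIRABLE:   ["Trunk", "Trunk", "Trunk", "Limited connectivity", "Access"],
    TRUNK:       ["Trunk", "Trunk", "Trunk", "Trunk", "Limited connectivity"],
    NONEGOTIATE: ["Limited connectivity", "Limited connectivity", "Trunk", "Trunk",
                  "Limited connectivity"],
    ACCESS:      ["Access", "Access", "Limited connectivity", "Limited connectivity",
                  "Access"],
}


def operational_mode(local, remote):
    """Operational mode of one port given its own and the far end's admin mode."""
    if local in (TRUNK, NONEGOTIATE):
        return "trunk"                     # trunks unconditionally
    if local == ACCESS:
        return "access"                    # never trunks, whatever DTP says
    if local == DESIRABLE:
        # Actively negotiates; succeeds with any far end that speaks DTP.
        return "trunk" if remote in SENDS_DTP else "access"
    # dynamic auto: passive, trunks only when the far end asks.
    return "trunk" if remote in REQUESTS_TRUNK else "access"


def link_result(sw1_mode, sw2_mode):
    a = operational_mode(sw1_mode, sw2_mode)
    b = operational_mode(sw2_mode, sw1_mode)
    if a == b == "trunk":
        return "Trunk"
    if a == b == "access":
        return "Access"
    return "Limited connectivity"          # one side trunking, the other not


def derived_table():
    return {sw2: [link_result(sw1, sw2) for sw1 in MODES] for sw2 in MODES}


def matches_table_4_2():
    """True when the rules above reproduce every cell of Table 4-2."""
    return derived_table() == TABLE_4_2


def limited_link_forwards(access_vlan, trunk_native_vlan):
    """Limited connectivity on an 802.1Q link: the access side sends untagged
    frames, which the trunk side places in its native VLAN. Traffic reaches the
    intended VLAN only when the two numbers coincide."""
    return access_vlan == trunk_native_vlan


if __name__ == "__main__":
    print("derived table matches Table 4-2:", matches_table_4_2())
    print("dynamic auto / dynamic auto ->", link_result(AUTO, AUTO))
    print("access VLAN 100 vs native VLAN 1 ->", limited_link_forwards(100, 1))
```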

VTP Domain Name Mismatch
We will cover VTP in detail shortly. However, if you are using DTP to dynamically form
trunks and the VTP domain name does not match between the two switches, a trunk will
not be formed, as shown in Example 4-11.

Example 4-11 VTP Domain Name Mismatch Causes Trunk Not to Form
SW1#
%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Gi0/2 because of
VTP domain mismatch.

Native VLAN Mismatch
Trunk issues with the native VLAN only surface when we are using IEEE 802.1Q trunk-
ing encapsulation. The concept of a native VLAN does not exist with Cisco ISL trunking
encapsulation. The native VLAN by default is VLAN 1 and is used to carry untagged
traffic across an 802.1Q trunk. It is imperative that the native VLAN matches on both
sides of a trunk link. If it does not, it is possible for traffic to leak from one VLAN to
another, resulting in an undesired forwarding behavior and possible errors with Spanning
Tree Protocol.

With a native VLAN mismatch, the trunk forms, and syslog messages are generated, as
shown in Example 4-12. From the example, you can see that Cisco Discovery Protocol
(CDP) is warning you about the native VLAN mismatch; however, if CDP is not enabled,
this message would not appear. Example 4-13 displays the output of show interfaces
trunk on SW1 and SW2, confirming that we have a native VLAN mismatch.

Example 4-12 Result of a Native VLAN Mismatch on a Trunk
SW1#
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/2
(1), with SW2 GigabitEthernet0/1 (99).
SW2#
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1
(99), with SW1 GigabitEthernet0/2 (1).

Example 4-13 Confirming the Native VLAN Mismatch with the show interfaces trunk
Command
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/2 desirable n-802.1q trunking 1
...output omitted...

SW2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/1 desirable n-802.1q trunking 99
...output omitted...

Allowed VLANs
By default, traffic for all VLANs will be forwarded on a trunk. You can modify this
behavior by identifying which VLANs are allowed on the trunk. You can accomplish
this manually or dynamically. If you are using VTP to propagate VLAN configuration
information, you can use the VTP pruning feature, which dynamically determines which
VLANs are needed on each of the trunks. You can enable VTP pruning with the vtp
pruning global configuration command. Many prefer to control the VLANs allowed on
trunks manually with the switchport trunk allowed vlans vlan_id command in interface
configuration mode. You can verify which VLANs are allowed on a trunk a few different
ways. You can use the show interfaces trunk command, the show interface interface_type
interface_number switchport command, or review the interface configuration
in the running configuration. Example 4-14 displays the output from these three com-
mands. Focus on the highlighted text because it identifies which VLANs are allowed on
the trunk. If traffic is not flowing across a trunk for a specific VLAN, make sure that the
VLAN is allowed on the trunk.

Example 4-14 Verifying Allowed VLANs on a Trunk
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/2 desirable n-802.1q trunking 99

Port Vlans allowed on trunk
Gi0/2 100,200

Port Vlans allowed and active in management domain
Gi0/2 100,200

Port Vlans in spanning tree forwarding state and not pruned
Gi0/2 100,200

SW1#show interfaces gigabitethernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
...output omitted...
Trunking VLANs Enabled: 100,200
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
...output omitted...

SW1#show run interface gigabitethernet 0/2
Building configuration...

Current configuration : 167 bytes
!
interface GigabitEthernet0/2
switchport trunk native vlan 99
switchport trunk allowed vlan 100,200
switchport mode dynamic desirable
end

Troubleshooting VTP
Picture a network with 50 switches and 75 VLANs. You have been tasked with deploying
these 75 VLANs to all 50 switches. This is a large task that is definitely prone to human
error. VLAN Trunking Protocol (VTP) is designed to ease the deployment of VLAN
configuration information between switches across trunk links. This section explains
the reasons why VTP might not be sharing VLAN configuration information with other
switches in the domain. Figure 4-11 is used as the topology for the examples. SW1 and
SW2 need to have the same VLAN database.

Domain Name Mismatch
Switches that will learn VLAN configuration information from each other using VTP
need to be in the same VTP domain. The VTP domain is identified by a name known as
the VTP domain name, and it can be anything you want it to be. However, it must match
on the devices that will be exchanging VLAN configuration information. Suppose, for
example, that SW1 in Figure 4-11 is using a VTP domain name of TSHOOT and SW2 is
using a VTP domain name of TSHOOT. Obviously, they match. What about SW1 using
TSHOOT and SW2 using TSHO0T? It looks like they match, but they do not. The VTP
domain name for SW2 has a zero (0) in it instead of the letter O. Compare Examples 4-15
and 4-16, which display the output of show vtp status on SW1 and SW2. Are SW1 and
SW2 in the same VTP domain?

Example 4-15 Verifying the VTP Domain Name on SW1
SW1#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : Tshoot
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 001c.57fe.f600
...output omitted...

Example 4-16 Verifying the VTP Domain Name on SW2
SW2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : TSHOOT
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 2893.fe3b.0100
...output omitted...

Note that case does matter for the VTP domain name. Therefore, SW1 and SW2 are in
completely different VTP domains and will not share VLAN configuration information
with each other. In addition, as mentioned earlier, if you are using DTP to form a trunk
and you have a VTP domain name mismatch, a trunk will not form.

Version Mismatch
There are three versions of VTP: VTPv1, VTPv2, and VTPv3. VTPv1 is the default. If you
are running VTPv1, all switches need to be using VTPv1 to successfully exchange VLAN
configuration information. If you are running VTPv2 or VTPv3, the switches can be using
VTPv2 or VTPv3 because they are compatible. However, to reduce the possibility of
issues, it is recommended that you avoid mixing VTP versions. To verify the VTP version
in use on a switch, issue the show vtp status command, as shown in Example 4-17. Also
notice in the output that SW2 is capable of running all three versions of VTP.

Example 4-17 Verifying the VTP Version on SW2
SW2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : TSHOOT
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 2893.fe3b.0100
...output omitted...

Mode Mismatch
VTP has four modes of operation: Server, Client, Transparent, and Off. For a switch to
use the VLAN configuration information in a VTP message, it must be in Server or Client
mode. A switch operating in Transparent mode will ignore the information contained in
a VTP message; however, it will still forward on the message to other switches. In Off
mode, the switch behaves the same as Transparent mode, except that it will not forward
on VTP messages that it receives. Therefore, if you are troubleshooting an issue that
involves missing VLANs on a switch and you are using VTP, check whether the switch
is in VTP Transparent mode or Off. To verify the VTP mode used on a switch, issue
the show vtp status command, as shown in Examples 4-18 and 4-19. In addition, with
VTPv3, only the VTP primary server can add or delete VLANs.

Example 4-18 Verifying the VTP Mode on SW1
SW1#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : SWITCH
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 2893.fe3b.0100

Feature VLAN:
--------------
VTP Operating Mode : Server
Number of existing VLANs : 10
Number of existing extended VLANs : 0
Maximum VLANs supported locally : 1005
Configuration Revision : 3
...output omitted...

Example 4-19 Verifying the VTP Mode on SW2
SW2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : SWITCH
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 001c.57fe.f600

Feature VLAN:
--------------
VTP Operating Mode : Client
Number of existing VLANs : 10
Number of existing extended VLANs : 0
Maximum VLANs supported locally : 255
Configuration Revision : 3
...output omitted...

Password Mismatch
To ensure that a switch only uses VTP configuration information from legitimate sources,
it is recommended that a VTP password is set. When a switch receives a VTP message
from another switch, it will verify that the attached message digest 5 (MD5) algorithm
hash matches its local hash. If it matches, the VTP message is from a legitimate source
and is processed. If not, the VTP message is discarded. Remember that the VTP password
is case sensitive. Example 4-20 shows how you can verify the password that is configured
with the show vtp password command and the hash value that will be used with the
show vtp status command.

Example 4-20 Verifying VTP Passwords
SW1#show vtp password
VTP Password: CCNP

SW1#show vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : SWITCH
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 2893.fe3b.0100

Feature VLAN:
--------------
VTP Operating Mode : Server
Number of existing VLANs : 11
Number of existing extended VLANs : 0
Maximum VLANs supported locally : 1005
Configuration Revision : 2
Primary ID : 2893.fe3a.e300
Primary Description : DSW1
MD5 digest : 0x98 0x29 0xB8 0x5D 0x4D 0x48 0x71 0xE3
0x8A 0x93 0x8E 0x82 0x2B 0xEA 0xA0 0x45
...output omitted...

Higher Revision Number
When a switch in VTP server mode makes a change to the VLAN database, it incre-
ments the configuration revision number shown in Example 4-20. Currently it is 2, but if
another VLAN were added or a modification were made that affected the VLAN data-
base, VTP would increment the configuration revision number. This number is extremely
important because the switch with the higher configuration revision number is consid-
ered to have the most up-to-date and valid VLAN database. However, this might not
always be the case. For example, suppose that you are preparing for the TSHOOT exam
and you are troubleshooting VLANs. You keep adding and deleting VLANs while using
VTPv1 to propagate your changes to the other switches in your lab pod. Now you have
a really high configuration revision number. The next day a coworker plugs your lab pod
into the production network, and your lab VLAN database overwrites the VLAN data-
base of the production network because you were using the same domain name and pass-
word on your lab devices and the lab had a higher configuration revision number than the
production network. Now you need to rebuild the production VLAN database or restore
it from backup, if you have one.

You need to prevent this from ever happening by ensuring no one uses the same VTP
domain name or password on other devices and then plugs them into the produc-
tion network. However, that is hard to control. So, it is better to run all the switches in
Transparent mode and only use Server or Client mode when you are building the VLAN
database or making significant changes that have to be propagated to all the other switch-
es. This is because Transparent mode switches will not update their VLAN information
from VTP messages, protecting you from having your VLAN database overwritten. You
may also want to consider having all switches in VTP Transparent mode when they are
added to the domain so that their configuration revision number is 0, which it always is
for Transparent mode. Your best option is to use VTPv3 because only the VTP primary
server will be considered a trusted source of VTP messages within the VTP domain, and
any other VTP messages will be ignored, ensuring that your database is not overwritten
by a rouge switch.
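The rule of thumb in this section can be applied before a switch is ever cabled into a production VTP domain. The following Python is an added example (not from the book): it parses show vtp status output like Example 4-20 and decides whether the candidate switch could overwrite the production VLAN database. The sample output is constructed from Example 4-20, and the production-side values and the hypothetical lab switch are assumed inputs.

```python
"""Pre-connection check for the VTP revision-number problem described above.

Added example, not from the Cisco Press text. Parses 'show vtp status' output and
decides whether attaching the switch to a production domain could overwrite the
production VLAN database. The password cannot be read from this output (only the
MD5 digest is shown), so the check assumes the operator has confirmed that the
candidate switch uses the production password.
"""
from dataclasses import dataclass

# Constructed sample modelled on Example 4-20 (a VTPv3 server, revision 2).
SAMPLE_VTP_STATUS = """\
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : SWITCH
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 2893.fe3b.0100

Feature VLAN:
--------------
VTP Operating Mode : Server
Number of existing VLANs : 11
Number of existing extended VLANs : 0
Maximum VLANs supported locally : 1005
Configuration Revision : 2
Primary ID : 2893.fe3a.e300
Primary Description : DSW1
MD5 digest : 0x98 0x29 0xB8 0x5D 0x4D 0x48 0x71 0xE3
"""


@dataclass
class VtpStatus:
    version: int   # VTP version running
    domain: str    # VTP domain name
    mode: str      # Server, Client, Transparent or Off
    revision: int  # configuration revision number


def parse_vtp_status(text: str) -> VtpStatus:
    """Extract the fields that matter for the overwrite problem from 'show vtp status'."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return VtpStatus(
        version=int(fields["vtp version running"]),
        domain=fields["vtp domain name"],
        mode=fields["vtp operating mode"],
        revision=int(fields["configuration revision"]),
    )


def attach_verdict(candidate: VtpStatus, production: VtpStatus) -> tuple[bool, str]:
    """Return (safe, reason) for cabling `candidate` into the domain described by `production`.

    Encodes the chapter's reasoning: in VTPv1/v2 the switch with the higher revision number
    is treated as holding the valid VLAN database, so a same-domain server or client with a
    higher revision overwrites production. Transparent switches (revision always 0) and
    VTPv3 domains (only the primary server is trusted) do not.
    """
    if candidate.domain != production.domain:
        return True, "different VTP domain name; its advertisements are ignored"
    if candidate.mode.lower() == "transparent":
        return True, "Transparent mode: revision stays 0 and VLAN updates are not applied"
    if production.version >= 3:
        return True, "VTPv3 domain: only the primary server is a trusted source"
    if candidate.revision > production.revision:
        return False, (
            f"VTPv{candidate.version} {candidate.mode} with revision {candidate.revision} "
            f"exceeds production revision {production.revision}; the production VLAN "
            "database would be overwritten"
        )
    return True, f"revision {candidate.revision} does not exceed production revision {production.revision}"


def lab_pod_scenario() -> tuple[bool, str]:
    """The scenario from the text: a VTPv1 lab switch with a high revision meets a VTPv1 production domain."""
    lab_switch = VtpStatus(version=1, domain="SWITCH", mode="Server", revision=57)  # constructed
    production = VtpStatus(version=1, domain="SWITCH", mode="Server", revision=2)   # constructed
    return attach_verdict(lab_switch, production)


if __name__ == "__main__":
    print(parse_vtp_status(SAMPLE_VTP_STATUS))
    print(lab_pod_scenario())
```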

Troubleshooting VLANs
Our discussions have led us to this important point in this chapter: being able to identify and solve issues with VLANs. This is an important task for any troubleshooter. Some of these issues could be a result of a trunk or VTP issue, as previously discussed. This section identifies the issues that might arise with VLANs and how you can fix them. The discussion is based on Figure 4-11.

Incorrect IP Addressing
It all starts with the client configuration. If the IP address, subnet mask, or default gateway are not configured correctly, frames will not flow as expected. Example 4-21 displays the output of ipconfig on PC1 and Server. If you look closely, you will notice that Server is not addressed correctly, and therefore not in the same subnet. When PC1 needs to send data to Server, because they are not on the same subnet, PC1 will send the frame to its default gateway so that it can be routed to a different subnet. However, this process will fail at some point because PC1 and Server cannot be in the same Layer 2 VLAN (as Figure 4-11 shows) while being in different IP networks. They need to be in the same subnet if they are in the same VLAN so that frames can be sent from PC1 directly to Server based on the Layer 2 MAC addresses.

Example 4-21 Verifying End-User IP Addresses
PC1>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.100.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.100.1

Server>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.10.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.10.1

Missing VLAN
For a switch to associate switchports with VLANs or to pass traffic over a trunk for a
VLAN, the switch needs to know about the VLAN. The command show vlan brief, as
shown in Example 4-22, displays the VLANs that are known by the switch.

Example 4-22 Verifying VLANs on a Switch
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/5, Gi0/6, Gi0/7, Gi0/8,
Gi0/9, Gi0/10, Gi0/11, Gi0/12,
Gi0/13, Gi0/14, Gi0/15, Gi0/16,
Gi0/17, Gi0/18, Gi0/19, Gi0/20,
Gi0/21, Gi0/22, Gi0/23, Gi0/24,
Te1/0/1, Te1/0/2
99 NATIVE active
100 10.1.100.0/24 active Gi0/1, Gi0/3
200 10.1.200.0/24 active Gi0/4
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup


If any VLANs are missing from the output of show vlan brief that should be there, you need to find out why. If VLANs are configured manually in your organization, the answer is one of two reasons: Someone forgot to configure the VLAN on the switch, or someone deleted the VLAN on the switch. If the creation and deletion of VLANs is learned by other switches through VTP, you need to troubleshoot why VTP is not propagating the VLAN information to the other switches. However, it is important to remember that if you are using VTPv1 or 2 and a switch is added to the domain with the correct password, and has a higher revision number, the VLAN database in your VTP domain will be overwritten by this switch, and this could be the reason why you are missing VLANs.

In Example 4-23, which displays the output of show interfaces gigabitethernet 0/1 switchport, focus on the highlighted text. Notice in brackets the name of the VLAN. It is listed as (Inactive). This is a great sign that the interface belongs to a VLAN that does not currently exist on the switch. Note that even though the port is up/up, the port will not be forwarding traffic, because the VLAN does not exist.

Example 4-23 Identifying Missing VLANs on a Switch
SW1#show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 100 (Inactive)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

Incorrect Port Assignment
Once VLANs are created, switchports need to be assigned to VLANs. By default, all ports are assigned to VLAN 1. The assignments should be based on which device is going to be connected to that port (based on IP address, subnet mask, and default gateway). If this is not done, the VLAN to switchport assignments would be incorrect, and the switch would not be able to forward the frames successfully between the devices within the same VLAN. For example, in Figure 4-11, PC1, PC2, PC4, and Server have to be in the same logical subnet because they are all connected to ports in VLAN 100. PC3 and PC5 have to be in the same subnet (but different from the other devices) because they are connected to ports in VLAN 200. Example 4-24 displays the output of show vlan brief, which identifies the VLANs ports are assigned to. Gig0/1 and Gig0/3 have been statically assigned to VLAN 100, and Gig0/4 has been statically assigned to VLAN 200.

Example 4-24 Verifying Switchport Assignment
SW1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/5, Gi0/6, Gi0/7, Gi0/8,
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12,
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16,
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20,
                                                Gi0/21, Gi0/22, Gi0/23, Gi0/24,
                                                Te1/0/1, Te1/0/2
99   NATIVE                           active
100  10.1.100.0/24                    active    Gi0/1, Gi0/3
200  10.1.200.0/24                    active    Gi0/4
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

Notice in Example 4-24 that Gig0/2 is missing because it is a trunk port and does not belong to any single VLAN. It is passing traffic for multiple VLANs, so trunk ports will not appear in the output of show vlan brief. In addition, it is important to note that ports that belong to VLANs that do not exist will not be displayed in the output of show vlan brief. As Example 4-23 displayed, they will appear as (Inactive) in the output of show interfaces switchport.

The MAC Address Table
The MAC address table is the most important table for the switch. It is the structure that is used by the switch to make a forwarding decision. As discussed earlier, it is populated based on the source MAC address of the frame when it arrives on a switchport. Therefore, when SW1 received a frame inbound on Gigabit Ethernet 0/1 from PC1, it learned the MAC from the frame and associated it with the port it arrived on and the VLAN the port is a member of. If the MAC address table is not being populated the way you expect it, you will need to figure out why. This section covers the MAC address table and its importance, using Figure 4-11 as the reference topology.

Example 4-25 displays the dynamically learned MAC addresses on SW1 with the command show mac address-table dynamic. The structure of the table is important. It lists the VLANs, the dynamically learned MAC addresses, and the ports. This information is extremely valuable.

Example 4-25 SW1’s MAC Address Table
SW1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    aaaa.aaaa.aaaa    DYNAMIC     Gi0/1
 100    bbbb.bbbb.bbbb    DYNAMIC     Gi0/2
 100    cccc.cccc.cccc    DYNAMIC     Gi0/3
 100    dddd.dddd.dddd    DYNAMIC     Gi0/2
 200    3333.3333.3333    DYNAMIC     Gi0/4
 200    5555.5555.5555    DYNAMIC     Gi0/2
Total Mac Addresses for this criterion: 6

Let’s look at an example. What can we conclude by looking at the MAC address table for SW1 displayed in Example 4-26 when comparing it to Figure 4-11?

Example 4-26 Example of SW1’s MAC Address Table
SW1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    bbbb.bbbb.bbbb    DYNAMIC     Gi0/2
 100    cccc.cccc.cccc    DYNAMIC     Gi0/3
 100    dddd.dddd.dddd    DYNAMIC     Gi0/2
 200    3333.3333.3333    DYNAMIC     Gi0/4
 200    5555.5555.5555    DYNAMIC     Gi0/2
 200    aaaa.aaaa.aaaa    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 6

When comparing Figure 4-11 with Example 4-26, we can conclude that interface Gigabit Ethernet 0/1 is not a member of the correct VLAN. The MAC address table shows the MAC address of PC1 (AAAA.AAAA.AAAA) was learned on the correct interface, but the VLAN number is 200 instead of 100. Reviewing the output of show vlan brief and show interfaces gigabitethernet 0/1 switchport, as demonstrated in Example 4-27, confirms this for us. Our next step is to reassign the port to the correct VLAN.

Example 4-27 Confirming SW1’s VLAN Assignments
SW1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/5, Gi0/6, Gi0/7, Gi0/8,
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12,
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16,
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20,
                                                Gi0/21, Gi0/22, Gi0/23, Gi0/24,
                                                Te1/0/1, Te1/0/2
99   NATIVE                           active

100  10.1.100.0/24                    active    Gi0/3
200  10.1.200.0/24                    active    Gi0/1, Gi0/4
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

SW1#show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 200 (10.1.200.0/24)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
...output omitted...

While troubleshooting, if you ever need to clear the dynamic entries in the MAC address table immediately so that they can be relearned, giving you the opportunity to confirm the correct associations, issue the clear mac address-table dynamic EXEC command.

Layer 2 Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 4-12.

Figure 4-12 Topology for Trouble Tickets
(Figure not reproduced. SW1 and SW2 are connected by a trunk on Gig 0/2 of each switch. On Gig 0/1 in VLAN 100, SW1 connects PC1 (AAAA.AAAA.AAAA, 10.1.100.10, 255.255.255.0, DG 10.1.100.1) and SW2 connects Server (BBBB.BBBB.BBBB, 10.1.100.100, 255.255.255.0, DG 10.1.100.1). On Gig 0/3 in VLAN 100, SW1 connects PC2 (CCCC.CCCC.CCCC) and SW2 connects PC4 (DDDD.DDDD.DDDD). On Gig 0/4 in VLAN 200, SW1 connects PC3 (3333.3333.3333) and SW2 connects PC5 (5555.5555.5555).)
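The comparison the text makes by eye between Example 4-26, Example 4-27 and Figure 4-11 (and repeats in the trouble tickets that follow) can be scripted. The following Python is an added example, not from the book: it parses show mac address-table dynamic and show vlan brief output (samples constructed from Examples 4-26 and 4-27) and reports every port whose VLAN assignment, or the VLAN a MAC was learned in, disagrees with the documented design. The expected port-to-VLAN map is an assumed input describing Figure 4-11 as the text explains it.

```python
"""Audit MAC-table learning and VLAN port assignments against the documented design.

Added example, not from the Cisco Press text. The sample outputs are constructed from
Examples 4-26 and 4-27 (PC1 on Gi0/1 wrongly placed in VLAN 200); the expected
assignments are an assumed input describing Figure 4-11.
"""
import re

SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    bbbb.bbbb.bbbb    DYNAMIC     Gi0/2
 100    cccc.cccc.cccc    DYNAMIC     Gi0/3
 100    dddd.dddd.dddd    DYNAMIC     Gi0/2
 200    3333.3333.3333    DYNAMIC     Gi0/4
 200    5555.5555.5555    DYNAMIC     Gi0/2
 200    aaaa.aaaa.aaaa    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 6
"""

SAMPLE_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/5, Gi0/6, Gi0/7, Gi0/8,
                                                Gi0/9, Gi0/10, Te1/0/1, Te1/0/2
99   NATIVE                           active
100  10.1.100.0/24                    active    Gi0/3
200  10.1.200.0/24                    active    Gi0/1, Gi0/4
1002 fddi-default                     act/unsup
"""

# Design intent for SW1's access ports (assumed; Figure 4-11 as described in the text).
EXPECTED_ACCESS_VLAN = {"Gi0/1": 100, "Gi0/3": 100, "Gi0/4": 200}

MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.IGNORECASE
)
VLAN_ROW = re.compile(r"^(\d+)\s+\S+\s+\S+\s*(.*)$")


def parse_mac_table(text):
    """Return [(vlan, mac, port), ...] from 'show mac address-table' output; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).lower(), m.group(4)))
    return entries


def parse_vlan_brief(text):
    """Return {port: vlan} from 'show vlan brief'.

    A VLAN's port list wraps onto indented continuation lines, so the VLAN id of the
    last row that started with a number is carried forward to those lines.
    """
    port_vlan = {}
    current = None
    for line in text.splitlines():
        m = VLAN_ROW.match(line)
        if m:
            current, ports = int(m.group(1)), m.group(2)
        elif line.startswith(" ") and current is not None:
            ports = line
        else:
            continue
        for port in ports.split(","):
            if port.strip():
                port_vlan[port.strip()] = current
    return port_vlan


def audit(mac_text, vlan_text, expected):
    """List every deviation between the switch's state and the expected access-VLAN design."""
    findings = []
    port_vlan = parse_vlan_brief(vlan_text)
    for port, want in sorted(expected.items()):
        have = port_vlan.get(port)
        if have is None:
            # The text notes that trunks and ports in non-existent VLANs are absent from this output.
            findings.append(f"{port}: not listed in show vlan brief (trunk, or its VLAN does not exist)")
        elif have != want:
            findings.append(f"{port}: assigned to VLAN {have}, design says VLAN {want}")
    for vlan, mac, port in parse_mac_table(mac_text):
        want = expected.get(port)
        if want is not None and vlan != want:
            findings.append(f"{port}: {mac} learned in VLAN {vlan}, design says VLAN {want}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MAC_TABLE, SAMPLE_VLAN_BRIEF, EXPECTED_ACCESS_VLAN):
        print(finding)
```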

Trouble Ticket 4-1
Problem: A user on PC1 indicates that he is not able to access a document on Server.

This is a typical description within a trouble ticket. Therefore, the first process is to verify the issue. A simple ping from PC1 will help us with this, as shown in Example 4-28.

Example 4-28 Issuing a Ping from PC1
PC1>ping 10.1.100.100

Pinging 10.1.100.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.100.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The output of Example 4-28 indicates that the ping failed. What did we learn from this ping? We learned that we have no connectivity from Layer 1 to Layer 3 of the OSI model. Therefore, we can focus our troubleshooting efforts at these layers. Let’s verify whether others are having the same issue. A ping from PC2, which is similar to PC1, is successful, as shown in Example 4-29. Therefore, it is not a problem with the server or the path from PC2 to the server.

Example 4-29 Issuing a Ping from PC2
PC2>ping 10.1.100.100

Pinging 10.1.100.100 with 32 bytes of data:
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.100.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Let’s start by checking the IP address of PC1. Using the ipconfig command, as shown in Example 4-30, indicates that the IP address, subnet mask, and default gateway are 10.1.100.10, 255.255.255.0, and 10.1.100.1. According to Figure 4-11, these are correct.

Example 4-30 Verifying PC1’s Layer 3 Settings
PC1>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.100.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.100.1

The next step is to check the MAC address table on SW1 using the command show mac address-table dynamic. Example 4-31 shows that the MAC address of PC1 was learned on Gigabit Ethernet 0/1, which is correct, but it is associated with VLAN 1 instead of VLAN 100. It appears we have found the problem. However, let’s confirm this further with the show vlan brief command, as shown in Example 4-32.

Example 4-31 Verifying PC1 in the MAC Address Table on SW1
SW1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aaaa.aaaa.aaaa    DYNAMIC     Gi0/1
 100    bbbb.bbbb.bbbb    DYNAMIC     Gi0/2
 100    cccc.cccc.cccc    DYNAMIC     Gi0/3
 100    dddd.dddd.dddd    DYNAMIC     Gi0/2
 200    3333.3333.3333    DYNAMIC     Gi0/4
 200    5555.5555.5555    DYNAMIC     Gi0/2
Total Mac Addresses for this criterion: 6

Example 4-32 Verifying VLAN Port Assignments with the show vlan brief Command
SW1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/5, Gi0/6, Gi0/7,
                                                Gi0/8, Gi0/9, Gi0/10, Gi0/11,
                                                Gi0/12, Gi0/13, Gi0/14, Gi0/15,
                                                Gi0/16, Gi0/17, Gi0/18, Gi0/19,
                                                Gi0/20, Gi0/21, Gi0/22, Gi0/23,
                                                Gi0/24, Te1/0/1, Te1/0/2
99   NATIVE                           active
100  10.1.100.0/24                    active    Gi0/3

200  10.1.200.0/24                    active    Gi0/4
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

To solve the problem, we change the switchport VLAN assignment with the switchport access vlan 100 interface command and verify that the problem is solved by pinging from PC1 again. Example 4-33 confirms that the problem is solved.

Example 4-33 Confirming That the Problem Is Solved with a Successful Ping
PC1>ping 10.1.100.100

Pinging 10.1.100.100 with 32 bytes of data:
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.100.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Trouble Ticket 4-2
Problem: A user on PC2 indicates that she is not able to access a document on Server.

As before, the first process is to verify the issue. A simple ping from PC2 will help us with this, as shown in Example 4-34.

Example 4-34 Issuing a Ping from PC2
PC2>ping 10.1.100.100

Pinging 10.1.100.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.100.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The output of Example 4-34 indicates that the ping failed. What did we learn from this ping? We learned that we have no connectivity from Layer 1 to Layer 3 of the OSI model. Therefore, we can focus our troubleshooting efforts at these layers. However, let’s verify whether others are having the same issue. A ping from PC1 fails, as shown in Example 4-35. Therefore, this is not an isolated issue, and we should be looking for causes that would affect multiple users.

Example 4-35 Issuing a Ping from PC1
PC1>ping 10.1.100.100

Pinging 10.1.100.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.100.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC1 and PC2 are both members of VLAN 100. The first thing that comes to mind is a missing VLAN on SW1. Using the command show vlan brief on SW1 will verify whether the VLAN exists and which switchports are associated with it. As you can see from Example 4-36, VLAN 100 exists, and both switchports for PC1 and PC2 are associated with it.

Example 4-36 Verifying That VLAN 100 Exists on SW1 with show vlan brief
SW1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/5, Gi0/6, Gi0/7, Gi0/8,
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12,
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16,
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20,
                                                Gi0/21, Gi0/22, Gi0/23, Gi0/24,
                                                Te1/0/1, Te1/0/2
99   NATIVE                           active
100  10.1.100.0/24                    active    Gi0/1, Gi0/3
200  10.1.200.0/24                    active    Gi0/4
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

However, this is not enough evidence to shift our focus just yet. The most important information comes from the MAC address table. This will truly verify that the MAC

addresses of PC1 and PC2 are being learned on the correct interfaces and are being associated with the correct VLAN. Example 4-37 displays the output of the show mac address-table dynamic command and confirms for us that the MAC addresses are learned correctly and that the ports are associated with the correct VLANs.

Example 4-37 Verifying the MAC Address in the MAC Address Table
SW1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    aaaa.aaaa.aaaa    DYNAMIC     Gi0/1
 100    cccc.cccc.cccc    DYNAMIC     Gi0/3
 200    3333.3333.3333    DYNAMIC     Gi0/4
 200    5555.5555.5555    DYNAMIC     Gi0/2
Total Mac Addresses for this criterion: 4

However, look very closely at the MAC address table in Example 4-37. What is missing? Do you see any reference to the MAC address of Server? The MAC address of Server is not being learned on Gigabit Ethernet 0/2 of SW1. As a matter of fact, neither is PC4. However, PC5 is being learned. This is a good indication that traffic for VLAN 100 is not being allowed over the trunk. Let’s verify this on SW1 with the command show interfaces trunk, as shown in Example 4-38. This output shows that VLAN 100 and 200 are allowed on the trunk between SW1 and SW2.

Example 4-38 Verifying Allowed VLANs on SW1 Trunks
SW1#show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi0/2       desirable        n-802.1q       trunking      99

Port        Vlans allowed on trunk
Gi0/2       100,200

Port        Vlans allowed and active in management domain
Gi0/2       100,200

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/2       100,200

Let’s check the output of show interfaces trunk on SW2. As shown in Example 4-39, VLAN 200 is the only VLAN allowed on the trunk link. A further examination of the running configuration, as shown in Example 4-40, indicates that only VLAN 200 is allowed on the trunk.

Example 4-39 Verifying Allowed VLANs on SW2 Trunks
SW2#show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       desirable        n-802.1q       trunking      99

Port        Vlans allowed on trunk
Gi0/1       200

Port        Vlans allowed and active in management domain
Gi0/2       200

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/2       200

Example 4-40 Verifying Interface Configuration in the Running Configuration
SW2#show run interface gigabitethernet 0/1
Building configuration...

Current configuration : 167 bytes
!
interface GigabitEthernet0/1
 switchport trunk native vlan 99
 switchport trunk allowed vlan 200
 switchport mode dynamic desirable
end

After issuing the interface command switchport trunk allowed vlan 100,200 on SW2 to allow both VLAN 100 and 200, you ping from PC1 and PC2 again to verify that the issue is solved. The ping is successful from PC1 and PC2, as illustrated in Example 4-41.

Example 4-41 Verifying That the Issue Is Solved
PC1>ping 10.1.100.100

Pinging 10.1.100.100 with 32 bytes of data:
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.100.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

PC2>ping 10.1.100.100

Pinging 10.1.100.100 with 32 bytes of data:
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128
Reply from 10.1.100.100: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.100.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
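Trouble Ticket 4-2 was solved by comparing show interfaces trunk on SW1 and SW2 by eye. As an added example (not from the book), the following Python parses that output from both ends of a trunk (samples constructed from Examples 4-38 and 4-39) and reports VLANs allowed on one end only, plus native VLAN mismatches; the pairing of SW1 Gi0/2 with SW2 Gi0/1 is an assumed input taken from Figure 4-12.

```python
"""Compare the two ends of an 802.1Q trunk from 'show interfaces trunk' output.

Added example, not from the Cisco Press text. Samples are constructed from Examples
4-38 (SW1) and 4-39 (SW2); the pairing of SW1 Gi0/2 with SW2 Gi0/1 is an assumed input.
"""

SW1_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/2       desirable        n-802.1q       trunking      99

Port        Vlans allowed on trunk
Gi0/2       100,200

Port        Vlans allowed and active in management domain
Gi0/2       100,200

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/2       100,200
"""

SW2_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       desirable        n-802.1q       trunking      99

Port        Vlans allowed on trunk
Gi0/1       200

Port        Vlans allowed and active in management domain
Gi0/1       200

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       200
"""

# Each 'Port ...' header line starts a section; the phrase in the header names it.
SECTION_KEYS = (
    ("allowed on trunk", "allowed"),
    ("allowed and active", "active"),
    ("forwarding state", "forwarding"),
)


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-5,100,200-202' into a set of ints ('none' -> empty)."""
    vlans = set()
    spec = spec.strip().lower()
    if spec in ("", "none"):
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunks(text):
    """Return {port: {...}} with mode, encapsulation, status, native VLAN and the three VLAN sets."""
    trunks = {}
    section = "summary"
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            header = line.lower()
            section = next((name for phrase, name in SECTION_KEYS if phrase in header), "summary")
            continue
        fields = line.split()
        entry = trunks.setdefault(fields[0], {})
        if section == "summary":
            entry["mode"], entry["encapsulation"], entry["status"] = fields[1:4]
            entry["native"] = int(fields[4])
        else:
            entry[section] = expand_vlan_list(fields[1] if len(fields) > 1 else "")
    return trunks


def compare_trunk(local, remote):
    """List the inconsistencies between the two ends of one trunk link."""
    issues = []
    if local["native"] != remote["native"]:
        issues.append(f"native VLAN mismatch: {local['native']} vs {remote['native']}")
    only_local = sorted(local["allowed"] - remote["allowed"])
    only_remote = sorted(remote["allowed"] - local["allowed"])
    if only_local:
        issues.append(f"allowed only on local end: {only_local}")
    if only_remote:
        issues.append(f"allowed only on remote end: {only_remote}")
    return issues


def check_trunk_pair(local_text, local_port, remote_text, remote_port):
    """Parse both switches' output and compare the named ports."""
    return compare_trunk(parse_trunks(local_text)[local_port], parse_trunks(remote_text)[remote_port])


if __name__ == "__main__":
    print(check_trunk_pair(SW1_TRUNK, "Gi0/2", SW2_TRUNK, "Gi0/1"))
```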

Exam Preparation Tasks
As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, “Final Preparation,” and the exam simulation questions on the CD-ROM.

Review All Key Topics
Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 4-2 lists a reference of these key topics and the page numbers on which each is found.

Table 4-3 Key Topics for Chapter 4
Key Topic Element   Description                                                                    Page Number
Paragraph           A review of the frame-forwarding process                                       132
List                Outlines potential issues that arise with a Layer 2 topology                   140
Example 4-2         Output of show interfaces switchport command on SW1 to verify encapsulation    141
Example 4-3         Output of show interfaces switchport command on SW2 to verify encapsulation    141
Example 4-6         Verifying trunking administrative mode (access)                                143
Example 4-7         Verifying trunking administrative mode (trunk)                                 143
Example 4-12        Result of native VLAN mismatch on trunk                                        146
Section             Allowed VLANs                                                                  147
Example 4-15        Verifying the VTP domain name on SW1                                           148
Example 4-16        Verifying the VTP domain name on SW2                                           149
Example 4-22        Verifying VLANs on a switch                                                    153
Section             Incorrect port assignment                                                      154
Paragraph           Using the MAC address table during troubleshooting                             155

Define Key Terms
Define the following key terms from this chapter and check your answers in the glossary: frame, source MAC, destination MAC, MAC address table, trunk, access port, encapsulation, 802.1Q, ISL, native VLAN, dynamic desirable, dynamic auto, VTP, VTP domain name, VLAN

Complete Tables and Lists from Memory
Print a copy of Appendix C, “Memory Tables,” (found on the disc), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, “Memory Tables Answer Key,” also on the disc, includes completed tables and lists to check your work.

Command Reference to Check Your Memory
This section includes the most important EXEC show commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed.

To test your memory of the commands, cover the right side of Table 4-4 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.

The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to successfully troubleshoot switches.

Table 4-4 EXEC CLI show Commands

Task: Displays the contents of the MAC address table, including the MAC address associated with a port and the VLAN the port is a member of. With the dynamic keyword, only dynamically learned entries are displayed. Without the dynamic keyword, both static and dynamic entries are displayed.
Command Syntax: show mac address-table [dynamic]

Task: Clears dynamically learned MAC addresses from the MAC address table of a switch; this can allow a troubleshooter to determine whether a previously learned MAC address is relearned. Note that on some versions of Cisco IOS running on Cisco Catalyst switches, the clear mac address-table command contains a hyphen between mac and address (that is, clear mac-address-table).
Command Syntax: clear mac address-table dynamic

Task: Shows to which VLANs the ports of a switch belong.
Command Syntax: show vlan brief

Task: Displays which VLANs are permitted on the trunk ports of a switch and which switchports are configured as trunks.
Command Syntax: show interfaces trunk

Task: Displays VLAN and trunk information related to a switchport. You can verify the operational mode (access or trunk), in addition to the encapsulation (802.1Q or ISL). You can also verify the access VLAN the port will be a member of if it is an access port, in addition to the native VLAN if it is a trunk port.
Command Syntax: show interfaces interface_type interface_number switchport

Task: Displays the VTP domain name, mode, version, configuration revision number, and MD5 hash.
Command Syntax: show vtp status

Task: Displays the configured VTP password.
Command Syntax: show vtp password

This chapter covers the following topics:

■ Spanning-Tree Protocol Overview: This section reviews how STP determines the STP topology from root bridge election to which ports will be nondesignated.

■ Collecting Information About an STP Topology: This section identifies the show commands required to successfully troubleshoot STP issues.

■ STP Troubleshooting Issues: This section focuses on what could happen if STP is not behaving as expected.

■ Troubleshooting STP Features: This section reviews STP features such as PortFast, BPDU Guard, Root Guard, and BPDU Filter.

■ STP Trouble Tickets: This section provides trouble tickets that demonstrate how a structured troubleshooting process can be used to solve a reported problem.

■ Troubleshooting Layer 2 EtherChannel: This section reviews how Layer 2 EtherChannels are formed and identifies issues that could cause them to fail. It also identifies the show commands that can help during the troubleshooting process.

■ EtherChannel Trouble Tickets: This section provides trouble tickets that demonstrate how a structured troubleshooting process can be used to solve a reported problem.

CHAPTER 5

Troubleshooting STP and Layer 2 EtherChannel

Maintaining high availability for today’s enterprise networks is a requirement for many applications, such as voice and e-commerce, which can impact a business’s bottom line if these applications are unavailable for even a short period. Therefore, to improve availability, many enterprise networks interconnect Layer 2 switches with redundant connections, allowing a single switch or a single link to fail while still maintaining connectivity between any two network endpoints. Such a redundant topology, however, can result in Layer 2 loops, which can cause frames to endlessly circle a LAN (for example, broadcast frames creating a broadcast storm). Spanning Tree Protocol (STP) is used to logically break these Layer 2 topological loops by strategically blocking ports, while being able to detect a link failure and bring up a previously blocked switchport to restore connectivity. This chapter reviews the operation of STP and focuses on troubleshooting STP issues.

In addition, this chapter reviews how you can combine multiple physical Layer 2 switchports into a logical EtherChannel bundle. This increases the total bandwidth available on uplinks and tricks STP into thinking there is only one port between the switches instead of multiple ports. As a result, all links are used for traffic forwarding instead of STP blocking them.

“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 5-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 5-1 “Do I Know This Already?” Section-to-Question Mapping
Foundation Topics Section                       Questions
Spanning-Tree Protocol Overview                 1–4
Collecting Information About an STP Topology    5
STP Troubleshooting Issues                      6
Troubleshooting STP Features                    7
Troubleshooting Layer 2 EtherChannel            8–10

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. What determines the switch that will be the STP root bridge for a VLAN?
a. Lowest priority
b. Lowest MAC address
c. Lowest bridge ID
d. Lowest cost

2. When determining the root port of a nonroot bridge, if cost is tied, what is referenced next to break the tie?
a. Downstream bridge ID
b. Upstream bridge ID
c. Downstream port ID
d. Upstream port ID

3. What is the STP port type for all ports on a root bridge?
a. Designated port
b. Root port
c. Nondesignated port
d. Nonroot port

4. What is the maximum age for an STP BPDU in seconds?
a. 2
b. 15
c. 20
d. 50

5. Which two of the following commands are most helpful in determining STP information for a Layer 2 switch?
a. show spanning-tree vlan
b. debug spanning-tree state
c. show spanning-tree interface
d. show port span

6. What are two common issues that could result from an STP failure?
   a. Tagged frames being sent into a native VLAN
   b. Broadcast storms
   c. MAC address table filling to capacity
   d. MAC address table corruption

7. Which STP feature ensures that certain ports in the STP topology never become root ports, and if the port receives a superior BPDU it places it in the root inconsistent state?
   a. BPDU Guard
   b. BPDU Filter
   c. Root Guard
   d. PortFast

8. Which switch feature allows multiple physical links to be bonded into a logical link?
   a. STP
   b. EtherChannel
   c. Native VLAN
   d. Switch virtual interfaces

9. What must match on physical switchports to successfully form an EtherChannel bundle? (Choose three.)
   a. Interface speed
   b. Interface mode (access/trunk)
   c. PortFast
   d. STP port cost

10. What combination will successfully form a Cisco proprietary Layer 2 EtherChannel bundle?
   a. Active – Passive
   b. On – Active
   c. Desirable – Auto
   d. Desirable – Passive

Foundation Topics

Spanning Tree Protocol Overview

Network availability at Layer 2 of the OSI model requires redundant links between the switches in your topology as well as redundant paths through the network. However, this creates a problem known as a Layer 2 loop, as shown in Figure 5-1. Notice how traffic from SW1 can be sent on both links to SW2 and vice versa, as shown with Loop1 in Figure 5-1. Therefore, traffic sent from SW1 on one link to SW2 can go back to SW1 on the other link and continue indefinitely because there is no mechanism built in to a Layer 2 frame that will stop the frame from looping forever through the network. This is different from Layer 3 packets that have a time-to-live (TTL) field that will terminate the packet if it does not reach its destination within a finite number of router hops. In addition, notice how there is a larger loop between SW1, SW3, and SW2 (Loop 2). Therefore, frames sent out any of the interfaces interconnecting these switches could loop indefinitely through the network as well. Therefore, Layer 2 loops need to be prevented by a protocol known as Spanning Tree Protocol (STP). IEEE 802.1D STP allows a network to physically have Layer 2 loops while strategically blocking data from flowing over one or more switchports to prevent the looping of traffic.

[Figure 5-1 Layer 2 Loops: SW1 (MAC Address AAAA.AAAA.AAAA, Priority 32768) and SW2 (MAC Address BBBB.BBBB.BBBB, Priority 32768) are connected by two links, Gi1/0/5–Gi1/0/5 and Gi1/0/6–Gi1/0/6, forming Loop1. SW3 (MAC Address CCCC.CCCC.CCCC, Priority 32768) connects its Gi0/1 to SW1 Gi1/0/1 and its Gi0/2 to SW2 Gi1/0/2, forming Loop 2.]

You need to have a solid understanding of how STP makes decisions when troubleshooting Layer 2 issues. Therefore, this section reviews how an STP topology is dynamically formed. In addition, this section discusses commands useful in troubleshooting STP issues.

Reviewing STP Operation

STP prevents Layer 2 loops from occurring in a network, because such an occurrence could result in a broadcast storm or the corruption of a switch’s MAC address table. STP uses Bridge Protocol Data Units (BPDUs) to build the STP topology. BPDU packets contain information on ports, addresses, priorities, and costs needed to build the STP topology and ensure that the data ends up where it was intended to go. BPDU messages are exchanged every 2 seconds by default across switches to detect loops in a network topology. The loops are then removed by logically blocking selected bridge interfaces and placing them in the blocked state.

Switches in an STP topology are classified as one of the following:

■ Root bridge: The root bridge is a switch elected to act as a reference point for a spanning tree topology. The switch with the lowest bridge ID (BID) is elected as the root bridge. The BID is made up of a priority value (default is 32768) and a MAC address (base Ethernet MAC of switch as shown in the output of the show version command). The priority is used first; only if the priority is tied between two or more switches will the MAC address be used to break the tie. Figure 5-2 illustrates the root bridge election in a network. Notice that because all bridge priorities are 32768 (default), the switch with the lowest MAC address (that is, SW1) is elected as the root bridge. The MAC address is read left to right. Because a MAC address is based on hexadecimal, lower to higher is 0–9, then A–F.

■ Nonroot bridge: All other switches in the STP topology are considered nonroot bridges.

[Figure 5-2 Root Bridge Election: the topology of Figure 5-1 with SW1 (MAC Address AAAA.AAAA.AAAA, Priority 32768) labeled Root Bridge, and SW2 (MAC Address BBBB.BBBB.BBBB, Priority 32768) and SW3 (MAC Address CCCC.CCCC.CCCC, Priority 32768) labeled Non-Root Bridge.]

Remember the golden rule of STP: Lower is better and ties are not acceptable.

Note: Remembering this rule will help you during each step of the election processes.

Switchports in an STP topology are categorized as one of the following port roles described in Table 5-2 and illustrated in Figure 5-3.

Table 5-2 STP Port Roles

Port Roles               Description
Root port (RP)           Every nonroot bridge has a single root port (this is mandatory). It is the port on the switch that is closest to the root bridge, in terms of cost, which is inversely proportional to bandwidth by default. If cost is tied, the upstream BID is used to break the tie. If the upstream BID is tied, the upstream port ID (PID) is used to break the tie.
Designated port (DP)     Every network segment has a single designated port (this is mandatory). It is the port on the segment that is closest to the root bridge, in terms of cost. If cost is tied, the upstream BID is used to break the tie. If the upstream BID is tied, the upstream port ID (PID) is used to break the tie.
Nondesignated port (X)   These are the ports blocking traffic to create a loop-free topology.

Note: Because all ports on the root bridge are as close as you could get to the root bridge, in terms of cost, all ports on a root bridge are DPs.

[Figure 5-3 STP Port Roles: the topology of Figure 5-2. SW1 (Root Bridge, MAC Address AAAA.AAAA.AAAA, Priority 32768) has DP on Gi1/0/5, Gi1/0/6, and Gi1/0/1. SW2 (Non-Root Bridge, MAC Address BBBB.BBBB.BBBB, Priority 32768) has RP on Gi1/0/5, a blocked port on Gi1/0/6, and DP on Gi1/0/2. SW3 (Non-Root Bridge, MAC Address CCCC.CCCC.CCCC, Priority 32768) has RP on Gi0/1 and a blocked port on Gi0/2.]

Table 5-3 shows the default port costs for various link speeds for both 802.1D STP and its successor 802.1D-2004 STP. Notice the higher the speed the lower the cost. Remember, however, lower is better and ties are not acceptable.

Table 5-3 Default Port Costs

Link Speed                     802.1D STP Port Cost    802.1D-2004 STP Port Cost
10 Mbps (Ethernet)             100                     2000000
100 Mbps (Fast Ethernet)       19                      200000
1 Gbps (Gigabit Ethernet)      4                       20000
10 Gbps (Ten Gig Ethernet)     2                       2000
100 Gbps                       N/A                     200
1 Tbps                         N/A                     20
10 Tbps                        N/A                     2

Determining Root Port

Being able to determine why a port has a specific role is important for troubleshooting and tuning the STP topology. Notice the root port for switch SW2 is Gig 1/0/5 in Figure 5-3. Why was it chosen as the root port? If you are not sure, review the following steps for determining the root port on a switch:

1. Identify the port that has the lowest cumulative cost path to the root bridge. Remember that a lower cost is better and that the cost used is the cumulative path cost. In Figure 5-3, the total cost from SW2 Gi1/0/5 to the root bridge is 4. The total cost from SW2 Gi1/0/6 to the root bridge is 4. The total cost from SW2 Gi1/0/2 to the root bridge is (4 + 4) 8. In this case, we have a tie for the lowest value at 4. Proceed to Step 2.

2. When the path cost is tied, you use the lowest upstream BID as a tiebreaker. Identify the SW2 port (Gi1/0/5 or Gi1/0/6) that receives a BPDU with a lower upstream BID. In Figure 5-3, both received BPDUs from SW1 have a priority of 32768 and a MAC of AAAA.AAAA.AAAA. The priority is checked first for the BPDUs received by SW2 on Gi1/0/5 and Gi1/0/6 from SW1. In this case, the BPDUs will have the same priority because they are sent from the same switch (SW1) with a priority of 32768. Next is to compare the MAC addresses listed in the BPDUs. Again, they are both the same because switches use the same base Ethernet MAC address for all BPDUs sent on all interfaces. Therefore, the BID received in the BPDUs from SW1 is tied. Proceed to Step 3.

3. When the upstream BID is tied, you use the upstream PID to break the tie. Identify the port that receives a BPDU with a lower upstream PID. When SW1 sends BPDUs, it includes a PID. This PID includes a port priority number and an interface number. The priority number can be manually changed (default 128);

the interface number cannot. It is generated by the switch to identify the port. In Figure 5-3, SW1 would more than likely have a PID of 128.5 on Gi1/0/5 and 128.6 on Gi1/0/6 by default. As a result, the received BPDU on Gi1/0/5 has a PID attached of 128.5 and the received BPDU on Gi1/0/6 has a PID attached of 128.6. Lower is better; therefore, SW2 Gi1/0/5 is elected the root port based on the PID value sent from SW1 in the BPDUs.

Focusing on SW3 in Figure 5-3 shows a total cost of 4 to get to the root bridge using Gi0/1 and a total cost of 8 using Gi0/2. Therefore, Gi0/1 is elected as the root port.

Determining Designated Port

When determining the designated ports for each segment, you follow the same steps listed in the previous section for the root port election. Remember that every port on the root bridge will be a designated port. Therefore, without performing any calculations, you already know a few designated ports in the topology. Therefore, in Figure 5-3 the only link/segment remaining without a designated port is the segment between SW2 and SW3. We can see that it is already labeled as Gi1/0/2 on SW2, but why? Let’s walk through the steps together:

1. Identify the port on the segment with the lowest cumulative cost back to the root bridge. This is tricky if you do not know where to position yourself. Here is my trick. Pretend you are standing in the middle of the segment between SW2 and SW3. Point to SW2. SW2 Gi1/0/2 has a cumulative cost (including the cost of the segment itself) of (4 + 4) = 8. Point to SW3. SW3 Gi0/2 has a cumulative cost (including the cost of the segment itself) of (4 + 4) = 8. We have a tie, so we move on to Step 2.

2. Find the upstream switch with the lowest BID. Still standing in the middle of the segment, point to SW2. What is the priority? 32768. Point to SW3. What is the priority? 32768. We have a tie. We then need to look at the MAC address. Point to SW2. What is the MAC address? BBBB.BBBB.BBBB. Point to SW3. What is the MAC address? CCCC.CCCC.CCCC. Which one is lower? It is the MAC address of SW2. Therefore, SW2’s port Gi1/0/2 is the designated port for the segment between SW2 and SW3, as depicted in Figure 5-3.

Determining Nondesignated Port

Every other port that is not a root port or a designated port is a nondesignated port and will be blocking traffic. Nondesignated ports do not forward traffic during normal operation but do receive BPDUs to determine the state of the STP topology. If a link in the topology goes down, the nondesignated port indirectly detects the link failure from BPDUs and determines whether it needs to transition to the forwarding state or not to ensure network availability while preventing loops. If a nondesignated port does need to transition to the forwarding state, the type of STP in use will determine how long it takes to transition to the forwarding state. STP (802.1D), Common Spanning Tree (CST), and Cisco’s implementation of STP (PVST+) transition through the following states:

■ Blocking: The port remains in the blocking state until it needs to transition. If it needs to transition, it will wait for 20 seconds by default. This is known as the max age time. During the blocking state, it receives BPDUs from other switches. A BPDU is only valid for 20 seconds. It is essentially the time-to-live of a BPDU. If a new BPDU is not received before the max age time expires, the switch considers the BPDU stale and transitions to the listening state. During this time, a nondesignated port evaluates BPDUs in an attempt to determine its role in the spanning tree.

■ Listening: The port remains in this state for 15 seconds by default (15 seconds is known as the forward delay). During this time, the port sources BPDUs, which inform adjacent switches of the port’s intent to forward data.

■ Learning: The port moves from the listening state to the learning state and remains in this state for 15 seconds by default. During this time, the port begins to add entries to its MAC address table while still sending and receiving BPDUs to ensure that the decisions made in relation to the STP topology are still accurate.

■ Forwarding: The port moves from the learning state to the forwarding state and begins to forward frames while learning MAC addresses and sending and receiving BPDUs. Root ports and designated ports are in this state.

As you can see, the total time to transition from the blocking state to the forwarding state is 50 seconds with 802.1D. Rapid Spanning Tree Protocol (802.1w) and Multiple Spanning Tree Protocol (802.1s) use a handshaking mechanism rather than timers as their primary method of convergence. Therefore, convergence is 5 seconds or less. In addition, 802.1w and 802.1s rely on the same timers as 802.1D as backup. If the handshaking mechanism fails, which will more than likely be the case if a neighboring switch is using 802.1D, timers are used with them for backward compatibility.

Collecting Information About an STP Topology

Cisco Catalyst switches will dynamically form a spanning-tree topology using default port costs and bridge priorities right out of the box. You do not have to do anything. However, the resulting STP topology might not be the best for your organization. For example, you might want to influence a particular switch to become a root bridge to ensure optimal traffic forwarding through a Layer 2 topology. Or, you might want traffic for one VLAN to take a certain path while traffic for other VLANs takes a different path. If you ever need to manipulate STP, you need to know the current topology and how to modify it. This section identifies the various methods we can use to gather information about our STP topology.

Gathering STP Information

When troubleshooting an STP topology, one of the first tasks is to learn which switch is acting as the root bridge, in addition to learning the port roles on the various switches

in the topology, which will help in the building of the STP topology and determining the root ports and designated ports. Not only is this information important in understanding how frames are currently flowing through the topology, but comparing the current STP state of a topology to a baseline state can also provide clues as to the underlying cause of an issue, such as suboptimal traffic forwarding.

The show spanning-tree [vlan {vlan_id}] command can display information about the STP state of a switch. The VLAN is specified because Cisco Catalyst switches use Per-VLAN Spanning Tree + (PVST+) by default. PVST+ allows a switch to run a separate STP instance for each VLAN. Consider Example 5-1, which shows the output from the show spanning-tree vlan 1 command.

Example 5-1 show spanning-tree vlan Command Output

SW3#show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32768
             Address     aaaa.aaaa.aaaa
             Cost        4
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     cccc.cccc.cccc
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- -----------------------------
Gi0/1               Root FWD 4         128.25   P2p
Gi0/2               Altn BLK 4         128.26   P2p

The output in Example 5-1 shows that SW3 is not the root bridge for the spanning tree of VLAN 1. This is because the MAC address of the root bridge (Root ID) differs from the MAC address of SW3 (Bridge ID), and it does not state that this switch is the root bridge. In addition, there is a root port on the switch, which a root bridge cannot have. The Gig 0/1 port of switch SW3 is the root port of the switch, whereas port Gig 0/2 is a nondesignated port. (That is, it is a blocking port.) Note that the port cost of Gig 0/1 is 4, and the port cost of Gig 0/2 is 4 as well.

The show spanning-tree interface interface_type interface_number detail command, as shown in Example 5-2, displays the number of BPDUs sent and received, the port identifier, and the designated root and designated bridge priority and MAC address. Note that in a stable topology, root ports should only receive BPDUs, and designated ports should only send BPDUs. Therefore, if you see a high number of sent and received BPDUs on ports, you have an unstable STP topology and need to determine why this is so and fix it.
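The root bridge, root port, and designated port elections from the Reviewing STP Operation section can be checked by computing them for the Figure 5-3 topology and comparing the result with what show spanning-tree reports. The following script is an added example, not code from the book; the switch names, MAC addresses, interface numbers, and port costs are those of Figure 5-3 and Table 5-3, and the role labels follow Table 5-2.

```python
"""STP role computation for the Figure 5-3 topology.

Added example, not the book's code. It applies the election order the chapter
walks through: the lowest bridge ID wins the root bridge; each nonroot bridge
picks its root port by cumulative cost, then upstream BID, then upstream port ID;
each segment gets a designated port by the same three criteria. Link costs are the
802.1D short-method values from Table 5-3 (4 for Gigabit Ethernet).
"""

# A bridge ID compares as (priority, MAC); the MAC compares as a hex number,
# which is the "read left to right, 0-9 then A-F" rule from the chapter.
def bridge_id(priority, mac):
    return (priority, int(mac.replace(".", ""), 16))

# A port ID compares as (port priority, interface number); default priority is 128.
def port_id(ifnum, priority=128):
    return (priority, ifnum)

# Switches as drawn in Figure 5-3: name -> (bridge priority, base Ethernet MAC)
SWITCHES = {
    "SW1": (32768, "AAAA.AAAA.AAAA"),
    "SW2": (32768, "BBBB.BBBB.BBBB"),
    "SW3": (32768, "CCCC.CCCC.CCCC"),
}

# Segments as (switch, port name, interface number) at each end, plus port cost.
SEGMENTS = [
    (("SW1", "Gi1/0/5", 5), ("SW2", "Gi1/0/5", 5), 4),
    (("SW1", "Gi1/0/6", 6), ("SW2", "Gi1/0/6", 6), 4),
    (("SW1", "Gi1/0/1", 1), ("SW3", "Gi0/1", 1), 4),
    (("SW2", "Gi1/0/2", 2), ("SW3", "Gi0/2", 2), 4),
]


def compute_roles(switches=SWITCHES, segments=SEGMENTS):
    """Return (root bridge, root path cost per switch, {switch: {port: role}}).

    Roles are "RP" (root port), "DP" (designated port) and "X" (nondesignated,
    blocking), matching the labels of Table 5-2 and Figure 5-3.
    """
    bids = {name: bridge_id(*val) for name, val in switches.items()}
    root = min(bids, key=bids.get)            # lowest BID wins; ties are impossible
    INF = float("inf")
    root_cost = {name: (0 if name == root else INF) for name in switches}
    best_bpdu = {}   # nonroot switch -> (cost, upstream BID, upstream PID, local port)

    # Repeat until no switch changes its mind: each nonroot bridge keeps the best
    # BPDU it hears, compared as (cumulative cost, sender BID, sender port ID).
    changed = True
    while changed:
        changed = False
        for sw in switches:
            if sw == root:
                continue
            heard = []
            for end_a, end_b, cost in segments:
                for local, remote in ((end_a, end_b), (end_b, end_a)):
                    if local[0] != sw or root_cost[remote[0]] == INF:
                        continue
                    heard.append((root_cost[remote[0]] + cost, bids[remote[0]],
                                  port_id(remote[2]), local[1]))
            if heard and best_bpdu.get(sw) != min(heard):
                best_bpdu[sw] = min(heard)
                root_cost[sw] = best_bpdu[sw][0]
                changed = True

    roles = {name: {} for name in switches}
    for end_a, end_b, cost in segments:
        # Stand in the middle of the segment: each end offers (cumulative cost
        # including this segment, its BID, its port ID); the lowest is the DP.
        offers = [(root_cost[e[0]] + cost, bids[e[0]], port_id(e[2]), e)
                  for e in (end_a, end_b)]
        designated = min(offers)[3]
        for e in (end_a, end_b):
            roles[e[0]][e[1]] = "DP" if e == designated else "X"
    for sw, (_cost, _bid, _pid, rp_port) in best_bpdu.items():
        roles[sw][rp_port] = "RP"           # the root port overrides the segment view
    return root, root_cost, roles


if __name__ == "__main__":
    root, costs, roles = compute_roles()
    print("Root bridge:", root)
    for sw in roles:
        print(sw, "cost to root", costs[sw], roles[sw])
```

Lowering one switch's priority (for example, SW3 to 4096) and rerunning compute_roles shows the "lower is better" rule moving the root bridge and every root port with it.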

Example 5-2 show spanning-tree interface interface_type interface_number detail Command Output

SW3#show spanning-tree interface gig 0/1 detail
 Port 25 (GigabitEthernet0/1) of VLAN0001 is root forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.25.
   Designated root has priority 32768, address aaaa.aaaa.aaaa
   Designated bridge has priority 32768, address aaaa.aaaa.aaaa
   Designated port id is 128.1, designated path cost 0
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1, received 1245

Gathering MSTP Information

Multiple Spanning Tree Protocol (MSTP) allows you to group multiple VLANs into a single STP instance. This significantly improves STP in end-to-end VLAN deployments where a large number of VLANs are maintained by many switches. When you group various VLANs together into the same instance with MSTP, the CPU does not have to process BPDUs for all the different VL ANs. In fact, only MST0 (known as the IST) is used to send BPDUs, and all the other MST instances are listed in the MST0 BPDUs as M-records. This improves CPU performance, thus conserving CPU resources.

Consider this. If you have 100 VLANs and you only have 2 uplinks from an access layer switch to the distribution layer, you can group half the VLANs in one instance and the other half in another instance. You can then manipulate who the root bridge is so that one instance ends up using one uplink and the other instance uses the other uplink. You have just achieved load sharing and reduced the number of STP instances from 100 to 2. To ensure you optimize load sharing, you need to gather statistics about the traffic flowing through the network on a VLAN-by-VLAN basis and make sure that you do not place heavily used VLANs in the same MSTP instance or you will not achieve optimal load sharing.

When deploying and troubleshooting MSTP, you have to remember these three very important rules for switches in the same region:

■ The MSTP region name must match.
■ The MSTP revision number must match.
■ The MSTP instance to VLAN mappings must be the same on all the switches.

If any of the items listed do not match exactly, the digest that is sent within an MSTP BPDU will be different, and the switches will consider each other to be in a different MSTP region and therefore produce different spanning-tree topologies than the administrator envisioned. To verify the current region name, revision number, and VLAN to instance mappings on a switch, issue the show spanning-tree mst configuration command, as shown in Example 5-3.
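The three region rules above are easy to violate with a single VLAN listed in the wrong instance on one switch. The following script is an added example, not code from the book: it parses show spanning-tree mst configuration output in the format of Example 5-3 from several switches (the SW3, SW4, and SW5 outputs are constructed for this example) and reports which switches would end up in a different region, comparing the normalized table directly rather than reproducing the digest IOS carries in MST BPDUs.

```python
"""Check the three MSTP region rules across several switches.

Added example, not the book's code. It parses the output of show spanning-tree mst
configuration (format of Example 5-3) from each switch, normalizes the VLAN-to-
instance mapping into sets, and reports which switches would fall into a different
region than the reference switch. IOS makes this comparison through the digest
carried in MST BPDUs; this script compares the normalized table directly. The
outputs below are constructed: SW3 matches Example 5-3, SW4 moves VLAN 200 to
instance 1, and SW5 lists its VLANs in a different order but has another revision.
"""
import re

OUTPUTS = {
    "SW3": """\
Name      [TSHOOT]
Revision  10     Instances configured 2
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-99,101-199,201-4094
1         10,100
2         20,200
-------------------------------------------------------------------------------
""",
    "SW4": """\
Name      [TSHOOT]
Revision  10     Instances configured 2
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-99,101-199,201-4094
1         10,100,200
2         20
-------------------------------------------------------------------------------
""",
    "SW5": """\
Name      [TSHOOT]
Revision  11     Instances configured 2
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-99,101-199,201-4094
1         100,10
2         200,20
-------------------------------------------------------------------------------
""",
}


def expand_vlans(spec):
    """Turn "1-9,11-19,100" into the set {1..9, 11..19, 100}."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            low, high = part.split("-")
            vlans.update(range(int(low), int(high) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_mst_config(text):
    """Return {"name", "revision", "mapping": {instance: frozenset(vlans)}}."""
    name, revision, mapping = None, None, {}
    for line in text.splitlines():
        m = re.match(r"Name\s+\[(.*)\]", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"Revision\s+(\d+)", line)
        if m:
            revision = int(m.group(1))
            continue
        m = re.match(r"(\d+)\s+([\d,\-]+)\s*$", line)   # "0   1-9,11-19,..." rows
        if m:
            mapping[int(m.group(1))] = frozenset(expand_vlans(m.group(2)))
    return {"name": name, "revision": revision, "mapping": mapping}


def region_mismatches(configs, reference=None):
    """Compare each switch with the reference (default: the first switch).

    Returns {switch: [rules that differ]} using the rule names "name",
    "revision" and "mapping"; an empty dict means every switch shares one region.
    """
    reference = reference or next(iter(configs))
    base = configs[reference]
    result = {}
    for sw, cfg in configs.items():
        if sw == reference:
            continue
        broken = [rule for rule in ("name", "revision", "mapping") if cfg[rule] != base[rule]]
        if broken:
            result[sw] = broken
    return result


if __name__ == "__main__":
    parsed = {sw: parse_mst_config(out) for sw, out in OUTPUTS.items()}
    for sw, rules in region_mismatches(parsed).items():
        print(f"{sw} is in a different MST region than SW3: {', '.join(rules)} differ")
```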

Example 5-3 show spanning-tree mst configuration Command Output

SW3#show spanning-tree mst configuration
Name      [TSHOOT]
Revision  10     Instances configured 2
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-99,101-199,201-4094
1         10,100
2         20,200
-------------------------------------------------------------------------------

STP Troubleshooting Issues

If STP fails to operate correctly, Layer 2 frames can endlessly circulate through a network because of the loop created. This behavior can lead to issues such as MAC address table corruption and broadcast storms. In this section we analyze the results of an STP failure.

Corruption of a Switch’s MAC Address Table

Recall from Chapter 4, “Troubleshooting Layer 2 Trunks, VTP, and VLANs,” that the MAC address table determines what a switch will do with a frame. Therefore, this table needs to be accurate. A switch will dynamically learn what MAC addresses are reachable off its ports; however, in the event of an STP failure, the MAC address table of a switch can become corrupt. To illustrate, consider Figure 5-4. PC1 is transmitting traffic to PC2. When the frame sent from PC1 is transmitted on segment A, the frame is seen on the Gig 0/1 ports of switches SW1 and SW2, causing both switches to add an entry to their MAC address tables (AAAA.AAAA.AAAA is associated with port Gig 0/1). Because STP is not functioning, both switches then forward the frame out segment B. As a result, PC2 receives two copies of the frame. Also, switch SW1 sees the frame forwarded out the Gig 0/2 port of switch SW2. Because the frame has a source MAC address of AAAA.AAAA.AAAA, switch SW1 incorrectly updates its MAC address table indicating that a MAC address of AAAA.AAAA.AAAA resides off port Gig 0/2. Similarly, switch SW2 sees the frame forwarded onto segment B by switch SW1 on its Gig 0/2 port. Therefore, switch SW2 also incorrectly updates its MAC address table. As a result of this, all frames destined to AAAA.AAAA.AAAA will be forwarded out Gig0/2 and never reach PC1. That was a simplified example of what would occur. In reality, as frames continue to propagate through the network, not only would the MAC address table be corrupt, it would be unstable. At one moment AAAA.AAAA.AAAA would be learned on Gig0/1, then Gig0/2, then back on Gig0/1, then Gig0/2.

[Figure 5-4 MAC Address Table Corruption: PC1 (MAC Address AAAA.AAAA.AAAA) on Segment A connects to Gig 0/1 of both SW1 and SW2; PC2 on Segment B connects to Gig 0/2 of both switches and receives duplicate frames. Switch SW1’s MAC Address Table and Switch SW2’s MAC Address Table each list AAAA.AAAA.AAAA on both Gig 0/1 and Gig 0/2.]

You will be able to recognize this issue because syslog messages will be generated identifying that you have MAC addresses flapping between different ports on the same switch, and this would occur only if there were a loop allowing the same frame to be seen on multiple interfaces. The following syslog messages show that the MAC addresses are being learned on Gi0/1 and Gi0/2:

%SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.7e05 in vlan 502 is flapping between port Gi0/1 and port Gi0/2
%SW_MATM-4-MACFLAP_NOTIF: Host 0050.b60c.0114 in vlan 20 is flapping between port Gi0/1 and port Gi0/2
%SW_MATM-4-MACFLAP_NOTIF: Host 8049.7111.f21b in vlan 20 is flapping between port Gi0/1 and port Gi0/2

Broadcast Storms

As previously mentioned, when a switch receives a broadcast frame (that is, a frame destined for a MAC address of FFFF.FFFF.FFFF), the switch floods the frame out all switchports except the port on which the frame was received. The same is true for unknown unicast and multicast frames. Because a Layer 2 frame does not have a TTL field, a broadcast frame endlessly circulates through the Layer 2 topology, consuming resources on both switches and attached devices (for example, user PCs). Figure 5-5 illustrates how a broadcast storm can form in a Layer 2 topology when STP is not functioning correctly.
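The MAC-flap messages are the practical detection signal for the loop just described, and the distinction worth automating is between many hosts flapping between the same two ports (a loop) and one host flapping on its own (more likely a roaming or dual-homed device). The following script is an added example, not code from the book; the log lines it parses are constructed in the %SW_MATM-4-MACFLAP_NOTIF format shown above.

```python
"""Detect the MAC-flap pattern that points to a Layer 2 loop.

Added example, not from the book. It parses %SW_MATM-4-MACFLAP_NOTIF syslog lines
like the ones shown above and groups them by VLAN and port pair. A loop makes many
different hosts flap between the same two ports at once; a single host flapping on
its own is more likely a roaming or dual-homed device. The log lines below are
constructed for this example.
"""
import re

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)",
    re.IGNORECASE,
)

SAMPLE_LOG = """\
%SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c12.3401 in vlan 20 is flapping between port Gi0/1 and port Gi0/2
%SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c12.3402 in vlan 20 is flapping between port Gi0/1 and port Gi0/2
%SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c12.3404 in vlan 502 is flapping between port Gi0/2 and port Gi0/1
%SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c12.3401 in vlan 20 is flapping between port Gi0/2 and port Gi0/1
%SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c12.3403 in vlan 20 is flapping between port Gi0/1 and port Gi0/2
%SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c12.3405 in vlan 30 is flapping between port Fa0/7 and port Fa0/8
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
"""


def parse_flaps(text):
    """Return a list of (mac, vlan, (port_a, port_b)) for every MACFLAP line.

    The port pair is sorted so "Gi0/2 and Gi0/1" and "Gi0/1 and Gi0/2" count as
    the same pair; lines that are not MACFLAP notifications are ignored.
    """
    events = []
    for line in text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            pair = tuple(sorted((m["p1"], m["p2"])))
            events.append((m["mac"].lower(), int(m["vlan"]), pair))
    return events


def classify(events, min_hosts=2):
    """Group by (vlan, port pair) and count distinct hosts.

    Returns {(vlan, pair): (host_count, verdict)} where the verdict is
    "probable loop" once min_hosts different MACs flap between the same ports.
    """
    hosts = {}
    for mac, vlan, pair in events:
        hosts.setdefault((vlan, pair), set()).add(mac)
    return {
        key: (len(macs), "probable loop" if len(macs) >= min_hosts else "single host")
        for key, macs in hosts.items()
    }


def suspect_port_pairs(events, min_hosts=2):
    """Port pairs to check with show spanning-tree: those seeing flaps from
    min_hosts or more distinct hosts, counted across all VLANs."""
    by_pair = {}
    for mac, _vlan, pair in events:
        by_pair.setdefault(pair, set()).add(mac)
    return sorted(pair for pair, macs in by_pair.items() if len(macs) >= min_hosts)


if __name__ == "__main__":
    found = parse_flaps(SAMPLE_LOG)
    for key, (count, verdict) in classify(found).items():
        print(f"VLAN {key[0]} ports {key[1]}: {count} host(s) -> {verdict}")
    print("Check STP state on:", suspect_port_pairs(found))
```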

[Figure 5-5 Broadcast Storm: PC1 on Segment A sends a broadcast frame destined for FFFF.FFFF.FFFF (1); it enters SW1 and SW2 on Gig 0/1, is flooded out their Gig 0/2 ports onto Segment B toward PC2 (2), and comes back in on Gig 0/2 to be flooded out Gig 0/1 onto Segment A again (3).]

1. PC1 sends a broadcast frame onto Segment A, and the frame enters each switch on port Gig 0/1.

2. Both switches flood a copy of the broadcast frame out of their Gig 0/2 ports (that is, on to Segment B), causing PC2 to receive two copies of the broadcast frame.

3. Both switches receive a copy of the broadcast frame on their Gig 0/2 ports (that is, from Segment B) and flood the frame out of their Gig 0/1 ports (that is, onto Segment A), causing PC1 to receive two copies of the broadcast frame.

This behavior continues, as the broadcast frame copies continue to loop through the network. The performance of PC1 and PC2 is impacted, because they also continue to receive copies of the broadcast frame that they must process. A common complaint you will receive from multiple network users at the same time when there is an STP issue is, the network/Internet is really slow. This is because of the broadcast storm consuming the majority of the resources in the Layer 2 network. Therefore, the frames going to the resources that the users need to access are not making it to the destination or are taking a really long time because the network is congested.

Troubleshooting STP Features

STP relies on many features to protect the topology. These features are not enabled by default. Knowing how to troubleshoot these features is important to ensure the STP topology is functioning as it should. This section discusses these features and reviews the commands needed to troubleshoot them.

PortFast

The PortFast feature is used to transition a switchport to the forwarding state as soon as the switchport is enabled. (A device is plugged in, and the switchport is not shut down.) If you are using PortFast with PVST+, RPVST+, or MSTP, when a BPDU is received on a PortFast-enabled switchport, the switchport will immediately transition out of the PortFast state and become a normal switchport. This ensures that it transitions through the necessary states and processes before going to the forwarding state to ensure that a loop is not caused.

You can enable PortFast on an interface-by-interface basis with the spanning-tree portfast interface command or globally with the spanning-tree portfast default command, which will enable it on all nontrunking switchports. Example 5-4 identifies three ways to verify PortFast is enabled on an interface.

Example 5-4 Verifying PortFast-Enabled Interfaces

SW3#show run interface fa0/1
Building configuration...

Current configuration : 108 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
end

SW3#show spanning-tree interface fastEthernet 0/1 portfast
VLAN0010            enabled

SW3#show spanning-tree interface fastEthernet 0/1 detail
 Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 081f.f34e.e300
   Designated bridge has priority 32778, address 2893.fe3a.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 11, received 0

If you enabled PortFast globally, you can use another show command to verify that PortFast was enabled globally: show spanning-tree summary, as shown in Example 5-5. Notice that PortFast Default is enabled. Also notice how the output of the command show spanning-tree interface fastEthernet 0/1 detail in Example 5-5 is different when compared to Example 5-4. In Example 5-5, it states, “The port is in the portfast mode by default,” which indicates that PortFast was enabled globally.

Example 5-5 Verifying Globally Enabled PortFast Interfaces

SW3#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for:
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is enabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short
...output omitted...

SW3#show spanning-tree interface fastEthernet 0/1 detail
 Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 081f.f34e.e300
   Designated bridge has priority 32778, address 2893.fe3a.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode by default
   Link type is point-to-point by default
   Bpdu filter is enabled by default
   BPDU: sent 11, received 0

One of the easiest ways to confirm that a switchport is indeed enabled for PortFast is to review the output of show spanning-tree. As shown in Example 5-6, Fa 0/1 is listed as an Edge port, indicating that PortFast is enabled on the interface.

Example 5-6 Using show spanning-tree to Verify PortFast Status

SW3#show spanning-tree
...output omitted...
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- -----------------------------
Fa0/1               Desg FWD 19        128.1    P2p Edge
Fa0/2               Desg FWD 19        128.2    P2p Edge
Gi0/1               Root FWD 4         128.25   P2p
Gi0/2               Altn BLK 4         128.26   P2p
...output omitted...

BPDU Guard

BPDU Guard is used to enforce STP domain borders. This ensures that the STP topology remains predictable. When a BPDU is received on a switchport enabled with BPDU

Guard, the port will be disabled and placed in the err-disabled state. In addition, if you are tracking syslog messages, you will receive the following:

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/1 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

To verify which ports are in the err-disabled state, issue the command show interfaces status, as shown in Example 5-7. In this example, Fast Ethernet 0/1 is in the err-disabled state.

Example 5-7 show interfaces status Command Output

SW3#show interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        err-disabled 10           auto   auto 10/100BaseTX
Fa0/2                        connected    10         a-full  a-100 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/4                        notconnect   1            auto   auto 10/100BaseTX
Fa0/5                        notconnect   1            auto   auto 10/100BaseTX
Fa0/6                        notconnect   1            auto   auto 10/100BaseTX

Like PortFast, BPDU Guard can be enabled on an interface-by-interface basis with the spanning-tree bpduguard enable interface command or globally with the spanning-tree portfast bpduguard default global configuration command. The global command will only enable it on PortFast-enabled interfaces. You can verify whether BPDU Guard is enabled globally using the commands show spanning-tree summary and show spanning-tree interface interface_type interface_number detail, as depicted in Example 5-8.

Example 5-8 Verifying BPDU Guard Is Enabled Globally

SW3#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for:
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short
...output omitted...

SW3#show spanning-tree interface fastethernet 0/1 detail

Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 2893.fe3a.e300
   Designated bridge has priority 32778, address 081f.f34e.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled by default
   BPDU: sent 11, received 0

You can verify if BPDU Guard has been enabled on an interface basis with the show spanning-tree interface interface_type interface_number detail command and the show run interface interface_type interface_number command, as shown in Example 5-9.

Example 5-9 Verifying BPDU Guard Is Enabled on an Interface

SW3#show spanning-tree interface fastethernet 0/1 detail
Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 2893.fe3a.e300
   Designated bridge has priority 32778, address 081f.f34e.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   BPDU: sent 4, received 0

SW3#show run interface fastethernet 0/1
Building configuration...

Current configuration : 140 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
end

To recover from the err-disabled state, remove the device that is sending the rogue BPDUs, and then manually disable and enable the err-disabled interface with the shutdown and then no shutdown commands. Or, you can set up an err-disable recovery feature that will attempt to automatically enable the interface at defined intervals. If the

rogue BPDUs are still detected, the interface will go back into the err-disabled state. If the rogue BPDUs are not detected anymore, the interface will automatically recover. To enable the err-disable recovery feature for BPDU Guard, use the errdisable recovery cause bpduguard global configuration command.

BPDU Filter

BPDU Filter is designed to suppress the sending and receiving of BPDUs on an interface. How you enable it determines the extent to which BPDUs will be suppressed:

■ If you enable it globally, with the spanning-tree portfast bpdufilter default command, BPDU Filter will be enabled on all PortFast-enabled interfaces and will suppress the sending of BPDUs out an interface. However, if a BPDU is received on an interface, the switch will process it normally and, if necessary, transition the interface through the normal STP states/processes. This would be for security reasons. For example, there is no need to send BPDUs out an interface that is connected to an end station or a router. Doing so allows the end station to collect the data in the BPDUs and potentially launch an attack against the STP topology.

■ If you enable BPDU Filter manually on an interface with the spanning-tree bpdufilter enable command, it suppresses the sending and receiving of BPDUs. This is not recommended because any received BPDUs are ignored, which may result in a Layer 2 loop because the interface is automatically in the forwarding state.

You can verify whether BPDU Filter is enabled globally with the show spanning-tree summary command and the show spanning-tree interface interface_type interface_number detail command, as shown in Example 5-10. If it is enabled on an interface-by-interface basis, you can verify BPDU Filter with the show spanning-tree interface interface_type interface_number detail command and the show run interface interface_type interface_number command, as shown in Example 5-11.

Example 5-10 Verifying BPDU Filter Is Enabled Globally

SW3#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for:
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is enabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short

SW3#show spanning-tree interface fastethernet 0/1 detail
Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding

   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 2893.fe3a.e300
   Designated bridge has priority 32778, address 081f.f34e.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is enabled by default
   BPDU: sent 11, received 0

Example 5-11 Verifying BPDU Filter Is Enabled on an Interface

SW3#show spanning-tree interface fastethernet 0/1
Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 2893.fe3a.e300
   Designated bridge has priority 32778, address 081f.f34e.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is enabled
   BPDU: sent 18, received 0

SW3#show run interface fastethernet 0/1
Building configuration...

Current configuration : 173 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end

If you are experiencing a Layer 2 loop in your topology, check whether BPDU Filter was enabled on an interface. If so, it would be suppressing the sending and receiving of BPDUs. As a result, a port within the topology is in the forwarding state, causing a Layer 2 loop, when it should be in the blocking state.

Root Guard

Root Guard is designed to protect the root bridge by ensuring that certain ports on non-root bridges are prevented from becoming root ports. If you recall, the root port on a switch points to the root bridge. If a rogue switch is introduced to the STP topology with a superior BID, it can become the root bridge, and root ports would change on all the other switches so that the new root ports point to the rogue root bridge. Root Guard stops this from happening by ignoring superior BPDUs that are received on the Root Guard-enabled ports and placing the port in the spanning-tree inconsistent state.

Because Root Guard is enabled on an interface-by-interface basis with the command spanning-tree guard root, the command show spanning-tree interface interface_type interface_number detail is used to verify its configuration, as shown in Example 5-12.

Example 5-12 Verifying That Root Guard Is Enabled on an Interface

SW3#show spanning-tree interface fastethernet 0/1
Port 1 (FastEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address 2893.fe3a.e300
   Designated bridge has priority 32778, address 081f.f34e.b800
   Designated port id is 128.1, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   Bpdu filter is enabled by default
   Root guard is enabled on the port
   BPDU: sent 18, received 0

You can also verify which ports are inconsistent by issuing the show spanning-tree inconsistentports command, as shown in Example 5-13. Notice how Fast Ethernet 0/1 is in the root inconsistent state. This is a good indication that the interface is enabled for Root Guard and that it received a superior BPDU.

Example 5-13 Verifying Inconsistent Ports on a Switch

SW3#show spanning-tree inconsistentports
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0010             FastEthernet0/1          Root Inconsistent

Number of inconsistent ports (segments) in the system : 1

In addition, when a port goes into the root inconsistent state you will receive a syslog message indicating so, as follows:

%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/1 on VLAN0010.
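A small detector for the guard events described in this section, added here as an example and not code from the book: it recognizes the BPDU Guard and Root Guard syslog messages quoted above (and the Loop Guard message of the same SPANTREE family), tracks the resulting state per port, flags ports that BPDU Guard keeps err-disabling, and parses the show spanning-tree inconsistentports table. The sample log lines, with their timestamp/hostname prefix, are constructed.

```python
import re
from collections import Counter

# Added example, not code from the book. The mnemonics and message wording are the ones
# quoted in this chapter; the sample log lines (timestamps, hostname, ports) are constructed.
GUARD_MNEMONICS = frozenset({
    "SPANTREE-2-BLOCK_BPDUGUARD", "PM-4-ERR_DISABLE", "SPANTREE-2-ROOTGUARD_BLOCK",
    "SPANTREE-2-ROOTGUARD_UNBLOCK", "SPANTREE-2-LOOPGUARD_BLOCK",
})
_MSG_RE = re.compile(r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)")
# Interface names as IOS prints them, abbreviated (Fa0/1) or in full (FastEthernet0/1).
_IF_RE = re.compile(r"\b((?:FastEthernet|GigabitEthernet|TenGigabitEthernet|Fa|Gi|Te)\d+(?:/\d+)*)")
_VLAN_RE = re.compile(r"\b(VLAN\d+)\b")
_ROW_RE = re.compile(r"^(VLAN\d+)\s+(\S+)\s+(.+?)\s*$")
_COUNT_RE = re.compile(r"Number of inconsistent ports \(segments\) in the system : (\d+)")


def parse_syslog(line):
    """Return (mnemonic, interface, vlan) for a guard-related line, or None for anything else."""
    m = _MSG_RE.search(line)
    if not m or m.group("mnemonic") not in GUARD_MNEMONICS:
        return None
    port, vlan = _IF_RE.search(m.group("text")), _VLAN_RE.search(m.group("text"))
    return m.group("mnemonic"), port and port.group(1), vlan and vlan.group(1)


def port_states(lines):
    """Fold a log stream into the latest state per port plus a count of BPDU Guard triggers."""
    state, bpduguard_hits = {}, Counter()
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is None:
            continue
        mnemonic, port, vlan = parsed
        if mnemonic == "SPANTREE-2-BLOCK_BPDUGUARD":
            bpduguard_hits[port] += 1
            state[port] = "err-disabled (BPDU Guard)"
        elif mnemonic == "SPANTREE-2-ROOTGUARD_BLOCK":
            state[port] = f"root-inconsistent on {vlan}"
        elif mnemonic == "SPANTREE-2-ROOTGUARD_UNBLOCK":
            state[port] = "recovered"
        elif mnemonic == "SPANTREE-2-LOOPGUARD_BLOCK":
            state[port] = f"loop-inconsistent on {vlan}"
        # PM-4-ERR_DISABLE adds no state: it follows BLOCK_BPDUGUARD for the same port.
    return state, bpduguard_hits


def repeat_offenders(bpduguard_hits, threshold=2):
    """Ports err-disabled by BPDU Guard `threshold` or more times: with errdisable recovery
    configured, a repeating trigger means the device sending BPDUs is still attached."""
    return sorted(p for p, n in bpduguard_hits.items() if n >= threshold)


def parse_inconsistent_ports(text):
    """Parse 'show spanning-tree inconsistentports' into [(vlan, interface, inconsistency)],
    cross-checking the rows against the trailing count line."""
    rows, count = [], None
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            rows.append(m.groups())
        else:
            c = _COUNT_RE.search(line)
            if c:
                count = int(c.group(1))
    if count is not None and count != len(rows):
        raise ValueError(f"table lists {len(rows)} ports but the summary line says {count}")
    return rows


# Constructed sample log: Fa0/1 trips BPDU Guard twice (err-disable recovery re-enabled it in
# between), Fa0/2 goes root-inconsistent and recovers, Gi0/2 goes loop-inconsistent.
SAMPLE_LOG = """\
Mar  3 08:01:12 SW3: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/1 with BPDU Guard enabled. Disabling port.
Mar  3 08:01:12 SW3: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
Mar  3 08:01:13 SW3: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Mar  3 08:06:14 SW3: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/1 with BPDU Guard enabled. Disabling port.
Mar  3 08:06:14 SW3: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
Mar  3 08:10:40 SW3: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/2 on VLAN0010.
Mar  3 08:15:02 SW3: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/2 on VLAN0010.
Mar  3 08:20:00 SW3: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/2 on VLAN0010.
"""
# Constructed sample of the show command, in the layout of Example 5-13.
SAMPLE_INCONSISTENT = """\
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0010             FastEthernet0/1          Root Inconsistent
Number of inconsistent ports (segments) in the system : 1
"""

if __name__ == "__main__":
    states, hits = port_states(SAMPLE_LOG.splitlines())
    for port, st in states.items():
        print(f"{port:18} {st}")
    print("BPDU Guard repeat offenders:", repeat_offenders(hits))
    print("inconsistent ports:", parse_inconsistent_ports(SAMPLE_INCONSISTENT))
```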

When a switchport is in the inconsistent state, no manual intervention is required to recover the port from the inconsistent state. All you need to do is remove the device that is sending the superior BPDUs to that switchport from the network, and once the switchport no longer hears the superior BPDUs, the port is automatically taken out of the inconsistent state.

Loop Guard

Loop Guard is a feature designed to provide additional protection against Layer 2 loops. By default, if a nondesignated port ceases to receive BPDUs, it will transition to the forwarding state once the max age timer expires. This is all because the BPDUs are no longer arriving on the interface. However, what if the switch was not receiving the BPDUs because the switch that was sending the BPDUs had a software failure preventing it from sending BPDUs? That switch would still be able to send and receive data on the interface. This would produce a loop because the nondesignated port is now sending and receiving data, as well. Loop Guard ensures that the nondesignated port does not erroneously transition to the forwarding state. Instead, rather than simply blocking it, Loop Guard places the port in the loop-inconsistent blocking state and generates the following syslog message:

%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/2 on VLAN0010.

To verify which ports are in the loop-inconsistent state, issue the command show spanning-tree inconsistentports, as shown in Example 5-14.

Example 5-14 Verifying Loop-Inconsistent Ports on a Switch

SW3#show spanning-tree inconsistentports
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0010             GigabitEthernet0/2       Loop Inconsistent

Number of inconsistent ports (segments) in the system : 1

STP Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 5-6.

[Figure 5-6 STP Trouble Ticket Topology: CORE; SW1 (MAC Address AAAA.AAAA.AAAA, Priority 32768, Root Bridge Vlan 10) and SW2 (MAC Address BBBB.BBBB.BBBB, Priority 32768, Non-Root Bridge) connected by Gi1/0/5-Gi1/0/5 and Gi1/0/6-Gi1/0/6; SW3 (MAC Address CCCC.CCCC.CCCC, Priority 32768, Non-Root Bridge Vlan 10) Gi0/1 to SW1 Gi1/0/1 and Gi0/2 to SW2 Gi1/0/2; PC1 on SW3 Fa0/1 in 10.1.10.0/24]

Trouble Ticket 5-1

Problem: Based on traffic analyzers, all traffic from the end stations in VLAN 10 destined to the core is flowing through SW2 when it should be flowing through SW1.

According to the topology, SW1 should be the root bridge for VLAN 10. Therefore, all traffic for VLAN 10 should be flowing through SW1 under normal conditions. With this in mind, check the placement of the root bridge using the show spanning-tree vlan 10 command on SW1, as shown in Example 5-15. Notice that SW1 is not the root bridge for VLAN 10. According to the root ID section of the output, the switch with the MAC address bbbb.bbbb.bbbb is the root bridge.

Example 5-15 show spanning-tree vlan 10 Command Output for SW1

SW1#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     bbbb.bbbb.bbbb
             Cost        4
             Port        5 (GigabitEthernet1/0/5)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     aaaa.aaaa.aaaa

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/5             Root FWD 4         128.5    P2p
Gi1/0/6             Altn BLK 4         128.6    P2p

Next you should check which switch is the root bridge. Figure 5-6 shows that bbbb.bbbb.bbbb is the MAC of SW2. However, without the diagram, how would you figure out who the root bridge is? You would follow the path. According to the output in Example 5-15, the port on SW1 to get to the root bridge is Gigabit Ethernet 1/0/5. Therefore, you can confirm that this is the root port. Using the show cdp neighbors command, as shown in Example 5-16, you can confirm that SW2 is directly connected to SW1 on port Gi1/0/5.

Example 5-16 show cdp neighbors Command Output on SW1

SW1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW2              Gig 1/0/6         138              S I   WS-C3750E Gig 1/0/6
SW2              Gig 1/0/5         138              S I   WS-C3750E Gig 1/0/5
SW3              Gig 1/0/1         141              S I   WS-C2960  Gig 0/1

You should now verify if SW2 is the root bridge for VLAN 10 using the output of show spanning-tree vlan 10, as shown in Example 5-17. The output shows that SW2 is the root bridge for VLAN 10. It explicitly states This bridge is the root, and notice that all the ports are designated ports.

Example 5-17 show spanning-tree vlan 10 Command Output for SW2

SW2#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     bbbb.bbbb.bbbb
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    10     (priority 0 sys-id-ext 10)
             Address     bbbb.bbbb.bbbb
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/2             Desg FWD 4         128.2    P2p
Gi1/0/5             Desg FWD 4         128.5    P2p
Gi1/0/6             Desg FWD 4         128.6    P2p

Upon further analysis of Example 5-17, you will notice that the priority of SW2 is 0 plus the extended system ID (which is the VLAN number), for a total value of 10, which is lower than the priority of SW1, which is 32768 plus 10 (32778), as shown in Example 5-15. It appears that the priority of SW2 was manually lowered. Using the command show run | section spanning-tree indicates that the command spanning-tree vlan 10 priority 0 was executed on SW2, as shown in Example 5-18.

Example 5-18 show run Command Output for SW2

SW2#show run | section spanning-tree
...output omitted...
spanning-tree vlan 10 priority 0
...output omitted...

To solve this issue, we would need to remove this command by executing the no spanning-tree vlan 10 priority 0 command. Once done, we can verify that SW1 is now the root bridge for VLAN 10 with the show spanning-tree vlan 10 command, as shown in Example 5-19.

Example 5-19 show spanning-tree vlan 10 Command Output for SW1

SW1#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     aaaa.aaaa.aaaa
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     aaaa.aaaa.aaaa
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/5             Desg FWD 4         128.5    P2p
Gi1/0/6             Desg FWD 4         128.6    P2p

Trouble Ticket 5-2

Problem: Based on traffic analyzers, all traffic from the end stations in VLAN 10 destined to the core is flowing through SW2 when it should be flowing through SW1.

According to the topology, SW1 should be the root bridge for VLAN 10. Therefore, all traffic for VLAN 10 should be flowing through SW1 under normal conditions. With this in mind, check the placement of the root bridge using the show spanning-tree vlan 10 command on SW1, as shown in Example 5-20. Notice that SW1 is the root bridge for VLAN 10.

Example 5-20 show spanning-tree vlan 10 Command Output for SW1

SW1#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     aaaa.aaaa.aaaa
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     aaaa.aaaa.aaaa
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/5             Desg FWD 4         128.5    P2p
Gi1/0/6             Desg FWD 4         128.6    P2p

We have confirmed that SW1 is the root bridge and this matches our diagram in Figure 5-6. If Figure 5-6 has been kept up to date, we can trust the information displayed. According to Figure 5-6, we have a Gigabit Ethernet link between SW3 and SW1 as well as SW3 and SW2. These links should have a cost of 4 by default. Reviewing the output of show spanning-tree vlan 10 on SW3, as shown in Example 5-21, we can see that to reach the root bridge the total cost is 8 using Gigabit Ethernet 0/2. If we look at Gig0/1, it is currently an alternate port in the blocking state with a cost of 10. This cost of 10 is larger than the total cost of 8 using Gig0/2. It appears that the cost of interface Gig0/1 has been modified.

Example 5-21 show spanning-tree vlan 10 Command Output for SW3

SW3#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778

             Address     aaaa.aaaa.aaaa
             Cost        8
             Port        2 (GigabitEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     cccc.cccc.cccc
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Altn BLK 10        128.1    P2p
Gi0/2               Root FWD 4         128.2    P2p

The output of show run interface gig 0/1 confirms that the cost was modified with the spanning-tree vlan 10 cost 10 command, as shown in Example 5-22.

Example 5-22 show run interface gig 0/1 Command Output for SW3

SW3#show run interface gig 0/1
...output omitted...
 spanning-tree vlan 10 cost 10
...output omitted...

To solve this issue, we need to execute the no spanning-tree vlan 10 cost 10 command in interface configuration mode. After we remove the command, we can verify that SW3 is using Gi0/1 as the root port and that it has a cost of 4 by issuing the show spanning-tree vlan 10 command shown in Example 5-23.

Example 5-23 show spanning-tree vlan 10 Command Output for SW3

SW3#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     aaaa.aaaa.aaaa
             Cost        4
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     cccc.cccc.cccc
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
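The reasoning behind Trouble Tickets 5-1 and 5-2 (which bridge ID wins, and which port each switch picks as its root port once a priority or a port cost is changed) can be checked mechanically. The following is an added example, not code from the book: it models the VLAN 10 topology of Figure 5-6 and recomputes the root bridge and root ports from the configured knobs, so observed show spanning-tree vlan 10 output can be compared with the documented design. Switch names, MAC addresses and port names are the figure's; the tie-break on sender port number is approximated from the port name.

```python
import heapq
from itertools import count

# Added example, not from the book. Models the VLAN 10 topology of Figure 5-6 and recomputes
# what STP should elect, so the 'show spanning-tree vlan 10' output seen in Trouble Tickets 5-1
# and 5-2 can be checked against the documented design.
VLAN = 10
DEFAULT_PRIORITY = 32768
DEFAULT_COST = 4  # Gigabit Ethernet port cost with the short path-cost method
MACS = {"SW1": "aaaa.aaaa.aaaa", "SW2": "bbbb.bbbb.bbbb", "SW3": "cccc.cccc.cccc"}
# (switch A, port on A, switch B, port on B), as drawn in Figure 5-6
LINKS = [
    ("SW1", "Gi1/0/5", "SW2", "Gi1/0/5"),
    ("SW1", "Gi1/0/6", "SW2", "Gi1/0/6"),
    ("SW1", "Gi1/0/1", "SW3", "Gi0/1"),
    ("SW2", "Gi1/0/2", "SW3", "Gi0/2"),
]


def bridge_id(switch, priorities):
    """Ordering key for the bridge ID: (priority + sys-id-ext, MAC). Lowest wins."""
    return (priorities.get(switch, DEFAULT_PRIORITY) + VLAN, MACS[switch])


def port_id(port):
    """Ordering key mirroring the Prio.Nbr column: priority 128, then the port number
    taken from the name (an approximation that holds for the ports in this topology)."""
    return (128, int(port.rsplit("/", 1)[-1]))


def elect_root(priorities):
    return min(MACS, key=lambda s: bridge_id(s, priorities))


def root_ports(priorities, port_costs=None):
    """Return {switch: (root port, root path cost)} for every non-root switch.

    priorities = {switch: configured priority}, e.g. {"SW2": 0} for 'spanning-tree vlan 10 priority 0'
    port_costs = {(switch, port): cost}, e.g. {("SW3", "Gi0/1"): 10} for 'spanning-tree vlan 10 cost 10'
    A port's cost is added where BPDUs are received; ties break on the sender's bridge ID,
    then the sender's port ID, as STP does.
    """
    port_costs = port_costs or {}
    adj = {s: [] for s in MACS}
    for a, pa, b, pb in LINKS:
        adj[a].append((b, pb, pa, port_costs.get((b, pb), DEFAULT_COST)))
        adj[b].append((a, pa, pb, port_costs.get((a, pa), DEFAULT_COST)))
    root = elect_root(priorities)
    best = {root: (0, bridge_id(root, priorities), (0, 0), None)}
    seq = count()
    heap = [(0, next(seq), root)]
    while heap:
        cost, _, u = heapq.heappop(heap)
        if cost > best[u][0]:
            continue  # stale entry
        for n, pn, pu, pcost in adj[u]:
            cand = (cost + pcost, bridge_id(u, priorities), port_id(pu), pn)
            if n not in best or cand < best[n]:
                best[n] = cand
                heapq.heappush(heap, (cand[0], next(seq), n))
    return {s: (v[3], v[0]) for s, v in best.items() if s != root}


def audit(priorities, port_costs=None):
    """Compare the actual knobs with the design (defaults everywhere, SW1 root) and report drift."""
    findings = []
    expected, actual = root_ports({}), root_ports(priorities, port_costs)
    root = elect_root(priorities)
    if root != elect_root({}):
        findings.append(f"root bridge is {root}, design expects {elect_root({})}")
    for sw, (port, cost) in actual.items():
        if sw in expected and expected[sw] != (port, cost):
            findings.append(f"{sw}: root port {port} cost {cost}, design expects "
                            f"{expected[sw][0]} cost {expected[sw][1]}")
    return findings


if __name__ == "__main__":
    print("Trouble Ticket 5-1:", audit({"SW2": 0}))
    print("Trouble Ticket 5-2:", audit({}, {("SW3", "Gi0/1"): 10}))
    print("fixed:", audit({}))
```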

------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.1    P2p
Gi0/2               Altn BLK 4         128.2    P2p

Trouble Ticket 5-3

Problem: It is Tuesday morning, and a user has indicated that he cannot connect to the network. He also indicates that he had no issues on Monday when he left work at 5:45 p.m.

You attempt to ping from the user's PC to the Internet, but it fails. You attempt to ping from the user's PC to its default gateway, but it fails. Your next task is to make sure that the PC is receiving an IP address from the Dynamic Host Configuration Protocol (DHCP) server in the network. Issuing the command ipconfig /all on the PC, as depicted in Example 5-24, indicates that an Automatic Private IP Addressing (APIPA) address (169.254.x.x/16) is being used by the PC. Therefore, the PC is not able to contact a DHCP server, and something appears to be wrong at Layer 1 or Layer 2 of the OSI model. Also note the MAC address of PC1 at this point, as it will be useful later.

Example 5-24 ipconfig Output for PC

PC1>ipconfig /all

Windows Ip Configuration
<Output Omitted>

Ethernet adapter Local Area Connection:
<Output Omitted>
   Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
   Dhcp enabled. . . . . . . . . . . : Yes
   Autoconfiguration enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::444c:23b1:6e1e:de0c%16
   Autoconfiguration IP Address. . . : 169.254.180.166
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
<Output Omitted>

Issuing the command show mac address-table dynamic on SW3 will indicate whether SW3 is receiving any frames from PC1. Example 5-25 is displaying the MAC address table of SW3, and there is no entry in the table with PC1's MAC address.

Example 5-25 show mac address-table dynamic Output for SW3

SW3#show mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0800.275d.1234    DYNAMIC     Gi0/1
  10    0800.275d.ac47    DYNAMIC     Fa0/4
  10    0800.275d.b3dd    DYNAMIC     Fa0/3

  10    0800.275d.ce47    DYNAMIC     Fa0/2
  10    0800.275d.ed13    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 6

You verify physical connectivity and everything is perfect. However, you notice that the LED of the switchport PC1 is connected to is amber rather than green, confirming that something is not right. According to Figure 5-6, PC1 should be in VLAN 10. Issuing the command show vlan brief will confirm this for us. Example 5-26 shows that interface Fa0/1, which is connected to PC1, is in VLAN 10. In addition, the output of show interfaces status | include Fa0/1, as shown in Example 5-27, does not indicate that anything is wrong.

Example 5-26 show vlan brief Output for SW3

SW3#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
10   10.1.10.0/24                     active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
20   10.1.20.0/24                     active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

Example 5-27 show interfaces status | include Fa0/1 Output for SW3

SW3#show interfaces status | include Fa0/1
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    10         a-full  a-100 10/100BaseTX

No other users at this point have indicated that they are experiencing issues. You decide to check the SW3 logs on your syslog server and notice the following entry:

%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/1 on VLAN0010.

It appears that BPDUs are being received by Fast Ethernet 0/1 from PC1. Issuing the command show spanning-tree inconsistentports on SW3 confirms that Fast Ethernet 0/1 is in the root-inconsistent state, as shown in Example 5-28.

Example 5-28 show spanning-tree inconsistentports Output for SW3

SW3#show spanning-tree inconsistentports
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0010             FastEthernet0/1          Root Inconsistent

Number of inconsistent ports (segments) in the system : 1

Upon further examination, an application was installed on PC1 after hours that mimics a switch and sends BPDUs. Further investigation, beyond the scope of this book, will be needed to determine whether this was malicious or by accident. To solve this issue, we remove the offending application from PC1, and the switch will recover the port automatically, as shown in Example 5-29.

Example 5-29 SW3 show spanning-tree inconsistentports Output After Application Removed from PC1

SW3#
%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/1 on VLAN0010.
SW3#show spanning-tree inconsistentports
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------

Number of inconsistent ports (segments) in the system : 0

The output of ipconfig on PC1 in Example 5-30 verifies it has an IP address, and a ping to 10.1.10.1, PC1's default gateway, is successful.

Example 5-30 ipconfig and ping Output for PC After Issue Solved

PC1>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : domain.local
   Link-local IPv6 Address . . . . . : fe80::444c:23b1:6e1e:de0c%16
   IPv4 Address. . . . . . . . . . . : 10.1.10.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.10.1

PC1>ping 10.1.10.1

Pinging 10.1.10.1 with 32 bytes of data:
Reply from 10.1.10.1: bytes=32 time<1ms TTL=255
Reply from 10.1.10.1: bytes=32 time=1ms TTL=255
Reply from 10.1.10.1: bytes=32 time=3ms TTL=255
Reply from 10.1.10.1: bytes=32 time=1ms TTL=255

Ping statistics for 10.1.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 3ms, Average = 1ms

Troubleshooting Layer 2 EtherChannel

An exception to STP operation can be made if two switches are interconnected via multiple physical links and those links are configured as an EtherChannel, as illustrated in Figure 5-7. An EtherChannel logically combines the bandwidth of multiple physical interfaces into a logical connection between switches. This section reviews what is necessary to successfully form a Layer 2 EtherChannel bundle and the EtherChannel mode combinations that will successfully form the bundle.

Reviewing Layer 2 EtherChannel

When multiple ports are combined into a logical EtherChannel, STP treats the logical bundle (known as a port channel) as a single port for STP calculation purposes. For example, Figure 5-7 shows four Gigabit Ethernet links logically bonded into a single EtherChannel link.

[Figure 5-7 Layer 2 EtherChannel: SW1 Gig 0/1-4 bundled to SW2 Gig 0/1-4]

Following are common troubleshooting targets to consider when troubleshooting an EtherChannel issue:

■ Mismatched port configurations: The configurations of all ports making up an EtherChannel, on both switches, should be identical. Specifically, all ports should have the same speed, duplex, trunk mode, native VLAN configurations, allowed VLAN configurations, and port type (Layer 2 or Layer 3).

■ Mismatched EtherChannel configuration: Both switches forming the EtherChannel should be configured with compatible modes. There are three options: Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), and ON. These modes are not compatible with each other. In addition, when using LACP or PAgP, you have to make sure that the modes within the protocol can successfully form the bundle with each other. Table 5-4 identifies which modes can be configured on each switch to successfully form an EtherChannel bundle.

■ Inappropriate EtherChannel distribution algorithm: EtherChannel determines which physical link to use to transmit frames based on a hash calculation. The hashing approach selected should distribute the load fairly evenly across all physical links. For example, a hash calculation might be based only on the destination MAC

address of a frame. If the frames are destined for only a few different MAC addresses, the load distribution could be uneven. To verify the load-balancing algorithm in use, issue the show etherchannel load-balance command.

Table 5-4 EtherChannel Modes That Will Successfully Form a Bundle

                         SW1 MODE
SW2 MODE          PAgP Desirable  PAgP Auto  LACP Active  LACP Passive  ON
PAgP Desirable    Yes             Yes        No           No            No
PAgP Auto         Yes             No         No           No            No
LACP Active       No              No         Yes          Yes           No
LACP Passive      No              No         Yes          No            No
ON                No              No         No           No            Yes

EtherChannel Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 5-8.

[Figure 5-8 Layer 2 EtherChannel Trouble Ticket Topology: SW1 Gi1/0/5 and Gi1/0/6 to SW2 Gi1/0/5 and Gi1/0/6; SW1 Gi1/0/1 to SW3 Gi0/1; SW2 Gi1/0/2 to SW3 Gi0/2]

Trouble Ticket 5-4

Problem: A junior network administrator has approached you indicating that the EtherChannel bundle she is trying to form between SW1 and SW2 is not forming. You need to solve this issue for her.

You start by reviewing the output of show etherchannel summary for SW1 and SW2, as shown in Example 5-31. Notice that both switches are using LACP as their protocol; however, the ports are either standalone or suspended, and the port channel is down. This is a good indication that there is a conflict with the port configurations.

Example 5-31 show etherchannel summary Output for SW1 and SW2

SW1#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(s)

SW2#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(I)

To verify the port configuration, you issue the show run interface gigabitethernet 1/0/5 and show run interface gigabitethernet 1/0/6 commands on SW1 and SW2, as shown in Example 5-32. If you look closely, you will notice that the switchport modes do not match on the SW1 interfaces that are part of the EtherChannel bundle. To form the bundle, they have to match.

Example 5-32 show run interface gigabitethernet Output for SW1 and SW2

SW1#show run interface gigabitethernet 1/0/5
Building configuration...

Current configuration : 189 bytes
!
interface GigabitEthernet1/0/5
 switchport trunk encapsulation isl
 switchport mode access
 switchport nonegotiate
 channel-group 1 mode active
end

SW1#show run interface gigabitethernet 1/0/6
Building configuration...

Current configuration : 189 bytes
!
interface GigabitEthernet1/0/6
 switchport trunk encapsulation isl
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
end

SW2#show run interface gigabitethernet 1/0/5
Building configuration...

Current configuration : 151 bytes
!
interface GigabitEthernet1/0/5
 switchport trunk encapsulation isl
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode passive
end

SW2#show run interface gigabitethernet 1/0/6
Building configuration...

Current configuration : 151 bytes
!
interface GigabitEthernet1/0/6
 switchport trunk encapsulation isl
 switchport mode trunk

failed to allocate aggregator M . Example 5-33 show etherchannel summary Output for SW1 and SW2 After Problem Solved SW1#show etherchannel summary Flags: D .not in use.down P .default port From the Library of Outcast Outcast .Layer3 S .Layer2 U .stand-alone s .not in use.stand-alone s .unsuitable for bundling w . changed state to up In addition.down P .Layer3 S . the EtherChannel bundle should now be successfully formed. Reviewing the output of show etherchannel summary on SW1 and SW2 indicates that the ports are successfully bundled with the (P) flags and that the port channel is in use with the (U) flag. Chapter 5: Troubleshooting STP and Layer 2 EtherChannel 203 switchport nonegotiate channel-group 1 mode passive end Once you change the switchport mode on SW1 Gigabit Ethernet 1/0/5 with the switch- port mode trunk command.bundled in port-channel I .suspended H .Hot-standby (LACP only) R . minimum links not met u .waiting to be aggregated d .unsuitable for bundling w . as shown with the following logging messages: %LINK-3-UPDOWN: Interface Port-channel1. the port channel interface should come up.in use f .default port Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------- 1 Po1(SU) LACP Gi1/0/5(P) Gi1/0/6(P) SW2#show etherchannel summary Flags: D .waiting to be aggregated d .in use f . minimum links not met u .suspended H .Hot-standby (LACP only) R . changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1.failed to allocate aggregator M . as shown in Example 5-33.Layer2 U .bundled in port-channel I .

You need to solve this issue for him.default port Number of channel-groups in use: 1 Number of aggregators: 1 From the Library of Outcast Outcast .suspended H .in use f . as shown in Example 5-34. Example 5-34 show ip interface brief | include Port Output for SW1 and SW2 SW1#show ip interface brief | include Port Port-channel1 unassigned YES unset down down SW2#show ip interface brief | include Port Port-channel1 unassigned YES unset down down Next you check the status of the EtherChannel bundle with the show etherchannel sum- mary command. However.Hot-standby (LACP only) R . SW1 is using PAgP. if you look closer.down P .bundled in port-channel I . it is down/down.not in use. you will need to verify your documentation to determine which protocol should be used between SW1 and SW2 and make the appropriate adjust- ments.waiting to be aggregated d . You start by checking whether the port channel is up on SW1 and SW2.Layer2 U . to solve this issue. as shown in Example 5-35.unsuitable for bundling w . you will see the issue. These EtherChannel protocols are not compatible. According to the output.204 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------- 1 Po1(SU) LACP Gi1/0/5(P) Gi1/0/6(P) Trouble Ticket 5-5 Problem: A junior network administrator has approached you indicating that the EtherChannel bundle he is trying to form between SW1 and SW2 is not forming.failed to allocate aggregator M . Therefore. Example 5-35 show etherchannel summary Output for SW1 and SW2 SW1#show etherchannel summary Flags: D .Layer3 S . and SW2 is using LACP.stand-alone s . Notice that the port channel is down and that all interfaces are standalone. minimum links not met u .

default port Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------- 1 Po1(SD) LACP Gi1/0/5(I) Gi1/0/6(I) From the Library of Outcast Outcast .waiting to be aggregated d .in use f .unsuitable for bundling w . minimum links not met u .bundled in port-channel I .Hot-standby (LACP only) R .Layer2 U .failed to allocate aggregator M .stand-alone s .Layer3 S .not in use.suspended H . Chapter 5: Troubleshooting STP and Layer 2 EtherChannel 205 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------- 1 Po1(SD) PAgP Gi1/0/5(I) Gi1/0/6(I) SW2#show etherchannel summary Flags: D .down P .
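Reading the flags in Trouble Tickets 5-4 and 5-5 by eye is fine for two switches; the following Python script is an added example (not from the book) that parses show etherchannel summary from both ends of a bundle and reports the same findings mechanically. Its sample outputs are constructed to mirror Examples 5-31, 5-33 and 5-35, with the flag legend shortened.

```python
"""Explain why an EtherChannel is not forming from `show etherchannel summary`.
Added example, not from the book; the sample outputs are constructed to match
Examples 5-31, 5-33 and 5-35 (flag legend shortened)."""
import re
from dataclasses import dataclass, field

# Meaning of the single-letter flags printed after each port and port channel.
PORT_FLAGS = {"P": "bundled in port-channel", "I": "stand-alone", "s": "suspended",
              "H": "hot-standby", "D": "down", "w": "waiting to be aggregated",
              "u": "unsuitable for bundling", "d": "default port"}
CHANNEL_FLAGS = {"S": "Layer2", "R": "Layer3", "U": "in use", "D": "down",
                 "M": "minimum links not met", "f": "failed to allocate aggregator"}
# One table row, e.g. "1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(s)"
ROW_RE = re.compile(r"^\s*(\d+)\s+(Po\d+)\((\w+)\)\s+(\S+)(?:\s+(.*))?$")
PORT_RE = re.compile(r"([A-Za-z]+\d+(?:/\d+)*)\(([A-Za-z]+)\)")


@dataclass
class ChannelGroup:
    number: int
    name: str
    flags: str
    protocol: str
    ports: dict = field(default_factory=dict)  # port name -> flag letters


def parse_summary(text):
    """Return {group number: ChannelGroup} for one switch's command output."""
    groups = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        group = ChannelGroup(int(m.group(1)), m.group(2), m.group(3), m.group(4))
        group.ports = dict(PORT_RE.findall(m.group(5) or ""))
        groups[group.number] = group
    return groups


def describe(flags, table):
    return ", ".join(table.get(c, f"unknown flag {c!r}") for c in flags)


def diagnose(local, remote):
    """Compare each channel group on both ends and return human-readable findings."""
    findings = []
    for number, lg in sorted(local.items()):
        rg = remote.get(number)
        if rg is None:
            findings.append(f"group {number}: not configured on the remote switch")
            continue
        if lg.protocol != rg.protocol:  # Trouble Ticket 5-5: PAgP on one side, LACP on the other
            findings.append(f"group {number}: protocol mismatch ({lg.protocol} vs {rg.protocol}); "
                            "PAgP and LACP do not negotiate with each other")
        if "U" not in lg.flags:
            findings.append(f"{lg.name}: port channel is {describe(lg.flags, CHANNEL_FLAGS)}")
        for side, group in (("local", lg), ("remote", rg)):
            for port, flags in group.ports.items():
                if "P" not in flags:  # anything but P means the member is not bundled
                    findings.append(f"{side} {port}: {describe(flags, PORT_FLAGS)}")
    return findings


def sample(channel_flags, protocol, ports):
    """Build a constructed `show etherchannel summary` body for testing."""
    port_col = "  ".join(f"{p}({f})" for p, f in ports)
    return ("Flags:  D - down        P - bundled in port-channel\n"
            "        I - stand-alone s - suspended\n"
            "Number of channel-groups in use: 1\n"
            "Number of aggregators:           1\n\n"
            "Group  Port-channel  Protocol    Ports\n"
            "------+-------------+-----------+------------------------------\n"
            f"1      {'Po1(' + channel_flags + ')':<14}{protocol:<12}{port_col}\n")


SW1_5_31 = sample("SD", "LACP", [("Gi1/0/5", "I"), ("Gi1/0/6", "s")])
SW2_5_31 = sample("SD", "LACP", [("Gi1/0/5", "I"), ("Gi1/0/6", "I")])
SW_5_33 = sample("SU", "LACP", [("Gi1/0/5", "P"), ("Gi1/0/6", "P")])
SW1_5_35 = sample("SD", "PAgP", [("Gi1/0/5", "I"), ("Gi1/0/6", "I")])
SW2_5_35 = sample("SD", "LACP", [("Gi1/0/5", "I"), ("Gi1/0/6", "I")])

if __name__ == "__main__":
    for label, a, b in (("5-31", SW1_5_31, SW2_5_31), ("5-33", SW_5_33, SW_5_33),
                        ("5-35", SW1_5_35, SW2_5_35)):
        print(label, diagnose(parse_summary(a), parse_summary(b)) or "bundle healthy")
```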

Exam Preparation Tasks
As mentioned in the section “How to Use This Book” in the Introduction, you have a couple
of choices for exam preparation: the exercises here, Chapter 22, “Final Preparation,” and
the exam simulation questions on the CD-ROM.

Review All Key Topics
Review the most important topics in this chapter, noted with the Key Topic icon in the
outer margin of the page. Table 5-5 lists a reference of these key topics and the page
numbers on which each is found.

Table 5-5 Key Topics for Chapter 5
Key Topic Element   Description                                                 Page Number
List                Describes root bridge election                              173
Sentence            Identifies the golden rule of STP                           173
Table 5-2           Identifies STP port types                                   174
Table 5-3           Identifies STP port costs                                   175
Section             Reviews how to determine root ports                         175
Section             Reviews how to determine designated ports                   176
List                Identifies STP port states                                  177
Section             Identifies show commands used for troubleshooting STP       178
Section             Reviews STP features and the show commands used for         182
                    troubleshooting
List                Describes issues that could prevent an EtherChannel from    199
                    forming
Table 5-4           Identifies the EtherChannel modes that will successfully    200
                    form a bundle

Define Key Terms
Define the following key terms from this chapter and check your answers in the glossary:
Spanning Tree Protocol (STP), 802.1D, 802.1w, 802.1s, root bridge, root port, designated
port, nondesignated port, blocking, listening, learning, forwarding, Layer 2 EtherChannel,
PAgP, LACP

Complete Tables and Lists from Memory
Print a copy of Appendix C, “Memory Tables,” (found on the disc), or at least the section
for this chapter, and complete the tables and lists from memory. Appendix D, “Memory
Tables Answer Key,” also on the disc, includes completed tables and lists to check your
work.

Command Reference to Check Your Memory
This section includes the show commands introduced in this chapter. It does not include
the show commands that were used in this chapter but introduced in previous chapters.
You will need to return to the previous chapters to review information relating to those
show commands.

The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a
networking professional. Therefore, you should be able to identify the show commands
needed to successfully troubleshoot the topics covered in this chapter. To test your
memory of the commands, cover the right side of Table 5-6 with a piece of paper, read the
description on the left side, and then see how much of the command you can remember.

Table 5-6 show Commands Introduced in Chapter 5
Task                                                        Command Syntax
Displays STP information about all VLANs                    show spanning-tree
Displays STP information about a specific VLAN              show spanning-tree [vlan {vlan_id}]
Displays the STP interface role, cost, port priority,       show spanning-tree interface
and type for each VLAN on the switch                        interface_type interface_number
Displays detailed STP information about an interface,       show spanning-tree interface
including the number of BPDUs sent and received and         interface_type interface_number
the STP features that have been enabled specifically on     detail
the interface
Displays the MST region name, revision number, and          show spanning-tree mst
the instance to VLAN mappings                               configuration
Displays ports configured with Root Guard that have         show spanning-tree
received superior BPDUs and ports configured with           inconsistentports
Loop Guard that are in the loop inconsistent state
Displays which STP features have been enabled globally      show spanning-tree summary
on the switch
Displays the status of port-channels as well as the status  show etherchannel summary
of the ports within the port channel
Displays the EtherChannel load-balance algorithm            show etherchannel load-balance
configured on the switch

This chapter covers the following topics:

■ Troubleshooting a Router-on-a-Trunk/Stick: This section covers how to troubleshoot
inter-VLAN routing issues when using the router-on-a-trunk scenario.

■ Router-on-a-Trunk/Stick Trouble Tickets: This section provides trouble tickets that
demonstrate how you can use a structured troubleshooting process to solve a reported
problem.

■ Troubleshooting Switched Virtual Interfaces: This section identifies what is necessary
for an SVI to be up/up and provide inter-VLAN routing. You will also learn how to
troubleshoot issues related to SVIs.

■ SVI Trouble Tickets: This section provides trouble tickets that demonstrate how you
can use a structured troubleshooting process to solve a reported problem.

■ Troubleshooting Routed Ports: This section reviews what is necessary to convert a
Layer 2 switchport into a routed port.

■ Routed Port Trouble Tickets: This section provides trouble tickets that demonstrate
how you can use a structured troubleshooting process to solve a reported problem.

■ Troubleshooting Layer 3 EtherChannel: This section focuses on the steps needed to
successfully troubleshoot a Layer 3 EtherChannel that relies on routed ports.

■ Layer 3 EtherChannel Trouble Tickets: This section provides trouble tickets that
demonstrate how you can use a structured troubleshooting process to solve a reported
problem.

CHAPTER 6

Troubleshooting Inter-VLAN Routing and Layer 3 EtherChannels

Chapters 4, “Troubleshooting Layer 2 Trunks, VTP, and VLANs,” and 5, “Troubleshooting
STP and Layer 2 EtherChannel,” focused on Cisco Catalyst switches as Layer 2 switches.
These switches operate at Layer 2 of the OSI model, forwarding or flooding frames based
on the MAC addresses in the frame. However, many Cisco Catalyst switches are Layer 3
switches. These Layer 3 switches can perform both Layer 2 and Layer 3 services. Of the
Layer 3 services, routing is the most common that is implemented. Through the use of
virtual Layer 3 interfaces (known as switched virtual interfaces [SVIs]) or by converting
a Layer 2 switchport to a routed port, you can assign IP addresses to these interfaces
and have the Layer 3 switch route data between VLANs and subnets. In addition, you can
use routed ports to create Layer 3 EtherChannels.

This chapter focuses on how you can troubleshoot different inter-VLAN routing
implementations, routed ports, and Layer 3 EtherChannel. You will also be exposed to a
few different troubleshooting scenarios for each.

“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz allows you to assess whether you should read this
entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in
doubt about your answers to these questions or your own assessment of your knowledge
of the topics, read the entire chapter. Table 6-1 lists the major headings in this chapter
and their corresponding “Do I Know This Already?” quiz questions. You can find the
answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 6-1 “Do I Know This Already?” Section-to-Question Mapping
Foundation Topics Section                       Questions
Troubleshooting a Router-on-a-Trunk/Stick       1–2
Troubleshooting Switched Virtual Interfaces     3–5
Troubleshooting Routed Ports                    6–7
Troubleshooting Layer 3 EtherChannel            8–9

Caution The goal of self-assessment is to gauge your mastery of the topics in this chap-
ter. If you do not know the answer to a question or are only partially sure of the answer,
you should mark that question as wrong for purposes of the self-assessment. Giving your-
self credit for an answer that you correctly guess skews your self-assessment results and
might provide you with a false sense of security.

1. Which command enables you to associate a VLAN with a router subinterface?

a. encapsulation

b. interface

c. ip address

d. vlan

2. Which show command enables you to verify the VLAN that has been associated
with a router subinterface?

a. show interface trunk

b. show vlan brief

c. show ip route

d. show vlans

3. What must be true for an SVI to be up/up? (Choose two answers.)

a. The VLAN associated with the SVI must exist on the switch.

b. The SVI must be disabled.

c. There must be at least one interface on the switch associated with the VLAN in
the spanning-tree forwarding state.

d. IP routing must be enabled on the switch.

4. Which show command enables you to verify the status of the SVI for VLAN 10 and
the MAC address associated with it?

a. show ip interface brief

b. show interfaces vlan 10

c. show ip interface vlan 10

d. show svi

5. Which command enables IPv4 unicast routing on a Layer 3 switch?

a. routing

b. ip route

c. ip routing

d. ip unicast-routing

6. Which command enables you to convert a Layer 2 switchport to a routed port?

a. no switchport

b. routed port

c. ip address

d. ip routing

7. Which show command enables you to verify whether interface Gigabit Ethernet
1/0/10 is a Layer 2 switchport or a routed port?

a. show gigabitethernet 1/0/10 switchport

b. show interfaces gigabitethernet 1/0/10

c. show interfaces gigabitethernet 1/0/10 switchport

d. show interfaces status

8. What flags in the show etherchannel summary output indicate that the
EtherChannel is Layer 3 and in use?

a. SU

b. SD

c. RU

d. RD

9. Which EtherChannel modes will successfully form an LACP EtherChannel?

a. Active-auto

b. Desirable-auto

c. Passive-desirable

d. Active-passive

10. Which EtherChannel flag indicates that the port is bundled in the EtherChannel
bundle?

a. R

b. S

c. P

d. H

Foundation Topics

Troubleshooting a Router-on-a-Trunk/Stick
For traffic to pass from one VLAN to another VLAN, it has to be routed. This is easy to
remember if you recall that a VLAN = a subnet and to send traffic from one subnet to
another you route it. Therefore, to send traffic from one VLAN to another VLAN, you
also route it.

This section reviews how you can use an external router that is trunked to a switch to
perform routing between VLANs. The section also covers the various issues that could
cause this implementation to not function as expected.

Before Layer 3 switches existed, we relied on external routers to perform inter-VLAN
routing. The external router was connected to the Layer 2 switch via a trunk, which cre-
ated the router-on-a-stick or router-on-a-trunk topology, as shown in Figure 6-1.

[Figure: router R1's Fa 1/1/1 connects over a trunk to SW1 Gig 0/2. Subinterface
Fa 1/1/1.1 serves VLAN 100 and Fa 1/1/1.2 serves VLAN 200. PC1 (192.168.1.10/24,
VLAN 100) is on SW1 Gig 0/1; PC2 (192.168.2.10/24, VLAN 200) is on SW1 Gig 0/3.]

Figure 6-1 Router-on-a-Trunk / Router-on-a-Stick

In Figure 6-1, router R1’s Fast Ethernet 1/1/1 interface has two subinterfaces as indicated
by the period (.) in the interface identification. There is one for each VLAN, Fast Ethernet
1/1/1.1 for VLAN 100 and Fast Ethernet 1/1/1.2 for VLAN 200. Router R1 can route
between VLANs 100 and 200, while simultaneously receiving and transmitting traffic
over the trunk connection to the switch. Review Example 6-1 and Example 6-2, which
outline the configurations needed to implement a router-on-a-trunk.

Example 6-1 show run Command Output from R1 (Key Topic)
R1#show run
...output omitted...
interface FastEthernet1/1/1.1
encapsulation dot1Q 100
encapsulation dot1Q 100

ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet1/1/1.2
encapsulation dot1Q 200
ip address 192.168.2.1 255.255.255.0
...output omitted...

Example 6-2 show run Command Output from SW1 (Key Topic)
SW1#show run
...output omitted...
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 100

interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate

interface GigabitEthernet0/3
switchport mode access
switchport access vlan 200
...output omitted...

After reviewing Example 6-1 and Example 6-2, what are issues that could prevent inter-VLAN
routing from being successful? (Key Topic)
■ Trunk encapsulation mismatch

■ Incorrect VLAN assignment on routers’ subinterfaces

■ Incorrect IP address or subnet mask on routers’ subinterfaces

■ Incorrect IP address, subnet mask, or default gateway on PCs

■ Switchport connected to router configured as an access port

■ Switchport connected to router configured to use Dynamic Trunking Protocol
(DTP), which is not supported by the router

■ Switchports connected to PCs in wrong VLAN

Being able to identify these issues and correct them is important for any troubleshooter.

Router-on-a-Trunk/Stick Trouble Tickets
This section covers various trouble tickets relating to the topics discussed earlier in the
chapter. The purpose of these trouble tickets is to give a process that you can follow
when troubleshooting in the real world or in an exam environment. All trouble tickets in
this section are based on the topology depicted in Figure 6-2.

[Figure: R1 Fa0/1 connects over an 802.1q trunk to SW1 Fa0/24. Subinterface Fa0/1.100 is
192.168.1.1/24 in VLAN 100 and Fa0/1.200 is 192.168.2.1/24 in VLAN 200. PC1
(192.168.1.10/24, DG 192.168.1.1, VLAN 100) is on SW1 Fa0/1; PC2 (192.168.2.10/24,
DG 192.168.2.1, VLAN 200) is on SW1 Fa0/2.]

Figure 6-2 Router-on-a-Trunk Trouble Tickets

Trouble Ticket 6-1
Problem: PC1 is not able to access resources on PC2.

As you dive deeper into trouble tickets, everything covered in the previous chapters still
applies because the PCs are still connected to the switches, there are still VLANs, and
there are trunks. As a result, having a repeatable structured troubleshooting process in
place will help you maintain focus and clarity as you troubleshoot.

The first item on the list of troubleshooting is to verify the problem. Issuing the ping
command on PC1, as shown in Example 6-3, indicates that PC1 is not able to reach PC2,
confirming the problem.

Example 6-3 Failed Ping from PC1 to PC2
C:\PC1>ping 192.168.2.10
Pinging 192.168.2.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.2.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Next you need to verify whether PC1 can get to its default gateway. This will help
you narrow down where the issue may be. Pinging PC1's default gateway, as shown in
Example 6-4, is not successful. This indicates that we have an issue between PC1 and the
default gateway.

Example 6-4 Failed Ping from PC1 to Default Gateway
C:\PC1>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Now is an excellent time to brainstorm the likely causes of the issue based on Figure 6-2
and the fact that PC1 is not able to ping its default gateway:

■ PC1 may have an incorrect IP address, subnet mask, or default gateway configured.

■ SW1 switchport FA0/1 may not be associated with the correct VLAN.

■ VLAN 100 may not exist on SW1.

■ PC1 may physically be connected to the wrong switchport.

■ SW1 Fa0/24 may not be configured as a trunk.

■ SW1 Fa0/24 may not be allowing VLAN 100 traffic on the trunk.

■ SW1 Fa0/24 may be using the wrong trunk encapsulation.

■ R1 may not have the appropriate subinterfaces configured with the correct IP
addresses or subnet masks.

■ R1’s subinterfaces may be using the wrong trunk encapsulation.

■ R1’s subinterfaces may be disabled.

As you can see, the list is quite extensive, and it is not even a complete list. Let’s start fol-
lowing the path from PC1 and work toward the router. Issuing ipconfig on PC1 indicates
that it has the correct IP address, subnet mask, and default gateway configured, as shown
in Example 6-5, when compared to Figure 6-2.

Example 6-5 ipconfig Output on PC1
C:\PC1>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

Issuing the show mac address-table dynamic command on SW1 will identify which
MAC address is being learned on Fa0/1 and which VLAN it is associated with. Example
6-6 is indicating that the MAC address of 0800.275d.06d6 is being learned on Fa0/1 and
that it is associated with VLAN 100. Issuing the ipconfig /all command on PC1, as shown
in Example 6-7, identifies PC1’s MAC as 0800.275d.06d6, which is the same as the one
outlined in the MAC address table. We can narrow our focus now because this proves
that PC1 is connected to the correct switchport, VLAN 100 exists, and Fa0/1 is in the
correct VLAN.

Example 6-6 show mac address-table dynamic Command Output on SW1
SW1#show mac address-table dynamic
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
100 0800.275d.06d6 DYNAMIC Fa0/1
200 0800.27a2.ce47 DYNAMIC Fa0/2
Total Mac Addresses for this criterion: 2

Example 6-7 ipconfig /all Output on PC1
C:\PC1>ipconfig
...output omitted...
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
...output omitted...

Focus on Example 6-6 again. If you look closely at the MAC address table on SW1, you
will notice that no MAC addresses are being learned for VLAN 100 or VLAN 200 on
Fa0/24. Why would this be? The link between R1 and SW1 should be an 802.1Q trunk
according to Figure 6-2. If this trunk is not configured with the correct encapsulation,
or the correct trunk mode, or the trunk is pruning VLAN 100 or 200 traffic, traffic for
VLANs 100 and 200 would not pass over the link.

On SW1, start by issuing the show interfaces trunk command, as shown in Example 6-8.
The output indicates that Fa0/24 is a trunk using mode on, which means the command
switchport mode trunk was issued. It also indicates that Fa0/24 is using Inter-Switch
Link (ISL) as the trunk encapsulation method. According to Figure 6-2, the trunk should
be using 802.1Q.

Example 6-8 show interfaces trunk Command Output on SW1
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/24 on isl trunking 1

Port Vlans allowed on trunk
Fa0/24 1-4094

Port Vlans allowed and active in management domain
Fa0/24 1,100,200

Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 1,100,200

Reviewing the output of show vlans on R1 in Example 6-9 confirms that R1 is using
802.1Q for its trunk encapsulation. As a result, we have a trunk encapsulation mismatch.

Example 6-9 show vlans Output on R1
R1#show vlans
...output omitted...
Virtual LAN ID: 100 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/1.100

Protocols Configured: Address: Received: Transmitted:
IP 192.168.1.1 4 8
Other 0 5

4 packets, 298 bytes input
13 packets, 1054 bytes output

Virtual LAN ID: 200 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/1.200

Protocols Configured: Address: Received: Transmitted:
IP 192.168.2.1 4 8
Other 0 5

4 packets, 298 bytes input
13 packets, 1054 bytes output

You need to fix SW1 so that Fa0/24 is using the correct trunk encapsulation method. On
Fa0/24 of SW1, issue the switchport trunk encapsulation dot1q command. After you
have implemented your solution, you need to confirm that it solved the problem by ping-
ing from PC1 to PC2 again. Example 6-10 shows that the ping is successful.

Example 6-10 Successful Ping from PC1 to PC2
C:\PC1>ping 192.168.2.10

Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Trouble Ticket 6-2
Problem: PC1 is not able to access resources on PC2.

The problem reported in this trouble ticket is the exact same as the previous trouble tick-
et. However, do not jump to the conclusion that it is the same problem and solution. You
always want to follow your structured troubleshooting approach to make sure that you
efficiently solve the problem and waste little effort.

The first item on the list of troubleshooting is to verify the problem. Issuing the ping
command on PC1, as shown in Example 6-11, indicates that PC1 is not able to reach PC2,
confirming the problem.

Example 6-11 Failed Ping from PC1 to PC2
C:\PC1>ping 192.168.2.10
Pinging 192.168.2.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.2.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Next you need to verify whether PC1 can get to its default gateway. This will help
you narrow down where the issue may be. Pinging PC1’s default gateway, as shown in
Example 6-12, is successful. This indicates that we do not have an issue between PC1 and
the default gateway.

Example 6-12 Successful Ping from PC1 to Default Gateway
C:\PC1>ping 192.168.1.1
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Now is a great time to check whether PC1 can ping the default gateway of VLAN 200 at
192.168.2.1. This will help you determine whether inter-VLAN routing is working on R1
between VLAN 100 and VLAN 200. The ping, as shown in Example 6-13, is successful.

Example 6-13 Successful Ping from PC1 to Default Gateway of VLAN 200
C:\PC1>ping 192.168.2.1
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

It is time to shift attention to R1 and PC2 because it appears everything is fine from
PC1 to R1’s subinterface Fa0/1.100. In this case, we will work our way backward from
R1 to PC2. For VLAN 200 traffic to flow from R1 to PC2, the subinterface Fa0/1.200
needs to be using the correct encapsulation method (802.1Q), it needs to have the cor-
rect IP address and subnet mask assigned to it (192.168.2.1/24), and it needs to have the
right VLAN assigned to it (VLAN 200). Using the command show vlans on R1 will help
to verify the subinterface configuration on R1, as outlined in Example 6-14. Notice that
subinterface Fa0/1.200 has the appropriate IP address and that it is also using 802.1Q as
the trunk encapsulation. However, it is associated with VLAN 20, not VLAN 200. This
appears to be the issue.

Example 6-14 show vlans Command Output on R1
R1#show vlans
...output omitted...
Virtual LAN ID: 20 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/1.200

Protocols Configured: Address: Received: Transmitted:
IP 192.168.2.1 0 0

0 packets, 0 bytes input
0 packets, 0 bytes output
...output omitted...

In subinterface configuration mode for Fa0/1.200, you execute the command encapsula-
tion dot1q 200 to change the VLAN association from 20 to 200. Once done, you review
the output of show vlans on R1, as shown in Example 6-15, to verify that subinterface
Fa0/1.200 is associated with VLAN 200.

Example 6-15 show vlans Command Output on R1 After Configuration Changes
R1#show vlans
...output omitted...
Virtual LAN ID: 200 (IEEE 802.1Q Encapsulation)

vLAN Trunk Interface: FastEthernet0/1.200

Protocols Configured: Address: Received: Transmitted:
IP 192.168.2.1 0 0

0 packets, 0 bytes input
0 packets, 0 bytes output

You then confirm the issue is solved by pinging from PC1 to PC2 again. Example 6-16
shows that the ping is successful, and so you can now conclude that the problem is
solved.

Example 6-16 Successful Ping from PC1 to PC2
C:\PC1>ping 192.168.2.10
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128
Reply from 192.168.2.10: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Troubleshooting Switched Virtual Interfaces
On a router, an interface has an IP address that defines the subnet the interface is part
of. In addition, the IP address is usually acting as a default gateway to hosts residing off
of that interface. However, if you have a Layer 3 switch with multiple ports (access or
trunk) belonging to the same VLAN, as shown in Figure 6-3, which interface should the
IP address be configured on?
[Figure: Layer 3 switch SW1 with Gig 0/7 and Gig 0/8 in VLAN 100 and Gig 0/9 and
Gig 0/10 in VLAN 200; no IP addresses are configured on any interface.]
Figure 6-3 Layer 3 Switch Without IP addresses

Since Layer 2 switchports cannot be assigned an IP address, you need to create a logical
Layer 3 interface known as a switched virtual interface (SVI). These SVIs can be
assigned an IP address just like router interfaces. However, unlike router interfaces where
an IP address is associated with one interface, the SVI represents all switchports that are
part of the same VLAN the SVI is configured for. Therefore, any device connecting to
the switch that is in VLAN 100 uses SVI 100, and any device in VLAN 200 uses SVI 200,
and so on. This section explains how to configure SVIs on Layer 3 switches and the items
that you should look out for when troubleshooting SVIs.

Reviewing SVIs
Figure 6-4 shows a topology using SVIs, and Example 6-17 shows the corresponding
configuration. Notice that two SVIs are created: one for each VLAN. The SVI for VLAN
100 has the IP address 192.168.1.1/24, and the SVI for VLAN 200 has the IP address
192.168.2.1/24. Notice that these are two different subnets. As a result, devices that are
members of VLAN 100 need to have an IP address in the 192.168.1.0/24 network and
have their default gateway pointing to the VLAN 100 SVI IP address of 192.168.1.1.
Devices that are members of VLAN 200 need to have an IP address in the 192.168.2.0/24
network and have their default gateway pointing to the VLAN 200 SVI IP address of
192.168.2.1. An IP address is assigned to an SVI by going into interface configuration
mode for a VLAN. For example, the global configuration command interface vlan 10
enters interface configuration mode for SVI 10 and, if not previously created, will create
SVI 10. In this example, because both SVIs are local to the switch, the switch’s routing
table knows how to forward traffic between members of the two VLANs. Also, IPv4
routing is not on by default on Layer 3 switches; therefore, you need to enable it with the
ip routing global configuration command.
Figure 6-4 Layer 3 Switch with SVIs (SW1 with Gig0/7 and Gig0/8 in VLAN 100 served by SVI VLAN 100, 192.168.1.1/24, and Gig0/9 and Gig0/10 in VLAN 200 served by SVI VLAN 200, 192.168.2.1/24)

Example 6-17 SW1 SVI Configuration
SW1#show run
...output omitted...
!
ip routing
!
...output omitted...
!
interface GigabitEthernet0/7
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 200
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 200
switchport mode access
!
...output omitted...
!
interface Vlan100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan200
ip address 192.168.2.1 255.255.255.0

Troubleshooting SVIs
For an SVI to function, the SVI status has to be up and the protocol has to be up. You
can verify whether the SVI is up/up with a few different show commands, as shown in
Example 6-18. In this case, the SVI for VLAN 100 is up/up, as shown in the output of
show ip interface brief. The output of show interfaces vlan 100 also displays the SVI as
being up/up, but it additionally provides the MAC (bia) address that is used when devices
need to communicate directly with the SVI. For example, when hosts on VLAN 100 need
to send a frame to the default gateway (remember, the SVI is the default gateway), they
need a destination MAC address for the IP address associated with the SVI. It is this MAC
address that is used in that case. The command also provides the IP address of the SVI.
Lastly, the show ip interface vlan 100 command indicates that the SVI is up/up, in addition
to providing the IP address.

Example 6-18 Verifying the Status of an SVI
SW1#show ip interface brief | include Vlan|Interface
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan100 192.168.1.1 YES manual up up
Vlan200 192.168.2.1 YES manual up up

SW1#show interfaces vlan 100
Vlan100 is up, line protocol is up
Hardware is EtherSVI, address is 000d.2829.0200 (bia 000d.2829.0200)
Internet address is 192.168.1.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
...output omitted...

SW1#show ip interface vlan 100
Vlan100 is up, line protocol is up
Internet address is 192.168.1.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
...output omitted...

To successfully troubleshoot SVIs, you need to understand the circumstances that are
necessary for an SVI to be up/up. The following list outlines what is needed for an SVI to
be up/up:

■ The VLAN the SVI is created for needs to exist locally on the switch.

■ The SVI has to be enabled and not administratively shut down.

■ At a minimum, there must be one switchport (access or trunk) that is up/up and in
the spanning-tree forwarding state for that specific VLAN.

Note To route from one SVI to another SVI, IP routing must be enabled on the Layer 3
switch with the ip routing command.
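The three conditions above can be checked mechanically from show output. The following script is an added example, not code from the book: it parses constructed IOS output modelled on the trouble-ticket examples that follow (VLAN 10 missing on SW1) and reports which up/up condition fails for each SVI. It assumes the standard IOS column layout and, as a simplification, checks the forwarding-state condition only on trunk ports, since access ports do not appear in show interfaces trunk.

```python
"""Check the three up/up conditions for an SVI from IOS show output.

Added example, not code from the book. It parses constructed output modelled
on Examples 6-24 through 6-26 (VLAN 10 missing on SW1). Assumption: only trunk
ports are checked for the forwarding-state condition, since access ports do
not appear in show interfaces trunk.
"""
import re

# Constructed sample output (not captured from a real device).
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan10                 10.1.1.1        YES NVRAM  up                    down
Vlan20                 10.1.1.65       YES NVRAM  up                    up
"""

SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/2, Gi1/0/3, Gi1/0/4
20   10.1.1.64/26                     active
1002 fddi-default                     act/unsup
"""

SHOW_INT_TRUNK = """\
Port        Vlans allowed and active in management domain
Gi1/0/1     1,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/1     1,20
"""

SVI_LINE = re.compile(
    r"Vlan(\d+)\s+\S+\s+YES\s+\S+\s+(administratively down|up|down)\s+(up|down)")
VLAN_LINE = re.compile(r"(\d+)\s+\S+\s+(active|act/unsup|suspended)")

def parse_svi_status(text):
    """Map VLAN ID -> (status, protocol) for each SVI in show ip interface brief."""
    svis = {}
    for line in text.splitlines():
        m = SVI_LINE.match(line)
        if m:
            svis[int(m.group(1))] = (m.group(2), m.group(3))
    return svis

def parse_local_vlans(text):
    """Return the set of VLAN IDs that exist locally according to show vlan brief."""
    return {int(m.group(1)) for m in map(VLAN_LINE.match, text.splitlines()) if m}

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10-12,20' into a set of IDs."""
    ids = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            ids.update(range(int(lo), int(hi) + 1))
        elif part:
            ids.add(int(part))
    return ids

def parse_forwarding_vlans(text):
    """Map trunk port -> VLANs in spanning-tree forwarding state and not pruned."""
    forwarding, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("Port") and "forwarding state" in line:
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            port, vlans = line.split(None, 1)
            forwarding[port] = expand_vlan_list(vlans.strip())
    return forwarding

def diagnose_svi(vlan_id, svi_status, local_vlans, forwarding):
    """Return the failed up/up conditions for one SVI; [] means it should be up/up."""
    problems = []
    if vlan_id not in local_vlans:
        problems.append(f"VLAN {vlan_id} does not exist locally (create it with 'vlan {vlan_id}')")
    status = svi_status.get(vlan_id)
    if status is None:
        problems.append(f"no SVI exists for VLAN {vlan_id} (create it with 'interface vlan {vlan_id}')")
    elif status[0] == "administratively down":
        problems.append(f"SVI Vlan{vlan_id} is administratively shut down (issue 'no shutdown')")
    if not any(vlan_id in vlans for vlans in forwarding.values()):
        problems.append(f"no trunk port is in spanning-tree forwarding state for VLAN {vlan_id}")
    return problems

def diagnose_all(int_brief, vlan_brief, int_trunk):
    """Run diagnose_svi for every SVI found in show ip interface brief."""
    svis = parse_svi_status(int_brief)
    local, fwd = parse_local_vlans(vlan_brief), parse_forwarding_vlans(int_trunk)
    return {vid: diagnose_svi(vid, svis, local, fwd) for vid in svis}

if __name__ == "__main__":
    for vid, problems in diagnose_all(SHOW_IP_INT_BRIEF, SHOW_VLAN_BRIEF, SHOW_INT_TRUNK).items():
        print(f"Vlan{vid}:", "; ".join(problems) or "all up/up conditions met")
```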

SVI Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in
the chapter. The purpose of these trouble tickets is to give a process that you can follow
when troubleshooting in the real world or in an exam environment. All trouble tickets in
this section are based on the topology depicted in Figure 6-5.


Figure 6-5 SVI Trouble Ticket Topology (PC1 10.1.1.10/26 on SW2 Fa0/1 in VLAN 10, 10.1.1.0/26; PC2 10.1.1.74/26 on SW2 Fa0/2 in VLAN 20, 10.1.1.64/26; SW2 Gig0/1 connects over an 802.1q trunk to SW1 Gig1/0/1; SW1 has SVI VLAN 10 with IP 10.1.1.1 and SVI VLAN 20 with IP 10.1.1.65)

Trouble Ticket 6-3
Problem: PC1 is not able to access resources on PC2.

Let’s start this trouble ticket by verifying the problem. Example 6-19 verifies that PC1
cannot access resources on PC2 because the ping has failed.

Example 6-19 Failed Ping from PC1 to PC2
C:\PC1>ping 10.1.1.74
Pinging 10.1.1.74 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.1.74:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Next, we ping the default gateway for PC1, and the result is not successful either, as
shown in Example 6-20. This means that we have an issue from PC1 to the default gate-
way.

Example 6-20 Failed Ping from PC1 to Default Gateway
C:\PC1>ping 10.1.1.1
Pinging 10.1.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Following a structured troubleshooting approach, you would verify the IP configura-
tion on PC1 as well as its MAC address using the ipconfig /all command. Example 6-21
indicates that the IP address, subnet mask, and default gateway are all correct based on
Figure 6-5. It also indicates that the MAC address is 0800:275d:06d6.

Example 6-21 Verifying PC1’s Configuration with ipconfig /all
C:\PC1>ipconfig /all
...output omitted...
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.192
Default Gateway . . . . . . . . . : 10.1.1.1
...output omitted...

Next we verify that SW2 is learning the MAC address of PC1 on the correct interface
and that it is associated with the correct VLAN. Example 6-22 shows that the MAC
address of PC1 (0800:275d:06d6) is associated with Fa0/1 and VLAN 10 with the com-
mand show mac address-table dynamic.

Example 6-22 Verifying SW2 Has Learned the MAC Address of PC1 on Fa0/1 and
VLAN 10
SW2#show mac address-table dynamic
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
10 0800.275d.06d6 DYNAMIC Fa0/1
20 0800.27a2.ce47 DYNAMIC Fa0/2
20 2893.fe3a.e342 DYNAMIC Gi0/1
Total Mac Addresses for this criterion: 3

Next we issue the show mac address-table dynamic command on SW1, as shown in
Example 6-23, to verify that the MAC address of PC1 is being learned on Gig1/0/1 and is
associated with VLAN 10. In this case, it is not being learned at all. In addition, reviewing
the output of Example 6-22 again shows that no MAC addresses for VLAN 10 are being
learned on the Gig0/1 interface of SW2. We should see the MAC address of the
default gateway for the 10.1.1.0/26 network associated with Gig0/1, but we don’t.

Example 6-23 Verifying SW1 Has Learned the MAC Address of PC1 on Gig1/0/1 and
VLAN 10
SW1#show mac address-table dynamic
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
20 0800.27a2.ce47 DYNAMIC Gi1/0/1
Total Mac Addresses for this criterion: 1

Because SW1 is a Layer 3 switch, it should have an SVI for VLAN 10 with an IP address
associated with it in the up/up state. Issuing the command show ip interface brief |
include Vlan10, as shown in Example 6-24, indicates that the SVI exists on SW1, it has
the IP address 10.1.1.1, and it is up/down. Therefore, the issue in this trouble ticket is
causing MAC addresses not to be learned for VLAN 10 on SW1’s Gig1/0/1 and SW2’s
Gig0/1 interfaces and is causing the SVI on SW1 to be up/down.

Example 6-24 Verifying SVI Exists on SW1 and Its Status
SW1#show ip interface brief | include VLAN10|Interface
Interface IP-Address OK? Method Status Protocol
Vlan10 10.1.1.1 YES NVRAM up down

What causes an SVI’s protocol state to be down?

■ The VLAN the SVI is created for does not exist locally on the switch.

■ The SVI is administratively shut down.

■ There is no switchport (access or trunk) that is up/up and in the spanning-tree forwarding
state for that specific VLAN.

What would cause MAC addresses not to be learned on trunk interfaces?

■ The trunk has mismatched encapsulations, modes, or native VLANs.

■ The trunk is manually or dynamically pruning traffic for the VLAN, causing spanning
tree to have no forwarding state for the VLAN.

■ The VLAN does not exist on the switch.

Let’s compare these two lists. What do they have in common?

■ The VLAN does not exist.

■ Spanning tree is not in the forwarding state for the VLAN on at least one interface.

On SW1, the show interfaces trunk command enables you to see the spanning-tree forwarding
state for each VLAN on Gig1/0/1. Example 6-25 shows the output of the command
show interfaces trunk on SW1 and highlights the fact that SW1 interface Gig1/0/1
is not in the spanning-tree forwarding state for VLAN 10, only for VLAN 1 and 20. If
you look further at the output, you see that VLAN 10 is not even listed in the list of
VLANs that are active in the management domain. This is a good indication that VLAN
10 does not exist on SW1.

Example 6-25 Output of show interfaces trunk on SW1
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi1/0/1 on 802.1q trunking 99

Port Vlans allowed on trunk
Gi1/0/1 1-4094

Port Vlans allowed and active in management domain
Gi1/0/1 1,20

Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 1,20

Reviewing the output of show vlan brief on SW1 confirms that VLAN 10 does not exist,
as shown in Example 6-26. Correcting this issue requires that you create the VLAN in
global configuration mode using the vlan 10 command.

Example 6-26 Output of show vlan brief on SW1
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4
Gi1/0/5, Gi1/0/6, Gi1/0/7
Gi1/0/8, Gi1/0/9, Gi1/0/10
Gi1/0/11, Gi1/0/12, Gi1/0/13
Gi1/0/14, Gi1/0/15, Gi1/0/16
Gi1/0/17, Gi1/0/18, Gi1/0/19
Gi1/0/20, Gi1/0/21, Gi1/0/22
Gi1/0/23, Gi1/0/24, Te1/0/1,
Te1/0/2
20 10.1.1.64/26 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

After you have corrected the issue, you want to confirm that the VLAN exists, as shown
in the show vlan brief output of Example 6-27. You want to confirm that the output of
show interfaces trunk lists VLAN 10 in the active VLANs in the management domain
and that it is in the spanning-tree forwarding state and not pruned for interface Gig1/0/1,
as shown in Example 6-28. In addition, you want to verify that the SVI for VLAN 10
is up/up by using the command show ip interface brief | include Vlan10, as shown in
Example 6-29.

Example 6-27 Output of show vlan brief on SW1 After Changes
SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/2, Gi1/0/3, Gi1/0/4
Gi1/0/5, Gi1/0/6, Gi1/0/7
Gi1/0/8, Gi1/0/9, Gi1/0/10
Gi1/0/11, Gi1/0/12, Gi1/0/13
Gi1/0/14, Gi1/0/15, Gi1/0/16
Gi1/0/17, Gi1/0/18, Gi1/0/19
Gi1/0/20, Gi1/0/21, Gi1/0/22
Gi1/0/23, Gi1/0/24, Te1/0/1,
Te1/0/2
10 10.1.1.0/26 active
20 10.1.1.64/26 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup

Example 6-28 Output of show interfaces trunk on SW1 After Changes
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi1/0/1 on 802.1q trunking 99

Port Vlans allowed on trunk
Gi1/0/1 1-4094

Port Vlans allowed and active in management domain
Gi1/0/1 1,10,20
Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/1 1,10,20

Example 6-29 Output of show ip interface brief | include VLAN10 on SW1 After
Changes
SW1#show ip interface brief | include VLAN10|Interface
Interface IP-Address OK? Method Status Protocol
Vlan10 10.1.1.1 YES NVRAM up up

Finally, you want to verify that the problem is solved by successfully pinging from PC1 to
PC2. Example 6-30 shows that the problem is solved and that the ping is successful.

Example 6-30 Successful Ping from PC1 to PC2
C:\PC1>ping 10.1.1.74
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.74:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Trouble Ticket 6-4
Problem: PC1 is not able to access resources on PC2.

You start by verifying the problem, as shown in Example 6-31, which confirms (because
the ping has failed) that PC1 is unable to access resources on PC2. Next you verify that
PC1 can reach the default gateway, as shown in Example 6-32, which it can since the ping
was successful. This confirms that no issue exists between PC1 and the default gateway.
Next you verify that PC1 can reach the default gateway of VLAN 20, which is 10.1.1.65.
Example 6-33 confirms that PC1 is able to reach the default gateway of VLAN 20 since
the ping was successful as well.

Example 6-31 Failed Ping from PC1 to PC2
C:\PC1>ping 10.1.1.74
Pinging 10.1.1.74 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.1.74:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Example 6-32 Successful Ping from PC1 to VLAN 10 Default Gateway
C:\PC1>ping 10.1.1.1
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Example 6-33 Successful Ping from PC1 to VLAN 20 Default Gateway
PC1#ping 10.1.1.65
Reply from 10.1.1.65: bytes=32 time<1ms TTL=128
Reply from 10.1.1.65: bytes=32 time<1ms TTL=128
Reply from 10.1.1.65: bytes=32 time<1ms TTL=128
Reply from 10.1.1.65: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.65:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Because all the pings were successful, this might mean that we have a problem between
SW1 and PC2. Let’s ping from SW1 to PC2 to verify this. Example 6-34 provides the
result of issuing the ping 10.1.1.74 command on SW1. Notice that the ping is successful,
which negates our hypothesis that a problem might exist between SW1 and PC2.

Example 6-34 Successful Ping from SW1 to PC2
SW1#ping 10.1.1.74
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.74, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/205/1015 ms

Let’s recap. PC1 can ping SVI 10, and PC2 can ping SVI 20. We also concluded that PC1
can ping SVI 20, which should mean that PC2 can ping SVI 10. Let’s double check by
pinging from PC2 to the IP address 10.1.1.1. As shown in Example 6-35, it is successful as
well.

Example 6-35 Successful Ping from PC2 to SVI 10
C:\PC2>ping 10.1.1.1
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

So, the pings are getting a little more than halfway to their destination. What is
required for the ping from PC1 to fully reach PC2? Routing. Issuing the command show ip
interface brief on SW1, as shown in Example 6-36, confirms that the SVIs for VLAN 10 and
VLAN 20 exist, they have the correct IP addresses assigned to them, and they are up/up.

Example 6-36 Output of show ip interface brief on SW1
SW1#show ip interface brief | include Vlan|Interface
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan10 10.1.1.1 YES NVRAM up up
Vlan20 10.1.1.65 YES NVRAM up up

Let’s check the routing table on SW1 with the command show ip route. The output of
show ip route, as shown in Example 6-37, does not even look like a routing table. The
output of Example 6-37 should immediately lead you to the solution of this problem. The
problem is that IP routing is not enabled on SW1. By default, on Layer 3 switches, IP
routing is disabled. Therefore, SW1 cannot route traffic. It can only respond to pings that
are sent to its local interfaces. To enable it, you execute the ip routing command in global
configuration mode.

Example 6-37 Output of show ip route on SW1
SW1#show ip route
Default gateway is not set

Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty

After you have enabled IP routing, you can issue the show ip route command again on
SW1 to verify that directly connected entries have been added to the routing table for
SVI VLAN 10 and SVI VLAN 20. Remember how the SVIs work. They are equivalent to
router interfaces. Therefore, when you create an SVI, give it an IP address, and it is up/up,
an entry for the network that the SVI belongs to gets placed in the routing table.
Example 6-38 shows a routing table that we are familiar with and the directly connected
entries for VLAN 10 and VLAN 20.

Example 6-38 Output of show ip route on SW1
SW1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C 10.1.1.0/26 is directly connected, Vlan10
L 10.1.1.1/32 is directly connected, Vlan10
C 10.1.1.64/26 is directly connected, Vlan20
L 10.1.1.65/32 is directly connected, Vlan20

Finally, we need to confirm that our solution solved the original issue, which was that
PC1 could not access resources on PC2. Pinging from PC1 to PC2, as shown in Example
6-39, is successful, proving that we solved the issue.

Example 6-39 Successful Ping from PC1 to PC2
C:\PC1>ping 10.1.1.74
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128
Reply from 10.1.1.74: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.74:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Troubleshooting Routed Ports
Although SVIs can route between VLANs configured on a switch, a Layer 3 switch can be
configured to act more as a router (for example, in an environment where you are
replacing a router with a Layer 3 switch) by using routed ports on the switch. By default,
the ports on many Layer 3 Cisco Catalyst switches operate as Layer 2 switchports.
Therefore, you have to issue the no switchport command in interface configuration mode
to convert a switchport to a routed port. This section explains how to configure routed
ports on Layer 3 switches so that you can identify potential problems during the
troubleshooting process.

Figure 6-6 and Example 6-40 illustrate a Layer 3 switch with its Gigabit Ethernet 0/9 and
0/10 ports configured as routed ports. You can verify whether a port is a routed port by
using the show interfaces interface_type interface_number switchport command. A routed
port will state Switchport: Disabled.

Figure 6-6 Routed Ports on a Layer 3 Switch (SW1 routed ports Gig0/9 192.168.1.2/24 and Gig0/10 192.168.2.2/24; neighboring R2 and SW2 Gig0/0 interfaces addressed 192.168.1.1/24 and 192.168.2.1/24)

Example 6-40 Configuration for Routed Ports on a Layer 3 Switch
SW1#show run
...output omitted...
!
interface GigabitEthernet0/9
no switchport
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/10
no switchport
ip address 192.168.2.2 255.255.255.0
!
...output omitted...

SW1#show interfaces gigabitEthernet 0/10 switchport
Name: Gi0/10
Switchport: Disabled

The following list outlines the characteristics of routed ports:

■ Physical switchport that has Layer 3 (routing) capabilities.

■ Has no association with any VLAN.

■ Does not run switchport protocols such as Spanning Tree Protocol (STP) or Dynamic
Trunking Protocol (DTP).

■ Does not support subinterfaces like a router.

■ Useful for uplinks between Layer 3 switches or when connecting a Layer 3 switch to a
router.

■ To route from one routed port to another or a routed port to an SVI and vice versa, IP
routing needs to be enabled.

Routed Ports Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in
the chapter. The purpose of these trouble tickets is to give a process that you can follow
when troubleshooting in the real world or in an exam environment. All trouble tickets in
this section are based on the topology depicted in Figure 6-7.

Figure 6-7 Routed Ports Trouble Tickets Topology (PC1 10.1.1.10/26 on SW2 Fa0/1 and PC2 10.1.1.74/26 on SW2 Fa0/2; SW2 Gig0/1 connects over an 802.1q trunk to SW1 Gig1/0/1; SW1 has SVI VLAN 10 10.1.1.1/26 and SVI VLAN 20 10.1.1.65/26; SW1 Gig1/0/10 10.1.10.2 connects to R1 Gig1/0 10.1.10.1 on 10.1.10.0/24, and R1 connects to the Internet)

Trouble Ticket 6-5
Problem: PC1 and PC2 are not able to access resources outside their subnet.

You must always be sure that you fully understand the problem that is being submitted.
Therefore, you always need to further define the problem to make sure that it is accurate.
You ping from PC1 to PC2, and it is successful. You ping from PC1 to its default gateway,
and it is successful. You ping from PC2 to its default gateway, and it is successful. You
ping from PC1 to the Internet, and it fails. You ping from PC2 to the Internet, and it fails.
Pinging from PC1 and PC2 to R1’s Gig1/0 interface fails. They are able to access each
other. Therefore, the problem statement can be changed to read as follows:

Problem: PC1 and PC2 are not able to access resources beyond SW1.

This clarification allows us to focus our attention from SW1 onward, skipping all the
Layer 2 troubleshooting between the PCs and SW1. On SW1, you ping 10.1.10.1, as shown
in Example 6-41, and it fails. Next you issue the show ip interface brief command on
SW1, as shown in Example 6-42, to verify that the correct IP address is configured on
interface Gig1/0/10 and that it is up/up. The output shows that there is no IP address
configured on Gig1/0/10 and that the interface is up/up.

Example 6-41 Failed Ping from SW1 to R1
SW1#ping 10.1.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Example 6-42 Output of show ip interface brief on SW1
SW1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
...output omitted...
GigabitEthernet1/0/9 unassigned YES unset down down
GigabitEthernet1/0/10 unassigned YES unset up up
GigabitEthernet1/0/11 unassigned YES unset down down
...output omitted...

You enter interface configuration mode for Gig1/0/10 and issue the command ip address
10.1.10.2 255.255.255.0, as shown in Example 6-43. You receive the error message
displayed in Example 6-43. This is a good indication that it is a Layer 2 switchport. You
confirm this by issuing the show interface Gig1/0/10 switchport command. The output
displayed in Example 6-44 indicates that it is indeed a Layer 2 switchport because the
output states Switchport: Enabled. If it stated Switchport: Disabled, this would indicate
that it is a routed port.

Example 6-43 Error message on SW1
SW1#config t
SW1(config)#interface gig 1/0/10
SW1(config-if)#ip address 10.1.10.2 255.255.255.0
^
% Invalid input detected at '^' marker.

Example 6-44 Output of the show interfaces gig1/0/10 switchport Command on SW1
SW1#show interfaces gig1/0/10 switchport
Name: Gi1/0/10
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
...output omitted...

As shown in Example 6-43, you are not able to configure an IP address on Gig1/0/10. To
assign an IP address to a switchport on a Layer 3 switch, you need to convert it to a
routed port using the no switchport command in interface configuration mode, as shown
in Example 6-45. Also in Example 6-45, you can see that the IP address command was
successfully executed after the no switchport command was entered.

Example 6-45 Configuring a Routed Port on SW1
SW1#config t
SW1(config)#interface gig 1/0/10
SW1(config-if)#no switchport
SW1(config-if)#ip address 10.1.10.2 255.255.255.0

Now the ping from SW1 to R1 is successful, as displayed in Example 6-46. Also, the pings
from PC1 and PC2 to the Internet are successful (not displayed).

Example 6-46 Successful Ping from SW1 to R1
SW1#ping 10.1.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.10.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 9/14/17 ms

Troubleshooting Layer 3 EtherChannel
Chapter 5 discussed how to troubleshoot Layer 2 EtherChannels between Layer 2
switchports on Cisco Catalyst switches. When you have multiple routed ports on Layer 3
switches, you can bundle them together to create Layer 3 EtherChannels, as illustrated in
Figure 6-8. This section focuses on the Layer 3 EtherChannel requirements and how you
can successfully troubleshoot issues relating to it.

An EtherChannel logically combines the bandwidth of multiple physical interfaces into a
logical connection between switches. Figure 6-8 shows four Gigabit Ethernet routed ports
logically bonded into a single EtherChannel link known as a port channel. With Layer 3
EtherChannel, there is no need to worry about trunk mode, native VLAN configurations,
and allowed VLAN configurations because we use routed ports, which are Layer 3 ports
that do not care about those parameters.

Figure 6-8 Layer 3 EtherChannel (SW1 routed ports Gig 0/1-4 bundled to SW2 routed ports Gig 0/1-4)

Following are common troubleshooting targets to consider when troubleshooting a Layer
3 EtherChannel issue:

■ Mismatched port configurations: The configurations of all ports making up an
EtherChannel, on both switches, should be identical. Specifically, all ports should have
the same speed and duplex and port type (Layer 2 or Layer 3).

■ Port type during configuration: Creating an EtherChannel with the channel-group
command before the port channel is created will automatically create the port channel
with the same state as the physical ports bundled in the channel group. For example, if
the physical interfaces are Layer 2 switchports, the port channel will be a Layer 2 port
channel. If the physical interfaces are Layer 3 interfaces, the port channel will be a Layer
3 port channel. Order of operations is more important with Layer 3 EtherChannel than
with Layer 2 EtherChannel. Therefore, it is imperative that you either make the physical
interfaces routed ports with the no switchport command before creating the bundle or
create the Layer 3 port channel with the interface port-channel interface_number
command and issue the no switchport command in interface configuration mode before
you configure the physical interfaces with the channel-group command.

■ Mismatched EtherChannel configuration: Both switches forming the EtherChannel
should be configured for the same EtherChannel negotiation protocol. The options are
Link Aggregation Control Protocol (LACP) and Port Aggregation Protocol (PAgP). If you
prefer to statically configure EtherChannel, there is the on option as well. Table 6-2
identifies which options can be configured on each switch to successfully form an
EtherChannel.

■ Inappropriate EtherChannel distribution algorithm: EtherChannel determines which
physical link to use to transmit frames based on a hash calculation. For example, a hash
calculation might be based only on the destination MAC address of a frame. If the frames
are destined for only a few different MAC addresses, the load distribution could be
uneven. The hashing approach selected should distribute the load fairly evenly across all
physical links.

Table 6-2 Options for Successfully Forming an EtherChannel

                                   SW1 MODE
SW2 MODE          PAgP Desirable   PAgP Auto   LACP Active   LACP Passive   On
PAgP Desirable    Yes              Yes         No            No             No
PAgP Auto         Yes              No          No            No             No
LACP Active       No               No          Yes           Yes            No
LACP Passive      No               No          Yes           No             No
On                No               No          No            No             Yes

Verifying an EtherChannel bundle is done with the show etherchannel summary command,
as shown in Example 6-47. With this output, you can verify the group number, the logical
port channel number for the group, the protocol that was used, the ports in the bundle,
the status of the port channel, and the status of the ports. In this example, the logical
port channel is port channel 1, it is a Layer 3 port channel, and it is in use (as indicated
by the RU). This is what you want to see. Again, if you see any other combination, it
means that you have a misconfiguration that is preventing the port channel from going
up. Link Aggregation Control Protocol (LACP) was used as the protocol in this example,
and Gig1/0/5 and 1/0/6 are bundled in the port channel, as indicated by the P. You want
to see P listed by the ports; if you see anything else, it means that you have a
configuration issue that is preventing the port from being bundled. The only other option
I would like to see beside the ports is H, which is used with LACP when you have more
than eight ports in the bundle. When you have more than eight ports with LACP, the
additional ports are placed in the standby state and used only if one of the main eight go
down.

Example 6-47 Output of show etherchannel summary
SW1#show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+--------------------------------------
1 Po1(RU) LACP Gi1/0/5(P) Gi1/0/6(P)

Layer 3 EtherChannel Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in
the chapter. The purpose of these trouble tickets is to give a process that you can follow
when troubleshooting in the real world or in an exam environment. All trouble tickets in
this section are based on the topology depicted in Figure 6-9.

Figure 6-9 EtherChannel Trouble Tickets Topology [figure not reproduced: Core, SW1 and SW2; SW1 and SW2 are joined by a Layer 3 EtherChannel on Gi1/0/5 and Gi1/0/6 of each switch]

Trouble Ticket 6-6

Problem: A junior network administrator has approached you indicating that the Layer 3 EtherChannel they are trying to form between SW1 and SW2 is not forming. You need to solve this issue for them.

Your first step is to verify the EtherChannel configuration on SW1 and SW2 using the show etherchannel summary command, as shown in Example 6-48 and Example 6-49. Reviewing the flags on SW1 in Example 6-48 indicates that the ports are in standalone and that the port channel is Layer 2 down. Reviewing the flags on SW2 in Example 6-49 indicates that ports are suspended and that the port channel is Layer 3 down. Do you see the issue?

Example 6-48 SW1 show etherchannel summary Output

SW1#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(I)

Example 6-49 SW2 show etherchannel summary Output

SW2#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(RD)         LACP      Gi1/0/5(s)  Gi1/0/6(s)

It appears that our junior network administrator failed to create a Layer 3 EtherChannel on SW1. If you recall, to create a Layer 3 EtherChannel, the physical ports and the port channel must be routed ports. Therefore, the junior network administrator forgot the no switchport command on SW1, as shown in Example 6-50.

Example 6-50 SW1 show run interface Output

SW1#show run int gig 1/0/5
!
interface GigabitEthernet1/0/5
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
end

SW1#show run int gig 1/0/6
!
interface GigabitEthernet1/0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
end

SW1#show run int port-channel 1
!
interface Port-channel1
end

To solve this issue, you need to remove the port channel and channel group configuration from SW1, convert Gig1/0/5 and Gig1/0/6 to routed ports with the no switchport command, and then issue the channel-group mode command on Gig1/0/5 and Gig1/0/6, which will create the bundle and the Layer 3 port channel. Example 6-51 confirms that the Layer 3 EtherChannel bundle is now formed. Notice how the ports are bundled in the port channel and that the port channel is Layer 3 in use.

Example 6-51 SW1 and SW2 show etherchannel summary Output

SW1#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(RU)         LACP      Gi1/0/5(P)  Gi1/0/6(P)
!
SW2#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(RU)         LACP      Gi1/0/5(P)  Gi1/0/6(P)
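As an added example (not from the book), here is a small Python parser for show etherchannel summary output that applies the checks described for Example 6-47 and worked by hand in Trouble Ticket 6-6: it reads the status letters from the group row and explains anything other than the RU / P state you want to see. The sample outputs are constructed on the pattern of Examples 6-48, 6-49 and 6-51.

```python
import re

# Constructed sample outputs modelled on Examples 6-48, 6-49 and 6-51: SW1 before
# the fix (Layer 2 port channel, stand-alone ports), SW2 before the fix (suspended
# ports) and the healthy Layer 3 bundle after the fix.
SW1_BEFORE = """\
SW1#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+--------------------------------------
1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(I)
"""
SW2_BEFORE = SW1_BEFORE.replace("SW1#", "SW2#").replace("Po1(SD)", "Po1(RD)").replace("(I)", "(s)")
AFTER_FIX = SW1_BEFORE.replace("Po1(SD)", "Po1(RU)").replace("(I)", "(P)")

# Meanings of the status letters, taken from the Flags legend of the command.
PORT_CHANNEL_FLAGS = {
    "R": "Layer3", "S": "Layer2", "U": "in use", "D": "down",
    "M": "not in use, minimum links not met", "f": "failed to allocate aggregator",
}
PORT_FLAGS = {
    "P": "bundled in port-channel", "I": "stand-alone", "s": "suspended",
    "H": "Hot-standby (LACP only)", "D": "down", "d": "default port",
    "u": "unsuitable for bundling", "w": "waiting to be aggregated",
}

# One data row per channel group, e.g. "1      Po1(SD)         LACP      Gi1/0/5(I)  Gi1/0/6(I)"
GROUP_RE = re.compile(r"^(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s*(.*)$")
PORT_RE = re.compile(r"([A-Za-z]+\d+(?:/\d+)*)\(([A-Za-z])\)")


def parse_summary(text):
    """Return one dict per channel group found in show etherchannel summary output."""
    groups = []
    for line in text.splitlines():
        m = GROUP_RE.match(line.strip())
        if not m:  # legend, headers and counters do not start with a group number
            continue
        groups.append({
            "group": int(m.group(1)),
            "port_channel": m.group(2),
            "po_flags": m.group(3),
            "protocol": m.group(4),
            "ports": PORT_RE.findall(m.group(5)),  # list of (name, flag) tuples
        })
    return groups


def diagnose(group, expect_layer3=True):
    """Explain every flag that is not the RU / P state the chapter says you want to see."""
    findings = []
    po, flags = group["port_channel"], group["po_flags"]
    if expect_layer3 and "R" not in flags:
        findings.append(f"{po} is not a Layer 3 port channel (flags {flags}): the member "
                        "ports were still switchports when channel-group was applied")
    if "U" not in flags:
        reasons = [PORT_CHANNEL_FLAGS.get(c, c) for c in flags if c not in "RS"]
        findings.append(f"{po} is not in use: {', '.join(reasons)}")
    for name, flag in group["ports"]:
        if flag in ("P", "H"):  # H is expected only with more than eight LACP members
            continue
        findings.append(f"{name} is not bundled: {PORT_FLAGS.get(flag, flag)}")
    return findings


def check_bundle(text, expect_layer3=True):
    """Parse the output and return (healthy, findings) for the first channel group."""
    groups = parse_summary(text)
    if not groups:
        return False, ["no channel group found in output"]
    findings = diagnose(groups[0], expect_layer3)
    return (not findings), findings


if __name__ == "__main__":
    for label, output in (("SW1 before", SW1_BEFORE), ("SW2 before", SW2_BEFORE),
                          ("after fix", AFTER_FIX)):
        healthy, findings = check_bundle(output)
        print(label, "OK" if healthy else "\n  " + "\n  ".join(findings))
```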

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, “Final Preparation,” and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 6-3 lists a reference of these key topics and the page numbers on which each is found.

Table 6-3 Key Topics for Chapter 6

Key Topic Element | Description | Page Number
Example 6-1 | show run command output from R1 | 212
Example 6-2 | show run command output from SW1 | 213
List | Describes issues that prevent inter-VLAN routing from functioning with the router-on-a-stick approach | 213
Example 6-17 | SW1 SVI configuration | 222
Example 6-18 | Verifying the status of an SVI | 223
List | Identifies the elements that must be true for an SVI to be up | 224
Example 6-40 | Configuration for routed ports on a Layer 3 switch | 234
Paragraph | Identifies how to verify whether the port is a Layer 2 switchport or a routed port | 236
List | Describes the common Layer 3 EtherChannel troubleshooting targets | 237
Table 6-2 | Options for successfully forming an EtherChannel | 238

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary: Layer 3 switch, router-on-a-trunk/router-on-a-stick, switched virtual interface (SVI), routed port, Layer 3 EtherChannel

Complete Tables and Lists from Memory

Print a copy of Appendix C, “Memory Tables,” (found on the disc), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, “Memory Tables Answer Key,” also on the disc, includes completed tables and lists to check your work.

Show Command Reference to Check Your Memory

This section includes the show commands introduced in this chapter. It does not include the show commands that were used in this chapter but introduced in previous chapters. You will need to return to the previous chapters to review information relating to those show commands. The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the show commands needed to successfully troubleshoot the topics presented in this chapter.

To test your memory of the commands, cover the right side of Table 6-4 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.

Table 6-4 show Commands Introduced in Chapter 6

Task | Command Syntax
Displays the VLANs that are associated with a router’s subinterfaces, in addition to the trunk encapsulation method used on router’s subinterfaces. | show vlans
If IPv4 routing is enabled on a Layer 3 switch, it displays the contents of the IPv4 routing table. | show ip route
Displays the Layer 1 and Layer 2 status of an SVI on an MLS along with the IP address, subnet mask, and MAC address associated with it. | show interfaces [vlan {vlan-id}]
Identifies if a switchport is operating as a Layer 2 switchport or a Layer 3 routed port. | show interfaces interface_type interface_number switchport
Displays the status of port channels, in addition to the status of the ports within the port channel. | show etherchannel summary

This chapter covers the following topics:

■ Troubleshooting Port Security: This section covers the various reasons why port security might not be performing as expected and how you can troubleshoot them.
■ Port Security Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.
■ Troubleshooting Spoof-Prevention Features: This section explains the purpose of DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard. In addition, you will learn what could cause these features not to perform as expected and how to troubleshoot them.
■ Spoof-Prevention Features Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.
■ Troubleshooting Layer 2 Access Control: This section examines how to troubleshoot misconfigurations related to protected ports, private VLANs, and VLAN Access Control Lists.

CHAPTER 7

Troubleshooting Switch Security Features

By default, out of the box, switches are designed to provide connectivity. Therefore, minimal security is applied. You can improve switch security by implementing features such as port security, DHCP snooping, dynamic Address Resolution Protocol (ARP) inspection, and IP Source Guard. In addition, by default, all traffic within a VLAN is free to flow between the switchports in the same VLAN. This might not be desired. Therefore, you can control the flow of traffic within the same VLAN with features such as protected ports, private VLANs, and VLAN access control lists (ACLs). However, with these added features comes additional issues related to them that you will need to be able to troubleshoot. This chapter covers all these features and explores the various reasons why you may be experiencing issues and how you can troubleshoot them.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 7-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 7-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section | Questions
Troubleshooting Port Security | 1–3
Troubleshooting Spoof-Prevention Features | 4–8
Troubleshooting Layer 2 Access Control | 9–10

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which command enables you to verify the port status of a port security-enabled port?
a. show port-security
b. show port-security interface interface_type interface_number
c. show interfaces status
d. show running-configuration

2. Which two commands identify the ports that are in the err-disabled state if the err-disable recovery feature has not been enabled for port security?
a. show port-security
b. show interfaces
c. show interfaces status
d. show port-security address

3. Which two of the following port security violation modes will generate a log message when a violation occurs?
a. Protect
b. Restrict
c. Shutdown
d. Disabled

4. What must be true for DHCP snooping to operate successfully? (Choose two.)
a. It must be enabled globally.
b. It must be enabled for specific VLANs.
c. The ports going to end stations must be configured as trusted.
d. The ports going to the DHCP servers need to be configured as untrusted.

5. Which command enables you to verify the IP address that has been given to each client from the DHCP server along with the interface they are connected to and the VLAN the interface is a member of?
a. show ip dhcp snooping
b. show ip dhcp snooping binding
c. show ip dhcp snooping database
d. show ip dhcp snooping statistics

6. What must be true for dynamic ARP inspection to operate successfully? (Choose two answers.)
a. DHCP snooping must be enabled globally.
b. DHCP snooping must be enabled for specific VLANs.
c. IP ARP inspection must be enabled for specific VLANs.
d. All interfaces, except for upstream interfaces, need to be configured as trusted interfaces.

7. How does IP Source Guard learn where valid source IPs are in the network?
a. ARP cache
b. MAC address table
c. DHCP snooping database
d. Routing table

8. Which command enables you to verify which interfaces have been configured with IP Source Guard?
a. show ip arp
b. show ip verify source
c. show interfaces status
d. show ip dhcp snooping binding

9. Which two of the following statements are true about PVLANs?
a. Community ports can communicate with other community ports in a different community.
b. Community ports cannot communicate with other community ports in the same community.
c. Isolated ports cannot communicate with other isolated ports.
d. Community ports cannot communicate with isolated ports and vice versa.

10. Which of the following has the ability to deny only FTP traffic between two devices in the same VLAN?
a. IP Source Guard
b. Protected ports
c. Private VLANs
d. VLAN ACL

Foundation Topics

Troubleshooting Port Security

The port security feature is designed to control a specific set/number of MAC addresses that will be learned on an interface. This helps to eliminate CAM table flooding attacks, where a malicious user attempts to overflow the CAM table by populating it with a large number of bogus MAC addresses. In addition, it ensures that only specific devices (based on MAC address) can connect to certain switchports. If an attack occurs, port security kicks in, preventing access; if not, port security keeps waiting. Therefore, port security is a must for all organizations to implement. However, as with all services and features, if something goes wrong, you will be troubleshooting. This section shows you how to identify and troubleshoot port security issues.

Common Port Security Issues

Usually, port security will perform as expected with minimal issues. Most issues arise from misconfigurations. The following is a listing of issues that may occur when working with port security:

■ Port security is configured but not enabled.
■ A static MAC address was not configured correctly.
■ The maximum number of MAC addresses has been reached.
■ Legitimate users are being blocked because of a violation.
■ Running configuration not saved to startup configuration.

Port Security Configured but Not Enabled

Example 7-1 provides a port security configuration on interface Fast Ethernet 0/1 of an access layer switch. Notice that all commands start with switchport port-security. However, if you fail to include the command switchport port-security (which is highlighted), port security is not enabled on the interface regardless of the rest of the configuration specified.

Example 7-1 Sample Port Security Configuration

SW1#show running-config interface fastEthernet 0/1
Building configuration...

Current configuration : 456 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d6

Use the commands show port-security and show port-security interface interface_type interface_number to verify whether port security is enabled on an interface, as shown in Example 7-2. In this case, Fast Ethernet 0/1 is enabled for port security.

Example 7-2 Verifying Port Security Is Enabled on an Interface

SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192

SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0800.275d.06d6:10
Security Violation Count   : 0

Static MAC Address Not Configured Correctly

If you have implemented port security by defining MAC addresses statically, it is imperative that they are accurate. If a user complains that he cannot access the network after receiving a new computer and your network relies on static port security addresses, you more than likely forgot to change the port security static MAC address. Example 7-3 identifies the static MAC address configuration for 0800.275d.06d6.

Example 7-3 Sample Static MAC Address Port Security Configuration

SW1#show running-config interface fastEthernet 0/1
Building configuration...

Current configuration : 456 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d6

Using the show port-security address command reveals the static MAC address configured for the interfaces, as shown in Example 7-4. In this example, the MAC address 0800.275d.06d6 is a statically configured (SecureConfigured) port security MAC address for Fa0/1 and VLAN 10. You need to compare this to the MAC address of the PC connected to the port with the ipconfig /all command, as shown in Example 7-5. (This is where accurate documentation is helpful.) The show port-security address command will also identify the dynamically learned port security MAC addresses and the sticky secure MAC addresses.

Example 7-4 Verifying Static Addresses Associated with Interfaces

SW1#show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0050.b607.657a    SecureSticky                  Fa0/1        -
  10    0800.275d.06d6    SecureConfigured              Fa0/1        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192

Example 7-5 Verifying MAC Address of PC

PC1#ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : pc1
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter PC1 Lab:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
   Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
   Dhcp Enabled. . . . . . . . . . . : No
...output omitted...

Maximum Number of MAC Addresses Reached

By default, when port security is enabled, only one MAC address will be allowed. Therefore, if you need more than one MAC address, you have to specify the number with the switchport port-security maximum number command, as shown in Example 7-6. In this case, the maximum number was set to 2 so that two devices could communicate through the interface.

Example 7-6 Identifying the Maximum Number of MAC Addresses Allowed

SW1#show running-config interface fastEthernet 0/1
Building configuration...

Current configuration : 456 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d6

You can verify the maximum number of MAC addresses allowed on an interface with the show port-security and show port-security interface interface_type interface_number commands, as shown in Example 7-7. As shown in Example 7-7, two MACs are allowed, and two have been learned.

Example 7-7 Identifying the Maximum Number of MAC Addresses Allowed

SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192

SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0800.275d.06d6:10
Security Violation Count   : 0

Legitimate Users Being Blocked Because of Violation

You need to make sure that you have the correct number of MAC addresses specified. If the number is not correct, a violation will occur if more than the specified number of MAC addresses are seen on the port. The violation will occur regardless of the additional MAC addresses being accidental or malicious. Three different violations exist:

■ Protect: Any frame from the MAC addresses in violation is dropped without a notification, and the violation count is not incremented.
■ Restrict: Any frame from the MAC addresses in violation is dropped, and log messages are generated.
■ Shutdown: When a violation occurs, the port is placed in the err-disabled state, and any frame from any MAC address will be dropped. In addition, log messages are generated.

Tip You can remember that these get more severe in alphabetic order (P/R/S) (drop/drop&alert/shutdown&alert).

You can verify whether there is a violation by using the show port-security and show port-security interface interface_type interface_number commands, as shown in Example 7-8. In this case, there is currently no violation. However, if there were, the security violation count would increment, and because the violation mode is Restrict, log messages will be generated.
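The static-address comparison between the Secure Mac Address Table (Example 7-4) and the PC's ipconfig /all output (Example 7-5) can be automated. The following Python check is an added example, not part of the book; its inputs are constructed samples in the format of those two examples, and the Windows dash-separated MAC is normalized to the dotted form IOS prints before the comparison.

```python
import re

# Constructed sample of show port-security address output, following Example 7-4.
SECURE_TABLE = """\
SW1#show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0050.b607.657a    SecureSticky                  Fa0/1        -
  10    0800.275d.06d6    SecureConfigured              Fa0/1        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192
"""

# Constructed ipconfig /all excerpts: the PC documented in Example 7-5 and a
# replacement PC whose adapter, and therefore whose MAC, is different.
OLD_PC = "   Physical Address. . . . . . . . . : 08-00-27-5D-06-D6"
NEW_PC = "   Physical Address. . . . . . . . . : 08-00-27-A2-CE-47"

ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"\s+(?P<type>Secure\w+)\s+(?P<port>\S+)")
PHYS_RE = re.compile(r"Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})")


def normalize_mac(mac):
    """Convert 08-00-27-5D-06-D6, 08:00:27:5d:06:d6 or 0800.275d.06d6 to Cisco dotted form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def parse_secure_table(text):
    """Rows of the Secure Mac Address Table as dicts with vlan, mac, type and port."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # header, separator and total lines do not start with a VLAN number
            rows.append({"vlan": int(m["vlan"]), "mac": m["mac"].lower(),
                         "type": m["type"], "port": m["port"]})
    return rows


def pc_mac_from_ipconfig(text):
    """Pull the Physical Address out of Windows ipconfig /all output."""
    m = PHYS_RE.search(text)
    if not m:
        raise ValueError("no Physical Address line found")
    return normalize_mac(m.group(1))


def check_pc_against_port(rows, port, vlan, ipconfig_text):
    """Compare the PC's MAC with the secure addresses the switch holds for its port.

    Returns one of:
      ("ok", entry)             the MAC is a secure address on that port and VLAN
      ("vlan-mismatch", entry)  the MAC is secured on the port but for another VLAN
      ("stale-static", entries) the PC is unknown and a SecureConfigured entry exists,
                                i.e. the static MAC was not updated for the new PC
      ("not-secured", entries)  the PC is unknown and no static entry explains it
    """
    wanted = pc_mac_from_ipconfig(ipconfig_text)
    on_port = [r for r in rows if r["port"] == port]
    for r in on_port:
        if r["mac"] == wanted:
            return ("ok", r) if r["vlan"] == vlan else ("vlan-mismatch", r)
    static = [r for r in on_port if r["type"] == "SecureConfigured"]
    return ("stale-static", static) if static else ("not-secured", on_port)


if __name__ == "__main__":
    rows = parse_secure_table(SECURE_TABLE)
    print(check_pc_against_port(rows, "Fa0/1", 10, OLD_PC)[0])  # ok
    print(check_pc_against_port(rows, "Fa0/1", 10, NEW_PC)[0])  # stale-static
```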

Example 7-8 Identifying Security Violations

SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192

SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0800.275d.06d6:10
Security Violation Count   : 0

If the violation mode is set to shutdown, and a violation occurs, the port status is Secure-shutdown and placed in the err-disable state, as shown in Example 7-9, and as displayed in the following syslog messages:

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.27a2.ce47 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

Example 7-9 Example Port That Has Been Shut Down and Placed in the Err-Disable State

SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0800.27a2.ce47:10
Security Violation Count   : 1

To verify ports that are in the err-disabled state, use the command show interfaces status, as shown in Example 7-10. As you can see, Fa0/1 is in the err-disabled state. You can also use the show interface interface_type interface_number command. However, it does not tell you what caused the err-disabled state. Example 7-11 displays all the different services that can cause a port to go into the err-disabled state. Notice that they are all enabled by default and that port security is one of them (psecure-violation).

Example 7-10 Identifying Ports in the Err-Disabled State

SW1#show interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        err-disabled 10           auto   auto 10/100BaseTX
Fa0/2                        connected    10         a-full  a-100 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/4                        notconnect   1            auto   auto 10/100BaseTX
Fa0/5                        notconnect   1            auto   auto 10/100BaseTX
Fa0/6                        notconnect   1            auto   auto 10/100BaseTX
...output omitted...

SW1#show interfaces fastEthernet 0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 081f.f34e.b801 (bia 081f.f34e.b801)
...output omitted...

Example 7-11 Identifying Which Services Are Enabled for Err-Disable

SW1#show errdisable detect
ErrDisable Reason            Detection Mode
-----------------            --------------
arp-inspection               Enabled  port
bpduguard                    Enabled  port
channel-misconfig (STP)      Enabled  port
community-limit              Enabled  port
dhcp-rate-limit              Enabled  port
dtp-flap                     Enabled  port
gbic-invalid                 Enabled  port
iif-reg-failure              Enabled  port
inline-power                 Enabled  port
invalid-policy               Enabled  port
link-flap                    Enabled  port
loopback                     Enabled  port
lsgroup                      Enabled  port
mac-limit                    Enabled  port
pagp-flap                    Enabled  port
port-mode-failure            Enabled  port
pppoe-ia-rate-limit          Enabled  port
psecure-violation            Enabled  port/vlan
security-violation           Enabled  port
sfp-config-mismatch          Enabled  port
sgacl_limitation             Enabled  port
small-frame                  Enabled  port
storm-control                Enabled  port
udld                         Enabled  port
vmps                         Enabled  port
psp                          Enabled  port

The best way to determine why a port is in the err-disabled state is to review syslog messages. Make sure that logging to the console or terminal lines is enabled, and do not forget about the terminal monitor command if you are using Telnet or Secure Shell (SSH). They are listed as severity level 4, and the mnemonic is ERR_DISABLE. In this case, the message text clearly states it was caused by a port security violation.

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state

Tip If for some reason you do not have access to the syslog messages, bounce (shut/noshut) the interface that is err-disabled. By doing so, after the interface is enabled, the error will be detected again, which will generate a syslog message, and you can see that the port was err-disabled due to a port security violation. This process is shown in Example 7-12.

Example 7-12 Bouncing the Interface to Determine Why It Is Err-Disabled

SW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface fastEthernet 0/1
SW1(config-if)#shut
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
SW1(config-if)#no shut
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
SW1(config-if)#
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.27a2.ce47 on port FastEthernet0/1.
SW1(config-if)#
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
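As an added example (not from the book), the following Python triage reads syslog lines like the ones above and pairs each %PM-4-ERR_DISABLE message, which names the interface and the cause, with the %PORT_SECURITY-2-PSECURE_VIOLATION message that names the offending MAC. The log excerpt is constructed from the messages quoted in this section plus a bpduguard event on a constructed interface Gi0/7, so that the two causes are kept apart.

```python
import re

# Constructed syslog excerpt built from the messages quoted in this section,
# plus one unrelated err-disable event (bpduguard on Gi0/7) for the triage to separate.
SYSLOG = """\
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0800.27a2.ce47 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
%PM-4-ERR_DISABLE: bpduguard error detected on Gi0/7, putting Gi0/7 in err-disable state
"""

# IOS message format: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"^%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)$")
ERRDISABLE_RE = re.compile(r"(?P<cause>[\w-]+) error detected on (?P<intf>[^,\s]+), putting")
PSECURE_RE = re.compile(r"caused by MAC address (?P<mac>[0-9a-f.]+) on port (?P<intf>[A-Za-z]+[\d/]+)")

SHORT_NAMES = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}


def short_name(intf):
    """FastEthernet0/1 -> Fa0/1, the abbreviated form the PM facility logs."""
    m = re.match(r"([A-Za-z]+)([\d/]+)$", intf)
    if not m:
        return intf
    return SHORT_NAMES.get(m.group(1), m.group(1)) + m.group(2)


def triage_errdisable(log):
    """Return {interface: {"cause", "severity", "mac"}} for every err-disabled interface.

    The PM facility says which interface was disabled and why (severity 4, mnemonic
    ERR_DISABLE); for port security the PORT_SECURITY facility adds the offending MAC
    in a separate message that uses the long interface name, so the two are joined here.
    """
    events = {}
    for line in log.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        if m["mnemonic"] == "ERR_DISABLE":
            e = ERRDISABLE_RE.search(m["text"])
            if e:
                events[e["intf"]] = {"cause": e["cause"], "severity": int(m["severity"]), "mac": None}
        elif m["mnemonic"] == "PSECURE_VIOLATION":
            p = PSECURE_RE.search(m["text"])
            if p:
                intf = short_name(p["intf"])
                events.setdefault(intf, {"cause": "psecure-violation", "severity": None, "mac": None})
                events[intf]["mac"] = p["mac"]
    return events


if __name__ == "__main__":
    for intf, info in triage_errdisable(SYSLOG).items():
        print(intf, info)
```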

as shown in Example 7-14. Example 7-14 Enabling the Err-Disable Recovery Feature SW1(config)#errdisable recovery cause ? all Enable timer to recover from all error causes arp-inspection Enable timer to recover from arp inspection error disable state bpduguard Enable timer to recover from BPDU Guard error From the Library of Outcast Outcast . issue the errdisable recov- ery cause service/feature global configuration command. Therefore. This example displays all the different options available on a Catalyst 2960 switch. Example 7-13 Verifying the Err-Disable Recovery Feature SW1#show errdisable recovery ErrDisable Reason Timer Status ----------------.258 CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide If you are relying on the err-disable recovery feature to enable interfaces once the viola- Key Topic tion is no longer detected. if you need to use it. as shown in Example 7-13. Notice that the err-disable recovery feature is disabled by default for all the different services and features. it has to be manually enabled by you. -------------- arp-inspection Disabled bpduguard Disabled channel-misconfig (STP) Disabled dhcp-rate-limit Disabled dtp-flap Disabled gbic-invalid Disabled inline-power Disabled link-flap Disabled mac-limit Disabled loopback Disabled pagp-flap Disabled port-mode-failure Disabled pppoe-ia-rate-limit Disabled psecure-violation Disabled security-violation Disabled sfp-config-mismatch Disabled small-frame Disabled storm-control Disabled udld Disabled vmps Disabled psp Disabled Timer interval: 300 seconds Interfaces that will be enabled at the next timeout: To enable err-disable recovery for a specific feature or service. you can verify the status of the feature with the show errdis- able recovery command.

  channel-misconfig (STP)  Enable timer to recover from channel misconfig error
  dhcp-rate-limit          Enable timer to recover from dhcp-rate-limit error
  dtp-flap                 Enable timer to recover from dtp-flap error
  gbic-invalid             Enable timer to recover from invalid GBIC error
  inline-power             Enable timer to recover from inline-power error
  link-flap                Enable timer to recover from link-flap error
  loopback                 Enable timer to recover from loopback error
  mac-limit                Enable timer to recover from mac limit disable state
  pagp-flap                Enable timer to recover from pagp-flap error
  port-mode-failure        Enable timer to recover from port mode change failure
  pppoe-ia-rate-limit      Enable timer to recover from PPPoE IA rate-limit error
  psecure-violation        Enable timer to recover from psecure violation error
  psp                      Enable timer to recover from psp
  security-violation       Enable timer to recover from 802.1x violation error
  sfp-config-mismatch      Enable timer to recover from SFP config mismatch error
  small-frame              Enable timer to recover from small frame error
  storm-control            Enable timer to recover from storm-control error
  udld                     Enable timer to recover from udld error
  vmps                     Enable timer to recover from vmps shutdown error

When using the err-disable recovery feature, you have an extra piece of information you can use. Suppose, for instance, that you enable it for port security, as shown in Example 7-15. At the bottom of the show errdisable recovery output, information identifies what interface is err-disabled and why. It also indicates how much time is left until the port is automatically enabled. If the violation still exists at that point, it will be err-disabled again. This makes it easier for you to troubleshoot what caused the port to be err-disabled.

Example 7-15 Verifying the Err-Disable Reason

SW1#show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
link-flap                    Disabled
mac-limit                    Disabled
loopback                     Disabled
pagp-flap                    Disabled

port-mode-failure            Disabled
pppoe-ia-rate-limit          Disabled
psecure-violation            Enabled
security-violation           Disabled
sfp-config-mismatch          Disabled
small-frame                  Disabled
storm-control                Disabled
udld                         Disabled
vmps                         Disabled
psp                          Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
---------      -----------------      --------------
Fa0/1          psecure-violation      85

Running Configuration Not Saved to Startup Configuration

This is pretty obvious: If you fail to save the running configuration to the NVRAM, the port security configuration will no longer be available when the switch reboots. However, many administrators who use the port security sticky feature forget about saving the configuration when a new PC is added. The sticky feature allows the switch to dynamically learn MAC addresses and then place the MAC address in the configuration just like they had been statically configured. Example 7-16 displays the port security sticky configuration on a switch. Notice how the sticky feature was enabled with the switchport port-security mac-address sticky command. Once the MAC address 0050.b607.657a was learned by the switch on interface Fast Ethernet 0/1, the switch placed it in the configuration with the switchport port-security mac-address sticky 0050.b607.657a command. You now need to save the configuration; otherwise, the sticky-learned MAC address will not be in the configuration if the switch reboots.

Example 7-16 Port Security Sticky Configuration

SW1#show running-config interface fastEthernet 0/1
Building configuration...

Current configuration : 456 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security

 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d6

Port Security Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 7-1.

[Figure 7-1 Port Security Trouble Ticket Topology: PC1 on Fa0/1 and PC2 on Fa0/2 of SW1, both in VLAN 10; SW1 uplink on Gi0/1]

Trouble Ticket 7-1

Problem: It is Monday morning, and the user on PC1 has called you indicating that she is not able to access any network resources. You ask her when the last time it was that she was able to access resources. She indicates that it was 2 weeks ago, before she went on vacation. This leads you to examine the change control documentation to determine whether any configuration changes were done in the past 2 weeks. You notice that port security was added to all access ports on SW1. Therefore, you decide to start your troubleshooting process by examining the port security configuration on SW1. According to documentation, PC1 is connected to Fa0/1. You issue the command show port-security, as shown in Example 7-17, and notice that Fa0/1 is enabled for port security and that there is a security violation count of 1.

Example 7-17 Verifying Port Security on Fa0/1

SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  1         Shutdown
      Fa0/2              2            2                  0         Shutdown

      Fa0/3              2            0                  0         Shutdown
      Fa0/4              2            0                  0         Shutdown
      Fa0/5              2            0                  0         Shutdown
      Fa0/6              2            0                  0         Shutdown
      Fa0/7              2            0                  0         Shutdown
      Fa0/8              2            0                  0         Shutdown
      Fa0/9              2            0                  0         Shutdown
     Fa0/10              2            0                  0         Shutdown
     Fa0/11              2            0                  0         Shutdown
     Fa0/12              2            0                  0         Shutdown
     Fa0/13              2            0                  0         Shutdown
     Fa0/14              2            0                  0         Shutdown
     Fa0/15              2            0                  0         Shutdown
     Fa0/16              2            0                  0         Shutdown
     Fa0/17              2            0                  0         Shutdown
     Fa0/18              2            0                  0         Shutdown
     Fa0/19              2            0                  0         Shutdown
     Fa0/20              2            0                  0         Shutdown
     Fa0/21              2            0                  0         Shutdown
     Fa0/22              2            0                  0         Shutdown
     Fa0/23              2            0                  0         Shutdown
     Fa0/24              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 8192

To verify the status of port security for Fa0/1, you issue the command show port-security interface fastEthernet 0/1, as shown in Example 7-18. Port security is enabled, but it is in the Secure-shutdown state. The last MAC address that was received on the interface was 0800.275d.06d6 for VLAN 10.

Example 7-18 Verifying Port Security Status on Fa0/1

SW1#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0800.275d.06d6:10
Security Violation Count   : 1
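As an added example, not from the book: a Python script that parses the two outputs above (shortened copies of Examples 7-17 and 7-18 are embedded as constructed input), lists the ports whose violation counter is non-zero, and rewrites the last source address in the notation Windows ipconfig uses, so the switch's view and the host's view of a MAC address can be compared without transcription mistakes. The line-oriented parsing targets this output layout and is an assumption of the example, not a Cisco API.

```python
import re

# Constructed sample input: shortened copy of the show port-security output above
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            2                  1         Shutdown
      Fa0/2              2            2                  0         Shutdown
      Fa0/3              2            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 8192
"""

# Constructed sample input: shortened copy of show port-security interface output
SHOW_PORT_SECURITY_INTERFACE = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0800.275d.06d6:10
Security Violation Count   : 1
"""

PORT_ROW = re.compile(r"^\s*((?:Fa|Gi|Te)\S*)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
KEY_VALUE = re.compile(r"^(.*?)\s+:\s*(.*)$")


def parse_port_security_summary(text):
    """Rows of the summary table keyed by port name."""
    rows = {}
    for line in text.splitlines():
        m = PORT_ROW.match(line)
        if m:
            port, mx, cur, viol, action = m.groups()
            rows[port] = {"max": int(mx), "current": int(cur),
                          "violations": int(viol), "action": action}
    return rows


def violating_ports(text):
    """Ports whose SecurityViolation counter is non-zero."""
    return sorted(p for p, r in parse_port_security_summary(text).items()
                  if r["violations"] > 0)


def parse_port_security_interface(text):
    """Key/value fields of the per-interface output; the last source MAC and
    its VLAN are split out of the 'Last Source Address:Vlan' field."""
    fields = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    last = fields.get("Last Source Address:Vlan", "")
    if ":" in last:
        mac, vlan = last.rsplit(":", 1)
        fields["last_mac"], fields["last_vlan"] = mac, int(vlan)
    return fields


def normalize_mac(mac):
    """12 lowercase hex digits from Cisco (0800.275d.06d6), Windows
    (08-00-27-5D-06-D6) or colon notation, so addresses can be compared."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_formats(mac):
    """The same address written the way each tool displays it."""
    d = normalize_mac(mac)
    pairs = [d[i:i + 2] for i in range(0, 12, 2)]
    return {"cisco": f"{d[:4]}.{d[4:8]}.{d[8:]}",
            "windows": "-".join(pairs).upper(),
            "colon": ":".join(pairs)}


def triage(summary_text, interface_text, port):
    """One finding for a port: whether it is shut down, how many violations it
    has, and which source address last tripped it (in Windows form, ready to
    compare with the host's ipconfig /all output)."""
    summary = parse_port_security_summary(summary_text).get(port, {})
    detail = parse_port_security_interface(interface_text)
    return {"port": port,
            "secure_shutdown": detail.get("Port Status") == "Secure-shutdown",
            "violations": summary.get("violations", 0),
            "last_mac_windows": (mac_formats(detail["last_mac"])["windows"]
                                 if "last_mac" in detail else None),
            "last_vlan": detail.get("last_vlan")}
```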

Next you issue the show run interface fa0/1 command to verify the port security configuration on Fa0/1, as shown in Example 7-19. As shown in Example 7-19, it has been enabled, the maximum number of MAC addresses is set to 2, and there are 2 MAC addresses configured (one for the phone and one for PC1).

Example 7-19 Verifying Port Security Configuration on Fa0/1

SW1#show run interface fa0/1
Building configuration...

Current configuration : 352 bytes
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address 0050.b607.657a
 switchport port-security mac-address 0800.275d.06d7
 no lldp transmit
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
end

You decide to confirm the MAC addresses of the IP Phone and PC1. Starting with the PC, you issue the ipconfig /all command, as shown in Example 7-20. The MAC address of PC1 is 08-00-27-5D-06-D6, which happens to be the same MAC address that caused the violation shown in Example 7-18. Comparing the MAC address of PC1 to the addresses statically configured on Fa0/1 confirms that PC1's MAC address is not one of the addresses configured.

Example 7-20 Reviewing the MAC Address on PC1

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : pc1
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter PC1 Lab:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter

   Physical Address. . . . . . . . . : 08-00-27-5D-06-D6
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.180.166
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
...output omitted...

It appears that the static MAC address was misconfigured with a 7 at the end rather than a 6. After confirming that the IP Phone's MAC address is 0050.b607.657a, you conclude that the command switchport port-security mac-address 0050.b607.657a is correct but that the command switchport port-security mac-address 0800.275d.06d7 is not correct. You proceed to remove the incorrect static MAC address with the no switchport port-security mac-address 0800.275d.06d7 command and replace it with the MAC address of PC1. Example 7-21 provides the configuration that is needed to solve the issue.

Example 7-21 Solving the Issue by Configuring the Correct Static MAC Address

SW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface fastEthernet 0/1
SW1(config-if)#no switchport port-security mac-address 0800.275d.06d7
SW1(config-if)#switchport port-security mac-address 0800.275d.06d6

You confirm the port is still in the err-disabled state with the show interfaces status command. The output shown in Example 7-22 confirms it is.

Example 7-22 Confirming Fa0/1 Is in the Err-Disabled State

SW1#show interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        err-disabled 10         auto    auto 10/100BaseTX
Fa0/2                        connected    10         a-full  a-100 10/100BaseTX
Fa0/3                        notconnect   1          auto    auto 10/100BaseTX
Fa0/4                        notconnect   1          auto    auto 10/100BaseTX
...output omitted...

To recover from the err-disabled state, you bounce the interface by issuing the shutdown and then no shutdown commands. The interface successfully goes up/up, and you receive the following syslog messages:

%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

You confirm the problem is solved by accessing PC1 and pinging the default gateway at 10.1.1.1. It is successful, as shown in Example 7-23. The issue has been solved.

Example 7-23 Successful Ping from PC1 to Default Gateway

C:\>ping 10.1.1.1

Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128
Reply from 10.1.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Troubleshooting Spoof-Prevention Features

Features such as DHCP snooping, dynamic ARP inspection, and IP Source Guard are designed to protect your network from spoofing attacks against the Dynamic Host Configuration Protocol (DHCP) service, ARP, and IP addressing. This section explains what you should look for while troubleshooting these three security features.

DHCP Snooping

To prevent rogue DHCP servers from handing out IP addresses in your network, you can implement DHCP snooping. With DHCP snooping, you can define which interfaces will accept all DHCP messages and which interfaces will accept only Discover and Request DHCP messages. DHCP snooping also creates a binding table that keeps track of which devices are connected to which interfaces based on the IP addresses that were handed out by the DHCP server. This comes in handy with DAI and IP Source Guard, as you will see later.

What is required for DHCP snooping to operate successfully? Let's make a list:

■ DHCP snooping is enabled globally with the ip dhcp snooping command.
■ DHCP snooping is enabled for specific VLANs with the ip dhcp snooping vlan command.
■ Interfaces that need to accept all DHCP message types are configured as trusted with the ip dhcp snooping trust command.
■ All other interfaces need to be untrusted, which is the default.
■ If the DHCP server does not support option 82, it needs to be disabled on the switch with the no ip dhcp snooping information option command.

Take a moment to examine Example 7-24, which displays a sample DHCP snooping configuration.

Example 7-24 Sample DHCP Snooping Configuration

SW1#show run
...output omitted...
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping
...output omitted...
interface GigabitEthernet0/1
 ip dhcp snooping trust
interface GigabitEthernet0/2
 ip dhcp snooping trust
...output omitted...

To verify DHCP snooping, use the show ip dhcp snooping command, as shown in Example 7-25. You can verify whether it is enabled globally with the line that states Switch DHCP snooping is enabled. You can verify which VLANs are enabled and operational for DHCP snooping; in this case, it is only VLAN 10. You can verify whether option 82 is enabled or disabled. Finally, you can verify which interfaces are trusted, which interfaces are untrusted, and which interfaces have a DHCP rate limit applied. In this case, Gigabit Ethernet 0/1 and 0/2 are trusted interfaces, and all other interfaces that are not listed are automatically untrusted.

Example 7-25 Verifying DHCP Snooping

SW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 081f.f34e.b800 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet0/2         yes        yes             unlimited
  Custom circuit-ids:

To verify the bindings in the DHCP snooping database, issue the show ip dhcp snooping binding command, as shown in Example 7-26. In this example, the PC with the MAC address 08:00:27:5D:06:D6 is located out Fast Ethernet 0/1, which is part of VLAN 10, and has been assigned the IP address 10.1.1.10 from a DHCP server.

Example 7-26 Verifying DHCP Snooping Bindings

SW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
08:00:27:5D:06:D6   10.1.1.10        67720       dhcp-snooping  10    FastEthernet0/1
Total number of bindings: 1

Dynamic ARP Inspection

Dynamic ARP inspection (DAI) is used to prevent ARP spoofing attacks. It relies on DHCP snooping and the binding table that is created by it, because DAI uses the DHCP snooping binding table to identify appropriate IP address to MAC address bindings. Because of this, you need to be able to troubleshoot DHCP snooping issues when dealing with DAI issues. In addition, you have to be able to troubleshoot the commands related to DAI. For DAI to function, it needs to be enabled per VLAN with the ip arp inspection vlan command. In addition, interfaces where DAI should not be performed (where there are no DHCP snooping bindings) need to be configured as trusted interfaces with the ip arp inspection trust command. Refer to Example 7-27.

Example 7-27 Sample DAI Configuration

SW1#show run
...output omitted...
ip dhcp snooping vlan 10
ip arp inspection vlan 10
no ip dhcp snooping information option
ip dhcp snooping
...output omitted...
interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust
interface GigabitEthernet0/2
 ip dhcp snooping trust
 ip arp inspection trust
...output omitted...

When DAI detects an invalid ARP request or response on an untrusted interface, it will generate syslog messages with a severity level of 4 and the mnemonic DHCP_SNOOPING_DENY. In these syslog messages,

a device with the IP address 10.1.1.10 and a MAC of 0050.b607.657a is being denied because its ARPs are invalid, since the addresses do not match the addresses in the binding table.

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/1, vlan 10.([0050.b607.657a/10.1.1.10/2893.fe3a.e345/10.1.1.1/18:42:55 UTC Mon Mar 1 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 10.([0050.b607.657a/10.1.1.10/2893.fe3a.e345/10.1.1.1/18:43:15 UTC Mon Mar 1 1993])

IP Source Guard

IP Source Guard is used to prevent IP address spoofing. It relies on DHCP snooping and the binding table that is created by it. Because of this, you need to be able to troubleshoot DHCP snooping issues when dealing with IP Source Guard issues. In addition, you have to be able to identify issues related to IP Source Guard configurations. Notice in Example 7-28 that the same DHCP snooping configuration example is listed; however, on interface Fast Ethernet 0/1 (which connects to an end station), the ip verify source command has been added. This enables IP Source Guard on the interface. With the ip verify source command, you are filtering based on IP address only. If you want to include the MAC address with the IP address when verifying the source of packets, you issue the ip verify source port-security command.

Example 7-28 Sample IP Source Guard Configuration

SW1#show run
...output omitted...
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping
...output omitted...
interface FastEthernet0/1
 ip verify source
interface GigabitEthernet0/1
 ip dhcp snooping trust
interface GigabitEthernet0/2
 ip dhcp snooping trust
...output omitted...

You can verify which interfaces have IP Source Guard enabled with the show ip verify source command, as shown in Example 7-29. In this case, Fa0/1 on SW1 has been enabled with IP Source Guard, and packets with the source IP address 10.1.1.10 are the only ones allowed inbound on interface Fa0/1. Notice how the Mac-address column is blank and the Filter-type is IP. In Example 7-30, you can see that the MAC address is included now and the filter type is ip-mac.

Example 7-29 Verifying IP Source Guard (only IP)

SW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/1      ip           active       10.1.1.10                           10

Example 7-30 Verifying IP Source Guard (IP and MAC)

SW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/1      ip-mac       active       10.1.1.10        08:00:27:5D:06:D6  10

If you are using the ip-mac filter type, you need to have port security enabled on the interface, because the secure MAC addresses are used. If port security is not enabled, the specific MAC address will not be learned, and all MAC addresses will be permitted as a result, as shown in Example 7-31.

Example 7-31 IP MAC Filtering Without Port Security Enabled on Interface

SW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/1      ip-mac       active       10.1.1.10        08:00:27:5D:06:D6  10
Fa0/2      ip-mac       active       10.1.1.20        permit-all         10

Also, remember that IP Source Guard relies on DHCP snooping. Therefore, if there is no binding in the DHCP snooping database for the port, all traffic will be blocked for all IPs, as shown in Example 7-32. In this example, there is no DHCP snooping binding for Fa0/2 because it has a static IP configured. However, because IP Source Guard relies on DHCP snooping and there is no binding in the table, all ingress traffic on Fa0/2 will be denied.

Example 7-32 Fa0/2 Sourced Traffic Denied Because There Is No Binding

SW1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/1      ip-mac       active       10.1.1.10        08:00:27:5D:06:D6  10
Fa0/2      ip-mac       active       deny-all         permit-all         10

SW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
08:00:27:5D:06:D6   10.1.1.10        70453       dhcp-snooping  10    FastEthernet0/1
Total number of bindings: 1
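The DAI syslog messages and the show ip verify source output in this section both have to be read against the DHCP snooping binding table. As an added example, not from the book, the Python below parses the binding table, classifies each DHCP_SNOOPING_DENY message by how the sender's MAC/IP pair disagrees with the binding on that port and VLAN, and flags IP Source Guard rows that drop everything (deny-all) or accept any MAC (permit-all). The sample inputs are constructed copies of the binding table, the two syslog lines and the Example 7-32 output above; the message layout the regular expression expects is taken from those lines.

```python
import re

# Constructed sample inputs copied from the binding table, syslog lines and
# show ip verify source outputs discussed in this section.
BINDING_TABLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ---------------
08:00:27:5D:06:D6   10.1.1.10        70453       dhcp-snooping  10    FastEthernet0/1
Total number of bindings: 1
"""
DAI_SYSLOG = [
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/1, vlan 10."
    "([0050.b607.657a/10.1.1.10/2893.fe3a.e345/10.1.1.1/18:42:55 UTC Mon Mar 1 1993])",
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 10."
    "([0050.b607.657a/10.1.1.10/2893.fe3a.e345/10.1.1.1/18:43:15 UTC Mon Mar 1 1993])",
]
VERIFY_SOURCE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa0/1      ip-mac       active       10.1.1.10        08:00:27:5D:06:D6  10
Fa0/2      ip-mac       active       deny-all         permit-all         10
"""
# bracket contents: sender MAC / sender IP / target MAC / target IP / timestamp
DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (\d+) Invalid ARPs \((Req|Res)\) on ([^,]+), vlan (\d+)\."
    r"\(\[([0-9A-Fa-f.]+)/([\d.]+)/([0-9A-Fa-f.]+)/([\d.]+)/([^\]]+)\]\)")
SHORT = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}


def normalize_mac(mac):
    """12 lowercase hex digits whether written 0800.275d.06d6 or 08:00:27:5D:06:D6."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def short_ifname(name):
    """FastEthernet0/1 -> Fa0/1, the form syslog and show ip verify source use."""
    for long, short in SHORT.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_bindings(text):
    """Rows of show ip dhcp snooping binding with normalized MAC and interface."""
    rows = []
    for line in text.splitlines():
        w = line.split()
        if len(w) == 6 and w[3] == "dhcp-snooping":
            rows.append({"mac": normalize_mac(w[0]), "ip": w[1], "vlan": int(w[4]),
                         "interface": short_ifname(w[5])})
    return rows


def explain_dai_deny(line, bindings):
    """Parse one DHCP_SNOOPING_DENY message and say how it disagrees with the bindings."""
    m = DAI_DENY.search(line)
    if not m:
        return None
    _count, kind, intf, vlan, smac, sip, _tmac, tip, when = m.groups()
    vlan, smac = int(vlan), normalize_mac(smac)
    local = [b for b in bindings if b["interface"] == intf and b["vlan"] == vlan]
    if not local:
        verdict = "no-binding"      # nothing was ever leased on this port/VLAN
    elif any(b["mac"] == smac and b["ip"] == sip for b in local):
        verdict = "consistent"      # pair matches; look elsewhere for the cause
    elif any(b["ip"] == sip for b in local):
        verdict = "mac-mismatch"    # the IP was leased to a different MAC
    else:
        verdict = "ip-mismatch"     # this MAC never received that IP here
    return {"kind": kind, "interface": intf, "vlan": vlan, "sender_mac": smac,
            "sender_ip": sip, "target_ip": tip, "time": when, "verdict": verdict}


def source_guard_findings(text, bindings):
    """Flag show ip verify source rows that drop everything or accept any MAC."""
    bound = {(b["interface"], b["vlan"]) for b in bindings}
    findings = {}
    for line in text.splitlines():
        w = line.split()
        if len(w) < 5 or w[1] not in ("ip", "ip-mac"):
            continue
        intf, ftype, ip, mac, vlan = w[0], w[1], w[3], w[-2], int(w[-1])
        issues = []
        if ip == "deny-all":
            issues.append("deny-all")         # no binding: all ingress is dropped
        if (intf, vlan) not in bound:
            issues.append("no-binding")
        if ftype == "ip-mac" and mac == "permit-all":
            issues.append("permit-all-mac")   # MAC not learned: port security missing
        if issues:
            findings[intf] = issues
    return findings
```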

Spoof-Prevention Features Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 7-2.

[Figure 7-2 Spoof-Prevention Features Trouble Ticket Topology: PC1 through PC4 on Fa0/1 through Fa0/4 of ASW1; ASW1 Gi0/1 connects to DSW1 Gi1/0/1 carrying VLAN 10 and 20; the DHCP server for VLAN 10 and 20 connects to DSW1 Gi1/0/24; DSW1 hosts SVI VLAN10 10.1.10.1 and SVI VLAN20 10.1.20.1; VLAN 10 is 10.1.10.0/24 and VLAN 20 is 10.1.20.0/24]

Trouble Ticket 7-2

Problem: A junior administrator has approached you for assistance with a trouble ticket that she is having an issue with. The trouble ticket indicates that users in VLAN 10 are not able to access any resources outside their own subnet. They have verified that the clients receive their IP addressing information via a DHCP server. However, they are confused as to why they would be receiving the default gateway address of 10.1.10.100 when documentation shows that the default gateway should be configured as 10.1.10.1. They also indicate that they verified the DHCP pool on the DHCP server and that the default gateway address for the VLAN 10 pool is configured for 10.1.10.1.

To assist with the issue, you decide to connect your laptop to Fast Ethernet 0/24 on ASW1. This is the port on ASW1 that is used as the Switched Port Analyzer (SPAN) destination port. You configure ASW1, as shown in Example 7-33, so that all traffic sent or received by Fa0/1 is captured and sent to Fa0/24, where your laptop is connected and running packet-capturing software.

Example 7-33 Configuring a SPAN Session on ASW1

ASW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
ASW1(config)#monitor session 1 source interface fastEthernet 0/1 both
ASW1(config)#monitor session 1 destination interface fastEthernet 0/24

You access PC1 and issue the ipconfig /renew command to trigger the DHCP process so that you can identify who is providing the IP addressing. The DHCP packets between the server and PC1 are successfully copied by SPAN to your laptop running packet-capturing software, which is connected to Fa0/24. You review the DHCP offer message in your packet-capture software and notice that it is sourced from IP 10.1.10.34 and MAC 28:93:fe:3a:e3:45. Using the show mac address-table dynamic address 28:93:fe:3a:e3:45 command to follow the path, you verify that the device with that MAC address is reachable out Fa0/17, as shown in Example 7-34. You review your network documentation and trace the port to a PC that is being used for study purposes by an employee who has enabled DHCP and just happened to use the same network that VLAN 10 is using in the production network. You have identified the problem. You ask the employee to disable the DHCP server, and she does. To update all the client PCs, you issue the ipconfig /renew command on all of them. They receive the correct default gateway of 10.1.10.1 now. The issue is solved.

Example 7-34 Renewing a DHCP Address

ASW1#show mac address-table dynamic address 28:93:fe:3a:e3:45
          Mac Address Table
-------------------------------------------
Vlan    Mac Address          Type        Ports
----    -----------          --------    -----
  10    28:93:fe:3a:e3:45    DYNAMIC     Fa0/17
Total Mac Addresses for this criterion: 1

However, this issue should have never happened. Your network is configured with DHCP snooping, DAI, and IP Source Guard. Therefore, you decide to dig deeper. You decide to issue the show ip dhcp snooping command on ASW1 to verify the DHCP snooping configuration, as shown in Example 7-35. Based on the output, DHCP snooping is enabled globally, it is enabled for VLAN 20, information option 82 is disabled, and Gig0/1 is trusted. DHCP snooping has not been enabled for VLAN 10. As a result, the DHCP server that was configured on Fa0/17 is able to hand out DHCP addresses on the network. By your enabling of DHCP snooping for VLAN 10, Fa0/17 would become an untrusted port by default and prevent DHCP Offers and Acks from being accepted inbound.

Example 7-35 Reviewing the DHCP Snooping Configuration

ASW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20
DHCP snooping is operational on following VLANs:
20
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 001c.57fe.f600 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:

To fix the DHCP snooping configuration, you issue the ip dhcp snooping vlan 10 command in global configuration mode, as shown in Example 7-36.

Example 7-36 Configuring DHCP Snooping for VLAN 10

ASW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
ASW1(config)#ip dhcp snooping vlan 10

You verify the configuration with the show ip dhcp snooping command again and confirm that VLAN 10 is now enabled for DHCP snooping, as shown in Example 7-37.

Example 7-37 Verifying DHCP Snooping Is Enabled for VLAN 10

ASW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20
DHCP snooping is operational on following VLANs:
10,20
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 001c.57fe.f600 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:
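Both the DHCP snooping checklist given earlier in this chapter and Trouble Ticket 7-2 come down to comparing show ip dhcp snooping against what the design expects, so the following Python audit is an added example, not from the book, that does that comparison and reports every deviation. The inputs are shortened, constructed copies of Examples 7-35 and 7-37; the expected VLAN set, the expected trusted ports and whether the DHCP server supports option 82 are assumptions the caller supplies.

```python
import re

# Constructed sample inputs: shortened copies of Example 7-35 (before the fix)
# and Example 7-37 (after it).
SNOOPING_BEFORE = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20
DHCP snooping is operational on following VLANs:
20
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: 001c.57fe.f600 (MAC)
Option 82 on untrusted port is not allowed
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
  Custom circuit-ids:
"""
SNOOPING_AFTER = SNOOPING_BEFORE.replace("VLANs:\n20", "VLANs:\n10,20")

VLAN_LIST = re.compile(r"^[\d,\-\s]+$")
IFACE = re.compile(r"^(?:Fast|Gigabit|TenGigabit)Ethernet\S+|^Port-channel\d+")


def expand_vlans(spec):
    """'10,20-22' -> {10, 20, 21, 22}; handles the range syntax IOS prints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_dhcp_snooping(text):
    """Pull the facts the checklist cares about out of show ip dhcp snooping."""
    state = {"global": False, "configured": set(), "operational": set(),
             "option82_inserted": None, "interfaces": {}}
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("Switch DHCP snooping is"):
            state["global"] = line.endswith("enabled")
        elif "VLANs:" in line:
            key = "operational" if "operational" in line else "configured"
            spec = line.split("VLANs:", 1)[1].strip()
            # IOS prints the list on the next line; accept either layout
            nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
            if not spec and nxt and VLAN_LIST.match(nxt):
                spec = nxt
            state[key] = expand_vlans(spec)
        elif line.startswith("Insertion of option 82"):
            state["option82_inserted"] = line.endswith("enabled")
        elif IFACE.match(line):
            name, trusted, allow, rate = line.split()[:4]
            state["interfaces"][name] = {"trusted": trusted == "yes",
                                         "allow_option": allow == "yes",
                                         "rate_limit": rate}
    return state


def audit_dhcp_snooping(text, expected_vlans, expected_trusted, server_does_option82):
    """Compare the parsed state with the checklist; an empty list means no deviation."""
    s = parse_dhcp_snooping(text)
    findings = []
    if not s["global"]:
        findings.append("DHCP snooping is not enabled globally (ip dhcp snooping)")
    for v in sorted(expected_vlans - s["configured"]):
        findings.append(f"VLAN {v} is not configured for DHCP snooping (ip dhcp snooping vlan {v})")
    for v in sorted((expected_vlans & s["configured"]) - s["operational"]):
        findings.append(f"VLAN {v} is configured but not operational")
    for name in sorted(expected_trusted):
        if not s["interfaces"].get(name, {}).get("trusted"):
            findings.append(f"{name} is not trusted (ip dhcp snooping trust)")
    for name, info in sorted(s["interfaces"].items()):
        if info["trusted"] and name not in expected_trusted:
            findings.append(f"{name} is trusted but is not a known DHCP server or uplink port")
    if s["option82_inserted"] and not server_does_option82:
        findings.append("option 82 insertion is enabled but the server does not support it "
                        "(no ip dhcp snooping information option)")
    return findings
```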

Troubleshooting Access Control

Access control between devices within the same VLAN/subnet can be implemented using features such as protected ports, private VLANs, and VLAN access control lists (VACLs). Because the devices are in the same VLAN/subnet that you are trying to filter traffic to or from, regular router-based ACLs that are applied to router interfaces will not filter this traffic. This is because that traffic is never sent to the router interface. It stays within the local subnet/VLAN between the Layer 2 switchports. Therefore, for security reasons, you rely on protected ports, private VLANs, and VACLs, which are used to filter traffic between devices within the same subnet/VLAN. This section explains what is involved when troubleshooting issues related to protected ports, private VLANs, and VACLs.

Protected Ports

The purpose of a protected port is to deny all traffic from flowing between devices connected to two interfaces in the same VLAN on the same switch. Keep in mind that a protected port can only communicate with ports that are not protected ports. If traffic arrives inbound on a protected port, it will not be forwarded if the egress port is also a protected port. Figure 7-3 displays an access layer switch with PC1 and PC2 connected to it on Fa0/1 and Fa0/2. Both ports are members of VLAN 10. Example 7-38 displays the interface configuration command switchport protected that is used to configure the ports as protected. Therefore, traffic is not allowed to flow between Fa0/1 and Fa0/2.

[Figure 7-3 Protected Ports: PC1 on Fa0/1 and PC2 on Fa0/2 of SW1, both in VLAN 10; SW1 uplink on Gi0/1]

When dealing with protected ports, you are usually dealing with the following issues:

■ Traffic is flowing between two interfaces when it should not be.
■ Traffic is not flowing between two interfaces when it should be.

Therefore, when troubleshooting protected ports, both these issues would be the result of a misconfiguration. For instance, if two devices are able to communicate when they should not, it might be because one port is a protected port and the other is not a protected port when it should be.

Example 7-38 Sample Protected Port Configuration

SW1#show run interface fastEthernet 0/1
...output omitted...
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport protected
end

SW1#show run interface fastEthernet 0/2
...output omitted...
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport protected
end

Besides using the running configuration to verify protected ports, you can use the command show interfaces interface_type interface_number switchport to verify whether a port is configured as a protected port, as shown in Example 7-39. In the output for Fa0/1, it states Protected: true, which means Fa0/1 is a protected port.

Example 7-39 Verifying Protected Ports

SW1#show interfaces fastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (10.1.1.0/26)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Private VLANs

Private VLANs (PVLAN) take the protected port concept further by enabling you to control which ports in the same VLAN can communicate with each other and which ports cannot. This is accomplished by grouping ports together in secondary VLANs that are members of a Private VLAN. Refer to Figure 7-4, which will be used for our PVLAN examples. DNS1 and DNS2 are in the secondary community VLAN of 501, which is within the primary VLAN 200. FS1 and FS2 are in the secondary isolated VLAN 502, which is within the primary VLAN 200. Therefore, based on the rules of PVLANs, the following are true:

■ DNS1 and DNS2 are able to communicate with each other because they are members of the same community VLAN.
■ FS1 and FS2 are not able to communicate with each other because they are members of an isolated VLAN.
■ DNS1 and DNS2 are not able to communicate with FS1 and FS2 because DNS1 and DNS2 are members of a community VLAN and FS1 and FS2 are members of an isolated VLAN.
■ DNS1, DNS2, FS1, and FS2 are able to communicate out to the cloud because Gi1/0/10 is the promiscuous port.

Just like protected ports, when troubleshooting PVLANs, you are usually dealing with the following issues:

■ Traffic is flowing between two interfaces when it should not be.
■ Traffic is not flowing between two interfaces when it should be.

Therefore, both these issues would be the result of a misconfiguration.

Figure 7-4 PVLANs (figure: primary VLAN 200 on SW2; secondary community VLAN 501 with DNS1 on Gi1/0/21 and DNS2 on Gi1/0/22; secondary isolated VLAN 502 with FS1 on Gi1/0/23 and FS2 on Gi1/0/24; Gi1/0/10 is the promiscuous port toward SW1)

To successfully troubleshoot PVLANs, you need to remember the following PVLAN rules:

■ Community ports can communicate with other community ports in the same community.
■ Community ports cannot communicate with other community ports in a different community.
■ Community ports cannot communicate with isolated ports and vice versa.
■ Isolated ports cannot communicate with other isolated ports.
■ Community and isolated ports can communicate with the promiscuous port.

Example 7-40 displays the commands required to successfully implement the PVLANs in Figure 7-4. First, unless you are using Virtual Trunking Protocol (VTP) Version 3, the VTP mode has to be transparent or off. VTP Versions 1 and 2 cannot carry PVLAN information like VTPv3. The primary VLAN needs to be identified with the private-vlan primary command and associated with the secondary VLANs with the private-vlan association command. In addition, the secondary community VLAN needs to be identified with the private-vlan community command, and the secondary isolated VLAN needs to be identified with the private-vlan isolated command. After the VLANs have been identified, you can associate the ports on the switch with the appropriate VLANs. To associate a port with a secondary VLAN, you use the switchport private-vlan host-association primary_vlan secondary_vlan command in interface configuration mode along with the command switchport mode private-vlan host. In this example, Gig1/0/10 is the promiscuous port for the secondary VLANs 501 and 502 that are mapped to the primary VLAN 200, as identified by the commands switchport private-vlan mapping 200 501-502 and switchport mode private-vlan promiscuous.

Example 7-40 PVLAN Configuration Example

    SW2#show run
    ...output omitted...
    !
    vtp mode transparent
    !
    vlan 200
      private-vlan primary
      private-vlan association 501-502
    !
    vlan 501
      private-vlan community
    !
    vlan 502
      private-vlan isolated
    !
    ...output omitted...
    !
    interface GigabitEthernet1/0/10
     switchport private-vlan mapping 200 501-502
     switchport mode private-vlan promiscuous
    !
    ...output omitted...
    !
    interface GigabitEthernet1/0/21
     switchport private-vlan host-association 200 501
     switchport mode private-vlan host
    !
    interface GigabitEthernet1/0/22
     switchport private-vlan host-association 200 501
     switchport mode private-vlan host
    !
    interface GigabitEthernet1/0/23
     switchport private-vlan host-association 200 502
     switchport mode private-vlan host
    !
    interface GigabitEthernet1/0/24
     switchport private-vlan host-association 200 502
     switchport mode private-vlan host
    !
    ...output omitted...
    end

The only way to determine from this output that the interface is in the correct secondary VLAN is to examine the switchport private-vlan host-association primary_vlan secondary_vlan command and compare the secondary VLAN ID to the VLAN configuration information. For example, if you compare the secondary VLAN ID of 502 in the command switchport private-vlan host-association 200 502 of interface Gig1/0/23 with the VLAN 502 configuration, you will notice that VLAN 502 is an isolated VLAN.
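The PVLAN rules and the checks described above, as an added example that is not part of the book: a small Python 3 model of the SW2 configuration in Example 7-40 that audits the prerequisites (VTP mode, VLAN associations, host associations, promiscuous mapping) and applies the five rules to any pair of ports, so a misconfiguration can be found by comparing the computed reachability with Figure 7-4. Port and VLAN numbers come from the page; the data structure, the helper names and the assumption that two promiscuous ports reach each other are mine.

```python
from dataclasses import dataclass, field


@dataclass
class PvlanConfig:
    """The PVLAN-relevant lines of a switch running-config (constructed model)."""
    vtp_mode: str                                        # transparent, off, server, or client
    vtp_version: int = 2                                 # VTPv1/v2 cannot carry PVLAN information
    primary: dict = field(default_factory=dict)          # primary VLAN -> set of associated secondaries
    secondary_type: dict = field(default_factory=dict)   # secondary VLAN -> "community" | "isolated"
    host_ports: dict = field(default_factory=dict)       # port -> (primary, secondary) host-association
    promisc_ports: dict = field(default_factory=dict)    # port -> (primary, set of mapped secondaries)


def sw2_example_7_40():
    """SW2 as configured in Example 7-40 / Figure 7-4."""
    return PvlanConfig(
        vtp_mode="transparent",
        primary={200: {501, 502}},
        secondary_type={501: "community", 502: "isolated"},
        host_ports={"Gi1/0/21": (200, 501), "Gi1/0/22": (200, 501),
                    "Gi1/0/23": (200, 502), "Gi1/0/24": (200, 502)},
        promisc_ports={"Gi1/0/10": (200, {501, 502})},
    )


def audit(cfg):
    """Return the configuration problems a troubleshooter would look for first."""
    problems = []
    if cfg.vtp_version < 3 and cfg.vtp_mode not in ("transparent", "off"):
        problems.append(f"VTP mode is {cfg.vtp_mode}: with VTPv{cfg.vtp_version} it must be transparent or off")
    for pri, secs in cfg.primary.items():
        for sec in secs:
            if sec not in cfg.secondary_type:
                problems.append(f"VLAN {sec} is associated with primary {pri} but not declared community or isolated")
    for port, (pri, sec) in cfg.host_ports.items():
        if sec not in cfg.primary.get(pri, set()):
            problems.append(f"{port}: secondary VLAN {sec} is not associated with primary VLAN {pri}")
    for port, (pri, secs) in cfg.promisc_ports.items():
        missing = secs - cfg.primary.get(pri, set())
        if missing:
            problems.append(f"{port}: mapping names unassociated secondary VLAN(s) {sorted(missing)}")
    return problems


def role(cfg, port):
    """('promiscuous', primary, mapped secondaries) or ('community'|'isolated', primary, secondary)."""
    if port in cfg.promisc_ports:
        pri, secs = cfg.promisc_ports[port]
        return ("promiscuous", pri, secs)
    if port in cfg.host_ports:
        pri, sec = cfg.host_ports[port]
        return (cfg.secondary_type.get(sec, "unknown"), pri, sec)
    return None


def can_communicate(cfg, a, b):
    """Apply the PVLAN rules from the text to two ports of the same switch."""
    ra, rb = role(cfg, a), role(cfg, b)
    if ra is None or rb is None or ra[1] != rb[1]:
        return False                          # not both members of the same primary VLAN
    if ra[0] == "promiscuous" and rb[0] == "promiscuous":
        return True                           # assumption: two promiscuous ports reach each other
    if "promiscuous" in (ra[0], rb[0]):
        prom, host = (ra, rb) if ra[0] == "promiscuous" else (rb, ra)
        return host[2] in prom[2]             # community and isolated ports reach the promiscuous port
    if ra[0] == "community" and rb[0] == "community":
        return ra[2] == rb[2]                 # same community only
    return False                              # isolated<->isolated and community<->isolated never


def reachability(cfg):
    """Every ordered pair of ports that can talk, for comparison against the topology diagram."""
    ports = sorted(set(cfg.host_ports) | set(cfg.promisc_ports))
    return {(a, b) for a in ports for b in ports if a != b and can_communicate(cfg, a, b)}
```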

As you can see, it is very easy to misconfigure PVLANs. Therefore, it is imperative that you can read a PVLAN configuration, compare it to a topological diagram, with all the different parameters, and determine where the misconfiguration is that is causing traffic to be forwarded to ports it should not be forwarded to or causing traffic to not be forwarded to ports it should be forwarded to.

In addition, you can verify the private VLANs and the ports associated with each private VLAN using the show vlan private-vlan command, as shown in Example 7-41. You can see in this output the primary VLAN 200 and its associated community VLAN 501 and isolated VLAN 502. The ports associated with the community VLAN are Gi1/0/10, Gi1/0/21, and Gi1/0/22. The ports associated with the isolated VLAN are Gi1/0/10, Gi1/0/23, and Gi1/0/24. The first port, Gi1/0/10, is the promiscuous port in both cases.

Example 7-41 Verifying Private VLANs and Associated Ports

    SW2#show vlan private-vlan
    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    200     501       community         Gi1/0/10, Gi1/0/21, Gi1/0/22
    200     502       isolated          Gi1/0/10, Gi1/0/23, Gi1/0/24

You can also use the command show interfaces interface_type interface_number switchport to verify the PVLAN status and configuration of a specific interface. As shown in Example 7-42, the administrative mode and operational mode are private-vlan host, indicating that it is either a member of a community VLAN or an isolated VLAN. If it stated private-vlan promiscuous, it is the promiscuous port. The primary VLAN in this case is VLAN 200, as indicated by the line Access Mode VLAN: 200 (primary). Further down, you can see the host association, which indicates that the primary VLAN is VLAN 200 and that this specific port is a member of the secondary VLAN 501. In addition, the Operational private-vlan output states the same.

Example 7-42 Verifying Private VLAN Information for a Specific Port

    SW2#show interfaces gigabitEthernet 1/0/22 switchport
    Name: Gi1/0/22
    Switchport: Enabled
    Administrative Mode: private-vlan host
    Operational Mode: private-vlan host
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Off
    Access Mode VLAN: 200 (primary)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: 200 (10.1.1.0/24) 501 (VLAN0501)
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk associations: none
    Administrative private-vlan trunk mappings: none
    Operational private-vlan: 200 (10.1.1.0/24) 501 (VLAN0501)
    ...output omitted...

VACLs

Protected ports and PVLANs are excellent features that help you control the traffic that can flow between ports in the same subnet/VLAN. However, they lack granular control. You cannot pick which type of traffic to control; it is all traffic or no traffic that is being forwarded between the ports. If you do need to control the type of traffic that is flowing between ports in the same VLAN/subnet on a switch, you can implement VLAN access control lists (VACLs).

Because you are able to control traffic on a more granular level, when troubleshooting VACLs you need to examine a few different components that make up the VACL:

■ ACLs: Used to define the traffic that will be examined by the VLAN access map (IP or MAC). Use the show access-lists command to verify the configured ACLs.
■ VLAN access map: Used to define the action that will be taken on the traffic that is matched in the ACLs, such as drop versus forward. Use the show run | section vlan access-map command or the show vlan access-map command to verify the configured VLAN access maps.
■ VLAN filter list: Used to define which VLANs the VLAN access map will apply to. Use the show run | include vlan filter command or the show vlan filter command to verify the configured VLAN filter list.

Refer to the sample VACL in Example 7-43, which was used to configure SW1 in Figure 7-5. This VACL is designed to prevent PC1 from being able to ping or telnet to PC2, which is in the same VLAN. However, PC1 will be able to access other resources and services on PC2.

Example 7-43 Sample VLAN ACL Configuration

    SW1#show access-lists
    Extended IP access list 100
        10 permit icmp host 10.1.1.10 host 10.1.1.20
        20 permit tcp host 10.1.1.10 host 10.1.1.20 eq telnet
    SW1#show run | section vlan access-map
    vlan access-map TSHOOT 10
     match ip address 100
     action drop
    vlan access-map TSHOOT 20
     action forward
    SW1#show run | include vlan filter
    vlan filter TSHOOT vlan-list 10

Figure 7-5 VACL (figure: PC1 on SW1 Fa0/1 and PC2 on SW1 Fa0/2, both in VLAN 10 on the 10.1.1.0 subnet; SW1 uplink Gi0/1)

Notice all the different configurations that could cause the VACL to not function as expected:

■ The ACL could be misconfigured: Permit versus deny, wrong addresses, wrong ports, wrong protocol.
■ The VLAN access map could be misconfigured: Matching the wrong ACL, the action could be incorrect.
■ The VLAN access map could be in the wrong sequence order: Just like an ACL, route map, and prefix list, it uses top-down processing, will immediately execute the actions upon a match, and there is an implicit deny all at the end.
■ The VLAN filter could be misconfigured: The filter may be referencing the wrong VLAN access map, it could be configured with the wrong VLAN list, or it may be missing completely.
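The VACL processing order described above, as an added example that is not from the book: a Python 3 evaluator that walks an access map top-down, treats a permit in the referenced ACL as "selected for this action", a deny or no match as "fall through", and applies the implicit drop at the end. It is loaded with the ACL 100 / TSHOOT / VLAN 10 configuration from Example 7-43 and then shows what each of the misconfigurations in the list above does to PC1's ping to PC2. The class and function names are mine.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "icmp", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'permit tcp host 10.1.1.10 host 10.1.1.20 eq telnet'."""
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any IP protocol
    src: str                   # host address or "any"
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class MapEntry:
    """One 'vlan access-map NAME SEQ' clause."""
    seq: int
    acl: Optional[str]         # the 'match ip address' ACL; None = no match clause (matches all)
    action: str                # "drop" or "forward"


def ace_matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def acl_permits(acl, pkt):
    """Top-down: the first matching ACE decides; nothing matched means implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def vacl_action(entries, acls, pkt):
    """Sequences are processed in order and the first one whose ACL permits the packet
    applies its action. Inside a VACL, a deny ACE (or the ACL's implicit deny) only means
    'not matched here', so the packet falls through to the next sequence; a packet matched
    by no sequence at all is dropped (implicit deny at the end of the map)."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.acl is None or acl_permits(acls[entry.acl], pkt):
            return entry.action
    return "drop"


def switch_decision(vlan, vlan_filter, access_maps, acls, pkt):
    """vlan_filter maps an access-map name to the VLAN list it is applied to.
    A VLAN that no filter covers forwards normally."""
    for name, vlans in vlan_filter.items():
        if vlan in vlans:
            return vacl_action(access_maps[name], acls, pkt)
    return "forward"


def example_7_43():
    """SW1's VACL from Example 7-43: ACL 100, access map TSHOOT, filter on VLAN 10."""
    acls = {"100": [Ace("permit", "icmp", "10.1.1.10", "10.1.1.20"),
                    Ace("permit", "tcp", "10.1.1.10", "10.1.1.20", 23)]}
    access_maps = {"TSHOOT": [MapEntry(10, "100", "drop"), MapEntry(20, None, "forward")]}
    vlan_filter = {"TSHOOT": {10}}
    return acls, access_maps, vlan_filter
```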

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, “Final Preparation,” and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 7-2 lists a reference of these key topics and the page numbers on which each is found.

Table 7-2 Key Topics for Chapter 7 (Key Topic Element: Description, Page Number)

■ List: Identifies issues that may be the reason why port security is not behaving as expected (page 250)
■ Example 7-2: Verifying port security (page 251)
■ Example 7-4: Verifying static addresses associated with interfaces (page 252)
■ List: Outlines the different port security violation modes (page 254)
■ Paragraph: Describes how to verify a port is in the err-disable state (page 256)
■ Paragraph: Describes how to determine why a port is in the err-disable state and provides a valuable tip (page 257)
■ Paragraph: Describes the error disable recovery feature and the commands used for verification purposes (page 258)
■ List: Provides a listing of items that must be true for DHCP snooping to operate correctly (page 265)
■ Example 7-25: Verifying DHCP snooping (page 266)
■ Example 7-26: Verifying DHCP snooping bindings (page 267)
■ Example 7-27: Sample DAI configuration (page 267)
■ Paragraph: Describes how to verify that IP Source Guard has been configured correctly (page 268)
■ Section: Protected ports (page 273)
■ List: Outlines the PVLAN rules that are required when troubleshooting PVLANs (page 276)
■ Example 7-40: PVLAN configuration example (page 277)
■ Example 7-41: Verifying Private VLANs and associated ports (page 278)
■ List: Identifies the components involved with VACLs that you may have to troubleshoot (page 279)
■ List: Identifies what could be misconfigured with a VACL that could be causing issues (page 279)

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

port security, sticky secure MAC address, shutdown violation mode, restrict violation mode, protect violation mode, err-disabled, DHCP snooping, DHCP snooping (trusted port), DHCP snooping (untrusted port), dynamic ARP inspection, IP Source Guard, protected ports, private VLANs, primary VLAN, community VLAN, isolated VLAN, promiscuous port, VLAN access control list

Command Reference to Check Your Memory

This section includes the most important show commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed.

The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to successfully verify and troubleshoot the topics covered within this chapter.

To test your memory of the commands, cover the right side of Table 7-3 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.

Table 7-3 show Commands Used for Verification and Troubleshooting

Task: Displays the ports that have port security enabled, the maximum number of MAC addresses allowed, the current number learned, whether there is a security violation, and the action that is taken if a violation occurs.
Command Syntax: show port-security

Task: Displays detailed port security information for the interface. It identifies whether port security is enabled or disabled, the violation mode that is configured, and the aging type and time. It also displays the maximum MAC addresses allowed, the current number of MAC addresses, the number of statically configured addresses, the number of sticky addresses, and whether a violation has occurred. In addition, it displays the last seen MAC on the port, which is helpful for troubleshooting.
Command Syntax: show port-security interface interface_type interface_number

Task: Displays the secure MAC addresses that have been learned on each port security enabled port. It displays the port and associated VLAN, the MAC address, and the type (SecureDynamic, SecureSticky, and SecureConfigured).
Command Syntax: show port-security address

Task: Displays the configuration within the running configuration for a specific interface. You can verify configurations related to port security, DHCP snooping, DAI, IP Source Guard, protected ports, and PVLANs.
Command Syntax: show running-config interface interface_type interface_number

Task: Displays the Layer 1 and Layer 2 status of an interface. Also helps identify which ports are in the err-disable state.
Command Syntax: show interface status

Task: Displays which features are enabled and disabled for the error disable recovery feature, the timer that has been set, and any ports that are currently in the err-disable state (along with the reason why).
Command Syntax: show errdisable recovery

Task: Displays which features are able to use the error disable recovery feature on the switch and the mode they will use.
Command Syntax: show errdisable detect

Task: Displays the status of DHCP snooping, including whether it is enabled or disabled globally, the VLANs it is enabled for, whether option 82 is enabled or disabled, and the trusted ports.
Command Syntax: show ip dhcp snooping

Task: Displays the MAC address to IP address DHCP snooping mappings, along with the port and VLAN they are mapped to.
Command Syntax: show ip dhcp snooping binding

Task: Displays the interfaces that have been enabled with IP Source Guard, the filter type being used, along with the IP address, MAC address, and VLAN number that source packets and frames will need to match.
Command Syntax: show ip verify source

Task: Displays VLAN, trunking, PVLAN, and protected port information related to an interface.
Command Syntax: show interfaces interface_type interface_number switchport

Task: Displays the primary and secondary PVLAN mappings along with the member interfaces.
Command Syntax: show vlan private-vlan

Task: Displays all access lists, including IP and MAC, that are configured on the switch.
Command Syntax: show access-list

Task: Displays the VLAN access map configuration on the switch.
Command Syntax: show run | section vlan access-map, or show vlan access-map

Task: Displays the VLAN access map to VLAN mapping on the switch.
Command Syntax: show run | include vlan filter, or show vlan filter


This chapter covers the following topics:

■ Troubleshooting HSRP: This section focuses on the Cisco Hot Standby Router Protocol (HSRP). It reviews the HSRP features and functions and how you can verify HSRP configurations and troubleshoot HSRP issues.
■ HSRP Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.
■ Troubleshooting VRRP: This section focuses on the industry standard Virtual Router Redundancy Protocol (VRRP). It reviews the VRRP features and functions as well as how you can verify VRRP configurations and troubleshoot VRRP issues.
■ VRRP Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.
■ Troubleshooting GLBP: This section focuses on the Cisco Gateway Load Balancing Protocol (GLBP). It reviews the GLBP features and functions and how you can verify GLBP configurations and troubleshoot GLBP issues.
■ GLBP Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.
■ Comparing HSRP, VRRP, and GLBP: This section provides a close-up comparison of the different first-hop redundancy protocols (FHRPs) covered in the chapter.

CHAPTER 8

Troubleshooting First-Hop Redundancy Protocols

Many devices, such as PCs, are configured with a default gateway. The default gateway parameter identifies the IP address of a next-hop router on the local-area network (LAN) that serves as the exit point for the LAN. As a result, if that router were to become unavailable, devices that relied on the default gateway’s IP address would be unable to send traffic off their local subnet. Fortunately, Cisco devices such as routers and Layer 3 switches offer technologies known as first-hop redundancy protocols (FHRPs) that provide next-hop gateway redundancy, which allow clients to continue to reach their default gateway’s IP address, even if the Layer 3 switch or router that had been servicing that IP address becomes unavailable. These technologies include HSRP, VRRP, and GLBP. This chapter reviews HSRP, VRRP, and GLBP, and provides a collection of Cisco IOS commands you can use to troubleshoot issues related to them.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 8-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 8-1 “Do I Know This Already?” Section-to-Question Mapping (Foundation Topics Section: Questions)

■ Troubleshooting HSRP: 1–4
■ Troubleshooting VRRP: 5–6
■ Troubleshooting GLBP: 7–9
■ Comparing HSRP, VRRP, and GLBP: 10

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. What is the default priority for an HSRP interface?
a. 0
b. 100
c. 256
d. 32768

2. How many active forwarders can be in an HSRP group?
a. 1
b. 2
c. 4
d. No limit

3. What command enables you to verify the virtual MAC address of an HSRP group?
a. show hsrp
b. show hsrp brief
c. show standby
d. show standby brief

4. Which two of the following are true about HSRP?
a. Preemption is on by default.
b. Preemption is off by default.
c. The virtual router IP address has to be an unused IP in the LAN.
d. The virtual router IP address can be an unused IP in the LAN or an IP associated with a router’s LAN interface.

5. What is the name for the router in a VRRP virtual router group that is actively forwarding traffic on behalf of the virtual router group?
a. Virtual forwarder
b. Active virtual gateway
c. Virtual router master
d. Active virtual forwarder

6. Which two of the following are true about VRRP? (Choose two answers.)
a. Preemption is on by default.
b. Preemption is off by default.
c. The virtual router IP address has to be an unused IP in the LAN.
d. The virtual router IP address can be an unused IP in the LAN or an IP associated with a router’s LAN interface.

7. Which show commands enable you to verify the virtual MAC addresses that an AVF is responsible for? (Choose two answers.)
a. show run
b. show arp
c. show glbp
d. show glbp brief

8. Which of the following is the default GLBP method for load balancing?
a. Weighted
b. Host dependent
c. Server dependent
d. Round-robin

9. Which of the following statements is true concerning GLBP?
a. GLBP allows multiple routers to simultaneously forward traffic.
b. A GLBP group has multiple active virtual gateways.
c. GLBP is an industry-standard FHRP.
d. The active virtual forwarder in a GLBP group is responsible for responding to ARP requests with different MAC addresses.

10. Which of the following are Cisco proprietary FHRPs? (Choose two answers.)
a. HSRP
b. VRRP
c. GLBP
d. IRDP

Foundation Topics

Troubleshooting HSRP

Hot Standby Router Protocol (HSRP) is a Cisco proprietary FHRP that was designed to provide default gateway redundancy. When implemented, it allows multiple physical layer 3 gateways to appear as a single virtual layer 3 gateway. It is this virtual layer 3 gateway that the clients point to as their default gateway. HSRP operates on both Cisco routers and Cisco multilayer switches. As a troubleshooter you will need to have a very solid understanding of how HSRP functions in order to resolve any issues related to HSRP. In this section you will review the concepts of HSRP as well as how to verify and troubleshoot HSRP configurations.

Reviewing HSRP

HSRP uses a virtual IP address and MAC address to represent a virtual router within an HSRP group. The end-stations’ default gateway IP address is the IP address of the virtual router. When the end-stations ARP for the MAC address of the default gateway IP address, they are given the virtual MAC address. Under no circumstances should the end-stations ever be given the real MAC address of the device that is acting as the default gateway when they are ARPing for the MAC of the virtual IP address.

Within an HSRP group, one router is the active router. This router is responsible for forwarding data sent to the MAC address of the default gateway and responding to ARP requests asking for the MAC associated with the IP address of the default gateway. Another router in the HSRP group is known as the standby router. This router is waiting for the active router to fail or experience a link/reachability failure so that it can take over the active router role and forward traffic and respond to ARP requests. You can have additional routers in an HSRP group, but they will not be active or standby. They will simply sit and wait for the active or standby to fail so they can elect a replacement among them.

Figure 8-1 illustrates a basic HSRP topology.

Figure 8-1 Basic HSRP Operation (figure: HSRP group 10; R1 is the active router with Fa0/0 172.16.1.1; R2 is the standby router with Et0/0 172.16.1.2; the virtual router is 172.16.1.3; Workstation A uses next-hop gateway 172.16.1.3)

Examples 8-1 and 8-2 show the HSRP configuration for routers R1 and R2. Notice that both routers R1 and R2 have been configured with the same virtual IP address of 172.16.1.3 for an HSRP group of 10. Router R1 is configured with a higher priority using the standby 10 priority 150 command. Router R2 has a default HSRP priority of 100 for group 10. Also, higher priority values are more preferable. Also, notice that router R1 is configured with the standby 10 preempt command, which means that if router R1 loses its active status, perhaps because it is powered off, it will regain its active status when it again becomes available.

Example 8-1 HSRP Configuration on Router R1

    R1#show run
    ...OUTPUT OMITTED...
    interface FastEthernet0/0
     ip address 172.16.1.1 255.255.255.0
     standby 10 ip 172.16.1.3
     standby 10 priority 150
     standby 10 preempt
    ...OUTPUT OMITTED...

Example 8-2 HSRP Configuration on Router R2

    R2#show run
    ...OUTPUT OMITTED...
    interface Ethernet0/0
     ip address 172.16.1.2 255.255.255.0
     standby 10 ip 172.16.1.3
    ...OUTPUT OMITTED...

HSRP Converging After a Failure

By default, HSRP sends hello messages every three seconds. Also, if the standby router does not hear a hello message within ten seconds by default, the standby router considers the active router to be down. The standby router then assumes the active role. Although this ten-second convergence time applies for a router becoming unavailable for a reason such as a power outage or a link failure, convergence happens more rapidly if an interface is administratively shut down. Specifically, an active router sends a resign message if its active HSRP interface is shut down.

Also, with HSRP, consider the addition of another router to the network segment whose HSRP priority for group 10 is higher than 150. If it were configured for preemption, the newly added router would send a coup message, to inform the active router that the newly added router was going to take on the active role. If, however, the newly added router were not configured for preemption, the currently active router would remain the active router.

HSRP Verification and Troubleshooting

When verifying an HSRP configuration or troubleshooting an HSRP issue, you should begin by determining the following information about the HSRP group under inspection:

■ Which router is the active router?
■ Which routers, if any, are configured with the preempt option?
■ What is the virtual IP address?
■ What is the virtual MAC address?
■ Is interface or object tracking on?

The show standby brief command can be used to show which interface is participating in an HSRP group. It identifies the HSRP group number, the priority of the interface, the interface’s state, the router that is currently the active router, the router that is currently the standby router, and the virtual IP address for the HSRP group. In addition, this command identifies if preemption is enabled or not, and if the current local priority is different than the configured local priority.

Examples 8-3 and 8-4 show the output from the show standby brief command issued on routers R1 and R2, where router R1 is currently the active router for group 10 with a virtual IP of 172.16.1.3. It also has a priority of 150 with preemption enabled, and the local router’s current priority is the same as the configured priority. In this case, the router with the IP address 172.16.1.2 is the standby router, which happens to be R2. As shown in Example 8-4, the standby router’s priority is 100.

Example 8-3 show standby brief Command Output on Router R1

    R1#show standby brief
                         P indicates configured to preempt.
                         |
    Interface   Grp  Prio P State   Active          Standby         Virtual IP
    Fa0/0       10   150  P Active  local           172.16.1.2      172.16.1.3

Example 8-4 show standby brief Command Output on Router R2

    R2#show standby brief
                         P indicates configured to preempt.
                         |
    Interface   Grp  Prio P State   Active          Standby         Virtual IP
    Et0/0       10   100    Standby 172.16.1.1      local           172.16.1.3

In addition to an interface’s HSRP group number, the HSRP timers, the standby router’s priority, and the HSRP group’s virtual IP address, the show standby interface_type interface_number command also displays the HSRP group’s virtual MAC address. Issuing this command on router R1, as shown in Example 8-5, shows that the virtual MAC address for HSRP group 10 is 0000.0c07.ac0a. Additionally, the timers are default at 3 and 10.

Example 8-5 show standby fastethernet 0/0 Command Output on Router R1

    R1#show standby fastethernet 0/0
    FastEthernet0/0 - Group 10
      State is Active
        1 state change, last state change 01:20:00
      Virtual IP address is 172.16.1.3
      Active virtual MAC address is 0000.0c07.ac0a
        Local virtual MAC address is 0000.0c07.ac0a (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 1.044 secs
      Preemption enabled
      Active router is local
      Standby router is 172.16.1.2, priority 100 (expires in 8.321 sec)
      Priority 150 (configured 150)
      IP redundancy name is "hsrp-Fa0/0-10" (default)

Virtual Router MAC Address

The default virtual MAC address for an HSRPv1 group, as shown in Figure 8-2, is based on the HSRP group number. Specifically, the virtual MAC address for an HSRP group begins with a vendor code of 0000.0c, followed with a well-known HSRPv1 code of 07.ac. The last two hexadecimal digits are the hexadecimal representation of the HSRP group number. For example, an HSRP group of 10 yields a default virtual MAC address of 0000.0c07.ac0a, because 10 in decimal equates to 0a in hexadecimal. By default, you can have up to 256 HSRPv1 groups.

Figure 8-2 HSRP Virtual MAC Address (figure: 0000.0c07.ac0a for HSRP group 10, split into the vendor code 0000.0c, the well-known HSRP code 07.ac, and the group number in hex, 0a)

The default virtual MAC address for an HSRPv2 group begins with a vendor code of 0000.0c, followed with a well-known HSRPv2 code of 9F.F, and then the last three hexadecimal digits represent the HSRPv2 group. Therefore, you can have a total of 4096 HSRPv2 groups.

Interface Tracking

HSRP interface tracking is a feature that most organizations will deploy. HSRP will only detect a failure of the device itself or the path that is used by the hello packets. What about the uplinks from the routers running HSRP? If they fail, hello packets are

still exchanged successfully, and the active router is still available. However, if the uplink is down, packets are dropped at the active router because it cannot forward them. This is where interface tracking comes into play.

Interface tracking allows you to control the priority of a router in an HSRP group based on the status of an interface. If the interface is anything but up/up, you can decrement the priority of the router to a value that is lower than the standby router, and if preemption is enabled on the standby router, it will take over as the active forwarder because it now has the higher priority. You implement interface tracking with the standby group_number track interface_type interface_number decrement_value command.

You can use the show standby command to verify whether interface tracking is configured and the state of the tracked interface, as shown in Example 8-6. In the case of Example 8-6, you can see that the tracked interface state is down. When it is down, the priority will be decremented by 11. Therefore, reviewing the configured priority of 110 and the current priority of 99 indicates why this router is not the active router at the moment. Its priority has been lowered to 99 from 110 because the interface state is down. Now you would have to troubleshoot why the interface is down.

Example 8-6 show standby Command Output on Router R1

    R1#show standby fa 0/0
    FastEthernet0/0 - Group 10
      State is Standby
        2 state changes, last state change 00:02:16
      Virtual IP address is 172.16.1.3
      Active virtual MAC address is 0000.0c07.ac0a
        Local virtual MAC address is 0000.0c07.ac0a (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 0.784 secs
      Preemption enabled
      Active router is 172.16.1.2, priority 100 (expires in 9.312 sec)
      Standby router is local
      Priority 99 (configured 110)
        Track interface FastEthernet2/0 state Down decrement 11
      Group name is "hsrp-Gi0/0-10" (default)

In addition to interface tracking, you can use object tracking, which allows you to track IP-related information such as a route, the status of a service level agreement (SLA), a group of objects, and the status of an interface. We discuss this type of tracking, which is beyond the scope of our HSRP discussion, in the “Troubleshooting VRRP” section.

Verifying First Hop

Once you know the current HSRP configuration, you might then check to see whether a host on the HSRP virtual IP address’s subnet can ping the virtual IP address. Based on the topology previously shown in Figure 8-1, Example 8-7 shows a successful ping from Workstation A.

Example 8-7 Ping Test from Workstation A to the HSRP Virtual IP Address

C:\>ping 172.16.1.3

Pinging 172.16.1.3 with 32 bytes of data:
Reply from 172.16.1.3: bytes=32 time=1ms TTL=255
Reply from 172.16.1.3: bytes=32 time=2ms TTL=255
Reply from 172.16.1.3: bytes=32 time=1ms TTL=255
Reply from 172.16.1.3: bytes=32 time=1ms TTL=255

Ping statistics for 172.16.1.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

A client could also be used to verify that the virtual MAC address learned by the client corresponds to the virtual MAC address reported by one of the HSRP routers. Example 8-8 shows Workstation A's Address Resolution Protocol (ARP) cache entry for the HSRP virtual IP address of 172.16.1.3. Notice in the output that the MAC address learned via ARP does match the HSRP virtual MAC address reported by the active HSRP router.

Example 8-8 Workstation A's ARP Cache

C:\>arp -a

Interface: 172.16.1.4 --- 0x4
  Internet Address      Physical Address      Type
  172.16.1.3            00-00-0c-07-ac-0a     dynamic

However, one of the best tools to use with FHRPs to verify the path is traceroute. With traceroute, you can identify the physical first-hop router that the packets are traversing. Example 8-9 displays the tracert command executed on a PC. Notice that it states that the first hop is 172.16.1.1. This is the IP address of R1's LAN interface. Therefore, we can conclude that R1 is the active forwarder at the moment.

Example 8-9 A Trace from Workstation A Confirming That R1 Is the First Hop (Active Forwarder)

C:\>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     7 ms    <1 ms     2 ms  172.16.1.1
...output omitted...
Trace complete.

However, suppose that a failure happened and R2 became the active forwarder. The ARP cache would still be the same on the PC. However, the output of tracert on the PC would now display that the first hop is 172.16.1.2, as shown in Example 8-10.

Example 8-10 A Trace from Workstation A Confirming That R2 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     3 ms     2 ms     4 ms  172.16.1.2
...output omitted...
Trace complete.

Debug

You can also use the debug standby terse command to view important HSRP changes, such as a state change. Example 8-11 shows this debug output on router R2 when router R1's Fast Ethernet 0/0 interface is shut down. In the output, notice that router R2's state changes from standby to active.

Example 8-11 debug standby terse Command Output on Router R2: Changing to Active

R2#
*Mar 1 01:25:45.930: HSRP: Et0/0 Grp 10 Standby: c/Active timer expired (172.16.1.1)
*Mar 1 01:25:45.930: HSRP: Et0/0 Grp 10 Active router is local, was 172.16.1.1
*Mar 1 01:25:45.930: HSRP: Et0/0 Grp 10 Standby router is unknown, was local
*Mar 1 01:25:45.930: HSRP: Et0/0 Grp 10 Standby -> Active
*Mar 1 01:25:45.930: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 10 state Standby -> Active
*Mar 1 01:25:45.930: HSRP: Et0/0 Grp 10 Redundancy "hsrp-Et0/0-10" state Standby -> Active
*Mar 1 01:25:48.935: HSRP: Et0/0 Grp 10 Redundancy group hsrp-Et0/0-10 state Active -> Active
*Mar 1 01:25:51.936: HSRP: Et0/0 Grp 10 Redundancy group hsrp-Et0/0-10 state Active -> Active

When router R1's Fast Ethernet 0/0 interface is administratively enabled, because router R1 is configured with the preempt option, router R1 reassumes its previous role as the active HSRP router for HSRP group 10. The output shown in Example 8-12 demonstrates how router R2 receives a coup message, letting router R2 know that router R1 is taking back its active role.

Example 8-12 debug standby terse Command Output on Router R2: Changing HSRP to Standby

R2#
*Mar 1 01:27:57.979: HSRP: Et0/0 Grp 10 Coup in 172.16.1.1 Active pri 150 vIP 172.16.1.3
*Mar 1 01:27:57.979: HSRP: Et0/0 Grp 10 Active: j/Coup rcvd from higher pri router (150/172.16.1.1)
*Mar 1 01:27:57.979: HSRP: Et0/0 Grp 10 Active router is 172.16.1.1, was local
*Mar 1 01:27:57.979: HSRP: Et0/0 Grp 10 Active -> Speak
*Mar 1 01:27:57.979: %HSRP-6-STATECHANGE: Ethernet0/0 Grp 10 state Active -> Speak
*Mar 1 01:27:57.979: HSRP: Et0/0 Grp 10 Redundancy "hsrp-Et0/0-10" state Active -> Speak
*Mar 1 01:28:07.979: HSRP: Et0/0 Grp 10 Speak: d/Standby timer expired (unknown)
*Mar 1 01:28:07.979: HSRP: Et0/0 Grp 10 Standby router is local
*Mar 1 01:28:07.979: HSRP: Et0/0 Grp 10 Speak -> Standby
*Mar 1 01:28:07.979: HSRP: Et0/0 Grp 10 Redundancy "hsrp-Et0/0-10" state Speak -> Standby

HSRP Trouble Tickets

This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 8-3.

Figure 8-3 HSRP Trouble Ticket Topology (PC1 at 10.1.1.10/26 with default gateway 10.1.1.62 behind SW3; SW1 Int VLAN 10 10.1.1.1/26 is Active and SW2 Int VLAN 10 10.1.1.2/26 is Standby for HSRP group 10 with virtual IP 10.1.1.62; each switch uplinks over Gig 1/0/10 toward the core and 192.0.2.1)

Trouble Ticket 8-1

Problem: According to traffic statistics, all traffic for VLAN 10 is flowing through SW2 to reach the core instead of SW1.

You start by verifying the problem from PC1 on VLAN 10. In this case, the best tool is traceroute because it will identify the router hops (real IPs) along the path. All you care about is the first hop: is it 10.1.1.1 or 10.1.1.2? This will identify whether traffic is flowing through SW1 or SW2 to reach the core. Example 8-13 indicates that SW2 is in fact the HSRP active forwarder for the 10.1.1.0/26 network because it was the first hop returned in the tracert command output.

Example 8-13 A Trace from PC1 Confirming That SW2 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     6 ms     1 ms     2 ms  10.1.1.2
...output omitted...
Trace complete.

Reviewing Figure 8-3 indicates that SW1 should be the active forwarder for group 10. Next you need to confirm that this is in fact true by reviewing the output of HSRP show commands. Example 8-14 displays the output of show standby brief on SW2. Notice that under the Active column it states local and that under the Standby column it displays 10.1.1.1, which is the IP address of the standby router, SW1. Now is an excellent time to review the output of show standby brief on SW1 to see whether anything stands out that might be the issue. Example 8-15 indicates that SW1 is indeed the standby router for group 10.

Example 8-14 show standby brief Command Output on SW2

SW2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   100 P Active  local           10.1.1.1        10.1.1.62

Example 8-15 show standby brief Command Output on SW1

SW1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   10  P Standby 10.1.1.2        local           10.1.1.62

However, if you look very closely at Examples 8-14 and 8-15, you should notice that SW1 has a priority of 10 and SW2 has a priority of 100. The HSRP router that has the higher priority is the active forwarder. You should check the output of show standby on SW1 to determine whether that is the configured priority or whether some tracked object is down and causing the priority to be lowered. Example 8-16 displays the output of show standby on SW1. Notice that the priority is listed as 10 and that it states it is configured as 10.

Example 8-16 show standby Command Output on SW1

SW1#show standby
Vlan10 - Group 10
  State is Standby
    4 state changes, last state change 00:06:51
  Virtual IP address is 10.1.1.62
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.016 secs
  Preemption enabled
  Active router is 10.1.1.2, priority 100 (expires in 9.488 sec)
  Standby router is local
  Priority 10 (configured 10)
    Track interface GigabitEthernet1/0/10 state Up decrement 11
  Group name is "hsrp-Vl10-10" (default)

It must have been mistyped. Checking your documentation indicates that the priority should be configured to 110. Example 8-17 displays the interface VLAN 10 configuration, which shows that the priority was configured to 10 instead of 110.

Example 8-17 show run interface vlan 10 Command Output on SW1

SW1#show run interface vlan 10
Building configuration...

Current configuration : 163 bytes
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.192
 standby 10 ip 10.1.1.62
 standby 10 priority 10
 standby 10 preempt
 standby 10 track 1 decrement 11
end

After fixing the issue by executing the command standby 10 priority 110 in VLAN 10 interface configuration mode on SW1, you see the following syslog message confirming that SW1 is now the active forwarder:

%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active

You then reissue the tracert command on PC1, as shown in Example 8-18, and confirm that SW1 is in fact the active forwarder now.

Example 8-18 A Trace from PC1 Confirming That SW1 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     7 ms    <1 ms     2 ms  10.1.1.1
...output omitted...
Trace complete.

Trouble Ticket 8-2

Problem: According to traffic statistics, all traffic for VLAN 10 is flowing through SW2 to reach the core instead of SW1.

You start by verifying the problem from PC1 on VLAN 10. In this case, the best tool is traceroute because it will identify the router hops (real IPs) along the path. All you care about is the first hop: is it 10.1.1.1 or 10.1.1.2? This will identify whether traffic is flowing through SW1 or SW2 to reach the core. Example 8-19 indicates that SW2 is in fact the HSRP active forwarder for the 10.1.1.0/26 network because it was the first hop returned in the tracert command output.

Example 8-19 A Trace from PC1 Confirming That SW2 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     6 ms     1 ms     2 ms  10.1.1.2
...output omitted...
Trace complete.

Reviewing Figure 8-3 indicates that SW1 should be the active forwarder for group 10. Next you need to confirm that this is in fact true by reviewing the output of HSRP show commands. Example 8-20 displays the output of show standby brief on SW2. Notice that under the Active column it states local and that under the Standby column it displays 10.1.1.1, which is the IP address of the standby router. Now is an excellent time to review the output of show standby brief on SW1 to see whether anything stands out that might be the issue. Example 8-21 indicates that SW1 is indeed the standby router for group 10.

Example 8-20 show standby brief Command Output on SW2

SW2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   100 P Active  local           10.1.1.1        10.1.1.62

Example 8-21 show standby brief Command Output on SW1

SW1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   110   Standby 10.1.1.2        local           10.1.1.62

However, if you look very closely at Examples 8-20 and 8-21, you should notice that SW1 has a priority of 110 and that SW2 has a priority of 100. The HSRP router that has the higher priority should be the active forwarder. However, in this case, it is not. Taking an even closer look at Examples 8-20 and 8-21, you notice that SW1 does not have preemption enabled, as indicated by the missing P in the output. You check the output of show standby on SW1, as shown in Example 8-22, and it indicates that preemption is disabled.

Example 8-22 show standby Command Output on SW1

SW1#show standby
Vlan10 - Group 10
  State is Standby
    7 state changes, last state change 02:39:07
  Virtual IP address is 10.1.1.62
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.520 secs
  Preemption disabled
  Active router is 10.1.1.2, priority 100 (expires in 10.112 sec)
  Standby router is local
  Priority 110 (configured 110)
    Track interface GigabitEthernet1/0/10 state Up decrement 11
  Group name is "hsrp-Vl10-10" (default)

If SW1 is expected to take over as the active forwarder when it has a higher priority, preemption needs to be on. After fixing the issue by executing the command standby 10 preempt in VLAN 10 interface configuration mode on SW1, you see the following syslog message confirming that SW1 is now the active forwarder:

%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active

You then reissue the tracert command on PC1, as shown in Example 8-23, and confirm that SW1 is in fact the active forwarder now.

Example 8-23 A Trace from PC1 Confirming That SW1 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     7 ms    <1 ms     2 ms  10.1.1.1
...output omitted...
Trace complete.

Trouble Ticket 8-3

Problem: Users in VLAN 10 are reporting that they are not able to reach any resources outside their LAN.

You start by verifying the problem from PC1 on VLAN 10. You ping 192.0.2.1, as shown in Example 8-24, and it fails. You ping the default gateway of PC1, which is the virtual router IP address of 10.1.1.62, as shown in Example 8-25, and it is successful.

Example 8-24 Failed Ping from PC1 to Destination Outside LAN

C:\PC1>ping 192.0.2.1

Pinging 192.0.2.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.0.2.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Example 8-25 Successful Ping from PC1 to Default Gateway

C:\PC1>ping 10.1.1.62

Reply from 10.1.1.62: bytes=32 time<1ms TTL=128
Reply from 10.1.1.62: bytes=32 time<1ms TTL=128
Reply from 10.1.1.62: bytes=32 time<1ms TTL=128
Reply from 10.1.1.62: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.62:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

So far, you have confirmed that connectivity beyond the default gateway is not possible but that connectivity to the default gateway is. You decide to use traceroute to determine which router is currently the active forwarder. Example 8-26 confirms that it is SW1 at 10.1.1.1. However, notice how no other hop is displayed and you receive a destination host unreachable message from 10.1.1.1. Keep this in mind; we will come back to it.

Example 8-26 A Trace from PC1 Confirming That SW1 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     4 ms     2 ms     2 ms  10.1.1.1
  2  10.1.1.1  reports: Destination host unreachable.

Trace complete.

Next you need to confirm that SW1 is in fact the active forwarder by reviewing the output of HSRP show commands. Example 8-27 displays the output of show standby brief on SW1. Notice that under the Active column it states local and that under the Standby column it displays 10.1.1.2, which is the IP address of the standby router, SW2.

Example 8-27 show standby brief Command Output on SW1

SW1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   109 P Active  local           10.1.1.2        10.1.1.62

Review Example 8-26 again. Remember how the tracert command output is failing at SW1? This is a good indication that SW1 cannot route the packet to 192.0.2.1. You issue the show ip route command on SW1, as shown in Example 8-28. All you see are connected and local routes. There is no connected route for Gig1/0/10, nor are there any routes learned from a neighboring router in the core on Gig1/0/10.

Example 8-28 show ip route Command Output on SW1

SW1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.1.1.0/26 is directly connected, Vlan10
L        10.1.1.1/32 is directly connected, Vlan10
C        10.1.1.64/26 is directly connected, Vlan20
L        10.1.1.65/32 is directly connected, Vlan20

You issue the command show ip interface brief | exclude unassigned on SW1 and notice that Gig1/0/10 is down/down, as shown in Example 8-29. There is an issue between SW1 and the core. You escalate the problem because it is beyond your control. However, in the meantime you need to determine why HSRP did not successfully fail over to SW2 as the active forwarder for group 10, in case this happens again.

Example 8-29 show ip interface brief | exclude unassigned Command Output on SW1

SW1#show ip int brief | ex unassigned
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 10.1.1.1        YES NVRAM  up                    up
Vlan20                 10.1.1.65       YES NVRAM  up                    up
GigabitEthernet1/0/10  10.1.10.2       YES NVRAM  down                  down

Interface tracking is a feature that allows an HSRP-enabled router to decrement its priority by a specified value if the status of an interface goes down. This ensures that the active forwarder does not maintain the active status if it is not fit to do so. If it did, it might black hole traffic, as it did in this scenario.

Using the command show standby on SW1 indicates that you are tracking interface Gigabit Ethernet 1/0/10, as shown in Example 8-30. It also shows that it is down and that the current priority is 109 instead of the configured 110.

Example 8-30 show standby Command Output on SW1

SW1#show standby
Vlan10 - Group 10
  State is Active
    8 state changes, last state change 00:14:11
  Virtual IP address is 10.1.1.62
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.736 secs
  Preemption enabled
  Active router is local
  Standby router is 10.1.1.2, priority 100 (expires in 7.760 sec)
  Priority 109 (configured 110)
    Track interface GigabitEthernet1/0/10 state Down decrement 1
  Group name is "hsrp-Vl10-10" (default)
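Trouble Tickets 8-1 and 8-2 and the show standby output just shown (a priority of 109 against the standby's 100) all come down to values that show standby prints. The following Python is an added example, not code from the book: it parses a show standby group block in the format of Examples 8-16, 8-22 and 8-30 (the sample below is constructed from Example 8-30) and flags a configured priority that differs from the documented one, preemption turned off, and a track decrement too small to drop below the peer's priority.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the shape of Example 8-30: SW1 stays Active with its
# uplink down because a track decrement of 1 only lowers 110 to 109.
SAMPLE_SHOW_STANDBY = """\
Vlan10 - Group 10
  State is Active
    8 state changes, last state change 00:14:11
  Virtual IP address is 10.1.1.62
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.736 secs
  Preemption enabled
  Active router is local
  Standby router is 10.1.1.2, priority 100 (expires in 7.760 sec)
  Priority 109 (configured 110)
    Track interface GigabitEthernet1/0/10 state Down decrement 1
  Group name is "hsrp-Vl10-10" (default)
"""


@dataclass
class HsrpGroup:
    interface: str
    group: int
    state: str
    preempt: bool
    priority: int                  # current (possibly decremented) priority
    configured_priority: int
    peer_priority: Optional[int]   # priority the other router advertises, if shown
    tracked: List[Tuple[str, str, int]] = field(default_factory=list)  # (interface, state, decrement)


def parse_show_standby(text: str) -> HsrpGroup:
    """Parse one group block of 'show standby' output (format of Examples 8-16, 8-22, 8-30)."""
    head = re.search(r"^(\S+) - Group (\d+)", text, re.M)
    state = re.search(r"State is (\w+)", text)
    prio = re.search(r"Priority (\d+) \(configured (\d+)\)", text)
    if not (head and state and prio):
        raise ValueError("not a show standby group block")
    # 'Active router is local' carries no priority; the peer's line does.
    peer = re.search(r"(?:Active|Standby) router is [\d.]+, priority (\d+)", text)
    tracked = [(iface, st, int(dec)) for iface, st, dec in
               re.findall(r"Track interface (\S+) state (\w+) decrement (\d+)", text)]
    return HsrpGroup(interface=head.group(1), group=int(head.group(2)),
                     state=state.group(1), preempt="Preemption enabled" in text,
                     priority=int(prio.group(1)), configured_priority=int(prio.group(2)),
                     peer_priority=int(peer.group(1)) if peer else None, tracked=tracked)


def check_failover(g: HsrpGroup, documented_priority: int) -> List[str]:
    """Return the misconfigurations behind Trouble Tickets 8-1, 8-2 and 8-3 that are present."""
    findings = []
    # TT 8-1: priority typed wrong (10 instead of 110), so the wrong switch is active.
    if g.configured_priority != documented_priority:
        findings.append(f"configured priority {g.configured_priority}, "
                        f"documentation says {documented_priority}")
    # TT 8-2: higher priority but no preempt, so the switch never takes the active role back.
    if not g.preempt:
        findings.append("preemption disabled: a higher priority will not take over")
    # TT 8-3: a decrement that does not drop below the peer leaves a dead uplink active.
    for iface, _, dec in g.tracked:
        if g.peer_priority is not None and g.configured_priority - dec >= g.peer_priority:
            findings.append(f"track {iface} decrement {dec} leaves priority "
                            f"{g.configured_priority - dec} >= peer {g.peer_priority}")
    # Consistency check: current priority should be configured minus every down track.
    expected_now = g.configured_priority - sum(d for _, st, d in g.tracked if st != "Up")
    if g.priority != expected_now:
        findings.append(f"priority {g.priority} does not match configured minus decrements "
                        f"({expected_now})")
    return findings
```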

The problem in this case is clear. Interface tracking was configured incorrectly. It appears that whoever configured it thought that the decrement value identified what the new priority should be if the interface goes down. But in reality, it states how much to lower the configured priority by. In this case, the decrement value was set to 1, as verified in Example 8-31, which displays the output of show run interface vlan 10. Therefore, the configured priority is 110 and you subtract 1, which gives you 109.

Example 8-31 show run interface vlan 10 Command Output on SW1

SW1#show run interface vlan 10
Building configuration...

Current configuration : 163 bytes
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.192
 standby 10 ip 10.1.1.62
 standby 10 priority 110
 standby 10 preempt
 standby 10 track 1 decrement 1
end

After you solve this problem by changing the decrement value to 11 or higher (so that the priority of SW1 will be 99 or lower), you will notice a syslog message on SW1 indicating that SW1 is no longer in the active state, and on SW2 you will see a syslog message indicating that it is now in the active state. These are examples of the syslog messages:

SW1#
%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Active -> Speak
SW1#
%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Speak -> Standby
SW1#

SW2#
%HSRP-5-STATECHANGE: Vlan10 Grp 10 state Standby -> Active
SW2#

You then reissue the tracert command on PC1, as shown in Example 8-32, and confirm that SW2 is the active forwarder.

Example 8-32 A Trace from PC1 Confirming That SW2 Is the First Hop (Active Forwarder)

C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops

  1     3 ms     2 ms     4 ms  10.1.1.2

...output omitted...
  7    48 ms    40 ms    30 ms  192.0.2.1

Trace complete.

In addition, you need to ping from a client to make sure that the problem is officially solved, as shown by the successful ping in Example 8-33.

Example 8-33 Successful Ping from PC1

C:\PC1>ping 192.0.2.1

Reply from 192.0.2.1: bytes=32 time<1ms TTL=128
Reply from 192.0.2.1: bytes=32 time<1ms TTL=128
Reply from 192.0.2.1: bytes=32 time<1ms TTL=128
Reply from 192.0.2.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.0.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Troubleshooting VRRP

Virtual Router Redundancy Protocol (VRRP) is an IETF standard FHRP based on Cisco's HSRP protocol. Therefore, your knowledge of HSRP can transfer over to VRRP. However, as a troubleshooter, you need to understand the differences of VRRP so that you can successfully troubleshoot issues related to it. This section focuses on the behavior of VRRP and how to verify and troubleshoot VRRP issues.

Reviewing VRRP

Like HSRP, VRRP allows a collection of routers to service traffic destined for a single IP address. Unlike HSRP, the IP address serviced by a VRRP group does not have to be a unique/unused IP address. It can be the address of a router's physical interface on the LAN. In addition, VRRP and HSRP are not compatible, although they are similar.

A VRRP virtual router identifier (VRID) is made up of a virtual master router and multiple routers acting as virtual router backups, as shown in Figure 8-4. (Note that the VRID is the same concept as an HSRP group.) The virtual master router is responsible for handing out the virtual MAC address associated with the LAN's default gateway IP address and forwarding traffic sent to the default gateway. The virtual router backups are waiting for the master to fail so that one of them can take over the virtual master router role.

Figure 8-4 Basic VRRP Operation (PC1 at 10.1.1.74/26 with default gateway 10.1.1.66 behind SW3; SW1 Int VLAN 20 10.1.1.65/26 is Backup and SW2 Int VLAN 20 10.1.1.66/26 is the VRM for VRRP group 20 with virtual IP 10.1.1.66; VRM = Virtual Router Master; each switch uplinks over Gig 1/0/10 toward 192.0.2.1)

Examples 8-34 and 8-35 show the VRRP configuration for SW1 and SW2. Notice in Examples 8-34 and 8-35 that the VRRP group IP address is the same as the SVI on SW2. As a result of this, SW2 will automatically be the virtual router master because it owns that IP address, regardless of what the priority is, because it will give itself a priority of 255 automatically.

Example 8-34 VRRP Configuration on Router R1

SW1#show run
...OUTPUT OMITTED...
interface vlan 20
 ip address 10.1.1.65 255.255.255.192
 vrrp 20 ip 10.1.1.66
...OUTPUT OMITTED...

Example 8-35 VRRP Configuration on Router R2

SW2#show run
...OUTPUT OMITTED...
interface vlan 20
 ip address 10.1.1.66 255.255.255.192
 vrrp 20 ip 10.1.1.66
...OUTPUT OMITTED...

VRRP Verification and Troubleshooting

When verifying a VRRP configuration or troubleshooting a VRRP issue, you should begin by determining the following information about the VRRP group under inspection:

■ Which router is the virtual router master?
■ How was the virtual router master chosen?
■ Which routers, if any, are configured with the preempt option? (Enabled by default)
■ What is the IP address of the virtual router?
■ What is the virtual MAC address?
■ Is object tracking on?

You can use the show vrrp brief command to show which interface is participating in a VRRP group. It identifies the VRRP group number, the priority of the interface, whether it owns the IP being used as the virtual router IP, and whether preemption is enabled. This command will also identify the current state of the router along with the master address and the group address, which is the VRRP group's virtual IP address. Examples 8-36 and 8-37 show the output from the show vrrp brief command issued on SW1 and SW2. Notice how SW2 is currently the master router for group 20. You can also see that preemption is enabled and that SW2 owns the IP address that is being used as the virtual router IP address.

Example 8-36 show vrrp brief Command Output on Router SW1

SW1#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl20               20  100 3609      Y   Backup  10.1.1.66       10.1.1.66

Example 8-37 show vrrp brief Command Output on SW2

SW2#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl20               20  255 3003  Y   Y   Master  10.1.1.66       10.1.1.66

In Examples 8-36 and 8-37, notice how SW2 has a priority of 255. In the previous configuration examples, we did not configure the priority. We kept it at the default of 100. By default, VRRP uses a priority of 100, like HSRP. In this case, it is 255 because SW2 owns the IP that is being used as the virtual IP address. Therefore, it automatically changes its priority to 255 so that it becomes the virtual router master for the group. Also make note that preemption is on by default. Therefore, you do not have to manually enable it. In addition, SW1 is in the backup state.

In addition to an interface's VRRP group number, the priority, and the state, the show vrrp interface interface_type interface_number command also displays the VRRP group's virtual MAC address and the VRRP timers.

Issuing this command on SW2, as shown in Example 8-38, shows that the virtual MAC address for VRRP group 20 is 0000.5e00.0114, the priority is 255, and SW2 is the master router. By default, VRRP timers are 1 second for the Advertisement interval and 3 seconds for the Master Down interval. Therefore, the timers are at their defaults of 1 and 3.

Example 8-38 show vrrp interface vlan 20 Command Output on SW2

SW2#show vrrp interface vlan 20
Vlan20 - Group 20
  State is Master
  Virtual IP address is 10.1.1.66
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 255
  Master Router is 10.1.1.66 (local), priority is 255
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.003 sec

Virtual Router MAC Address

The default virtual MAC address for a VRRP group, as shown in Figure 8-5, is based on the VRRP VRID, which is just a fancy way to identify the group number. Specifically, the virtual MAC address for a VRRP group begins with a vendor code of 0000.5e (IANA's organizationally unique identifier [OUI]), followed with a well-known VRRP address block of 00.01. The last two hexadecimal digits are the hexadecimal representation of the VRID (group) number. For example, a VRRP group of 20 yields a default virtual MAC address of 0000.5e00.0114, because 20 in decimal equates to 14 in hexadecimal.

Figure 8-5 VRRP Virtual MAC Address (vendor code 0000.5e from IANA, well-known VRRP code 00.01, VRID (group) number in hex; VRRP VRID 20 gives 0000.5e00.0114)

Object Tracking

Object tracking is a feature that most organizations will deploy when using VRRP. VRRP will only detect a failure of the device itself or the path that is used by the hello packets. What about the uplinks from the routers running VRRP? If they fail, hello packets are still exchanged successfully, and the virtual master router is still available. However, if the uplink is down, packets are dropped at the virtual master router because it cannot forward them. This is where object tracking comes into play.

Object tracking enables you to control the priority of a router in a VRRP group based on the status of an object. The object can be IP-related information such as a route, a group of objects, the

status of an SLA probe, and the status of an interface. When it is down, the priority of the router can be decremented to a value that is lower than the standby router, and because preemption is enabled by default, the standby router will take over as the virtual master router because it now has the higher priority.

You can use the show vrrp command to verify whether object tracking is configured, and the state of the tracked object, as shown in Example 8-39. In the case of Example 8-39, you can see that the tracked object 1 is in a state of down. If the object is anything but up, it will decrement the priority by 11. You can see that the current priority is 99 and the configured priority is 110 (110 – 11 = 99). However, you need to find out what the tracked object is specifically so that you can troubleshoot further. Using the command show track you can verify what tracked object number 1 is tracking. In Example 8-40, you can verify that it is the status of the line protocol on interface Gigabit Ethernet 1/0/10. It is admin-down and being tracked by VRRP group 20. Now you would have to troubleshoot why the interface is down.

Example 8-39 show vrrp Command Output on Router SW2

SW2#show vrrp
VLAN 20 - Group 20
  State is Backup
  Virtual IP address is 10.1.1.126
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 99 (cfgd 110)
    Track object 1 state Down decrement 11
  Master Router is 10.1.1.65, priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.570 sec (expires in 3.026 sec)

Example 8-40 show track Command Output on Router SW2

SW2#show track
Track 1
  Interface GigabitEthernet1/0/10 line-protocol
  Line protocol is Down (hw admin-down)
    2 changes, last change 00:05:13
  Tracked by:
    VRRP VLAN20 20

Verifying First Hop

Once you know the current VRRP configuration, you might then check to see whether a host on the VRRP virtual IP address's subnet can ping the virtual IP address. Based on the topology previously shown in Figure 8-4, Example 8-41 shows a successful ping from PC1.

Chapter 8: Troubleshooting First-Hop Redundancy Protocols 311

Example 8-41 Ping Test from PC1 to the VRRP Virtual IP Address
C:\PC1>ping 10.1.1.66

Pinging 10.1.1.66 with 32 bytes of data:
Reply from 10.1.1.66: bytes=32 time=1ms TTL=255
Reply from 10.1.1.66: bytes=32 time=2ms TTL=255
Reply from 10.1.1.66: bytes=32 time=1ms TTL=255
Reply from 10.1.1.66: bytes=32 time=1ms TTL=255

Ping statistics for 10.1.1.66:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

However, that does not prove that we are using the virtual MAC address and VRRP. Therefore, you should also verify that the virtual MAC address learned by the client corresponds to the virtual MAC address reported by the VRRP virtual router master. Example 8-42 shows Workstation A's ARP cache entry for the VRRP virtual IP address of 10.1.1.66. Notice in the output that the MAC address learned via ARP does match the VRRP virtual MAC address of the master router.

Example 8-42 PC1 ARP Cache
C:\PC1>arp -a

Interface: 10.1.1.74 --- 0x4
  Internet Address      Physical Address      Type
  10.1.1.66             00-00-5e-00-01-14     dynamic

However, as discussed with HSRP, one of the best tools to use with FHRPs to verify the path is traceroute. With traceroute, from the client, you can identify the physical first-hop router that the packets are traversing. Example 8-43 displays the tracert command executed on PC1. Notice that it states that the first hop is 10.1.1.66. This is the IP address of SW2's VLAN 20 SVI. Therefore, you can conclude that SW2 is the virtual router master at the moment.

Example 8-43 A Trace from PC1 Confirming That SW2 Is the First Hop (Virtual Router Master)
C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     7 ms    <1 ms     2 ms  10.1.1.66
...output omitted...
Trace complete.

Suppose, however, that a failure happened and SW1 became the virtual router master. The ARP cache would still be the same on PC1; however, the output of tracert on the PC would now display that the first hop is 10.1.1.65, as shown in Example 8-44.

Example 8-44 A Trace from PC1 Confirming That SW1 Is the First Hop (Virtual Router Master)
C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     7 ms    <1 ms     2 ms  10.1.1.65
...output omitted...
Trace complete.

VRRP Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 8-6.

[Figure 8-6 VRRP Trouble Ticket Topology: PC1 (IP 10.1.1.74/26, DG 10.1.1.66) connects to SW3; SW3 uplinks (Gig 1/0/10) to SW1 and SW2, both with Int VLAN 10 and 20; SW1 IP 10.1.1.65/26 is Backup and SW2 IP 10.1.1.66/26 is VRM for VRRP group 20, virtual IP 10.1.1.66; SW1 and SW2 connect to the core. VRM = Virtual Router Master.]

Figure 8-6 VRRP Trouble Ticket Topology

Trouble Ticket 8-4
Problem: According to traffic statistics, all traffic for VLAN 20 is flowing through SW1 to reach the core instead of SW2.

You start by verifying the problem from PC1 on VLAN 20. In this case, the best tool is traceroute because it will identify the router hops (real IPs) along the path. All you care about is the first hop: is it 10.1.1.65 or 10.1.1.66? This will identify whether traffic is flowing through SW1 or SW2 to reach the core. Example 8-45 indicates that SW1 should be the VRRP virtual router master for the 10.1.1.64/26 network, because it was the first hop returned for the tracert command.

Example 8-45 A Trace from PC1 Confirming That SW1 Is the First Hop (Master)
C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     2 ms     2 ms     1 ms  10.1.1.65
...output omitted...
Trace complete.

Reviewing Figure 8-6 indicates that SW2 should be the virtual router master of the group. Next you need to confirm that this is in fact true by reviewing the output of VRRP show commands. Example 8-46 displays the output of show vrrp brief on SW1. Notice that under the State column it states Backup and the Master addr is 10.1.1.66. Therefore, SW1 is not the VRRP master, even though it is being used as the first hop.

Example 8-46 show vrrp brief Command Output on SW1
SW1#show vrrp brief
Interface   Grp  Pri  Time  Own  Pre  State   Master addr   Group addr
Vl20        20   100  3609       Y    Backup  10.1.1.66     10.1.1.66

Now is an excellent time to review the output of show vrrp brief on SW2 to verify this, and it appears that it is. Example 8-47 indicates that SW2 is in the master state. Also notice how the Internet address listed is 10.1.1.66, which is also the virtual IP address for the group.

Example 8-47 show vrrp brief Command Output on SW2
SW2#show vrrp brief
Interface   Grp  Pri  Time  Own  Pre  State   Master addr   Group addr
Vl20        20   255  3003  Y    Y    Master  10.1.1.66     10.1.1.66

What would be causing SW1 and SW2 to be in their correct states, yet the wrong device being used as the first hop? Recall that when a client makes an ARP request for the VRRP group MAC address, the virtual router master will respond with the group MAC address. In this case, it should be 0000.5e00.0114 for group 20. On PC1, to verify the MAC address being used by the client for the 10.1.1.66 address, you issue the arp -a command, as shown in Example 8-48. It does not appear that the client is learning a VRRP MAC address, because none of the MAC addresses listed start with 0000.5e00.01. In this case, the client is learning 10.1.1.65 with a MAC of 28-93-fe-3a-e3-43. That is the IP and MAC address of interface VLAN 20 on SW1, as shown in Example 8-49, which displays the output of the show interface vlan 20 command.

Example 8-48 Verifying PC1's ARP Cache
C:\PC1>arp -a

Interface: 10.1.1.74 --- 0x2
  Internet Address      Physical Address      Type
  10.1.1.65             28-93-fe-3a-e3-43     dynamic

Example 8-49 Verifying SW1's SVI IP Address and MAC Address
SW1#show interface vlan 20
Vlan20 is up, line protocol is up
  Hardware is EtherSVI, address is 2893.fe3a.e343 (bia 2893.fe3a.e343)
  Internet address is 10.1.1.65/26
...output omitted...

From the show commands you just reviewed, it seems as if the PCs are using 10.1.1.65 as the default gateway address instead of the VRRP virtual IP of 10.1.1.66. It appears that the PCs might be configured with the wrong default gateway IP address. Using the command ipconfig on PC1, you confirm that the default gateway is 10.1.1.65 and not 10.1.1.66, as shown in Example 8-50.

Example 8-50 Verifying the Default Gateway on PCs
C:\PC1>ipconfig

Windows IP Configuration

Ethernet adapter PC1:
        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 10.1.1.74
        Subnet Mask . . . . . . . . . . . : 255.255.255.192
        IP Address. . . . . . . . . . . . : 2001:20::20
        IP Address. . . . . . . . . . . . : fe80::a00:27ff:fea2:ce47%4
        Default Gateway . . . . . . . . . : 10.1.1.65

You contact the administrator of the DHCP server and inform him of the issue. After the adjustments are made and the clients have the correct default gateway, as shown in Example 8-51, you reissue the tracert command and confirm that SW2 (10.1.1.66) is being used as the first hop, as shown in Example 8-51 as well.

Example 8-51 Verifying the Default Gateway on PCs After Adjustments
C:\PC1>ipconfig

Windows IP Configuration

Ethernet adapter PC1:
        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 10.1.1.74
        Subnet Mask . . . . . . . . . . . : 255.255.255.192
        IP Address. . . . . . . . . . . . : 2001:20::20
        IP Address. . . . . . . . . . . . : fe80::a00:27ff:fea2:ce47%4
        Default Gateway . . . . . . . . . : 10.1.1.66

C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     3 ms     1 ms     2 ms  10.1.1.66
...output omitted...
Trace complete.

However, it is important that you confirm the correct VRRP MAC address is being used by checking the ARP cache on the PCs. In Example 8-52, you confirm with the arp -a command that the MAC address of 0000.5e00.0114 for group 20 is being used.

Example 8-52 Verifying PC1's ARP Cache After Adjustments
C:\PC1>arp -a

Interface: 10.1.1.74 --- 0x2
  Internet Address      Physical Address      Type
  10.1.1.66             00-00-5e-00-01-14     dynamic

Trouble Ticket 8-5
Problem: According to traffic statistics, when the uplink between SW3 and SW2 goes down, all traffic for VLAN 20 is flowing through SW3, SW1, and then SW2 and routed out to the core, as shown in Figure 8-7. (Note that the default gateway IP address differs from the previous figures.) If the uplink between SW3 and SW2 is not available, SW1 should become the VRRP virtual router master so that traffic flow is optimized in the LAN.

You start verifying the problem by shutting down the link between SW3 and SW2. You then trace the path from PC1 to an IP address outside the LAN. All you care about is the first hop: is it 10.1.1.65 or 10.1.1.66? This will identify whether traffic is flowing through SW1 or SW2 to reach the core. Example 8-53 indicates that SW2 is in fact the VRRP virtual router master for the 10.1.1.64/26 network, because it was the first hop returned for the tracert command.

Example 8-53 A Trace from PC1 Confirming That SW2 Is the First Hop (Master)
C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     2 ms     2 ms     2 ms  10.1.1.66
...output omitted...
Trace complete.

[Figure 8-7 VRRP Suboptimal Traffic Flow Topology: PC1 (IP 10.1.1.74/26, DG 10.1.1.126) connects to SW3; SW3 uplinks to SW1 (IP 10.1.1.65/26, Backup) and to SW2 (IP 10.1.1.66/26, VRM, tracked uplink Gi1/0/2); both switches carry Int VLAN 10 and 20 and connect to the core; VRRP group 20 virtual IP 10.1.1.126. VRM = Virtual Router Master.]

Figure 8-7 VRRP Suboptimal Traffic Flow Topology

Next you need to confirm that this is in fact true by reviewing the output of VRRP show commands. Example 8-54 displays the output of show vrrp brief on SW2. Notice that under the State column it states Master and the Master addr is 10.1.1.66 (SW2) for the group address 10.1.1.126. All looks fine so far.

Example 8-54 show vrrp brief Command Output on SW2
SW2#show vrrp brief
Interface   Grp  Pri  Time  Own  Pre  State   Master addr   Group addr
Vl20        20   100  3570       Y    Master  10.1.1.66     10.1.1.126

Next you review the output of show vrrp, as shown in Example 8-55. In this output, you notice that SW2 is the master but that there is a problem with the priority. The configured priority is 110, but the current priority is 100. As a result, it has been decremented dynamically. This can be verified with the tracked object that is currently down. The output indicates that tracking object 1 is down, and when it is down, the priority will be decremented by 10 (110 – 10 = 100).

Example 8-55 show vrrp Command Output on SW2
SW2#show vrrp
Vlan20 - Group 20
  State is Master
  Virtual IP address is 10.1.1.126
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100 (cfgd 110)
    Track object 1 state Down decrement 10
  Master Router is 10.1.1.66 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.570 sec

What is tracking object 1? To verify, you execute the show track command on SW2. As Example 8-56 displays, the output of show track indicates that you are tracking the line protocol of Gigabit Ethernet 1/0/2 for VRRP on interface VLAN 20 for group 20. At this point in time, Gigabit Ethernet 1/0/2 is down, and as a result, VRRP decremented the priority by 10, as you saw in Example 8-55.

Example 8-56 show track Command Output on SW2
SW2#show track
Track 1
  Interface GigabitEthernet1/0/2 line-protocol
  Line protocol is Down (hw down)
    6 changes, last change 01:39:45
  Tracked by:
    VRRP Vlan20 20

Next you verify the priority on SW1 with the show vrrp command, as shown in Example 8-57. The output clearly shows that the priority of SW1 is 100, which is the same as SW2.

Example 8-57 show vrrp Command Output on SW1
SW1#show vrrp
Vlan20 - Group 20
  State is Backup
  Virtual IP address is 10.1.1.126
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 10.1.1.66, priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.575 sec)

If that is the case, why is SW2 the virtual router master? Reviewing the output of show vrrp for SW1 and SW2 identifies that preemption is enabled, and the priority is tied. When priority is tied, just like HSRP, the IP address of the LAN interface participating in VRRP is used as the tiebreaker. Because SW2 has the higher LAN IP address, it is the virtual router master. Therefore, SW2 is still the virtual router master for group 20 even though its priority is being decremented.
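The election just described (dynamic priority after the tracking decrement, highest priority wins, tie broken by the higher LAN IP address), modelled as an added example that is not part of the book. It uses the Figure 8-7 values; the owner-priority and no-preempt rules are standard VRRP behaviour added for completeness, and the helper names are this example's own.

```python
"""VRRP master election with object tracking, as an added model of the
situation in Trouble Ticket 8-5 (constructed example, not the book's code).
Rules used: current priority = configured priority minus the decrement of each
tracked object that is down (255 if the router owns the virtual IP); highest
priority wins and a tie goes to the highest LAN IP address."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

OWNER_PRIORITY = 255  # the router whose interface IP is the virtual IP


@dataclass
class VrrpRouter:
    name: str
    ip: str                         # LAN interface address running VRRP
    configured_priority: int = 100  # IOS default
    preempt: bool = True            # IOS default for VRRP
    # object id -> (decrement, object is up)
    tracked: Dict[int, Tuple[int, bool]] = field(default_factory=dict)

    def priority(self, virtual_ip: str) -> int:
        """Dynamic priority, i.e. the 'Priority is N (cfgd M)' line of show vrrp."""
        if self.ip == virtual_ip:
            return OWNER_PRIORITY
        pri = self.configured_priority
        for decrement, is_up in self.tracked.values():
            if not is_up:
                pri -= decrement
        return max(pri, 1)


def elect_master(routers: List[VrrpRouter], virtual_ip: str,
                 current_master: Optional[str] = None) -> str:
    """Name of the router that ends up master. A backup with preemption
    disabled does not displace a still-running master."""
    def rank(r: VrrpRouter):
        return (r.priority(virtual_ip), int(IPv4Address(r.ip)))
    best = max(routers, key=rank)
    if current_master and best.name != current_master and not best.preempt:
        return current_master
    return best.name


def trouble_ticket_8_5(decrement: int, uplink_up: bool) -> dict:
    """Figure 8-7 values: SW1 10.1.1.65 (priority 100), SW2 10.1.1.66
    (configured 110, tracking object 1 = Gi1/0/2), virtual IP 10.1.1.126."""
    vip = "10.1.1.126"
    sw1 = VrrpRouter("SW1", "10.1.1.65", configured_priority=100)
    sw2 = VrrpRouter("SW2", "10.1.1.66", configured_priority=110,
                     tracked={1: (decrement, uplink_up)})
    return {"SW1": sw1.priority(vip), "SW2": sw2.priority(vip),
            "master": elect_master([sw1, sw2], vip, current_master="SW2")}


def smallest_failover_decrement(sw1_priority: int, sw2_configured: int) -> int:
    """Smallest decrement that makes SW2 lose the election to SW1 when the
    tracked object is down (SW2 holds the higher IP, so a tie is not enough)."""
    return sw2_configured - sw1_priority + 1


if __name__ == "__main__":
    for dec, up in ((10, False), (11, False), (11, True)):
        state = "up" if up else "down"
        print(f"decrement {dec:2d}, uplink {state:4s}: {trouble_ticket_8_5(dec, up)}")
    print("minimum decrement for failover:", smallest_failover_decrement(100, 110))
```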

How can you make sure that SW1 takes over as the virtual router master if the uplink between SW3 and SW2 fails? In this case, make sure that the priority of SW2 is dropped below that of SW1. Therefore, you issue the vrrp track 1 decrement 11 command in interface VLAN 20 configuration mode. As soon as you do this, a syslog message is displayed on SW2, as follows:

%VRRP-6-STATECHANGE: Vl20 Grp 20 state Master -> Backup

On SW1, the following syslog message is displayed:

%VRRP-6-STATECHANGE: Vl20 Grp 20 state Backup -> Master

You now reissue the tracert command on PC1 to verify the first hop, as shown in Example 8-58. It is now SW1.

Example 8-58 A Trace from PC1 Confirming That SW1 Is the First Hop (Master)
C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     2 ms     2 ms     2 ms  10.1.1.65
...output omitted...
Trace complete.

Next you enable the interface between SW3 and SW2 with the no shutdown command and receive the following syslog messages on SW2:

%TRACKING-5-STATE: 1 interface Gi1/0/2 line-protocol Down->Up
%VRRP-6-STATECHANGE: Vl20 Grp 20 state Backup -> Master

Because the interface is up, the tracking object is up, which means that SW2's priority goes back to 110, and SW2 becomes the virtual router master. You then reissue the tracert command on PC1 to verify the first hop, as shown in Example 8-59. It is now SW2.

Example 8-59 A Trace from PC1 Confirming That SW2 Is the First Hop (Master)
C:\PC1>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     2 ms     2 ms     2 ms  10.1.1.66
...output omitted...
Trace complete.

Troubleshooting GLBP
Whereas HSRP can only have one active forwarder for each group, Gateway Load Balancing Protocol (GLBP) can have multiple forwarders for each group. Therefore, GLBP can load balance traffic destined for a next-hop gateway across a collection of routers within the GLBP group. This section explains the GLBP active virtual gateway (AVG) and active virtual forwarder (AVF) concepts and how to verify and troubleshoot issues related to GLBP.

Reviewing GLBP
With GLBP, there is one AVG and up to four AVFs in a group. The AVG is responsible for handing out the AVF MAC addresses to the hosts in the LAN. Therefore, it is responsible for replying to ARP requests for the MAC address of the default gateway. The AVFs are responsible for processing the frames that are sent to their MAC address. Note that the AVG is usually an AVF as well. Figure 8-8 shows a GLBP topology example. As you can see from Figure 8-8, R1 is the AVG, and R1 and R2 are AVFs. The virtual router IP address that will be used as the default gateway on all the hosts is 10.1.1.62. When Workstation A sends an ARP request for the MAC address of 10.1.1.62, R1 (AVG) responds with the MAC of 0007.b400.0a01. When Workstation B sends an ARP request for the MAC address of 10.1.1.62, R1 (AVG) responds with the MAC of 0007.b400.0a02. Workstation A sends default gateway destined traffic to R1, and Workstation B sends default gateway destined traffic to R2. The next workstation that sends an ARP request will get 0007.b400.0a01, then the next 0007.b400.0a02, and so on. This is the default behavior known as round-robin, which can be changed with the glbp group_id load-balancing interface configuration command. The other options are host-dependent and weighted.

[Figure 8-8 Basic GLBP Operation: R1 (Gi0/0 10.1.1.1, Active Virtual Gateway and Active Virtual Forwarder, virtual MAC 0007.b400.0a01) and R2 (Gi0/0 10.1.1.2, AVF, virtual MAC 0007.b400.0a02) share GLBP IP address 10.1.1.62 and uplink (Gi3/0) to the core. Workstation A (10.1.1.10) and Workstation B (10.1.1.20) each send an ARP request for next-hop gateway 10.1.1.62 and receive an ARP reply with a MAC of 0007.b400.0a01 and 0007.b400.0a02, respectively.]

Figure 8-8 Basic GLBP Operation

Examples 8-60 and 8-61 show the possible GLBP configurations for routers R1 and R2.

Example 8-60 Possible GLBP Configuration on Router R1
R1#show run interface gigabitethernet 0/0
Building configuration...

Current configuration : 269 bytes
!

interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.192
 glbp 10 ip 10.1.1.62
 glbp 10 priority 150
 glbp 10 preempt
 glbp 10 weighting 110 lower 90 upper 100
 glbp 10 load-balancing weighted
end

Example 8-61 Possible GLBP Configuration on Router R2
R2#show run interface gigabitethernet 0/0
Building configuration...

Current configuration : 237 bytes
!
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.192
 glbp 10 ip 10.1.1.62
 glbp 10 preempt
 glbp 10 weighting 100 lower 80
 glbp 10 load-balancing weighted
end

Notice that both routers R1 and R2 have been configured with the same virtual IP address of 10.1.1.62 for GLBP group 10. Router R1 is configured to be the AVG with a higher priority using the glbp 10 priority 150 command. Router R2 has a default GLBP priority of 100, and with GLBP, higher-priority values are more preferable. Also, notice that both routers are configured with the glbp 10 preempt command. This ensures that the router with the higher priority will be the AVG. Remember that preemption is not enabled by default for the AVG election process.

The last two commands in Examples 8-60 and 8-61 relate to the AVFs: how their MAC addresses will be handed out to hosts on the LAN by the AVG, and whether they will be allowed to forward traffic. By default, the MACs will be handed out in a round-robin fashion. However, in these examples, load balancing has been configured to weighted. This means that the initial weighting value defined in the glbp 10 weighting command will determine the ratio that will be used to hand out MAC addresses. In this case, the AVG will hand out the MAC addresses in a 110:100 ratio, or 11:10 ratio. This means that R1's virtual MAC address will be given to clients 11 times for every 10 times that R2's virtual MAC address will be given out. Therefore, R1 will handle more hosts on average than R2.

The lower and upper values are related to when the AVF will lose its ability to forward traffic for its virtual MAC address and when it will regain its ability to forward traffic for its virtual MAC address. Referring to Example 8-60 again, notice that R1's lower limit is 90. This means that R1 will lose its ability to forward traffic for its virtual MAC address if its weighting drops below 90. It will regain its ability to forward traffic for its virtual MAC address if its weighting goes back above 100. The initial weighting

value is 110. Notice that R2 in Example 8-61 has no upper weighting, which means that it is the same as the initial weighting.

GLBP Verification and Troubleshooting
When verifying a GLBP configuration or troubleshooting a GLBP issue, begin by determining the following information about the GLBP group under inspection:
■ Which router is the AVG?
■ Which routers are the AVFs?
■ How was the AVG chosen?
■ Which routers, if any, are configured with the preempt option?
■ What is the IP address of the virtual router?
■ What are the AVFs' virtual MAC addresses?
■ Is object tracking on?

The show glbp brief command displays a great deal of GLBP information. Examples 8-62 and 8-63 provide samples of the show glbp brief command.

Example 8-62 show glbp brief Command Output on Router R1
R1#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    150  Active   10.1.1.62       local           10.1.1.2
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Listen   0007.b400.0a02  10.1.1.2        -

Example 8-63 show glbp brief Command Output on Router R2
R2#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    100  Standby  10.1.1.62       10.1.1.1        local
Gi0/0       10   1    -    Listen   0007.b400.0a01  10.1.1.1        -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -

The output identifies the interfaces that are participating in a GLBP group. It identifies who the AVFs are under the Fwd column. The – refers to the AVG information, in this case the top row, and the numbers 1 and 2 refer to the AVFs in the group. The Pri column is used to display the priority used during the AVG election process. The State column identifies the state of the device for the group. If it is the AVG row, Active means that it is the AVG, and Standby means that it is waiting to become the AVG if the AVG fails. For the second and third rows, it is referring to the state of the AVF. In these examples, Active means that the router is forwarding for the virtual MAC address in the Address column. Listen means that the router is waiting to take over the forwarding process for the virtual MAC address in the Address column if the router listed in the Active router column is no longer able to forward traffic for the virtual MAC address.

The show glbp command output provides significant details about the GLBP groups, as shown in Example 8-64. In the output, you can verify the group number and the interface associated with it. You can determine whether it is the AVG based on whether it is active or standby. Depending on the state of the device, you will be able to verify the active or standby router's IP address and its priority. You will also be able to see your current local priority and the configured priority. The virtual IP address, the hello and hold timers, and the status of preemption are also listed. This is a great command to verify the weighting values, the type of load balancing being used, and the members of the group, which are identified by their physical MAC address and the IP address associated with the interface participating in the GLBP group.

Example 8-64 show glbp Command Output on Router R1
R1#show glbp gigabitethernet0/0
GigabitEthernet0/0 - Group 10
  State is Active
    1 state change, last state change 00:31:34
  Virtual IP address is 10.1.1.62
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.568 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is 10.1.1.2, priority 100 (expires in 9.984 sec)
  Priority 150 (configured)
  Weighting 110 (configured 110), thresholds: lower 90, upper 100
    Track object 1 state Up decrement 25
  Load balancing: weighted
  Group members:
    ca12.0854.0008 (10.1.1.2)
    ca13.0854.0008 (10.1.1.1) local
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Active
      3 state changes, last state change 00:03:35
    MAC address is 0007.b400.0a01 (default)
    Owner ID is ca13.0854.0008
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 110
  Forwarder 2
    State is Listen
    MAC address is 0007.b400.0a02 (learnt)
    Owner ID is ca12.0854.0008
    Redirection enabled, 600.000 sec remaining (maximum 600 sec)
    Time to live: 14400.000 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 10.1.1.2 (primary), weighting 100 (expires in 11.232 sec)

Still referring to Example 8-64, focus on the area related to the forwarders. This information is related to the AVFs in the group. In this case, you can verify that there are two AVFs. This router is currently active for Forwarder 1, meaning that it is forwarding for the MAC address 0007.b400.0a01 that is listed. It also states who the current owner of the virtual MAC address is, based on the physical MAC address of the device. The owner is the device currently responsible for forwarding traffic for the virtual MAC address. R1 is in the listen state for Forwarder 2, meaning that it is waiting for the current owner of the virtual MAC 0007.b400.0a02 to no longer be able to forward for the MAC so that it can take over.

Virtual Router MAC Addresses
The default virtual MAC address for the AVFs in a GLBP group, as shown in Figure 8-9, is based on the group number and the AVF forwarder ID within the group. Specifically, the virtual MAC address for a GLBP group begins with a well-known GLBP code of 0007.b400. The next two hexadecimal digits represent the group number. The last two hexadecimal digits represent the forwarder ID within the group. For example, a GLBP group of 43 yields a default virtual MAC address for AVF 1 of 0007.b400.2b01, because 43 in decimal equates to 2b in hexadecimal. For AVF 2, it would be 0007.b400.2b02, and for AVF 3, it would be 0007.b400.2b03.

[Figure 8-9 GLBP Virtual MAC Address: for GLBP Group 43, 0007.b400.2b02 breaks down as the GLBP well-known code (0007.b400), the group ID number in hex (2b), and the AVF number (02).]

Figure 8-9 GLBP Virtual MAC Address

GLBP Object Tracking
As with VRRP, GLBP will only detect a failure of the device itself or of the path that is used by the hello packets. That is perfectly fine for the AVG, because a failure of an uplink outside the LAN will not affect the AVG, as hello packets are still exchanged successfully. Well, what about the AVFs? If the uplinks fail and the AVG is still reachable, the AVF cannot forward packets for the virtual IP and MAC it owns. This is where object tracking comes into play for the AVFs. Object tracking allows you to control the weighting of an AVF in a GLBP group based on the status of an object. The object can be IP-related information such as a route, the status of an SLA probe, a group of objects, or the status of an interface. If the object is anything but up, the weight of the router can be decremented to a value that is lower than a configured threshold so that another AVF can forward on behalf of the router that cannot. You can use the show glbp command to verify whether object tracking is configured, and the state of the tracked object, as shown in Example 8-65.

Example 8-65 show glbp Command Output on Router R1
R1#show glbp
GigabitEthernet0/0 - Group 10
  State is Active
    1 state change, last state change 00:31:34
  Virtual IP address is 10.1.1.62
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.568 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is 10.1.1.2, priority 100 (expires in 9.984 sec)
  Priority 150 (configured)
  Weighting 110 (configured 110), thresholds: lower 90, upper 100
    Track object 1 state Up decrement 25
  Load balancing: weighted
  Group members:
    ca12.0854.0008 (10.1.1.2)
    ca13.0854.0008 (10.1.1.1) local
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Active
      3 state changes, last state change 00:03:35
    MAC address is 0007.b400.0a01 (default)
    Owner ID is ca13.0854.0008
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 110
  Forwarder 2
    State is Listen
    MAC address is 0007.b400.0a02 (learnt)
    Owner ID is ca12.0854.0008
    Redirection enabled, 600.000 sec remaining (maximum 600 sec)
    Time to live: 14400.000 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 10.1.1.2 (primary), weighting 100 (expires in 11.232 sec)

In the case of Example 8-65, you can see that the tracked object 1 is in a state of up. However, if the tracked object goes down, the weighting will be decremented by 25, and as a result, the weighting will be lower than the lower threshold of 90 and R1 will no longer be able to be the AVF for MAC 0007.b400.0a01. AVF 2, which is R2, will have to forward for both MAC addresses at this point. If you need to find out what the tracked object is specifically so that you can troubleshoot further, use the command show track, as shown in Example 8-66. In this output, the line protocol of interface Gigabit Ethernet 3/0 is being tracked by GLBP.
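The weighting arithmetic above (110 – 25 = 85, below the lower threshold of 90, and forwarding regained only above the upper threshold of 100), together with the weighted 110:100 hand-out of AVF MACs from Examples 8-60 and 8-61, as an added model that is not the book's code. The threshold hysteresis follows the chapter's description; the scheduler used for the weighted ARP replies is an assumption, only the ratio comes from the text.

```python
"""GLBP AVF weighting with object tracking, as an added model of R1's
configuration in Example 8-60 (weighting 110 lower 90 upper 100) and the
tracked-object decrement of 25 in Example 8-65. Not the book's code; the
scheduler used for the weighted ARP replies is an assumption, only the
110:100 ratio comes from the chapter."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AvfWeighting:
    name: str
    configured: int
    lower: int
    upper: Optional[int] = None                # omitted upper == configured weighting
    decrements: Dict[int, int] = field(default_factory=dict)  # track object -> decrement
    down_objects: Set[int] = field(default_factory=set)
    forwarding: bool = True

    def __post_init__(self) -> None:
        if self.upper is None:
            self.upper = self.configured

    @property
    def weighting(self) -> int:
        """Current weighting as shown by 'Weighting N (configured M)'."""
        return self.configured - sum(self.decrements[o] for o in self.down_objects)

    def track(self, obj: int, is_up: bool) -> bool:
        """Apply a tracked-object change and return whether this AVF may still
        forward for its virtual MAC. Forwarding is lost when the weighting drops
        below 'lower' and regained only once it rises above 'upper'; a value in
        between keeps whatever state the AVF already had."""
        if is_up:
            self.down_objects.discard(obj)
        else:
            self.down_objects.add(obj)
        w = self.weighting
        if self.forwarding and w < self.lower:
            self.forwarding = False
        elif not self.forwarding and w > self.upper:
            self.forwarding = True
        return self.forwarding


def r1_uplink_flap() -> List[Tuple[str, int, bool]]:
    """Gi3/0 (track object 1, decrement 25) on R1 goes down and comes back."""
    r1 = AvfWeighting("R1", configured=110, lower=90, upper=100, decrements={1: 25})
    log = [("initial", r1.weighting, r1.forwarding)]
    r1.track(1, False)
    log.append(("Gi3/0 down", r1.weighting, r1.forwarding))   # 85 < 90: stops forwarding
    r1.track(1, True)
    log.append(("Gi3/0 up", r1.weighting, r1.forwarding))     # 110 > 100: forwards again
    return log


def hysteresis_demo() -> List[Tuple[int, bool]]:
    """Two tracked objects (decrements 25 and 15, constructed): once forwarding
    is lost, a weighting of 95 is not enough to regain it (not above 100)."""
    r1 = AvfWeighting("R1", configured=110, lower=90, upper=100,
                      decrements={1: 25, 2: 15})
    steps = []
    for obj, is_up in ((1, False), (2, False), (1, True), (2, True)):
        r1.track(obj, is_up)
        steps.append((r1.weighting, r1.forwarding))   # 85/F, 70/F, 95/F, 110/T
    return steps


def weighted_arp_replies(weights: Dict[str, int], requests: int) -> Dict[str, int]:
    """How many times the AVG hands out each AVF MAC under weighted load
    balancing. Smooth weighted round-robin is assumed; over one full cycle
    (sum of the weights) each MAC is returned exactly 'weight' times."""
    credit = {mac: 0 for mac in weights}
    handed = {mac: 0 for mac in weights}
    total = sum(weights.values())
    for _ in range(requests):
        for mac, w in weights.items():
            credit[mac] += w
        chosen = max(credit, key=credit.get)
        credit[chosen] -= total
        handed[chosen] += 1
    return handed


if __name__ == "__main__":
    for step in r1_uplink_flap():
        print(step)
    print(weighted_arp_replies({"0007.b400.0a01": 110, "0007.b400.0a02": 100}, 210))
```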

Example 8-66 show track Command Output on R1
R1#show track
Track 1
  Interface GigabitEthernet3/0 line-protocol
  Line protocol is Up
    3 changes, last change 00:05:56
  Tracked by:
    GLBP GigabitEthernet0/0 10

Verifying GLBP First Hop
Once you know the current GLBP configuration, you might then check to see whether a host on the GLBP virtual IP address's subnet can ping the virtual IP address. Based on the topology previously shown in Figure 8-8, Example 8-67 shows a successful ping from Workstation A.

Example 8-67 Ping Test from Workstation A to the GLBP Virtual IP Address
C:\>ping 10.1.1.62

Pinging 10.1.1.62 with 32 bytes of data:
Reply from 10.1.1.62: bytes=32 time=1ms TTL=255
Reply from 10.1.1.62: bytes=32 time=2ms TTL=255
Reply from 10.1.1.62: bytes=32 time=1ms TTL=255
Reply from 10.1.1.62: bytes=32 time=1ms TTL=255

Ping statistics for 10.1.1.62:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

However, that does not prove that we are using the virtual MAC address and GLBP successfully. Therefore, you should also verify that the virtual MAC address learned by the client corresponds to the virtual MAC address reported by the GLBP AVG. Example 8-68 shows Workstation A's ARP cache entry for the GLBP virtual IP address of 10.1.1.62. Notice in the output that the MAC address learned via ARP does match the GLBP virtual MAC address of the first AVF.

Example 8-68 Workstation A's ARP Cache
C:\>arp -a

Interface: 10.1.1.10 --- 0x4
  Internet Address      Physical Address      Type
  10.1.1.62             00-07-b4-00-0a-01     dynamic
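The ARP cache check just performed, and the same check in Trouble Ticket 8-4 for VRRP, come down to decoding the gateway's MAC into the FHRP formats the chapter describes (GLBP 0007.b400 + group + forwarder ID from the Virtual Router MAC Addresses section, VRRP 0000.5e00.01 + group). This added example, not from the book, automates that decoding over constructed arp -a output modelled on Examples 8-48, 8-52 and 8-68.

```python
"""Decoding FHRP virtual MAC addresses and checking a client's ARP cache.
Added example (not the book's code) for the GLBP format described in the
Virtual Router MAC Addresses section (0007.b400 + group + forwarder ID) and the
VRRP format seen in the ARP checks (0000.5e00.01 + group). The arp -a text
below is constructed from the chapter's examples."""
import re
from typing import Dict, Optional

GLBP_CODE = "0007b400"     # well-known GLBP code, then group (2 hex), forwarder (2 hex)
VRRP_CODE = "00005e0001"   # VRRP prefix, then group (2 hex)


def normalize_mac(mac: str) -> str:
    """Accept 0007.b400.0a01, 00-07-b4-00-0a-01 or 00:07:b4:00:0a:01."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def cisco_format(digits: str) -> str:
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def glbp_virtual_mac(group: int, forwarder: int) -> str:
    """Default AVF MAC for a GLBP group (group and forwarder as two hex digits
    each, as in Figure 8-9; GLBP allows at most four forwarders per group)."""
    if not 0 <= group <= 255 or not 1 <= forwarder <= 4:
        raise ValueError("group must be 0-255 and forwarder 1-4 for this format")
    return cisco_format(f"{GLBP_CODE}{group:02x}{forwarder:02x}")


def vrrp_virtual_mac(group: int) -> str:
    if not 1 <= group <= 255:
        raise ValueError("VRRP group must be 1-255")
    return cisco_format(f"{VRRP_CODE}{group:02x}")


def decode_virtual_mac(mac: str) -> Dict[str, Optional[int]]:
    """Classify a MAC as a GLBP AVF MAC, a VRRP group MAC, or neither."""
    digits = normalize_mac(mac)
    if digits.startswith(GLBP_CODE):
        return {"protocol": "GLBP", "group": int(digits[8:10], 16),
                "forwarder": int(digits[10:12], 16)}
    if digits.startswith(VRRP_CODE):
        return {"protocol": "VRRP", "group": int(digits[10:12], 16)}
    return {"protocol": None}   # a physical (burned-in) address


ARP_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+",
    re.IGNORECASE)


def check_gateway_arp(arp_output: str, gateway_ip: str) -> dict:
    """Locate the gateway's entry in Windows 'arp -a' output and decode its MAC,
    which answers the chapter's question: is the client really using the FHRP
    virtual MAC, and for which group and forwarder?"""
    for line in arp_output.splitlines():
        m = ARP_ENTRY.match(line)
        if m and m.group(1) == gateway_ip:
            digits = normalize_mac(m.group(2))
            info = decode_virtual_mac(digits)
            info["mac"] = cisco_format(digits)
            return info
    return {"protocol": None, "mac": None}   # gateway not in the cache at all


# Constructed arp -a output modelled on Examples 8-48, 8-52 and 8-68.
PC1_WRONG_GATEWAY = """Interface: 10.1.1.74 --- 0x2
  Internet Address      Physical Address      Type
  10.1.1.65             28-93-fe-3a-e3-43     dynamic
"""
PC1_FIXED = """Interface: 10.1.1.74 --- 0x2
  Internet Address      Physical Address      Type
  10.1.1.66             00-00-5e-00-01-14     dynamic
"""
WORKSTATION_A = """Interface: 10.1.1.10 --- 0x4
  Internet Address      Physical Address      Type
  10.1.1.62             00-07-b4-00-0a-01     dynamic
"""

if __name__ == "__main__":
    print(glbp_virtual_mac(43, 2))                             # 0007.b400.2b02
    print(check_gateway_arp(PC1_WRONG_GATEWAY, "10.1.1.65"))   # SW1's physical MAC
    print(check_gateway_arp(PC1_FIXED, "10.1.1.66"))           # VRRP group 20
    print(check_gateway_arp(WORKSTATION_A, "10.1.1.62"))       # GLBP group 10, AVF 1
```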

However, as discussed with HSRP and VRRP, one of the best tools to use with FHRPs to verify the path is traceroute. With traceroute, from the client, you can identify the physical first-hop router that the packets are traversing. Example 8-69 displays the tracert command executed on Workstation A. Notice that it states that the first hop is 10.1.1.1. This is the IP address of R1's Gig0/0 interface. Example 8-70 displays the tracert command executed on Workstation B. Notice that it states that the first hop is 10.1.1.2. This is the IP address of R2's Gig0/0 interface. But remember that in both cases the workstations are configured to use the virtual IP 10.1.1.62 and are dynamically provided a virtual MAC address based on the AVG load-balancing method.

Example 8-69 A Trace from Workstation A Confirming That R1 Is the First Hop (AVF)
C:\>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     2 ms     2 ms     2 ms  10.1.1.1
...output omitted...
Trace complete.

Example 8-70 A Trace from Workstation B Confirming That R2 Is the First Hop (AVF)
C:\>tracert 192.0.2.1

Tracing route to 192.0.2.1 over a maximum of 30 hops
  1     2 ms     2 ms     2 ms  10.1.1.2
...output omitted...
Trace complete.

GLBP Trouble Tickets
This section presents various trouble tickets relating to the topics discussed earlier in the chapter. The purpose of these trouble tickets is to give a process that you can follow when troubleshooting in the real world or in an exam environment. All trouble tickets in this section are based on the topology depicted in Figure 8-10.

Figure 8-10 GLBP Trouble Ticket Topology (R1 Gi0/0 10.1.1.1, Active Virtual Gateway (AVG) and Active Virtual Forwarder (AVF) for virtual MAC 0007.b400.0a01; R2 Gi0/0 10.1.1.2, AVF for virtual MAC 0007.b400.0a02; GLBP IP address 10.1.1.62; both routers uplink to the Core toward 192.0.2.1; Workstation A 10.1.1.10 uses next-hop GW 10.1.1.62 with a MAC of 0007.b400.0a01, and Workstation B 10.1.1.20 uses next-hop GW 10.1.1.62 with a MAC of 0007.b400.0a02)

Trouble Ticket 8-6

Problem: A junior administrator has stated that GLBP is behaving strangely. With a puzzled look on your face, you ask the junior admin to show you what she means. The junior admin provides the output shown in Example 8-71 and Example 8-72. You review them, and then ask the junior administrator to explain.

Example 8-71 Output of show glbp brief on R1

R1#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    150  Active   10.1.1.62       local           unknown
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -

Example 8-72 Output of show glbp brief on R2

R2#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    100  Active   10.1.1.62       local           unknown
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -

The junior administrator indicates that R1 and R2 are both in group 10. In addition, they are both indicating that they are the AVG for the virtual address 10.1.1.62. However, R1 has a priority of 150, and R2 has a priority of 100. R1 and R2 are both stating that they are the AVFs for the MAC addresses listed.

You then ask the junior admin, "Why would they both consider themselves as the AVG and AVFs?" The junior admin replies, "They don't know each other is on the LAN and participating in GLBP group 10." You grin and state, "That is correct. Now find out why!" The junior admin issues the command show glbp on R1 and R2, as displayed in Examples 8-73 and 8-74, and reviews them hoping to spot the difference. Do you see it?

Example 8-73 Output of show glbp on R1

R1#show glbp
GigabitEthernet0/0 - Group 10
  State is Active
    8 state changes, last state change 00:23:29
  Virtual IP address is 10.1.1.62
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.288 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Authentication text, string "TSHOOT"
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is unknown
  Priority 150 (configured)
...output omitted...

Example 8-74 Output of show glbp on R2

R2#show glbp
GigabitEthernet0/0 - Group 10
  State is Active
    3 state changes, last state change 00:21:32
  Virtual IP address is 10.1.1.62
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.592 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Authentication MD5, key-string
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is unknown
  Priority 100 (default)
...output omitted...

At this point, the junior admin spots the difference. The output confirms that both R1 and R2 are the AVG for group 10 because it states "State is Active" near the top. The virtual IP is the same at 10.1.1.62. The timers are the same, although they do not have to be as long as they do not cause flapping neighbor relationships. They are both using authentication, but the type of authentication does not match. R1 is using plain-text GLBP authentication, and R2 is using message digest 5 (MD5) GLBP authentication. Therefore, they know each other is there, but because they cannot

authenticate each other, they consider each other to be rogue GLBP devices and will not accept the GLBP information from each other.

Your security policy states to use MD5 authentication, so you change R1 with the command glbp 10 authentication md5 key-string TSHOOT in interface configuration mode. You then check the output of show glbp brief on R1 and R2, as shown in Examples 8-75 and 8-76, to verify whether the output has changed. R1 is the AVG and AVF for the first MAC, and R2 is standby and the AVF for the second MAC.

Example 8-75 Output of show glbp brief on R1

R1#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    150  Active   10.1.1.62       local           10.1.1.2
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Listen   0007.b400.0a02  10.1.1.2        -

Example 8-76 Output of show glbp brief on R2

R2#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    100  Standby  10.1.1.62       10.1.1.1        local
Gi0/0       10   1    -    Listen   0007.b400.0a01  10.1.1.1        -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -

Trouble Ticket 8-7

Problem: The uplink has failed between R2 and the core. However, R2 is still the AVF for MAC 0007.b400.0a02 when it should be R1.

Let's shoot from the hip this time! Brainstorm: Uplink failed + R2 still AVF when it should not be = object tracking and weight issue? Let's use the show glbp command to see what the weight of R2 is and whether object tracking is enabled. Example 8-77 displays the output of show glbp on R2, and it clearly indicates that we are tracking object 1, which is down, and when it is down, the weighting will be decremented by 20. It has been, because the configured weight is 100 and the current weight is 80. However, R2's weighting still has not passed the lower threshold. Therefore, it will still be the AVF for the MAC address assigned to it by the AVG.

Example 8-77 Output of show glbp on R2

R2#show glbp
GigabitEthernet0/0 - Group 10
  State is Standby
    10 state changes, last state change 00:20:58
  Virtual IP address is 10.1.1.62

  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.736 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Authentication MD5, key-string
  Preemption enabled, min delay 0 sec
  Active is 10.1.1.1, priority 150 (expires in 8.480 sec)
  Standby is local
  Priority 100 (default)
  Weighting 80 (configured 100), thresholds: lower 80, upper 100
    Track object 1 state Down decrement 20
  Load balancing: weighted

To solve this problem, you need to modify the glbp 10 weighting track 1 command so that the decrement is greater than 20 (for example, glbp 10 weighting track 1 decrement 21). When you do so, R1 will be the AVF for both MACs. On R1, you can confirm this with the show glbp brief command, as shown in Example 8-78.

Example 8-78 Output of show glbp brief on R1

R1#show glbp brief
Interface   Grp  Fwd  Pri  State    Address         Active router   Standby router
Gi0/0       10   -    150  Active   10.1.1.62       local           10.1.1.2
Gi0/0       10   1    -    Active   0007.b400.0a01  local           -
Gi0/0       10   2    -    Active   0007.b400.0a02  local           -

Comparing HSRP, VRRP, and GLBP

As you have witnessed in this chapter, HSRP, VRRP, and GLBP are very similar. The output provided by the show commands is similar as well, making them easy to troubleshoot for most. It is important to note that the issues will be similar with these FHRPs. However, although HSRP, VRRP, and GLBP have commonalities, it is important for you as a troubleshooter to understand the differences to make sure that you are troubleshooting as efficiently as possible. Table 8-2 compares several characteristics of these FHRPs.

Table 8-2 Comparing HSRP, VRRP, and GLBP

Characteristic                                        HSRP         VRRP        GLBP
Cisco proprietary.                                    Yes          No          Yes
Interface IP address can act as virtual IP address.   No           Yes         No
More than one router in a group can simultaneously    No           No          Yes
  forward traffic for that group.
Hello timer default value.                            3 seconds    1 second    3 seconds

Characteristic                                        HSRP                 VRRP             GLBP
Hold timer default value.                             10 seconds           3 seconds        10 seconds
Preemption enabled by default.                        No                   Yes              No for AVG, Yes for AVFs
Default priority.                                     100                  100              100
Default weight.                                       —                    —                100
Authentication supported.                             Yes                  Yes              Yes
Multicast address.                                    V1: 224.0.0.2        224.0.0.18       224.0.0.102
                                                      V2: 224.0.0.102
Virtual MAC address.                                  V1: 0000.0c07.acxx   0000.5e00.01xx   0007.b400.xxyy
                                                      V2: 0000.0c9f.fxxx                    (xx = group number)
                                                                                            (yy = AVF)

Exam Preparation Tasks

As mentioned in the section "How to Use This Book" in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, "Final Preparation," and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 8-3 lists a reference of these key topics and the page numbers on which each is found.

Table 8-3 Key Topics for Chapter 8

Key Topic Element   Description                                                                       Page Number
Paragraph           Describes how to configure an HSRP group and explains priority and preempt        291
List                Identifies HSRP parameters that should be verified while troubleshooting          292
                    HSRP issues
Example 8-3         show standby brief command output on Router R1                                    292
Figure 8-2          HSRPv1 virtual MAC address                                                        293
Section             Interface tracking                                                                293
Section             Verifying first hop                                                               294
Section             Reviewing VRRP                                                                    306
List                Identifies VRRP parameters that should be verified while troubleshooting issues   308
Example 8-36        show vrrp brief command output on router SW1                                      308
Figure 8-5          VRRP virtual MAC address                                                          309
Section             Object tracking                                                                   309
Section             Verifying first hop                                                               310
Section             Reviewing GLBP                                                                    319
List                Identifies GLBP parameters that should be verified while troubleshooting          321
                    GLBP issues
Example 8-62        show glbp brief command output on router SW1                                      321
Figure 8-9          GLBP virtual MAC address                                                          323
Section             GLBP object tracking                                                              323
Section             Verifying GLBP first hop                                                          325
Table 8-2           Comparing HSRP, VRRP, and GLBP                                                    330

Complete Tables and Lists from Memory

Print a copy of Appendix C, "Memory Tables," (found on the disc), or at least the section for this chapter, and complete the tables and lists from memory. Appendix D, "Memory Tables Answer Key," also on the disc, includes completed tables and lists to check your work.

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary: HSRP, virtual router, standby router, priority, preempt, interface tracking, virtual MAC address, VRRP, virtual master router, virtual router backup, object tracking, GLBP, AVG, AVF, active forwarder, weighting.

Command Reference to Check Your Memory

This section includes the most important show commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed.

To test your memory of the commands, cover the right side of Table 8-4 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.

The 300-135 TSHOOT exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to troubleshoot issues related to the topics covered in this chapter.

Table 8-4 show commands

Task                                                                          Command Syntax
Displays a summary of the HSRP standby group configuration on a switch       show standby brief
  or router
Displays details of the HSRP standby group configuration on a switch or      show standby interface_type interface_number
  router, including timers and tracked interfaces or objects
Displays the commands configured on a router or switch interface             show run interface_type interface_number
Displays a summary of the VRRP group configuration on a switch or router     show vrrp brief
Displays details of the VRRP group configuration on a switch or router,      show vrrp interface_type interface_number
  including timers and tracked objects
Displays the tracking objects configured on the router or switch             show track
Displays a summary of the GLBP group configuration on a switch or router     show glbp brief
Displays details of the GLBP group configuration on a router, including      show glbp interface_type interface_number
  timers, who the AVG is, who the AVFs are, in addition to tracked objects

This chapter covers the following topics:

■ Troubleshooting IPv4 Addressing: This section focuses on how you can verify that devices are addressed correctly in the network during your troubleshooting process.
■ Troubleshooting DHCP for IPv4: This section reviews the DHCP for IPv4 operations and identifies how you can successfully troubleshoot DHCP related issues.
■ Troubleshooting NAT: This section explains the reasons why NAT may not be translating addresses and how to recognize them.
■ IPv4 Addressing and Addressing Technologies Trouble Tickets: This section provides trouble tickets that demonstrate how you can use a structured troubleshooting process to solve a reported problem.

CHAPTER 9

Troubleshooting IPv4 Addressing and Addressing Technologies

Although IPv6 is currently being deployed, it is being done at a slow pace. Therefore, most networks are still relying on IPv4, and many new networks and network additions are being deployed with IPv4. Therefore, as a troubleshooter, you need the skills necessary to successfully identify issues related to improper IPv4 addressing on devices. It might be a bad address, subnet mask, or even the address of the default gateway.

Typically, when deploying IPv4 addresses, Dynamic Host Configuration Protocol (DHCP) will be used so that they can be dynamically assigned. However, with this dynamic process, issues may arise that prevent a device from successfully obtaining an IPv4 address from the DHCP server. Therefore, you need a solid understanding of how DHCP operates and how to identify the issues that would prevent a client from obtaining an IP address from a DHCP server.

Because RFC 1918 addresses are not routable on the Internet, Network Address Translation (NAT) is needed to translate IPv4 private addresses to public addresses that are routable on the Internet. This adds another bit of complexity to the environment that you need to know how to troubleshoot so that devices can access resources external to the organization.

This chapter covers the different methods that you can use to troubleshoot IPv4 addressing issues, DHCP for IPv4-related issues, and NAT issues.

"Do I Know This Already?" Quiz

The "Do I Know This Already?" quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 9-1 lists the major headings in this chapter and their corresponding "Do I Know This Already?" quiz questions. You can find the answers in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes."

Table 9-1 "Do I Know This Already?" Section-to-Question Mapping

Foundation Topics Section          Questions
Troubleshooting IPv4 Addressing    1–4
Troubleshooting DHCP for IPv4      5–7
Troubleshooting NAT                8–10

Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. What will occur when a PC with the IP address 10.1.1.27/28 needs to communicate with a PC that has an IP address of 10.1.1.18? (Choose two answers.)
a. It will ARP for the MAC address of the destination PC.
b. It will ARP for the MAC address of the default gateway.
c. It will send the frame directly to the destination PC.
d. It will send the frame to its default gateway.

2. What will occur when a PC with the IP address 10.1.1.27/29 needs to communicate with a PC that has an IP address of 10.1.1.18? (Choose two answers.)
a. It will ARP for the MAC address of the destination PC.
b. It will ARP for the MAC address of the default gateway.
c. It will send the frame directly to the destination PC.
d. It will send the frame to its default gateway.

3. Which command enables you to verify the IP address configured on a router's interface?
a. ipconfig
b. show ip interface
c. arp -a
d. show ip arp

4. Which command enables you to verify the IP address configured on a Windows PC interface?
a. ipconfig
b. show ip interface
c. arp -a
d. show ip arp

Chapter 9: Troubleshooting IPv4 Addressing and Addressing Technologies 337

5. What is the correct order of operations for the DHCP for IPv4 process?
a. Discover, Offer, Request, Ack
b. Request, Ack, Discover, Offer
c. Ack, Request, Offer, Discover
d. Offer, Discover, Request, Ack

6. Which command will enable a router interface to obtain an IP address from a DHCP server?
a. ip dhcp client
b. ip helper-address
c. ip address dhcp
d. ip dhcp server

7. Which command is needed on a router interface to forward DHCP Discover messages to a DHCP server on a different subnet?
a. ip address dhcp
b. ip dhcp server
c. ip dhcp-forwarder
d. ip helper-address

8. Which parameter is necessary in the ip nat inside source command to enable PAT?
a. pat
b. list
c. overload
d. private

9. Which command enables you to verify the interfaces that are configured for NAT?
a. show ip nat translations
b. show ip nat statistics
c. show ip nat interfaces
d. show ip nat

10. Which column in the output of show ip nat translations displays the address that source IPs have been translated to?
a. Inside Local
b. Inside Global
c. Outside Local
d. Outside Global

Foundation Topics

Troubleshooting IPv4 Addressing

Just like your personal street address uniquely defines where you live, an IPv4 address uniquely defines where a device resides in a network. Your street address is made of two parts, the street name and the number of your residence, and the combination of these will be unique within your city/town. As a result, the pizza delivery person is able to drop off your pizza at your house in 30 minutes or it is free. If your house is addressed incorrectly, you may or may not get your pizza. The same is true with IPv4 addressing. If devices are addressed incorrectly, they may or may not receive the packets that are intended for them. Therefore, it is imperative that you have a solid understanding of IPv4 addressing and how to verify that devices are addressed correctly on the network.

This section focuses on how we can troubleshoot IPv4 addressing issues.

IPv4 Addressing Issues

An IPv4 address is made up of two parts: a network/subnet portion and a host portion. It is imperative that all devices in the same network/subnet share the exact same network/subnet portion. If they are not exactly the same, the PC could end up addressing the Layer 2 frame incorrectly and sending the packet in the wrong direction, and we do not want that to happen. Refer to Figure 9-1, which shows a sample subnet (10.1.1.0/26) with two PCs and their default gateway.

Figure 9-1 Correct IPv4 Addressing Example (PC1 10.1.1.10 255.255.255.192, DG 10.1.1.1; PC2 10.1.1.20 255.255.255.192, DG 10.1.1.1; R1 10.1.1.1 on subnet 10.1.1.0/26, with 192.0.2.1 reachable beyond R1)

When PC1 needs to communicate with PC2, it does a DNS lookup for the IP address of PC2. The IP address 10.1.1.20 is returned. Now PC1 needs to determine whether PC2 is

located in the same subnet because this will determine whether the frame will have the MAC of PC2 or the MAC of the default gateway (DG). PC1 determines its network/subnet portion by comparing its IP address to its subnet mask in binary as follows:

00001010.00000001.00000001.00001010 – PC1 IP address in binary
11111111.11111111.11111111.11000000 – PC1 subnet mask in binary
-----------------------------------
00001010.00000001.00000001.00 – PC1 network/subnet ID
(The 1s in the subnet mask identify the network portion.)

Now PC1 compares the exact same binary bits to those binary bits in PC2's address as follows:

00001010.00000001.00000001.00 – PC1 network/subnet ID
00001010.00000001.00000001.00010100 – PC2 IP address in binary

Because the binary bits are the same, PC1 concludes that PC2 is in the same network/subnet; therefore, it can communicate directly with it and does not need to send the data to its default gateway. PC1 will create a frame with its own source MAC address and the MAC of PC2 as the destination.

Consider what occurs when PC1 needs to communicate with the web server at 192.0.2.1. It does a DNS lookup for the IP address of the web server. The IP address 192.0.2.1 is returned. Now PC1 needs to determine whether the web server is located in the same network/subnet. This will determine whether the frame will have the MAC of the web server or the MAC of the DG. PC1 determines its network/subnet portion by comparing its IP address to its subnet mask in binary as follows:

00001010.00000001.00000001.00001010 – PC1 IP address in binary
11111111.11111111.11111111.11000000 – PC1 subnet mask in binary
-----------------------------------
00001010.00000001.00000001.00 – PC1 network/subnet ID
(The 1s in the subnet mask identify the network portion.)

Now PC1 compares the exact same binary bits to those binary bits in the web server address as follows:

00001010.00000001.00000001.00 – PC1 network/subnet ID
11000000.00000000.00000010.00000001 – web server IP address in binary

PC1 concludes that the web server is in a different network/subnet, because the bits are not the same; therefore, to communicate with the web server, it needs to send the data to its default gateway. PC1 will create a frame with its own source MAC address and the MAC of R1 as the destination.

As you can see, accurate IP addressing is paramount for successful communication. Let's see what happens if PC1 is configured with the wrong subnet mask (255.255.255.240), as shown in Figure 9-2.

Figure 9-2 Incorrect IPv4 Addressing Example (PC1 10.1.1.10 255.255.255.240, DG 10.1.1.1; PC2 10.1.1.20 255.255.255.192, DG 10.1.1.1; R1 10.1.1.1 on subnet 10.1.1.0/26, with 192.0.2.1 reachable beyond R1)

PC1 determines its network/subnet portion by comparing its IP address to its subnet mask in binary as follows:

00001010.00000001.00000001.00001010 – PC1 IP address in binary
11111111.11111111.11111111.11110000 – PC1 subnet mask in binary
-----------------------------------
00001010.00000001.00000001.0000 – PC1 network/subnet ID

Now PC1 compares the exact same binary bits to those binary bits in PC2's address as follows:

00001010.00000001.00000001.0000 – PC1 network/subnet ID
00001010.00000001.00000001.00010100 – PC2 IP address in binary

PC1 concludes that PC2 is not in the same network/subnet, because the binary bits are not exactly the same; therefore, it cannot communicate directly with it and will need to send the frame to the router so that the router can route the packet to the subnet PC2 is in. However, the PCs are actually connected to the same subnet, and as a result we have an IPv4 addressing and connectivity issue.

Not only will an improper subnet mask cause issues, but an inappropriate IP address combined with the correct subnet mask will also cause issues. In addition, if the default gateway is not configured correctly on the PCs, packets will not be forwarded to the correct device when packets need to be sent to a different subnet.

As a troubleshooter, you need to be able to recognize these issues, or eliminate them as a possible issue quickly. You can verify the IP addressing information on a Windows PC using the ipconfig command and on a router or switch using the show ip interface interface_type interface_number command, as shown in Example 9-1.

Example 9-1 Verifying IP Addressing on a PC and on a Router

C:\>ipconfig

Windows IP Configuration

Ethernet adapter PC1:

   Connection-specific DNS Suffix . :

   IP Address. . . . . . . . . . . . : 2001:10::10
   IP Address. . . . . . . . . . . . : fe80::a00:27ff:fe5d:6d6%4
   IP Address. . . . . . . . . . . . : 10.1.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.192
   Default Gateway . . . . . . . . . : 10.1.1.1

R1#show ip interface gigabitEthernet 1/0
GigabitEthernet1/0 is up, line protocol is up
  Internet address is 10.1.1.1/26
...output omitted...

Determining IP Addresses Within a Subnet

You want to be quick! Here is a quick way to determine all the IP addresses that will be in a particular subnet. Refer to Figure 9-3 as you are exploring this method.

Figure 9-3 Determining IP Address Within a Subnet (PC1 10.1.1.10 255.255.255.192, DG 10.1.1.1; PC2 10.1.1.20 255.255.255.192, DG 10.1.1.1; R1 10.1.1.1 on subnet 10.1.1.0/26, with 192.0.2.1 reachable beyond R1)

Take the subnet mask and find the most interesting octet. This is where the last binary 1 would be. In this case, 255.255.255.192 would have the last binary 1 in the fourth octet, which is 192. Now, take 256 and subtract 192 from it. The result is 64. The number 64 represents the block size or the total number of addresses in that subnet. Our subnet in this case is 10.1.1.0/26, and because the block size is 64, this subnet would begin at 10.1.1.0/26 and end at 10.1.1.63/26, which is a total of 64 addresses. The next subnet would be 10.1.1.64/26 to 10.1.1.127/26. The third subnet would be 10.1.1.128/26 to 10.1.1.191/26 and so on.

Now you can compare the addresses of devices with the subnet ranges you just identified. PC1, PC2, and an interface on R1 are supposed to be in the same subnet, so they better all be addressed correctly or communication will not occur correctly. For example, if you are reviewing the output of ipconfig on PC1, as shown in Example 9-2, you can easily see that PC1 is not in the same subnet as R1 and PC2. Although they have the same subnet mask, now that you have the ranges, in this case PC1 falls in the range 10.1.1.64/26 to 10.1.1.127/26, whereas PC2 and the default gateway fall in the

range 10.1.1.0/26 to 10.1.1.63/26. Therefore, PC1 is in a different network/subnet, when it should be in the same according to Figure 9-3. You will have to fix the address on PC1 so that it is within the correct network/subnet.

Example 9-2 Verifying IP Addressing on PC with the ipconfig Command

C:\>ipconfig

Windows IP Configuration

Ethernet adapter PC1:

   Connection-specific DNS Suffix . :
   IP Address. . . . . . . . . . . . : 2001:10::10
   IP Address. . . . . . . . . . . . : fe80::a00:27ff:fe5d:6d6%4
   IP Address. . . . . . . . . . . . : 10.1.1.74
   Subnet Mask . . . . . . . . . . . : 255.255.255.192
   Default Gateway . . . . . . . . . : 10.1.1.1

Troubleshooting DHCP for IPv4

Dynamic Host Configuration Protocol (DHCP) serves as one of the most common methods of assigning IPv4 address information to a network host. Specifically, DHCP allows a DHCP client to obtain an IP address, subnet mask, default gateway IP address, DNS server IP address, and other types of IP address information from a DHCP server. Because it is the most common way to deploy IPv4 addresses, you need to be well versed in the DHCP process and able to recognize issues related to DHCP.

This section explains how DHCP operates and focuses on how to identify DHCP-related issues.

Reviewing DHCP Operations

If you have a cable modem, digital subscriber line (DSL), or fiber connection in your home, your router more than likely obtains its IP address from your service provider via DHCP. The router is also acting as a DHCP server for the devices in your home. In corporate networks, when a PC boots, that PC receives its IP address configuration information from a corporate DHCP server. The DHCP server can be local within the subnet, in a remote subnet, or the same device that is also the default gateway. Figure 9-4 illustrates the exchange of messages (Discover, Offer, Request, Acknowledgment [DORA] process) that occur as a DHCP client obtains IP address information from a DHCP server.
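The binary comparison from "IPv4 Addressing Issues" and the block-size method from "Determining IP Addresses Within a Subnet," carried out in code. This is an added example, not code from the book: it reproduces the Figure 9-1, 9-2 and 9-3 scenarios (addresses taken from the figures) and also generalizes the block-size method to masks whose last 1 bit sits in an earlier octet, such as 255.255.255.0.

```python
"""Subnet checks for the scenarios in Figures 9-1, 9-2 and 9-3.

Added example, not code from the book. It reproduces PC1's decision from the
text (same network/subnet bits: frame the peer's MAC; different: frame the
default gateway's MAC) and the 256-minus-interesting-octet block-size method.
"""
import ipaddress


def to_binary(addr: str) -> str:
    """Dotted 8-bit groups, the notation the text uses: 00001010.00000001...."""
    return ".".join(f"{int(o):08b}" for o in addr.split("."))


def network_bits(addr: str, mask: str) -> str:
    """Only the address bits that sit under a 1 in the mask (the network/subnet ID)."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    prefix_len = bin(m).count("1")          # contiguous mask assumed, as in the text
    return f"{a:032b}"[:prefix_len]


def same_subnet(local: str, mask: str, peer: str) -> bool:
    """PC1's test: do the peer's bits match PC1's network ID under PC1's own mask?"""
    return network_bits(local, mask) == network_bits(peer, mask)


def next_hop(local: str, mask: str, peer: str, gateway: str) -> str:
    """Which IP PC1 ARPs for: the peer directly, or its default gateway."""
    return peer if same_subnet(local, mask, peer) else gateway


def interesting_octet(mask: str) -> tuple:
    """(index 0-3, value) of the octet that holds the last binary 1 of the mask."""
    octets = [int(o) for o in mask.split(".")]
    for i in range(3, -1, -1):
        if octets[i] != 0:
            return i, octets[i]
    raise ValueError("mask 0.0.0.0 has no network bits")


def block_size(mask: str) -> int:
    """The book's shortcut: 256 minus the interesting octet's value."""
    return 256 - interesting_octet(mask)[1]


def subnet_range(addr: str, mask: str) -> tuple:
    """(first, last) address of the block-size range that contains addr."""
    i, value = interesting_octet(mask)
    size = 256 - value
    start = [int(o) for o in addr.split(".")]
    start[i] = (start[i] // size) * size    # round down to a block boundary
    end = start[:]
    end[i] = start[i] + size - 1
    for j in range(i + 1, 4):               # octets to the right of the interesting one
        start[j], end[j] = 0, 255
    return ".".join(map(str, start)), ".".join(map(str, end))


def range_check(local: str, mask: str, peer: str) -> bool:
    """Same answer as same_subnet, but via the ranges a troubleshooter writes out."""
    return subnet_range(local, mask) == subnet_range(peer, mask)


if __name__ == "__main__":
    # Figure 9-1: PC1 10.1.1.10/26 talks to PC2 10.1.1.20 and to the web server 192.0.2.1
    print(to_binary("10.1.1.10"), network_bits("10.1.1.10", "255.255.255.192"))
    print(next_hop("10.1.1.10", "255.255.255.192", "10.1.1.20", "10.1.1.1"))  # 10.1.1.20
    print(next_hop("10.1.1.10", "255.255.255.192", "192.0.2.1", "10.1.1.1"))  # 10.1.1.1
    # Figure 9-2: the wrong mask 255.255.255.240 on PC1 sends PC2's traffic to R1 instead
    print(next_hop("10.1.1.10", "255.255.255.240", "10.1.1.20", "10.1.1.1"))  # 10.1.1.1
    # Figure 9-3 / Example 9-2: PC1 at 10.1.1.74 lands in the second /26 block
    print(block_size("255.255.255.192"), subnet_range("10.1.1.74", "255.255.255.192"))
```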

Figure 9-4 DHCP DORA Process (DHCP Client on the left, DHCP Server 10.1.1.2 on the right; Step 1 DHCP DISCOVER, Step 2 DHCP OFFER, Step 3 DHCP REQUEST, Step 4 DHCP ACK)

Step 1. When a DHCP client initially boots, it has no IP address, default gateway, or other such configuration information. Therefore, the way a DHCP client initially communicates is by sending a broadcast message (that is, a DHCPDISCOVER message) to a destination IP address of 255.255.255.255 and a destination MAC address of FFFF:FFFF:FFFF in an attempt to discover a DHCP server. The source IP address will be 0.0.0.0, and the source MAC address will be the MAC address of the sending device.

Step 2. When a DHCP server receives a DHCPDISCOVER message, it can respond with a DHCPOFFER message with an unleased IP address, subnet mask, and default gateway information. Because the DHCPDISCOVER message is sent as a broadcast, more than one DHCP server might respond to this Discover message with a DHCPOFFER. Therefore, the client typically selects the server that sent the first DHCPOFFER response it received.

Step 3. The DHCP client communicates with the selected server by sending a broadcasted DHCPREQUEST message indicating that it will be using the address provided in the DHCPOFFER and as a result wants the associated address leased to itself.

Step 4. Finally, the DHCP server responds to the client with a DHCPACK message indicating that the IP address is leased to the client and includes any additional DHCP options that might be needed at this point.

Notice that in Step 1 the DHCPDISCOVER message was sent as a broadcast. The broadcast cannot cross a router boundary. Therefore, if a client resides on a different network than the DHCP server, the default gateway of the client should be configured as a DHCP relay agent to forward the broadcast packets as unicast packets to the server. You can use the ip helper-address ip_address interface configuration mode command to configure a router to relay DHCP messages to a DHCP server in the organization. To illustrate, consider Figure 9-5 and Example 9-3. In the figure, the DHCP client belongs to the 172.16.1.0/24 network, whereas the DHCP server belongs to the 10.1.1.0/24 network. Router R1 is configured as a DHCP relay agent by using the syntax shown in Example 9-3.

Figure 9-5 DHCP Relay Agent (DHCP Client on 172.16.1.0/24 sends a DHCP DISCOVER broadcast to R1's Fa 0/0 at .1; R1, the DHCP Relay Agent, forwards it from Fa 0/1 at .1 as a DHCP DISCOVER unicast to the DHCP Server at .2 on 10.1.1.0/24)

Example 9-3 DHCP Relay Agent Configuration

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#service dhcp
R1(config)#interface fa 0/0
R1(config-if)#ip helper-address 10.1.1.2

In the configuration, notice the service dhcp command. This command enables the DHCP service on the router, which must be enabled for the DHCP services to function. This command is usually not required because the DHCP service is enabled by default; however, when troubleshooting a DHCP relay agent issue, you might want to confirm that the service is enabled. If not, the router cannot relay the DHCP messages. In addition, the ip helper-address 10.1.1.2 command specifies the IP address of the DHCP server. If the wrong IP address is specified, the DHCP messages will be relayed to the wrong device. Also, the ip helper-address command must be configured on the interface that is receiving the DHCPDISCOVER messages from the clients.

When you configure a router to act as a DHCP relay agent, realize that it relays a few other broadcast types in addition to a DHCP message. Other protocols that are forwarded by a DHCP relay agent include the following:

■ TFTP
■ Domain Name System (DNS)
■ Internet Time Service (ITS)
■ NetBIOS name server
■ NetBIOS datagram server
■ BootP
■ TACACS

As a reference, Table 9-2 provides a comprehensive listing of DHCP message types you might encounter while troubleshooting a DHCP issue.

Table 9-2 DHCP Message Types

DHCPREQUEST    This broadcast message is a request from the client to the DHCP server for the IP addressing information and options that were received in the DHCP Offer message.
DHCPDECLINE    This message is sent from a client to a DHCP server to inform the server that an IP address is already in use on the network.
DHCPNAK        A DHCP server sends this message to a client and informs the client that the DHCP server declines to provide the client with the requested IP configuration information.

This message is sent to a broadcast IP address of 255.255.255.255.

thus allowing the DHCP server to reassign the client IP address to another client.

Notice the dhcp option used in the ip address command, instead of the usual IP address and subnet mask information.
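The DORA exchange of Figure 9-4 and the relay agent of Figure 9-5, simulated end to end, so that the effect of a missing or wrong ip helper-address can be seen. This is an added example, not the book's code: the Msg fields and the Lan, RelayAgent and build_topology helpers are this example's own simplification of the protocol, and the MAC addresses are made up.

```python
"""Simulated DORA exchange through a DHCP relay agent (Figures 9-4 and 9-5).
Added example, not code from the book: a toy model of Steps 1-4 and of what
ip helper-address does. Msg fields and the Lan/RelayAgent classes are this
example's own simplification, not the DHCP wire format."""
from dataclasses import dataclass, field, replace

BROADCAST_IP = "255.255.255.255"
BROADCAST_MAC = "FFFF:FFFF:FFFF"
UNSPECIFIED_IP = "0.0.0.0"          # a client has no address yet (Step 1)


@dataclass
class Msg:
    kind: str                        # DISCOVER, OFFER, REQUEST or ACK
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str
    client_mac: str                  # the client is identified by its MAC throughout
    offered_ip: str = ""
    server_ip: str = ""
    options: dict = field(default_factory=dict)


class Lan:
    """One broadcast domain: a broadcast reaches every attached device."""
    def __init__(self):
        self.devices = []

    def send(self, m):
        """Deliver m to its destination(s) and return every reply generated."""
        replies = []
        for d in self.devices:
            if m.dst_ip in (BROADCAST_IP, d.ip):
                replies.extend(d.handle(m))
        return replies


class DhcpServer:
    """Step 2 and Step 4: answer DISCOVER with an OFFER, REQUEST with an ACK."""
    def __init__(self, ip, mac, pool, mask, gateway):
        self.ip, self.mac, self.pool = ip, mac, list(pool)
        self.options, self.leases = {"mask": mask, "gateway": gateway}, {}

    def handle(self, m):
        # A relayed message carries the relay's IP, so the answer is unicast back to it
        reply_to = m.src_ip if m.src_ip != UNSPECIFIED_IP else BROADCAST_IP
        if m.kind == "DISCOVER" and self.pool:
            return [Msg("OFFER", self.ip, reply_to, self.mac, m.src_mac, m.client_mac,
                        offered_ip=self.pool[0], server_ip=self.ip, options=self.options)]
        if m.kind == "REQUEST" and m.server_ip == self.ip and m.offered_ip in self.pool:
            self.pool.remove(m.offered_ip)
            self.leases[m.client_mac] = m.offered_ip
            return [Msg("ACK", self.ip, reply_to, self.mac, m.src_mac, m.client_mac,
                        offered_ip=m.offered_ip, server_ip=self.ip, options=self.options)]
        return []


class RelayAgent:
    """The client's default gateway with ip helper-address. Broadcasts do not cross a
    router, so it re-sends DISCOVER/REQUEST as unicasts to the helper on the far LAN."""
    def __init__(self, ip, mac, helper, server_lan):
        self.ip, self.mac, self.helper, self.server_lan = ip, mac, helper, server_lan

    def handle(self, m):
        if m.dst_ip != BROADCAST_IP or m.kind not in ("DISCOVER", "REQUEST") or not self.helper:
            return []                # nothing to relay, or no ip helper-address configured
        unicast = replace(m, src_ip=self.ip, dst_ip=self.helper, src_mac=self.mac, dst_mac="")
        return self.server_lan.send(unicast)   # the server answers the relay; hand it back


class DhcpClient:
    """Step 1 and Step 3: broadcast DISCOVER, take the first OFFER, broadcast REQUEST."""
    def __init__(self, mac, lan):
        self.mac, self.lan, self.ip = mac, lan, UNSPECIFIED_IP

    def handle(self, m):
        return []                    # a client never answers DHCP messages

    def obtain_lease(self):
        discover = Msg("DISCOVER", UNSPECIFIED_IP, BROADCAST_IP, self.mac, BROADCAST_MAC, self.mac)
        offers = [r for r in self.lan.send(discover) if r.kind == "OFFER"]
        if not offers:
            return None              # nobody answered: no server, no relay, or wrong helper
        chosen = offers[0]           # the first OFFER received wins (Step 2)
        request = Msg("REQUEST", UNSPECIFIED_IP, BROADCAST_IP, self.mac, BROADCAST_MAC, self.mac,
                      offered_ip=chosen.offered_ip, server_ip=chosen.server_ip)
        acks = [r for r in self.lan.send(request) if r.kind == "ACK" and r.client_mac == self.mac]
        if acks:
            self.ip = acks[0].offered_ip
        return self.ip if acks else None


def build_topology(helper):
    """Figure 9-5 as constructed sample data: client LAN 172.16.1.0/24 behind R1 (Fa0/0
    172.16.1.1), DHCP server 10.1.1.2 on the far LAN. MACs are made up for the example."""
    client_lan, server_lan = Lan(), Lan()
    server = DhcpServer("10.1.1.2", "00:00:00:00:00:02", ["172.16.1.10", "172.16.1.11"],
                        "255.255.255.0", "172.16.1.1")
    server_lan.devices.append(server)
    relay = RelayAgent("172.16.1.1", "00:00:00:00:00:01", helper, server_lan)
    client = DhcpClient("00:00:00:00:00:AA", client_lan)
    client_lan.devices.extend([relay, client])
    return client, server


if __name__ == "__main__":
    client, server = build_topology(helper="10.1.1.2")
    print(client.obtain_lease(), server.leases)   # 172.16.1.10 {'00:00:00:00:00:AA': '172.16.1.10'}
    print(build_topology(helper=None)[0].obtain_lease())          # None: no ip helper-address
    print(build_topology(helper="10.1.1.99")[0].obtain_lease())   # None: wrong helper address
```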