Troubleshooting of Switching, HSRP and Addressing Services
do not require this service, forwarding their requests must be disabled manually on all routers using the Cisco IOS no ip forward-protocol udp [port-number] command in global configuration mode.

DHCP Troubleshooting Issues (Cont.)
Troubleshooting can be related to DHCP security efforts:
- Automatic addressing is accomplished through DHCP.
- Security is accomplished through DHCP snooping.
Some specific issues related to DHCP snooping:
- Improper configuration of the DHCP snooping trust boundaries
- Failure to configure DHCP snooping on certain VLANs
- Improper configuration of the DHCP snooping rate limits
- Performance degradation
Poor planning of DHCP snooping can result in DHCP transactions being blocked or affected.

DHCP Troubleshooting Issues (Cont.)
DHCP troubleshooting questions to ask:
- Where are the DHCP servers and clients located?
- Are DHCP relay agents configured?
- What are the DHCP pool sizes? Are they sufficient?
- Are there any DHCP option compatibility issues?
- Are there any ACLs or firewalls filtering UDP port 67 or UDP port 68?
- Are there any active DHCP DoS attacks?
- Is forwarding disabled on the router acting as DHCP relay agent for any UDP ports (using the Cisco IOS no ip forward-protocol udp [port] command)?
- Is the ip helper-address command applied to the correct router interfaces?
- Is DHCP snooping configured?

DHCP Troubleshooting Com
dst=255.255.255.255(67), length=584
Aug 23 19:01:05.303: UDP: broadcast packet dropped, src=0.0.0.0, dst=192.168.1.255
Aug 23 19:01:08.911: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=584
Aug 23 19:01:08.911: UDP: broadcast packet dropped, src=0.0.0.0, dst=192.168.1.255
Aug 23 19:01:12.911: UDP: rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=584
Aug 23 19:01:12.911: UDP: broadcast packet dropped, src=0.0.0.0, dst=192.168.1.255
<output omitted>

DHCP Troubleshooting Example 3 (Cont.)
Configure R1 with a helper address to forward DHCP requests to R4.
Topology: R2 (DHCP client, 10.1.1.0/24) - R1 (DHCP relay agent) - R4 (DHCP server, 192.168.1.4 on 192.168.1.0/24)

R1(config)# int fa0/0
R1(config-if)# ip helper-address 192.168.1.4
R1(config-if)# end

DHCP Troubleshooting Example 3 (Cont.)
R4# debug ip udp
UDP packet debugging is on
R4#
Aug 23 19:31:39.303: UDP: src=0.0.0.0(67), dst=255.255.255.255(68), length=308
Aug 23 19:31:39.303: UDP: src=0.0.0.0(68), dst=255.255.255.255(67), length=584
Aug 23 19:31:39.303: UDP: src=0.0.0.0(67), dst=255.255.255.255(68), length=308
Aug 23 19:31:40.159: UDP: src=0.0.0.0(68), dst=192.168.1.4(67), length=584
Aug 23 19:31:44.159: UDP: src=0.0.0.0(68), dst=192.168.1.4(67), length=584
Aug 23 19:31:46.307: UDP: 1
DHCP Troubleshooting Example 2 (Cont.)
R1# sh run | inc excluded
ip dhcp excluded-address 10.1.1.100
R1#

DHCP Troubleshooting Example 2 (Cont.)
Note: Configure R1 to exclude the range of addresses that are to be reserved for static assignment (10.1.1.0/24).

R1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# no ip dhcp excluded-address 10.1.1.100
R1(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.20
R1(config)# end

DHCP Troubleshooting Example 3: Relay Agent
Issue: R4 is a centrally located DHCP server. The DHCP clients in network segment 10.1.1.0 are unable to obtain an IP address and other parameters. R2 is a DHCP client that is having trouble acquiring an IP address. R1 is supposed to act as a relay agent and forward DHCP messages between local clients and the DHCP server R4.
Topology: R2 (DHCP client, 10.1.1.0/24) - R1 (DHCP relay agent) - R4 (DHCP server, 192.168.1.4 on 192.168.1.0/24)

DHCP Troubleshooting Example 3 (Cont.)
R1# debug ip udp
UDP packet debugging is on
R1#
Aug 23 19:01:05.303: UDP: rcvd src=0.0.0.0(68),
Diagram labels: 10.10.10.0/24, 172.16.11.0/24, S0/1/0, 172.16.6.0/24, Fa0/0

R2# sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.6.1         10.10.10.1         ---                ---

NAT/PAT Troubleshooting Example 1 (Cont.)
Diagram labels: NAT device (R2), 10.10.10.0/24, 172.16.11.0/24, Lo0/Lo1/Lo2 on R1, S0/1/0, 172.16.6.0/24, Fa0/0

R3# debug ip icmp
ICMP packet debugging is on
R1# ping 172.16.11.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.11.3, timeout is 2 seconds:
Success rate is 0 percent (0/5)
R3#
Aug 23 13:54:00.556:
Aug 23 13:54:02.552:
Aug 23 13:54:04.552:
Aug 23 13:54:06.552:
Aug 23 13:54:07.552:

NAT/PAT Troubleshooting Example 1 (Cont.)
Diagram labels: 172.16.11.0/24, S0/1/0, 172.16.6.0/24, Fa0/0

R3# show ip route 172.16.6.0 255.255.255.0
% Subnet not in table
R3# configure terminal
R3(config)# ip route 172.16.6.0 255.255.255.0 172.16.11.2
R3(config)# exit
R1# ping 172.16.11.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.11.3, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

NAT/PAT Troubleshooting Example 2: Incorrect Access List
Administrators are unable to use SSH from the 10.10.10.0/24 network to routers R3 or R4. They can accom
0.1.1.11(53470), dst=255.255.255.255(69), length=30
Aug 23 19:31:49.307: UDP: src=10.1.1.11(53470), dst=255.255.255.255(69), length=30
<output omitted>
Aug 23 19:32:28.439: UDP: src=10.1.1.11(53470), dst=255.255.255.255(69), length=29
Aug 23 19:32:31.439: UDP: src=10.1.1.11(53470), dst=255.255.255.255(69), length=29
Aug 23 19:32:35.439: UDP: src=10.1.1.11(53470), dst=255.255.255.255(69), length=29
Aug 23 19:32:37.011: UDP: src=0.0.0.0(68), dst=192.168.1.4(67), length=584
0007.b400.0101  local
Fa0/0       1    2    -   Listen   0007.b400.0102  10.1.1.2

Troubleshooting NAT/PAT Issues
Some important NAT issues and considerations to keep in mind are:
- Diagrams for the NAT configuration are helpful and should be a standard practice. Do not start configuring without a diagram that shows or explains each item involved.
- ACLs are used to tell the NAT device what source IP addresses are to be translated.
- IP NAT pools are used to specify to what those addresses translate as packets go from IP NAT inside to IP NAT outside.
- Marking the IP NAT inside interfaces and the IP NAT outside interfaces correctly is important.
- NAT packets still have to obey routing protocols and reachability rules. Make sure that every router knows how to reach the desired destinations.
- Make sure the public addresses to which addresses translate are advertised to the outside neighbors and autonomous systems.

Troubleshooting NAT/PAT Issues (Cont.)
The following commands can help determine if NAT is functioning correctly:
- clear ip nat translation: Removes NAT entries from the NAT table. Specific entries can be cleared with additional parameters. Clearing all translations can cause disruption until new translations are re-created.
- show ip nat translations: Displays all the translations (static and dynamic) that are currently installed and a
17    --listen--        10.1.1.1   161     1001
17    --listen--        10.1.1.1   162     1011
17    --listen--        10.1.1.1   57767   1011
17    --listen--        --any--    161     20001
17    --listen--        --any--    162     20011
17    --listen--        --any--    60739   20011
R1#

DHCP Troubleshooting Example 2: Client IP Addresses
In this scenario, the IP address of router R1 Fa0/0 was previously 10.1.1.100. It has been changed to 10.1.1.1 to comply with a new network policy. This policy states that all branch routers will have the first IP address on any subnet. After the change, some DHCP clients are reporting duplicated IP addresses. Users state that this happens sporadically, a few times a week.
Diagram labels: duplicate, 10.1.1.0/24

DHCP Troubleshooting Example 2 (Cont.)
R1# show running-config | beg ip dhcp pool
ip dhcp pool vlan10
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 lease 3

DHCP Troubleshooting Example 2 (Cont.)
R1# show ip dhcp conflict
IP address    Detection method    Detection time
              Gratuitous ARP      Aug 06
              Gratuitous ARP      Aug 06
              Gratuitous ARP      Aug 06
              Gratuitous ARP      Aug 06
              Gratuitous ARP      Aug 06
              Gratuitous ARP      Aug 06
<output omitted>
43884, network 1
TCB63BF854C created
TCB63BF854C bound to UNKNOWN.43884
TCB63BF854C setting property TCP_TOS (11) 62AF6D55
Reserved port 43884 in Transport Port Agent for TCP IP type 1
TCP: sending SYN, seq 1505095793, ack 0
TCP0: Connection to 172.16.11.3:22, advertising MSS 536
TCP0: state was CLOSED -> SYNSENT [43884 -> 172.16.11.3(22)]
TCP0: state was SYNSENT -> ESTAB [43884 -> 172.16.11.3(22)]
TCB63BF854C connection to 172.16.11.3:22, peer MSS

Common DHCP Troubleshooting Issues
Three DHCP roles a router may take:
- Router acting as DHCP server (DHCP pool 10.4.4.100 to 10.4.4.200, default router 10.4.4.1; router interface 10.4.4.1/24 on Fa0/0, client host on the LAN)
- Router acting as DHCP client (broadband router obtaining its address from the provider's DHCP server)
- Router brokering DHCP transactions (DHCP relay agent)

DHCP Troubleshooting Issues (Cont.)
Configuration issues can result in many symptoms:
- Clients not obtaining IP information from the server
- Client requests not reaching the server across a DHCP relay agent
- Clients failing to obtain DHCP options and extensions
Address pool issues:
- Poor capacity planning and security issues might result in DHCP scope exhaustion.
- When using static and dynamic IP address assignments, an IP address that is already in use can be granted.
- Multiple DHCP servers, or even rogue DHCP servers, can result in duplicate IP addresse
Links = 0
                Ports in the group:
                -------------------
Port: Fa0/5
------------
Port state    = Up Cnt-bndl Suspend Not-in-Bndl
Channel group = 1           Mode = On          Gcchange = -
Port-channel  = null        GC   = -           Pseudo port-channel = Po1
Port index    = 0           Load = 0x00        Protocol = -
Age of the port in the current state: 0d:00h:25m:13s
<output omitted>

EtherChannel Problems
Three common EtherChannel problems:
1. Inconsistencies between the physical ports that are members of the channel
2. Inconsistencies between the ports on the opposite sides of the EtherChannel link
3. Uneven distribution of traffic between EtherChannel bundle members

EtherChannel Diagnostic Commands
Using the show etherchannel summary command:

DSW2# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
Number of channel-groups in use: 2
Number of aggregators:           2
Group  Port-channel  Protocol    Ports

EtherChannel Diagnostics
Using the show spanning-tree command to examine STP:

ASW1# show spanning-tree vlan 17
MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    32768
             Address     001e.79a9.b580
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priori
Troubleshooting of Switching, HSRP and Addressing Services
CCNP TSHOOT: Maintaining and Troubleshooting IP Networks
Cisco Networking Academy, Mind Wide Open
TSHOOT v6, Chapter 4, Lecture 1

Chapter 4 Objectives
- LAN switch operation
- Troubleshooting of VLANs, STP, and EtherChannel
- Inter-VLAN routing
- HSRP, VRRP, and GLBP
- NAT/PAT
- DHCP

Chapter 4 Review
Before you start to troubleshoot, make sure you know the operation of the following protocols and functions:
- LAN switch operation
- VLANs
- Spanning Tree Protocol (STP)
- EtherChannel
- Inter-VLAN routing
- First Hop Redundancy Protocols: HSRP, VRRP, and GLBP
- Addressing Services: NAT/PAT and DHCP

LAN Switch Operation
Issues that could cause the communication to fail:
- Physical problems
  - Bad, missing, or miswired cables
  - Bad ports
  - Power failure
- Device problems
  - Software bugs
  - Performance problems
- Misconfiguration
  - Missing or wrong VLANs
  - Misconfigured VTP settings
  - Wrong VLAN setting on access ports
  - Missing or misconfigured trunks
  - Native VLAN mismatch
  - VLANs not allowed on trunk

Verifying Layer 2 Forwarding
Common findings when following the path of the frames through the switches:
- Frames are not received on the correct VLAN. This could point to VLAN or trunk misconfiguration as the cause of the problem.
- Frames are received on a different port than you expected. This could poi
anges, last state change 01:00:36
  Virtual IP address is
  Active virtual MAC address is
<output truncated>

Diagram labels: Virtual IP 10.1.1.254/24, R1 10.1.1.1/24, R2 10.1.1.2/24, host 10.1.1.3

C:\> arp -a
Interface: 10.1.1.3 --- 0x4
  Internet Address      Physical Address      Type
                                              dynamic

Verifying HSRP Operation (Cont.)
The interface of a router participating in HSRP is shut down.

R1:
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 standby 1 ip 10.1.1.254
 standby 1 priority 110
 standby 1 preempt
 shutdown

R2:
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.254
 standby 1 preempt

R2# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Fa0/0       1    100  P Active  local           unknown         10.1.1.254

Verifying HSRP Operation (Cont.)
While debug standby terse is enabled on R2, R1's interface is enabled.

R2# debug standby terse
HSRP:
  HSRP Errors debugging is on
  HSRP Events debugging is on
    (protocol, redundancy, track)
  HSRP Packets debugging is on
    (Coup, Resign)

R1# configure terminal
R1(config)# interface fa 0/0
R1(config-if)# no shutdown
R1(config-if)#

Verifying HSRP Operation (Cont.)
Output of debug standby terse on R2 as R1's interface is enabled:

R2#
atively down  down

R3# debug dhcp detail
DHCP client activity debugging is on (detailed)
R3#
Aug 23 17:32:37.107:   Retry count: 1   Client-ID: cisco-0019.5592.a442-Fa0/0
Aug 23 17:32:37.107:   Client-ID hex dump: 636973636F2D303031392E353539322E
Aug 23 17:32:37.107:                       613434322D4661302F30
<output omitted>
   B'cast on FastEthernet0/0 interface from 0.0.0.0
DHCP: SDiscover attempt # 2 for entry:
Temp IP addr: 0.0.0.0  for peer on Interface: FastEthernet0/0
Temp  sub net mask: 0.0.0.0
   DHCP Lease server: 0.0.0.0, state: 1 Selecting
   DHCP transaction id: 13BA
   Lease: 0 secs,  Renewal: 0 secs,  Rebind: 0 secs
   Next timer fires after: 00:00:04
   Retry count: 2   Client-ID: cisco-0019.5592.a442-Fa0/0
   Client-ID hex dump: 636973636F2D303031392E353539322E
                       613434322D4661302F30
   Hostname: R3
DHCP: SDiscover: sending 291 byte length DHCP packet
DHCP: SDiscover 291 bytes
   B'cast on FastEthernet0/0 interface from 0.0.0.0
Aug 23 17:32:57.587: DHCP: waiting for 60 seconds on interface FastEthernet0/0

DHCP Troubleshooting Example 1 (Cont.)
Diagram label: 10.1.1.0/24

R1# show ip int brief
Interface        IP Address   OK? Method Status   Protocol
FastEthernet0/1
Serial0/0/0
Serial0/0/1
ctive on the router.
- show ip nat statistics: Displays NAT statistics such as number of translations (static, dynamic, extended), number of expired translations, number of hits (match), and number of misses (no match).

Troubleshooting NAT/PAT Issues (Cont.)
Helpful NAT-related debug commands:
- debug ip nat: Displays information about each packet that the router translates.
- debug ip nat detailed: Generates a description of each packet considered for translation. Also displays information about certain errors or exception conditions, such as the failure to allocate a global address.
- debug ip packet [access-list]: Displays general IP debugging information and IP security option (IPSO) security transactions. If a communication session is closing when it should not be, an end-to-end connection problem can be the cause. Useful for analyzing messages traveling between the local and remote hosts. Captures packets that are process switched, including received, generated, and forwarded packets; IP packets that are switched in the fast path are not captured. The access-list option allows you to narrow down the scope of debugging.

Troubleshooting NAT/PAT Issues (Cont.)
Limiting debug output with the debug condition command:
- debug condition interface interface: Called conditionally triggered debugging. Genera
eptions and transmissions.
- clear ip dhcp binding {address | *}: Deletes an address binding from the DHCP server database. The address denotes the IP address of the client. If the asterisk character is used as the address parameter, DHCP clears all automatic bindings.
- clear ip dhcp conflict {address | *}: Clears an address conflict for a specific entry with the address option. Clears all address conflicts with the asterisk option.

DHCP Troubleshooting Example 1: After a Security Audit
Router R1 provides DHCP services to clients in the 10.1.1.0 subnet. The DHCP clients are R2 and R3. A security audit has recently been performed on router R1. It is reported that R1 is no longer providing reliable DHCP services: the clients are unable to renew their IP addresses.
Diagram label: 10.1.1.0/24

DHCP Troubleshooting Example 1 (Cont.)
R2# show ip int brief
Interface        IP Address   OK? Method Status                Protocol
FastEthernet0/1  unassigned   YES NVRAM  administratively down down
Serial0/0/0      unassigned   YES NVRAM  administratively down down
Serial0/0/1      unassigned   YES NVRAM  administratively down down

R3# show ip int brief
Interface        IP Address   OK? Method Status                Protocol
FastEthernet0/0  unassigned   YES DHCP   up                    up
FastEthernet0/1  unassigned   YES NVRAM  administratively down down
Serial0/0/0      unassigned   YES NVRAM  administratively down down
Serial0/0/1      unassigned   YES NVRAM  administr
forwarding behavior of switches from the content of the TCAM on Catalyst switches.
- show platform: On the Catalyst 3560, 3750, and 4500 platforms, the show platform family of commands can be used to obtain detailed information about the forwarding behavior of the hardware.
- show mls cef: On the Catalyst 6500 platform, the show mls cef family of commands can be used to obtain detailed information about the forwarding behavior of the hardware.

Checking SVI Status
Verifying the status of a VLAN and SVI:

ASW1#
Interface   IP Address   OK? Method Status   Protocol
Vlan128     10.1.156.1   YES NVRAM  up       down
ASW1#
Spanning tree instance(s) for vlan 128 does not exist.
ASW1#
VLAN id 128 not found in current VLAN database

Verifying HSRP Operation
Sample output from the show standby brief command:

R1# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Fa0/0       1    110  P Active  local           10.1.1.2        10.1.1.254

Diagram labels: Virtual IP 10.1.1.254/24 (default gateway), R1 10.1.1.1/24, R2 10.1.1.2/24

R2# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Fa0/0       1    100  P Standby 10.1.1.1        local           10.1.1.254

Verifying HSRP Operation (Cont.)
Sample output from the show standby interface-id command:

R1# show standby fa 0/0
FastEthernet0/0 - Group 1
  State is Active
    8 state ch
g Example 2 (Cont.)
Using debug ip nat while attempting SSH:

R2# debug ip nat
IP NAT debugging is on
R2#
Aug 23 16:28:31.731: NAT: TCP s=55587->2222, d=22

R1# ssh -l user 172.16.11.3
% Destination unreachable; gateway or host down
R1#

R2# sh ip nat translations
Pro Inside global         Inside local          Outside local
tcp 10.10.10.1:29632      10.10.10.1:29632      172.16.11.3:22
tcp 10.10.10.1:43907      10.10.10.1:43907      172.16.11.3:22
tcp 10.10.10.1:55587      10.10.10.1:55587      172.16.11.3:22
tcp 10.10.10.1:60089      10.10.10.1:60089      172.16.11.3:22
tcp 10.10.10.1:62956      10.10.10.1:62956      172.16.11.3:22

NAT/PAT Troubleshooting Example 2 (Cont.)
Correcting the ACL on R3 to allow SSH with a custom port:

R3# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)# ip access-list extended FIREWALL-INBOUND
R3(config-ext-nacl)# permit tcp any host 172.16.11.3 eq 2222
R3(config-ext-nacl)# end
R3#

R1# ssh -l user 172.16.11.3
Password:
<output omitted>
Aug 23 16:30:26: TCP: Random local port generated
mands
- show ip dhcp server statistics: Displays counts for server statistics and messages sent and received for an IOS-based DHCP server.
- show ip dhcp binding: Displays DHCP binding information for IP address assignment and subnet allocation.
- show ip dhcp conflict: Displays address conflicts found by a Cisco IOS DHCP server when addresses are offered to the client.
- show ip dhcp pool [name]: Displays the subnets allocated and the current utilization level for the pool, or for all the pools if the name argument is not used.
- show ip dhcp database: Displays server database agent information:
  - URL: Specifies the remote file used to store automatic DHCP bindings.
  - Read/written: The last date and time bindings were read/written from the file server.
  - Status: Indication of whether the last read or write of host bindings was successful.
  - Delay: The amount of time (in seconds) to wait before updating the database.
  - Timeout: The amount of time (in seconds) before the file transfer is aborted.
  - Failures/Successes: The number of failed/successful file transfers.

DHCP Troubleshooting Commands (Cont.)
- debug ip udp: Displays UDP packets sent and received. Can use considerable CPU cycles on the device.
- debug ip dhcp server {packets | events}: Enables DHCP server debugging. The events option reports server events such as address assignments and database updates. The packets option decodes DHCP rec
may erroneously block certain ports that should have gone to the forwarding state. You may lose connectivity to certain parts of the network, but the rest of the network is unaffected.
- Type 2: STP erroneously moves one or more ports to the Forwarding state. The failure is more disruptive, as bridging loops and broadcast storms can occur.

Spanning Tree Failures (Cont.)
Type 2 failures can cause these symptoms:
- The load on all links in the switched LAN will quickly start increasing.
- Layer 3 switches and routers report control plane failures, such as continual HSRP, OSPF, and EIGRP state changes, or that they are running at a very high CPU utilization load.
- Switches will experience very frequent MAC address table changes.
- With high link loads and CPU utilization, devices typically become unreachable, making it difficult to diagnose the problem while it is in progress.
Eliminate topological loops and troubleshoot issues:
- Physically disconnect links or shut down interfaces.
- Diagnose potential problems. A unidirectional link can cause STP problems. You may be able to identify and remove a faulty cable to correct the problem.

Spanning Tree Failures (Cont.)
Using the show etherchannel 1 detail command:

DSW2# show etherchannel 1 detail
Group state = L2
Ports: 2   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:   -
Minimum
mote host
R1#
Aug 23 14:59:42.636: TCP: Random local port generated 42115, network 1
Aug 23 14:59:42.636: TCB63BF854C created
Aug 23 14:59:42.636: TCB63BF854C bound to UNKNOWN.42115
Aug 23 14:59:42.636: TCB63BF854C setting property TCP_TOS (11) 62AF6D55
Aug 23 14:59:42.636: Reserved port 42115 in Transport Port Agent for TCP
Aug 23 14:59:42.640: TCP: sending SYN, seq 1491927624, ack 0
Aug 23 14:59:42.640: TCP0: Connection to 172.16.11.3:22, advertising MSS
Aug 23 14:59:42.640: TCP0: state was CLOSED -> SYNSENT [42115 -> 172.16.11.3(22)]
Aug 23 14:59:42.640: TCP0: state was SYNSENT -> CLOSED [42115 -> 172.16.11.3(22)]
Aug 23 14:59:42.640: Released port 42115 in Transport Port Agent for TCP type 1 delay 240000
Aug 23 14:59:42.640: TCP0: bad seg from 172.16.11.3 -- closing connection: port 42115 seq 0 ack 1491927625 rcvnxt 0 rcvwnd 0 len 0
Aug 23 14:59:42.640: TCB 0x63BF854C destroyed

NAT/PAT Troubleshooting Example 2 (Cont.)
Checking the access list applied to the serial interface on R3:

R3# sh ip int s0/0
Serial0/0 is up, line protocol is up
  Internet address is 172.16.11.3/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.5
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is defa
                 unassigned   YES NVRAM  administratively down down
                 unassigned   YES NVRAM  administratively down down
                 unassigned   YES NVRAM  administratively down down

DHCP Troubleshooting Example 1 (Cont.)
R1# show ip dhcp server statistics
Memory usage         9106
Address pools        1
Database agents
Automatic bindings
Manual bindings
Expired bindings
Malformed messages
Secure arp entries

Message              Received
BOOTREQUEST
DHCPDISCOVER
DHCPREQUEST
DHCPDECLINE
DHCPRELEASE
DHCPINFORM

Message              Sent
BOOTREPLY
DHCPOFFER
DHCPACK
DHCPNAK

R1# sh ip dhcp pool
Pool vlan10 :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 0
 Pending event                  : none
 1 subnet is currently in the pool :

DHCP Troubleshooting Example 1 (Cont.)
Diagram label: 10.1.1.0/24

R1# show ip sockets
Proto   Remote       Port   Local        Port   Stat   TTY  OutputIF
 88     --listen--                              0
 17     --listen--          10.1.1.1            1001
 17     --listen--          10.1.1.1            1011
 17     --listen--          10.1.1.1            1011
 17     --listen--          --any--             20001
 17     --listen--          --any--             20011
 17     --listen--          --any--             20011
R1#

DHCP Troubleshooting Example 1 (Cont.)
R1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# service dhcp
R1(config)# end
R1# show ip sockets
Proto   Remote       Port   Local        Port   Stat   TTY  OutputIF
 88     --listen--          10.1.1.1
nt to a physical problem, spanning-tree issues, a native VLAN mismatch, or duplicate MAC addresses.
- The MAC address is not registered in the MAC address table. This tells you that the problem is most likely upstream from this switch. Investigate between the last point where you know that frames were received and this switch.

Verifying Layer 2 Forwarding (Cont.)
Useful Layer 2 diagnostic commands:
- show mac address-table: Shows learned MAC addresses and corresponding port and VLAN associations.
- show vlan: Verifies VLAN existence and port-to-VLAN associations.
- show interfaces trunk: Displays all interfaces configured as trunks, the VLANs allowed, and what the native VLAN is.
- show interfaces switchport: Provides a summary of all VLAN-related information for interfaces.
- show platform forward interface: Used to determine how the hardware would forward a frame.
- traceroute mac: Provides a list of switch hops (the Layer 2 path) that a frame from a specified source MAC address to a destination MAC address passes through. CDP must be enabled on all switches in the network for this command to work.
- traceroute mac ip: Displays the Layer 2 path taken between two IP hosts.

Spanning Tree Failures
STP is a reliable but not an absolutely failproof protocol. If STP fails, there are usually major negative consequences. With Spanning Tree there are two different types of failures:
- Type 1: STP
plish connectivity from the R1 loopbacks. The risk management team recently performed an upgrade to router and firewall security policies. The routing protocol used is single-area OSPF. Goal: restore end-to-end connectivity and make sure SSH is operational to support management processes.
Diagram labels: NAT device, 10.10.10.0/24, 172.16.11.0/24, 172.16.6.0/24, Fa0/0

NAT/PAT Troubleshooting Example 2 (Cont.)
Extended ping and SSH results from R1 to R3:
Diagram labels: NAT device, 10.10.10.0/24, 172.16.11.0/24, S0/1/0, 172.16.6.0/24, Fa0/0

R1# ping 172.16.11.3 source 10.10.50.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.11.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.50.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1# ping 172.16.11.3 source 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.11.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1# ssh -l user 172.16.11.3
% Connection refused by remote host

NAT/PAT Troubleshooting Example 2 (Cont.)
Using debug ip tcp transactions while attempting SSH:

R1# debug ip tcp transactions
TCP special event debugging is on
R1# ssh -l user 172.16.11.3
% Connection refused by re
*Mar  1 00:16:23: HSRP: Fa0/0 Grp 1 Coup   in  10.1.1.1 Listen  pri 110 vIP 10.1.1.254
*Mar  1 00:16:23: HSRP: Fa0/0 Grp 1 Active: j/Coup rcvd from higher pri router (110/10.1.1.1)
*Mar  1 00:16:23: HSRP: Fa0/0 Grp 1 Active router is 10.1.1.1, was local
*Mar  1 00:16:23: HSRP: Fa0/0 Grp 1 Active -> Speak
*Mar  1 00:16:23: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
*Mar  1 00:16:23: HSRP: Fa0/0 Grp 1 Redundancy "hsrp-Fa0/0-1" state Active -> Speak
*Mar  1 00:16:33: HSRP: Fa0/0 Grp 1 Speak: d/Standby timer expired (unknown)
*Mar  1 00:16:33: HSRP: Fa0/0 Grp 1 Standby router is local
*Mar  1 00:16:33: HSRP: Fa0/0 Grp 1 Speak -> Standby
*Mar  1 00:16:33: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
*Mar  1 00:16:33: HSRP: Fa0/0 Grp 1 Redundancy "hsrp-Fa0/0-1" state Speak -> Standby
R2#

HSRP, VRRP, and GLBP Diagnostic Commands
Output of basic show commands for HSRP, VRRP, and GLBP:

R1#
                     P indicates configured to preempt.
                     |
Interface   Grp  Prio P State   Active          Standby         Virtual IP
Fa0/0       1    110  P Active  local           10.1.1.2        10.1.1.254

R1#
Interface   Grp Pri Time  Own Pre State  Master addr     Group addr
Fa0/0       1   110 3570      Y   Master 10.1.1.1        10.1.1.254

R1#
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   110 Active   10.1.1.254      local           10.1.1.2
Fa0/0       1    1   -   Active
s assigned to hosts.
Management issues: Due to the pull nature of DHCP, there are no provisions in the protocol to allow the DHCP server to push configuration parameters or control messages to DHCP clients. A good example, with critical implications in IP address renumbering, is that IP addresses must be renewed from the client side; there is no server-side, push-type renewal process. This means that during renumbering, all clients would need to reboot or manually renew their IP addresses. Otherwise, you need to wait until the clients' leases expire, which might not be a viable option.

DHCP Troubleshooting Issues: DHCP Relay Agent
The Cisco IOS command that makes a router a DHCP relay agent is ip helper-address. This is an interface configuration command that makes the router forward the BootP/DHCP requests from clients to the DHCP server. If the DHCP server's IP address changes, all interfaces of all routers must be reconfigured with the new IP helper address (the DHCP server's new IP address).
Enabling a router interface with the ip helper-address command makes the interface forward UDP broadcasts for six protocols (not just DHCP) to the IP address configured using the ip helper-address command:
- TFTP (port 69)
- DNS (port 53)
- Time Service (port 37)
- NetBIOS Name Service and Datagram Service (ports 137 and 138)
- TACACS (port 49)
- DHCP/BOOTP Client and Server (ports 67 and 68)
If other protocols
tes debugging messages for packets entering or leaving on the specified interface. Will not generate debugging output for packets for a different interface.
- First define the condition with the debug condition command. For example, define a condition of interface serial 0/0. This definition means that all debug output will be limited to that particular interface.
- The condition remains defined and applied until it is removed.
- Check the active debug conditions using the show debug condition command.

NAT/PAT Troubleshooting Example 1: Routing
Issue: Router R1 can ping R4, but router R1 cannot ping R3. There are no routing protocols running in any of the routers. R1 uses R2 as its gateway of last resort. The objective is to restore end-to-end connectivity from R1 to all destinations.
Diagram labels: NAT device, 10.10.10.0/24, 172.16.11.0/24, 172.16.6.0/24

R2# sh ip nat statistics
Hits: 39  Misses: 6
CEF Translated packets: 45, CEF Punted packets:
Expired translations: 6
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 pool NAT-OUT refcount 0
 pool NAT-OUT: netmask 255.255.255.0
        start 172.16.6.129 end 172.16.6.240
        type generic, total addresses 112, allocated 0 (0%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

NAT/PAT Troubleshooting Example 1 (Cont.)
Diagram labels: NAT device, 10.10.1
ty    32768  (priority 32768 sys-id-ext 0)
             Address     001e.79a9.b580
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Sts Cost      Prio.Nbr Type
                    FWD 200000    128.9    P2p Edge

Troubleshooting Routers and Multi-Layer Switches
Sample data plane and control plane commands for routers and multi-layer switches (figure: data plane commands for a Cisco 7206 and a Catalyst 6504): show ip cef, show adjacency, show arp, show platform, show mls cef.

Troubleshooting Routers and Multi-Layer Switches (Cont.)
Commands to check the CEF data structures for routers and multi-layer switches:
- show ip cef: Displays the content of the CEF FIB. The FIB reflects the content of the routing table with all the recursive lookups resolved already and the output interface determined for each destination prefix. The FIB also holds additional entries for directly connected hosts, the router's own IP addresses, and multicast and broadcast addresses.
- show adjacency: Displays the content of the CEF adjacency table. This table contains preconstructed Layer 2 frame headers with all necessary fields already filled in. These frame headers are used to encapsulate the egress CEF-switched packets and deliver them to the appropriate next-hop devices.

Troubleshooting Multi-layer Switches
Commands to check the
ult
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled

R3# sh access-lists
Standard IP access list 11
    10 permit any
Extended IP access list FIREWALL-INBOUND
    10 permit tcp any host 172.16.11.3 eq www
    20 <garbled> host 172.16.11.3 <garbled> telnet
    40 permit tcp any host 172.16.11.3 eq ftp
    50 permit tcp any host 172.16.11.3 eq ftp-data
    60 permit ospf any any (20 matches)
    70 deny ip any any (1 match)

NAT/PAT Troubleshooting Example 2 (Cont.)
Using debug ip packet while attempting SSH:

R1# ssh -l user 172.16.11.3
% Connection refused by remote host
R1#

R3# debug ip packet
IP packet debugging is on
R3#
Aug 23 16:32:42.711: IP: s=172.16.11.2 (Serial0/1/0), d=224.0.0.5, len 80, rcvd 0
Aug 23 16:32:49.883: IP: s=10.10.10.1 (Serial0/1/0), d=172.16.11.3, len 44, access denied
Aug 23 16:32:49.883: IP: tableid=0, s=172.16.11.3 (local), d=10.10.10.1 (Serial0/1/0), routed via FIB
Aug 23 16:32:49.883: IP: s=172.16.11.3 (local), d=10.10.10.1 (Serial0/1/0), len 56, sending
Aug 23 16:32:50.067: IP: s=172.16.11.3 (local), d=224.0.0.5 (Serial0/1/0), len 80, sending broad/multicast

NAT/PAT Troubleshootin