Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
(Troubleshooting)
Ch. 3 Using Maintenance and
Troubleshooting Tools and Applications
Rick Graziani
Cabrillo College
graziani@cabrillo.edu
Fall 2014
Materials
Book:
Troubleshooting and Maintaining
Cisco IP Networks (TSHOOT)
Foundation Learning Guide:
Foundation learning for the CCNP
TSHOOT 642-832
By Amir Ranjbar
Book
ISBN-10: 1-58705-876-6
ISBN-13: 978-1-58705-876-9
eBook
ISBN-10: 1-58714-170-1
ISBN-13: 978-1-58714-170-6
To limit the output of the show ip route command, you can enter a specific
IP address on the command line as an option.
You can also limit output to a specific routing protocol or type of route.
%Subnetnotintable- router does not find a match in the routing
table
showiproute- You can enter a specific IP address on the command
line as an option.
Both the network address and the network mask should be specified in the
command.
If the netmask is omitted, command always tries to display the longestprefix-matching routing table entry.
FastEthernet0/1
FastEthernet0/0
FastEthernet0/1
FastEthernet0/0
Serial0/0/0.122
showcommands do not always have the option that allows you filter the
output down to exactly what you need.
You can perform a more generic way of filtering.
Output can be filtered by appending a pipe character | to the show
command followed by one of the keywords include,exclude, or begin
Simplest form: Match words or text fragments in a line of text
Full use: Use of the regular expression syntax allow you to build
complex expressions that match very specific text patterns
0.15%
0.05%
0 IP Input
Protocol
up
Caret (^) character, which is used to denote that a particular string will be
matched only if it occurs at the beginning of a line.
The expression ^CPU will therefore only match lines that start with the
characters CPU
Not any line that contains the string CPU
The same line uses the pipe character | as part of a regular expression to
signify a logical OR.
Displays only the lines that:
start with the string CPU or
Contains the string IP Input
1 9 2 .1 0 .2 .0 /2 4
AS 300
R o u te rA
1 3 0 .1 .5 0 .3 2 /3 0
AS 200
R o u te rB
1 2 .0 .0 .0 /8
RouterC#show ip bgp
Network
Next Hop
*> 11.0.0.0
0.0.0.0
*> 12.0.0.0
200.200.200.65
*> 192.10.2.0
200.200.200.65
2 0 0 .2 0 0 .2 0 0 .6 4 /3 0
AS 400
R o u te rC
1 1 .0 .0 .0 /8
12
1 9 2 .1 0 .2 .0 /2 4
AS 300
R o u te rA
1 3 0 .1 .5 0 .3 2 /3 0
AS 200
R o u te rB
1 2 .0 .0 .0 /8
RouterC#show ip bgp
Network
Next Hop
*> 11.0.0.0
0.0.0.0
*> 12.0.0.0
200.200.200.65
*> 192.10.2.0
200.200.200.65
2 0 0 .2 0 0 .2 0 0 .6 4 /3 0
AS 400
R o u te rC
1 1 .0 .0 .0 /8
13
1 9 2 .1 0 .2 .0 /2 4
AS 300
R o u te rA
1 3 0 .1 .5 0 .3 2 /3 0
2 0 0 .2 0 0 .2 0 0 .6 4 /3 0
AS 200
R o u te rB
1 2 .0 .0 .0 /8
RouterC#show ip bgp
Network
Next Hop
*> 11.0.0.0
0.0.0.0
*> 12.0.0.0
200.200.200.65
*> 192.10.2.0
200.200.200.65
AS 400
R o u te rC
1 1 .0 .0 .0 /8
14
1 9 2 .1 0 .2 .0 /2 4
AS 300
R o u te rA
1 3 0 .1 .5 0 .3 2 /3 0
2 0 0 .2 0 0 .2 0 0 .6 4 /3 0
AS 200
R o u te rB
1 2 .0 .0 .0 /8
RouterC#show ip bgp
Network
Next Hop
*> 11.0.0.0
0.0.0.0
*> 12.0.0.0
200.200.200.65
*> 192.10.2.0
200.200.200.65
AS 400
R o u te rC
1 1 .0 .0 .0 /8
15
AS 200
AS 100
2.0.0.0
1.0.0.0
AS 1000
AS 400
AS 300
AS 50
10.0.0.0
4.0.0.0
3.0.0.0
5.0.0.0
AS50#show ip bgp
Network
*> 5.0.0.0
*> 1.0.0.0
*> 2.0.0.0
*> 3.0.0.0
*> 4.0.0.0
*> 10.0.0.0
Path
i
100 i
100 200 i
300 i
300 400 i
300 400 1000 I
16
AS 200
AS 100
2.0.0.0
1.0.0.0
AS 1000
AS 400
AS 300
AS 50
10.0.0.0
4.0.0.0
3.0.0.0
5.0.0.0
AS50#show ip bgp
Network
*> 5.0.0.0
*> 1.0.0.0
*> 2.0.0.0
*> 3.0.0.0
*> 4.0.0.0
*> 10.0.0.0
Path
i
100 i
100 200 i
300 i
300 400 i
300 400 1000 I
AS 200
AS 100
2.0.0.0
1.0.0.0
AS 1000
AS 400
AS 300
AS 50
10.0.0.0
4.0.0.0
3.0.0.0
5.0.0.0
AS50#show ip bgp
Network
*> 5.0.0.0
*> 1.0.0.0
*> 2.0.0.0
*> 3.0.0.0
*> 4.0.0.0
*> 10.0.0.0
Path
i
100 i
100 200 i
300 i
300 400 i
300 400 1000 I
AS 200
AS 100
2.0.0.0
1.0.0.0
AS 1000
AS 400
AS 300
AS 50
10.0.0.0
4.0.0.0
3.0.0.0
5.0.0.0
AS50#show ip bgp
Network
*> 5.0.0.0
*> 1.0.0.0
*> 2.0.0.0
*> 3.0.0.0
*> 4.0.0.0
*> 10.0.0.0
Path
i
100 i
100 200 i
300 i
300 400 i
300 400 1000 I
19
AS 200
AS 100
2.0.0.0
1.0.0.0
AS 1000
AS 400
AS 300
AS 50
10.0.0.0
4.0.0.0
3.0.0.0
5.0.0.0
AS50#show ip bgp
Network
*> 5.0.0.0
*> 1.0.0.0
*> 2.0.0.0
*> 3.0.0.0
*> 4.0.0.0
*> 10.0.0.0
Path
i
100 i
100 200 i
300 i
300 400 i
300 400 1000 I
21
Protocol
up
up
up
Protocol
up
up
up
append- Redirects the command output to the file location specified in the
URL.
Analogous to the |redirectoption, but it allows you to append the
output to a file instead of replacing that file.
Note: TFTP server cannot be used in this case
Description
repeat repeatcount
size datagram-size
source [address |
interface]
df-bit
Fa 0/0
10.1.192.1
Ser 0/0/0
IP Fragmentation
The
The outgoing
outgoing link
link has
has a
a
large enough
MTU
but to
I
smaller
MTU so
I have
dont reconstruct
fragment
the packets.
packets.
It is my job to reconstruct
the packets.
IP Packet
IP Packet
IP Packet
IP Packet
IP Packet
Network link with
smaller MTU
IP Packet
IP Packet
IP Packet
IP Packet
IP Packet
IP Packet
When fragmentation occurs, it does not get reconstructed until it reaches the host.
This takes processing time.
Fragment Offset field identifies the order
Some applications cannot re-assemble fragmented packets app will fail.
Sometimes by discovering the MTU of a path, the application can be configured not send
packets larger than the MTU so that fragmentation doesnt happen.
Why it is sometimes necessary to find out the MTU of a path and not to block all ICMP
27
messages like Fragmentation needed and DF bit set.
Ping df-bit
df-bit:
Sets the Dont-Fragment bit in the IP header to indicate that routers should
not fragment this packet.
If it is larger than the MTU of the outbound interface, the router should:
Drop the packet
Send an ICMP Fragmentation needed and DF bit set message back to
the source.
Very useful when you are troubleshooting MTU related problems.
By setting the df-bit option and combining it with the size option, you can
force routers along the path to drop the packets if they would have to
fragment them.
By varying the size and looking at which point the packets start being
28
dropped, you can determine the MTU.
The M in the output of the ping command signifies that an ICMP Fragmentation
needed and DF bit set message was received.
From this, you can conclude that somewhere along the path to the destination there
must be a host that has an MTU of 1476 bytes.
A possible explanation for this could be usage of a Generic Routing Encapsulation
(GRE) tunnel, which typically has an MTU of 1476 bytes (1500 bytes default MTU minus
24 bytes for the GRE and IP headers).
!
.
U
Q
M
?
&
This example shows using the extended ping prompted mode to set a sweep
range ping packet sizes.
You must be in privileged EXEC mode to use extended ping prompted mode.
32
ICMP Messages
Char
!
.
U
Q
M
?
&
Description
Eachexclamationpointindicatesreceiptofareply.
Eachperiodindicatesthenetworkservertimedoutwhilewaitingfora
reply.
AdestinationunreachableerrorPDUwasreceived.
Sourcequench(destinationtoobusy).
Couldnotfragment.
Unknownpackettype.
Packetlifetimeexceeded
33
In 1947, Grace Murray Hopper was working on the Harvard University Mark II Aiken
Relay Calculator (a primitive computer). On the 9th of September, 1947, when the
machine was experiencing problems, an investigation showed that there was a moth
trapped between the points of Relay #70, in Panel F. The operators removed the
moth and affixed it to the log. The entry reads: "First actual case of bug being found.
36
no debug
Diagnosing Hardware
42
Checking CPU
Utilization
Routers and switches have a main CPU that executes the processes that
constitute Cisco IOS Software.
Finite resource shared by various processes.
Processes are scheduled to share the available CPU cycles and take turns
executing their code.
43
Checking CPU
Utilization
Over the past minute 31% of the available CPU has been used
SSH Process was responsible for roughly half of these CPU cycles
(15.67%) over that period.
The next process in this sorted list is the Check heaps process:
Consumed only 0.78% of the total available CPU time over the last
minute
What the remaining 15% CPU cycles recorded over the last minute
were spent on?
44
Checking CPU
Utilization
What the remaining 15% CPU cycles recorded over the last minute were
spent on?
CPU runs both IOS processes and is also responsible for packet switching.
The packet switching task is not handled by a specific process.
The CPU is:
Interrupted to suspend the current process that it is executing
Switch one or more packets
Resume the execution of scheduled processes
Calculated by adding the CPU percentages for all processes and then
subtracting that total from the total CPU percentage listed at the top.
45
Checking CPU
Utilization
For the 5-second CPU usage, packet switching % is actually even listed
separately behind the slash.
30% of the total available CPU cycles over the past 5 seconds were
used
26% were spent in interrupt mode (packet switching)
4% for the execution of scheduled processes
46
Switches
http://cisco.biz/en/US/products/sw/iosswrel/ps1828/products_tech_n
ote09186a00800a65d0.shtml
http://www.cisco.com/en/US/products/hw/routers/ps133/products_te
ch_note09186a00800a70f2.shtml
http://www.cisco.com/en/US/docs/ios/fundamentals/command/refere
nce/cf_s3.html#wp1570801
48
Checking CPU
Utilization
Normal for routers to be running at high CPU loads during peaks in network
traffic.
If a process is consistently using a lot of available CPU time, this could be a
clue that there is a problem associated with that particular process.
Need to have a baseline of the CPU usage over time.
Better caching mechanisms reduce the number of CPU interrupts and CPU
utilization due to interrupts.
For example, Cisco Express Forwarding (CEF)
49
Total(b)
26534476
6291456
Used(b)
19686964
3702900
Free(b)
6847512
2588556
Lowest(b)
6288260
2511168
Largest(b)
6712884
2577468
Total(b)
26534476
6291456
Used(b)
19686964
3702900
Free(b)
6847512
2588556
Lowest(b)
6288260
2511168
Largest(b)
6712884
2577468
Total(b)
26534476
6291456
Used(b)
19686964
3702900
Free(b)
6847512
2588556
Lowest(b)
6288260
2511168
Largest(b)
6712884
2577468
Checking
Interfaces
54
Checking
Interfaces
Checking
Interfaces
Input errors:
Indicates the number of errors such as cyclic redundancy check (CRC) errors
experienced during reception of frames.
High numbers of CRC errors could indicate:
cabling problems
interface hardware problems
duplex mismatches (Ethernet)
56
Checking
Interfaces
Output errors:
This counter indicates the number of errors such as collisions, during
transmission of frames.
Most Ethernet-based networks are full-duplex and half-duplex is the exception. In
full-duplex.
Collisions cannot occur, therefore collisions, and especially late collisions,
often indicate duplex mismatches
57
Checking
Interfaces
The absolute number of drops or errors in the output is not very significant.
The error counters should be evaluated against the total number of input and output
packets.
25 CRC errors in relation to 123 input packets is reason for concern
25 CRC errors for 1,458,349 packets is not a problem at all
These counters accumulate from the time the router boots up could be months. (show
version)
If you need to investigate the interface counters it is good practice to reset the counters by
58
using the clear counters and then re-evaluate the outcome.
Checking Interfaces
If you repeatedly want to display selected statistics to see how the counters
are increasing, it is very useful to filter the output.
Use a regular expression that limits the output:
Start with the word Fast or
Includes the word errors or the word packets
59
Using Specialized
Maintenance and
Troubleshooting
Tools
62
Diagnosis
The processes that benefit the most from the deployment of network
maintenance and troubleshooting tools are the processes that are technical
in nature:
Define the problem: Network monitoring and event reporting systems can
notify the network support team of events as they happen before the users
notice and report them.
Gather information: Important to be able to leverage any tool to obtain
detailed information about events in an effective way.
Analyze: Collecting statistics about network behavior and network traffic is
therefore a key process in comparing current behavior to a baseline.
Test hypothesis: Tools that enable easy rollback of changes are therefore
important to an efficient troubleshooting process.
63
Using
Traffic
Capturing
Tools
Packet sniffers, also called network or protocol analyzers, are important and
useful tools for network engineers.
Drawback is they capture a lot of information.
Helps to know how to filter the information.
Some free some cost.
Can be software or appliance style (with specialized hardware).
Can be difficult to do on server, router or switch.
64
Destination Interface
SPAN
66
SPAN
67
SPAN
Show monitor
The output of this command shows that both incoming and outgoing
traffic are sent from Fa0/7 to Fa0/8.
The frame type of native indicates Ethernet frames rather than 802.1Q
frames.
68
RSPAN
Remote Switched Port Analyzer (RSPAN) feature you can copy traffic
from ports or VLANs on one switch (source switch) to a port on a different
switch (destination switch).
A VLAN must be designated as the RSPAN VLAN and not be used for any
other purposes.
69
RSPAN
RSPAN
Source switch, the RSPAN VLAN is configured as the destination for the SPAN
session through use of the
monitorsessionsession#destinationremotevlanvlan#
Destination switch is configured to use the RSPAN VLAN as the source of the
SPAN session through use of the
monitorsessionsession#sourceremotevlanvlan#
The RSPAN VLAN needs to match on the source and destination switches
The session numbers do not need to match.
71
RSPAN
show monitor
The source switch (SW1) the session is identified as a Remote Source
Session
The destination switch (SW2) it is marked as a Remote Destination Session.
Verify that the VLAN is configured correctly as a RSPAN VLAN on both switches.
The show vlan remote-span command is useful to verify this.
If VTP pruning is enabled on the trunks within the path between source and
destination switches, you should verify that the RSPAN VLAN is allowed on those
trunks.
72
www.wiresharkbook.com
73
74
SNMP
Poll
Data
SNMP makes use of:
SNMP Network Management Station (NMS)
One or more SNMP Agents
Agents are special processes running on the devices wed like to monitor
and collect information about.
By periodically querying (polling) the SNMP agent, the SNMP NMS can
collect valuable ongoing information and statistics and store them.
75
NMS
This data can then be processed and analyzed by the NMS in various ways.
Averages, minimums, maximums, and so on,
Calculated, graphed, and thresholds can be set to trigger a notification
process when they are exceeded or there is an issue.
Statistics gathering with SNMP is considered a pull-based system
NMS polls devices periodically to obtain the values of the objects that it is
set up to collect.
There are numerous objects that an NMS can query about.
These objects organized and identified in a hierarchical model called
Management Information Base (MIB).
76
77
78
79
http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/g
uide/fcf014.html
80
Gathering
Information with
NetFlow
81
For each individual flow, the number of packets and bytes will be tracked
and accounted.
This information is kept in a flow cache.
Flows are expired from the cache when the flows are terminated or time
out.
Examine the NetFlow cache:
CLI commands
Exported to a NetFlow collector Can be processed and graphed
The collector receives the flow information and records it in a database.
Contains a full view of all the traffic that has transited through the router
except for the payload.
82
NetFlow
The most current and flexible version is NetFlow version 9 (if your
collector supports it)
83
NetFlow
NetFlow
85
NetFlow
The collector is configured with and verifies the source IP address of the
incoming packets
Important that the NetFlow packets are always sourced from the
same router interface.
Using a loopback interface as the source interface for NetFlow ensures
that the packets will always be sourced from the same address,
regardless of the interface that is used to transmit the NetFlow
packets to the Collector.
86
After the router starts caching and accounting flow information locally in its
memory, you can display the NetFlow cache content by issuing the show ip
cache flow command.
Shows the active flows that are sending packets through the router.
In contrast to SNMP, NetFlow uses a push based model.
Routers must send NetFlow data to the collector based on changes in
the flow cache
The collector simply listens for NetFlow traffic
87
http://www.networkuptime.com/tools/netflow/
88
89
NetFlow
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/
ps6601/prod_white_paper0900aecd80406232.html
90
91
Syslog
SNMP
SNMP Traps
94
SNMP Traps
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_no
te09186a0080094a05.shtml
96
97
98