
CCNA: Fast Pass, part 8


DOCUMENT INFORMATION

Basic information

Title: Troubleshoot a Device as Part of a Working Network
School: Cisco Networking Academy
Major: Computer Networking
Type: Exercises
Year of publication: 2003
City: San Jose
Pages: 39
Size: 571,05 KB

Content


3.5 Troubleshoot a Device as Part of a Working Network

IP address: 172.16.10.2

Platform: cisco 2500, Capabilities: Router

Interface: Serial0, Port ID (outgoing port): Serial0

Holdtime : 154 sec

Version :

Cisco Internetwork Operating System Software

IOS (tm) 3000 Software (IGS-J-L), Version 11.1(5), RELEASE SOFTWARE (fc1)

Copyright (c) 1986-1996 by cisco Systems, Inc.

Compiled Mon 05-Aug-03 11:48 by mkamson

Todd2509#

What are you being shown here? Well first, you’re given the hostname and IP address of all directly connected devices. In addition to the same information displayed by the show cdp neighbor command (see Table 3.4), the show cdp neighbor detail command also gives you the IOS version of the neighbor device.

The show cdp entry * command displays the same information as the show cdp neighbor detail command. Here’s an example of the router output using the show cdp entry * command:

Platform: cisco 1900, Capabilities: Trans-Bridge Switch

Interface: Ethernet0, Port ID (outgoing port): 2

Platform: cisco 2500, Capabilities: Router

Interface: Serial0, Port ID (outgoing port): Serial0

Holdtime : 151 sec

Version :

Cisco Internetwork Operating System Software

IOS (tm) 3000 Software (IGS-J-L), Version 11.1(5), RELEASE SOFTWARE (fc1)

Copyright (c) 1986-1996 by cisco Systems, Inc.

Compiled Mon 05-Aug-03 11:48 by mkamson

Todd2509#


Gathering Interface Traffic Information

The show cdp traffic command displays information about interface traffic, including the number of CDP packets sent and received and the errors with CDP.

The following output shows the show cdp traffic command used on the 2509 router:

Todd2509#sh cdp traffic

CDP counters:

Packets output: 13, Input: 8

Hdr syntax: 0, Chksum error: 0, Encaps failed: 0

No memory: 0, Invalid packet: 0, Fragmented: 0

Todd2509#

This is not really the most important information you can gather from a router, but it does show how many CDP packets are sent and received on a device.

Gathering Port and Interface Information

The show cdp interface command (sh cdp inter for short) gives you the CDP status on router interfaces or switch ports.

And as I said earlier, you can turn off CDP completely on a router by using the no cdp run command. But did you know that you can also turn off CDP on a per-interface basis with the no cdp enable command? You can. You enable a port with the cdp enable command. All ports and interfaces default to cdp enable.

On a router, the show cdp interface command displays information about each interface using CDP, including the encapsulation on the line, the timer, and the holdtime for each interface. Here’s an example of this command’s output on the 2509 router:


To turn off CDP on one interface on a router, use the no cdp enable command from interface configuration mode:

Notice above that serial 0 isn’t listed in the router output. To get that, you’d have to perform a cdp enable on Serial 0. It would then show up in the output.

Name Resolution

Have you memorized every IP address in your enterprise? What if you have 5,000 routers? Think you can memorize those? Hostnames and DNS can greatly simplify troubleshooting by allowing you to access devices based on names rather than IP addresses. It is much easier to ping la than to try and remember the IP address of the LA router. In order to use a hostname rather than an IP address to connect to a remote device, the device that you are using to make the connection must be able to translate the hostname to an IP address.

There are two ways to resolve hostnames to IP addresses: building a host table on each router or building a Domain Name System (DNS) server, which is kind of like a dynamic host table.

Building a Host Table

A host table provides name resolution only on the router that it was built upon. The command to build a host table on a router is

ip host name tcp_port_number ip_address


The default is TCP port number 23, but you can create a session using Telnet with a different TCP port number if you want. You can also assign up to eight IP addresses to a hostname.

Here’s an example of configuring a host table with two entries to resolve the names for the 2501B router and the switch:

<0-65535> Default telnet port number

A.B.C.D Host IP address (maximum of 8)

Default domain is not set

Name/address lookup uses domain service

Name servers are 255.255.255.255

Host Flags Age Type Address(es)

2501B (perm, OK) 0 IP 172.16.10.2

1900Switch (perm, OK) 0 IP 192.168.0.148

Todd2509#

You can see the two hostnames plus their associated IP addresses in this output. The perm in the Flags column means that the entry is manually configured. If it said temp, it would be an entry that was resolved by DNS.

To verify that the host table resolves names, try typing the hostnames at a router prompt. Remember that if you don’t specify the command, the router assumes you want to telnet. In the following example, I used the hostnames to telnet into the remote devices, then pressed Ctrl+Shift+6 and then X to return to the main console of the Todd2509 router:

Todd2509#2501b

Trying 2501B (172.16.10.2) Open


User Access Verification

Password:

2501B>

Todd2509#[Ctrl+Shift+6, then x]

Todd2509#1900switch

Trying 1900switch (192.168.0.148) Open

Catalyst 1900 Management Console

Copyright (c) Cisco Systems, Inc 1993-1999

All rights reserved

Enterprise Edition Software

Ethernet Address: 00-B0-64-75-6B-C0

PCA Number: 73-3122-04

PCA Serial Number: FAB040131E2

Model Number: WS-C1912-A

System Serial Number: FAB0401U0JQ

Power Supply S/N: PHI033108SD

PCB Serial Number: FAB040131E2,73-3122-04

-1 user(s) now active on Management Console

User Interface Menu


If you want to remove a hostname from the table, just use the no ip host command like this:

RouterA(config)#no ip host routerb

The problem with the host table method is that you would need to create a host table on each router to be able to resolve names. And if you have a whole bunch of routers and want to resolve names, using DNS is a much better choice!

Using DNS to Resolve Names

So if you have a lot of devices and don’t want to create a host table in each device, you can use a DNS server to resolve hostnames.

Any time a Cisco device receives a command it doesn’t understand, it tries to resolve it through DNS by default. Watch what happens when I type the special command todd at a Cisco router prompt:

Todd2509#todd

Translating "todd" domain server (255.255.255.255)

% Unknown command or computer name, or unable to find

computer address

Todd2509#

It doesn’t know my name or what command I am trying to type, so it tries to resolve this through DNS. This is really annoying for two reasons: first, because it doesn’t know my name (grin), and second, because I need to hang out and wait for the name lookup to time out. You can get around this nasty little habit and prevent a time-consuming DNS lookup by using the no ip domain-lookup command on your router from global configuration mode.

If you have a DNS server on your network, you need to add a few commands to make DNS name resolution work:

• The first command is ip domain-lookup, and it’s turned on by default. It only needs to be entered if you previously turned it off (with the no ip domain-lookup command).

• The second command is ip name-server. This sets the IP address of the DNS server. You can enter the IP addresses of up to six servers.

• The last command is ip domain-name. Although this command is optional, it really should be set. It appends the domain name to the hostname you type in. Since DNS uses a fully qualified domain name (FQDN) system, you must have a full DNS name, in the form domain.com.

Here’s an example that uses these three commands:


Translating "2501b" domain server (192.168.0.70) [OK]

Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is

2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max

= 28/31/32 ms

Notice that the router uses the DNS server to resolve the name.

After a name is resolved using DNS, use the show hosts command to see that the device cached this information in the host table:

Todd2509#sh hosts

Default domain is lammle.com

Name/address lookup uses domain service

Name servers are 192.168.0.70

Host Flags Age Type Address(es)

2501b.lammle.com (temp, OK) 0 IP 172.16.10.2

1900switch (perm, OK) 0 IP 192.168.0.148

Todd2509#

The entry that was resolved is shown as temp, but the 1900 switch device is still perm, meaning it’s a static entry. Notice that the hostname is a full domain name. If I hadn’t used the ip domain-name lammle.com command, I would have needed to type in ping 2501b.lammle.com, which is a pain.

Telnet

Telnet is probably the most fundamental troubleshooting tool you will use. After all, you are probably not going to run from device to device in a routed network to check out problems. You are going to telnet from device to device and use the troubleshooting commands included in this chapter to check out the operation of devices.

Telnet is a virtual terminal protocol that uses the TCP/IP protocol suite; it allows you to make connections to remote devices, gather information, and run programs.


After your routers and switches are configured, you can use the Telnet program to reconfigure and/or check up on your routers and switches without using a console cable. You run the Telnet program by typing telnet at any command prompt (DOS or Cisco). You have to have VTY passwords set on the routers for this to work.

Remember—when you are working on reachability issues with remote devices, you can’t use CDP to gather information about routers and switches that aren’t directly connected to your device. However, you can use the Telnet application to connect to your neighbor devices, then run CDP on those remote devices to get the skinny on them, and eventually reach those remote routers and switches. You can issue the telnet command from any router prompt, like this:

Todd2509#telnet 172.16.10.2

Trying 172.16.10.2 Open

Password required, but none set

[Connection to 172.16.10.2 closed by foreign host]

Todd2509#

Oops! Ummm, I guess I didn’t set my passwords—how embarrassing! Note to self (and you)—the VTY ports on a router are configured as login, meaning we have to either set the VTY passwords, or use the no login command.

On a Cisco router, you don’t need to use the telnet command; you can just type in an IP address from a command prompt, and the router will assume that you want to telnet to the device. Here’s how that looks:

Todd2509#172.16.10.2

Trying 172.16.10.2 Open

Password required, but none set

[Connection to 172.16.10.2 closed by foreign host]


2501B#

%SYS-5-CONFIG_I: Configured from console by console

Now, let’s try this again—here, I’m connecting to the router from the 2509’s console:

Telnetting into Multiple Devices Simultaneously

Sometimes when working on a complicated problem, you want to see what multiple devices are seeing. For example, you may want to do a show ip route command on several routers to see if a route is propagating correctly or not. If you telnet to a router or switch, you can end the connection by typing exit at any time, but what if you want to keep your connection to a remote device but still come back to your original router console? To do that, you can press the Ctrl+Shift+6 key combination, release it, and then press X.

Here’s an example of connecting to multiple devices from my Todd2509 router console:


In this example, I telnetted to the 2501B router, then typed the password to enter user mode. I then pressed Ctrl+Shift+6 and then X, but you can’t see that because it doesn’t show on the screen output. Notice my command prompt is now back at the Todd2509 router.

You can also telnet into a Catalyst 1900 switch, but to get away with that, you must set the enable mode password level 15 or the enable secret password on the switch before you can gain access via the Telnet application.

In the following example, I telnetted into a 1900 switch that responded by giving me the console output of the switch:

Todd2509#telnet 192.168.0.148

Trying 192.168.0.148 Open

Catalyst 1900 Management Console

Copyright (c) Cisco Systems, Inc 1993-1999

All rights reserved

Enterprise Edition Software

Ethernet Address: 00-B0-64-75-6B-C0

PCA Number: 73-3122-04

PCA Serial Number: FAB040131E2

Model Number: WS-C1912-A

System Serial Number: FAB0401U0JQ

Power Supply S/N: PHI033108SD

PCB Serial Number: FAB040131E2,73-3122-04

-1 user(s) now active on Management Console

User Interface Menu


Checking Telnet Connections

In the heat of a problem, you may end up with many telnet sessions open. To see the connections made from your router to a remote device, use the show sessions command.

by typing the number of the connection and pressing Enter twice

Checking Telnet Users

When you are working on a problem, you will probably want to know who else is working on it. After all, you don’t want someone else to change something on a router you are troubleshooting without knowing about it! You can list all active consoles and VTY ports in use on your router with the show users command:

Closing Telnet Sessions

You can end Telnet sessions a few different ways—typing exit or disconnect is probably the easiest and quickest.


To end a session from a remote device, use the exit command:

Todd2509#[Enter] and again [Enter]

[Resuming connection 2 to 192.168.0.148 ]

1900Switch>exit

[Connection to 192.168.0.148 closed by foreign host]

Todd2509#

Since the 1900Switch was my last session, I just pressed Enter twice to return to that session.

To end a session from a local device, use the disconnect command:

Todd2509#disconnect ?

<1-2> The number of an active network connection

WORD The name of an active network connection

If you want to end a session of a device attached to your router through Telnet, you should check and see if any devices are attached to your router first. Use the show users command to get that information, like this:


Then verify that the user has been disconnected with the show users command:

Understand when you would use CDP. Cisco Discovery Protocol can be used to help you document and troubleshoot your network.

Remember the output from the show cdp neighbors command. The show cdp neighbors command provides the following information: device ID, local interface, holdtime, capability, platform, and port ID.

Understand how to telnet into a router, keep your connection, but return to your originating console. If you telnet to a router or switch, you can end the connection by typing exit at any time. However, if you want to keep your connection to a remote device but still come back to your original router console, you can press the Ctrl+Shift+6 key combination, release it, and then press X.

Remember the command to verify your Telnet sessions. The command show sessions will provide you with all the sessions your router has to other routers.

Remember how to build a static host table on a router. By using the global configuration mode command ip host host_name ip_address, you can build a static host table on your router.

Remember how to verify your host table on a router. You can verify the host table with the show hosts command.

3.6 Troubleshoot an Access List

When working on a problem, be sure to eliminate the possibility of an access list blocking traffic. It is a crucial troubleshooting skill to be able to quickly view both the contents of access lists and where they are applied.


Table 3.5 shows the commands that you can use to view the configuration and application of access lists on a router.

You should already be familiar with the show running-config command; let’s now focus on some access list–specific commands. The show access-list command lists all access lists on the router, regardless of whether they’re applied to an interface:

Acme#show access-list

Standard IP access list 10

deny 172.16.40.0, wildcard bits 0.0.0.255

permit any

Standard IP access list BlockSales

deny 172.16.40.0, wildcard bits 0.0.0.255

permit any

Extended IP access list 110

deny tcp any host 172.16.30.5 eq ftp

deny tcp any host 172.16.30.5 eq telnet

permit ip any any

Table 3.5 Access-List Commands

| Command | Description |
|---|---|
| show access-list | Displays all access lists and their parameters configured on the router. This command does not show you which interface the list is set on. |
| show access-list 110 | Shows only the parameters for the access list 110. This command does not show you the interface the list is set on. |
| show ip access-list | Shows only the IP access lists configured on the router. |
| show ip interface | Shows which interfaces have access lists set. |
| show running-config | Shows the access lists and which interfaces have access lists set. |


Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is BlockSales

Inbound access list is not set

Proxy ARP is enabled

Security level is default

Split horizon is enabled

ICMP redirects are always sent

ICMP unreachables are always sent

ICMP mask replies are never sent

IP fast switching is disabled

IP fast switching on the same interface is disabled

IP Null turbo vector

IP multicast fast switching is disabled

IP multicast distributed fast switching is disabled

Router Discovery is disabled

IP output packet accounting is disabled

IP access violation accounting is disabled

TCP/IP header compression is disabled

RTP/IP header compression is disabled

Probe proxy name replies are disabled

Policy routing is disabled

Network address translation is disabled

Web Cache Redirect is disabled

BGP Policy Mapping is disabled

Acme#

Be sure and notice the bold line that indicates that the outgoing list on this interface is BlockSales, but the inbound access list isn’t set.
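How the lists in the show access-list output above decide what happens to a packet, as an added example (not from the book): a first-match evaluator for access lists 10 and 110, with the wildcard-bit comparison and the implicit deny that ends every list. The function names and the test traffic are constructed for illustration; ftp and telnet are written as TCP ports 21 and 23.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # "any": every bit is a don't-care


def host(ip):
    """'host x' is x with wildcard 0.0.0.0 (every bit must match)."""
    return (ip, "0.0.0.0")


def wildcard_match(addr, base, wildcard):
    """Compare only the bit positions where the wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# Lists transcribed from the show access-list output above.
ACL_10 = [
    ("deny", ("172.16.40.0", "0.0.0.255")),
    ("permit", ANY),
]
ACL_110 = [
    ("deny", "tcp", ANY, host("172.16.30.5"), 21),   # eq ftp
    ("deny", "tcp", ANY, host("172.16.30.5"), 23),   # eq telnet
    ("permit", "ip", ANY, ANY, None),
]


def eval_standard(acl, src):
    """Return (action, matching line); standard lists test the source only."""
    for line, (action, (base, wc)) in enumerate(acl, 1):
        if wildcard_match(src, base, wc):
            return action, line
    return "deny", None          # implicit deny: no line matched


def eval_extended(acl, proto, src, dst, dport=None):
    """Return (action, matching line) for an extended list."""
    for line, (action, acl_proto, s, d, port) in enumerate(acl, 1):
        if acl_proto != "ip" and acl_proto != proto:
            continue
        if not (wildcard_match(src, *s) and wildcard_match(dst, *d)):
            continue
        if port is not None and port != dport:
            continue
        return action, line      # first match wins; later lines are not read
    return "deny", None          # implicit deny


if __name__ == "__main__":
    # Constructed test traffic, not taken from the book.
    print(eval_standard(ACL_10, "172.16.40.77"))
    print(eval_standard(ACL_10, "172.16.41.1"))
    print(eval_extended(ACL_110, "tcp", "172.16.40.9", "172.16.30.5", 23))
    print(eval_extended(ACL_110, "tcp", "172.16.40.9", "172.16.30.5", 80))
    # Without the trailing "permit any", everything else hits the implicit deny.
    print(eval_standard(ACL_10[:1], "10.0.0.1"))
```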

Exam Essentials

Remember the command to verify an access list on an interface. To see whether an access list is set on an interface and in which direction it is filtering, use the show ip interface command. This command will not show you the contents of the access list, merely which access lists are applied on the interface.

Remember the command to verify the access lists configuration. To see the configured access lists on your router, use the show access-list command. This command will not show you which interfaces have an access list set.

3.7 Performing Simple WAN Troubleshooting

In this section, I will show you some of the troubleshooting commands specific to WAN protocols. We will look at commands used to validate and troubleshoot Point-to-Point Protocol (PPP), Frame Relay, and Integrated Services Digital Network (ISDN).

You can verify the PPP authentication configuration by using the debug ppp authentication command.


Troubleshooting Frame Relay

As you know, Frame Relay is, well, a bit more complex than High-Level Data Link Control (HDLC) protocol or the Point-to-Point Protocol (PPP). You have to understand the technology, and there are many commands on the router you can use to ensure that various parts of Frame Relay are functioning. Since most Frame Relay networks are not privately owned, you will likely be working on Frame Relay problems while on the telephone with your service provider.

There are several commands frequently used to check the status of your interfaces and permanent virtual circuits (PVCs) once you have had Frame Relay encapsulation set up and running. These commands will prove useful when you are working with the service provider to isolate exactly what is working and what is not. Here are some of the commands you will be using:

RouterA>sho frame ?

ip show frame relay IP statistics

lmi show frame relay lmi statistics

map Frame-Relay map table

pvc show frame relay pvc statistics

route show frame relay route

traffic Frame-Relay protocol statistics

Let’s take a look at the most frequently used commands and the information they provide.

The show frame relay lmi Command

The show frame relay lmi command (abbreviated sh frame lmi) gives you the Local Management Interface (LMI) traffic statistics exchanged between the local router and the Frame Relay switch:

Router#sh frame lmi

LMI Statistics for interface Serial0 (Frame Relay DTE)

LMI TYPE = CISCO

Invalid Unnumbered info 0 Invalid Prot Disc 0

Invalid dummy Call Ref 0 Invalid Msg Type 0

Invalid Status Message 0 Invalid Lock Shift 0

Invalid Information ID 0 Invalid Report IE Len 0

Invalid Report Request 0 Invalid Keep IE Len 0

Num Status Enq Sent 0 Num Status msgs Rcvd 0

Num Update Status Rcvd 0 Num Status Timeouts 0

Router#

The router output from the show frame relay lmi command tells you about any LMI, as well as the LMI type.


The show frame pvc Command

The show frame pvc command lists all configured PVCs and Data Link Connection Identifier (DLCI) numbers. It provides the status of each PVC connection and traffic statistics. It also gives you the number of Backward-Explicit Congestion Notification (BECN) and Forward-Explicit Congestion Notification (FECN) packets received on the router:

RouterA#sho frame pvc

PVC Statistics for interface Serial0 (Frame Relay DTE)

DLCI = 16,DLCI USAGE = LOCAL,PVC STATUS =ACTIVE,

pvc create time 7w3d, last time pvc status changed 7w3d

DLCI = 18,DLCI USAGE =LOCAL,PVC STATUS =ACTIVE,

pvc create time 7w3d, last time pvc status changed 7w3d

To see information about only PVC 16, you can type the command show frame relay pvc 16.

The show interface Command

You can also use the show interface command to check for LMI traffic. This command displays information about encapsulation as well as Layer-2 and Layer-3 information.

The LMI DLCI, as shown in the following output, is used to define the type of LMI being used. If it’s 1023, it’s Cisco’s default LMI type. If the LMI DLCI is zero, then it’s the ANSI LMI type. If the LMI DLCI is anything other than 0 or 1023, call your provider—they have a definite problem!

RouterA#sho int s0

Serial0 is up, line protocol is up


LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0

LMI DLCI 1023 LMI type is CISCO frame relay DTE

Broadcast queue 0/64, broadcasts sent/dropped 0/0,

interface broadcasts 839294

The show interface command displays line, protocol, DLCI, and LMI information.

The show frame map Command

The show frame map command displays the Network layer–to–DLCI mappings:

RouterB#show frame map

Serial0 (up): ipx 20.0007.7842.3575 dlci 16(0x10,0x400),

dynamic, broadcast,, status defined, active

Serial0 (up): ip 172.16.20.1 dlci 16(0x10,0x400),

dynamic, broadcast,, status defined, active

Serial1 (up): ipx 40.0007.7842.153a dlci 17(0x11,0x410),

dynamic, broadcast,, status defined, active

Serial1 (up): ip 172.16.40.2 dlci 17(0x11,0x410),

dynamic, broadcast,, status defined, active

Notice that the serial interface has two mappings, one for IP and one for IPX. Also, notice that the Network layer addresses were resolved with the dynamic protocol Inverse ARP (IARP). After the DLCI number is listed, you can see some numbers in parentheses. Notice the first number is 0x10. That’s the hex equivalent for the DLCI number 16, used on Serial 0. The 0x11 is the hex for DLCI 17 used on Serial 1. The second numbers, 0x400 and 0x410, are the DLCI numbers configured in the Frame Relay frame. They’re different because of the way the bits are spread out in the frame.
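The bit layout behind those two hex values, as an added example (not from the book): the 10-bit DLCI is split 6 + 4 across the two address octets of the Frame Relay header, with the C/R, FECN, BECN, DE and EA bits filling the remaining positions. The function names are constructed for illustration, and cisco_map_pair assumes the router prints the second value with all flag bits zero, which matches the 0x400 and 0x410 shown above.

```python
def dlci_to_address_field(dlci, cr=0, fecn=0, becn=0, de=0):
    """Pack a DLCI and flag bits into the 2-octet Frame Relay address field.

    Octet 1: DLCI bits 9..4 | C/R | EA=0 (another address octet follows)
    Octet 2: DLCI bits 3..0 | FECN | BECN | DE | EA=1 (last address octet)
    """
    if not 0 <= dlci <= 1023:
        raise ValueError("a 2-octet address carries a 10-bit DLCI (0-1023)")
    octet1 = ((dlci >> 4) << 2) | (cr << 1)
    octet2 = ((dlci & 0x0F) << 4) | (fecn << 3) | (becn << 2) | (de << 1) | 1
    return bytes([octet1, octet2])


def address_field_to_dlci(field):
    """Unpack the 2-octet address field back into DLCI and flag bits."""
    if len(field) != 2:
        raise ValueError("expected exactly two address octets")
    o1, o2 = field
    if (o1 & 1) or not (o2 & 1):
        raise ValueError("EA bits do not describe a 2-octet address")
    return {
        "dlci": ((o1 >> 2) << 4) | (o2 >> 4),
        "cr": (o1 >> 1) & 1,
        "fecn": (o2 >> 3) & 1,
        "becn": (o2 >> 2) & 1,
        "de": (o2 >> 1) & 1,
    }


def cisco_map_pair(dlci):
    """Return the two hex strings printed after 'dlci N' in show frame map.

    First value: the DLCI number itself in hex.
    Second value: the same 10 bits in their on-the-wire positions, with
    every flag bit (including EA) left at zero. That zeroing is an
    assumption made to reproduce the values on this page.
    """
    on_wire = ((dlci >> 4) << 10) | ((dlci & 0x0F) << 4)
    return f"0x{dlci:x}", f"0x{on_wire:x}"


if __name__ == "__main__":
    for n in (16, 17):                      # the DLCIs in the output above
        print(n, cisco_map_pair(n), dlci_to_address_field(n).hex())
    # Constructed frame header: DLCI 16 with the BECN bit set by the switch.
    print(address_field_to_dlci(bytes([0x04, 0x05])))
```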

The debug frame lmi Command

The debug frame lmi command shows output on the router consoles by default. The information from this command allows you to verify and troubleshoot the Frame Relay connection by helping you to determine whether the router and switch are exchanging the correct LMI information:

Router#debug frame-relay lmi

Serial3/1(in): Status, myseq 214

Date posted: 14/08/2014, 13:20
