Troubleshooting
Case Study:
Bank of POLONA
CCNP TSHOOT: Maintaining and Troubleshooting IP Networks
TSHOOT v7 Chapter 9
2007-2016, Cisco Systems, Inc. All rights reserved.
Cisco Public
Chapter 9 Objectives
Bank of POLONA Trouble Ticket 1
Troubleshooting Redistribution
Troubleshooting VRRP with Interface Tracking
FHRP Tracking Options
Troubleshooting IP SLA
Chapter 9 Objectives
Bank of POLONA Trouble Ticket 3
Troubleshooting GRE Tunnels
OSPF Summarization Tips and Commands
Troubleshooting AAA
Bank of POLONA Trouble Ticket 1
Trouble Ticket 1
The newly acquired branch, Branch 3, is running EIGRP, while the other two branches are running OSPF.
Issue Notification:
The user on PC3 in Branch 3 cannot access the server SRV2.
If R1's uplink to HQ fails, traffic from PC0 goes to R1 and then to R2, instead of going directly to R2.
HSRP was considered, but VRRP is to be installed to avoid the sub-optimal traffic path.
Since the connection to SRV2 was not reliable, an IP SLA was configured on HQ to test connectivity to SRV2. However, the SLA test is not starting.
Command | Result | Conclusion
------- | ------ | ----------
telnet 192.168.3.101 | Successful |
Ping HQ | Successful |
Ping 192.168.2.200 (SRV2) | Fail | Problem verified
Show ip protocols | OK | HQ is a neighbour
Check HQ router: show ip protocols | | OSPF 1 not being redistributed into EIGRP
Resolve: redistribute ospf 1 | | OSPF routes in BR3 table
Verify | Successful | Problem solved
Troubleshooting Redistribution
When prefixes are not being redistributed from one process to another, first check whether the redistribute command references the correct routing process with the appropriate process number.
Also check that routes are not filtered by a misconfigured distribute list or route map.
Redistribution from one process to another requires that you provide a seed metric for the redistributed routes:
OSPF has a default seed metric of 20.
EIGRP and RIPv2 do not have a default metric by default.
You can set up a default metric for these protocols, or you can assign unique metric values on the redistribution command line.
Note: Prefixes are redistributed from one process into another only as long as they are present in the IP routing/forwarding table.
Troubleshooting Redistribution
Protocol-specific facts related to redistribution:
EIGRP
EIGRP does not automatically have a default metric for any redistributed routes.
If the default metric or a manual metric is not specified, EIGRP assumes a metric of 0 and does not advertise the redistributed routes.
EIGRP will not autosummarize external routes unless a connected or internal EIGRP route exists in the routing table from the same major network as the external routes.
If an EIGRP stub router needs to redistribute routes, it has to be explicitly configured to do so using the eigrp stub redistributed command.
OSPF
Use the subnets parameter to distinguish classful and classless behavior.
When any protocol is redistributed into OSPF, if the networks that are being redistributed are subnets, you must add the subnets keyword under the OSPF configuration.
If the subnets keyword is not added, OSPF will ignore all the subnetted routes when generating the external link-state advertisement (LSA).
The same situation arises when connected or static routes are redistributed into OSPF.
Troubleshooting Redistribution
Protocol-specific facts related to redistribution:
BGP
Command | Result | Conclusion
------- | ------ | ----------
tracert 209.165.201.45 | Correct path |
tracert 209.165.201.45 | Path: R1, R2, HQ | Problem verified
Show vrrp | | OK so far
Check tracking: show track, show vrrp | |
Test: shut down R1's E0/1 interface and see VRRP info | |
Verify: tracert 209.165.201.45 | | Problem solved
[Topology diagram: R1, R2, HQ]
Troubleshooting IP SLA
To implement Cisco IOS IP SLAs, you need to perform the following tasks:
1. Enable the Cisco IOS IP SLAs responder, if needed.
2. Configure the required Cisco IOS IP SLAs operation type.
3. Configure any options available for the specified Cisco IOS IP SLAs operation type.
4. Configure threshold conditions, if required.
5. Schedule the operation to run, and then let the operation run for a period of time to gather statistics.
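Steps 1, 2 and 5 are the ones that silently fail when skipped, which is exactly the situation in Issue #3 of this ticket. As an added example (not code from the slides or from Cisco), the Python audit below parses a constructed HQ config in which the probe to SRV2 was defined and tracked but never scheduled, and reports each operation that will never start as well as each operation type that needs the responder on a Cisco target. The SLA numbers, targets and track object are constructed.

```python
import re

# Constructed HQ config: SLA 1 (icmp-echo to SRV2) has a track object but no
# "ip sla schedule"; SLA 2 (udp-jitter) is scheduled but needs a responder.
SAMPLE_HQ = """\
ip sla 1
 icmp-echo 192.168.2.200 source-interface Ethernet0/0
 frequency 10
 threshold 500
ip sla 2
 udp-jitter 192.168.3.1 16384
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
"""

RESPONDER_OPERATIONS = ("udp-jitter", "udp-echo")  # step 1: target must run "ip sla responder"

def _entry(ops, sla_id):
    return ops.setdefault(sla_id, {"type": None, "target": None, "scheduled": False, "tracked": False})

def parse_ip_sla(config):
    """Map SLA id -> {"type", "target", "scheduled", "tracked"} from definitions, schedules and tracks."""
    ops, current = {}, None
    for line in config.splitlines():
        m_def = re.match(r"^ip sla (\d+)$", line)
        m_sched = re.match(r"^ip sla schedule (\d+)", line)
        m_track = re.match(r"^track \d+ ip sla (\d+)", line)
        if m_def:
            current = int(m_def.group(1))
            _entry(ops, current)
        elif m_sched:
            _entry(ops, int(m_sched.group(1)))["scheduled"] = True
        elif m_track:
            _entry(ops, int(m_track.group(1)))["tracked"] = True
        elif line.startswith(" ") and current is not None and ops[current]["type"] is None:
            parts = line.split()  # first indented line under "ip sla N" is the operation type and target
            ops[current]["type"], ops[current]["target"] = parts[0], parts[1]
        elif not line.startswith(" "):
            current = None
    return ops

def audit_ip_sla(config):
    """Return findings for operations that will never run and probes whose target needs a responder."""
    findings = []
    for sla_id, op in sorted(parse_ip_sla(config).items()):
        if op["type"] is None:
            findings.append(f"ip sla {sla_id}: no operation type configured (step 2)")
        elif op["type"] in RESPONDER_OPERATIONS:
            findings.append(f"ip sla {sla_id}: {op['type']} to {op['target']} needs 'ip sla responder' on the target (step 1)")
        if not op["scheduled"]:
            hint = " and a track object depends on it" if op["tracked"] else ""
            findings.append(f"ip sla {sla_id}: never scheduled{hint}; add 'ip sla schedule {sla_id} life forever start-time now' (step 5)")
    return findings
```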
IP SLA Troubleshoot, Issue #3
An IP SLA test was configured on HQ to gauge the reachability of SRV2 at all times, but the SLA has not begun.
IP SLA Troubleshoot, Issue #3
Hypothesis: there was no schedule configured for the IP SLA test.
Test:
show ip sla application: shows 1 configured SLA and 1 active entry.
show ip sla statistics: shows the latest start time for the IP SLA and its operation Time-To-Live as Forever.
Bank of POLONA Trouble Ticket 2
Trouble Ticket 2
The newly acquired branch, Branch 3, is running EIGRP, while the other two branches are running OSPF.
Issue Notification:
BR3 is configured to summarise its networks (172.16.x.x) and advertise only the summary route to HQ, but HQ's routing table still shows all the individual routes.
PC0 does not have Internet access via IPv6.
All Branch 3 devices have lost IPv6 Internet access.
There is no summary-address command on BR3's tunnel interface to HQ, but there is one on the Eth 0/0 interface.
We verify that BR3 is connected to HQ via the tunnel interface: show ip eigrp neighbors (confirmed).
So we move the configuration to the tunnel interface.
A word of caution:
Before moving the summary-address command line, check which type of EIGRP configuration has been implemented:
Conventional (autonomous system number) EIGRP configuration method, or
EIGRP Named configuration.
The conventional method configures the summary address in interface mode.
The Named convention applies the summary address in the af-interface section within an address family inside the EIGRP process.
Check with show run | section eigrp <ASN>
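The following Python helper is an added example (not from the slides or from Cisco) that automates the caution above: it tells the two EIGRP configuration styles apart from the router eigrp line, collects summary-address lines from both places they can live (interface mode in classic, af-interface in named), and reports when the neighbour-facing interface carries no summary. The config is constructed, with the BR3 networks from the ticket; the process name POLONA and the interface names are assumptions.

```python
import re

# Constructed BR3 config (named mode): the summary sits under af-interface
# Ethernet0/0, while HQ is the EIGRP neighbour reached over Tunnel1.
SAMPLE_NAMED = """\
router eigrp POLONA
 address-family ipv4 unicast autonomous-system 1
  af-interface Ethernet0/0
   summary-address 172.16.0.0 255.255.0.0
  exit-af-interface
  network 172.16.0.0
  network 192.168.11.0
 exit-address-family
!
interface Tunnel1
 ip address 192.168.11.2 255.255.255.0
!
"""

def eigrp_mode(config):
    """'classic' for 'router eigrp <ASN>', 'named' for 'router eigrp <name>', None if absent."""
    m = re.search(r"^router eigrp (\S+)", config, re.M)
    if not m:
        return None
    return "classic" if m.group(1).isdigit() else "named"

def summary_interfaces(config):
    """Map interface name -> summary-address lines under it, for either style:
    classic: 'ip summary-address eigrp <ASN> ...' under 'interface X'
    named:   'summary-address ...' under 'af-interface X' inside the address family."""
    found, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)|^\s+af-interface (\S+)", line)
        if m:
            current = m.group(1) or m.group(2)
        elif re.match(r"^(!|router )|^\s+exit-af-interface|^\s*exit-address-family", line):
            current = None
        elif current and "summary-address" in line:
            found.setdefault(current, []).append(line.strip())
    return found

def summary_placement(config, neighbor_interface):
    """Empty list when the neighbour-facing interface has a summary, otherwise one finding."""
    mode, found = eigrp_mode(config), summary_interfaces(config)
    where = "af-interface" if mode == "named" else "interface"
    if neighbor_interface in found:
        return []
    return [f"{mode or 'no'} EIGRP: no summary-address under {where} {neighbor_interface}; "
            f"summaries found on: {', '.join(sorted(found)) or 'none'}"]
```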
PC0: 2001:DB8:C0A8::64/64, default gateway FE80::1

Command | Result | Conclusion
------- | ------ | ----------
Ping 2001:DB8:D1A5:C92D::1 | UUUUU | No valid route to destination
Ping FE80::1 | !!!! successful | OK so far; no L1 or L2 problems
Follow-the-path approach: check R1 & R2 | | R1 & R2 should be receiving the default route from HQ via RIPng
Ping 2001:DB8:D1A5:C92D::1 | |
Ping 2001:DB8:D1A5:C92D::1 | |
Check protocols | RIPng is active on relevant interfaces | So far so good
Check HQ | | HQ is not generating default routes
Verify: Ping 2001:DB8:D1A5:C92D::1 | !!!! successful; R ::/0 [120/2] via FE80::10, Ethernet 0/1 | Correct path
Troubleshooting RIPng
RIPng is a distance vector routing protocol that uses hop count as its metric. It uses native IPv6 packets to exchange routing updates and a well-known multicast address (FF02::9).
User Datagram Protocol (UDP) is the transport protocol, using port number 521.
Before starting to troubleshoot IPv6 routing issues, make sure that IPv6 routing is enabled on the device and that interfaces are configured with IPv6 addresses.
Troubleshooting RIPng
If RIPng routes do not appear in the IPv6 routing table:
Check that RIPng is enabled on the interface.
RIPng has a maximum radius of 15 hops; networks with more hops are considered unreachable.
Check whether IPv6 access control lists (ACLs) are blocking the RIPng traffic: the FF02::9 IPv6 multicast address and UDP port 521 must be permitted in the ACL.
Troubleshooting RIPng
If the default route is not announced, check that the default route announcement is configured on the router.
A RIPng default route announcement must be configured on the interface out of which it is to be announced:
(config-if)# ipv6 rip process-id default-information originate
Command | Result | Conclusion
------- | ------ | ----------
Telnet 2001:DB8:C0A8:340::1 | Success | OK so far; no L1 or L2 problems
Ping 2001:DB8:D1A5:C92D::1 source Eth 0/1 | .. Fail | Problem verified
Ping 2001:DB8:D1A5:C92D::1 | .. Fail |
Gather info: check BR3's IPv6 routing table | S ::/0 [1/0] via FE80::1, Ethernet 0/0; Eth 0/0 up/up |
Ping FE80::1 | .. Fail |
Terminal monitor; debug ipv6 packet; ping FE80::1 | Output interface: Ethernet 0/0 |
Resolve alternatives: 1. Remove the explicit deny statement (no sequence 220); 2. Add two permit icmp statements before the explicit deny statement | | Problem solved (see slide Example 9-31/2)
The Neighbor Advertisement (NA) packets are sent by BR3's neighbour, HQ, in response to BR3's Neighbor Solicitation (NS) messages.
NA and NS messages perform IPv6-to-MAC address resolution, similar to ARP Request and ARP Reply messages in IPv4.
A non-existing ACL permits all traffic, but an empty ACL denies all traffic. In IPv6, an empty ACL permits all traffic; however, if you add a comment to an empty IPv6 ACL, it will deny all traffic.
IPv4 ACLs are applied to interfaces by using the ip access-group command, but IPv6 ACLs are applied to interfaces by using the ipv6 traffic-filter command.
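The ACL behaviours discussed on this page (the RIPng requirement to permit FF02::9 on UDP 521, the neighbour-discovery failure that an explicit deny causes in Trouble Ticket 2, and the missing/empty/remark-only cases just described) can be reasoned about with a small evaluator. The Python below is an added example, not the slides' or Cisco's code: it models an IPv6 ACL as IOS processes it, including the implicit tail of two ND permits followed by deny ipv6 any any, and applies the slide's stated rules for a missing, empty or remark-only ACL. The sample ACEs and packets are constructed.

```python
import ipaddress

# IOS appends these implicit entries to every IPv6 ACL: neighbour discovery is
# allowed, then everything else is denied. An explicit "deny ipv6 any any" placed
# above them shadows the ND permits, which is the Trouble Ticket 2 failure.
IMPLICIT_TAIL = ["permit icmp any any nd-na", "permit icmp any any nd-ns", "deny ipv6 any any"]

def parse_ace(text):
    """Parse an ACE such as 'permit udp any FF02::9/128 eq 521' or 'permit icmp any any nd-ns'."""
    tok = text.split()
    ace = {"action": tok[0], "proto": tok[1], "src": tok[2], "dst": tok[3], "port": None, "icmp": None}
    if tok[4:5] == ["eq"]:
        ace["port"] = int(tok[5])
    elif tok[4:]:
        ace["icmp"] = tok[4]  # ICMPv6 message name, e.g. nd-ns, nd-na, echo-request
    return ace

def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(acl, packet):
    """Return 'permit' or 'deny' for packet (dict: proto, src, dst, port/icmp) against an IPv6 ACL.
    acl is None (no ACL applied), [] (empty) or a list of ACE/remark strings. Per the slide:
    a missing or empty IPv6 ACL permits everything, a remark-only ACL denies everything."""
    if not acl:
        return "permit"
    entries = [e for e in acl if not e.startswith("remark")]
    if not entries:
        return "deny"
    for line in entries + IMPLICIT_TAIL:  # first match wins, top to bottom
        ace = parse_ace(line)
        if ace["proto"] != "ipv6" and ace["proto"] != packet["proto"]:
            continue
        if not (addr_matches(ace["src"], packet["src"]) and addr_matches(ace["dst"], packet["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != packet.get("port"):
            continue
        if ace["icmp"] is not None and ace["icmp"] != packet.get("icmp"):
            continue
        return ace["action"]
    return "deny"  # not reachable: the implicit tail always matches

# Constructed packets: a RIPng update, and the neighbour solicitation BR3 sends for its next hop.
RIPNG_UPDATE = {"proto": "udp", "src": "FE80::10", "dst": "FF02::9", "port": 521}
ND_SOLICIT = {"proto": "icmp", "src": "2001:DB8:C0A8:340::1", "dst": "FF02::1:FF00:1", "icmp": "nd-ns"}
BROKEN_ACL = ["permit tcp any any eq 23", "deny ipv6 any any"]          # explicit deny shadows ND
FIX_REMOVE_DENY = ["permit tcp any any eq 23"]                          # option 1 from the ticket
FIX_PERMIT_ND = ["permit icmp any any nd-ns", "permit icmp any any nd-na", "deny ipv6 any any"]  # option 2
```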
Bank of POLONA Trouble Ticket 3
Trouble Ticket 3
The newly acquired branch, Branch 3, is running EIGRP, while the other two branches are running OSPF. The plan is to reconfigure EIGRP soon.
Issue Notification:
Branch 1 has lost connectivity to the Headquarters site. The PC1 user reports that pings to PC0 fail. PC1 could reach PC0 before the upgrades.
After the routing protocol at BR3 was migrated to OSPF Area 3, it was necessary to summarise Branch 3's networks (172.16.0.0/16) to the R1 & R2 routers at the headquarters site. However, the R1 router is still receiving the individual subnets of Branch 3.
The Branch 1 router (BR1) must authenticate remote login requests (Telnet) using the local authentication method. However, telnetting into BR1 shows a request for only a password and not a username.
Command | Result | Conclusion
------- | ------ | ----------
Ping 192.168.1.100 | UUUUU |
Check interfaces on HQ | | Get an IP address
interface tunnel 1 / ip address 192.168.11.2 255.255.255.0 | Tunnel 1 is up |
Now test: ping 192.168.11.1 | |
Check neighbours | | More is needed
Verify | !!!! successful |
Troubleshooting AAA
TACACS+ is a Cisco proprietary protocol that runs over TCP port 49, and RADIUS is an IETF standard that runs over UDP port 1812 (or 1645) for authentication and UDP port 1813 (or 1646) for accounting.
It is common and best practice to use a centralized AAA server as the primary authentication method and local authentication as the backup, in case the AAA server is down or unreachable.
To enable AAA services on Cisco routers, use the aaa new-model command.
Next, configure your preferred AAA methods using the aaa authentication, aaa authorization, and aaa accounting commands with appropriate parameters.
Troubleshooting AAA
Common problems encountered while using centralized authentication with TACACS+ and RADIUS servers include the following:
Server failure or server not accessible: to prevent locking yourself out of the device when the AAA server is not accessible, use the local authentication method as the backup method for authentication. You can define up to four methods for authentication.
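Both AAA points on this page (a server-based login list must keep local as a fallback, and the Trouble Ticket 3 symptom of a password prompt without a username prompt) can be checked from the configuration. The Python audit below is an added example, not code from the slides or from Cisco: it parses the aaa authentication login lists, works out what the vty lines actually use for login, and reports a missing local fallback, more than four methods, a list that is not defined, and vty lines that still rely on a plain line password. The configs are constructed; the server name ISE, its address and the passwords are placeholders.

```python
import re

# Constructed BR1 config for Trouble Ticket 3: the vty lines use a line
# password with plain "login", so Telnet asks for a password but no username.
SAMPLE_BR1 = """\
line vty 0 4
 password cisco
 login
 transport input telnet
"""

def parse_login_lists(config):
    """Map method-list name -> ordered methods; 'group tacacs+' counts as one method."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        tokens, methods = m.group(2).split(), []
        while tokens:
            tok = tokens.pop(0)
            methods.append(f"{tok} {tokens.pop(0)}" if tok == "group" else tok)
        lists[m.group(1)] = methods
    return lists

def vty_login_method(config):
    """Return 'line-password' (plain login), 'local' (login local), the named list from
    'login authentication <list>', or 'default' when no login command is present."""
    m = re.search(r"^line vty.*\n((?: .*\n?)+)", config, re.M)
    body = m.group(1) if m else ""
    named = re.search(r"^ login authentication (\S+)", body, re.M)
    if named:
        return named.group(1)
    if re.search(r"^ login local", body, re.M):
        return "local"
    return "line-password" if re.search(r"^ login\s*$", body, re.M) else "default"

def audit_aaa(config):
    """Return findings that explain a missing username prompt or a lockout risk."""
    findings = []
    lists = parse_login_lists(config)
    if lists and not re.search(r"^aaa new-model", config, re.M):
        findings.append("aaa new-model missing: the aaa authentication lists are not in effect")
    for name, methods in lists.items():
        if len(methods) > 4:
            findings.append(f"list {name}: {len(methods)} methods; at most four are allowed")
        if any(x.startswith("group") for x in methods) and "local" not in methods:
            findings.append(f"list {name}: no 'local' fallback; an unreachable server locks you out")
    used = vty_login_method(config)
    if used == "line-password":
        findings.append("line vty: plain 'login' checks the line password only, so no username is requested")
    elif used != "local" and used not in lists:
        findings.append(f"line vty: login list '{used}' is not defined explicitly")
    return findings
```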
Bank of POLONA Trouble Ticket 4
Multiple IP subnets can be configured on a single link between two routers. OSPFv3
neighbors can establish adjacency even if they do not share a common IPv6 subnet.
An IPv6 address cannot be used as a router ID. If IPv6 is the only protocol enabled on a
router, the router ID must be manually specified; otherwise, the OSPFv3 process will not
start.
Multiple instances of OSPFv3 can be used on a single link. Instances are distinguished
based on the instance ID (recorded in OSPFv3 packet header).
An OSPFv3 router uses its link-local address as the source of its Hello packets. The
next-hop addresses for the OSPFv3 routes in the IPv6 routing table are also link-local.
The multicast address FF00::5 is used to address all OSPFv3 routers, and the multicast
address FF00::6 is used to address all OSPFv3 designated routers.
Chapter 9 Summary
Troubleshooting Redistribution
Troubleshooting VRRP with Interface Tracking
FHRP Tracking Options
Troubleshooting IP SLA
Troubleshooting EIGRP Summarization
Troubleshooting RIPng
Troubleshooting Access Control Lists
Troubleshooting GRE Tunnels
OSPF Summarization Tips and Commands
Chapter 9 Summary
Troubleshooting AAA
Troubleshooting OSPF for IPv6
Troubleshooting the Dysfunctional Totally Stubby Branch Areas
OSPF Stub Areas
Chapter 9 Labs
Lab 9-1 Network-Mirror
Lab 9-2 In Synch
Acknowledgment
Some of the texts and images are from Troubleshooting and Maintaining Cisco IP Networks (TSHOOT) Foundation Learning Guide by Amir Ranjbar (158720455X)
Copyright 2015-2016 Cisco Systems, Inc.
Special Thanks to Bruno Silva