Troubleshooting Case Study: Bank of POLONA: CCNP TSHOOT: Maintaining and Troubleshooting IP Networks

Chapter 9:
Troubleshooting
Case Study:
Bank of POLONA
CCNP TSHOOT: Maintaining and Troubleshooting IP Networks
TSHOOT v7 Chapter 9
© 2007 – 2016, Cisco Systems, Inc. All rights reserved. Cisco Public 1
Chapter 9 Objectives
 Bank of POLONA Trouble Ticket 1
• Troubleshooting Redistribution
• Troubleshooting VRRP with Interface Tracking
• FHRP Tracking Options
• Troubleshooting IP SLA
• Troubleshooting EIGRP Summarization
• Troubleshooting RIPng
• Troubleshooting Access Control Lists
Chapter 9
Chapter 9 Objectives
• Troubleshooting GRE Tunnels
• OSPF Summarization Tips and Commands
• Troubleshooting AAA
• Troubleshooting OSPF for IPv6
• Troubleshooting the Dysfunctional Totally Stubby Branch Areas
• OSPF Stub Areas
Chapter 9
Troubleshooting
Case Study:
Bank of POLONA
Chapter 9
Troubleshooting Case Study: Bank of POLONA
Scenario
Chapter 9
Bank of POLONA
Trouble Ticket 1
Chapter 9
Troubleshooting Redistribution
 When prefixes are not distributing from one process to another,

you must first check whether the redistribute command is
referencing the correct routing process with the appropriate
process number.
 You must also check that routes are not filtered by any
misconfigured distribute list or route map.
 Redistribution from one process to another requires that you
provide a seed metric for the redistributed routes.
• OSPF has a default seed metric of 20
• EIGRP and RIPv2 do not have a default metric by default.
 You can set up a default metric for these protocols, or you can
assign unique metric values on the redistribution command line.
Note: prefixes are redistributed from one process into another only
as long as they are present in the IP routing/forwarding table.
Chapter 9
Protocol-specific facts relate to redistribution:
EIGRP
• EIGRP does not automatically have a default metric for any redistributed routes.
• If the default metric or a manual metric is not specified, EIGRP assumes a metric of 0 and
does not advertise the redistributed routes.
• EIGRP will not autosummarize external routes unless a connected or internal EIGRP
route exists in the routing table from the same major network of the external routes.
• If an EIGRP stub router needs to redistribute routes, it has to be explicitly configured to
do so using the eigrp stub redistributed command.
OSPF
• Use the parameter subnets to distinguish classful and classless behavior.
• When any protocol is redistributed into OSPF, if the networks that are being redistributed
are subnets, you must define the subnets keyword under the OSPF configuration.
• If the subnets keyword is not added, OSPF will ignore all the subnetted routes when
generating the external linkstate advertisement (LSA).
• The situation could also arise when connected or static routes are being redistributed into
OSPF.
Chapter 9
Protocol-specific facts relate to redistribution:
BGP
• When redistributing Interior Gateway Protocol (IGP), static, and connected routes into
Border Gateway Protocol (BGP), it is important to carefully filter the redistributed routes
so that invalid/private networks do not sneak into the BGP table and be announced to
external BGP neighbors.
Chapter 9
Troubleshooting VRRP with Interface Tracking
Chapter 9
Chapter 9
Chapter 9
FHRP Tracking Options
 HSRP interface tracking allows you to specify another

interface on the router for the HSRP process to monitor so
that you can alter the HSRP priority for a given group.
 If the specified interface’s line protocol goes down, the
HSRP priority of this router is reduced, allowing another
HSRP router with a higher priority to become active (if it has
preemption enabled).
• When multiple tracked interfaces are down, the priority is reduced by
a cumulative amount
• If you explicitly set the decrement value, the value is decreased by
that amount if that interface is down, and decrements are cumulative.
• If you do not set an explicit decrement value, the value is decreased
by 10 for each interface that goes down.
 To configure HSRP interface tracking, use:
• standby [ group ]track interface [ priority ] command
Chapter 9
FHRP Tracking Options
 You can track either the interface line protocol state or the
interface IP routing state.
 When you track the IP routing state, three conditions are
required for the object to be up:
1. IP routing must be enabled and active on the interface.
2. The interface line-protocol state must be up.
3. The interface IP address must be known.
 Object tracking of IP SLA operations allows clients (such as

HSRP, GLBP, and VRRP) to track the output from IP SLA
objects and use this information to trigger an action (such
as decrementing priority).
Chapter 9
FHRP Tracking Verification
 show track [object-number [brief] | interface [brief] | ip

route [brief] | resolution | timers]
 The following parameters are optional:

• brief: Displays a single line of information related to the preceding
argument or keyword
• interface: Displays tracked interface objects
• ip route: Displays tracked IP route objects
• resolution: Displays resolution of tracked parameters
• timers: Displays polling interval timers
Chapter 9
Troubleshooting IP SLA
 To implement Cisco IOS IP SLAs, you need to perform the

following tasks:
1.Enable the Cisco IOS IP SLA’s responder, if needed.
2.Configure the required Cisco IOS IP SLA’s operation type.
3.Configure any options available for the specified Cisco IOS
IP SLA’s operation type.
4.Configure threshold conditions, if required.
5.Schedule the operation to run, and then let the operation
run for a period of time to gather statistics.
Chapter 9
IP SLA Verification Commands
 Commonly used IP SLA show and debug commands

include the following:
• show ip sla application
• show ip sla configuration
• show ip sla statistics [aggregated]
Chapter 9
IP SLA Troubleshoot Example
Chapter 9
Chapter 9
Chapter 9
Bank of
POLONA Trouble
Ticket 2
Chapter 9
Troubleshooting EIGRP Summarization
 EIGRP’s summarization feature is available in the form of automated
summarization (limited to classful summaries) at network boundaries;
 EIGRP summarization can also be performed manually in classless or
classful format.
 Conventional (autonomous system number) EIGRP configuration
method:
• Classful auto-summary is enabled by default, to disable use the no auto-
summary
• A manual summary is advertised only if at least one of its proper subnets is
present in the IP routing table.
• The metric of the summary is taken from the subnet with the smallest metric value.
• The EIGRP summary-address is applied within interface configuration mode
 When configuring EIGRP named configuration:
• the summary address is applied to the af-interface interface section within an
address family inside the EIGRP process.
 To check whether auto-summarization is active and which networks are
included in the EIGRP process, use the show ip protocols | section
eigrp command.
Chapter 9
Troubleshooting EIGRP Summarization Example
Chapter 9
Troubleshooting RIPng
 RIPng is a distance vector routing protocol, using hop count

as a metric. It uses native IPv6 packets for routing updates
exchange and a well-known multicast address (FF02::9).
 User Datagram Protocol (UDP) is the transport protocol and

uses port number 521.
 Before starting to troubleshoot IPv6 routing issues, make

sure that IPv6 routing is enabled on the device and that
interfaces are configured with IPv6 addresses.
Chapter 9
If RIPng routes do not appear in the IPv6 routing table:

Check that RIPng is enabled on the interface.
• RIPng with the same process ID must be explicitly enabled on each
interface that participates in the process.
Check that interface is operational (up).
Check whether the network missing the route is more than 15
hops away
• RIPng has the maximal radius of 15 hops and networks with more hops
are considered unreachable.
Check whether the default route is propagated via RIPng.
• Note that routing updates for non-default-route networks can be
suppressed if the command ipv6 rip name default-route only command
was used to configure default route announcement.
Check whether IPv6 access control lists (ACLs) are blocking the
RIPng traffic.
• FF02::9 IPv6 multicast address and UDP port 521 must be permitted in
the ACL
Chapter 9
 If the default route is not announced, check that the default

route announcement is configured on the router.
• A RIPng default route announcement must be configured on the
interface out of which it is to be announced.
• (config-ig)# ipv6 rip process-id default-information originate
 If RIPng is not load balancing, check the RIPng
configuration for the maximum-path command configured
value;
• Configuring maximum-path to 1 turns off load balancing.
• Also, check that there are multiple routes to the destination received
via RIPng and that they have the same metric. RIPng load balances
over equal-cost paths only.
Chapter 9
RIPng Verification Commands
The following are some useful troubleshooting commands

related to RIPng:
show ipv6 route [rip]: This command displays the RIPng
entries of the IPv6 routing table.
show ipv6 rip [ name ] [database]: This command displays

information about the current IPv6 RIPng process.
show ipv6 protocols | section rip: This command displays

the basic RIPng information.
debug ipv6 rip: This debug command displays debugging

messages for RIPng routing transactions.
Chapter 9
Troubleshooting Access Control Lists
When troubleshooting relates to access control lists, consider

the following items:
Determine whether the ACL exists.
Determine where the ACL is applied.
 Determine the direction the ACL is applied
• inbound versus outbound
Read and analyze each access-list statement;
• be aware of the wildcard mask implications and common mistakes.
Pay special attention to the order of ACL statements;
• specific statements must precede general statements.
To collect counters for denied traffic, you need to configure
explicit deny statements with the log option.
Chapter 9
Troubleshooting Access Control Lists
 If traffic is not explicitly permitted, it is denied.

• The last ACL statement is an implicit deny all.
 IPv6 ACLs permit ICMPv6 NS and NA messages
• unless an explicit deny statement is configured.
 The log keyword on an ACL statement instructs the router to log
a message to the system log whenever a specific access list
entry is matched.
• The logged event includes details of the packet that matched the access
list entry.
 A nonexisting ACL permits all traffic, but an empty ACL denies all
traffic. In IPv6, the empty ACL permits all traffic; however, if you
add a comment to an empty IPv6 ACL, it will deny all traffic.
 IPv4 ACLs are applied to interfaces by using the ip access-
group command, but IPv6 ACLs are applied to interfaces by
using the ipv6 traffic-filter command.
Chapter 9
Access Control Lists Verification
Use the following IOS commands to gather information about

configured ACLs:
show access-list: Displays all configured access lists (IPv4
and IPv6) and their contents
show ip access-list: Displays all configured IPv4 access

lists and their contents, including the hit counts for each
statement
show ipv6 access-list: Displays all configured IPv6 access

lists and their contents, including the hit counts for each
statement
Chapter 9
Access Control Lists Verification
To determine where the ACLs are applied and in which direction they are
applied, usethe following commands:
show running-config | include line|access-class: Displays access
lines (vty, console) and the access-lists configured to control traffic to the
line.
show running-config | include interface|access-group: Displays all
the lines form the show running-config command’s output, if they
include the word interface or the word access-group .
show ip interface interface-type interface-number : Displays interface
and IPv4 access lists applied to it. (A maximum of one ACL can be applied
in each direction.)
show running-config | include interface|traffic-filter
show ipv6 interface interface-type interface-number : Displays interface
and IPv6 access-list(s) applied to it. (A maximum of one ACL can be
applied in each direction.)
show running-config | include [ ACL-number | ACL-name |]: Displays
other applications of the access list, such as in NAT configuration lines.
Chapter 9
Bank of POLONA
Trouble Ticket 3
Chapter 9
Troubleshooting GRE Tunnels
 To configure a GRE tunnel, use the IOS command:

• interface Tunnel tunnel-id .
• tunnel source ipaddress or interface
• tunnel destination ip-address .
• tunnel mode gre ip command specifies the tunnel mode/type, but
• GRE is the default tunnel mode anyway.
Advantages of GRE tunnels include the following:
 Can be used to transport (tunnel) IP and non-IP, unicast,
multicast, and broadcast packets
 Can be used as a workaround for networks that contain
protocols with limited hop counts
 Can be used to connect discontinuous subnetworks
 Can be used to build VPNs across WAN links
Chapter 9
Troubleshooting GRE Tunnels
Common GRE problems include the following:

GRE source IP address is not reachable by remote host: Check
whether the correct source IP address or interface is applied to the tunnel.
You can also check routing in the backbone between the endpoint hosts.
GRE destination IP address is not reachable by local host: Check
whether the correct destination was configured, and also check whether
hosts are reachable between them.
Recursive routing: This could happen if the best route to the tunnel
destination is through the tunnel itself! This will cause the tunnel interface
to keep flapping. In extreme cases, your router may crash and reload.
GRE traffic denied by an ACL: IP protocol number 47 identifies GRE.
When using GRE, this protocol must be allowed by the access lists.
Further fragmentation due to the added GRE header: The maximum
transmission unit (MTU) is 1500 bytes. The GRE header is 24 bytes,
which effectively decreases the MTU to 1476 bytes. Packets larger than
1476 bytes will get fragmented, and this can result in processing delays
and high CPU usage.
Chapter 9
GRE Tunnels Verification
Useful GRE troubleshooting commands include the following:

show interfaces Tunnel tunnel-id : Displays the interface
status, tunnel IP address, tunnel mode (should be GRE/IP for
GRE tunnels), tunnel source and destination, and some other
tunnel parameters
show ip interface Tunnel tunnel-id : Displays the IP
parameters on the tunnel interface
debug tunnel: Enables you to get tunnel debugging
information and see events related to the tunnel
Chapter 9
OSPF Summarization Tips and Commands
There are two types of OSPF route summarization:

Interarea route summarization
• Interarea route summarization is done on ABRs, and it applies to routes
from a particular connected area.
• This has no effect on the external routes injected into OSPF through
redistribution.
• Summarization could be configured between any two areas, but it is
better to summarize in the direction of the backbone.
• Use area area-id range ip-address mask command, where areaid is the
area containing networks to be summarized
External route summarization
• This type of summarization is done on the OSPF Autonomous System
Boundary Router (ASBR).
• The ASBR is the actual router where redistribution of another process into
OSPF is performed.
• The summary-address ip-address mask is used on the ASBR router to
accomplish external route summarization.
Chapter 9
OSPF Summarization Tips and Commands
OSPF summarization commands include the following:

show ip route on the OSPF routers to check whether there are
individual routes or summarized routes in the routing table.
• When checking the routing table on the routers that perform
summarization, you should see summary routes pointing to the Null0
interface. This route is created automatically to prevent suboptimal routing
or routing loops.
show ip ospf command on the ABR router to verify which area
ranges are configured for summarization.
show ip ospf summary-address to check which external routes
are summarized on the ASBR
show ip ospf database summary command. You will be able to
see all summary LSAs (type 3) with summary network address,
mask, metric, and some other parameters.
show ip ospf database external to check Type 5 (or external)
LSAs. You will see all external LSAs, with their network address,
mask, metric and some other parameters.
Chapter 9
Troubleshooting AAA
 TACACS+ is a Cisco proprietary protocol that runs over TCP port

49, and RADIUS is an IETF standard that runs over UDP port
1812 (or 1645) for authentication and UDP port 1813 (or 1646)
for accounting.
 It is a common and best practice to use a centralized AAA server

as the primary authentication method and use the local
authentication as the backup, in cases that the AAA server is
either down or unreachable.
 To enable AAA services on Cisco routers, use the aaa new-

model command.
 Next, you can configure your preferred AAA methods using the
aaa authentication , aaa authorization , and aaa accounting
commands with appropriate parameters.
Chapter 9
Troubleshooting AAA
Common problems encountered while using centralized

authentication with TACACS+ and RADIUS servers include the
following:
Server failure or server not accessible
• To prevent locking yourself out of the device when the AAA server is not
accessible, use the local authentication method as the backup method for
authentication. You can define up to four methods for authentication.
Mismatched pre-shared key
• TACACS+ and RADIUS both require a pre-shared key to be configured
between the network device and the AAA server. If the keys on the AAA
server and the client (network device) do not match, authentication will
not be performed.
User credentials are rejected by the server
• You can inspect the server log to verify whether a user was correctly
authenticated/authorized or whether the user was rejected because of a
bad username or password.
Chapter 9
Bank of POLONA
Trouble Ticket 4
Chapter 9
Troubleshooting OSPF for IPv6
OSPFv3 operates in a similar way as OSPFv2. There are a few differences,
though, as follows:
Protocol processing per link, not per subnet
• Multiple IP subnets can be configured on a single link between two routers. OSPFv3
neighbors can establish adjacency even if they do not share a common IPv6 subnet.
OSPFv3’s router ID is a number with a dotted-decimal format
• An IPv6 address cannot be used as a router ID. If IPv6 is the only protocol enabled on a
router, the router ID must be manually specified; otherwise, the OSPFv3 process will
not start.
Support for multiple instances per link
• Multiple instances of OSPFv3 can be used on a single link. Instances are distinguished
based on the instance ID (recorded in OSPFv3 packet header).
Use of link-local address
• An OSPFv3 router uses its link-local address as the source of its Hello packets. The
next-hop addresses for the OSPFv3 routes in the IPv6 routing table are also link-local.
Different multicast addresses
• The multicast address FF00::5 is used to address all OSPFv3 routers, and the multicast
address FF00::6 is used to address all OSPFv3 designated routers.
IPsec is used for authentication
• There is no OSPF-specific authentication; IPsec is used to authenticate OSPF packets.
Chapter 9
OSPF for IPv6 Configuration anf Verification
 To create an OSPFv3 process, use the global configuration mode
command ipv6 router
 ospf process-id .
• If you do not specify the router ID manually, the highest IP address (loopback is
preferred) of the router is used as the router ID, and if the router has no IPv4
address, the OSPFv3 process will not start. You can manually configure the router
ID by using the command router-id router-id from within router configuration
mode.
 To activate OSPFv3 on a specific interface, use the command ipv6
ospf process-id area area from within interface configuration mode.
 Use the show ipv6 ospf process-id command to display the global
OSPFv3 settings such as router ID, timers, areas configured on the
router, and so on.
 To display the OSPFv3 neighbors of a router, use the command show
ipv6 ospf neighbor.
• The output is similar to the neighbor table displayed for OSPFv2; it displays
neighbor ID, priority, state, dead time, interface ID, and the interface that is used to
establish adjacency.
Chapter 9
OSPF for IPv6 Configuration anf Verification
 To display the list of interfaces where OSPFv3 is enabled,

use the command show ipv6 ospf interface .
• The output not only lists all interfaces where OSPFv3 is enabled, but
also reveals which area is configured on the interface, the router ID,
and the OSPF network type and timers on each interface.
 To display the OSPFv3 database, use the command show
ipv6 ospf database .
• To display details on a specific LSA, use the show ipv6 ospf
database lsa-type adv-router router-id command.
• To see the OSPFv3 Hello packets, use the command debug ipv6
ospf hello , and to see all OSPF packets, use the command debug
ipv6 ospf packet .
Chapter 9
OSPF Stub Areas
 OSPF allows certain areas to be configured as stub areas.

 When an area is configured as a stub area, external routes are
filtered on the ABR.
• Instead, a default route is propagated into the area by the ABR. To
configure an area as a stub area, all routers in the area must have the
area area-id stub command configured under the router OSPF
configuration mode.
 A stub area can be converted to a totally stubby area.
• In addition to external routes, interarea routes are prevented by the ABR
from penetrating into the totally stubby area.
• To configure a stub area as totally stubby, use the area area-id stub no-
summary command on the ABR and area area-id stub on all other
routers within that area.
 When troubleshooting the stub feature on a router, the show ip
ospf process-id command is very helpful.
• If stub is configured for the specific areas, you will see the “It is a stub
area” note within that area section. When a totally stubby area is
configured, you will see the “It is a stub area, no summary LSA in this
area” note in the Area section.
Chapter 9
OSPF Stub Areas (Cont.)
 The show ip ospf database command enables you to see the

OSPF database on your router.
• If the stub area is configured, there should be no LSA Type 5s and Type
7s within that area, but you will see an additional LSA Type 3 with the ID
0.0.0.0.
• This is the default route injected by the ABR. Other summary LSAs can
also be seen in the database.
• When the area is configured as a totally stubby area, only one summary
LSA can be seen: the LSA with the ID 0.0.0.0, which is the default route
injected by the ABR.
 To observe your router’s OSPF Hello message exchange, use
the debug ip ospf hello command. If adjacent routers in the
same area do not agree on the OSPF area type, a message
similar to “OSPF: Hello from 192.168.23.2 with mismatched
Stub/Transit area option bit” will appear. If you see this message,
check the stub configuration on both adjacent routers.
Chapter 9
Chapter 9 Summary
 Troubleshooting Redistribution
 Troubleshooting VRRP with Interface Tracking
 FHRP Tracking Options
 Troubleshooting IP SLA
 Troubleshooting EIGRP Summarization
 Troubleshooting RIPng
 Troubleshooting Access Control Lists
 Troubleshooting GRE Tunnels
 OSPF Summarization Tips and Commands
Chapter 9
Chapter 9 Summary
 Troubleshooting AAA
 Troubleshooting OSPF for IPv6
 Troubleshooting the Dysfunctional Totally Stubby Branch
Areas
 OSPF Stub Areas
Chapter 9
Chapter 9 Labs
 Lab 9-1 Network-Mirror
 Lab 9-2 In Synch
Chapter 9
Chapter 9
Acknowledgment
• Some of the texts and images are from Troubleshooting and Maintaining Cisco
IP Networks (TSHOOT) Foundation Learning Guide by Amir Ranjbar
(158720455X)
• Copyright © 2015 – 2016 Cisco Systems, Inc.
• Special Thanks to Bruno Silva
Chapter 9

Troubleshooting Case Study: Bank of POLONA: CCNP TSHOOT: Maintaining and Troubleshooting IP Networks

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Troubleshooting Case Study: Bank of POLONA: CCNP TSHOOT: Maintaining and Troubleshooting IP Networks

Hochgeladen von

Copyright:

Verfügbare Formate

Chapter 9:

CCNP TSHOOT: Maintaining and Troubleshooting IP Networks

 When prefixes are not distributing from one process to another,

 HSRP interface tracking allows you to specify another

 Object tracking of IP SLA operations allows clients (such as

 show track [object-number [brief] | interface [brief] | ip

 The following parameters are optional:

 To implement Cisco IOS IP SLAs, you need to perform the

 Commonly used IP SLA show and debug commands

 RIPng is a distance vector routing protocol, using hop count

 User Datagram Protocol (UDP) is the transport protocol and

 Before starting to troubleshoot IPv6 routing issues, make

If RIPng routes do not appear in the IPv6 routing table:

 If the default route is not announced, check that the default

The following are some useful troubleshooting commands

show ipv6 rip [ name ] [database]: This command displays

show ipv6 protocols | section rip: This command displays

debug ipv6 rip: This debug command displays debugging

When troubleshooting relates to access control lists, consider

 If traffic is not explicitly permitted, it is denied.

Use the following IOS commands to gather information about

show ip access-list: Displays all configured IPv4 access

show ipv6 access-list: Displays all configured IPv6 access

 To configure a GRE tunnel, use the IOS command:

Common GRE problems include the following:

Useful GRE troubleshooting commands include the following:

There are two types of OSPF route summarization:

OSPF summarization commands include the following:

 TACACS+ is a Cisco proprietary protocol that runs over TCP port

 It is a common and best practice to use a centralized AAA server

 To enable AAA services on Cisco routers, use the aaa new-

Common problems encountered while using centralized

 To display the list of interfaces where OSPFv3 is enabled,

 OSPF allows certain areas to be configured as stub areas.

 The show ip ospf database command enables you to see the

Das könnte Ihnen auch gefallen