
Monday, January 5, 2015

Limiting bandwidth on interfaces of CISCO devices

Sizing the bandwidth of a network interface is mainly about dividing it so that the desired quality-of-service levels can be guaranteed. That is, limiting the bandwidth allowed for one service means the servers dedicated to it will not saturate the interface, so all the other services that depend on it keep working.
Normally we limit the bandwidth of the services that generate the most traffic, for example web or mail traffic.
The way to do this on CISCO is through rate-limit. The syntax of this command can be found at:
For the example at hand, we have to define extended access lists and then apply them on the corresponding interface:
Incoming mail: a limit of 10 Mbps.
Outgoing mail: a limit of 8 Mbps.
Web traffic: an outbound limit of 20 Mbps.
An ACL is used to restrict the bandwidth of each service.
Configuration:
Router(config)# access-list 100 permit tcp any <or Web IPs> eq www any  (outbound Web traffic)
Router(config)# access-list 101 permit tcp any any <or POP3 IPs> eq pop3 (incoming mail traffic)
Router(config)# access-list 102 permit tcp any <or SMTP IPs> eq smtp any (outbound SMTP traffic)
Next, the rate-limit command has to be applied on the interface that connects the servers to the Internet or to any other router:
Router(config)# interface GigabitEthernet0/1
Router(config-if)#rate-limit output access-group 100 20000000 3750000 7500000 conform-action transmit exceed-action drop (limits the bandwidth of outbound Web traffic)
Router(config-if)#rate-limit input access-group 101 10000000 1875000 3750000 conform-action transmit exceed-action drop (limits the bandwidth of incoming mail)
Router(config-if)#rate-limit output access-group 102 8000000 1500000 3000000 conform-action transmit exceed-action drop (limits the bandwidth of outgoing mail)
Configuring rate-limit required two more values, which Cisco recommends calculating with the formula it provides. These values are the "normal burst" and the "extended burst".
According to Cisco they are calculated as follows:
"normal burst" = rate * (1 byte)/(8 bits) * 1.5 seconds
"extended burst" = 2 * "normal burst"

 
Verification command:
show interfaces rate-limit


Monday, June 2, 2014

Cisco.Terminal length

Many administrators are frustrated by the fact that very long lines in the Startup or Running configuration get "cut off" or are not fully displayed on the terminal. To fix this annoying situation Cisco devices have the terminal length command, since by default only 24 lines are displayed.

Commands to use:
From a vty

ROUTER#terminal length 0?
<0-512>
ROUTER#terminal length 0

From the console
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line console 0
Router(config-line)#leng
Router(config-line)#length ?
<0-512> Number of lines on screen (0 for no pausing)
Router(config-line)#length 0

And that's the issue solved... Questions? At your service.

Monday, October 14, 2013

Cisco.How to release a virtual terminal (vty) connection


To release or close a virtual connection (telnet | ssh) on a Cisco device we have to clear the specific line.
To find the specific line or index we can use the following commands:

  • who
  • show line

In the following example a router has one console connection and one vty connection from IP 192.168.250.1 on line 130:

Router_LA#who 
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00 
130 vty 0 idle 00:02:07 192.168.250.1

Interface User Mode Idle Peer Address

Router_LA#show  line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 CTY - - - - - 0 0 0/0 -
129 AUX 9600/9600 - - - - - 0 0 0/0 -
* 130 VTY - - - - - 1 0 0/0 -
131 VTY - - - - - 0 0 0/0 -
132 VTY - - - - - 0 0 0/0 -
133 VTY - - - - - 0 0 0/0 -
134 VTY - - - - - 0 0 0/0 -

Lines that are not in async mode or lack hardware support are listed from 1 to 128.
The vty line in use is identified by the asterisk (*), so to clear or terminate that connection we use the following command:

Router_LA#clear line 130 
[confirm]
[OK]

With that we ensure there are no "hung" sessions left on our Cisco devices.

Monday, June 17, 2013

Cisco.Terminal length

If we don't like to keep hitting the space bar to see the whole config when we run show run or show ip interface brief, etc., we can adjust the terminal length of our Cisco router or switch to our needs with the terminal length command, since by default only 24 lines are displayed per device.

Configuration on routers:
terminal length <0-512> (number of lines on the screen; 0 means no pausing)
terminal no length (returns to the default of 24 lines)

Configuration on switches:
set length <0-512> (number of lines on the screen; 0 means no pausing)
set length 24 (returns to the default of 24 lines)
set no length (returns to the default of 24 lines)

To verify the terminal configuration:

otilino_rt1#show terminal
Line 388, Location: "", Type: "xterm"
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: PSI Enabled, Ready, Active, No Exit Banner, Automore On
Notify Process
Capabilities: none
Modem state: Ready
Special Chars: Escape Hold Stop Start Disconnect Activation
^^x none - - none
Timeouts: Idle EXEC Idle Session Modem Answer Session Dispatch
00:05:00 never none not set
Idle Session Disconnect Warning
never
Login-sequence User Response
00:00:30
Autoselect Initial Wait
not set
Modem type is unknown.
Session limit is not set.
Time since activation: 00:00:07
Editing is enabled.
History is enabled, history size is 20.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are ssh.
Allowed output transports are pad telnet rlogin lapb-ta mop v120 ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters

Wednesday, June 5, 2013

Cisco.Scheduled tasks with Kron. Config backups.

When we manage CISCO networking equipment we always try to get the most out of it with the least possible risk. Unfortunately, at some point a problem will come up (if it has never happened to you, you live in the Matrix), and the best ally against it is a backup of our configurations. For that purpose, and just like the cron command on Unix and Linux, CISCO provides kron, which lets us back up the configuration of our routers and/or switches fully automatically.
First we define the tasks to be executed; this configuration is done in global configuration mode:
1. Create a scheduled task (policy list) named BKP:
otilino(config)#kron policy-list BKP

2. "Tell" the task to save the running-config to the startup-config:
otilino(config-kron-policy)# cli write

3. Then copy the running-config to the specified TFTP server:
otilino(config-kron-policy)# cli show running-config | redirect tftp://192.168.100.254/BKP.RunConfig.RT.Core

4. Next, schedule how often the task runs:
otilino(config)#kron occurrence BKPSemanal at 23:00 Fri recurring
otilino(config-kron-occurrence)#policy-list BKP


With this we define that the backup of the core router's running config runs every Friday at 23:00, copying it to the TFTP server. We can play with the kron occurrence command to define the interval at which we want to take our backup. The usefulness of these commands is remarkable and in many cases, like mine, it avoids buying commercial software that does the same thing.




Saturday, January 12, 2013

Cisco.Installing licenses on a Cisco MDS 9xxx SAN switch


Installing licenses on a Cisco MDS 9124 SAN switch

Obtaining a license for Cisco MDS 9124 switches is very simple and secure. The steps to obtain it are the following:

1)      Obtain the license
Cisco MDS licensing


When you buy the licenses, they come with a help sheet containing the following useful data (which we should file away):
  • PAK (Product Authorization Key) ... already specified
  • Switch serial number ... to be taken from the switch

To obtain the license we need the serial number of the switch, since the license will be tied directly to it and will therefore only be useful on this device.

That said, these are the steps to obtain the license:
a)      Get the switch serial number by entering the following command on the CLI:
switch# show license host-id
License hostid: VDH=FOX064317SQ (we don't need the "VDH=" prefix; FOX064317SQ is enough)
b)      Take the PAK from the document that came with the license purchase, and write the switch serial number on that document (e.g. FOX064317SQ in this case).
c)       Go to www.cisco.com/go/license, register if not already registered, fill in the form (it only asks for the PAK and the switch serial number) and it will let us download the license, which can be for 8, 16 or 24 ports; it will also send us an e-mail "notifying" us that we have obtained a license for our Cisco MDS.
With that we have completed the steps to obtain our license; now we move on to the next item, much more fun, which is installing what we downloaded and licensing the missing fibre ports on our switch.

2)      Install the license
There are three ways to install the license on a Cisco MDS:
  • Through Cisco Fabric Manager (GUI)
  • Through Cisco Device Manager (GUI)
  • Through the CLI
Since we are comfortable with the command line, we skip the GUI installations and proceed:
a)      Copy the license via:
  • TFTP: copy tftp://192.168.10.91/MDS20101113426492690.lic bootflash:
  • SCP: copy scp://root@192.168.10.91/MDS20101113426492690.lic bootflash:
  • SFTP: copy sftp://root@192.168.10.91/MDS20101113426492690.lic bootflash:
In my case I used the SCP protocol only because I was on a Linux machine, and since it is enabled by default on that OS it was easy for me to enter the command on the switch along with my Linux password.
switch# copy scp://root@192.168.10.91/MDS20101113426492690.lic bootflash:
Trying to connect to scp server......
|
SCP get operation was successful

b)      Install the license
switch# install license bootflash: MDS20101113426492690.lic 
…………
Installing license .......done



c)       Verify that the license has been installed and the ports activated
switch# show license default
Feature                               Default License Count
-----------------------------------------------------------------------------
FM_SERVER_PKG                         -
ENTERPRISE_PKG                        -
PORT_ACTIVATION_PKG                   8
10G_PORT_ACTIVATION_PKG               0
-----------------------------------------------------------------------------

d)      Note that installing a new license does not erase the ones already present on the switch (unless we do so intentionally)
switch# show license usage
Feature                      Ins  Lic   Status Expiry Date Comments
                                 Count
--------------------------------------------------------------------------------
FM_SERVER_PKG                 No    -   Unused             -
ENTERPRISE_PKG                No    -   Unused             -
PORT_ACTIVATION_PKG           Yes  24   In use never       -
10G_PORT_ACTIVATION_PKG       No    0   Unused             -
-------------------------------------------------------------------------------

And that's all ... for now.

Friday, July 20, 2012

PPPoE client configuration on a Cisco 861 router

interface FastEthernet4 (WAN interface)
 no ip address
 duplex full
 speed 100
 pppoe enable
 pppoe-client dial-pool-number 1

interface Dialer1 (virtual interface created for the PPPoE connection)
 ip address negotiated (if the provider assigns dynamic IPs; otherwise assign the IP they provided)
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname <HOSTNAME PROVIDED BY THE ISP>
 ppp chap password 0 <PASSWORD PROVIDED BY THE ISP>
 ppp pap sent-username <HOSTNAME> password 0 <PASSWORD>
 no cdp enable

ip route 0.0.0.0 0.0.0.0 Dialer1 (default route that sends all traffic from the router out through our PPPoE interface)

dialer-list 1 protocol ip permit (dialer list that permits all IP traffic over the PPPoE link)
ip name-server X.X.X.X
ip name-server X.X.X.X


Thursday, February 23, 2012

Cisco.Enable TCP keepalives


To enable TCP keepalives on the routers, use the following configuration commands:
Router1# config term
Router1(config)# service tcp-keepalives-in
Router1(config)# service tcp-keepalives-out
Router1(config)# end

Cisco.IP subnet Zero


What is IP Subnet Zero? – Cisco Articles & Tips
Wednesday, July 21, 2010
08:33 p.m.
I am sure you have used the Cisco IOS command show running-config before, and noticed a peculiar default command in the configuration. The command I am talking about is ip subnet-zero. Here is what I am talking about:
But what is this command? Why is it there? Let's find out.
What is a zero subnet in the first place?
Before we talk about the command, let’s ask ourselves, “In the first place, what is a zero subnet?” Under old IP subnetting rules, the all 0’s subnet was reserved for the network, and the all 1’s subnet was reserved for the broadcast. Over time, engineers found that the all 0’s subnet wasn’t really used and, if it could be handed out as a useable network, many IP addresses could be changed.
An example of an IP address that is using a zero subnet is 10.1.0.1 with a subnet mask of 255.255.255.0. This IP address may look pretty weird to you. Some people may even try to argue that it is an invalid IP address because there is a 0 in third octet. However, today, this IP address is perfectly legal when it comes to subnetting. Thus, if I had an IP address of 10.1.0.0 with a 255.255.0.0 subnet mask and wanted to subnet it, I could actually get 255 valid networks out of it by using the 0 subnet. In other words, I could have networks ranging from 10.1.{0-254}.X where the X represents hosts 1-254. This gives me room for networks 0-254, or 255 total networks, by using the 0 subnet.
Do I need to enable my router to recognize the zero subnet?
The quick answer to this question is NO. Your Cisco IOS router, by default, has the command ip subnet-zero enabled on the router. Because of this command, the zero subnet can already be recognized.
Do I really want to use the zero subnet?
Just because something is there, doesn’t mean you should use it. That is true in the case of the zero subnet. Because many people still believe that the zero subnet is not a legal subnet, I would avoid using it if possible. I would do this just to avoid confusion when it comes to network configuration. On the other hand, if you work for a large Internet Service Provider and are handing out blocks of IP addresses, I would definitely hand out the zero block to help conserve your IP address resources.
Summary
In this article, we learned the difference between the following 3 commands:
  • ip default-gateway
  • ip default-network
  • ip route 0.0.0.0 0.0.0.0 (configuring a default route)
The default-gateway command should only be used when a router is functioning as a bridge. The ip default-network and ip route 0.0.0.0 0.0.0.0 commands should be used to tell the router what route to select as the “gateway of last resort”.

Cisco.NAT


NAT can operate in static or dynamic mode.

Static NAT can be useful for internal hosts that must be reachable from the Internet, such as DNS, web or mail servers.

Addresses are configured in a lookup table and mapped one to one, statically.
Static NAT configuration (where 172.16.129.2 is the private IP and 200.42.1.11 the public IP):
Router-Cisco#config t
Router-Cisco(config)# ip nat inside source static 172.16.129.2 200.42.1.11
Router-Cisco(config)# interface serial 0
Router-Cisco(config-if)# ip nat outside
Router-Cisco(config-if)# interface ethernet 0
Router-Cisco(config-if)# ip nat inside

Dynamic NAT is designed to map a private IP address to a public address taken from a pre-established pool of public addresses. That is, any public IP address from the pool can be assigned to a host on the internal network.
1) First define a pool of addresses (the public addresses our ISP assigned us)
Router-Cisco#configure terminal
Router-Cisco(config)# ip nat pool 1 200.42.1.1 200.42.1.10 netmask 255.255.255.0
2) Create a standard access list that permits the internal addresses to be translated.
Router-Cisco(config)# access-list 1 permit 172.16.129.0 0.0.0.255
3) Configure dynamic NAT based on the source address, referencing the access list defined in the previous step.
Router-Cisco(config)# ip nat inside source list 1 pool 1
4) Specify the internal interface and mark it as connected to the inside.
Router-Cisco(config)# interface ethernet 0
Router-Cisco(config-if)# ip nat inside
Router-Cisco(config-if)# exit
5) Specify the external interface and mark it as connected to the outside.
Router-Cisco(config)# interface serial 0
Router-Cisco(config-if)# ip nat outside
Commands to verify the NAT table
show ip nat translations
show ip nat statistics
debug ip nat

Cisco.Offset List


Offset-list
Saturday, August 7, 2010
05:42 p.m.

Command: offset-list
Use: This command allows you to modify the metric of a route in the routing table.
Syntax: Router(config-router)#offset-list <list> <in | out> <offset> <interface>

Options:
  • <list> - 0: all networks
  • <list> - 1-99, 1300-1999: standard access list
  • <list> - name: named access list
  • in: affects inbound updates
  • out: affects outbound updates
  • <offset> - 1-16: amount by which to modify the metric
  • <interface>: only affects updates coming through this interface
Example



In this example we will change the metric on the 1.0.0.0 routes to 200000. Currently the metric is 156160.


R2(config-router)#do show ip route eigrp
1.0.0.0/32 is subnetted, 3 subnets
D 1.1.1.1 [90/156160] via 10.1.1.1, 00:00:07, FastEthernet0/0
D 1.3.3.3 [90/156160] via 10.1.1.1, 00:00:07, FastEthernet0/0
D 1.2.2.2 [90/156160] via 10.1.1.1, 00:00:07, FastEthernet0/0
192.168.13.0/30 is subnetted, 1 subnets
D 192.168.13.0 [90/2172416] via 10.1.1.1, 00:00:07, FastEthernet0/0
3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/156160] via 10.2.2.3, 00:00:04, FastEthernet1/0
111.0.0.0/32 is subnetted, 1 subnets
D 111.111.111.111 [90/156160] via 10.1.1.1, 00:00:07, FastEthernet0/0
10.0.0.0/24 is subnetted, 3 subnets
D 10.4.4.0 [90/2172416] via 10.2.2.3, 00:00:04, FastEthernet1/0
[90/2172416] via 10.1.1.1, 00:00:04, FastEthernet0/0
11.0.0.0/32 is subnetted, 1 subnets
D 11.11.11.11 [90/156160] via 10.1.1.1, 00:00:07, FastEthernet0/0
Now we will set the offset on R2


R2(config)#access-list 25 permit 1.0.0.0 0.255.255.255
R2(config)#router eigrp 100
R2(config-router)#offset-list 25 in 43840
Checking the routing table, we see the 1.0.0.0 network metric is 200000.


R2(config-router)#do show ip route eigrp
1.0.0.0/32 is subnetted, 3 subnets
D 1.1.1.1 [90/200000] via 10.1.1.1, 00:00:01, FastEthernet0/0
D 1.3.3.3 [90/200000] via 10.1.1.1, 00:00:01, FastEthernet0/0
D 1.2.2.2 [90/200000] via 10.1.1.1, 00:00:01, FastEthernet0/0
192.168.13.0/30 is subnetted, 1 subnets
D 192.168.13.0 [90/2172416] via 10.1.1.1, 00:01:20, FastEthernet0/0
3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/156160] via 10.2.2.3, 00:01:17, FastEthernet1/0
111.0.0.0/32 is subnetted, 1 subnets
D 111.111.111.111 [90/156160] via 10.1.1.1, 00:01:20, FastEthernet0/0
10.0.0.0/24 is subnetted, 3 subnets
D 10.4.4.0 [90/2172416] via 10.2.2.3, 00:01:17, FastEthernet1/0
[90/2172416] via 10.1.1.1, 00:01:17, FastEthernet0/0
11.0.0.0/32 is subnetted, 1 subnets
D 11.11.11.11 [90/156160] via 10.1.1.1, 00:01:20, FastEthernet0/0

Cisco.Limiting bandwidth for services located behind the router


This configuration works on IOS versions that support QoS. What it does is limit the bandwidth of the services that sit behind the Cisco router.

To configure rate-limit we also need two more values, which Cisco recommends calculating with the formula it provides. These values are the "normal burst" and the "extended burst".
According to Cisco they are calculated as:
"normal burst" = rate * (1 byte)/(8 bits) * 1.5 seconds
"extended burst" = 2 * "normal burst"
What we will do is limit the bandwidth for these services. The first step is to specify how much bandwidth we want for each service, taking into account the 1 Mbps (inbound) / 512 kbps (outbound) link.

Incoming mail: a limit of 256 kbps (out of the 1 Mbps).
Outgoing mail: a limit of 128 kbps (out of the 512 kbps).
Outgoing web content: a limit of 256 kbps (out of the 512 kbps).
An ACL is used to restrict the bandwidth of each service. A 'permit tcp ... eq <port>' entry is an extended ACL, so the numbers must be in the 100-199 range (standard numbers 1-99 only accept source addresses).
Configuration:
Router(config)# access-list 100 permit tcp any eq www any
(outbound Web traffic)
Router(config)# access-list 101 permit tcp any any eq smtp
(incoming SMTP traffic)
Router(config)# access-list 102 permit tcp any eq smtp any
(outbound SMTP traffic)
Apply the rate-limit command on the interface that connects to the Internet or to any other router:
Router(config)# interface GigabitEthernet0/0
Router(config-if)# rate-limit output access-group 100 256000 48000 96000 conform-action transmit exceed-action drop
(limits the bandwidth of outbound Web traffic)
Router(config-if)# rate-limit input access-group 101 256000 48000 96000 conform-action transmit exceed-action drop
(limits the bandwidth of incoming mail)
Router(config-if)# rate-limit output access-group 102 128000 24000 48000 conform-action transmit exceed-action drop
(limits the bandwidth of outgoing mail)
Verification command
show interfaces rate-limit
(shows information about the rate-limits configured on the interface)
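Both rate-limit posts (the 20/10/8 Mbps one above and this 256/128 kbps one) compute the burst values by hand from Cisco's formula. The following Python is an added example, not from the blog or from Cisco: it computes the bursts with integer arithmetic, validates the ACL numbering and rate granularity before anything is pasted into a router, and renders the CAR statements. The rule set, interface name and 8 kbps rate step are assumptions taken from the posts and from the IOS rate-limit command documentation.

```python
"""Build Cisco IOS CAR (rate-limit) statements using Cisco's burst formula.

    "normal burst"   = rate * (1 byte)/(8 bits) * 1.5 seconds
    "extended burst" = 2 * "normal burst"
"""
from __future__ import annotations
from dataclasses import dataclass

# Numbered extended ACL ranges in IOS. A 'permit tcp ... eq www' entry needs one
# of these; standard ACL numbers (1-99) only take source addresses.
EXTENDED_ACL_RANGES = ((100, 199), (2000, 2699))


def burst_values(rate_bps: int) -> tuple[int, int]:
    """Return (normal burst, extended burst) in bytes for a rate in bits/s.

    rate/8 bytes per second over 1.5 s equals rate*3/16; integer maths keeps
    the result exact for every rate IOS accepts (multiples of 8000 bps).
    """
    normal = rate_bps * 3 // 16
    return normal, 2 * normal


@dataclass(frozen=True)
class CarRule:
    acl: int          # extended ACL number the rate-limit refers to
    direction: str    # "input" (arriving on the interface) or "output"
    rate_bps: int     # committed rate in bits per second
    match: str        # ACL body after 'permit tcp', e.g. "any eq www any"
    comment: str      # emitted as a '!' comment line above the ACL


def validate(rule: CarRule) -> None:
    """Reject rules IOS would refuse (wrong ACL class or rate granularity)."""
    if rule.direction not in ("input", "output"):
        raise ValueError(f"direction must be input or output, got {rule.direction!r}")
    if not any(lo <= rule.acl <= hi for lo, hi in EXTENDED_ACL_RANGES):
        raise ValueError(
            f"ACL {rule.acl} is not an extended ACL number (100-199 or 2000-2699); "
            "a 'permit tcp ... eq <port>' entry is not accepted there")
    # The rate-limit command documents the average rate in 8 kbps increments.
    if rule.rate_bps < 8000 or rule.rate_bps % 8000:
        raise ValueError(f"rate {rule.rate_bps} bps is not a multiple of 8 kbps")


def render_car_config(interface: str, rules: list[CarRule]) -> list[str]:
    """Return config lines: one ACL per rule, then the rate-limits on the interface."""
    for rule in rules:
        validate(rule)
    lines: list[str] = []
    for rule in rules:
        lines.append(f"! {rule.comment}")
        lines.append(f"access-list {rule.acl} permit tcp {rule.match}")
    lines.append(f"interface {interface}")
    for rule in rules:
        normal, extended = burst_values(rule.rate_bps)
        lines.append(
            f" rate-limit {rule.direction} access-group {rule.acl} "
            f"{rule.rate_bps} {normal} {extended} "
            "conform-action transmit exceed-action drop")
    return lines


# The three services from the 2015 post: web out at 20 Mbps, mail in at
# 10 Mbps, mail out at 8 Mbps (ACL bodies without the optional server IPs).
RULES_2015 = [
    CarRule(100, "output", 20_000_000, "any eq www any", "outbound web traffic"),
    CarRule(101, "input", 10_000_000, "any any eq pop3", "incoming mail (POP3)"),
    CarRule(102, "output", 8_000_000, "any eq smtp any", "outbound mail (SMTP)"),
]

if __name__ == "__main__":
    print("\n".join(render_car_config("GigabitEthernet0/1", RULES_2015)))
```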


Cisco.Layer by Layer troubleshooting


Every network admin is going to have trouble with network links on a Cisco router, at one point or another. The best way to troubleshoot any networking issues is to use the OSI model and go layer by layer. In my article How to use the OSI Model to Troubleshoot Networks, we talked about the different troubleshooting approaches and how to use them to troubleshoot your network, in general. In this article, you will find out how to use the OSI model to troubleshoot, bottom up, using a Cisco router.

OSI Model - Bottom Up Troubleshooting
If you will recall, the OSI model starts with the physical layer (layer 1) and goes up to layer 7 (application). When troubleshooting with a Cisco router, much of your time will be spent working in layers 1-3. They are:
  • Layer 3 - Network
  • Layer 2 - Data Link
  • Layer 1 - Physical
Because these layers build on each other, layer 1 is the most critical: without layer 1, layer 2 will not function; without layers 1 and 2, layer 3 will not function, and so on. For this reason, I start troubleshooting at layer 1, physical, and move up from there.
Router Troubleshooting at OSI Layer 1 & 2 - Physical & Data link
Remember, if layer 1 isn't up, nothing else will work, so make sure you start here. Examples of layer 1 are your T1 circuit or your Ethernet cable: physical connectivity. I usually troubleshoot layer 1 and layer 2 together because they are so closely paired. Examples of layer 2 (data link) are your line protocol (such as Ethernet, ATM, 802.11, PPP, Frame Relay or HDLC).
To troubleshoot at these layers, the first thing I would do on your router is a show interface. Here is an example of a LAN Gigabit Ethernet circuit:
Router# show interface
GigabitEthernet0/0 is up, line protocol is up
Hardware is BCM1125 Internal MAC, address is 0015.2b46.5000 (bia 0015.2b46.5000)
Description: LAN Connection to Data center
Internet address is 10.20.100.1/16
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, link type is autonegotiation, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/2/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 750000 kilobits/sec
5 minute input rate 3218000 bits/sec, 1715 packets/sec
5 minute output rate 1390000 bits/sec, 2129 packets/sec
1416888620 packets input, 15402720 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 1556005 multicast, 0 pause input
0 input packets with dribble condition detected
1666663097 packets output, 573841802 bytes, 0 underruns
19 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
19 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Here is what a WAN T1 or T3 circuit might look like:
Router# show interface serial 3/0
Serial3/0 is up, line protocol is up
Hardware is DSXPNM Serial
Description: Sprint T3
Internet address is 10.2.100.2/30
MTU 4470 bytes, BW 9000 Kbit, DLY 200 usec,
reliability 255/255, txload 77/255, rxload 26/255
Encapsulation HDLC, crc 16, loopback not set
Keepalive set (10 sec)
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 18394
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 927000 bits/sec, 1914 packets/sec
5 minute output rate 2752000 bits/sec, 1504 packets/sec
1560997932 packets input, 3254680247 bytes, 0 no buffer
Received 255480 broadcasts, 1 runts, 1 giants, 0 throttles
1567 input errors, 1567 CRC, 976 frame, 496 overrun, 0 ignored, 908 abort
1303636803 packets output, 3737276508 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 output buffer failures, 0 output buffers swapped out
1 carrier transitions
DSU mode 1, bandwidth 9000, real bandwidth 9000, scramble 0
Here is the quick version:
Router# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.20.100.1 YES NVRAM up up
Serial3/0 10.2.100.2 YES NVRAM up up
Here is what you look for:
  • Is the interface UP?
  • Is the line protocol UP?
  • If both the interface and line protocol are NOT up, your connection is never going to work.
  • To resolve a line down, I look at the cable or the keepalives
  • To resolve a line protocol down, check that the protocols match on each side of the connection (notice the "line protocol" on each of the interfaces above).
  • Are you taking input, CRC, framing, or other errors on the line (notice how the serial interface above does show errors)? If so, check your cable or contact your provider.
In general, verify that you have a good cable on each side, verify that line protocols match, and that clocking settings are correct.
If this is an Ethernet connection, is there a link light on the switch?
If this is a serial connection, do you have an external CSU/DSU? If it is an external CSU, check that the Carrier Detect (CD) light & data terminal ready (DTR) lights are on. If not, contact your provider. This also applies if you have an internal Cisco WIC CSU card. If that is the case, take a look at this Cisco link on understanding the lights on that card.
You can, of course, use the Cisco IOS test commands to test your network interfaces with internal staff and with your telecommunications providers.
Do not proceed to upper level layers until your Physical interface on the router shows as being UP and your line protocol is UP. Until then, don't worry about IP addressing, pinging, access-lists or anything like that.
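The checklist above can be applied mechanically to a captured dump. The following Python is an added example, not code from the original article: it parses the two `show interface` outputs shown above (abridged), plus a constructed clean Gigabit port and a constructed down serial link, and reports the layer 1/2 findings for each interface. The extra interfaces and the counter names it looks for are assumptions chosen to exercise every branch of the checklist.

```python
"""Layer 1/2 triage of Cisco IOS 'show interface' output."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: the two interfaces from the article (abridged) plus a
# hypothetical clean Gigabit port and a hypothetical down serial link.
SAMPLE_SHOW_INTERFACE = """\
GigabitEthernet0/0 is up, line protocol is up
  Hardware is BCM1125 Internal MAC, address is 0015.2b46.5000 (bia 0015.2b46.5000)
  Encapsulation ARPA, loopback not set
     1416888620 packets input, 15402720 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     1666663097 packets output, 573841802 bytes, 0 underruns
     19 output errors, 0 collisions, 3 interface resets
     19 lost carrier, 0 no carrier, 0 pause output
GigabitEthernet0/1 is up, line protocol is up
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 lost carrier, 0 no carrier, 0 pause output
Serial3/0 is up, line protocol is up
  Hardware is DSXPNM Serial
  Encapsulation HDLC, crc 16, loopback not set
     1560997932 packets input, 3254680247 bytes, 0 no buffer
     1567 input errors, 1567 CRC, 976 frame, 496 overrun, 0 ignored, 908 abort
     1303636803 packets output, 3737276508 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     1 carrier transitions
Serial3/1 is down, line protocol is down
  Hardware is DSXPNM Serial
  Encapsulation HDLC, crc 16, loopback not set
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 output errors, 0 collisions, 0 interface resets
"""

HEADER_RE = re.compile(
    r"^(?P<name>\S+) is (?P<status>up|down|administratively down), "
    r"line protocol is (?P<proto>up|down)")
# Counters the checklist asks about; each appears as "<number> <name>" in a line.
ERROR_COUNTERS = ("input errors", "CRC", "frame", "overrun", "ignored", "abort",
                  "output errors", "collisions", "interface resets",
                  "lost carrier", "carrier transitions")
COUNTER_RE = re.compile(
    r"(\d+) (" + "|".join(re.escape(c) for c in ERROR_COUNTERS) + r")\b")


@dataclass
class Interface:
    name: str
    status: str                 # "up", "down" or "administratively down"
    protocol: str               # line protocol: "up" or "down"
    counters: dict[str, int] = field(default_factory=dict)


def parse_show_interface(text: str) -> list[Interface]:
    """Split a 'show interface' dump into one Interface per header line."""
    ifaces: list[Interface] = []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            ifaces.append(Interface(header["name"], header["status"], header["proto"]))
        elif ifaces:
            for value, counter in COUNTER_RE.findall(line):
                ifaces[-1].counters[counter] = int(value)
    return ifaces


def layer1_2_findings(iface: Interface) -> list[str]:
    """Apply the layer 1/2 checklist; an empty list means move on to layer 3."""
    findings = []
    if iface.status != "up":
        findings.append(f"{iface.name}: interface is {iface.status} "
                        "(layer 1: check the cable, CSU/DSU lights and keepalives)")
    if iface.protocol != "up":
        findings.append(f"{iface.name}: line protocol is down "
                        "(layer 2: encapsulation and clocking must match on both ends)")
    errors = {name: count for name, count in iface.counters.items() if count}
    if errors:
        findings.append(f"{iface.name}: non-zero error/reset counters {errors} "
                        "(check the cable or contact the provider)")
    return findings


def ready_for_layer3(text: str) -> dict[str, bool]:
    """True per interface only when nothing on the layer 1/2 checklist fires."""
    return {i.name: not layer1_2_findings(i) for i in parse_show_interface(text)}


if __name__ == "__main__":
    for iface in parse_show_interface(SAMPLE_SHOW_INTERFACE):
        for finding in layer1_2_findings(iface) or [f"{iface.name}: layers 1/2 look clean"]:
            print(finding)
```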
Router Troubleshooting at OSI Layer 3 - Network
Once you have layers 1 and 2 working (your show interface command shows the line is "UP & UP"), it is time to move on to layer 3, the OSI network layer. The easiest way to see whether layer 3 is working is to ping the remote side of the LAN or WAN link from this router. Make sure you ping as close as possible to the router you are trying to communicate with: from one side of the link across to the other.
Here are examples of successful & failed pings:
Router# ping 10.2.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Router#
Router# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#
The easiest way to check the status of Layer 3 - the network layer - is to do a show ip interface brief, as I did above. Here is an example:
Router# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.20.100.1 YES NVRAM up up
Serial3/0 10.2.100.2 YES NVRAM up up
Notice the IP addressing on each of these interfaces. Also do a show running-config; you can even restrict it to one interface, like this:
Router# show running-config int serial3/0
Building configuration...
Current configuration : 225 bytes
!
interface Serial3/0
description Sprint T3
bandwidth 9000
ip address 10.2.100.2 255.255.255.252
no ip proxy-arp
no ip mroute-cache
dsu mode 1
dsu bandwidth 9000
no cdp enable
end
Router#
I would recommend taking this interface configuration and comparing it, side by side, with the remote WAN connection to ensure they are the same. Ask yourself questions like:
  • Are these interfaces on the same IP network?
  • Do these interfaces have the same subnet mask?
  • Are there any access-lists (ACL) that are blocking your traffic?
  • Can you remove all optional IP features to make sure that the basic configuration works before adding additional features that could be causing trouble?
Here is an example. Look at the two interfaces below. What is the real problem, causing these two to not communicate?
Router 1
interface Serial3/0
 description Sprint T3 - TO ROUTER 2
 bandwidth 9000
 ip address 10.2.100.2 255.255.255.252
Router 2
interface Serial3/0
 description Sprint T3 - TO ROUTER 1
 bandwidth 1500
 ip address 10.2.100.5 255.255.255.252
No, there is no problem with the bandwidth statement. Bandwidth statements are only used as documentation and by routing protocols to select the best route. The real problem here is that the second router's serial interface is not on the same IP subnet as router #1. Even though they have the same subnet mask, 10.2.100.5 will never be able to communicate with 10.2.100.2, because with a /30 mask they fall in different networks (10.2.100.4/30 and 10.2.100.0/30) despite being directly connected.
Let's say that you are now able to ping across the link, from one side to another. While that is a great sign, it doesn't always mean that everything is "fixed". You still may not be able to communicate from a client on the LAN of one router, to a client on the LAN of another router, due to things like improperly configured IP routing protocols.
For one LAN to communicate with another LAN through routers (usually across a WAN), you MUST have either static routes or dynamic routes configured. To ensure you have a route configured for the network you are trying to reach, do:
Router# show ip route
and look at
Router# show ip protocols
For troubleshooting Layer 3 and everything above it, look at the output of this command:
Router# show ip interface
GigabitEthernet0/0 is up, line protocol is up
Internet address is 10.20.100.1/16
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is disabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is enabled
IP CEF switching is enabled
IP CEF Flow Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, Flow cache, CEF, Subint Flow
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
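That listing is long, so as an added example (not code from the article) here is a Python script that parses show ip interface output into a dictionary and flags the handful of settings a defender would normally review on a WAN-facing interface: directed broadcast forwarding, proxy ARP, ICMP redirects, and whether any access list is applied. The sample output is a constructed subset of the listing above, and the baseline of expected values is an assumption made for this example rather than something the article prescribes.

```python
import re

# Constructed sample: a subset of the 'show ip interface' listing above.
SAMPLE_OUTPUT = """\
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.20.100.1/16
  Broadcast address is 255.255.255.255
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is disabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP route-cache flags are Fast, Flow cache, CEF, Subint Flow
  Network address translation is enabled, interface in domain inside
"""

# Interface header, e.g. "GigabitEthernet0/0 is up, line protocol is up"
HEADER_RE = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)$")
# Setting lines read "<field> is <value>" or "<field> are <value>"
FIELD_RE = re.compile(r"^(.+?) (?:is|are) (.+)$")


def parse_show_ip_interface(text):
    """Parse 'show ip interface' output into {interface: {field: value}}.

    Lines that do not match the '<field> is/are <value>' shape (for example
    'Multicast reserved groups joined: ...') are ignored.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"status": m.group(2), "protocol": m.group(3)}
            continue
        if current is None:
            continue  # text before the first interface header
        m = FIELD_RE.match(line)
        if m:
            result[current][m.group(1)] = m.group(2)
    return result


# Expected values for a WAN-facing interface. This baseline is an assumption
# made for the example; the article itself does not prescribe these settings.
BASELINE = {
    "Directed broadcast forwarding": "disabled",
    "Proxy ARP": "disabled",
    "ICMP redirects": "never sent",
}


def review_interface(fields):
    """Return findings where one interface deviates from BASELINE."""
    findings = []
    for key, expected in BASELINE.items():
        actual = fields.get(key, "<not shown>")
        if actual != expected:
            findings.append(f"{key}: {actual} (expected {expected})")
    if (fields.get("Inbound access list") == "not set"
            and fields.get("Outgoing access list") == "not set"):
        findings.append("no access list applied in either direction")
    return findings


if __name__ == "__main__":
    for name, fields in parse_show_ip_interface(SAMPLE_OUTPUT).items():
        print(f"{name}: {fields['status']}/{fields['protocol']}, "
              f"{fields.get('Internet address')}")
        for finding in review_interface(fields):
            print("  -", finding)
```

On the sample above the review flags two things: ICMP redirects are still being sent, and no access list is applied in either direction. Neither is necessarily wrong while you are troubleshooting (the checklist earlier suggests stripping optional features to get a clean baseline), but both are worth revisiting once the link works.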
Router Troubleshooting at OSI Layers 4 - 7
Now, let's say that you have made it to the point where you can ping from LAN to LAN, through your WAN. Congratulations - that is a very good sign. If you are still having trouble, it must be in OSI Layers 4-7. Here are those layers listed out and possible issues you might experience in each layer:
  • Layer 4 - Transport - in the transport layer are TCP and UDP - you could have an ACL or QoS feature blocking or slowing this traffic. Your TCP traffic could also be fragmented to the point that it cannot be reassembled. Another possibility is that you are not receiving an ACK back for traffic that was successfully sent.
  • Layer 5 - Session - in the session layer are protocols like SQL, NFS, SMB, or RPC - you could be taking errors on any one of these session protocols. I would recommend using a protocol analyzer like Wireshark to analyze your session data.
  • Layer 6 - Presentation - in the Presentation layer are data encryption, compression, and formatting - your VPN tunnel could be failing, or perhaps you are sending one type of data (like an MPEG) and the receiver is trying to view it as a WMV file.
  • Layer 7 - Application - in the Application layer are, of course, your applications like FTP, HTTP, SCP, TFTP, TELNET, SSH, and more - you could be trying to connect to a telnet server with the SSH protocol, for example.
  • Layer 8 - End User - the standing joke is that "Layer 8" is the user - the user could be just mistyping their username or password or you, the network admin, could have been troubleshooting the wrong IP address all along.
Summary
In summary, using the OSI model to troubleshoot connectivity issues is the fastest and most efficient way to troubleshoot any network issue. Even if someone calls you to work on a Windows share problem, all of the same principles in this article apply to that troubleshooting process. So the next time you work on a network issue, remember the OSI model and how to use the bottom-up approach to troubleshooting! It could save you a whole lot of time!