Network Analysis Tools Flashcards
Elements of Diagnosis
Gathered information: Gathering information about what is happening is essential to the troubleshooting process. Usually, the problem report does not contain enough information for you to formulate a good hypothesis without first gathering more information. You can gather information and symptoms either directly by observing processes or indirectly by executing tests.
Analysis: The gathered information is analyzed. Compare the symptoms against your knowledge of the system, processes, and baseline to separate the normal behavior from the abnormal behavior.
Elimination: By comparing the observed behavior against expected behavior, you can eliminate possible problem causes.
Proposed hypotheses: After gathering and analyzing information and eliminating the possible causes, you will be left with one or more potential problem causes. You need to assess the probability of each of these causes, so you can propose the most likely cause as the hypothetical cause of the problem.
Testing: Test the hypothetical cause to confirm or deny that it is the actual cause. The simplest way to perform testing is to propose a solution that is based on this hypothesis, implement that solution, and verify whether it solves the problem. If this method is impossible or disruptive, the hypothesis can be strengthened or invalidated by gathering and analyzing more information.
Router Categories
Routers can be classified into three categories:
Software-based routers: These routers have a shared control and data plane and a single CPU responsible for all operations.
Hardware-based routers: These routers have a separated control and data plane, a single CPU to manage the control plane, and an ASIC designed solely to forward packets very fast. When the ASIC cannot forward a packet, it punts it to the CPU.
Hardware-assisted routers: These routers have a separated control and data plane, a single CPU to manage the control plane, and a Network Processor (NP) that significantly increases the throughput of the device. If the NP cannot forward a packet, it punts it to the CPU.
CPU Functions
When a device has completed the boot process, the CPU has two distinct functions. The first is to run the different processes under IOS that carry out the device's role in the network. The second is to send packets to, and receive packets from, the switching hardware. The CPU performs both of these functions simultaneously.
In the show processes cpu sorted 1min command display, the CPU utilization for five seconds field contains two elements: 7 percent and 4 percent. The first number is the total CPU utilization, and the second number is the interrupt utilization. Interrupt utilization indicates the volume of network traffic the CPU is receiving.
Memory Symptoms
The show memory command displays the amount of processor memory and I/O memory that is in use and available (free). I/O memory is used for temporary packet buffering.
When device performance is a concern during network troubleshooting, check the free memory. A lack of memory can drastically slow the device or reach a point that causes the device to reboot automatically. Always plan for, and keep track of, the amount of free memory on your device.
When a process cannot allocate the memory it needs because not enough memory is available, the router or switch logs a memory allocation failure with a %SYS-2-MALLOCFAIL message.
Interface Statistics
Input queue drops: These signify that traffic is being dropped because the router is receiving more traffic than it can process.
Output queue drops: These are usually a result of a congested link.
Input errors: These may be a result of interface problems, duplex errors, and CRC errors.
Output errors: These are usually related to duplex issues.
Your device may have various controllers that relate to different interfaces. Depending on the interface hardware, the show controllers command gives you more detailed packet and error statistics than the show interface command for that particular type of hardware.
Common Show Filters
exclude
include
begin
section
Regular Expressions
^ = Matches the character at the beginning of the string
| = Matches one of the characters or character patterns on either side of the pipe. This action is similar to the logical OR
$ = Matches the character or null string at the end of a regular expression
* = Matches zero or more sequences of the character preceding the asterisk. Also acts as a wildcard for matching any number of characters.
Traceroute
The traceroute tool is very useful if you want to determine the specific path that a packet takes to its destination. If a destination is unreachable, you can determine where on the path the issue lies.
Traceroute works by sending the remote host a sequence of three UDP datagrams with a TTL of 1 in the IP header and the destination ports 33434 (first packet), 33435 (second packet), and 33436 (third packet). The TTL of 1 causes the datagram to time out when it hits the first router in the path. The router responds with an ICMP “time exceeded” message, meaning the datagram has expired.
The next three UDP datagrams are sent with a TTL of 2 to destination ports 33437, 33438, and 33439.
After passing through the first router, which decrements the TTL to 1, the datagram arrives at the ingress interface of the second router. The second router decrements the TTL to 0 and responds with an ICMP “time exceeded” message.
This process continues until the packet reaches the final destination, with ICMP “time exceeded” messages sent by all the routers along the path.
When the packet reaches the final destination, the device responds with an ICMP “port unreachable.”
Traceroute Responses
xx msec = the RTT to the hop
A = administratively prohibited
Q = Source quench (destination too busy)
I = User interrupted test
U = Port unreachable
H = Host unreachable
N = Network unreachable
P = Protocol unreachable
T = timeout
? = Unknown packet type
Debug Outputs
Console: By default, logging is enabled on the console port. Hence, the console port always processes debug output even if you are actually using some other port or method (such as aux, vty, or buffer) to capture the output.
Excessive debug output to the console port of a router can cause it to hang. Consider changing where the debug messages are captured and turn off logging to the console with the no logging console command.
Some debug commands are very verbose, and therefore you cannot easily view any subsequent commands you wish to type while the debug is in progress. To remedy the situation, configure logging synchronous on the console line.
AUX and VTY Ports: To receive debug messages when connected to the AUX port or remotely logged into the device via Telnet or SSH through the VTY lines, type the command terminal monitor.
Logs: Like any syslog message, debug messages can also be collected in logs. You can use the logging command to configure messages to be captured in an internal device buffer or external syslog server.
Debug ip packet
Packets generated by a router or destined for a router are process-switched and are therefore displayed with the debug ip packet command.
Packets that are forwarded through a router that is configured for fast-switching or CEF are not provided to the processor, and hence the debugging does not show anything. To display packets forwarded through a router with the debug ip packet command, you need to disable fast-switching on the router with the no ip route-cache command (for unicast packets) or no ip mroute-cache (for multicast packets). This command is configured on the interfaces where the traffic is supposed to flow. You can verify whether fast switching is enabled with the show ip interface command.
Note
Disabling fast-switching on a router that handles many packets can cause CPU utilization to spike so that the box hangs or loses its connection to its peers.
Note
Do not disable fast-switching on a router running Multiprotocol Label Switching (MPLS). MPLS is used along with CEF; therefore, disabling fast-switching on the interface can have a disastrous effect.
Service Level Agreement (SLA)
A contract between a network provider and its customers, or between a network department and its internal corporate customers.
IP SLA
IP SLA is a Cisco proprietary solution that uses UDP port 1967 for control messages. When configuring the IP SLA source and responder, specify a different Layer 4 port on which the test traffic will be sent.
Switchport Analyzer (SPAN) Types
Local (SPAN)
Remote (RSPAN)
Encapsulated Remote (ERSPAN)
Remote SPAN (RSPAN)
RSPAN supports source and destination ports on different switches, while local SPAN supports only source and destination ports on the same switch.
RSPAN consists of the RSPAN source session, RSPAN VLAN, and RSPAN destination session.