show ip int to check if there are any acls in place and if the neighbor address
is blocked by them
show ip ospf int
show ip ospf neighbors
show ip ospf to look at the router id
several parameters have to match for ospf
area type: show ip ospf
area no: show ip ospf interface
hello dead timers: show ip ospf interface
subnet and mask: show ip interface
subnet and mask should match
timers should match
area no
area type
check if the acl is not blocking ssh
you can also check if ssh is allowed on vty lines by default transport input
show line to check which protocols are enabled
if we need to kick some connections
show line
clear line
make sure correct ssh version and packet size is there
so do check acls if ssh is not blocked there
also do check if ssh is enabled on vty line as transport input is going to limit
the protocols
show line to check what is enabled
if the lines are busy and we want to clear the lines show line and clear line is
used then
make sure correct version of ssh is running and that correct packet size has been
set as well
if wrong authentication
virtual ip are wrong then there will be log messages about them
the different versions of hsrp are not compatible with each other
if wrong group configured then duplicate addresses
if the wrong group config then the duplicate address problem will happen
if authentication wrong then message will appear
wrong setting of the hsrp group log message will appear
two versions 1 and 2 are not compatible with each other
show standby is going to show a lot of info
line active ip mac address
active router timers etc
incorrect routing information could be sourced from either the wrong device
attached or it could also be sourced from a normal device that is acting strange
at the moment
it's always better to manually configure the neighbors instead of leaving this to
a routing protocol
so automatic discovery of neighbors on protocols, try to disable that
and then manually config the neighbor and when done in eigrp then eigrp will do
the neighbor communication through unicast instead of
errored routing info can be generated from a peer which is falsely attached or from a
good peer for some reason propagating wrong information
in ospf two methods of auth, either the whole area or the interfaces individually
eigrp and rip are doing auth on a per interface basis
in bgp we have to specify the auth on the router config level for the whole
device
so ospf will either have auth on the area basis or it could also be on the
interface basis
on eigrp and rip it's always the interface basis auth
bgp the auth is applied on the router config level so for the whole router at
once
vrrp problems could be very similar to hsrp
there is virtual ip which could have been applied wrong
there is group id which could have been applied wrong
authentication is wrong
advert timers are wrong
acls blockage
virtual ip wrong
group id wrong
advert timers wrong
auth problems
acl
show vrrp brief a concise view of all the interfaces on the vrrp and config
show vrrp int on per int basis and what config on per interface
debug vrrp events, debug vrrp error, debug vrrp state
debug vrrp all
debug vrrp packets and debug vrrp events
show vrrp brief show vrrp int
debug vrrp events debug vrrp error debug vrrp state debug vrrp all
debug vrrp packets debug vrrp events
debug vrrp auth
trunk mode
allowed vlan
native vlan
encap
state negotiation protocols for etherchannels are
pagp which is cisco
lacp open standard
no protocol
states which will form etherchannel are
for pagp desirable desirable, desirable auto
for lacp active active, active passive
for no protocol on on
for
link negotiation protocols for etherchannel
pagp: desirable desirable, desirable auto
lacp: active active, active passive
no protocol: on on
hsrp and glbp will not allow virtual ip to be assigned to one of the
routers while vrrp will do that and that's the master router
vrrp will preempt by default, other two not
glbp can use four routers simultaneously to forward hence load balancing
hsrp and glbp have longer timers and vrrp has shorter timers
so vrrp will allow virtual ip to be assigned to the router
but glbp and hsrp will not and in vrrp that will be the master router
vrrp will preempt by default, other two won't
glbp will allow up to 4 routers to forward simultaneously therefore load balancing, other two
don't
timers on vrrp are shorter while the timers on other two are longer
glbp is cisco proprietary as well
it has got inbuilt load sharing, means up to 4 routers can forward for each group
common problems
virtual ip wrong
group wrong
auth wrong
preempt not done properly
acls blocking
so glbp is cisco proprietary just like fhrp
has built in load sharing and is going to allow 4 routers to forward for each
group
wrong group assigned
wrong ip assigned
auth problem
preempt problem
acls block
to get to know what's going on
show glbp brief
show glbp stat
debug glbp packets events errors all terse
show glbp brief
show glbp int
debug glbp packets events errors all terse
dhcp snooping is enabled on a per vlan basis
it is a security measure to avoid rogue dhcp servers participating in the dhcp
process
so certain
on trusted
and on non
ay so they
so trusted interfaces are the ones towards the server, the uplink towards the server
dhcp snooping will also build a binding database which will include the port no,
ip address assigned, mac address, vlan, host associated with, lease time,
binding type
and then all this information is used by other security features such as dynamic arp
inspection
dhcp snooping can also be used to limit dhcp messages maybe to lower the traffic of the
network
dhcp snooping will keep a binding database: port, host, ip, mac, vlan, bind type, lease,
and this can be used by other security tools
it can also be used to limit the messages travelling in the network
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping trust
ip dhcp snooping limit rate ...
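an added example, not part of the original notes: the dhcp snooping commands above placed in the configuration modes where they are entered, using the notes' vlan 10. the interface names, the rate value of 15 packets per second and the dynamic arp inspection lines are assumptions for illustration.

```cisco
! added example; interface names and the rate value are assumptions
! global configuration: turn snooping on, then enable it for the vlan
ip dhcp snooping
ip dhcp snooping vlan 10
!
! uplink towards the dhcp server: trusted, so server replies are accepted here
interface GigabitEthernet0/1
 description uplink towards dhcp server (assumed port)
 ip dhcp snooping trust
!
! access port towards hosts: left untrusted (the default), so dhcp server
! messages arriving on this port are dropped; dhcp packets are rate limited
interface GigabitEthernet0/10
 description host access port (assumed port)
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
! dynamic arp inspection reuses the snooping binding database for vlan 10;
! the uplink is trusted for arp as well
ip arp inspection vlan 10
interface GigabitEthernet0/1
 ip arp inspection trust
!
! verification from exec mode (listed as comments, not configuration):
!  show ip dhcp snooping
!  show ip dhcp snooping binding
```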
eigrp: ip could be wrong, subnet could be wrong
physical problem
network wrong config
k values are different on the neighbors (k1 and k3 equal to 1, the rest are 0)
acl could be blocking
passive interface on wrong interface
incorrect as
if ip domain list is configured then default domain name is not going to be used
dns default is not going to be used if ip domain list has been configured
if certain dns addresses are failing then it could be the dns server problem
if dns server is reachable but still it's not resolving the addresses then there
could be an acl blocking dns traffic which is port 53
so if certain domains are failing then it could be the dns server issue
if dns server is reachable but resolution is failing then it's most probably acls
blocking dns traffic
if ip domain lists are configured they will change the default domain names
there are two commands copy and configure replace
so copy is going to merge the source and destination both and therefore does
not necessarily need to be a complete config
configure replace is going to compare the two configs and then start copying and
therefore it has to be a complete config file with all the configs already
there
it may replace the whole thing
so copy and configure replace are two different ways of copying the configs to
the other device
copy does not need to be a complete config as it's going to merge the two things
so does not need to be a complete config
configure replace is going to do the comparison before it's going to copy the
thing from source to the destination therefore has to be a complete config
altogether no matter what, therefore the two commands are different from each other
automatic fallback methods are used to return the device back to a state which
was working and stable and was changed due to some change on the device
so as long as changes are not saved, when reload hits it will change the
settings back to the stable ones, two commands
reload in this much time and reload at this time
even if the changes caused connection loss, when the reload hits it will
return the connectivity back to the device
automatic fallback methods are reload in this much time
reload at ... this time
when we set this before making changes to the device and the config has made
undesirable changes then when reload hits the device will get back to the stable
position
even if the connectivity is lost due to config, the device when hit by the reload
will get the connectivity back
if config is successful then we can definitely try reload cancel to cancel reload
using configure replace with fallback
configure replace url time ....
we use this when we do not want startup config to replace, instead this file
located at this location
in this much time
if config is successful then we can use configure confirm
if we need that earlier then we use configure revert now