Cisco CCNP TSHOOT 642-832

General TSHOOT: IOS Tools to Monitor and Maintain the Network, Part 2

Video Titles
1. TSHOOT: Setting Your Expectations
2. General TSHOOT: The Troubleshooting State of Mind
3. General TSHOOT: Troubleshooting Before You're Treading Water - Proactive Steps
4. General TSHOOT: Troubleshooting Before You're Treading Water - Proactive Steps, Part 2
5. General TSHOOT: IOS Tools to Monitor and Maintain the Network
6. General TSHOOT: IOS Tools to Monitor and Maintain the Network, Part 2
7. Switch TSHOOT: VLANs and Spanning Tree Concept Review
8. Switch TSHOOT: VLANs and Spanning Tree
9. Switch TSHOOT: VLANs and Spanning Tree, Part 2
10. Switch TSHOOT: L3 Switching and Redundancy Protocols Concept Review
11. Switch TSHOOT: L3 Switching and Redundancy Protocols
12. Switch TSHOOT: L3 Switching and Redundancy Protocols, Part 2
13. Route TSHOOT: L3 Connectivity and EIGRP Concept Review
14. Route TSHOOT: L3 Connectivity and EIGRP
15. Route TSHOOT: L3 Connectivity and EIGRP, Part 2
16. Route TSHOOT: L3 Connectivity and EIGRP, Part 3
17. Route TSHOOT: OSPF and Route Redistribution Concept Review
18. Route TSHOOT: OSPF and Route Redistribution
19. Route TSHOOT: OSPF and Route Redistribution, Part 2
20. Route TSHOOT: BGP Concept Review
21. Route TSHOOT: BGP
22. Route TSHOOT: Router Performance Issues Concept Review
23. Route TSHOOT: Router Performance Issues
24. Security TSHOOT: Access List Concept Review
25. Security TSHOOT: Access List Chaos
26. IPv6 TSHOOT: IPv6 and IPv6 Routing Protocols

General TSHOOT: IOS Tools to Monitor and Maintain the Network, Part 2

00:00:00 - Alright, let's move into IOS tools to monitor and maintain the
00:00:03 - network part two. I've got to be honest with you. After I finished
00:00:09 - the last nugget, essentially, part one of this. I felt a little
00:00:13 - weird; I finished the recording, and I was like well I guess
00:00:16 - there it is; I sat there and I said to myself something feels
00:00:21 - weird. Not necessarily wrong or anything like that. I'm like
00:00:26 - what is it? I was like, what? That is cool information, that's
00:00:30 - interesting, and then it hit me, I was like, you know what I
00:00:34 - didn't really say, well here is a practical scenario you know,
00:00:38 - it was like, I was giving cool tools. Like you can filter a show
00:00:42 - command in here; you can use this to pipe the output for a TFTP
00:00:47 - server; all of those kinds of things, and I sat there, and then
00:00:49 - I realized, I was like, I didn't give, I didn't feel fulfilled,
00:00:54 - like how it's fulfilling to me, when I create this brilliant
00:00:58 - real world scenario, I said alright how do you solve all this
00:01:01 - puzzle, and then I said here's how we do it, and then I put all
00:01:04 - the pieces together again, and I was like oh right that was awesome.
00:01:06 - The last nugget we really didn't do that, you can filter doing
00:01:09 - this or you could do this, and then I sat, and I kind of comforted
00:01:14 - myself well look at the drama I go through just to convey information.
00:01:20 - I comforted myself and I said Jeremy, we're not doing real world
00:01:24 - scenarios at this point, but solving problems, like the rest
00:01:28 - of all the t-shoot series is all about, right now we are just
00:01:31 - looking at tools, kind of, take it this way, you know you're out
00:01:34 - in your garage and you go check it out. This is a field screw
00:01:37 - driver see? It can screw in this Phillips screw, and you wow
00:01:42 - that's cool, and you go like let's move on; It's interesting
00:01:46 - information, but I didn't have the, well, let's, well let us
00:01:51 - screw a Phillips screw. Let's put this on the wall over here
00:01:55 - and hold that lay there upper or something like that, so that's,
00:01:59 - so bear with me right now as I dump my feelings about this because,
00:02:05 - I started with this next one, and I'm like ok this is going to
00:02:07 - be cool too, but I'm like ah! I don't want to not have any real
00:02:10 - world solving that we're doing yet, but that's ok, we're going
00:02:14 - to be doing that as soon as we get into the troubleshooting of t-shoot
00:02:18 - series and get into all the different scenarios that we're going
00:02:21 - to see. So for now, you're like, yeah let's move on and some
00:02:26 - of you are probably like I'm going to fast forward, so ok
00:02:28 - there we go. Let's get into what we're talking about here; let's
00:02:32 - talk about how do you check resources on your router, the comment
00:02:36 - from somebody saying the internet seems slow it would be good
00:02:39 - to just do a resource check and see if my router is dropping
00:02:42 - packets; it's overloaded, processing, memory, all those kinds
00:02:46 - of things. We'll get into monitoring with SPAN and RSPAN, and
00:02:50 - finally I kind of did the miscellaneous grab bag over here; these
00:02:54 - are all, except for EEM, they're all kind of one liners if you
00:02:57 - will. Things you can do to help monitor your network more efficiently;
00:03:03 - just like the previous nugget I'm going to batch in the line
00:03:06 - interface pretty much through all the nugget areas. First off
00:03:12 - let's go into checking resources, again
00:03:16 - someone comes to you and says things are running slow and that
00:03:19 - could encompass a whole gamma of troubleshooting and issues;
00:03:22 - but one of the things that should be able to do is to check the
00:03:25 - resources on the devices on the path of the packet flow; couple
00:03:29 - of ways that we can do that, we can jump into, I'll jump into
00:03:33 - my CME router first,
00:03:35 - let's do the same show command we did last time show process
00:03:39 - cpu. The processor on your device is going to be one of the key
00:03:43 - ingredients to finding out how much, I don't know, cycles are
00:03:48 - being eaten and if the processor of a router is the cause of
00:03:52 - bottleneck; then if you shoot up too high in process utilization
00:03:55 - the router can't keep up and starts dropping packets and things
00:03:58 - and feels slow, things slow down. So what the most useful line
00:04:02 - is, and I know we filter this last time so we can see what processors
00:04:05 - were consuming resources and what not and so on, but one of
00:04:07 - the most useful lines of it is this one right here. CPU utilization
00:04:12 - for five seconds, one minute and five minutes; now one thing
00:04:17 - that I have always accepted and I never really question was this
00:04:20 - five seconds right here it says zero per cent slash zero percent;
00:04:24 - let me see if I can get it to, there we go, so now I've got another
00:04:27 - one, one percent slash zero per cent; and for years when I was
00:04:32 - at Cisco I would be like ok it's probably somewhere between one
00:04:36 - per cent and zero per cent, damn, I just kind of figure it was
00:04:39 - an average of those two values, but that's not true. These
00:04:42 - two values actually measure different things, the first number
00:04:46 - is just processor utilization
00:04:50 - based on, scratch that, let's back up, this one over here it's
00:04:55 - just processor utilization eaten up by packets being forwarded
00:04:59 - through this router; this one is the value of processor utilization
00:05:04 - for packets in processes running through this router. Now you're
00:05:08 - probably going to say that again, say it slower, rewind, no, check
00:05:12 - this out. This is what we have, we have our router right here,
00:05:16 - and our router is doing all kinds of things day in and day out.
00:05:20 - Let's say we've got two interfaces fast Ethernet one and fast
00:05:23 - Ethernet zero over here; packets flowing through this router
00:05:26 - just the fact that packets are coming into this router and passing
00:05:30 - through and being processed by that router is going to increase
00:05:33 - the processor utilization; there's a piece of the processor that
00:05:35 - is processing those packets as they come through; now low end
00:05:39 - routers, and when I say low end, I'm talking about the 2800 series,
00:05:43 - the 2900 series, you say well that's not low end business router,
00:05:48 - well compared to like a CRS1 in a service provider it is low
00:05:52 - end, it's just a consumer grade or enterprise grade router, mid-size
00:05:57 - business that people kind of put all over the place; those kinds
00:06:01 - of routers use the processor for both processors running on the
00:06:06 - router and packet forwarding. You know take processes running
00:06:10 - on the router, what is that, well when you ssh into a router
00:06:15 - there's got to be something on that router handling the generation
00:06:18 - of encryption keys something that's handling
00:06:23 - the processing of every character type, you know, the show commands
00:06:27 - that you are entering, when you have to dig in and show commands
00:06:31 - and gather that information out of the router; that's all processes
00:06:35 - that are running on the router and that are happening right here
00:06:38 - in the processes. It has nothing to do with packets going through
00:06:41 - the router over by itself; this first number is a total of all
00:06:46 - the processes running on the router and how much processor cycles
00:06:51 - is being eaten by packets forwarding. Again what I was trying
00:06:54 - to convey, I feel like I'm jumping all around here, is as packets
00:06:58 - go through the same processor on these mid-line routers handle
00:07:02 - the processes running in your router and the packet forwarding.
00:07:06 - Now the packet forwarding is not actually assigned to any one
00:07:10 - of these processes; let me show you I've got a connection up
00:07:12 - here to my UC520 which is actually running my network connection
00:07:17 - right now; I'm going to do a show process cpu one here; ok, well
00:07:22 - not much going on, let's get him talking, I'm not doing anything,
00:07:26 - I've got a VPN connection, see if I can find it, open here to
00:07:31 - a remote server and you can see I just have, I just have this
00:07:35 - msi file; let's just this 22 MB file or so, I'm just going to
00:07:39 - drag and drop that to my desktop, so I can start a transfer going
00:07:44 - from that; right now packets are flowing through my UC520, I'm
00:07:48 - gonna do a show process cpu, and we see this increase to 2 per
00:07:52 - cent slash 3 per cent; let me hit the up arrow again, if it goes
00:07:55 - up, 3 per cent and 2 per cent, so as packets are going through
00:07:59 - the router, and, I need to copy that again, as it's going through
00:08:02 - this router this is reflected; so this is good enough; 3 per
00:08:06 - cent represents the total of all the packet processing and the
00:08:13 - processes running on this router. One per cent represents just
00:08:18 - the packets that are processing on this router. So when I copy
00:08:22 - that 22 MB file packets start flowing through my UC500,
00:08:29 - my, I can't write, UC500, and you see flowing and that increased
00:08:33 - my processing utilization by one per cent. Now there are also
00:08:36 - processes running on that router; it's processing the show commands
00:08:39 - as I am hitting the up arrow; my ssh session, all of this and
00:08:42 - all of that, and they shot up to three per cent. Now the packets
00:08:46 - themselves are not seen in any one of these processes. Meaning
00:08:50 - the packets are processed less, if you will, Cisco does not identify
00:08:54 - the packet processing by any one process, so this is how they
00:08:57 - kind of differentiate between the two. Does that make sense?
00:09:01 - So if I wanted to say, ok, how much is just the processes
00:09:06 - running on my router, not the packet processing, how much is
00:09:09 - the ssh, the shows commands, you know all the other stuff that
00:09:12 - my router does. How much is that consuming? It's just a simple
00:09:15 - math problem; is my style of math, three minus one it's two,
00:09:18 - so I would say ok the actual
00:09:21 - processor utilization by these processes, all this stuff right
00:09:24 - here, it's two per cent, if I were to filter this down, I would
00:09:27 - be able to add up and there would be about two per cent of utilization
00:09:31 - if I added all these things together that was being used eating
00:09:34 - up the processor. Does that make sense I feel like I was talking
00:09:38 - to myself totally inefficient describing that but that makes
00:09:40 - sense. So that's how we can check out the processor; now let
00:09:45 - me do a little sidebar on that; this UC500 that I have has a
00:09:49 - built-in switch; it's using the same hardware that a normal Cisco
00:09:53 - switch does, so I'm gonna go, and actually have a, folder here,
00:09:58 - that's going, I'm gonna pull out my old CBT nuggets BSCI series
00:10:02 - because these files are huge; you can see I've got 229 MB there,
00:10:07 - 218, so I'm going to take these guys right here, and I'm going
00:10:11 - to copy them, now this is going across my LAN, I'm going to copy
00:10:15 - them to my desktop, so you can see I'm copying 448
00:10:19 - MB going about 16,
00:10:21 - 15ish MB per second or about eighty or so, I'm doing the math
00:10:26 - in my head, MB per second, I gotta stop talking, I'm gonna shoot
00:10:29 - over here to my router my UC520 and do a show process cpu; check
00:10:33 - that out
00:10:35 - it's zero per cent, even no, even though my file transfer is
00:10:40 - going way faster than I could across my VPN connection, it just
00:10:44 - completed right there, but still the processors remain at zero
00:10:48 - per cent. The reason for that is because those packets were not
00:10:53 - routed; they were running through the switch engine or essentially
00:10:58 - the x86. The application specific circuitry inside of that UC520
00:11:04 - that is powering the switch now off loads all of that packet
00:11:08 - processing, so it doesn't hit the processor at all, so the reason
00:11:12 - I bring this up is that if you're on a switch, you know any Cisco
00:11:16 - switch; you know a 2900 series, a 750, a 6500 and you do a show
00:11:21 - process cpu and you see the switch hovering around 40 or 50 per
00:11:25 - cent something is wrong man; something is very wrong because
00:11:29 - your processor on the switch should almost never go up unless
00:11:32 - you are doing some really weird stuff on it, or some really advanced
00:11:34 - features on the IOS because Cisco designs those switches to where
00:11:39 - ASICs handle the packet processing, so when you do the process
00:11:43 - show on the switch, you're only seeing things that are hitting
00:11:47 - the processor meaning processes that are running on the switch
00:11:50 - are handling all the packet processing just when I showed you
00:11:52 - that 400 or so MB copying to my desktop, is all handling, I am
00:11:57 - deleting it in the background, it's all being handled by the
00:12:01 - ASICs inside of the switch. So again your output may vary based
00:12:06 - on the kind of the device that you are on.
00:12:08 - Alright the next command you can use, to add to our resources,
00:12:12 - is show memory on the router; it's a very simple command. Show memory
00:12:18 - it's going to, it's going to divide the memory into two major
00:12:22 - pieces: processor and IO. When you are looking at these two this
00:12:28 - is used for the router processes as again all these processes
00:12:32 - that are running on the router; this is used for input output
00:12:36 - processes or in plain English the packets going through your
00:12:39 - router are using these memory buffers. Now due to just looking
00:12:42 - at this, I can't sit here and go, oh yeah, we're looking at,
00:12:47 - yeah that's not good, yeah, no, this is really low, you can't
00:12:52 - do that because on this your mileage may vary; it depends on
00:12:56 - what processes you are actually running on the router, the only
00:12:59 - true, well if it says free, zero, that's probably a problem,
00:13:02 - but the only real way to know whether there's an issue with the
00:13:06 - memory on your router
00:13:08 - is by establishing a baseline, you can do that, it's monitoring
00:13:13 - software, for instance, I know I've mentioned this many times
00:13:16 - I used PRTG for all of my monitoring
00:13:19 - graphs generating. This is information I'm gathering from one
00:13:23 - of the routers that I watch from PRTG, and you can see from right
00:13:28 - here, let me just kind of center that guy in there; this is watching
00:13:32 - the free processor memory. This is one of the graphs that I'm
00:13:35 - looking at. Now this is only the last twenty hours; you're looking
00:13:38 - like wow you are all over the board buddy; well not really look
00:13:42 - at the site over here in kilobytes; we are essentially at 43
00:13:47 - MB of free memory that we're hovering between going up and down
00:13:51 - falling down just a few kilobytes as time goes on; better view
00:13:55 - to look at two days, and you would say oh it's a little more
00:13:59 - even right there or scan across thirty days and you really get a
00:14:02 - good feel that on average this router over the last thirty days,
00:14:07 - except right there we got a little outage window, this router
00:14:11 - over the last thirty days hovers around 30 MB of memory free,
00:14:16 - so you might set an alarm in your monitoring system that would
00:14:18 - say ok if we ever go below thirty MB shoot me an email, send
00:14:23 - me a text message, do whatever your monitoring system does because
00:14:25 - that's normal. Now what would tell us if the router starts losing
00:14:30 - memory; well couple of things, one could be running a protocol
00:14:36 - and someone is performing a denial of service attack by flooding
00:14:40 - your table with all kinds of entries, ally weeded up. BGP and
00:14:43 - we'll say BGP can bury our router; for instance that little router
00:14:47 - I showed you right there; that's a little 855
00:14:53 - router don't run BGP on that guy, at least, not with a full internet
00:14:57 - router table, you'll just watch the router melt. So again the
00:15:00 - amount of routes that are in your running table or you could
00:15:03 - have a process in the router that is leaking memory. Now you
00:15:06 - know if you've had Microsoft for any amount of time you probably
00:15:09 - know what a memory loss is, nothing against Microsoft, it just
00:15:11 - happens, a process goes bad and that is why nearly 99 per cent
00:15:16 - of the problems are solved on Windows by rebooting because it
00:15:20 - solves all the memory leaks until all leaks out again, and that,
00:15:23 - you know when you get everything running slow and you have to
00:15:26 - reboot it again. So what would cause leaks on a router, typically
00:15:30 - an IOS bug to where Cisco really release a t-train of software
00:15:34 - or something like that; there's a process that leaks memory again
00:15:37 - to solve it upgrade the IOS or set your router to reboot every
00:15:41 - x number of days or weeks to reset the memory back to default.
00:15:46 - Now I say all this but one of the things I've got to mention
00:15:50 - is that if your router runs out of memory, some of you may notice,
00:15:54 - what happens?
00:15:57 - Bad things, bad things, the router crashes; and at that point,
00:16:01 - once the router crashes it is inaccessible, this is not like Windows
00:16:04 - where you go oh yeah start, restart and then go from there. This
00:16:08 - could be a router that's in Istanbul
00:16:12 - wherever that is, and you don't know how to get there somebody
00:16:16 - has to go flip a power switch on a router; that's not good, so
00:16:19 - it's definitely something worth monitoring in your routers at
00:16:22 - any time. It's one of the standard sensors that are creating
00:16:24 - in almost every monitoring system that's out there. So oh one
00:16:29 - other thing if you're watching syslog; you see a message, something
00:16:34 - like this: mal
00:16:38 - failed. What's that supposed to mean? Memory allocation fail;
00:16:43 - it means run, run to the router as fast as you can or the switch,
00:16:47 - the memory has leaked so far that the processes are asking for
00:16:51 - memory and the router is now generating syslog messages saying
00:16:54 - I couldn't give that process memory, and it's only a matter of
00:16:57 - time once you see those before your whole router or switch locks
00:17:00 - up because as it's on its way out. So that's your, you can see
00:17:04 - from that level your disaster status on the message. So those
00:17:10 - are messages to watch out for; so now next let's talk about the
00:17:14 - interfaces themselves looking at interface statistics; how do
00:17:18 - you know if something is wrong. Let's just bring a show interface
00:17:22 - command, and look at one of them, we'll go
00:17:25 - to ones that actually have packets going through it. Let's do a
00:17:29 - show ip interface brief,
00:17:32 - alright I'm going to do a show interface fa zero slash zero right
00:17:36 - there, and we can see
00:17:40 - a bunch of packets going through this guy. So when you do show interface;
00:17:44 - a couple of things are looking for that signal trouble. Number
00:17:47 - one is, let's see, let me filter this out, includes, let's do
00:17:52 - a drop, and
00:17:57 - there we go, I'm looking at the interface just filtering it down,
00:18:03 - and you can see here I've got zero input errors; that's a good
00:18:06 - sign. Input errors typically, well I'll group this one, we've
00:18:10 - got twelve output errors; input errors and output errors typically
00:18:14 - signal a few things. It can be cabling, could be a bad network
00:18:19 - card, you could be going by interference that's scrambling the
00:18:23 - data on the line, and all that's going to do is give you a ton
00:18:26 - of drops and slow down the connection. Now if it's voice over
00:18:29 - IP it's easy to detect because your voice will be breaking up,
00:18:32 - all kinds of audios, but with data connection, data uses TCP
00:18:35 - for the most part, so it naturally recovers those drops, it just
00:18:38 - runs slower. So if you see a bunch of input output errors then
00:18:43 - investigate that; the other big one that can cause these types
00:18:46 - of errors are duplex mismatch, so if you have a duplex mismatch
00:18:52 - that's going on you're going from half duplex to full duplex things
00:18:56 - like that; you'll see a bunch of errors coming in, so that's
00:19:00 - also signaled by collisions right here, see we've got collisions
00:19:04 - in another one in the field, and I sort of lifted past here,
00:19:09 - late collision, if you see a bunch of late collisions on the
00:19:13 - interface that is almost a sure fire sign of a duplex mismatch.
00:19:17 - A late collision is when a collision happens past a, oh forget
00:19:21 - it, it's a, I'm
00:19:25 - sure if you google it you can find it, it doesn't really matter;
00:19:28 - essentially when you look at the old hub world, and you look
00:19:33 - at the architecture behind it CSMA
00:19:36 - CD and not that is specific to hubs, Ethernet uses that, the
00:19:41 - collision detection algorithm essentially listens to see if everything
00:19:45 - is clear, and if everything is clear then it sends its packet.
00:19:47 - Well based on the timers and all that kind of stuff, if two devices
00:19:52 - are listening at the same time then you know this is how a collision
00:19:55 - happens in the hub world if two devices are listening at the
00:19:58 - same time and both go to send; just the way the timers work the
00:20:01 - collisions will almost always happen, I'm gonna throw this out
00:20:05 - there, I think it's right but I could be off, say the first sixty
00:20:08 - four bytes or, it's either sixty four or thirty two bytes of
00:20:11 - the frame, it's always going to happen there because of the timers
00:20:15 - that they've created on CSMA CD. So what
00:20:20 - does that have to do with what we're talking about, a late collision,
00:20:24 - no, right here, a late collision happens, is if it's after, if
00:20:28 - the collision happens after the sixty four bytes or thirty two
00:20:32 - bytes or whatever the normal collision factor is. Late collision
00:20:36 - means, well, the timers are just weird here you're not following
00:20:40 - CSMA CD standards almost always happens if you've got a duplex
00:20:45 - mismatch. So if you see a bunch of late collisions then immediately,
00:20:48 - bing in your mind, duplex mismatch. Let's investigate; so input
00:20:53 - output errors those are typically cabling issues, late collisions
00:20:57 - let's also talk about the drops, let's see where we are, here we
00:21:02 - are. Input queue you can see right here we've got the input queue
00:21:06 - dot 75 slash zero that means how big is it maximum size it, how
00:21:11 - many drops have you had, that's what I'm talking about; that's
00:21:13 - the input drops. Now there are two different drop statistics
00:21:17 - that you can gather there's the output drops and there's the
00:21:19 - input drops. Input drops are typically related to processor utilization
00:21:27 - meaning as packets are coming into the router right here; your
00:21:31 - processor is so busy it does not have the time to handle them,
00:21:35 - so your router just starts dropping packets as they come into
00:21:38 - the router that's almost always an input drop. Output drop in
00:21:43 - the other hand is a normal thing to occur because typically a
00:21:46 - router is converting between link types, and I know my diagram
00:21:50 - is getting a little messy, so typically you might have a Gigabit
00:21:54 - Ethernet connection coming in going at a thousand MB per second
00:21:57 - going out on a cable modem or a T1 line or whatever; we're dropping
00:22:02 - it down to 1.5 Megabits per second, so this is like a given output
00:22:07 - drops are going to happen. If you've got a computer here it will
00:22:11 - initially try to send at whatever maximum bandwidth it is, it's
00:22:14 - going to build that TCP window, and it's going to flood the router
00:22:18 - and this is going to immediately flood and start dropping packets.
00:22:21 - Those are all considered output drops, once the memory buffer
00:22:24 - inside here that are waiting to go out that T1 line has filled
00:22:27 - with packets you've reach the end, and it's going to start dropping
00:22:29 - as it goes out. If you see a bunch of output drops don't immediately
00:22:32 - panic because that's normal that's normal because routers are
00:22:36 - dealing with bandwidth mismatches all the time, fine. Last thing
00:22:39 - I want to say on these statistics. Right
00:22:43 - here, you might look at this and say I see twelve output errors,
00:22:48 - reason for alarm, probably not; if I look at my statistics and
00:22:52 - I see you know fifteen packets out and there's twelve output
00:22:56 - errors ok that's a good reason for alarm; you just don't, means
00:23:00 - you just brought the router up, and you're getting a bunch, percentage
00:23:02 - wise of output errors, and I look at this and I see what ninety
00:23:05 - one million packets output with that many bytes in errors, I
00:23:09 - pat myself on the back, and I'm like good job Jeremy you've got
00:23:12 - some good cabling there; that's some phenomenal statistic rate
00:23:15 - to do that, so things are always relative always look at the
00:23:18 - number, if that number were a thousand output errors, I would
00:23:23 - probably, well, I know I would look at and say that is totally
00:23:27 - fine then relative to the number of total packets that I have.
00:23:30 - A thousand output errors is totally normal. Ok, last two commands
00:23:35 - I want to toss at you, and I'll jump back over to my CME router.
00:23:38 - For this is the show inventory and show diag. Show inventory
00:23:45 - allows you to see all of the different models and makes of the
00:23:48 - cards that are installed inside of this router which is great
00:23:53 - if you're looking for a serial number, you can see the serial
00:23:56 - numbers for each one, you're looking for exactly what model of
00:23:59 - card is installed. You might say oh no I lost the card what model
00:24:03 - was that, well you go that was a VIC two dash two FXS. Here's
00:24:07 - the chassis that I'm running; here's WIC card that's installed
00:24:11 - inside of there, so you can put one of those guys in google and
00:24:15 - find a replacement part for it that you can purchase to replace
00:24:19 - that. You can do a show diag and that would give you more detailed
00:24:23 - information about each one of those. You can see slot zero, you
00:24:26 - can see our main board of the router. I mean typically you are
00:24:29 - typing this when you are on the phone with TAC and you go give
00:24:32 - me the serial number of motherboard we need to make sure that
00:24:34 - blah, blah, blah, whatever they're trying to have you do, and
00:24:37 - if you scroll down it will actually give you statistics for every
00:24:40 - single device or card that's inside of here, so that's a little
00:24:45 - daughter card that is PVDM that is voice modules that are inside
00:24:49 - of this V2801. So this gives you statistics and detail part firmware
00:24:54 - information about each and every one of those cards that are
00:24:56 - inside of there; so great way to get a list of those. Ok, let
00:25:02 - me clear some of this off. I need some space to talk about the
00:25:06 - next one. I'm even going to take off my button, goodbye, so let's
00:25:14 - take a look at span and rspan. Now span stands for switch port
00:25:20 - analyzer; I know a lot of you think about spanning tree, but
00:25:22 - span is actually a switch port analyzer, and what it allows you
00:25:25 - to do is sniff packet traffic on a switch; as many of you know,
00:25:30 - when you install switch versus a hub, a switch divides all of
00:25:34 - the ports into their own collision domain, and all that means
00:25:38 - is everybody kind of has their own fabric to talk across; so
00:25:42 - if this computer talks to that server through the switch then
00:25:47 - this conversation will be isolated from all the other devices
00:25:51 - that are going on that switch right now. Now I don't know if
00:25:55 - I mentioned this but I actually really got into wireshark, about
00:26:00 - a year ago, I gotta learn this hardcore let's go after it, and
00:26:05 - I bought a book by a Laura,
00:26:08 - Laura somebody very known gal in the wireshark ethereal world;
00:26:14 - she wrote a book called wireshark official certification manual
00:26:17 - which it goes through kind of giving tips; you know learning
00:26:21 - the information from that; and one of the things that she says
00:26:24 - when she opens the book in the introduction is most people save
00:26:28 - packet sniffing for wireshark until the last possible phase of
00:26:32 - troubleshooting, and she said I propose that it should be the
00:26:36 - first phase of troubleshooting, and I read that I looked, I scratched
00:26:39 - my head and went no, no, no, no you don't bust out wireshark
00:26:44 - as your first phase of troubleshooting, and I can say a year
00:26:47 - later, I still disagree with that statement, you know right,
00:26:50 - but you probably thought I was going to agree right, no, I still
00:26:53 - don't bust wireshark as my first phase of troubleshooting, but
00:26:56 - I will say, now that I know a lot more about it, and a lot of
00:26:59 - the filtering options and things like that, I do pull it a lot
00:27:03 - sooner than I used to do. Now on a switch, you have, let's say
00:27:08 - right here; it's reporting communication issues with this server.
00:27:12 - You've done your basic troubleshooting, and you go ok I need
00:27:15 - to go see the packets; I need to see what's happening; well on
00:27:17 - a switch is going to allow you to see those packets, let's say
00:27:21 - this is your monitoring statement station running a wireshark;
00:27:25 - it's going to allow you to see those packets unless you enable
00:27:30 - span; and this enablement is so simple I just didn't even want
00:27:34 - to setup a whole switch topology and all that it's very very
00:27:38 - simple. You just go into, go into global configuration mode in
00:27:43 - that switch, that IOS emulator, so switch and config and you
00:27:49 - type in monitor
00:27:52 - session and then you give it a session number, oh, you gotta
00:28:00 - spell it right. Now depending on the size of switch that you
00:28:04 - have; it can support five sessions or ten monitor sessions; it
00:28:07 - can support a lot of monitor sessions, a lot of the Cisco switches
00:28:10 - support that, so I would say monitor session, let's say session
00:28:14 - one, and the session number just identifies this instance of
00:28:18 - span, so you can say I am monitoring this and then another instance
00:28:22 - is monitoring over here, this one. So you first identify your
00:28:26 - source; I'll say source, interface, running out of room, hold
00:28:31 - on let me move this over,
00:28:34 - right there;
00:28:36 - source, interface, we'll do fast Ethernet zero slash one which
00:28:41 - connects to the server right here; I want to be able to see everything
00:28:44 - that gets sent to that server, and then I go back to, and I got
00:28:47 - my config, pops right back up, and I say monitor
00:28:53 - session one destination,
00:28:56 - interface, and then I would say whatever interface my ethereal
00:29:01 - or wireshark is connected to, it looks like about four over right?
00:29:05 - So fast Ethernet zero slash four right? and what that does now
00:29:08 - is pipe all the information that is sent to that server out to
00:29:13 - this interface as well, so you can see it all happening in wireshark.
00:29:17 - Now you can also dance with this, you can see it allows you to
00:29:22 - monitor like the send side or the receive side or the end receive;
00:29:26 - you can also do a change of ports; you can say I want to see
00:29:29 - fast Ethernet zero one through ten; the range syntax differs
00:29:32 - based upon what device you are on. So fast file all kinds of
00:29:37 - different things, these sources are coming to this destination
00:29:40 - and that will get you going, so that is setting up just basic
00:29:45 - monitoring on a switch. Now the trouble is, and it's funny, because
00:29:50 - there's this guy, and when I first introduced him to rspan, and
00:29:52 - he's like oh this saves me so much pain because he just knew
00:29:56 - about span which is monitoring within your own switch; rspan
00:30:00 - stands for remote switch analyzer, and it allows you to monitor
00:30:05 - traffic that is on another switch; so let's say there's another
00:30:07 - switch right here
00:30:10 - is connected to we'll say another switch via a trunk link that
00:30:16 - is sending traffic, and you want to monitor this port. Well the
00:30:19 - trouble is you've got to monitor this port station plugged in
00:30:21 - here, and you want a monitor this guy over here, and it's funny,
00:30:25 - when I talk about this guy over here, it's like oh, I always
00:30:26 - had to move my monitor station and plug it in different IT rooms;
00:30:29 - and if that's all you know then you're probably like hey that's
00:30:31 - what I gotta do; but once you know rspan man I'm telling you,
00:30:35 - your chair gets so much warmer because you just get to sit there
00:30:38 - all day. You don't have to move, so what you can do is enable
00:30:42 - rspan. I'm gonna clear a few of these things off, there you go,
00:30:45 - and then let's just identify again, we've got our target up here,
00:30:53 - change colors, we want to monitor this guy up on switch two;
00:30:57 - and then we've got our source right here I guess our monitor
00:31:01 - I'll just this guy right here on switch one. Now when you're
00:31:04 - setting up rspan you need to create a dedicated VLAN just for
00:31:11 - rspan, just for rspan traffic, it's, well let me show you the
00:31:15 - config, and we'll talk about it. So let me start where my target
00:31:19 - is up here on switch two; let's say I'm on switch two on config
00:31:23 - mode, let's save some typing time, copy that to my clipboard,
00:31:28 - so I am config mode on switch two; let's create the VLAN, we'll
00:31:31 - create VLAN fifty,
00:31:34 - and I'll say that will be
00:31:39 - my rspan VLAN, and now I'm just going to name it, naming it doesn't
00:31:43 - have to be rspan, it can be whatever you want, it just has to,
00:31:47 - I'm just identifying it to myself. Now underneath VLAN fifty
00:31:51 - I have to identify it to the switch, so it knows that is the
00:31:54 - one I'm going to use for networking monitoring by typing in the
00:31:58 - remote span command;
00:32:01 - now once I've done that the switch now knows that VLAN is just
00:32:04 - for rspan traffic that will it whatever we can sniff on switch
00:32:09 - two and go across that; again we have to allow VLAN fifty on
00:32:11 - the trunk of course; we'll cross that trunk and be received over
00:32:14 - here on switch one, so now I've identified the VLAN that's going
00:32:21 - to be used, and now I go back to my monitor session commands.
00:32:23 - I can do monitor, let's do session two, since we did session
00:32:28 - one last time, and I'll say the source
00:32:32 - interface, this is on switch two, is fast Ethernet zero slash
00:32:37 - twenty four, it looks like he's at the far end there. So I'm
00:32:40 - monitoring that guy, and then the
00:32:45 - destination will be remote VLAN fifty,
00:32:53 - so what does that tell the switch, it says take all the traffic
00:32:57 - on, fast Ethernet zero dash 24, this guy here, into watch, and
00:33:02 - send it to VLAN fifty which it goes VLAN fifty that's a remote
00:33:06 - span end VLAN, so we will pipe that across the trunk. Now I know
00:33:10 - some of you are already thinking, so I will concur with your
00:33:13 - thoughts, be warned, be careful because this can easily swamp
00:33:17 - a trunk link if you put too much; I mean think about it if you
00:33:20 - do monitor session two source interface fast Ethernet zero slash
00:33:25 - one through twenty four, you monitor all those ports, and then
00:33:30 - pipe them out VLAN fifty, this trunk link is going to die because
00:33:33 - then all of the traffic that is in one through twenty four, out
00:33:36 - that trunk link, even if it's a higher pass thru link; you run
00:33:39 - a major risk by doing that. So be careful of the ramifications
00:33:44 - if you have a high bandwidth center using rspan; now you have
00:33:47 - to configure the other side, let's see if I can squeeze right
00:33:49 - here between these two. Let's do a switch one is now receiving
00:33:54 - so, what I'll do, if only I could, well I guess we can do this
00:33:58 - on Cisco switches if we use notepad; on switch one
00:34:04 - we have to do the same configuration
00:34:08 - that we have on switch two; we have to create the VLAN fifty,
00:34:13 - now vlan rspan identify and all that, but now when we're on switch
00:34:17 - one, let's go back over here to switch one in
00:34:21 - config mode; now on switch one I need to setup the monitor session,
00:34:26 - just slightly different, monitor, session, and then again I'll
00:34:29 - say two, even, I know some of you might be thinking, this number
00:34:32 - does not have to be the same between switches; you can use session
00:34:36 - three, session four, session one, whatever you want on session
00:34:38 - one; it is a locally significant number, so it does not have
00:34:41 - to be the same. So I'll say monitor session two, and we'll say
00:34:45 - the destination, I'm
00:34:48 - going to start with the destination, interface will be fast Ethernet
00:34:51 - zero slash four, my monitor workstation, I'm going to pipe it
00:34:54 - out to there, oh, I think I forgot interface,
00:34:59 - so destination, interface fast Ethernet zero four, and then I'm
00:35:02 - going to type in some of you know where this is going thinking,
00:35:05 - monitor session two, the source, what will the source be,
00:35:11 - remote VLAN fifty you got it, so you see how this works, it's
00:35:16 - going to grab the traffic from VLAN fifty which is the rspan
00:35:20 - VLAN, and then pipe it out to the monitor port, the monitor interface
00:35:25 - on fast Ethernet zero slash four, pretty sweet, so both monitoring
00:35:29 - on the local switch and monitoring across the network, you can
00:35:32 - go across your whole campus with rspan, again with the same warning,
00:35:36 - be careful, you know about the trunk links, you don't want to
00:35:38 - kill them using span and rspan.
00:35:41 - Alright, I'll once again wipe the screen clean here that is what
00:35:46 - span and rspan are all about, so let's now jump to
00:35:50 - this final little gambit here. Now first thing I want to mention
00:35:54 - is I could talk for
00:35:56 - probably thirty minutes on syslog, an hour plus, I would say,
00:36:02 - maybe four hours on SNMP, an
00:36:05 - hour or so on netflow and unlimited values on EEM and when I
00:36:11 - said unlimited it would be with most reaches, and documentation,
00:36:14 - because EEM documentation is very scripting oriented. So what
00:36:17 - I'm going to give is then again the fly by view of this, so to
00:36:20 - introduce the tool, so you're able to see it. I'm sure you've
00:36:25 - seen before, but let's make sure you see them all right here.
00:36:29 - Syslog allows you to pipe the output that is commonly logged
00:36:35 - on your console's comm port via syslog to an outside syslog server;
00:36:40 - now many of you have connected to the console port and have seen
00:36:45 - the messages that are coming across and let me just back out
00:36:49 - here I'm in the console. Here's the syslog message, it's good
00:36:52 - to gather those in one place. Quick and easy way to do it, go
00:36:56 - to google download the kiwi syslog it's a nice syslog server
00:37:01 - for windows, you know pick your favorite syslog there is Splunk;
00:37:04 - all kinds of free ones that are out there, and ones that you
00:37:06 - can pay excessively for, and go in your Cisco devices and do
00:37:11 - logging and type in the IP address of your syslog server; that's
00:37:17 - I would say all the configuration right there. Now again we can
00:37:21 - talk on the ramifications of filtering that output seeing which
00:37:24 - ones need to be included, all that kind of stuff, but essentially
00:37:28 - logging such and such, and anytime you see a message that happens;
00:37:32 - see right there that message right there. It says now it just
00:37:36 - started logging that's cool. Just started logging out to syslog
00:37:40 - coming out on the CLI; now that IP address doesn't actually exist
00:37:44 - but that will not receive those messages. I can choose the level
00:37:48 - of the messages being sent into this syslog server by typing
00:37:52 - in logging trap and then typing the level and above. Then again
00:37:56 - this goes into the syslog messages, I typically want to see warnings
00:38:00 - and below; some people want to see errors and below; some people
00:38:04 - want to see debugging and below again you gotta have a lot of
00:38:07 - space in your system. In your syslog server and that can impact
00:38:10 - your router processor because it's going to start piping that
00:38:12 - data out there; but that sets the level that is sent off to the
00:38:16 - syslog server, so that allows the router to log centrally all
00:38:20 - those messages. SNMP, SNMP is the life blood of your monitoring;
00:38:27 - simple network management protocol operates on a pull model;
00:38:31 - meaning if I have a router right here and my monitoring station
00:38:35 - right here. I'll use prtg, it's funny I it so often people might
00:38:40 - be thinking are you thinking about a kick back or something,
00:38:43 - no, I even asked him if they would, but I still use them anyway,
00:38:47 - but I've got prtg right here; I'm connecting to the router
00:38:55 - every x amount of interval. You know I can go here and say I
00:38:58 - want to monitor the bandwidth usage of fast Ethernet zero slash
00:39:03 - zero every three seconds or every ten seconds or whatever. Again
00:39:07 - it's a pull model, so the monitoring system goes to the router
00:39:11 - and pulls that data down, and that's when I brought up the free
00:39:16 - memory, in this case, this is being checked
00:39:20 - every five minutes, on this every day, every five minutes going
00:39:27 - out and checking the free memory on this pull model basis; again
00:39:31 - the more pull the more resources you're going to consume, but
00:39:34 - the more you could say accurate, or specialized results you're
00:39:39 - going to get, so to configure a device to support SNMP, you go
00:39:45 - to the config of the device and type SNMP server, and then again
00:39:52 - I want to give you the basics but I want to show you, it's quite
00:39:55 - a bit, you want to. Quite a bit information that you can put
00:39:59 - on here. I'm going to go SNMP server community; I'll define my
00:40:03 - community string. Now this should be a very cryptic very secure,
00:40:07 - I have seen people that have community strings, that no joke,
00:40:10 - look like this, including all kinds of weird characters, simply
00:40:14 - because if you have access to that string then you can sabotage
00:40:20 - the router. Let me back up on that, let me explain; let me say
00:40:22 - my community is cisco one; it's question mark, notice, right
00:40:27 - here, you are given the option of read only and read write. I
00:40:32 - would suggest have a very very very strong reason to do so only
00:40:37 - enable read only access via snmp to your router, again, moods
00:40:43 - managing system should only need read access for gathering or
00:40:47 - pulling that data from the router. They're not changing anything
00:40:50 - from the router. If you have read write access in your router,
00:40:54 - we have defined cisco one as a read write community string, and
00:40:57 - somebody figured out that string all security is gone in your
00:41:01 - router, all security all of it. Actually, there is a, go on google
00:41:05 - when you're bored and just type in cisco read write snmp hack
00:41:11 - or hacking commands
00:41:16 - or something like that. There, you, can send an
00:41:19 - snmp string, if you have write access to the router, again any
00:41:23 - value on that router can be changed with snmp if you have a read
00:41:26 - write access; you can change the enable password, you could change
00:41:29 - the ssh password, you could change the telnet password, you can
00:41:31 - change the user accounts, add user accounts, delete user accounts,
00:41:34 - you can do everything essentially all security is gone from your
00:41:37 - router if somebody gets that. That's one of the reasons I really
00:41:40 - prefer kiwi cat tools for all of my configuration backups because
00:41:45 - it actually telnets or sshs into the device to pull the configuration
00:41:50 - whereas a lot of other monitoring systems, I have seen, require
00:41:53 - you have read write access to the router, so you can pull the
00:41:56 - running config and do comparisons. I mean, now, am I saying never,
00:42:00 - never, never, ever enable read write,
00:42:03 - yes. Again
00:42:06 - I would say, it's very rare to do so, but there are some monitoring
00:42:10 - systems that when they detect something going wrong that they
00:42:12 - can make proactive changes, and you can see on this that you
00:42:15 - can attach access lists to say exactly what devices have read
00:42:20 - write access to this via IP addresses; likewise you can also
00:42:23 - use snmp version three which adds authentication to
00:42:28 - snmp. Again all I'm showing here is the basics of it, but this,
00:42:32 - once you have this setup, you would now go to your monitoring
00:42:36 - system, plug in the IP address of your router and say this is
00:42:39 - the read only community string, and you can start monitoring
00:42:41 - read only different messages; that are what counts here. Where
00:42:43 - you get to the management information basically, again, snmp
00:42:46 - we talk on for a long time about. So that is the core of it,
00:42:52 - so one other command that I can show you; I'm going to do snmp
00:42:57 - server, well it's actually right up here, this guy right here
00:43:02 - ifindex; it's a question mark, persists;
00:43:06 - I would suggest typing that in your router. What that does is
00:43:10 - it says the interface index numbers, these are the kind of behind
00:43:14 - scenes numbers that are assigned by the IOS that identifies the
00:43:18 - interfaces to snmp will always stay the same. There are some
00:43:22 - IOS versions, there's some times that if you reboot your router,
00:43:26 - where the interface indexes will change, and at that point your
00:43:29 - monitoring system will say; ah! your interface is down, I can't
00:43:32 - find it anymore, so this will ensure that that counter, that
00:43:37 - identifier for the interface, always stays there. The next one
00:43:42 - on the list is netflow; netflow is really close to snmp in that
00:43:49 - it allows you to monitor the different devices, aspects of your
00:43:53 - router, but netflow is focused on the traffic flows going in
00:43:58 - and out of your router and switch, or whatever device you are
00:44:02 - enabling netflow on. You can get some really cool monitoring
00:44:06 - statistics using netflow; basically, what it does is when a flow,
00:44:10 - when you say flow, this guy it goes to a website, and let's say
00:44:15 - it's downloading information; that is a flow of traffic is identified
00:44:20 - by its port number, by how long it's been there, by the amount
00:44:24 - of traffic that's been sent on that, so can generate a netflow
00:44:27 - report, you can even do that on your router without needing a
00:44:29 - monitoring system, a netflow report that says, well show me the
00:44:33 - top five senders by IP address, so again excuse, somebody comes
00:44:39 - and says the internet is running really slow, you got netflow
00:44:42 - running, you go to your monitoring system,
00:44:44 - show me the top five and then you see that this guy has transferred
00:44:47 - 50 GBits, not GBits, but Gigabytes of data over the last say
00:44:53 - five hours; he's just sucking up bandwidth, so you go over and
00:44:56 - find out what that guy is doing, why are you downloading so much
00:44:58 - on our corporate time; again it helps you really identify holes
00:45:02 - in your network and the traffic flows that are going through
00:45:05 - it. So to enable netflow, again, a lot of monitoring systems
00:45:08 - support it, go into your router, and you want to go under the
00:45:13 - interface, you want to go under fast Ethernet zero slash zero,
00:45:16 - and under the interface where you want to monitor and you type
00:45:21 - ip flow,
00:45:23 - and you can see we've got ingress or egress, so let's say fast
00:45:26 - Ethernet zero slash zero connects to
00:45:32 - the, let's say right here,
00:45:36 - I'm thinking as I, I'm thinking in and out, x right here, turn
00:45:41 - in on ingress network will monitor things as it's coming things
00:45:45 - this way. You really have to think about it because if you think
00:45:48 - about it if you monitor ingress this way, you're really just
00:45:51 - going to see IP addresses and how much bandwidth those public
00:45:53 - IP addresses are consuming, and you can enable it in both directions
00:45:56 - in both interfaces there's no problem, but it is a, it can consume
00:46:00 - resources so, I'm going to say IP flow ingress enter, that's
00:46:06 - it, at this point netflow is enabled on my router, and I can
00:46:10 - go out and I can start using some netflow commands, well show
00:46:13 - me, let's do show IP cache flow, and then you can start identifying
00:46:19 - all the flows, again going through your router, and there's not
00:46:22 - much going on right here that is coming here, and it has identified
00:46:25 - one flow, coming in this router, it's just a little lab router,
00:46:29 - but then again, if you want to go in the router that's great,
00:46:32 - but then you want to configure this to be monitored. Now netflow,
00:46:36 - unlike snmp, it's not a pull system, meaning, the monitoring
00:46:40 - system does not every x number of minutes pull it and then pull
00:46:45 - the information down. It's a push model meaning as the router
00:46:48 - collects enough data; it exports that data to the monitoring
00:46:52 - system who then can put in on the graph, so the router proactively
00:46:55 - pushes it on whatever amount of time that you specify. So the
00:47:00 - way that configure that is you go in and type ip flow export
00:47:06 - because you are exporting this data, and I would say, well first
00:47:09 - off, I would say version, you can see there's two well three
00:47:12 - versions: one, five and nine. The big, I would say, most people
00:47:16 - nowadays will use either five or nine. There's just little
00:47:19 - changes between each one of the versions, the key is that you
00:47:22 - have to match the version number on your monitoring software
00:47:25 - or else it won't work, so let's say I'm using version 9. I would
00:47:28 - then go in and say ip flow export
00:47:32 - destination; and then type in the IP address of my monitoring
00:47:35 - system and say a ten dot one dot one dot one. Now it's going
00:47:40 - to also ask for a port. Now on most these there's a default port
00:47:44 - but notice on this one there is no default port, and that is
00:47:47 - one of the weird things about netflow. When the netflow standard
00:47:51 - was created they never picked a port to be the default. So it's
00:47:56 - just pick one, you pick one that's not in use, you know a lot
00:48:00 - of people like using, and I've seen a lot of people use nine
00:48:02 - nine nine and a number, so nine nine nine and one. Then the key
00:48:05 - is that on your monitoring system you set to receive on that
00:48:09 - same UDP port. This is all UDP traffic based, so again you can
00:48:15 - get into all kinds of detail on this and specify intervals; how
00:48:21 - often it's gonna be checking all those kinds of things but that's
00:48:24 - just the basics of NetFlow to, in showing you that this tool
00:48:28 - will let you monitor things.
00:48:31 - Alright, the last one I want to talk about is EEM, Embedded Event
00:48:36 - Manager; probably the most intriguing one of all of them that are
00:48:40 - on the screen, but the one that sucks your life away, spend the
00:48:44 - most time with. EEM is literally a scripting language for your
00:48:49 - router; if there is anything that the IOS cannot do that you
00:48:54 - wished it did then you'd probably write an EEM script for it.
00:48:58 - I'll give you some examples, maybe you want, maybe you want
00:49:03 - the IOS to send you a message any time somebody types the IP
00:49:11 - address command under an interface; you know changes an IP address,
00:49:14 - well that's not normal IOS, it doesn't log an IP address change
00:49:18 - on an interface, it would log like a shutdown event, but not
00:49:20 - an IP address change, so you would have to create an EEM script
00:49:25 - that did that, or like this, let me grab a router in here; you
00:49:30 - know Cisco routers tell you anytime somebody leaves the configuration,
00:49:36 - for instance, if I hit control Z right here, you can say oh I
00:49:39 - now know somebody left, and if I was using centralized Cisco
00:49:42 - logs, I would be like oh! Somebody just configured my router,
00:49:45 - let me see what is going on there, but what if you wanted it
00:49:48 - to send you a message when somebody went into configuration mode.
00:49:52 - In my opinion that would be a lot more useful because now you
00:49:55 - can catch somebody in the act rather than waiting to have them
00:49:58 - make changes in your router and then exit the configuration mode
00:50:02 - before you're actually notified about it; that would be something
00:50:04 - that you would create an EEM script to do. Now this is the one
00:50:09 - I'm not going to dive into by any means, I will be completely
00:50:13 - honest, guys, EEM is by far my weakest point out of all these tools
00:50:17 - simply because the IOS does what I need it to do, oh, I haven't
00:50:22 - run into a situation yet where I needed a script to go beyond
00:50:26 - that, and I'll also say anytime somebody says scripting there's
00:50:30 - a little person inside of me that goes and crawls up into a tiny
00:50:34 - ball and shrivels. I actually went to college for computer science
00:50:38 - and years and years later left college, you know, and went to
00:50:44 - work for Pizza Hut, I kid you not because I
00:50:48 - so despised programming, I thought computers must not be my thing,
00:50:53 - I must not be good at this and thankfully within two days I realized,
00:50:57 - Pizza was not my thing either, so by the grace of God himself
00:51:01 - I ended up in a Networking ilk through a long chain of events,
00:51:05 - but anytime somebody brings up scripting I just kind of, I say
00:51:09 - there's people that do that, so let me actually give you a direction
00:51:14 - to go with this. If you are really interested in getting EEM
00:51:17 - going there's a whole EEM scripting community on Cisco's website,
00:51:20 - as a matter of fact, you can either google that thing I highlighted
00:51:23 - EEM scripting or here is the URL right here; just type that bad
00:51:28 - boy in your web browser, and you are on your way, but just to
00:51:33 - give you an idea of some of the scripts. This is a community
00:51:36 - where they post common scripts like let's grab network management,
00:51:40 - you can see in here we've got a tclsh script to do a DNS search
00:51:44 - in the IOS, we've got script logs; all outgoing
00:51:50 - SNMP traps to a log file, so it kind of converts SNMP to syslog
00:51:53 - if you will. Again, it sets up a monitoring
00:51:57 - that reports packet loss for WAN links, files and so on; you
00:52:01 - see kind of what this is; it's just a world,
00:52:05 - a whole world of going beyond, as a matter of fact, where did
00:52:09 - I see it, user interface, check this out. Somebody has created
00:52:15 - a Lotto EEM script to allow a router to run a lotto gambling
00:52:19 - game on Cisco IOS. I would say that there's a special place in
00:52:24 - Cisco purgatory for people that do this on production routers.
00:52:27 - Don't, don't do it. I mean you can, I mean look at this, you can
00:52:30 - send Twitter messages from the IOS, so, I mean, this is, I know
00:52:34 - when you see that you're like that's pretty cool, somebody actually
00:52:37 - liked it they're ready to do, four stars. There's a lot you
00:52:41 - can do out of box from what the IOS allows you to do; that's
00:52:46 - what EEM is all about, just going beyond typical IOS commands
00:52:51 - to a scripting language where you can do just about anything.
00:52:54 - Well, as we wrap things up I want to give you a little taste
00:52:58 - of what it's like to be in the real world of troubleshooting.
00:53:03 - I want to show you where I was last night literally I get a call
00:53:07 - in the morning from a friend of mine, he actually, he kind of
00:53:10 - does the same thing I do except on the development Windows side
00:53:13 - of things, and he calls me any time he has a network issue, and
00:53:16 - I call him every time I want somebody to type some code. We kind
00:53:19 - of help each other out and partner together. He calls me up and
00:53:22 - says dude, I just landed this massive contract you got to help
00:53:27 - me, and I go what do you mean, and he goes their network is just
00:53:30 - a mess, and then I go yeah ok, I understand, I understand. I
00:53:33 - had no idea, I'm going to show you a picture; this is one of
00:53:37 - their branch offices. Now there are many branch offices this
00:53:41 - is one of them. I am not kidding. You see those pictures on the
00:53:46 - internet, and you're like c'mon somebody obviously was like.
00:53:51 - Yeah, whatever, but it happened, and I was there, and I was like
00:53:55 - you're kidding me, so first you go and say look here's a Cisco
00:53:58 - router right there; well that's just a managed router that was
00:54:01 - providing internet connectivity that, they didn't even touch
00:54:04 - that router. What I thought was hilarious once I regained composure
00:54:09 - walking in this room is the fact that they have cable management,
00:54:13 - they actually have cable management in this rack, and it's not
00:54:17 - even being used. It's like up here is like someone said I think
00:54:20 - I'll use some cable management today and run these two cables,
00:54:23 - no, I did that, I actually did that was the tenants that were
00:54:28 - in place. I actually had my brother with me, and I'm like dude
00:54:30 - you got to take a picture of this. I gotta show people, but just
00:54:34 - to give you an idea this is why these skills are so necessary
00:54:39 - is because this exists, and it's just not messy, and I'm not
00:54:43 - talking, this is one thing, yeah we can spend a day on that and
00:54:46 - get it all pretty do some cable management in your cabinet all
00:54:49 - that kind of stuff, but what I'm talking about is; this which
00:54:53 - is a little Cisco switch goes to this which is a Juniper firewall,
00:54:58 - how did that get in the network and then it goes down to well
00:55:02 - you can't see it, it's kind of tucked behind here, a DSL modem,
00:55:07 - I kid you not, this is a real office with real people working
00:55:11 - in it, hundreds of them, that are all going through an Actiontec
00:55:15 - DSL modem for internet access, so when it comes to troubleshooting
00:55:21 - these skills are so necessary, you need to be able to do all
00:55:24 - these things; assuming you don't have Juniper, I mean I actually
00:55:27 - said that, assuming that you don't have a DSL modem, you should
00:55:30 - be able to read or redirect output to different places, test
00:55:33 - connectivity and all the different methods check the resources
00:55:36 - on your devices make sure processor memory is within check, SPAN
00:55:41 - or RSPAN to do some port monitoring could get scary in these
00:55:45 - kinds of networks, and then why don't we walk through syslog
00:55:48 - and SNMP and NetFlow and EEM. All tools that you can add to your
00:55:52 - tool belt, as we get into, now, to the practical troubleshooting
00:55:55 - scenarios through the rest of this series. I hope this has been
00:55:58 - informative for you, and I'd like to thank you for viewing.


Jeremy Cioara

CBT Nuggets Trainer

Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE, Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area Of Expertise:
Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); CCNA Exam Cram (Exam 640-802) 3rd Edition; and CCNA Voice 640-461 Official Cert Guide.

General TSHOOT: IOS Tools to Monitor and Maintain the Network, Part 2