Cisco Catalyst Blade Switch 3120X for HP Software Configuration Guide
However, if the intermediate switch is a multilayer switch that is routing a particular packet, this switch shows up as a hop in the traceroute output. Traceroute finds the address of the first hop by examining the source address field of the ICMP time-to-live-exceeded message. The first router decrements the TTL field by 1 and sends the datagram to the next router. The second router sees a TTL value of 1, discards the datagram, and returns the time-to-live-exceeded message to the source.

This process continues until the TTL is incremented to a value large enough for the datagram to reach the destination host or until the maximum TTL is reached. To learn when a datagram reaches its destination, traceroute sets the UDP destination port number in the datagram to a very large value that the destination host is unlikely to be using. When a host receives a datagram destined to itself containing a destination port number that is unused locally, it sends an ICMP port-unreachable error to the source.

Because all errors except port-unreachable errors come from intermediate hops, the receipt of a port-unreachable error means that the message was sent by the destination host. Beginning in privileged EXEC mode, follow this step to trace the path that packets take through the network. Note Though other protocol keywords are available with the traceroute privileged EXEC command, they are not supported in this release.
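The TTL-probing exchange described above, written out as a small simulation. This is an added example, not code from the guide: the path, its addresses and the hop behaviours are constructed, and one probe per TTL is sent instead of the three a real traceroute sends. It shows why a transparent Layer 2 switch never appears as a hop, why a device that drops probes without replying shows up as "*", and how the port-unreachable reply marks the destination.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Hop:
    """One device on the constructed path."""
    address: str
    routes: bool = True    # False: transparent Layer 2 switch, TTL is never decremented
    silent: bool = False   # True: discards the probe without sending any ICMP reply

@dataclass
class Probe:
    ttl: int
    dst_port: int          # deliberately high UDP port the destination is unlikely to use

def send_probe(path: List[Hop], destination: str, probe: Probe) -> Tuple[Optional[str], str]:
    """Forward one probe along the path. Returns (address that replied, ICMP message)
    or (None, "timeout") when the probe is dropped silently."""
    ttl = probe.ttl
    for hop in path:
        if not hop.routes:
            continue                       # Layer 2 forwarding: TTL untouched, hop invisible
        ttl -= 1                           # every routing hop decrements the TTL by 1
        if ttl == 0:                       # TTL exhausted: discard and report back to the source
            if hop.silent:
                return None, "timeout"
            return hop.address, "time-exceeded"
    # Probe survived every hop: the destination host finds the port unused and replies
    return destination, "port-unreachable"

def traceroute(path: List[Hop], destination: str, max_ttl: int = 30,
               dst_port: int = 33434) -> List[Tuple[int, str, str]]:
    """Send probes with TTL 1, 2, 3, ... until the destination answers with
    port-unreachable or max_ttl is reached. Each entry is (ttl, replier, message)."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        replier, message = send_probe(path, destination, Probe(ttl, dst_port))
        hops.append((ttl, replier if replier is not None else "*", message))
        if message == "port-unreachable":
            break
    return hops

# Constructed sample path: router, transparent switch, a router that filters probes
# silently, another router, then the destination host.
SAMPLE_PATH = [
    Hop("192.0.2.1"),
    Hop("switch-L2", routes=False),
    Hop("192.0.2.2", silent=True),
    Hop("192.0.2.3"),
]
DESTINATION = "198.51.100.7"

if __name__ == "__main__":
    for ttl, who, msg in traceroute(SAMPLE_PATH, DESTINATION):
        print(f"{ttl:2d}  {who:<16} {msg}")
```

The Layer 2 switch contributes no line of output, the silent hop appears as "*" (the probe simply times out), and the run stops at the first port-unreachable reply. With a small max_ttl the trace ends before the destination is reached, which is the other termination condition the text describes.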

This example shows how to perform a traceroute to an IP host. The display shows the hop count, the IP address of the router, and the round-trip time in milliseconds for each of the three probes that are sent. Administratively unreachable: usually, this output means that an access list is blocking traffic.

When running TDR, a local device sends a signal through a cable and compares the reflected signal to the initial signal.

For example, a shorted twisted pair can occur if one wire of the twisted pair is soldered to the other wire. If one of the twisted-pair wires is open, TDR can find the length at which the wire is open. When you run TDR on an interface, you can run it on the stack master or a stack member. To display the results, enter the show cable-diagnostics tdr interface interface-id privileged EXEC command. For a description of the fields in the display, see the command reference for this release.

These sections explain how you use debug commands to diagnose and resolve internetworking problems. Note For complete syntax and usage information for specific debug commands, see the command reference for this release.

In a switch stack, when you enable debugging, it is enabled only on the stack master. To enable debugging on a stack member, you must start a session from the stack master by using the session switch-number privileged EXEC command. Then, enter the debug command at the command-line prompt of the stack member. All debug commands are entered in privileged EXEC mode, and most debug commands take no arguments. The switch continues to generate output until you enter the no form of the command.

If you enable a debug command and no output appears, consider these possibilities. Use the show running-config command to check its configuration. Alternately, in privileged EXEC mode, you can enter the undebug form of the command.

To display the state of each debugging option, enter this command in privileged EXEC mode. Beginning in privileged EXEC mode, enter this command to enable all-system diagnostics. The no debug all privileged EXEC command disables all diagnostic output. Using the no debug all command is a convenient way to ensure that you have not accidentally left any debug commands enabled. By default, the network server sends the output from debug commands and system error messages to the console.

If you use this default, you can use a virtual terminal connection to monitor debug output instead of connecting to the console port or the Ethernet management port. Possible destinations include the console, virtual terminals, internal buffer, and UNIX hosts running a syslog server. The syslog format is compatible with 4. Note Be aware that the debugging destination you use affects system overhead.

Logging messages to the console produces very high overhead, whereas logging messages to a virtual terminal produces less overhead. Logging messages to a syslog server produces even less, and logging to an internal buffer produces the least overhead of any method. When stack members generate a system error message, the stack master displays the error message to all stack members. The syslog resides on the stack master. Note Make sure to save the syslog to flash memory so that the syslog is not lost if the stack master fails.

For more information about system message logging, see "Configuring System Message Logging." The output from the show platform forward privileged EXEC command provides some useful information about the forwarding results if a packet entering an interface is sent through the system.

Depending upon the parameters entered about the packet, the output provides lookup table results and port maps used to calculate forwarding destinations, bitmaps, and egress information. Note For more syntax and usage information for the show platform forward command, see the switch command reference for this release. Most of the information in the output from the command is useful mainly for technical support personnel, who have access to detailed information about the switch application-specific integrated circuits (ASICs).

However, packet forwarding information can also be helpful in troubleshooting. This is an example of the output from the show platform forward command on port 1 in VLAN 5 when the packet entering that port is addressed to unknown MAC addresses. The packet should be flooded to all other ports in VLAN 5. It should be forwarded from the port on which the address was learned.

Because there is no default route set, the packet should be dropped. It should be forwarded as specified in the routing table. The crashinfo files save information that helps Cisco technical support representatives to debug problems that caused the Cisco IOS image to fail (crash). The switch writes the crash information to the console at the time of the failure.

The switch creates two types of crashinfo files. The information in the basic file includes the Cisco IOS image name and version that failed, a list of the processor registers, and a stack trace. You can provide this information to the Cisco technical support representative by using the show tech-support privileged EXEC command. Each new crashinfo file that is created uses a sequence number that is larger than any previously existing sequence number, so the file with the largest sequence number describes the most recent failure.

Version numbers are used instead of a timestamp because the switches do not include a real-time clock.

You cannot change the name of the file that the system will use when it creates the file. However, after the file is created, you can use the rename privileged EXEC command to rename it, but the contents of the renamed file will not be displayed by the show stacks or the show tech-support privileged EXEC command. You can delete crashinfo files by using the delete privileged EXEC command. You can display the most recent basic crashinfo file (that is, the file with the highest sequence number at the end of its filename) by entering the show stacks or the show tech-support privileged EXEC command.

You also can access the file by using any command that can copy or display files, such as the more or the copy privileged EXEC command. The switch creates the extended crashinfo file when the system is failing. The information in the extended file includes additional information that can help determine the cause of the switch failure. You provide this information to the Cisco technical support representative by manually accessing the file and using the more or the copy privileged EXEC command.

You can configure the switch to not create the extended crashinfo file by using the no exception crashinfo global configuration command. You can use the on-board-failure logging (OBFL) feature to collect information about the switch. The information includes uptime, temperature, and voltage information and helps Cisco technical support representatives to troubleshoot switch problems.

We recommend that you keep OBFL enabled and do not erase the data stored in the flash memory. By default, OBFL is enabled. It collects information about the switch and small form-factor pluggable (SFP) modules. The switch stores this information in the flash memory. If the switch fails, contact your Cisco technical support representative to find out how to retrieve the data.

To enable OBFL, use the hw-module module [ switch-number ] logging onboard [ message level level ] global configuration command. The range for switch-number is from 1 to 9. Use the message level level parameter to specify the severity of the hardware-related messages that the switch generates and stores in the flash memory.

To copy the OBFL data to the local network or a specific file system, use the copy logging onboard module stack-member destination privileged EXEC command. To disable OBFL, use the no hw-module module [ switch-number ] logging onboard [ message level ] global configuration command.

In a switch stack, you can enable OBFL on a standalone switch or on all stack members by using the hw-module module logging onboard [ message level level ] global configuration command. For more information about the commands in this section, see the command reference for this release. Display the hardware-related messages generated by a standalone switch or the specified stack members. Display the power consumption of PoE ports on a standalone switch or the specified stack members.

Display the temperature of a standalone switch or the specified switch stack members. Display the time when a standalone switch or the specified stack members start, the reason the standalone switch or specified stack members restart, and the length of time that the standalone switch or specified stack members have been running since they last restarted.

Display the system voltages of a standalone switch or the specified stack members. For more information about using the commands in Table and for examples of OBFL data, see the command reference for this release.

PDF - Complete Book Updated: February 15, Chapter: Troubleshooting. Troubleshooting This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the switch. This recovery procedure requires that you have physical access to the switch. Several lines of information about the software appear along with instructions: The system has been interrupted prior to initializing the flash file system.

Recovering from a Lost or Forgotten Password The default configuration for the switch allows an end user with physical access to the switch to recover from a lost password by interrupting the boot process during power-on and by entering a new password.

When you complete them, power on the switch. At the setup prompt, do nothing: The switch begins the initial configuration as described in the "Initial Configuration" section. When the full configuration file is loaded on your switch, you need to do nothing else.

One or more templates for each type of device, with the ConfigID of the device mapped to the template. Note For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1. The default port number is If omitted, this is the primary gateway.

For retry-count , enter the number of unanswered keepalive messages that the switch sends before the connection is terminated. The default for each is 0.

Note Though visible in the command-line help string, the encrypt and the clock-timeout time keywords are not supported. You can enable the Cisco IOS agent with these commands. You can then use the Configuration Engine to remotely send incremental configurations to the switch. Beginning in privileged EXEC mode, follow these steps to enable the CNS configuration agent and initiate an initial configuration on the switch.

Enter a command line for the CNS connect template. Repeat this step for each command line in the template. The range is 1 to The default is 3. The range is 1 to 40 seconds. The default is 10 seconds. The range is 0 to seconds. The default is 0. The range is 10 to seconds. The default is (Optional) For subinterface subinterface-number , specify the point-to-point subinterface number that is used to search for active DLCIs.

You can specify more than one template. Note If both the event and image keywords are omitted, the image-id value is used to identify the switch. If the no-persist keyword is not entered, using the cns config initial command causes the resultant configuration to be automatically written to NVRAM.

Note Though visible in the command-line help string, the encrypt , status url , and inventory keywords are not supported. This example shows how to configure an initial configuration on a remote switch when the switch configuration is unknown (the CNS Zero Touch feature). This example shows how to configure an initial configuration on a remote switch when the switch IP address is known.

The Configuration Engine IP address is Note Though visible in the command-line help string, the encrypt keyword is not supported. To cancel a partial configuration, use the cns config cancel privileged EXEC command. Displays information about incremental partial CNS configurations that have started but are not yet completed. Displays a list of event agent subjects that are subscribed to by applications.

PDF - Complete Book Updated: February 18, DeviceID Each configured switch participating on the event bus has a unique DeviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus.

Hostname and DeviceID The DeviceID is fixed at the time of the connection to the event gateway and does not change even when the switch hostname is reconfigured. Caution When using the Configuration Engine user interface, you must first set the DeviceID field to the hostname value that the switch acquires after (not before) you use the cns config initial global configuration command at the switch. Otherwise, subsequent cns config partial global configuration command operations malfunction.

Synchronized Configuration When the switch receives a configuration, it can defer application of the configuration upon receipt of a write-signal event. Step 4 show cns event connections Verify information about the event agent.

Step 5 show running-config Verify your entries. For more information, see the "Configuring Username and Password Pairs" section. Multiple networking devices can then use the same database to obtain user authentication and, if necessary, authorization information. A simple way of providing terminal access control in your network is to use passwords and assign privilege levels.

Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. Table shows the default password and privilege level configuration. No password is defined.

The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file. The password is encrypted before it is written to the configuration file. The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password. Define a new password or change an existing password for access to privileged EXEC mode.

For password , specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. It can contain the question mark (?) if you precede the question mark with the Ctrl-v key combination when you create the password. When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?

The enable password is not encrypted and can be read in the switch configuration file. To remove the password, use the no enable password global configuration command.

This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access). To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands. Both commands accomplish the same thing; that is, you can establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify.

We recommend that you use the enable secret command because it uses an improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.

Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords. Define a secret password, which is saved using a nonreversible encryption method.

Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges). By default, no password is defined. If you specify an encryption type, you must provide an encrypted password—an encrypted password that you copy from another switch configuration. Note If you specify an encryption type and then enter a clear text password, you cannot re-enter privileged EXEC mode.

You cannot recover a lost encrypted password by any method. (Optional) Encrypt the password when the password is defined or when the configuration is written. Encryption prevents the password from being readable in the configuration file. If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level.

Use the privilege level global configuration command to specify commands accessible at various levels. For more information, see the "Configuring Multiple Privilege Levels" section. If you enable password encryption, it applies to all passwords including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords.

To remove a password and level, use the no enable password [ level level ] or no enable secret [ level level ] global configuration command. To disable password encryption, use the no service password-encryption global configuration command. By default, any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.

The password-recovery disable feature protects access to the switch password by disabling part of this functionality. When this feature is enabled, the end user can interrupt the boot process only by agreeing to set the system back to the default configuration.

With password recovery disabled, you can still interrupt the boot process and change the password, but the configuration file config. Note If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values.

Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol.

For more information, see the "Recovering from a Lost or Forgotten Password" section on page Beginning in privileged EXEC mode, follow these steps to disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.

Verify the configuration by checking the last few lines of the command output. To re-enable password recovery, use the service password-recovery global configuration command. Note Disabling password recovery will not work if you have set the switch to boot up manually by using the boot manual global configuration command.

This command produces the boot loader prompt switch: after the switch is power cycled. When you power-up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use.

The setup program also prompts you to configure your switch for Telnet access through a password. If you did not configure this password during the setup program, you can configure it now through the command-line interface (CLI). Attach a PC or workstation with emulation software to the switch console port, or attach a PC to the Ethernet management port.

The default data characteristics of the console port are , 8, 1, no parity. You might need to press the Return key several times to see the command-line prompt. Configure the number of Telnet sessions (lines), and enter line configuration mode. There are 16 possible sessions on a command-capable switch. The 0 and 15 mean that you are configuring all 16 possible Telnet sessions.

The password is listed under the command line vty 0 To remove the password, use the no password global configuration command. This example shows how to set the Telnet password to let45me67in89. You can configure username and password pairs, which are locally stored on the switch.

Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password. Spaces and quotation marks are not allowed.

The range is 0 to Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access. Enter 7 to specify that a hidden password will follow. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command. Enter line configuration mode, and configure the console port line 0 or the VTY lines line 0 to Enable local password checking at login time.

Authentication is based on the username specified in Step 2. To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.

Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password. The first command shows the password and access level configuration. The second command shows the privilege level configuration.

When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.

To return to the default privilege for a given command, use the no privilege mode level level command global configuration command. This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands. Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line.
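A model of the command privilege rules just described, written as an added example rather than anything from the guide. It implements the subset rule (assigning a level to show ip traffic also assigns it to show and show ip unless those were set individually), the no privilege return to the default, and the check a user at a given level must pass to run a command. The class name, the default level of 1 for commands that were never assigned, and the sample assignments are this example's assumptions.

```python
from typing import Dict, Iterator

USER_EXEC = 1    # level 1: normal user EXEC privileges
PRIV_EXEC = 15   # level 15: access permitted by the enable password

class PrivilegeTable:
    """Tracks 'privilege exec level <n> <command>' assignments.

    Assumption for this example: a command with no assignment is at level 1."""

    def __init__(self, default_level: int = USER_EXEC) -> None:
        self.default_level = default_level
        self.explicit: Dict[str, int] = {}   # commands set individually
        self.implied: Dict[str, int] = {}    # prefixes set by the subset rule

    @staticmethod
    def _normalize(command: str) -> str:
        return " ".join(command.split())

    @staticmethod
    def _prefixes(command: str) -> Iterator[str]:
        # 'show ip traffic' -> 'show', 'show ip'
        words = command.split()
        for n in range(1, len(words)):
            yield " ".join(words[:n])

    def set_level(self, level: int, command: str) -> None:
        """privilege exec level <level> <command>"""
        if not 0 <= level <= 15:
            raise ValueError("privilege levels range from 0 to 15")
        command = self._normalize(command)
        self.explicit[command] = level
        self.implied.pop(command, None)
        # Subset rule: every prefix of the command takes the same level,
        # unless that prefix was set individually.
        for prefix in self._prefixes(command):
            if prefix not in self.explicit:
                self.implied[prefix] = level

    def unset(self, command: str) -> None:
        """no privilege exec level <level> <command>: back to the default."""
        command = self._normalize(command)
        self.explicit.pop(command, None)
        self.implied.pop(command, None)

    def level_of(self, command: str) -> int:
        command = self._normalize(command)
        if command in self.explicit:
            return self.explicit[command]
        if command in self.implied:
            return self.implied[command]
        return self.default_level

    def can_run(self, user_level: int, command: str) -> bool:
        """A user must be at or above the level of the command and of every
        prefix that has to be entered to reach it."""
        words = self._normalize(command).split()
        return all(self.level_of(" ".join(words[:n])) <= user_level
                   for n in range(1, len(words) + 1))

def build_sample_table() -> PrivilegeTable:
    """Constructed assignments mirroring the guide's own examples."""
    table = PrivilegeTable()
    table.set_level(PRIV_EXEC, "show ip traffic")   # raises 'show' and 'show ip' too
    table.set_level(14, "configure")                # the page's level-14 example
    table.set_level(2, "clear line")                # widely shared level-2 command
    return table

if __name__ == "__main__":
    t = build_sample_table()
    for cmd in ("show", "show ip", "show ip traffic", "configure", "clear line"):
        print(f"{cmd:<18} level {t.level_of(cmd)}")
```

The side effect worth noticing is the one the text warns about: after show ip traffic is moved to level 15, a level-1 user can no longer enter any show command until show itself is set back to level 1 individually, which the second assertion below does.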

For level , the range is from 0 to Users can override the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level.

They can lower the privilege level by using the disable command. If users know the password to a higher privilege level, they can use that password to enable the higher privilege level.

You might specify a high level or privilege level for your console line to restrict line usage. To return to the default line privilege level, use the no privilege level line configuration command. Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.

Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or subnetwork, and to interconnected networks as shown in Figure The authentication facility can conduct a dialog with the user (for example, after a username and password are provided, to challenge a user with several questions, such as home address, mother's maiden name, service type, and social security number).

For example, a message could notify users that their passwords must be changed because of the company's password aging policy.

Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing. Accounting records include user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes. The daemon prompts for a username and password combination, but can include other items, such as the user's mother's maiden name.

If the switch is configured to require authorization, authorization begins at this time. If an ERROR response is received, the switch typically tries to use an alternative method for authenticating the user. After authentication, the user undergoes an additional authorization phase if authorization has been enabled on the switch.

A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring a backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.

You can configure the switch to use a single server or AAA server groups to group existing server hosts for authentication. You can group servers to select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list and contains the list of IP addresses of the selected server hosts. Enter this command multiple times to create a list of preferred hosts. The software searches for hosts in the order in which you specify them.

The default is port The range is 1 to The default is 5 seconds. The range is 1 to seconds. To configure AAA authentication, you define a named list of authentication methods and then apply that list to various ports.

The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific port before any of the defined authentication methods are performed. The only exception is the default method list which, by coincidence, is named default.

The default method list is automatically applied to all ports except those that have a named method list explicitly defined. A defined method list overrides the default method list. A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list.

This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.

Beginning in privileged EXEC mode, follow these steps to configure login authentication. The default method list is automatically applied to all ports. The additional methods of authentication are used only if the previous method returns an error, not if it fails.
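The method-list walk described in the preceding paragraphs (both the general description of method lists and the login-authentication rules), as an added example that is not part of the guide. It separates the two outcomes the text distinguishes: a method that does not respond (ERROR) falls through to the next method, while a method that answers and denies the user (FAIL) stops the walk even if a later method would have accepted the credentials. The method implementations, the local user database and the list and line names are constructed; the enable password reused here is the one from the guide's own example.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Outcome(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method was reached and denied the user
    ERROR = "error"  # method did not respond (server unreachable, timeout)

Method = Callable[[str, str], Outcome]
MethodList = List[Tuple[str, Method]]

def run_method_list(methods: MethodList, username: str, password: str) -> Tuple[bool, list]:
    """Try each method in order. ERROR moves on to the next method, FAIL stops
    immediately, and an exhausted list denies access. Returns (granted, trail)."""
    trail = []
    for name, method in methods:
        outcome = method(username, password)
        trail.append((name, outcome))
        if outcome is Outcome.PASS:
            return True, trail
        if outcome is Outcome.FAIL:
            return False, trail          # a denial ends the cycle; nothing else is tried
    return False, trail                  # every method errored: no answer means deny

def select_list(named_lists: Dict[str, MethodList], line_bindings: Dict[str, str],
                line: str) -> MethodList:
    """'login authentication <name>' on a line overrides the list named 'default',
    which applies to every line without an explicit binding."""
    return named_lists[line_bindings.get(line, "default")]

# --- constructed methods -----------------------------------------------------
LOCAL_USERS = {"netops": "Loc4l-0nly"}        # what 'username <name> password <pw>' creates
ENABLE_PASSWORD = "l1u2c3k4y5"                # the guide's enable-password example

def local_method(username: str, password: str) -> Outcome:
    return Outcome.PASS if LOCAL_USERS.get(username) == password else Outcome.FAIL

def enable_method(username: str, password: str) -> Outcome:
    return Outcome.PASS if password == ENABLE_PASSWORD else Outcome.FAIL

def make_radius_method(reachable: bool, accounts: Dict[str, str]) -> Method:
    """Simulated 'group radius': unreachable servers produce ERROR, a reachable
    server answers PASS or FAIL from its constructed account table."""
    def radius(username: str, password: str) -> Outcome:
        if not reachable:
            return Outcome.ERROR
        return Outcome.PASS if accounts.get(username) == password else Outcome.FAIL
    return radius

# Two named lists and the lines they are bound to (constructed).
METHOD_LISTS: Dict[str, MethodList] = {
    "default": [("group radius", make_radius_method(reachable=False, accounts={})),
                ("local", local_method)],
    "console": [("enable", enable_method)],
}
LINE_BINDINGS = {"con 0": "console"}          # vty lines fall back to 'default'

def login(line: str, username: str, password: str) -> Tuple[bool, list]:
    return run_method_list(select_list(METHOD_LISTS, LINE_BINDINGS, line), username, password)

if __name__ == "__main__":
    print(login("vty 0", "netops", "Loc4l-0nly"))
    print(login("con 0", "netops", ENABLE_PASSWORD))
```

The second assertion below is the case operators most often get wrong: with the RADIUS server reachable and rejecting the user, the local database is never consulted, so a local fallback only protects against an unreachable server, not against a server that says no.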

Before you can use this authentication method, you must define an enable password by using the enable password global configuration command.

Before you can use this authentication method, you must define a line password. Use the password password line configuration command. You must enter username information in the database.

Use the username password global configuration command. You must enter username information in the database by using the username name password global configuration command. Enter line configuration mode, and configure the lines to which you want to apply the authentication list. To disable AAA, use the no aaa new-model global configuration command. Note To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip http authentication aaa global configuration command.

AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it. Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.

The exec keyword might return user profile information such as autocommand information. The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. This section describes how to enable and configure RADIUS, which provides detailed accounting information and flexible administrative control over authentication and authorization processes.

Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.

This is to help ensure that the RADIUS server remains accessible in case one of the connected stack members is removed from the switch stack. In an IP-based network with multiple vendors' access servers, dial-in users are authenticated through a RADIUS server that has been customized to work with the Kerberos security system.

See Figure The RADIUS accounting functions allow data to be sent at the start and end of services, showing the amount of resources such as time, packets, bytes, and so forth used during the session. An Internet service provider might use a freeware-based version of RADIUS access control and accounting software to meet special security and billing needs. When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:.

The user is prompted to enter a username and password. REJECT—The user is either not authenticated and is prompted to re-enter the username and password, or access is denied. If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as a fail-over backup to the first one. The timeout, retransmission, and encryption key values can be configured globally for all RADIUS servers, on a per-server basis, or in some combination of global and per-server settings.

To apply these settings globally to all RADIUS servers communicating with the switch, use the three unique global configuration commands: radius-server timeout , radius-server retransmit , and radius-server key. Note If you configure both global and per-server functions (timeout, retransmission, and key commands) on the switch, the per-server timer, retransmission, and key value commands override global timer, retransmission, and key value commands.

You can configure the switch to use AAA server groups to group existing server hosts for authentication. This procedure is required. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used.

Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.
