Correcting the Problem at the Transport and Application Layers (presentation)


Slide 1
Cisco Internetwork Troubleshooting
Correcting the Problem at the Transport and Application Layers
© 2005 Cisco Systems, Inc. All rights reserved.
CIT 5.2—5-


Slide 2: Commands Used to Correct Transport Layer Problems

router(config)# access-list {access-list-number} {deny | permit} {tcp | udp} source source-wildcard destination destination-wildcard [log]

Defines an extended access list.

router(config)# ip access-list {standard | extended} {access-list-name}

Defines a standard or extended named access list.

router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}

Applies an extended access list to the interface.


Slide 3: Example: Correcting an Extended Access List Problem at the Transport Layer


Slide 4
Columbia>enable
Columbia#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
Columbia(config)#ip access-list extended Traffic
Columbia(config-ext-nacl)#permit tcp 172.22.0.0 0.0.255.255 any eq telnet
Columbia(config-ext-nacl)#exit
Columbia#
Dec 19 16:16:02: %SYS-5-CONFIG_I: Configured from console by console
Columbia#show access-lists Traffic
Extended IP access list Traffic
permit icmp any any (15 matches)
permit tcp 172.22.0.0 0.0.255.255 any eq ftp-data
permit tcp 172.22.0.0 0.0.255.255 any eq ftp
permit tcp 172.22.0.0 0.0.255.255 any eq www
permit udp 172.22.0.0 0.0.255.255 any eq tftp
permit tcp 172.22.0.0 0.0.255.255 any eq telnet
Columbia#

Correcting an Extended Access List Problem at the Transport Layer


Slide 5
Columbia_SW>telnet Baltimore
Trying Baltimore (172.22.128.1)... Open

BaseBaseBaseBaseBaseBaseBaseBaseBaseBaseBaseBaseBaseBase
Baltimore
an ACME Distribution Workgroup Router
-- Baseline --
BaseBaseBaseBaseBaseBaseBaseBaseBaseBaseBaseBaseBaseBase

User Access Verification
 
Password:
Baltimore>

Verifying the Correction to the Misconfigured Access List


Slide 6: Example: Correcting a Problem at the Transport Layer


Slide 7
SanFran#conf t
SanFran(config-if)#interface fastethernet 0/0
SanFran(config-if)#ip route-cache flow
SanFran(config-if)#interface fastethernet 0/1
SanFran(config-if)#ip route-cache flow


SanFran(config-if)#^Z
SanFran#

Configuring IP Cache Flow Switching on SanFran and Oakland


Oakland#conf t
Oakland(config-if)#interface fastethernet 0/1
Oakland(config-if)#ip route-cache flow
Oakland(config-if)#interface fastethernet 0/0
Oakland(config-if)#ip route-cache flow
Oakland(config-if)#^Z
Oakland#


Slide 8
SanFran#show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IO3-M), Version 12.2(10a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 21-May-02 13:57 by pwade
Image text-base: 0x80008088, data-base: 0x80A11A68
ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
SanFran uptime is 35 minutes
System returned to ROM by reload
System image file is "flash:c2600-io3-mz.122-10a.bin"
cisco 2621 (MPC860) processor (revision 0x200) with 28672K/4096K bytes of memory.
Processor board ID JAD051605U8 (2328523549)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
2 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
SanFran#

Viewing the Cisco IOS Version on SanFran


Slide 9: Reviewing Cisco IOS Release Status on the Cisco Feature Navigator


Slide 10: Finding Features by Cisco IOS Image Name on the Cisco Feature Navigator


Slide 11: Reviewing Cisco IOS Release Status on the Cisco Feature Navigator


Slide 12: Looking for Software Advisories for a Specific Image


Slide 13: Reviewing the Software Advisories for a Specific Image


Slide 14
SanFran#show ip cache flow
IP packet size distribution (53 total packets):

1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .962 .018 .000 .000 .000 .000 .000 .000 .000 .018 .000 .000 .000 .000
 
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
 
IP Flow Switching Cache, 278544 bytes
3 active, 4093 inactive, 5 added
105 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
UDP-other 1 0.0 1 328 0.0 0.0 15.1
ICMP 1 0.0 1 84 0.0 0.0 15.5
Total: 2 0.0 1 206 0.0 0.0 15.3
 
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/0 10.1.23.17 Local 172.26.141.10 06 0887 0017 39
Fa0/0 172.24.141.1 Null 224.0.0.10 58 0000 0000 6
Fa0/0 172.24.141.9 Null 224.0.0.10 58 0000 0000 6
 
SanFran#

Reviewing IP Cache Flow on SanFran


Slide 15
Oakland#show ip cache flow
IP packet size distribution (1779191 total packets):

1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .096 .864 .006 .010 .002 .001 .006 .000 .000 .000 .000 .000 .000 .000
 
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .001 .008 .000 .000 .000 .000 .000 .000
 
IP Flow Switching Cache, 278544 bytes
1049 active, 3047 inactive, 1559937 added
7934358 ager polls, 0 flow alloc failures
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 228 0.0 67 101 0.0 27.0 11.8
TCP-WWW 8357 0.0 3 260 0.0 3.7 8.7
TCP-SMTP 38 0.0 15 199 0.0 4.1 2.1
TCP-other 25536 0.0 5 186 0.0 4.8 8.6
UDP-DNS 561 0.0 42 68 0.0 29.6 9.0
UDP-NTP 1973 0.0 1 76 0.0 0.0 13.8
UDP-other 7352 0.0 4 156 0.0 2.4 13.3
ICMP 1514689 0.3 1 91 0.3 0.0 12.7
IP-other 142 0.0 27 60 0.0 123.0 3.2
Total: 1558876 0.3 1 102 0.4 0.1 12.6
 
. . .

Reviewing IP Cache Flow on Oakland


Slide 16
Oakland#show ip cache flow
. . .
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/1 10.18.131.16 Fa0/0 172.24.141.70 11 0358 0316 1
Fa0/0 172.18.2.70 Fa0/1 10.18.131.16 11 0316 0358 1
Fa0/1 10.18.131.16 Fa0/0 172.24.141.42 11 0035 8173 282
Fa0/0 172.24.141.42 Fa0/1 10.18.131.16 11 8173 0035 282
Fa0/0 172.24.141.206 Fa0/1 172.18.187.207 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.187.206 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.187.205 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.187.204 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.187.203 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.187.202 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.187.201 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.187.200 01 0000 0800 1
Fa0/0 172.24.141.25 Fa0/1 172.18.131.16 11 007B 007B 1
Fa0/0 172.24.141.206 Fa0/1 172.18.187.199 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.190.200 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.190.199 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.190.198 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.190.196 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.190.195 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.190.194 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.190.193 01 0000 0800 1
. . .

Reviewing IP Cache Flow on Oakland (Cont.)


Slide 17
Oakland#show ip cache flow | include 0800
Fa0/0 172.24.141.206 Fa0/1 172.18.187.207 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.187.206 01 0000 0800 1
. . .
Fa0/0 172.24.141.228 Fa0/1 172.15.26.248 01 0000 0800 1
Fa0/0 172.24.141.237 Fa0/1 172.15.250.241 01 0000 0800 1
Fa0/0 172.24.141.228 Fa0/1 172.15.26.249 01 0000 0800 1
Fa0/0 172.24.141.237 Fa0/1 172.15.250.240 01 0000 0800 1
Fa0/0 172.24.141.228 Fa0/1 172.15.26.250 01 0000 0800 1
Fa0/0 172.24.141.237 Fa0/1 172.15.250.243 01 0000 0800 1
Fa0/0 172.24.141.228 Fa0/1 172.15.26.251 01 0000 0800 1
Fa0/0 172.24.141.237 Fa0/1 172.15.250.242 01 0000 0800 1
. . .
Fa0/0 172.24.141.206 Fa0/1 172.19.24.112 01 0000 0800 1
Fa0/0 172.24.141.236 Fa0/1 172.15.40.79 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.19.24.113 01 0000 0800 1
Fa0/0 172.24.141.236 Fa0/1 172.15.40.48 01 0000 0800 1
Fa0/0 172.24.141.236 Fa0/1 172.15.40.49 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.19.24.15 01 0000 0800 1
Fa0/0 172.24.141.236 Fa0/1 172.15.40.50 01 0000 0800 1
Fa0/0 172.24.141.236 Fa0/1 172.15.40.51 01 0000 0800 1
. . .
Fa0/0 172.24.141.229 Fa0/1 172.19.239.229 01 0000 0800 1
Fa0/0 172.24.141.229 Fa0/1 172.19.239.228 01 0000 0800 1
Fa0/0 172.24.141.229 Fa0/1 172.19.239.231 01 0000 0800 1
. . .

Reviewing IP Cache Flow on Oakland (Cont.)
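
The Oakland flow cache shows a handful of inside hosts each sending single-packet ICMP echo requests (Pr 01, DstP 0800) to runs of consecutive addresses. The following Python sketch is an added example, not part of the original slides: it parses `show ip cache flow` rows and lists sources that ping many distinct destinations. The function names and the `min_targets` threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# One flow row of "show ip cache flow":
#   SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
# Pr, SrcP and DstP are hexadecimal. For ICMP (Pr 01) the DstP column holds
# type and code, so 0800 is type 8, code 0: an echo request.
FLOW_ROW = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+[KM]?)\s*$"
)

# Rows copied from the Oakland output on slides 16 and 17, with the header
# and ". . ." elisions left in so the parser has to skip non-flow lines.
SAMPLE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/1 10.18.131.16 Fa0/0 172.24.141.42 11 0035 8173 282
Fa0/0 172.24.141.42 Fa0/1 10.18.131.16 11 8173 0035 282
Fa0/0 172.24.141.25 Fa0/1 172.18.131.16 11 007B 007B 1
Fa0/0 172.24.141.206 Fa0/1 172.18.187.207 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.187.206 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.187.205 01 0000 0800 1
Fa0/0 172.24.141.206 Fa0/1 172.18.187.204 01 0000 0800 1
. . .
Fa0/0 172.24.141.228 Fa0/1 172.15.26.248 01 0000 0800 1
Fa0/0 172.24.141.237 Fa0/1 172.15.250.241 01 0000 0800 1
Fa0/0 172.24.141.228 Fa0/1 172.15.26.249 01 0000 0800 1
Fa0/0 172.24.141.237 Fa0/1 172.15.250.240 01 0000 0800 1
Fa0/0 172.24.141.228 Fa0/1 172.15.26.250 01 0000 0800 1
Fa0/0 172.24.141.228 Fa0/1 172.15.26.251 01 0000 0800 1
. . .
Fa0/0 172.24.141.229 Fa0/1 172.19.239.229 01 0000 0800 1
"""


def parse_flows(text):
    """Yield one dict per flow row; header, elision and blank lines are skipped."""
    for line in text.splitlines():
        m = FLOW_ROW.match(line.strip())
        if m:
            src_if, src, dst_if, dst, pr, sport, dport, pkts = m.groups()
            yield {"src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
                   "proto": int(pr, 16), "sport": int(sport, 16),
                   "dport": int(dport, 16), "pkts": pkts}


def echo_sweep_sources(flows, min_targets=4):
    """Return [(source, distinct echo-request destinations)] at or above min_targets."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == 1 and f["dport"] == 0x0800:
            targets[f["src"]].add(f["dst"])
    hits = [(src, len(dsts)) for src, dsts in targets.items()
            if len(dsts) >= min_targets]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, count in echo_sweep_sources(parse_flows(SAMPLE)):
        print(f"{src}: echo requests to {count} distinct hosts")
```

Run against a full capture of the command output, the same functions give a ranked list of hosts to isolate before the ICMP load is addressed on the router itself.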


Slide 18: Commands Used to Correct Network Management Problems

router(config)# snmp-server enable {traps | informs}

Enables SNMP traps or informs.

router(config)# snmp-server community [rw | ro] {access-list number}

Configures a community string to act like a password to regulate read-write and read-only access to the agent on the router.

router(config)# snmp-server host

Configures the recipient of an SNMP trap operation.


Slide 19: Commands Used to Correct Network Management Problems (Cont.)

router(config)# ntp server {ip-address}

Configures the NTP server.

router(config)# ntp peer {ip-address}

Configures the NTP peer.

router(config)# ntp source {type number}

Configures the interface for the NTP source address.


Slide 20: Commands Used to Correct Network Management Problems (Cont.)

router(config)# no snmp-server

Disables SNMP agent operation.

router(config)# service timestamps log datetime localtime

Configures the system to time-stamp logging messages.

router(config)# service timestamps debug datetime localtime

Configures the system to time-stamp debugging messages.


Slide 21: Commands Used to Correct DHCP Problems

router(config-if)# ip helper-address

Forwards UDP broadcasts, including BOOTP, received on an interface.

router(config)# [no] service dhcp

Enables and disables DHCP server and relay functionality on the router.


Slide 22: Example: Correcting a TFTP Problem at the Application Layer


Slide 23
rommon 5 > IP_ADDRESS=172.21.128.129
rommon 6 > IP_SUBNET_MASK=255.255.255.128
rommon 7 > DEFAULT_GATEWAY=172.21.128.130
monitor: command "DEFAULT_GATEWAY=" not found
rommon 8 > DEFAULT_GATEWAY= 172.21.128.130
rommon 9 > TFTP_SERVER=172.22.128.129
rommon 10 > TFTP_FILE=c1700-sv8y-mz.122-8.YL.bin
rommon 11 >

Correcting a TFTP Problem at the Application Layer


Slide 24
rommon 11 > tftpdnld

IP_ADDRESS: 172.21.128.129
IP_SUBNET_MASK: 255.255.255.128
DEFAULT_GATEWAY: 172.21.128.130
TFTP_SERVER: 172.22.128.129
TFTP_FILE: flash:/c1700-sv8y-mz.122-8.YL.BIN
 
Invoke this command for disaster recovery only.
WARNING: all existing data in all partitions on flash will be lost!
Do you wish to continue? y/n: [n]: y
 
Receiving c1700-sv8y-mz.122-8.YL.BIN from 172.22.128.129 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
.
.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
File reception completed.
Copying file c1700-sv8y-mz.122-8.YL.BIN to flash.
Erasing flash at 0x62fe0000
Programming location 61980000
rommon 12 >

Invoking the TFTP Server


Слайд 25
rommon 12 > boot
program load complete, entry point: 0x80008000, size: 0x98d494
Self

decompressing the image : ######################################################################################################################################################################################### [OK]
.
.
.  
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-SV8Y-M), Version 12.2(8)YL, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(10.3)T1
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 17-Jul-02 14:04 by ealyon
Image text-base: 0x80008124, data-base: 0x8122D408
.
.

Press RETURN to get started!

Booting Up the Router to Restore the Cisco IOS Image


Slide 26: Example: Correcting a Problem at the Application Layer


Slide 27
Kingston#
Dec 21 9:30:25.353: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 172.26.167.1, remote= 172.26.167.2,
local_proxy= 172.26.164.0/255.255.254.0/0/0 (type=4),
remote_proxy= 172.27.0.0/255.255.0.0/0/0 (type=4)
Dec 21 9:30:25.353: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.26.167.1, remote= 172.26.167.2,
local_proxy= 172.26.164.0/255.255.254.0/0/0 (type=4),
remote_proxy= 172.27.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x71B65BF8(1907776504), conn_id= 0, keysize= 0, flags= 0x400C
Kingston#
Dec 21 9:30:55.355: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 172.26.167.1, remote= 172.26.167.2,
local_proxy= 172.26.164.0/255.255.254.0/0/0 (type=4),
remote_proxy= 172.27.0.0/255.255.0.0/0/0 (type=4)
Kingston#
Dec 21 9:31:09: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 172.26.161.2, src_addr= 172.27.227.9, prot= 1
Dec 21 9:31:10.753: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.26.167.1, remote= 172.26.167.2,
local_proxy= 172.26.164.0/255.255.254.0/0/0 (type=4),
remote_proxy= 172.27.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x22C15DFB(583097851), conn_id= 0, keysize= 0, flags= 0x400C
Kingston#

Reviewing Debug Output on Kingston


Slide 28
Toronto#
Dec 21 9:31:11.704: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.26.167.2, remote= 172.26.167.1,
local_proxy= 172.27.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 172.26.164.0/255.255.254.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
Dec 21 9:31:11.708: IPSEC(validate_transform_proposal): proxy identities not supported
Dec 21 9:31:11: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 172.26.167.1
Toronto#

Reviewing Debug Output on Toronto


Slide 29
Kingston#show crypto map
Crypto Map "test" 10 ipsec-isakmp
Peer = 172.26.167.2
Extended IP access list 133
access-list 133 permit ip 172.26.160.0 0.0.3.255 172.20.0.0 0.3.255.255
access-list 133 permit ip 172.26.164.0 0.0.1.255 172.20.0.0 0.3.255.255
access-list 133 permit ip 172.26.160.0 0.0.3.255 172.24.0.0 0.1.255.255
access-list 133 permit ip 172.26.164.0 0.0.1.255 172.24.0.0 0.1.255.255
access-list 133 permit ip 172.26.160.0 0.0.3.255 172.27.0.0 0.0.255.255
access-list 133 permit ip 172.26.164.0 0.0.1.255 172.27.0.0 0.0.255.255
access-list 133 permit ip 172.26.160.0 0.0.3.255 172.28.0.0 0.0.255.255
access-list 133 permit ip 172.26.164.0 0.0.1.255 172.28.0.0 0.0.255.255
Current peer: 172.26.167.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
auth2,
}
Interfaces using crypto map test:
Serial1/0
Kingston#

Reviewing the Crypto Map on Kingston


Slide 30
Toronto#show crypto map
Crypto Map "test" 10 ipsec-isakmp
Peer = 172.26.167.1
Extended IP access list 133
access-list 133 permit ip 172.26.160.0 0.0.3.255 172.20.0.0 0.3.255.255
access-list 133 permit ip 172.26.164.0 0.0.1.255 172.20.0.0 0.3.255.255
access-list 133 permit ip 172.26.160.0 0.0.3.255 172.24.0.0 0.1.255.255
access-list 133 permit ip 172.26.164.0 0.0.1.255 172.24.0.0 0.1.255.255
access-list 133 permit ip 172.26.160.0 0.0.3.255 172.27.0.0 0.0.255.255
access-list 133 permit ip 172.26.164.0 0.0.1.255 172.27.0.0 0.0.255.255
access-list 133 permit ip 172.26.160.0 0.0.3.255 172.28.0.0 0.0.255.255
access-list 133 permit ip 172.26.164.0 0.0.1.255 172.28.0.0 0.0.255.255
Current peer: 172.26.167.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
auth2,
}
Interfaces using crypto map test:
Serial1/0
Toronto#

Reviewing the Crypto Map on Toronto


Slide 31
Toronto#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Toronto(config)#no access-list 133
Toronto(config)#access-list 133 permit ip 172.20.0.0 0.3.255.255 172.26.160.0 0.0.3.255
Toronto(config)#access-list 133 permit ip 172.20.0.0 0.3.255.255 172.26.164.0 0.0.1.255
Toronto(config)#access-list 133 permit ip 172.24.0.0 0.1.255.255 172.26.160.0 0.0.3.255
Toronto(config)#access-list 133 permit ip 172.24.0.0 0.1.255.255 172.26.164.0 0.0.1.255
Toronto(config)#access-list 133 permit ip 172.27.0.0 0.0.255.255 172.26.160.0 0.0.3.255
Toronto(config)#access-list 133 permit ip 172.27.0.0 0.0.255.255 172.26.164.0 0.0.1.255
Toronto(config)#access-list 133 permit ip 172.28.0.0 0.0.255.255 172.26.160.0 0.0.3.255
Toronto(config)#access-list 133 permit ip 172.28.0.0 0.0.255.255 172.26.164.0 0.0.1.255
Toronto(config)#exit
Toronto#
Toronto#show access-list 133
Extended IP access list 133
permit ip 172.20.0.0 0.3.255.255 172.26.160.0 0.0.3.255
permit ip 172.20.0.0 0.3.255.255 172.26.164.0 0.0.1.255
permit ip 172.24.0.0 0.1.255.255 172.26.160.0 0.0.3.255
permit ip 172.24.0.0 0.1.255.255 172.26.164.0 0.0.1.255
permit ip 172.27.0.0 0.0.255.255 172.26.160.0 0.0.3.255
permit ip 172.27.0.0 0.0.255.255 172.26.164.0 0.0.1.255
permit ip 172.28.0.0 0.0.255.255 172.26.160.0 0.0.3.255
permit ip 172.28.0.0 0.0.255.255 172.26.164.0 0.0.1.255
Toronto#

Correcting the Crypto Map Access List on Toronto
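
Toronto rejected quick mode with "proxy identities not supported" because its crypto access list 133 was a copy of Kingston's rather than its mirror image. The Python sketch below is an added example, not part of the original slides: it parses both peers' crypto ACLs and reports entries that have no swapped source/destination counterpart on the other side. The function names are assumptions, and the parser handles only the address/wildcard form used on these slides.

```python
import ipaddress
import re

# Matches the configured form ("access-list 133 permit ip ...") and the
# "show access-list" form ("permit ip ..."); address/wildcard pairs only,
# the "any" and "host" keywords are not handled.
ENTRY = re.compile(r"permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def to_network(addr, wildcard):
    """Convert an IOS address and wildcard mask to an IPv4Network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # wildcard bits must be one contiguous low-order run
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~w & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - w.bit_length()))

def parse_crypto_acl(text):
    """Return the set of (source, destination) networks the ACL protects."""
    return {(to_network(m[1], m[2]), to_network(m[3], m[4]))
            for m in ENTRY.finditer(text)}

def unmirrored(local_acl, peer_acl):
    """Entries of local_acl whose swapped (dst, src) pair is absent on the peer."""
    return sorted((s, d) for s, d in local_acl if (d, s) not in peer_acl)

def peer_has_entry_for(peer_acl, initiator_local, initiator_remote):
    """True if the peer's ACL holds the mirror of the initiator's proxy pair."""
    return (ipaddress.ip_network(initiator_remote),
            ipaddress.ip_network(initiator_local)) in peer_acl

# Access list 133 as shown for Kingston on slide 29.
KINGSTON = """\
access-list 133 permit ip 172.26.160.0 0.0.3.255 172.20.0.0 0.3.255.255
access-list 133 permit ip 172.26.164.0 0.0.1.255 172.20.0.0 0.3.255.255
access-list 133 permit ip 172.26.160.0 0.0.3.255 172.24.0.0 0.1.255.255
access-list 133 permit ip 172.26.164.0 0.0.1.255 172.24.0.0 0.1.255.255
access-list 133 permit ip 172.26.160.0 0.0.3.255 172.27.0.0 0.0.255.255
access-list 133 permit ip 172.26.164.0 0.0.1.255 172.27.0.0 0.0.255.255
access-list 133 permit ip 172.26.160.0 0.0.3.255 172.28.0.0 0.0.255.255
access-list 133 permit ip 172.26.164.0 0.0.1.255 172.28.0.0 0.0.255.255
"""
# Slide 30: Toronto's list before the fix is identical to Kingston's.
TORONTO_BEFORE = KINGSTON
# Slide 31: "show access-list 133" on Toronto after the correction.
TORONTO_FIXED = """\
permit ip 172.20.0.0 0.3.255.255 172.26.160.0 0.0.3.255
permit ip 172.20.0.0 0.3.255.255 172.26.164.0 0.0.1.255
permit ip 172.24.0.0 0.1.255.255 172.26.160.0 0.0.3.255
permit ip 172.24.0.0 0.1.255.255 172.26.164.0 0.0.1.255
permit ip 172.27.0.0 0.0.255.255 172.26.160.0 0.0.3.255
permit ip 172.27.0.0 0.0.255.255 172.26.164.0 0.0.1.255
permit ip 172.28.0.0 0.0.255.255 172.26.160.0 0.0.3.255
permit ip 172.28.0.0 0.0.255.255 172.26.164.0 0.0.1.255
"""

if __name__ == "__main__":
    kingston = parse_crypto_acl(KINGSTON)
    for label, text in (("before", TORONTO_BEFORE), ("after", TORONTO_FIXED)):
        missing = unmirrored(kingston, parse_crypto_acl(text))
        print(f"Toronto {label} fix: {len(missing)} Kingston entries lack a mirror")
```

The proxy pair in Kingston's debug output (172.26.164.0/255.255.254.0 to 172.27.0.0/255.255.0.0) can be passed to `peer_has_entry_for` to confirm which side of a failed negotiation is missing the entry.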


Slide 32
Kingston_SW#ping cit_server
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.27.227.9, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 72/72/72 ms
Kingston_SW#ping cit_server
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.27.227.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/72/76 ms
Kingston_SW#

Testing Connectivity from the Kingston Switch


Slide 33: Support Resources for Correcting Transport and Application Layer Problems

Cisco Systems TAC
www.cisco.com/tac

Internetwork Troubleshooting Handbook
www.cisco.com/univercd/cc/td/doc/cisintwk/itg_v1

Cisco Systems technologies reference
www.cisco.com/univercd/home/home.htm

Slide 34: Calling Cisco TAC


Slide 35: Procedure for Correcting Transport and Application Layer Problems


Slide 36: Summary

Troubleshooters can use the appropriate commands to make configuration changes to correct problems with TCP and UDP at the transport layer.

Troubleshooters can use the appropriate commands to make configuration changes to correct problems with network management protocols at the application layer.

Some transport and application layer support resources are as follows:
  Cisco Systems TAC
  Internetwork Troubleshooting Handbook
  Cisco Systems technologies reference

Following a systematic procedure increases the chances that you will successfully and effectively correct an isolated problem at the transport or application layer.

Slide 37
Completed Troubleshooting Logs


Slide 38: Troubleshooting Log—Trouble Ticket G Core Router/Switch

Problem
a) The wrong area running authentication
b) Bogus access-list CIT
c) Mistyped access list in distribute list (ClT for CIT)

Solution
! a) example shown for POD2
!
router ospf 202
 area 0 authentication message-digest
 no area 2 authentication message-digest
!
! b) example shown for POD2
no ip access-list extended CIT
ip access-list standard CIT
 remark Include the other pods as /16 networks
 permit 172.21.0.0 0.0.255.255
 permit 172.23.0.0 0.0.255.255
 permit 172.24.0.0 0.0.255.255
 permit 172.25.0.0 0.0.255.255
 permit 172.26.0.0 0.0.255.255
!
! c)
!
router bgp 65021
 neighbor 10.177.177.7 distribute-list CIT in
 neighbor 10.177.178.8 distribute-list CIT in


Slide 39: Troubleshooting Log—Trouble Ticket G Distribution Router

Problem
a) Cannot connect to console (no exec)
b) MISSING ICMP, telnet goes slow path
c) Use of physical interface on route map

Solution
! a)
line con 0
 EXEC
!
! b)
route-map USE_FAST permit 20
 set ip next-hop 172.22.127.129
 no set interface Serial1/1
!
! c)
no ip access-list extended END_USERS
ip access-list extended END_USERS
 remark Allow PC End Users
 permit ip any 172.22.124.0 0.0.0.255
 permit ip any 172.22.122.0 0.0.1.255
!


Slide 40: Troubleshooting Log—Trouble Ticket G Access Router

Problem
a) Cannot connect to console (line speed)
b) MISSING www statement, ICMP denies END users
c) SEE NEXT FIGURE

Solution
! a)
line con 0
 speed 9600
! need to connect via Telnet to fix
! b)
no ip access-list extended Traffic
ip access-list extended Traffic
 remark Allow ICMP, TCP outbound, FTP & WWW
 permit icmp 172.22.0.0 0.0.255.255 any
 permit tcp 172.22.0.0 0.0.255.255 any eq telnet
 permit tcp 172.22.0.0 0.0.255.255 any eq ftp-data
 permit tcp 172.22.0.0 0.0.255.255 any eq ftp
 permit tcp 172.22.0.0 0.0.255.255 any eq www
 permit udp 172.22.0.0 0.0.255.255 any eq tftp


Slide 41: Troubleshooting Log—Trouble Ticket G Access Router (Cont.)

Problem
c) DHCP does not provide addresses

Solution
! c)
ip dhcp excluded-address 172.22.122.1
ip dhcp excluded-address 172.22.123.1
ip dhcp excluded-address 172.22.124.1
no ip dhcp excluded-address 172.22.122.2
no ip dhcp excluded-address 172.22.123.2
no ip dhcp excluded-address 172.22.124.2
!


Slide 42: Troubleshooting Log—Trouble Ticket G Access Switch

Problem
No issues

Solution
Nothing needed


Slide 43: Troubleshooting Log—Trouble Ticket H Core Router/Switch

Problem
a) Wrong banner/host name missing service prompt
b) No console messages
c) Reload in xxx
d) Cannot reach BGP neighbors
e) SEE NEXT FIGURE

Solution
! a)
no banner motd
hostname Tampa
service prompt config
! b)
logging console
! c)
reload cancel
! d)
router bgp 65011
 neighbor 10.177.177.7 update-source Loopback0
 neighbor 10.177.178.8 update-source Loopback0
vlan 27
 no shut
vlan 28
 no shut
!


Slide 44: Troubleshooting Log—Trouble Ticket H Core Router/Switch (Cont.)

Problem
e) MD5 keys messed up (extra space, wrong places)

Solution
! e)
interface Vlan27
 no ip ospf message-digest-key 27 md5 acme
 ip ospf message-digest-key 27 md5 acme
!
interface Vlan28
 no ip ospf message-digest-key 27 md5 acme
 ip ospf message-digest-key 28 md5 ACME
!


Slide 45: Troubleshooting Log—Trouble Ticket H Distribution Router

Problem
a) Wrong banner and host name
b) Wrong prompt
c) No need for EIGRP stub
d) Distribute list in OSPF going wrong way
e) Small MTU breaks serial links for EIGRP

Solution
! a)
no banner motd
hostname Orlando
!
! b)
no prompt %%%sInvalid%sinput%sdetected%s
!
! c)
router eigrp 101
 no eigrp stub
!
! d)
router ospf 101
 no distribute-list Access_Routes in
 distribute-list Access_Routes out
!
! e)
interface serial 1/0
 no mtu 64
!
interface serial 1/1
 no mtu 64
!


Slide 46: Troubleshooting Log—Trouble Ticket H Access Router

Problem
a) Wrong banner and host name
b) Route map permit/deny swapped, sends ARP from 0.0.0.0 out ser 1/1.1
c) Wrong ANSI type on frame relay
d) SEE NEXT FIGURE

Solution
! a)
hostname Daytona
! b)
no route-map USE_FAST
!
route-map USE_FAST permit 10
 match ip address Admin
 set interface Serial1/1.1
!
route-map USE_FAST deny 20
 match ip address End_Users
!
! c)
interface serial 1/0
 no frame-relay lmi-type ansi
!
interface serial 1/1
 no frame-relay lmi-type ansi
!


Slide 47: Troubleshooting Log—Trouble Ticket H Access Router (Cont.)

Problem
d) Access-group applied wrong way on serial links

Solution
! d)
interface serial 1/1.1
 ip access-group Traffic out
 no ip access-group Traffic in
!
interface serial 1/0.1
 ip access-group Traffic out
 no ip access-group Traffic in
!


Slide 48: Troubleshooting Log—Trouble Ticket H Access Switch

Problem
a) SVI shutdown
b) No trunk on VLAN 1

Solution
! a)
interface Vlan901
 no shut
!
! b)
interface FastEthernet0/1
 no switchport access vlan 2
 switchport trunk native vlan 901
 switchport mode trunk
!

