This module describes how to identify and resolve software problems related to the Cisco IOS software on the switch. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems.
Additional troubleshooting information, such as LED descriptions, is provided in the hardware installation guide.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Switch software can be corrupted during an upgrade, by downloading the incorrect file to the
switch, and by deleting the image file. In all of these cases, the switch does not pass
the power-on self-test (POST), and there is no connectivity.
The default configuration for the switch allows an end user with physical access to the
switch to recover from a lost password by interrupting the boot process during power-on
and by entering a new password. These recovery procedures require that you have physical
access to the switch.
Note
On these switches, a system administrator can disable some of the functionality of
this feature by allowing an end user to reset a password only by agreeing to return
to the default configuration. If you are an end user trying to reset a password when
password recovery has been disabled, a status message shows this during the recovery
process.
A PoE-capable switch port automatically supplies power to one of these connected devices if the switch senses that there is no power on the circuit:
Cisco pre-standard powered device (such as a Cisco IP Phone or a Cisco Aironet Access Point)
IEEE 802.3af-compliant powered device
A powered device can receive redundant power when it is connected to a PoE switch port and to an AC power source. The device does not receive redundant power when it is only connected to the PoE port.
After the switch detects a powered device, the switch determines the device power requirements and then grants or denies power to the device. The switch can also sense the real-time power consumption of the device by monitoring and policing the power usage.
If a powered device (such as a Cisco IP Phone 7910) that is connected to a PoE switch port
and is powered by an AC power source loses power from the AC power source, the device might
enter an error-disabled state. To recover from an error-disabled state, enter the
shutdown interface configuration command, and then enter
the no shutdown interface command. You can also configure
automatic recovery on the switch to recover from the error-disabled state.
On a switch, the errdisable recovery cause loopback and the
errdisable recovery intervalseconds global configuration commands automatically take the
interface out of the error-disabled state after the specified period of time.
Disabled Port Caused by False Link Up
If a Cisco powered device is connected to a port and you configure the port by using the
power inline never interface configuration command, a false link up can occur,
placing the port into an error-disabled state. To take the port out of the error-disabled
state, enter the shutdown and the no
shutdown interface configuration commands.
You should not connect a Cisco powered device to a port that has been configured with the
power inline never command.
Ping
The switch supports IP ping, which you can use to test connectivity to remote hosts. Ping sends an echo request packet to an address and waits for a reply. Ping returns one of these responses:
Normal response—The normal response (hostname is alive) occurs in 1 to 10 seconds, depending on network traffic.
Destination does not respond—If the host does not respond, a no-answer message is returned.
Unknown host—If the host does not exist, an unknown host message is returned.
Destination unreachable—If the default gateway cannot reach the specified network, a destination-unreachable message is returned.
Network or host unreachable—If there is no entry in the route table for the host or network, a network or host unreachable message is returned.
The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source device to a destination device. Layer 2 traceroute supports only unicast source and destination MAC addresses. It finds the path by using the MAC address tables of the switches in the path. When the switch detects a device in the path that does not support Layer 2 traceroute, the switch continues to send Layer 2 trace queries and lets them time out.
The switch can only identify the path from the source device to the destination device. It cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host.
Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For
Layer 2 traceroute to function properly, do not disable CDP.
If any devices in the physical path are transparent to CDP, the switch cannot
identify the path through these devices.
A switch is reachable from another switch when you can test connectivity by using the
ping privileged EXEC command. All switches in the
physical path must be reachable from each other.
The maximum number of hops identified in the path is ten.
You can enter the traceroute mac or the
traceroute mac ip privileged EXEC command on a switch
that is not in the physical path from the source device to the destination device.
All switches in the path must be reachable from this switch.
The traceroute mac command output shows the Layer 2 path
only when the specified source and destination MAC addresses belong to the same VLAN.
If you specify source and destination MAC addresses that belong to different VLANs,
the Layer 2 path is not identified, and an error message appears.
If you specify a multicast source or destination MAC address, the path is not
identified, and an error message appears.
If the source or destination MAC address belongs to multiple VLANs, you must specify
the VLAN to which both the source and destination MAC addresses belong. If the VLAN
is not specified, the path is not identified, and an error message appears.
The traceroute mac ip command output shows the Layer 2 path when the specified source
and destination IP addresses belong to the same subnet. When you specify the IP
addresses, the switch uses the Address Resolution Protocol (ARP) to associate the IP
addresses with the corresponding MAC addresses and the VLAN IDs.
If an ARP entry exists for the specified IP address, the switch uses the
associated MAC address and identifies the physical path.
If an ARP entry does not exist, the switch sends an ARP query and tries to
resolve the IP address. If the IP address is not resolved, the path is not
identified, and an error message appears.
When multiple devices are attached to one port through hubs (for example, multiple
CDP neighbors are detected on a port), the Layer 2 traceroute feature is not
supported. When more than one CDP neighbor is detected on a port, the Layer 2 path is
not identified, and an error message appears.
This feature is not supported in Token Ring VLANs.
IP Traceroute
You can use IP traceroute to identify the path that packets take through the network on a
hop-by-hop basis. The command output displays all network layer (Layer 3) devices, such as
routers, that the traffic passes through on the way to the destination.
Your switches can participate as the source or destination of the
traceroute privileged EXEC command and might or might not
appear as a hop in the traceroute command output. If the switch
is the destination of the traceroute, it is displayed as the final destination in the
traceroute output. Intermediate switches do not show up in the traceroute output if they
are only bridging the packet from one port to another within the same VLAN. However, if the
intermediate switch is a multilayer switch that is routing a particular packet, this switch
shows up as a hop in the traceroute output.
The traceroute privileged EXEC command uses the Time To Live (TTL) field in
the IP header to cause routers and servers to generate specific return messages. Traceroute
starts by sending a User Datagram Protocol (UDP) datagram to the destination host with the
TTL field set to 1. If a router finds a TTL value of 1 or 0, it drops the datagram and
sends an Internet Control Message Protocol (ICMP) time-to-live-exceeded message to the
sender. Traceroute finds the address of the first hop by examining the source address field
of the ICMP time-to-live-exceeded message.
To identify the next hop, traceroute sends a UDP packet with a TTL value of 2. The first
router decrements the TTL field by 1 and sends the datagram to the next router. The second
router sees a TTL value of 1, discards the datagram, and returns the time-to-live-exceeded
message to the source. This process continues until the TTL is incremented to a value large
enough for the datagram to reach the destination host (or until the maximum TTL is
reached).
To learn when a datagram reaches its destination, traceroute sets the UDP destination port
number in the datagram to a very large value that the destination host is unlikely to be
using. When a host receives a datagram destined to itself containing a destination port
number that is unused locally, it sends an ICMP port-unreachable error to the
source. Because all errors except port-unreachable errors come from intermediate hops, the
receipt of a port-unreachable error means that this message was sent by the destination
port.
You can use the Time Domain Reflector (TDR) feature to diagnose and resolve cabling problems. When running TDR, a local device sends a signal through a cable and compares the reflected signal to the initial signal.
TDR is supported only on 10/100/1000 copper Ethernet ports. It is not supported on 10-Gigabit Ethernet ports and on SFP module ports.
TDR can detect these cabling problems:
Open, broken, or cut twisted-pair wires—The wires are not connected to the wires from the remote device.
Shorted twisted-pair wires—The wires are touching each other or the wires from the remote device. For example, a shorted twisted pair can occur if one wire of the twisted pair is soldered to the other wire.
If one of the twisted-pair wires is open, TDR can find the length at which the wire is open.
Use TDR to diagnose and resolve cabling problems in these situations:
Replacing a switch
Setting up a wiring closet
Troubleshooting a connection between two devices when a link cannot be established or when it is not operating properly
When you run TDR, the switch reports accurate information in these situations:
The cable for the Gigabit link is a solid-core cable.
The open-ended cable is not terminated.
When you run TDR, the switch does not report accurate information in these situations:
The cable for the Gigabit link is a twisted-pair cable or is in series with a solid-core cable.
The link is a 10-Megabit or a 100-Megabit link.
The cable is a stranded cable.
The link partner is a Cisco IP Phone.
The link partner is not IEEE 802.3 compliant.
Debug Commands
Caution
Because debugging output is assigned high priority in the CPU process, it can render the
system unusable. For this reason, use debug commands only to
troubleshoot specific problems or during troubleshooting sessions with Cisco technical
support staff. It is best to use debug commands during periods
of lower network traffic and fewer users. Debugging during these periods decreases the
likelihood that increased debug command processing overhead
will affect system use.
All debug commands are entered in privileged EXEC mode, and most
debug commands take no arguments.
The crashinfo files save information that helps Cisco technical support representatives to debug problems that caused the Cisco IOS image to fail (crash). The switch generates two files at the time of the failure: full core and crashinfo.
The information in the crashinfo file includes the Cisco IOS image name and version that
failed, a list of the processor registers, and a stack trace. You can provide this
information to the Cisco technical support representative by using the show
tech-support privileged EXEC command.
The file names have the following format:
[fullcore | crashinfo]_[process that crashed]_[date]-[timestamp]-UTC
From IOS, you can view the crashinfo files on each switch by using the following command:
Switch# dir crashinfo?
crashinfo-1: crashinfo-2: crashinfo-3: crashinfo:
Switch#
For example, to access the crashinfo directory for switch 1, enter
Switchdir crashinfo-1
From the ROMMON prompt, you can view the crashinfo files by using the dir command:
Switch: dir sda1
The following is sample output of a crashinfo file
Switch# dir crashinfo:
Directory of crashinfo:/
12 -rwx 2768 Dec 31 1969 16:00:15 -08:00 koops.dat
15 -rwx 0 Jan 12 2000 22:53:40 -08:00 deleted_crash_files
16 -rwx 4246576 Jan 12 2000 22:53:40 -08:00 crashinfo_stack-mgr_20000113-065250-UTC
17 -rwx 50 Oct 2 2012 03:18:42 -08:00 last_crashinfo
26 -rwx 39 Jan 22 2013 14:14:14 -08:00 last_systemreport
18 -rwx 2866565 Jan 12 2000 22:53:41 -08:00 fullcore_stack-mgr_20000113-065250-UTC
20 -rwx 4391796 Feb 1 2000 17:50:44 -08:00 crashinfo_stack-mgr_20000202-014954-UTC
21 -rwx 2920325 Feb 1 2000 17:50:45 -08:00 fullcore_stack-mgr_20000202-014954-UTC
34817 -rw- 1050209 Jan 10 2013 20:26:23 -08:00 system-report_1_20130111-042535-UTC.gz
18434 -rw- 1016913 Jan 11 2013 10:35:28 -08:00 system-report_1_20130111-183440-UTC.gz
18435 -rw- 1136167 Jan 22 2013 14:14:11 -08:00 system-report_1_20130122-221322-UTC.gz
34821 -rw- 1094631 Jan 2 2013 17:59:23 -08:00 system-report_1_20130103-015835-UTC.gz
6147 -rw- 967429 Jan 3 2013 10:32:44 -08:00 system-report_1_20130103-183156-UTC.gz
34824 -rwx 50 Jan 22 2013 14:14:14 -08:00 deleted_sysreport_files
6155 -rwx 373 Jan 22 2013 14:14:13 -08:00 last_systemreport_log
145898496 bytes total (18569216 bytes free)
stack3#
The file name of the most recent crashinfo file is stored in last_crashinfo.
The file name of the most recent system report is stored in last_systemreport.
Switch#
When a switch reloads or crashes, a system report is automatically generated for each switch in the switch stack. The system report file captures all the trace buffers, and other system-wide logs found on the switch. System reports are located in the crashinfo directory in the following format:
After a switch reload or crash, you should check if a system report file was generated. The name of the most recently generated system report file is stored in the last_systemreport file under the crashinfo directory. The system report and crashinfo files assist TAC when troubleshooting your issue.
Onboard Failure Logging on the Switch
You can use the on-board-failure logging (OBFL) feature to collect information about the switch. The information includes uptime, temperature, and voltage information and helps Cisco technical support representatives to troubleshoot switch problems. We recommend that you keep OBFL enabled and do not erase the data stored in the flash memory.
By default, OBFL is enabled. It collects information about the switch and small form-factor
pluggable (SFP) modules. The switch stores this information in the flash memory:
CLI commands—Record of the OBFL CLI commands that are entered on a standalone switch
or a switch stack member
Environment data—Unique device identifier (UDI) information for a standalone switch
or a stack member and for all the connected FRU devices: the product identification
(PID), the version identification (VID), and the serial number
Message—Record of the hardware-related system messages generated by a standalone
switch or a stack member
Power over Ethernet (PoE)—Record of the power consumption of PoE ports on a
standalone switch or a stack member
Temperature—Temperature of a standalone switch or a stack member
Uptime data—Time when a standalone switch or a stack member starts, the reason the
switch restarts, and the length of time the switch has been running since it last
restarted
Voltage—System voltages of a standalone switch or a stack member
You should manually set the system clock or configure it by using Network Time Protocol
(NTP).
When the switch is running, you can retrieve the OBFL data by using the show
logging onboard privileged EXEC commands. If the switch fails, contact
your Cisco technical support representative to find out how to retrieve the data.
By default, the feature is disabled. When more than one of the fans in a field-replaceable
unit (FRU) or in a power supply fails, the switch does not shut down, and this error
message appears:
Multiple fan(FRU/PS) failure detected. System may get overheated. Change fan quickly.
The switch might overheat and shut down.
To enable the fan failures feature, enter the system env fan-fail-action
shut privileged EXEC command. If more than one fan in the switch fails,
the switch automatically shuts down, and this error message appears:
Faulty (FRU/PS) fans detected, shutting down system!
After the first fan shuts down, if the switch detects a second fan failure, the switch
waits for 20 seconds before it shuts down.
To restart the switch, it must be power cycled.
Possible Symptoms of High CPU Utilization
Excessive CPU utilization might result in these symptoms, but the symptoms could also result from other causes.
Spanning tree topology changes
EtherChannel links brought down due to loss of communication
Failure to respond to management requests (ICMP ping, SNMP timeouts, slow Telnet or SSH sessions)
UDLD flapping
IP SLAs failures because of SLAs responses beyond an acceptable threshold
DHCP or IEEE 802.1x failures if the switch does not forward or respond to requests
Layer 3 switches:
Note
Layer 3 functions are not supported on switches running the LAN base feature set.
Dropped packets or increased latency for packets routed in software
The default configuration for the switch allows an end user with physical access to the
switch to recover from a lost password by interrupting the boot process during power-on
and by entering a new password. These recovery procedures require that you have physical
access to the switch.
Note
On these switches, a system administrator can disable some of the functionality of
this feature by allowing an end user to reset a password only by agreeing to return
to the default configuration. If you are an end user trying to reset a password when
password recovery has been disabled, a status message shows this during the recovery
process.
SUMMARY STEPS
1.Connect a terminal or PC to the switch.
2.Set the line speed on the emulation software to 9600 baud.
3.On a switch, power off the standalone switch or the entire switch stack. On a
switch, power off the switch.
4.Reconnect the power cord to the or the . Within 15 seconds,
press the Mode button while the System LED is still
flashing green. Continue pressing the Mode button until all the system LEDs turn on and remain solid; then release the
Mode button.
5.After recovering the password, reload the switch or the .
6.Power on the remaining switches in the stack.
DETAILED STEPS
Step 1
Connect a terminal or PC to the switch.
Connect a terminal or a PC with terminal-emulation software to the switch console port. If you are recovering the password for a switch stack, connect to the console port of the or
Connect a PC to the Ethernet management port. If you are recovering the password for a switch stack, connect to the Ethernet management port of a stack member .
Step 2
Set the line speed on the emulation software to 9600 baud.
Step 3
On a switch, power off the standalone switch or the entire switch stack. On a
switch, power off the switch.
Step 4
Reconnect the power cord to the or the . Within 15 seconds,
press the Mode button while the System LED is still
flashing green. Continue pressing the Mode button until all the system LEDs turn on and remain solid; then release the
Mode button.
Several lines of information about the software appear with instructions,
informing you if the password recovery procedure has been disabled or not.
If you see a message that begins with this:
The system has been interrupted prior to initializing the flash file system. The following commands will initialize the flash file system
proceed to the Procedure with Password Recovery Enabled section,
and follow the steps.
If you see a message that begins with this:
The password-recovery mechanism has been triggered, but is currently disabled.
proceed to the Procedure with Password Recovery Disabled section,
and follow the steps.
Step 5
After recovering the password, reload the switch or the .
On a switch:
Switch> reload
Proceed with reload? [confirm] y
On the active switch:
Switch> reload slot <stack-active-member-number>
Proceed with reload? [confirm] y
If the password-recovery mechanism is enabled, this message appears:
The system has been interrupted prior to initializing the flash file system. The following commands will initialize the flash file system, and finish loading the operating system software:
flash_init
load_helper
boot
SUMMARY STEPS
1.Initialize the flash file system.
2.If disabled, enable switch password recovery with the following command.
3.Ignore the startup configuration with the following command.
4.Boot the switch with the packages.conf file from flash.
5. Terminate the initial configuration dialog by answering No.
6.At the switch prompt, enter privileged EXEC mode.
7.Copy the startup configuration to running configuration.
8.Enter global configuration mode and change the enable password.
9.Write the running configuration to the startup configuration file.
10.Confirm that manual boot mode is enabled.
11.Reload the switch.
12.Return the Bootloader parameters (previously changed in Steps 2 and 3) to their original values.
13.Boot the switch with the packages.conf file from flash.
14.After the switch boots up, disable manual boot on the switch.
DETAILED STEPS
Step 1
Initialize the flash file system.
switch: flash_init
Step 2
If disabled, enable switch password recovery with the following command.
switch: SWITCH_DISABLE_PASSWORD_RECOVERY=0
Step 3
Ignore the startup configuration with the following command.
switch: SWITCH_IGNORE_STARTUP_CFG=1
Step 4
Boot the switch with the packages.conf file from flash.
switch: boot flash:packages.conf
Step 5
Terminate the initial configuration dialog by answering No.
Would you like to enter the initial configuration dialog? [yes/no]: No
Step 6
At the switch prompt, enter privileged EXEC mode.
Switch> enable
Switch#
Step 7
Copy the startup configuration to running configuration.
Boot the switch with the packages.conf file from flash.
switch: boot flash:packages.conf
Step 14
After the switch boots up, disable manual boot on the switch.
Switch(config)# no boot manual
Procedure with Password Recovery Disabled
If the password-recovery mechanism is disabled, this message appears:
The password-recovery mechanism has been triggered, but
is currently disabled. Access to the boot loader prompt
through the password-recovery mechanism is disallowed at
this point. However, if you agree to let the system be
reset back to the default system configuration, access
to the boot loader prompt can still be allowed.
Would you like to reset the system back to the default configuration (y/n)?
Caution
Returning the switch to the default configuration results in the loss of all existing
configurations. We recommend that you contact your system administrator to verify if
there are backup switch and VLAN configuration files.
If you enter n (no), the normal boot process continues as if the
Mode button had not been pressed; you cannot access the boot loader
prompt, and you cannot enter a new password. You see the message:
Press Enter to continue........
If you enter y (yes), the configuration file in flash memory and the VLAN
database file are deleted. When the default configuration loads, you can reset the
password.
SUMMARY STEPS
1.Elect to continue with password recovery and lose the existing configuration:
2.Load any helper files:
3.Display the contents of flash memory:
4.Boot up the system:
5.At the switch prompt, enter privileged EXEC mode:
6.Enter global configuration mode:
7.Change the password:
8.Return to privileged EXEC mode:
9.Write the running configuration to the startup configuration file:
10.You must now reconfigure the switch. If the system administrator has the backup
switch and VLAN configuration files available, you should use those.
DETAILED STEPS
Step 1
Elect to continue with password recovery and lose the existing configuration:
Would you like to reset the system back to the default configuration (y/n)? Y
Step 2
Load any helper files:
Switch: load_helper
Step 3
Display the contents of flash memory:
switch: dir flash:
The switch file system appears.
Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 switch_image
16128000 bytes total (10003456 bytes free)
Step 4
Boot up the system:
Switch: boot
You are prompted to start the setup program. To continue with password recovery,
enter N at the prompt:
Continue with the configuration dialog? [yes/no]: N
Step 5
At the switch prompt, enter privileged EXEC mode:
Switch> enable
Step 6
Enter global configuration mode:
Switch# configure terminal
Step 7
Change the password:
Switch (config)# enable secretpassword
The secret password can be from 1 to 25 alphanumeric characters, can start with a
number, is case sensitive, and allows spaces but ignores leading spaces.
Step 8
Return to privileged EXEC mode:
Switch (config)# exitSwitch#
Note
Before continuing to Step 9, power on any connected stack members and wait
until they have completely initialized.
Step 9
Write the running configuration to the startup configuration file:
Switch# copy running-config startup-config
The new password is now in the startup configuration.
Note
This procedure is likely to leave your switch virtual interface in a shutdown
state. You can see which interface is in this state by entering the
show running-config privileged EXEC command. To
re-enable the interface, enter the interface vlanvlan-id global configuration command, and specify the
VLAN ID of the shutdown interface. With the switch in interface configuration
mode, enter the no shutdown command.
Step 10
You must now reconfigure the switch. If the system administrator has the backup
switch and VLAN configuration files available, you should use those.
Preventing Switch Stack Problems
Note
Make sure that the switches that you add to or remove from the switch stack are powered off. For all powering considerations in switch stacks, see the “Switch Installation” chapter in the hardware installation guide.
After adding or removing stack members, make sure that the switch stack is operating at full bandwidth (32 Gb/s). Press the Mode button on a stack member until the Stack mode LED is on. The last two port LEDs on the switch should be green. Depending on the switch model, the last two ports are either 10/100/1000 ports or small form-factor pluggable (SFP) module. If one or both of the last two port LEDs are not green, the stack is not operating at full bandwidth.
We recommend using only one CLI session when managing the switch stack. Be careful when using multiple CLI sessions to the . Commands that you enter in one session are not displayed in the other sessions. Therefore, it is possible that you might not be able to identify the session from which you entered a command.
Manually assigning stack member numbers according to the placement of the switches in the stack can make it easier to remotely troubleshoot the switch stack. However, you need to remember that the switches have manually assigned numbers if you add, remove, or rearrange switches later. Use the switch current-stack-member-number renumber new-stack-member-number
global configuration command to manually assign a stack member number.
If you replace a stack member with an identical model, the new switch functions with the exact same configuration as the replaced switch. This is also assuming the new switch is using the same member number as the replaced switch.
Removing powered-on stack members causes the switch stack to divide (partition) into two or more switch stacks, each with the same configuration. If you want the switch stacks to remain separate, change the IP address or addresses of the newly created switch stacks. To recover from a partitioned switch stack:
Power off the newly created switch stacks.
Reconnect them to the original switch stack through their StackWise Plus ports.
Power on the switches.
Preventing Autonegotiation Mismatches
The IEEE 802.3ab autonegotiation protocol manages the switch settings for speed (10 Mb/s, 100 Mb/s, and 1000 Mb/s, excluding SFP module ports) and duplex (half or full). There are situations when this protocol can incorrectly align these settings, reducing performance. A mismatch occurs under these circumstances:
A manually set speed or duplex parameter is different from the manually set speed or duplex parameter on the connected port.
A port is set to autonegotiate, and the connected port is set to full duplex with no autonegotiation.
To maximize switch performance and ensure a link, follow one of these guidelines when changing the settings for duplex and speed:
Let both ports autonegotiate both speed and duplex.
Manually set the speed and duplex parameters for the ports on both ends of the connection.
Note
If a remote device does not autonegotiate, configure the duplex settings on the two ports to match. The speed parameter can adjust itself even if the connected port does not autonegotiate.
Troubleshooting SFP Module Security and Identification
Cisco small form-factor pluggable (SFP) modules have a serial EEPROM that contains the
module serial number, the vendor name and ID, a unique security code, and cyclic redundancy
check (CRC). When an SFP module is inserted in the switch, the switch software reads the
EEPROM to verify the serial number, vendor name and vendor ID, and recompute the security
code and CRC. If the serial number, the vendor name or vendor ID, the security code, or CRC
is invalid, the software generates a security error message and places the interface in an
error-disabled state.
Note
The security error message references the GBIC_SECURITY facility. The switch supports
SFP modules and does not support GBIC modules. Although the error message text refers to
GBIC interfaces and modules, the security messages actually refer to the SFP modules and
module interfaces.
If you are using a non-Cisco SFP module, remove the SFP module from the switch, and replace
it with a Cisco module. After inserting a Cisco SFP module, use the errdisable
recovery cause gbic-invalid global configuration command to verify the
port status, and enter a time interval for recovering from the error-disabled state. After
the elapsed interval, the switch brings the interface out of the error-disabled state and
retries the operation.
If the module is identified as a Cisco SFP module, but the system is unable to read
vendor-data information to verify its accuracy, an SFP module error message is generated.
In this case, you should remove and re-insert the SFP module. If it continues to fail, the
SFP module might be defective.
You can check the physical or operational status of an SFP module by using the
show interfaces transceiver privileged EXEC command. This
command shows the operational status, such as the temperature and the current for an SFP
module on a specific interface and the alarm status. You can also use the command to check
the speed and the duplex settings on an SFP module.
Executing Ping
If you attempt to ping a host in a different IP subnetwork, you must define a static route
to the network or have IP routing configured to route between those subnets.
IP routing is disabled by default on all switches.
Note
Though other protocol keywords are available with the ping
command, they are not supported in this release.
Use this command to ping another device on the network
from the switch:
Command
Purpose
ping iphost | address
Switch# ping 172.20.52.3
Pings a remote host through IP or by supplying the hostname or network
address.
The switch monitors the temperature conditions and uses the temperature information to
control the fans.
Use the show env temperature status privileged EXEC command to display the temperature value,
state, and thresholds. The temperature value is the temperature in the switch (not the
external temperature).You can configure only the yellow threshold level (in Celsius) by
using the system env temperature threshold yellow value global configuration command to set the difference between the
yellow and red thresholds. You cannot configure the green or red thresholds.
Monitoring the Physical Path
You can monitor the physical path that a packet takes from a source device to a destination
device.
Table 1 Monitoring the Physical Path
Command
Purpose
tracetroute mac [interfaceinterface-id] {source-mac-address} [interfaceinterface-id] {destination-mac-address} [vlanvlan-id] [detail]
Displays the Layer 2 path taken by the packets from the specified source MAC address to the specified destination MAC address.
tracetroute mac ip {source-ip-address |
source-hostname}{destination-ip-address |
destination-hostname} [detail]
Displays the Layer 2 path taken by the packets from the specified source IP address or hostname to the specified destination IP address or hostname.
Executing IP Traceroute
Note
Though other protocol keywords are available with the
traceroute privileged EXEC command, they are not supported
in this release.
Command
Purpose
traceroute iphost
Switch# traceroute ip 192.51.100.1
Traces the path that packets take through the network.
When you run TDR on an interface, you can run it on the or a stack member.
To run TDR, enter the test cable-diagnostics tdr interfaceinterface-id privileged EXEC command:
To display the results, enter the show cable-diagnostics tdr interfaceinterface-id privileged EXEC command.
Redirecting Debug and Error Message Output
By default, the network server sends the output from debug
commands and system error messages to the console. If you use this default, you can use a
virtual terminal connection to monitor debug output instead of connecting to the console
port or the Ethernet management port.
Possible destinations include the console, virtual terminals, internal buffer, and UNIX
hosts running a syslog server. The syslog format is compatible with 4.3 Berkeley Standard
Distribution (BSD) UNIX and its derivatives.
Note
Be aware that the debugging destination you use affects system overhead. Logging
messages to the console produces very high overhead, whereas logging messages to a
virtual terminal produces less overhead. Logging messages to a syslog server produces
even less, and logging to an internal buffer produces the least overhead of any
method.
The output from the show platform forward privileged EXEC command
provides some useful information about the forwarding results if a packet entering an
interface is sent through the system. Depending upon the parameters entered about the
packet, the output provides lookup table results and port maps used to calculate forwarding
destinations, bitmaps, and egress information.
Most of the information in the output from the command is useful mainly for technical
support personnel, who have access to detailed information about the switch
application-specific integrated circuits (ASICs). However, packet forwarding information
can also be helpful in troubleshooting.
Configuring OBFL
Caution
We recommend that you do not disable OBFL and that you do not remove the data stored in
the flash memory.
To enable OBFL, use the hw-switch switch [switch-number]
logging onboard [message levellevel] global configuration command. On switches, the range for
switch-number is from 1 to 9. On switches, the switch number is always 1.
Use the message levellevel parameter to specify the severity of the hardware-related
messages that the switch generates and stores in the flash memory.
To copy the OBFL data to the local network or a specific file system, use the
copy onboard switchswitch-numberurl url-destination privileged EXEC command.
To disable OBFL, use the no hw-switch switch [switch-number]
logging onboard [message level] global configuration
command.
To clear all the OBFL data in the flash memory except for the uptime and CLI command
information, use the clear onboard switch switch-number privileged EXEC
command.
In a switch stack, you can enable OBFL on a standalone switch or on all stack members by
using the hw-switch switch [switch-number]
logging onboard [message levellevel] global configuration command.
You can enable or disable OBFL on a member switch from the .
Displays the OBFL CLI commands that were entered on a standalone switch or
the specified stack members.
show onboard switchswitch-numberenvironment
Switch# show onboard switch 1 environment
Displays the UDI information for a standalone switch or the specified stack
members and for all the connected FRU devices: the PID, the VID, and the
serial number.
show onboard switchswitch-numbermessage
Switch# show onboard switch 1 message
Displays the hardware-related messages generated by a standalone switch or
the specified stack members.
show onboard switch switch-numbercounter
Switch# show onboard switch 1 counter
Displays the counter information on a standalone switch or the
specified stack members.
show onboard switch switch-numbertemperature
Switch# show onboard switch 1 temperature
Displays the temperature of a standalone switch or the specified switch
stack members.
show onboard switchswitch-numberuptime
Switch# show onboard switch 1 uptime
Displays the time when a standalone switch or the specified stack members
start, the reason the standalone switch or specified stack members restart,
and the length of time that the standalone switch or specified stack members
have been running since they last restarted.
show onboard switch switch-numbervoltage
Switch# show onboard switch 1 voltage
Displays the system voltages of a standalone switch or the specified stack
members.
show onboard switch switch-numberstatus
Switch# show onboard switch 1 status
Displays the status of a standalone switch or the specified stack
members.
Verifying the Problem and Cause for High CPU Utilization: Example
To determine if high CPU utilization is a problem, enter the show processes cpu
sorted privileged EXEC command. Note the underlined information in the
first line of the output example.
Switch# show processes cpu sorted
CPU utilization for five seconds: 8%/0%; one minute: 7%; five minutes: 8%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
309 42289103 752750 56180 1.75% 1.20% 1.22% 0 RIP Timers
140 8820183 4942081 1784 0.63% 0.37% 0.30% 0 HRPC qos request
100 3427318 16150534 212 0.47% 0.14% 0.11% 0 HRPC pm-counters
192 3093252 14081112 219 0.31% 0.14% 0.11% 0 Spanning Tree
143 8 37 216 0.15% 0.01% 0.00% 0 Exec
...
<output truncated>
This example shows normal CPU utilization. The output shows that utilization for the last
5 seconds is 8%/0%, which has this meaning:
The total CPU utilization is 8 percent, including both time running Cisco IOS
processes and time spent handling interrupts
The time spent handling interrupts is zero percent.
Table 3 Troubleshooting CPU Utilization Problems
Type of Problem
Cause
Corrective Action
Interrupt percentage value is almost as high as total CPU utilization
value.
The CPU is receiving too many packets from the network.
Determine the source of the network packet. Stop the flow, or change the
switch configuration. See the section on “Analyzing Network Traffic.”
Total CPU utilization is greater than 50% with minimal time spent on
interrupts.
One or more Cisco IOS process is consuming too much CPU time. This is
usually triggered by an event that activated the process.
Identify the unusual event, and troubleshoot the root cause. See the section
on “Debugging Active Processes.”
Scenarios for Troubleshooting the Software Configuration
Scenarios to Troubleshoot Power over Ethernet (PoE)
Table 4 Power Over Ethernet Troubleshooting Scenarios
Symptom or problem
Possible cause and solution
No PoE on only one port.
Trouble is on only one switch port. PoE and non-PoE devices do not work on
this port, but do on other ports.
Verify that the powered device works on another PoE port.
Use the show run, show interface
status, or show power inline
detail user EXEC commands to verify that the port is not
shut down or error disabled.
Note
Most switches turn off port power when the port is shut down, even though
the IEEE specifications make this optional.
Verify that the Ethernet cable from the powered device to the switch port is
good: Connect a known good non-PoE Ethernet device to the Ethernet cable,
and make sure that the powered device establishes a link and exchanges
traffic with another host.
Verify that the total cable length from the switch front panel to the
powered device is not more than 100 meters.
Disconnect the Ethernet cable from the switch port. Use a short Ethernet
cable to connect a known good Ethernet device directly to this port on the
switch front panel (not on a patch panel). Verify that it can establish an
Ethernet link and exchange traffic with another host, or ping the port VLAN
SVI. Next, connect a powered device to this port, and verify that it powers
on.
If a powered device does not power on when connected with a patch cord to
the switch port, compare the total number of connected powered devices to
the switch power budget (available PoE). Use the show inline
power and show inline power
detail commands to verify the amount of available
power.
No PoE on all ports or a group of ports.
Trouble is on all switch ports. Nonpowered Ethernet devices cannot establish
an Ethernet link on any port, and PoE devices do not power on.
If there is a continuous, intermittent, or reoccurring alarm related to
power, replace the power supply if possible it is a field-replaceable unit.
Otherwise, replace the switch.
If the problem is on a consecutive group of ports but not all ports, the
power supply is probably not defective, and the problem could be related to
PoE regulators in the switch.
Use the show log privileged EXEC command to review
alarms or system messages that previously reported PoE conditions or status
changes.
If there are no alarms, use the show interface
status command to verify that the ports are not shut down
or error-disabled. If ports are error-disabled, use the
shut and no shut
interface configuration commands to re-enable the ports.
Use the show env power and show power
inline privileged EXEC commands to review the PoE status
and power budget (available PoE).
Review the running configuration to verify that power inline
never is not configured on the ports.
Connect a nonpowered Ethernet device directly to a switch port. Use only a
short patch cord. Do not use the existing distribution cables. Enter the
shut and no shut
interface configuration commands, and verify that an Ethernet link is
established. If this connection is good, use a short patch cord to connect a
powered device to this port and verify that it powers on. If the device
powers on, verify that all intermediate patch panels are correctly
connected.
Disconnect all but one of the Ethernet cables from switch ports. Using a
short patch cord, connect a powered device to only one PoE port. Verify the
powered device does not require more power than can be delivered by the
switch port.
Use the show power inline privileged EXEC command
to verify that the powered device can receive power when the port is not
shut down. Alternatively, watch the powered device to verify that it powers
on.
If a powered device can power on when only one powered device is connected
to the switch, enter the shut and no
shut interface configuration commands on the remaining
ports, and then reconnect the Ethernet cables one at a time to the switch
PoE ports. Use the show interface status and
show power inline privileged EXEC commands
to monitor inline power statistics and port status.
If there is still no PoE at any port, a fuse might be open in the PoE
section of the power supply. This normally produces an alarm Check the log
again for alarms reported earlier by system messages.
Cisco IP Phone disconnects or resets.
After working normally, a Cisco phone or wireless access point
intermittently reloads or disconnects from PoE.
Verify all electrical connections from the switch to the powered device. Any
unreliable connection results in power interruptions and irregular powered
device functioning such as erratic powered device disconnects and reloads.
Verify that the cable length is not more than 100 meters from the switch
port to the powered device.
Notice what changes in the electrical environment at the switch location or
what happens at the powered device when the disconnect occurs?
Notice whether any error messages appear at the same time a disconnect
occurs. Use the show log privileged EXEC command
to review error messages.
Verify that an IP phone is not losing access to the Call Manager immediately
before the reload occurs. (It might be a network problem and not a PoE
problem.)
Replace the powered device with a non-PoE device, and verify that the device
works correctly. If a non-PoE device has link problems or a high error rate,
the problem might be an unreliable cable connection between the switch port
and the powered device.
Non-Cisco powered device does not work on Cisco PoE switch.
A non-Cisco powered device is connected to a Cisco PoE switch, but never
powers on or powers on and then quickly powers off. Non-PoE devices work
normally.
Use the show power inline command to verify that
the switch power budget (available PoE) is not depleted before or after the
powered device is connected. Verify that sufficient power is available for
the powered device type before you connect it.
Use the show interface status command to verify
that the switch detects the connected powered device.
Use the show log command to review system messages
that reported an overcurrent condition on the port. Identify the symptom
precisely: Does the powered device initially power on, but then disconnect?
If so, the problem might be an initial surge-in (or inrush) current
that exceeds a current-limit threshold for the port.
Switch# ping 172.20.52.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch#
Table 5 Ping Output Display Characters
Character
Description
!
Each exclamation point means receipt of a reply.
.
Each period means the network server timed out while waiting for a
reply.
U
A destination unreachable error PDU was received.
C
A congestion experienced packet was received.
I
User interrupted test.
?
Unknown packet type.
&
Packet lifetime exceeded.
To end a ping session, enter the escape sequence (Ctrl-^ X by default).
Simultaneously press and release the Ctrl, Shift, and 6 keys and
then press the X key.
This example shows how to perform a traceroute to an IP
host:
Switch# traceroute ip 192.0.2.10
Type escape sequence to abort.
Tracing the route to 192.0.2.10
1 192.0.2.1 0 msec 0 msec 4 msec
2 192.0.2.203 12 msec 8 msec 0 msec
3 192.0.2.100 4 msec 0 msec 0 msec
4 192.0.2.10 0 msec 4 msec 0 msec
The display shows the hop count, the IP address of the router, and the round-trip time
in milliseconds for each of the three probes that are sent.
Table 6 Traceroute Output Display Characters
Character
Description
*
The probe timed out.
?
Unknown packet type.
A
Administratively unreachable. Usually, this output means that an access
list is blocking traffic.
H
Host unreachable.
N
Network unreachable.
P
Protocol unreachable.
Q
Source quench.
U
Port unreachable.
To end a trace in progress, enter the escape sequence (Ctrl-^ X by default).
Simultaneously press and release the Ctrl, Shift, and 6 keys and
then press the X key.
Because debugging output takes priority over other network traffic, and because the
debug all privileged EXEC command generates more output
than any other debug command, it can severely diminish switch
performance or even render it unusable. In virtually all cases, it is best to use more
specific debug commands.
This command disables all-system diagnostics:
Switch# debug all
The no debug all privileged EXEC command disables all diagnostic
output. Using the no debug all command is a convenient way to
ensure that you have not accidentally left any debug commands
enabled.
The Cisco Support website provides extensive online resources,
including documentation and tools for troubleshooting and
resolving technical issues with Cisco products and technologies.
To receive security and technical information about your
products, you can subscribe to various services, such as the
Product Alert Tool (accessed from Field Notices), the Cisco
Technical Services Newsletter, and Really Simple Syndication
(RSS) Feeds.
Access to most tools on the Cisco Support website requires a
Cisco.com user ID and password.