Cisco – How to identify unknown protocols on the Cisco 2811

ciscotroubleshooting

I have a misbehaving Cisco 2811. It serves our office of 20 with internet and phones via Call Manager Express. Except that lately the phones aren't working right and internet is choppy. The outside interface attached to our ISP is fine. The inside interface is attached to a 2960 where our internal network is connected. There are obvious issues in the show interface:

    FastEthernet0/1 is up, line protocol is up 
  Hardware is MV96340 Ethernet, address is 001b.d40a.e071 (bia 001b.d40a.e071)
  Internet address is 192.168.1.254/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec, 
     reliability 255/255, txload 13/255, rxload 19/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID  1., loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:54:10
  Input queue: 1/150/420/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 7463000 bits/sec, 1038 packets/sec
  5 minute output rate 5244000 bits/sec, 880 packets/sec
     3021883 packets input, 2691686783 bytes
     Received 7649 broadcasts, 0 runts, 0 giants, 95 throttles
     2155 input errors, 0 CRC, 0 frame, 0 overrun, 2155 ignored
     0 watchdog
     0 input packets with dribble condition detected
     2537251 packets output, 1717084791 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     464 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

I have replaced the cable with a brand new one, with no effect. I have set the switchport nonegotiate on the 2960 it is attached to. I have verified that the settings are the same on both interfaces (100M, Auto/Auto). I have ensured CDP is on, and keepalives are off.

I am remote today, but I'm going to put a SPAN port on the 2960 tomorrow to try to get more info. Is there anything else I can do to figure out where these problems are coming from?

I did a sho interface mac-accounting and one person's computer is sending about 80% of the total traffic to the router…2800M bytes out of 3100M bytes total. My assistant checked on her PC and found nothing out of the ordinary.

EDIT:

By request, here's the sh int from the switch port:

GigabitEthernet1/0/48 is up, line protocol is up (connected) 
  Hardware is Gigabit Ethernet, address is b414.89ba.32b0 (bia b414.89ba.32b0)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, 
     reliability 255/255, txload 22/255, rxload 4/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported 
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:03, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 20147
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1883000 bits/sec, 693 packets/sec
  5 minute output rate 8721000 bits/sec, 1020 packets/sec
     64561402 packets input, 46701593519 bytes, 0 no buffer
     Received 109892 broadcasts (102372 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 102372 multicast, 0 pause input
     0 input packets with dribble condition detected
     66138056 packets output, 36914890016 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Best Answer

So, going off a troubleshooting background, I'd look at it this way.

Everything is choppy/slow right? Internet and phones. And you've shown us the interface statistics. I'm looking at this bit here:

   ->3021883 packets input, 2691686783 bytes
->Received 7649 broadcasts, 0 runts, 0 giants, 95 throttles
->2155 input errors, 0 CRC, 0 frame, 0 overrun, 2155 ignored
->464 unknown protocol drops

First, lets eliminate the easy one, protocol drops and input errors. 464 drops accounts for 0.01% of those 3,021,883 packets input, again the input errors are a similar story. These things do happen occasionally, it is a concern that you have any, but I'm willing to bet you would say its worse than 0.01% slower right?

So anyway, the throttles may shed some light on the issues, throttles happen when then the device is overloaded. So that might be something to look into.

Slowness is a pain in the bum to diagnose though, I'd really try to tie it down to a time period, maybe stay late one night when most people have gone and see if its still slow? 90% of the time, I've found all slowness is capacity related.

So a few things to check.

  • Check the CPU usage ("show process cpu history") and see if there have been any peaks at all.
  • Are you using QoS? check for drops on the interface ("show policy-map interface xx/xx)
  • How many VLANs are you running? I assume you'll be using a router-on-a-stick setup if so?

I personally suspect some sort of CPU/Memory bottleneck somewhere, this wont show up on normal interface show commands. From the show command you've pasted, I don't see any "real" problems, nothing that would be causing noticeable issues.

Also, give it a reboot. You never know :)

Related Topic