Global Protocol Classifications

As mentioned, each layer of the OSI model utilizes specific protocols that enable the layer to perform
the necessary functions and communicate with adjacent layers. Each protocol has specific
properties based on the functions that it needs to accomplish. Throughout all seven layers, there
are two major protocol classifications: connection-oriented and connectionless.

The OSI Reference Model

This section is a review of the OSI model, which was originally discussed in CCNA: Cisco Certified
Network Associate Study Guide, 4th ed., by Todd Lammle (Sybex, 2004). The OSI model (the Open
Systems Interconnection reference model) is the template used to design applications
or protocols that allow nonhomogenous computers or networks to communicate with one
another. The ISO (International Organization for Standardization) developed the OSI model.
The OSI model consists of seven layers. Each layer communicates directly with its adjacent layers,
as well as with the corresponding layer of the destination system (depicted in Figure 36.1).
Communication between layers facilitates the transfer of data up and down the OSI model. Communication
between the corresponding layers of the source system and the destination system
enables two heterogeneous networks or computers to understand each other.
The OSI template defines the services and roles that each layer is to provide. Because each
layer provides different services and functions, the layers need to communicate so that the data
can be transmitted up and down the seven layers and onto the destination system. The following
list summarizes the responsibility of each of the seven layers, starting from the Physical layer
and working up to the Application layer:

Physical: This layer sends and receives bits with values of 1s and 0s. The Physical layer is
in charge of determining how it sends these values. If the physical connection between two
machines is fiber-optic, then the Physical layer has to use light to transmit the 1s and 0s. If
the connection is electrical, then electrical signals are sent to represent the 1s and 0s.

Data Link: This layer takes all the data that is accumulated as packets are handed from one layer
to the next and then packages it into frames. The Data Link layer equates the Network layer address
(IP address) to a data link address, or MAC address, of the next hop. Once the physical address is
known, the frame is sent to that address. The receiving interface uses the Data Link layer to extract
the packet from the frame, discards the frame, and then sends the packet up to the Network layer.

Network: This layer defines the topology of the network through the use of logical addressing.
Routing protocols use this information to route packets.

Transport: This layer takes care of end-to-end communications. It is responsible for the
connection to the destination system, as well as for packet segmentation and assembly. The
Transport layer includes both connection-oriented and connectionless protocols (for example,
TCP and UDP).

Session: This layer is responsible for coordinating communication among applications, which
it does through dialog-control methods.

Presentation: This layer negotiates syntax, so it is responsible for the proper method of presenting
the data to the Application layer. Some of the Presentation layer functions are
compression/decompression and encryption/decryption of data.

Application: This is the user and application interface. The Application layer is responsible for
data exchange and job management. It also handles file, print, message, database, and application
services.

You saw how the logical data flow of the OSI model works, but look at Figure 36.2, in
which you can see the actual data flow. This figure depicts data that is handed from the Application
layer all the way down to the Physical layer. At that point, the data is transmitted
across any variety of physical media to the next hop, or destination system. Once the 1s and
0s arrive at the Physical layer of the destination system, the information is sent to layer 2 (the
Data Link layer). This layer discards the frame, and then the extracted packet is handed up
to the Network layer. The network packet header is stripped off, and the resulting packet is
handed up to the Transport layer. This process is repeated for each layer until it arrives at the
Application layer.
Now that each layer of the OSI reference model has been explained briefly, you need to
focus on the functions of each layer in detail. This detail provides the necessary background
and information to effectively troubleshoot network problems that occur within specific layers
of the OSI model.

Protocol Attributes

THE CCNP EXAM TOPICS COVERED IN THIS BLOG INCLUDE THE FOLLOWING:

Verify network connectivity.

Use the optimal troubleshooting approach in resolving network problems.

Minimize downtime during troubleshooting.

Use Cisco IOS commands to identify problems.

Determine the layer or layers on which a problem is occurring.

As you know, to successfully troubleshoot network problems, it is
important to have a good understanding of how network components,
including PCs and servers, communicate with each other.
Without this basic knowledge, troubleshooting a network problem is like trying to read a book in
a foreign language. The information is there, but it just isn’t comprehensible. Although the troubleshooting
model discussed in Chapter 33, “Troubleshooting Methodology,” provides the method of
retrieving all the necessary information, the data is useless without an understanding of the information
presented.
This chapter is a review of the protocols used by layers 2, 3, and 4 of the OSI model. We briefly
review the seven layers of the OSI model, and then discuss how they communicate with one another.
We then discuss layer 2 and layer 3 protocols. More specific information on some of the material
covered here can be found in later chapters and is cross-referenced here where appropriate.

End-System Documentation and Troubleshooting Exam Essentials

Know what end-system network configuration tables are and the information they contain.
End-system network configuration tables are used to record key settings of end systems in the
network. Items commonly included in an end-system network configuration table are system
name, system manufacturer/model, CPU speed, RAM, storage, system purpose, media type,
interface speed, VLAN, IP address, default gateway, subnet mask, WINS, DNS, operating system
(including version), network-based applications, high-bandwidth applications, and low-latency
applications.

Know what end-system network topology diagrams are and the information they contain.
End-system network topology diagrams are graphical representations of the network and are
usually built with many of the same components as the end-system network configuration
tables. Some common components of the end-system network topology diagram are system
name, connection to the network, system purpose, VLAN, IP address, subnet mask, and network
applications.

Know the commands to discover information and troubleshoot end systems. There are Unix
and Windows versions of the discovery and troubleshooting commands, and many of them correlate
directly to Cisco IOS commands. Some of these commands are arp, ifconfig, ipconfig,
netstat, ping, route, telnet, and traceroute.

End-System Documentation and Troubleshooting Summary

End-system documentation is just as important as the network documentation in terms of the overall
documentation strategy. The two main components that make up end-system documentation are
the end-system network configuration table and the end-system network topology diagram.
End-system network configuration tables are documents that show the key configuration
parameters in place on the end systems in the network. Some of the common items in an end-system
network configuration table are the system name, system manufacturer/model, CPU
speed, RAM, storage, system purpose, media type, interface speed, VLAN, IP address, default
gateway, subnet mask, WINS, DNS, operating system (including version), network-based applications,
high-bandwidth applications, and low-latency applications. The specific items included
on the end-system network configuration table depend on the purpose of the documentation. In
most cases, the end-system table is kept in a spreadsheet or database format. As is the case with
all the documentation covered in this book, be sure to keep hardcopies of the documents to use
in the event of a network outage.
End-system network topology diagrams are graphical representations of the end systems in
the network. In many cases, they are just additions to the network topology diagram; however,
they can be their own entity. The data included in an end-system network topology diagram is
usually a small subset of that maintained in the end-system network configuration tables. The
topology diagrams are meant to make the network administrator better able to visualize the
path across the network. Some of the standard items that go into an end-system network topology
are system name, connection to the network, system purpose, VLAN, IP address, subnet
mask, and network applications.
Finally, in this chapter we covered a number of commands that can be used to effectively
troubleshoot problems on end systems. These commands include ping and its record route
option, traceroute, arp, route, nbtstat, netstat, and ipconfig. All of these commands
have Windows NT/2000/XP and Unix equivalents, and most have a direct relationship to a
Cisco IOS command.

The nbtstat Command

As was touched on earlier, Windows systems can also use WINS (NetBIOS) to resolve names
into IP addresses. In these cases the ipconfig /displaydns command will not show these
associations. In order to view this information you need to use the nbtstat command. The
options that are available for this command are listed in the following example:

C:\>nbtstat /?

Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-RR] [-s] [-S] [interval] ]

  -a   (adapter status) Lists the remote machine's name table given its name
  -A   (Adapter status) Lists the remote machine's name table given its IP
                        address.
  -c   (cache)          Lists NBT's cache of remote [machine] names and their
                        IP addresses
  -n   (names)          Lists local NetBIOS names.
  -r   (resolved)       Lists names resolved by broadcast and via WINS
  -R   (Reload)         Purges and reloads the remote cache name table
  -S   (Sessions)       Lists sessions table with the destination IP addresses
  -s   (sessions)       Lists sessions table converting destination IP
                        addresses to computer NETBIOS names.
  -RR  (ReleaseRefresh) Sends Name Release packets to WINS and then, starts
                        Refresh

  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds between
               each display. Press Ctrl+C to stop redisplaying statistics.

The two options that you will most likely use in a troubleshooting situation are the -c and
-R options. The -c option is used to display the current name resolution cache, and the -R option
is used to clear this cache. Sample output from both of these commands is displayed here:

C:\>nbtstat -c

Local Area Connection:
Node IpAddress: [10.1.1.1] Scope Id: []

            NetBIOS Remote Cache Name Table

    Name              Type       Host Address      Life [sec]
    ------------------------------------------------------------
    MICHELE   <20>    UNIQUE     10.2.2.2          570
    NERMAL    <20>    UNIQUE     10.100.100.100    580
    NERMAL    <00>    UNIQUE     10.100.100.100    575
    PICASO    <42>    UNIQUE     10.8.8.8          415
    ALEX      <20>    UNIQUE     10.9.9.9          582
    LEAH      <20>    UNIQUE     10.10.10.10       492

\Device\NetBT_Tcpip_{D84EDBA9-F40F-4AFF-8409-24613C6A325B}:

C:\> nbtstat -R
Successful purge and preload of the NBT Remote Cache Name Table.

The ipconfig Command

The “Creating an End-System Network Configuration Table” section earlier in this chapter
introduced the ipconfig command used with the /all option. While this option is useful for
gathering information on a system, other options in the ipconfig command are helpful
for troubleshooting purposes.
The first of these options are the /release and /renew options, which are used to release
and renew DHCP addresses. Here are two examples:

C:\>ipconfig /release

Windows IP Configuration

Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 0.0.0.0
    Subnet Mask . . . . . . . . . . . : 0.0.0.0
    Default Gateway . . . . . . . . . :

C:\WINDOWS\system32>ipconfig /renew

Windows IP Configuration

Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 10.22.5.3
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.22.5.1

The next option useful in troubleshooting is the /displaydns option. It allows you to see the
DNS-name-to-IP-address cache that is on the workstation. The following output is from an XP
machine right after pinging www.cisco.com:

C:\>ipconfig /displaydns

Windows IP Configuration

    ns1.cisco.com
    ----------------------------------------
    Record Name . . . . . : ns1.cisco.com
    Record Type . . . . . : 1
    Time To Live . . . . : 86227
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 128.107.241.185

    1.0.0.127.in-addr.arpa
    ----------------------------------------
    Record Name . . . . . : 1.0.0.127.in-addr.arpa.
    Record Type . . . . . : 12
    Time To Live . . . . : 0
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    PTR Record . . . . . : localhost

    ns2.cisco.com
    ----------------------------------------
    Record Name . . . . . : ns2.cisco.com
    Record Type . . . . . : 1
    Time To Live . . . . : 86227
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.135.250.69

    www.cisco.com
    ----------------------------------------
    Record Name . . . . . : www.cisco.com
    Record Type . . . . . : 1
    Time To Live . . . . : 86227
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.133.219.25

    Record Name . . . . . : ns1.cisco.com
    Record Type . . . . . : 1
    Time To Live . . . . : 86227
    Data Length . . . . . : 4
    Section . . . . . . . : Additional
    A (Host) Record . . . : 128.107.241.185

    Record Name . . . . . : ns2.cisco.com
    Record Type . . . . . : 1
    Time To Live . . . . : 86227
    Data Length . . . . . : 4
    Section . . . . . . . : Additional
    A (Host) Record . . . : 192.135.250.69

    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 1
    Time To Live . . . . : 0
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1

In addition to the local DNS cache on the machine, Internet Explorer (IE) keeps its
own name resolution cache. By default, names are cached in Internet Explorer
versions 4.0 or higher for 30 minutes, and for 24 hours in IE versions below 4.0.
Shutting down Internet Explorer and restarting it will refresh this cache.

The final option for the ipconfig command that we will discuss is /flushdns, which is complementary
to the /displaydns option. The /flushdns option clears out all entries in the DNS
cache on the workstation. This works out well for troubleshooting stale DNS entries. The output
of the command is shown here:

C:\>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\>

The netstat Command

The netstat command is used to display current connections to the end system. This can be useful
in a troubleshooting scenario to assist in the verification of connectivity. In addition to the IP
addresses of the connections, the netstat command also shows the port the connections are
using. The Windows NT/2000/XP options and sample output of the command are shown here:

C:\>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-o] [-s] [-p proto] [-r] [interval]

  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics. By default, statistics
                are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and
                UDPv6; the -p option may be used to specify a subset of the
                default.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display. Press CTRL+C to stop redisplaying
                statistics. If omitted, netstat will print the current
                configuration information once.

C:\>netstat -n

Active Connections

  Proto  Local Address      Foreign Address      State
  TCP    10.12.1.11:3718    10.215.198.192:80    ESTABLISHED
  TCP    10.12.1.11:3719    10.215.198.153:80    ESTABLISHED
  TCP    10.12.1.11:3722    10.215.198.6:80      ESTABLISHED
  TCP    10.12.1.11:3724    10.12.1.100:139      ESTABLISHED
  TCP    10.12.1.11:3726    10.255.37.1:23       ESTABLISHED

The Unix version of the command is very similar to the Windows version. Its options and
sample output are as follows:

unix1% netstat -help
usage: netstat [-adgimnprsDMv] [-I interface] [interval]

unix1% netstat -n

TCP
Local Address     Remote Address    Swind Send-Q Rwind Recv-Q State
----------------- ----------------- ----- ------ ----- ------ ------
10.4.132.58.32891 10.4.132.58.162   57344      0 57344      0 ESTAB
10.4.132.58.162   10.4.132.58.32891 57344      0 57344      0 ESTAB
10.4.132.58.53074 10.4.128.10.1960  24820      0  8760      0 ESTAB
10.4.132.58.38090 10.104.108.13.1960 62780      0  8760      0 ESTAB
...
...
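
The two samples above write the same endpoint differently (10.12.1.11:3718 on Windows, 10.4.132.58.32891 on Unix). The following Python sketch is an added example, not part of the original text: it parses both layouts into one structure so that a connectivity check can be scripted. The function names are illustrative, and the sample rows are copied from the output shown above.

```python
import re
from collections import Counter

# Rows copied from the Windows `netstat -n` sample above.
WINDOWS_SAMPLE = """\
Proto Local Address Foreign Address State
TCP 10.12.1.11:3718 10.215.198.192:80 ESTABLISHED
TCP 10.12.1.11:3719 10.215.198.153:80 ESTABLISHED
TCP 10.12.1.11:3722 10.215.198.6:80 ESTABLISHED
TCP 10.12.1.11:3724 10.12.1.100:139 ESTABLISHED
TCP 10.12.1.11:3726 10.255.37.1:23 ESTABLISHED
"""

# Rows copied from the Unix `netstat -n` sample above.
UNIX_SAMPLE = """\
Local Address Remote Address Swind Send-Q Rwind Recv-Q State
10.4.132.58.32891 10.4.132.58.162 57344 0 57344 0 ESTAB
10.4.132.58.162 10.4.132.58.32891 57344 0 57344 0 ESTAB
10.4.132.58.53074 10.4.128.10.1960 24820 0 8760 0 ESTAB
10.4.132.58.38090 10.104.108.13.1960 62780 0 8760 0 ESTAB
"""

# Four dotted octets, then ':' (Windows) or '.' (Unix sample) and the port.
ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})[:.](\d{1,5})$")
STATE_ALIASES = {"ESTAB": "ESTABLISHED"}  # abbreviation used in the Unix sample


def parse_endpoint(token):
    """Return (ip, port) for an address token, or None for any other field."""
    m = ENDPOINT.match(token)
    return (m.group(1), int(m.group(2))) if m else None


def parse_netstat(text):
    """Parse either layout into dicts with local, remote and state keys."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        endpoints = [ep for ep in map(parse_endpoint, fields) if ep]
        if len(endpoints) != 2:
            continue  # header, separator or blank line
        state = fields[-1].upper()
        conns.append({"local": endpoints[0], "remote": endpoints[1],
                      "state": STATE_ALIASES.get(state, state)})
    return conns


def remote_ports(conns):
    """Count established connections per remote port."""
    return dict(Counter(c["remote"][1] for c in conns
                        if c["state"] == "ESTABLISHED"))


def established_to(conns, ip, port):
    """True if an established connection to ip:port is present."""
    return any(c["remote"] == (ip, port) and c["state"] == "ESTABLISHED"
               for c in conns)


if __name__ == "__main__":
    win = parse_netstat(WINDOWS_SAMPLE)
    print(remote_ports(win))
    print(established_to(win, "10.12.1.100", 139))
    print(parse_netstat(UNIX_SAMPLE)[3]["remote"])
```

The per-port summary of the Windows sample also makes the Telnet (port 23) and NetBIOS session (port 139) connections easy to pick out when reviewing which services an end system is talking to.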

The route Command

If an end station has multiple interfaces, it can be useful to know which of these interfaces is
being used for particular destinations. In these cases, for both Windows NT/2000/XP stations
and Unix stations, you can use the route command. The following are the options and the syntax
for displaying the routing table for Windows NT/2000/XP:

C:\>route /?

Manipulates network routing tables.

ROUTE [-f] [-p] [command [destination] [MASK netmask] [gateway]
      [METRIC metric] [IF interface]

  -f           Clears the routing tables of all gateway entries. If this is
               used in conjunction with one of the commands, the tables are
               cleared prior to running the command.
  -p           When used with the ADD command, makes a route persistent across
               boots of the system. By default, routes are not preserved when
               the system is restarted. Ignored for all other commands, which
               always affect the appropriate persistent routes. This option
               is not supported in Windows 95.
  command      One of these:
                 PRINT     Prints a route
                 ADD       Adds a route
                 DELETE    Deletes a route
                 CHANGE    Modifies an existing route
  destination  Specifies the host.
  MASK         Specifies that the next parameter is the 'netmask' value.
  netmask      Specifies a subnet mask value for this route entry. If not
               specified, it defaults to 255.255.255.255.
  gateway      Specifies gateway.
  interface    The interface number for the specified route.
  METRIC       Specifies the metric, ie. cost for the destination.

All symbolic names used for destination are looked up in the network Database
file NETWORKS. The symbolic names for gateway are looked up in the host name
database file HOSTS.

If the command is PRINT or DELETE. Destination or gateway can be a wildcard,
(wildcard is specified as a star '*'), or the gateway argument may be omitted.

If Dest contains a * or ?, it is treated as a shell pattern, and only matching
destination routes are printed. The '*' matches any string, and '?' matches
any one char. Examples: 157.*.1, 157.*, 127.*, *224*.

Diagnostic Notes:
    Invalid MASK generates an error, that is when (DEST & MASK) != DEST.
    Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1
             The route addition failed: The specified mask parameter is
             invalid. (Destination & Mask) != Destination.

Examples:

    > route PRINT
    > route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2
             destination^      ^mask     ^gateway     metric^    ^
                                                        Interface^
      If IF is not given, it tries to find the best interface for a
      given gateway.
    > route PRINT
    > route PRINT 157*          .... Only prints those matching 157*
    > route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2
      CHANGE is used to modify gateway and/or metric only.
    > route PRINT
    > route DELETE 157.0.0.0
    > route PRINT

C:\>route print
=======================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ... 00 04 f2 cd 65 1f...... NVIDIA nForce MCP Networking Adapter - Packet Scheduler Miniport
=======================================================================
=======================================================================
Active Routes:
Network Destination  Netmask          Gateway     Interface   Metric
0.0.0.0              0.0.0.0          10.12.1.1   10.12.1.11  20
127.0.0.0            255.0.0.0        127.0.0.1   127.0.0.1   1
10.12.1.0            255.255.255.0    10.12.1.11  10.12.1.11  20
10.12.1.11           255.255.255.255  127.0.0.1   127.0.0.1   20
10.12.1.255          255.255.255.255  10.12.1.11  10.12.1.11  20
224.0.0.0            240.0.0.0        10.12.1.11  10.12.1.11  20
255.255.255.255      255.255.255.255  10.12.1.11  10.12.1.11  1
Default Gateway: 10.12.1.1
=======================================================================
Persistent Routes:
None

For the Unix side of things, the options and sample printout are as follows:

unix1% route
usage: route [ -fnqv ] cmd [[ - ] args ]

unix1% route -n
Kernel IP routing table
Destination  Gateway    Genmask        Flags  Metric  Ref  Use  Iface
10.12.1.0    0.0.0.0    255.255.255.0  U      0       0    0    hme0
127.0.0.0    0.0.0.0    255.0.0.0      U      0       0    0    lo
0.0.0.0      10.12.1.1  0.0.0.0        UG     0       0    0    hme0

In addition to printing out the routing table, the route command can also be used to add or
delete static routes if they are needed.
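
To see which entry of the Windows routing table above a given destination actually uses, the following Python sketch (an added example, not part of the original text) parses the Active Routes rows, applies the (DEST & MASK) == DEST check quoted in the help text, and picks the route by longest matching prefix with the lowest metric as tie-breaker. The function names are illustrative; the rows are copied from the route print sample.

```python
import ipaddress

# Active Routes rows copied from the `route print` sample above:
# destination, netmask, gateway, interface, metric.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 10.12.1.1 10.12.1.11 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
10.12.1.0 255.255.255.0 10.12.1.11 10.12.1.11 20
10.12.1.11 255.255.255.255 127.0.0.1 127.0.0.1 20
10.12.1.255 255.255.255.255 10.12.1.11 10.12.1.11 20
224.0.0.0 240.0.0.0 10.12.1.11 10.12.1.11 20
255.255.255.255 255.255.255.255 10.12.1.11 10.12.1.11 1
"""


def mask_is_valid(dest, mask):
    """The test behind 'The specified mask parameter is invalid'."""
    d = int(ipaddress.IPv4Address(dest))
    m = int(ipaddress.IPv4Address(mask))
    return (d & m) == d


def parse_routes(text):
    """Turn the five-column rows into route dicts; reject invalid masks."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header or separator line
        dest, mask, gateway, iface, metric = fields
        if not mask_is_valid(dest, mask):
            raise ValueError(f"(Destination & Mask) != Destination: {dest} {mask}")
        routes.append({
            "net": ipaddress.IPv4Network(f"{dest}/{mask}"),
            "gateway": gateway,
            "interface": iface,
            "metric": int(metric),
        })
    return routes


def select_route(routes, target):
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(target)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for target in ("10.12.1.100", "10.255.37.1", "10.12.1.11"):
        r = select_route(table, target)
        print(f"{target:<12} -> {r['net']} via {r['gateway']} on {r['interface']}")
```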

The arp Command

Although the arp command was covered in the earlier discovery section, it is being repeated
here because it can be a very meaningful part of the troubleshooting process. As is the case on
the routers, sometimes it is necessary to verify that the layer-2-to-layer-3 translation is working
as expected on the end system. In both Unix and Windows NT/2000/XP systems, the command
to display this information is arp -a. The command options and sample output from an XP box
are as follows:

C:\>arp /?

Displays and modifies the IP-to-Physical address translation tables
used by address resolution protocol (ARP).

ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr]

  -a            Displays current ARP entries by interrogating the current
                protocol data. If inet_addr is specified, the IP and Physical
                addresses for only the specified computer are displayed. If
                more than one network interface uses ARP, entries for each ARP
                table are displayed.
  -g            Same as -a.
  inet_addr     Specifies an internet address.
  -N if_addr    Displays the ARP entries for the network interface specified
                by if_addr.
  -d            Deletes the host specified by inet_addr. inet_addr may be
                wildcarded with * to delete all hosts.
  -s            Adds the host and associates the Internet address inet_addr
                with the Physical address eth_addr. The Physical address
                is given as 6 hexadecimal bytes separated by hyphens.
                The entry is permanent.
  eth_addr      Specifies a physical address.
  if_addr       If present, this specifies the Internet address of the
                interface whose address translation table should be modified.
                If not present, the first applicable interface will be used.
Example:
  > arp -s 157.55.85.212 00-aa-00-62-c6-09  .... Adds a static entry.
  > arp -a                                  .... Displays the arp table.

C:\>arp -a

Interface: 10.12.1.11 --- 0x2
  Internet Address  Physical Address   Type
  10.12.1.1         00-06-5a-23-06-f9  dynamic

Similar output from a Unix machine is shown next.

unix1% arp
Usage: arp hostname
       arp -a
       arp -d hostname
       arp -s hostname ether_addr [temp] [pub] [trail]
       arp -f filename

unix1% arp -a
Net to Media Table
Device IP Address           Mask            Flags Phys Addr
------ -------------------- --------------- ----- ---------------
hme0   10.12.1.1            255.255.255.255       00:06:5a:23:06:f9
hme0   10.12.1.68           255.255.255.255       00:04:f2:cd:65:1f
hme0   224.0.0.0            240.0.0.0       SM    01:00:5e:00:00:00

In addition to displaying information about the translation from layer 2 to layer 3, the arp
command can also be used to add and delete entries to the ARP table.
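
One way to script the check that the layer-2-to-layer-3 translation is "working as expected" is to compare arp -a output against the documented addresses. The following Python sketch is an added example, not part of the original text: it reads both the Windows and Unix layouts shown above, normalises the MAC notation, and reports entries that differ from a baseline or share one MAC. The baseline dictionary stands in for the end-system network configuration table, and SUSPECT_ARP is constructed sample data; both are assumptions.

```python
import re
from collections import defaultdict

# Rows copied from the Windows and Unix `arp -a` samples above.
WINDOWS_ARP = """\
Interface: 10.12.1.11 --- 0x2
Internet Address Physical Address Type
10.12.1.1 00-06-5a-23-06-f9 dynamic
"""
UNIX_ARP = """\
Device IP Address Mask Flags Phys Addr
hme0 10.12.1.1 255.255.255.255 00:06:5a:23:06:f9
hme0 10.12.1.68 255.255.255.255 00:04:f2:cd:65:1f
hme0 224.0.0.0 240.0.0.0 SM 01:00:5e:00:00:00
"""
# Constructed sample (not from the page): the gateway IP resolves to the
# MAC that the Unix sample shows for 10.12.1.68.
SUSPECT_ARP = """\
Interface: 10.12.1.11 --- 0x2
Internet Address Physical Address Type
10.12.1.1 00-04-f2-cd-65-1f dynamic
10.12.1.68 00-04-f2-cd-65-1f dynamic
"""
# Assumed baseline, standing in for the documented gateway entry.
BASELINE = {"10.12.1.1": "00-06-5a-23-06-f9"}

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
MAC_RE = re.compile(r"\b[0-9a-fA-F]{1,2}(?:[:-][0-9a-fA-F]{1,2}){5}\b")


def normalise_mac(mac):
    """00-06-5A-23-06-F9 and 0:6:5a:23:6:f9 both become 00:06:5a:23:06:f9."""
    return ":".join(f"{int(part, 16):02x}" for part in re.split("[:-]", mac))


def is_group_mac(mac):
    """Multicast/broadcast MACs have the low bit of the first octet set."""
    return bool(int(mac.split(":")[0], 16) & 1)


def parse_arp(text):
    """Map IP -> normalised MAC for every unicast entry in either layout."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):
            continue  # header or interface line
        mac = normalise_mac(mac.group())
        if not is_group_mac(mac):
            table[ip.group()] = mac
    return table


def audit(table, baseline):
    """Report baseline mismatches, then MACs that answer for several IPs."""
    findings = []
    for ip, expected in baseline.items():
        expected, seen = normalise_mac(expected), table.get(ip)
        if seen is None:
            findings.append(f"{ip}: no ARP entry, documented {expected}")
        elif seen != expected:
            findings.append(f"{ip}: resolves to {seen}, documented {expected}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # can be legitimate (proxy ARP), so review, not block
            findings.append(f"{mac}: answers for {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for name, sample in (("windows", WINDOWS_ARP), ("suspect", SUSPECT_ARP)):
        print(name, audit(parse_arp(sample), BASELINE) or "matches baseline")
```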