Get to know the Cisco IOS show interfaces command- Basic Network Command-Part2

If you don't know what's really going on with the interfaces on your Cisco routers/Switches, then you likely don't know which changes you need to make.

In my opinion, a network engineer must know the “show interface” in depth; indeed, this command is useful to obtain various interface information like a drop, duplex mismatch, error, tx/RX loads, …Usually, the IOS switch/router have a similar “show interface” output; the differences are dictated by devices, interface, and IOS.

Below a show interface of a FastEthernet interface.

SW1#show interfaces fa0/1

 FastEthernet0/1 is up, line protocol is up (connected)
 Hardware is C6k 1000Mb 802.3, address is 0040.0b21.0b01 (bia 0040.0b21.0b01)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:08, output 00:00:05, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     956 packets input, 193351 bytes, 0 no buffer
     Received 956 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     2357 packets output, 263570 bytes, 0 underruns
     0 output errors, 0 collisions, 10 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

The output from the command above is explained each output one by one. 

FastEthernet/0 is up, line protocol is up

This means that the interface is physically up and that the protocol is operational. When you use Ethernet, the protocol is normally up unless you configured port-security or BPDU guard. When a violation occurs, you might see err-disabled here."Disabled" indicates the switch has received errors in a keep-alive interval and sometimes you have port security setup you will see error-disabled.

Hardware is C6k 1000Mb 802.3, address is 0040.0b21.0b01 (bia 0040.0b21.0b01)

Identify the hardware interface and the interface mac-address. The interface hardware is Gt96k and the current MAC address is 0040.0b21.0b01. The BIA (Burned-In-Address) is the same. If you would spoof (change) the MAC address then the first MAC address would be the spoofed one, the BIA address never changes. You can change the MAC address with the “mac-address” command on the interface.

 MTU 1500 bytes, BW 100000 Kbit/sec, DLY 1000 usec,

MTU-Maximum Transmission Unit. By default, this is 1500 bytes, which describes the largest packet that can be sent through the interface before the packet is fragmented.

 BW – Bandwidth. The bandwidth command is only there to communicate the speed of the interface to higher-level protocols. Most of the time, a routing protocol needs to know the speed of the interface so it can choose the best route. In the case of routing protocols, IGRP, EIGRP, and OSPF all use the bandwidth statement.

DLY 1000 usec: The delay of 1000 used is the delay it takes for information to transmit from one point and be received by another down a line or through the air. Delay is another number used by a routing protocol to decide on the “best” route for traffic. It was intended to be the “delay” for packets over that path, so a routing protocol could choose the lowest delay path to send packets.

reliability 255/255, txload 1/255, rxload 1/255

reliability 255/255: When the input and output errors increase, they affect the reliability counter. This indicates how likely it is that a packet can be delivered or received successfully. Reliability is calculated like this: reliability = number of packets/number of total frames. The value of 255 is the highest value meaning that the interface is very reliable at the moment. The calculation above is done every 5 minutes.

txload 1/255: This indicates how “busy” the interface is when it comes to transmitting frames. This is calculated every 5 minutes.

 rxload 1/255: The same as above but for receiving frames.

Encapsulation ARPA, loopback not set 

Encapsulation ARPA:

It defines the interface encapsulation; nowadays, you will see only the ARPA. In the past, there were also SAP and SNAP encapsulation. ARP type defines the encapsulation type of the interface; typically, for ethernet interface is ARPA. This is the layer 2 protocol that we use when we use Ethernet it shows up as ARPA (Advanced Research Projects Agency) which is Ethernet version 2 encapsulation.

 Loopbacks are an important part of troubleshooting; they are used to isolate the fault on an end-to-end circuit (especially when the circuit is down).loopback not set: serial interfaces can be “set” in loopback mode, this is used to test the interface. Don’t confuse this one with the loopback interface.

Last input 00:00:08, output 00:00:05, output hang never

Last input, the output is the number of hours, minutes, and seconds since the last packet was successfully received or transmitted by the interface.

Note: This counter is updated only when packets are process switched, not when packets are fast switched.

The last input is the number of hours(00), minutes(00), and seconds(03) since the last packet was successfully received by an interface. This is useful for determining when a dead interface. The last output is the number of hours (00), minutes (01), and seconds (08) since the last packet was successfully transmitted by an interface. This is useful for determining when a dead interface failed. The output hang is the number of hours, minutes, and seconds (or never) since the interface was last reset because of a transmission that took too long.)

Last clearing of "show interface" counters never

It is the last time the clear counters command was issued since the last time the switch was rebooted. The clear counters command is used to reset interface statistics. All the counters in the output of the show interface can be cleared, this shows us when these counters have been cleared.

 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

This tells us how many packets are in the input queue and it’s the maximum size (75). Drops are the number of packets that have been dropped. Flushes are used to count SPD (Selective Packet Discard). SPD is a protocol that drops low priority packets when the CPU is too busy so that it can save capacity for higher priority packets (routing protocols and such).

The input queue is the number of packets in the input queue.

Size/max/drops = the current number of frames in the queue / the max number of frames the queue can hold before it must start dropping frames / the actual number of frames dropped because the max queue size was exceeded. Flushes is used to count Selective Packet Discard. SPD is a mechanism that quickly drops low priority packets when the CPU is overloaded in order to save some processing capacity for high priority packets. The flushes counter in the show interface command output increments as part of selective packet discard (SPD), which implements a selective packet drop policy on the IP process queue of the router. Therefore, it applies to the only process switched traffic.

The purpose of SPD is to ensure that important control packets, such as routing updates and keepalives, are not dropped when the IP input queue is full. When the size of the IP input queue is between the minimum and maximum thresholds, normal IP packets are dropped based on a certain drop probability. These random drops are called SPD flushes.

Total output drops are the number of packets dropped because the output queue is full. A common cause of this might be traffic from a high bandwidth link being switched to a lower bandwidth link or traffic from multiple inbound links being switched to a single outbound link. For example, if a large amount of bursty traffic comes in on a gigabit interface and is switched out to a 100Mbps interface, this might cause output drops to increment on the 100Mbps interface. This is because the output queue on that interface is overwhelmed by the excess traffic due to the speed mismatch between the inbound and outbound bandwidths.

 Queueing strategy: fifo

The current queueing strategy is FIFO (First In, First Out). This is the default for interfaces with a bandwidth above 2 Mbps. With the FIFO Queuing strategy, packets are forwarded through the interface in the order that they are received. Other methods can be WFQ, CBWFQ,.

Output queue :0/40 (size/max) 

The size of the output queue which shows current packets and the maximum it can handle.The number of packets in the output queue. Size/max means the current number of frames in the queue/the max number of frames the queue can hold before it is full and must start dropping frames.

5 minute input rate 0 bits/sec, 0 packets/sec, 5 minute output rate 0 bits/sec, 0 packets/sec 

The average input and output rate have seen by the interface in the last five minutes. In order to get a more accurate reading by specifying a shorter period of time (to better detect traffic bursts for example), issue the “load-interval <seconds>” interface command.

956 packets input, 193351 bytes, 0 no buffer

Packets input: Total number of error-free packets received by the system.

Bytes: Total number of bytes, including data and MAC encapsulation, in the error-free packets received by the system.

No buffers: Number of received packets discarded because there was no buffer space in the main system. Compare with the ignored count. Broadcast storms on Ethernet networks and bursts of noise on serial lines are often responsible for no input buffer events.

Received 956 broadcasts, 0 runts, 0 giants, 0 throttles

The total number of broadcast or multicast packets received by the interface.

Runts: Number of packets that are discarded because they are smaller than the minimum packet size of the medium. For instance, any Ethernet packet that is less than 64 bytes is considered a runt.

Giants: Number of packets that are discarded because they exceed the maximum packet size of the medium. For example, any Ethernet packet that is greater than 1518 bytes is considered a giant.

Throttles: the number of times the receiver on the port is disabled, possibly because of buffer or processor overload. If an asterisk (*) appears after the throttles counter value, it means that the interface is throttled at the time the command is run.

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

Input error:

This counter will increase when the interface receives a frame with any kind of error, this Includes runts, giants, no buffer available, CRC errors, etc.

Includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts. Other input-related errors can also cause the input errors to count to be increased, and some datagrams may have more than one error; therefore, this sum may not balance with the sum of enumerated input error counts.

CRC: Cyclic redundancy checksum generated by the originating LAN station or far-end device does not match the checksum calculated from the data received. On a LAN, this usually indicates noise or transmission problems on the LAN interface or the LAN bus itself. A high number of CRCs is usually the result of collisions or a station transmitting bad data.

Frame: Number of packets received incorrectly having a CRC error and a noninteger number of octets. On a LAN, this is usually the result of collisions or a malfunctioning Ethernet device.

Overrun: Number of times the receiver hardware was unable to hand received data to a hardware buffer because the input rate exceeded the receiver’s ability to handle the data.

Ignored: Number of received packets ignored by the interface because the interface hardware ran low on internal buffers. These buffers are different from the system buffers mentioned previously in the buffer description. Broadcast storms and bursts of noise can cause the ignored count to be increased.

0 watchdog, 0 multicasts, 0 pauses input

Watchdog: Number of times watchdog receive timer expired. It happens when receiving a packet with a length greater than 2048.

Pause input: Counter incrementing means that the port is receiving a pause frame. Pause frame is a packet that tells the far-end device to stop transmitting packets until the sender is able to handle all the traffic and clear its buffers. It could be caused by oversubscription of bandwidth, or a burst traffic pattern.

0 input packets with dribble condition detected 

Dribble bit error indicates that a frame is slightly too long. This frame error counter is incremented just for informational purposes; the router accepts the frame.

2357 packets output, 263570 bytes, 0 underruns

Packets output: Total number of messages transmitted by the system.

Bytes: Total number of bytes, including data and MAC encapsulation, transmitted by the system.

Underruns: Number of times that the transmitter has been running faster than the router can handle. This may never be reported on some interfaces.

0 output errors, 0 collisions, 10 interface resets 

Output errors: Sum of all errors that prevented the final transmission of datagrams out of the interface being examined. Note that this may not balance with the sum of the enumerated output errors, as some datagrams may have more than one error, and others may have errors that do not fall into any of the specifically tabulated categories.

Collisions: Number of messages transmitted because of an Ethernet collision. A packet that collides is counted only once in output packets.

Interface resets Number of times an interface has been completely reset. This can happen if packets queued for transmission were not sent within several seconds. On a serial line, this can be caused by a malfunctioning modem that is not supplying the transmit clock signal, or by a cable problem. If the system notices that the carrier detect line of a serial interface is up, but the line protocol is down, it periodically resets the interface in an effort to restart it. Interface resets can also occur when an interface is looped back or shut down.

0 babbles, 0 late collisions, 0 deferred

 Babbles: Babble errors occur due to the transmission of frames in excess of 1518 bytes in size.

Late collision: Number of late collisions. The late collision happens when a collision occurs after transmitting the preamble. The most common cause of late collisions is that your Ethernet cable segments are too long for the speed at which you are transmitting.

Deferred: Deferred indicates that the chip had to defer while ready to transmit a frame because the carrier was asserted.

0 lost carrier, 0 no carrier

 Lost carrier: Number of times the carrier was lost during transmission.

No carrier: Number of times the carrier was not present during the transmission.

PAUSE output: Pause outputs occur when the receiving port is getting overloaded and the so the device sends a pause request to the device connected to the port.

0 output buffer failures, 0 output buffers swapped out

 Output buffer failures: Number of failed buffers and the number of buffers swapped out.

Output buffers swapped out: If the outbound interface transmits queue is full, then the packet is copied from a hardware buffer to DRAM, then copied back to the transmit queue when there is room.

KeyNote:

There is a difference between the counter of the show interface command output for a physical interface and a VLAN interface. The input packet counters increment in the output of show interface for a VLAN interface when that packet is Layer 3 (L3) processed by the CPU. Traffic that is Layer 2 (L2) switched never makes it to the CPU and is not counted in the show interface counters for the VLAN interface. It would be counted on the show interface output for the appropriate physical interface.

In NX-OS (Nexus device) the “show interface” output is slightly different from the IOS output, but it is easy to understand. Below an example: 

NEXUS-SW# sh interface ethernet 1/1
Ethernet1/1 is up
 Dedicated Interface
  Hardware: 1000/10000 Ethernet, address: 000d.ecdd.2fc8 (bia 000d.ecdd.2fc8)
  Description: TERADATA - F4238
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA
  Port mode is access
  full-duplex, 10 Gb/s, media type is 10G
  Beacon is turned off
  Input flow-control is off, output flow-control is off
  Rate mode is dedicated
  Switchport monitor is off
  EtherType is 0x8100
  Last link flapped 5week(s) 6day(s)
  Last clearing of "show interface" counters never
  30 seconds input rate 51128 bits/sec, 2 packets/sec
  30 seconds output rate 109088 bits/sec, 15 packets/sec
  Load-Interval #2: 5 minute (300 seconds)
    input rate 78.13 Kbps, 9 pps; output rate 113.67 Kbps, 11 pps
  RX
    22236230840 unicast packets  4414705 multicast packets  997021 broadcast packets
    22241642569 input packets  27905275144675 bytes
    881597017 jumbo packets  0 storm suppression packets
    0 runts  0 giants  3 CRC  0 no buffer
    3 input error  0 short frame  0 overrun   0 underrun  0 ignored
    0 watchdog  0 bad etype drop  0 bad proto drop  0 if down drop
    0 input with dribble  0 input discard
    0 Rx pause
  TX
    12574452594 unicast packets  112812737 multicast packets  66330588 broadcast packets
    12753595920 output packets  5123002661192 bytes
    1001411772 jumbo packets
    1 output errors  0 collision  0 deferred  0 late collision
    0 lost carrier  0 no carrier  0 babble 0 output discard
    0 Tx pause

  9 interface resets