Network Verification and Testing
Systematic approach to verify network configurations and identify issues - check settings, test connectivity, and validate security policies.
Verify Trunk Configuration
Section titled “Verify Trunk Configuration”Check if interface is configured as trunk and which VLANs are allowed.
Switch# show interfaces trunkTypical output:
Port Mode Encapsulation Status Native vlanGig0/1 on 802.1q trunking 1
Port Vlans allowed on trunkGig0/1 20,21,22,23,30
Port Vlans allowed and active in management domainGig0/1 20,21,22,23,30Check specific interface:
Switch# show interfaces GigabitEthernet0/1 switchportKey fields to check:
Administrative Mode: trunk(should be trunk)Operational Mode: trunk(confirms it’s actually trunking)Trunking VLANs Enabled:(verify correct VLANs are allowed)
Verify Password Encryption
Section titled “Verify Password Encryption”Check if passwords are encrypted in configuration.
Switch# show running-config | include passwordLook for:
service password-encryption(should be present)enable secret 5 $1$mERr$...(encrypted with MD5)username admin secret 5 $1$mERr$...(encrypted)
Bad example (unencrypted):
enable password cisco123username admin password WELkom@1Good example (encrypted):
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0username admin secret 5 $1$mERr$9cTjUIEqNNIjz7kF4sFr1.service password-encryptionVerify SSH and Disable Telnet
Section titled “Verify SSH and Disable Telnet”Check remote access methods.
Switch# show running-config | section line vtyCorrect configuration (SSH only):
line vty 0 4 login local transport input sshIncorrect (Telnet enabled):
line vty 0 4 login local transport input telnet sshVerify SSH is enabled:
Switch# show ip sshTest SSH connectivity:
laptop> ssh admin@10.30.0.4Verify Enable Password/Secret
Section titled “Verify Enable Password/Secret”Check if privileged EXEC mode is protected.
Switch# show running-config | include enableLook for:
enable secret 5 $1$mERr$...(best - MD5 encrypted)- OR
enable password 7 ...(weaker - Type 7 encryption)
Missing enable protection (security issue):
! No enable command foundFix:
Switch(config)# enable secret WELkom@1Verify NTP Configuration
Section titled “Verify NTP Configuration”Check if device is synchronized with NTP server.
Switch# show running-config | include ntpExpected output:
ntp server 10.30.0.100Verify NTP synchronization:
Switch# show ntp statusCheck NTP associations:
Switch# show ntp associationsTypical output:
address ref clock st when poll reach delay offset disp*~10.30.0.100 .GPS. 1 64 64 377 0.50 -0.23 0.12 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configuredVerify Syslog Configuration
Section titled “Verify Syslog Configuration”Check if logging to syslog server is configured.
Switch# show running-config | include loggingExpected output:
logging host 10.30.0.100logging trap informationalVerify logging status:
Switch# show loggingKey information:
Trap logging: level informational, <number> message lines loggedLogging to: 10.30.0.100
If missing, configure:
Switch(config)# logging host 10.30.0.100Switch(config)# logging trap informationalVerify IOS Version
Section titled “Verify IOS Version”Check running IOS version and compare to documentation.
Switch# show versionKey information:
Cisco IOS Software, ... Version 12.2(25r)(version number)System image file is "flash:c2960-lanbasek9-mz.122-25r.bin"
Quick version check:
Switch# show version | include IOSCompare against expected versions from documentation table.
Test Connectivity with Ping
Section titled “Test Connectivity with Ping”Basic connectivity test between devices.
Ping from PC to server:
PC> ping 10.10.0.100
Reply from 10.10.0.100: bytes=32 time<1ms TTL=128Reply from 10.10.0.100: bytes=32 time<1ms TTL=128Reply from 10.10.0.100: bytes=32 time<1ms TTL=128Reply from 10.10.0.100: bytes=32 time<1ms TTL=128Ping from router with source interface:
Router# ping 10.10.0.100 source GigabitEthernet0/0/0Extended ping (more options):
Router# pingProtocol [ip]:Target IP address: 10.10.0.100Repeat count [5]: 10Datagram size [100]:Timeout in seconds [2]:Extended commands [n]: ySource address or interface: 10.30.0.1Type of service [0]:Set DF bit in IP header? [no]:Validate reply data? [no]:Data pattern [0xABCD]:Loose, Strict, Record, Timestamp, Verbose[none]:Sweep range of sizes [n]:Test HTTP/Web Access
Section titled “Test HTTP/Web Access”Test if PC can reach intranet web server.
From PC command prompt:
PC> ping 10.10.0.100Open browser and navigate to:
http://10.10.0.100From router/switch (if HTTP client available):
Switch# telnet 10.10.0.100 80If connection succeeds, HTTP port is open.
Verify VLAN Configuration
Section titled “Verify VLAN Configuration”Check if VLANs exist and which ports are assigned.
Switch# show vlan briefTypical output:
VLAN Name Status Ports---- -------------------------------- --------- -------------------------------1 default active Fa0/2420 Productie active Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/521 KlantenService active Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/1022 HRM active Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/1523 Marketing active Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/2030 IT_Beheer active Fa0/2499 Ongebruikt active Fa0/21, Fa0/22, Fa0/23Verify specific port assignment:
Switch# show interfaces FastEthernet0/1 switchport | include Access Mode VLANVerify IP Addresses
Section titled “Verify IP Addresses”Check if correct IP addresses are configured.
Switch# show ip interface briefTypical output:
Interface IP-Address OK? Method Status ProtocolVlan30 10.30.0.4 YES manual up upGigabitEthernet0/1 unassigned YES unset up upDetailed interface info:
Switch# show ip interface Vlan30Verify Routing
Section titled “Verify Routing”Check if routes exist to reach remote networks.
Router# show ip routeTest specific route:
Router# show ip route 10.10.0.0Verify gateway reachability:
Router# ping 172.16.0.1Verify Interface Status
Section titled “Verify Interface Status”Check if interfaces are up and operational.
Switch# show interfaces statusTypical output:
Port Name Status Vlan Duplex Speed TypeFa0/1 Productie connected 20 a-full a-100 10/100BaseTXFa0/2 Productie connected 20 a-full a-100 10/100BaseTXFa0/24 IT_Beheer connected 30 a-full a-100 10/100BaseTXGig0/1 Trunk to Core connected trunk a-full a-1000 10/100/1000BaseTXCheck specific interface:
Switch# show interfaces GigabitEthernet0/1Look for:
GigabitEthernet0/1 is up, line protocol is up(should be up/up)Full-duplex, 1000Mb/s
Create Verification Checklist
Section titled “Create Verification Checklist”Use this template for systematic verification:
| Check Item | Device(s) | Command | Expected Result | Status | Issue |
|---|---|---|---|---|---|
| Trunk VLANs | SW1-SW3 | show interfaces trunk | VLANs 20,21,22,23,30 | ❌ | SW3 allows all VLANs |
| Telnet disabled | All | show run | section vty | transport input ssh | ✅ | - |
| Passwords encrypted | All | show run | include secret | enable secret 5 | ✅ | - |
| Enable password set | All | show run | include enable | Present | ❌ | Missing on SW2, SW3 |
| NTP configured | All | show run | include ntp | ntp server 10.30.0.100 | ✅ | - |
| Syslog configured | All | show logging | Logging to 10.30.0.100 | ✅ | - |
| IOS version | All | show version | Per documentation table | ❌ | Multiple version mismatches |
| Web access | PCs | ping 10.10.0.100 | Successful | ✅ | - |
Common Issues and Fixes
Section titled “Common Issues and Fixes”Issue: Trunk allows all VLANs instead of specific VLANs
Switch# show interfaces trunk! Shows: Vlans allowed on trunk: 1-4094
Switch(config)# interface GigabitEthernet0/1Switch(config-if)# switchport trunk allowed vlan 20,21,22,23,30Issue: No enable password configured
Switch# show run | include enable! No output
Switch(config)# enable secret WELkom@1Issue: Telnet still enabled
Switch(config)# line vty 0 4Switch(config-line)# transport input sshIssue: Passwords not encrypted
Switch(config)# service password-encryptionIssue: Wrong IOS version
Document the discrepancy for management - IOS upgrades require change control process.
Expected: 12.2(25r)Actual: 12.2(55)SEAction: Document for upgrade planning