CCNA Lab 14: Network Health Checks, BKMs, and Command Reference

Consistent health checks catch small problems before they become outages. This is a complete maintenance framework backed by a comprehensive command reference.

Daily Health Check (5 Minutes)

Run these every morning:

# 1. CPU and memory
show processes cpu | include CPU
show memory | include Free
 
# 2. Interface errors on uplinks
show interfaces Gi0/23 | include errors|CRC|runts|giants
show interfaces Gi0/24 | include errors|CRC|runts|giants
 
# 3. Temperature and power
show environment | include Temp|Fan|Power
 
# 4. Recent critical logs
show logging | include down|err|flap|changed|MALLOCFAIL
 
# 5. STP root bridge status
show spanning-tree root | include Root

Green flags:

CPU < 50% sustained
Zero CRC, runts, giants on uplinks
Temperature within normal range (check switch model specs)
No recent interface flaps unless maintenance was in progress

Weekly Health Check (15 Minutes)

# 1. Full process CPU sorted
show processes cpu sorted
 
# 2. Memory top consumers
show processes memory sorted | head 10
 
# 3. Interface counters for all ports
show interfaces counters errors | include CRC|error
 
# 4. Uplink utilization (check for saturation)
show interfaces Gi0/23 | include rate
show interfaces Gi0/24 | include rate
 
# 5. MAC address table size
show mac address-table count
 
# 6. EtherChannel status
show etherchannel summary
 
# 7. VLAN consistency
show vlan brief
show interfaces trunk
 
# 8. AAA server reachability
show aaa servers
show radius server
show tacacs
 
# 9. Logging summary
show logging | last 50
 
# 10. Inventory
show inventory
show version | include uptime

Checklist:

No port in err-disabled (except known locked ports)
No flapping MAC addresses
Uplink utilization < 70% of link capacity
EtherChannel all member ports bundled (P)
All trunk ports have matching allowed VLANs on both ends
AAA servers reachable
No authentication failures in logs
All switches on recommended IOS version

Monthly Health Check (30 Minutes)

# 1. TCAM utilization — check for pressure
show platform tcam utilization
show sdm prefer
 
# 2. CPU history over time
show processes cpu history
 
# 3. Full environment status
show environment all
 
# 4. Config backup
archive config
copy running-config tftp://backup-server/monthly/SWITCH-NAME-$(date +%Y%m).cfg
 
# 5. NTP synchronization
show ntp status
show ntp associations
 
# 6. SNMP statistics
show snmp
show snmp statistics
 
# 7. Port security violations
show port-security
show port-security address
 
# 8. DHCP snooping binding count
show ip dhcp snooping binding | count
 
# 9. CDP/LLDP neighbor changes
show cdp neighbors | count
show lldp neighbors | count
 
# 10. System uptime
show version | include uptime
show reload

Monthly tasks:

Review and update the switch naming/documentation
Clean up unused VLANs
Remove stale static MAC addresses
Review AAA/TACACS+ server certificates
Check IOS/EOL status for the hardware

Configuration Validation

Config Diff

Compare current running config with your standard template:

diff running-config standard-config.txt

Or using IOS itself:

show running-config | include hostname|enable secret|username|aaa|snmp|ntp|logging

Compliance Checks

# Check DTP is disabled
show interfaces switchport | include Dynamic
 
# Check no default VLAN 1 on trunks
show interfaces trunk | include Native
 
# Check SSH is enforced
show running-config | include transport input
 
# Check password encryption
show running-config | include service password-encryption
 
# Check exec-timeout
show running-config | include exec-timeout
 
# Check VTP mode
show vtp status | include Mode

Validation Script

#!/bin/bash
# check-config-compliance.sh
 
for switch in CORE-SW DIST-SW-1 ACCESS-SW-1; do
    echo "=== Checking $switch ==="
    ssh admin@"$switch" "show running-config | include transport input" | grep -q "ssh" && \
        echo "  SSH OK" || echo "  SSH FAIL"
 
    ssh admin@"$switch" "show interfaces switchport | include Dynamic" | grep -q "Dynamic" && \
        echo "  DTP FAIL (dynamic enabled)" || echo "  DTP OK"
 
    ssh admin@"$switch" "show spanning-tree root | include Root" | grep -q "This bridge is root" && \
        echo "  STP ROOT: Is root" || echo "  STP ROOT: Not root"
done

Best Known Methods (BKMs)

Before Any Change

Backup the running config
Schedule a maintenance window
Notify stakeholders
Have a rollback plan
Have a console session open (not just SSH)
Know the device’s physical location

After Any Change

Change Management Template

Change:       [Description]
Change ID:    [CHG000000]
Device:       [Hostname]
Date/Time:    [YYYY-MM-DD HH:MM]
Backup taken: [Yes/No]
Commands:
  [command 1]
  [command 2]
Verification:
  [test 1]
  [test 2]
Rollback:
  [rollback command 1]
  [rollback command 2]
Status:       [Success/Failed/Rolled Back]

Network Maintenance Pro-Tips

Two changes at most per window — Complex changes have complex rollbacks
Staged rollouts — Change access switches before distribution, distribution before core
Test in a lab first — If you have a lab, use it. If you do not, you need one.
Write out commands beforehand — Do not type from memory in a maintenance window
Keep a console server — When SSH fails, the console is your only way in
Timing is everything — Max 4-hour window; your brain stops working after that

Comprehensive Command Reference

Discovery and Inventory

Command	Purpose
`show version`	IOS version, uptime, hardware
`show inventory`	Serial numbers, part numbers
`show cdp neighbors detail`	Connected Cisco devices with full detail
`show lldp neighbors detail`	Connected vendor-neutral devices
`show interface description`	Port descriptions in table format
`show ip interface brief`	L3 interface status summary
`show running-config	section hostname`

VLAN and Trunking

Command	Purpose
`show vlan brief`	VLAN to port mapping
`show vlan summary`	VLAN count summary
`show interfaces trunk`	Trunk port status and allowed VLANs
`show interfaces switchport`	Full switchport configuration
`show interfaces vlan 10`	SVI status

STP and Loops

Command	Purpose
`show spanning-tree`	STP topology per VLAN
`show spanning-tree root`	Root bridge per VLAN
`show spanning-tree blockedports`	Blocked ports
`show spanning-tree detail`	Full STP detail
`show mac address-table`	CAM table
`show mac address-table count`	CAM table utilization
`show mac address-table	include flapping`

Performance and Resources

Command	Purpose
`show processes cpu sorted`	CPU usage by process
`show processes cpu history`	CPU trend graph
`show processes memory sorted`	Memory usage by process
`show memory`	System memory summary
`show platform tcam utilization`	TCAM usage
`show sdm prefer`	SDM template allocation

Interface Troubleshooting

Command	Purpose
`show interfaces Gi0/1`	Interface status and counters
`show interfaces counters errors`	Error counters all ports
`show interfaces status`	Port link state table
`show interfaces trunk`	Trunk status
`show interface port-channel 1`	EtherChannel interface
`show etherchannel summary`	EtherChannel bundle status
`show lacp neighbor`	LACP peer details

Security Features

Command	Purpose
`show ip dhcp snooping binding`	DHCP binding table
`show ip dhcp snooping statistics`	DHCP snooping drop counts
`show ip arp inspection`	DAI status
`show ip arp inspection statistics`	DAI drop counts
`show ip verify source`	IPSG bindings
`show port-security`	Port security violations
`show port-security address`	Secure MAC addresses
`show aaa servers`	AAA server status
`show radius server`	RADIUS server statistics
`show tacacs`	TACACS+ server statistics

System and Management

Command	Purpose
`show logging`	System log buffer
`show logging	last 20`
`show ntp status`	NTP sync status
`show ntp associations`	NTP peer list
`show snmp`	SNMP configuration
`show environment`	Temperature, fans, power
`show environment all`	Full environmental detail
`show reload`	Scheduled reload status
`show clock`	System time
`show debug`	Active debugs

Archive and Config Management

Command	Purpose
`show archive`	Archived config versions
`show archive log config all`	Configuration change log
`show running-config`	Active configuration
`show startup-config`	Saved configuration
`show tech-support`	Full diagnostic bundle
`dir`	Flash file listing
`dir bootflash:`	Bootflash contents
`verify /md5 flash:filename`	File integrity check

One-Liner Reference

# Daily health
show processes cpu | include CPU; show environment; show logging | last 10
 
# Find all ports with errors
show interfaces counters errors | include CRC|runts
 
# Find all flapping MACs
show mac address-table | include flap
 
# List all VLANs and their ports
show vlan brief
 
# Last reload reason
show version | include reason|uptime
 
# All interface descriptions
show interfaces description
 
# SSSH bastion check — who is logged in
show users
 
# IP address summary
show ip interface brief | exclude unassigned

Switch Health Scorecard

Score your switch health on each check:

Category	Pass	Warn	Fail
CPU (5 sec)	< 50%	50-80%	> 80%
Memory free	> 25%	10-25%	< 10%
TCAM used	< 60%	60-80%	> 80%
CRC errors	0	1-10/day	> 10/day
MAC flaps	0	Occasional	Continuous
Temperature	Normal	Warning	Critical
Uplink utilization	< 50%	50-80%	> 80%
EtherChannel	All bundled	Some standby	Ports suspended
AAA servers	All reachable	1 unreachable	All unreachable
NTP sync	Synced	Stratum > 3	Unsynchronized

A single Fail needs immediate attention. Three or more Warn entries warrant a maintenance window.

Closing: The Network Engineer’s Golden Rule

The network is working exactly as configured. If it is not working, your configuration is wrong.

Every outage has a root cause. Health checks, automation, and consistent procedures are what separate reactive firefighting from proactive engineering.