System Management




Introduction to CDP (Cisco Discovery Protocol)

Let’s talk a bit about network management. Perhaps not the most exciting topic but I’m going to show you how you can use CDP (Cisco Discovery Protocol) to help you build network maps and what other information it can reveal.

Most networks have multiple switches and/or routers and to make our life easier it’s good to have a network map that shows us how everything is connected to each other, what kind of devices we have, to what VLAN they belong and the IP addresses that we are using.

CDP is a Cisco protocol that runs on all Cisco devices and helps us discover Cisco devices on the network. CDP is Cisco proprietary, runs on the data-link layer and is enabled by default. Let’s take a look at a network map:

Above we have 3 routers. Now if I had no idea what the network looked like we could use CDP to build the network map that you see above. Let me show you how:

Berlin#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
London           Ser 0/0            167        R S I      3640      Ser 0/0

Use the show cdp neighbors command to see all directly connected neighbors. Above you see that router Berlin is connected to router London and you can also see the platform (3640 router) and the interfaces on both sides.

Let me show you the other routers as well:

London#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Berlin           Ser 0/0            144        R S I      3640      Ser 0/0
Amsterdam        Fas 1/0            164        R S I      3640      Fas 1/0

Amsterdam#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
London           Fas 1/0            135        R S I      3640      Fas 1/0

Now we have all the information we need to build a network map with the router names and interfaces. CDP can tell us even more however…

Berlin#show cdp neighbors detail
-------------------------
Device ID: London
Entry address(es):
  IP address: 192.168.12.2
Platform: Cisco 3640,  Capabilities: Router Switch IGMP
Interface: Serial0/0,  Port ID (outgoing port): Serial0/0
Holdtime : 136 sec

Version :
Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 20-Jun-07 11:43 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''

Use show cdp neighbors detail to reveal even more information. For example you can see the IP address and the IOS version. This can be very useful to us but it’s also a security risk, because every device attached to a CDP-enabled interface receives the same details. By default CDP is enabled and runs on all interfaces so it might be a good idea to disable it on certain interfaces:

Berlin(config)#interface serial 0/0
Berlin(config-if)#no cdp enable

This is how you can disable it for a single interface, just type no cdp enable. This is how you can do it globally for all interfaces:

Berlin(config)#no cdp run

That's all there is to CDP. Besides revealing networking information CDP is also used for Cisco IP phones but that's another story.
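One way to check what CDP gives away and where it is still switched on, as an added example that is not part of the original lesson: this Python sketch extracts the fields disclosed in the show cdp neighbors detail output above and lists the interfaces in a running-config on which CDP remains enabled. The running-config sample and all function names are constructed for illustration.

```python
import re

# Excerpt of the "show cdp neighbors detail" output shown in the lesson.
DETAIL_OUTPUT = """\
-------------------------
Device ID: London
Entry address(es):
  IP address: 192.168.12.2
Platform: Cisco 3640,  Capabilities: Router Switch IGMP
Interface: Serial0/0,  Port ID (outgoing port): Serial0/0
Holdtime : 136 sec

Version :
Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
"""

# Constructed running-config for router Berlin (not from the lesson).
SAMPLE_CONFIG = """\
hostname Berlin
!
interface Serial0/0
 description WAN link to London
 ip address 192.168.12.1 255.255.255.0
 no cdp enable
!
interface FastEthernet0/0
 description user LAN
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 shutdown
!
end
"""


def disclosed_fields(detail_output):
    """Return what one CDP advertisement tells a neighbor about the sender."""
    patterns = {
        "device_id": r"^Device ID:\s*(\S+)",
        "ip_address": r"^\s*IP address:\s*(\S+)",
        "platform": r"^Platform:\s*([^,]+),",
        "ios_version": r"\bVersion (\S+),",
    }
    found = {}
    for name, pattern in patterns.items():
        match = re.search(pattern, detail_output, re.MULTILINE)
        if match:
            found[name] = match.group(1).strip()
    return found


def interface_stanzas(config):
    """Map each interface name to the list of commands in its stanza."""
    stanzas, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1].strip()
            stanzas[name] = []
        elif name and line.startswith(" "):
            stanzas[name].append(line.strip())
        else:
            name = None  # "!" or any top-level command closes the stanza
    return stanzas


def cdp_enabled_interfaces(config):
    """List active interfaces that still run CDP.

    CDP is on by default, so an interface is exposed unless "no cdp run"
    is set globally or "no cdp enable" appears in its own stanza.
    """
    top_level = [l.strip() for l in config.splitlines()
                 if l and not l.startswith(" ")]
    if "no cdp run" in top_level:
        return []
    return [name for name, body in interface_stanzas(config).items()
            if "no cdp enable" not in body and "shutdown" not in body]


if __name__ == "__main__":
    print("Disclosed to neighbors:", disclosed_fields(DETAIL_OUTPUT))
    print("CDP still enabled on:", cdp_enabled_interfaces(SAMPLE_CONFIG))
```

Interfaces that face users or other organisations are the ones to review first in the resulting list.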
Keep in mind CDP only runs on Cisco hardware, there's also a "standards" based version called LLDP that runs on Cisco hardware and some other networking vendor equipment.

Link Layer Discovery Protocol (LLDP)

LLDP is a layer two discovery protocol, similar to Cisco’s CDP. The big difference between the two is that LLDP is a standard while CDP is a Cisco proprietary protocol. Cisco devices support the IEEE 802.1ab version of LLDP. This allows non-Cisco devices to advertise information about themselves to our network devices.

LLDP uses attributes that contain a type, length and value descriptions. These are called TLVs (Type, Length, Value). Devices that support LLDP use TLVs to send and receive information to their directly connected neighbors. Here’s an example of some basic TLVs:

  Port description TLV
  System name TLV
  System description TLV
  System capabilities TLV
  Management Address TLV

Some network end devices (like IP Phones) can use LLDP for VLAN assignment or PoE (Power over Ethernet) requirements. To accomplish this, an enhancement was made which is called MED (Media Endpoint Discovery). This is typically known as LLDP-MED.

Configuration of LLDP is really simple, depending on your switch and IOS version it might be enabled or disabled by default. Let’s take a look at an example:

I have two Cisco Catalyst 3560 switches, directly connected to each other. LLDP is disabled by default on these switches so let’s enable it:

SW1, SW2(config)#lldp run

This enables LLDP globally on all interfaces. After a couple of seconds we can see something:

SW1#show lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
SW2                 Fa0/24         120        B               Fa0/24

Total entries displayed: 1

This output looks very similar to CDP. We can also take a detailed look at our neighbor:

SW1#show lldp neighbors detail
Chassis id: 0011.bb0b.361a
Port id: Fa0/24
Port Description: FastEthernet0/24
System Name: SW2.cisco.com

System Description:
Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 21-Aug-08 15:26 by nachen

Time remaining: 106 seconds
System Capabilities: B,R
Enabled Capabilities: B
Management Addresses - not advertised
Auto Negotiation - supported, enabled
Physical media capabilities:
    100base-TX(FD)
    100base-TX(HD)
    10base-T(FD)
    10base-T(HD)
Media Attachment Unit type: 16
---------------------------------------------

Total entries displayed: 1

Above you can see some details about SW2, its hostname, platform, IOS version, capabilities etc. One little extra that LLDP offers is that it also sends interface descriptions. Here's an example:

SW1(config)#interface FastEthernet 0/24
SW1(config-if)#description LINK_SW1_SW2

This description will show up if we look on SW2:

SW2#show lldp neighbors detail
Chassis id: 0019.569d.571a
Port id: Fa0/24
Port Description: LINK_SW1_SW2
System Name: SW1.cisco.com

Hopefully this example has helped to understand LLDP and how to enable it on your Cisco devices. If you have any questions, feel free to leave a comment!

Conditional Debug on Cisco IOS Router

Conditional debug is very useful to filter out some of the debug information that you see on a (busy) router. It allows us to only show debug information that matches a certain interface, MAC address, username and some other items. It’s best to demonstrate this with an example, so let me show you the following router that is running RIP on two interfaces:

Let’s enable RIP debugging on this router:

R1#debug ip rip
RIP protocol debugging is on

We will see RIP debug information from both interfaces:

R1#
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.12.1)
RIP: build update entries
        192.168.13.0/24 via 0.0.0.0, metric 1, tag 0
R1#
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/1 (192.168.13.1)
RIP: build update entries
        192.168.12.0/24 via 0.0.0.0, metric 1, tag 0

If I only want to see the debug information from one interface then I can use a debug condition:

R1#debug condition ?
  application   Application
  called        called number
  calling       calling
  card          card
  glbp          interface group
  interface     interface
  ip            IP address
  mac-address   MAC address
  match-list    apply the match-list
  standby       interface group
  username      username
  vcid          VC ID
  vlan          vlan
  voice-port    voice-port number
  xconnect      Xconnect conditional debugging on segment pair

This is quite a list with different items to choose from. I’ll use the interface as a condition:

R1#debug condition interface fastEthernet 0/0
Condition 1 set

Using this debug condition we will only see RIP debug information from the FastEthernet 0/0 interface:

R1#
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.12.1)
RIP: build update entries
        192.168.13.0/24 via 0.0.0.0, metric 1, tag 0

When you want to get rid of the debug condition then you can use the following command:

R1#undebug condition interface fastEthernet 0/0
This condition is the last interface condition set.
Removing all conditions may cause a flood of debugging
messages to result, unless specific debugging flags
are first removed.

Proceed with removal? [yes/no]: yes
Condition 1 has been removed

The router will warn you that you might be flooded with debug information after removing the debug condition. If you have a router that generates a lot of debug information then this is something to be aware of. Be careful...using no debug all or undebug all doesn't remove the condition. You need to remove it using the command that I just showed you!

That's all there is to it. I hope this helps you to make debugging easier to work with. If you have any questions feel free to leave a comment!

Cisco IOS Embedded Event Manager (EEM)

Embedded Event Manager (EEM) is a technology on Cisco Routers that lets you run scripts or commands when a certain event happens. It’s probably best just to show you some examples to see how it works. This is the topology that I will use:

Syslog Events

Syslog messages are the messages that you see by default on your console. Interfaces going up or down, OSPF neighbors that disappear and such are all syslog messages. EEM can take action when one of these messages shows up. Let’s start with an example that enables an interface once it goes down.

Interface Recovery

R2(config)#
event manager applet INTERFACE_DOWN
 event syslog pattern "Interface FastEthernet0/0, changed state to down"
 action 1.0 cli command "enable"
 action 2.0 cli command "conf term"
 action 3.0 cli command "interface fa0/0"
 action 4.0 cli command "no shut"

The applet is called “INTERFACE_DOWN” and the event is a syslog pattern that matches the text when an interface goes down. When this occurs, we run a number of commands. What happens is that whenever someone shuts the interface, EEM will do a “no shut” on it. To demonstrate that this works I’ll enable a debug:

R2#debug event manager action cli
Debug EEM action cli debugging is on

This will show the commands that EEM runs when the event occurs. Let’s do a shut on that interface:

R2(config)#interface FastEthernet 0/0
R2(config-if)#shutdown

Within a few seconds you will see this:

R2#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2>
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN  : R2>enable
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN  : R2#conf term
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line.  End with CNTL/Z.
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2(config)#
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN  : R2(config)#interface fa0/0
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2(config-if)#
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN  : R2(config-if)#no shut
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2(config-if)#
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : CTL : cli_close called.
%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

The interface went down, EEM runs the commands and the interface is up again. Simple but I think this is a good example to demonstrate how EEM works. Let’s see what else we can do…

OSPF Adjacency Changes

The next example is perhaps useful. Whenever the OSPF adjacency disappears you will see a syslog message on your console. We’ll use this message as the event and once it occurs, we enable OSPF adjacency debugging and send an e-mail:

R2(config)#
event manager applet OSPF_DOWN
 event syslog pattern "Nbr 192.168.12.1 on FastEthernet0/0 from FULL to DOWN"
 action 1.0 cli command "enable"
 action 2.0 cli command "debug ip ospf adj"
 action 3.0 mail server "smtp.ziggo.nl" to "[email protected]" from "[email protected]" subject "OSPF IS DOWN" body "Please fix OSPF"

The event that I used is a syslog message that should look familiar. The first two actions are executed on the CLI but the third action is for the e-mail. It will send a message to [email protected] through SMTP-server “smtp.ziggo.nl”. Let’s give it a try.
I have to enable another debug if I want to see the mail action:

R2#debug event manager action mail
Debug EEM action mail debugging is on

Once the OSPF neighbor adjacency is established, I’ll shut the interface on one of the routers so it breaks:

R1(config)#interface FastEthernet 0/0
R1(config-if)#shutdown

And this is what you’ll see:

R2#
%OSPF-5-ADJCHG: Process 1, Nbr 192.168.12.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : OUT : R2>
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : IN  : R2>enable
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : IN  : R2#debug ip ospf adj
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : OUT : OSPF adjacency events debugging is on
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(smtp_lib) : smtp_connect_attempt: 1
OSPF: Build router LSA for area 0, router ID 192.168.12.2, seq 0x8000000B, process 1
OSPF: No full nbrs to build Net Lsa for interface FastEthernet0/0
OSPF: Build network LSA for FastEthernet0/0, router ID 192.168.12.2
OSPF: Build network LSA for FastEthernet0/0, router ID 192.168.12.2
Translating "smtp.ziggo.nl"...domain server (255.255.255.255)
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(smtp_lib) : fh_smtp_connect failed at attempt 1
Translating "smtp.ziggo.nl"...domain server (255.255.255.255)
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(smtp_lib) : smtp_connect_attempt: 2
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(smtp_lib) : fh_smtp_connect callback timer is awake
%HA_EM-3-FMPD_SMTP: Error occurred when sending mail to SMTP server: smtp.ziggo.nl : timeout error
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : CTL : cli_close called.

My router isn’t connected to the Internet but you can see it’s trying to contact the SMTP server and send an e-mail. It also enabled the OSPF adjacency debug thanks to the CLI commands.

CLI Events

The previous two examples used syslog messages as the event but you can also take action based on commands that are used on the CLI. The example below is a funny one, whenever someone watches the running-configuration it will exclude all lines with the word “interface” in it:

R2(config)#
event manager applet SHOW_RUN_NO_INTERFACES
 event cli pattern "show run" sync yes
 action 1.0 cli command "enable"
 action 2.0 cli command "show run | exclude interface"
 action 3.0 puts "$_cli_result"
 action 4.0 set $_exit_status "0"

As you can see above the event is a CLI pattern. Basically this means that whenever someone uses the “show run” command, the script will run “show run | exclude interface” instead and gives you the output. To make this work, the “sync yes” parameter is required, this tells EEM to run the script before running the “show run” command. When the script is done, it sets the exit status to 0. Let’s see what the result is…

R2#show running-config
Building configuration...

You will see the output of the running configuration and if you left the debug on, you’ll see what EEM is doing behind the scenes:

R2#
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : OUT : R2>
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : IN  : R2>enable
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : IN  : R2#show run | exclude interface
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : OUT : Building configuration...

Somewhere further down the running-config you can see that the lines with “interface” in them were removed:

!
 ip address 192.168.12.2 255.255.255.0
 duplex auto
 speed auto

While this isn’t very useful, I think this is a good example to see what it does. A good real life scenario might be hiding all lines that have “username” or “enable secret” in them for certain users.

Interface Events

You have seen syslog and CLI pattern events, but we have some others. What about interface counters? It might be useful to perform an action when some interface counters have a certain value. Here’s an example:

R2#show interfaces fastEthernet 0/0 | incl load
     reliability 255/255, txload 1/255, rxload 1/255

Let's create a script that does something when the interface load hits a certain value. It's best to change the load interval of the interface first:

R2(config)#interface FastEthernet 0/0
R2(config-if)#load-interval 30

By using this command, the router will calculate the load of the interface every 30 seconds, the default is 5 minutes. Let's create the script:

R2(config)#
event manager applet INTERFACE_LOAD
 event interface name FastEthernet0/0 parameter rxload entry-op gt entry-val 10 entry-type value poll-interval 10
 action 1.0 syslog priority informational msg "INTERFACE OVERLOADED"

This event is a bit harder to read...when the rx load of the interface is above 10/255 then we will take action. Every 10 seconds we will check if we reached this value or not. When the event occurs, a syslog message is produced. To demonstrate this we'll send some packets from R1 towards R2:

R1#ping 192.168.12.2 repeat 9999999 size 15000 timeout 0

Once the interface rx load is above 10 you'll see the following message on the console:

R2#
%HA_EM-6-LOG: INTERFACE_LOAD: INTERFACE OVERLOADED

Pretty neat right? Sending an e-mail as the action might be a good idea when the interface load is above 60-70%.

Scheduling Events

Instead of launching actions based on syslog or CLI messages we can also use scheduled tasks. This means that you can run actions every X minutes / hours / days etc. Here's an example:

R2(config)#
event manager applet TIMER
 event timer watchdog time 60
 action 1.0 cli command "enable"
 action 2.0 cli command "write memory"
 action 3.0 syslog priority informational msg "Configuration has been saved"

This script runs every 60 seconds and runs the "write memory" command. Once it's done, it will produce a syslog message. After waiting for 60 seconds we'll see this:

R2#
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : OUT : R2>
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : IN  : R2>enable
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : IN  : R2#write memory
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : OUT : Building configuration...
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : OUT : [OK]
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: TIMER: Configuration has been saved
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : CTL : cli_close called.

Other Events and Actions

You have seen a couple of events and actions but EEM has a lot of options. Here's a list to give you some ideas:

R2(config-applet)#event ?
  application        Application specific event
  cli                CLI event
  config             Configuration policy event
  counter            Counter event
  env                Environmental event
  interface          Interface event
  ioswdsysmon        IOS WDSysMon event
  ipsla              IPSLA Event
  nf                 NF Event
  none               Manually run policy event
  oir                OIR event
  resource           Resource event
  rf                 Redundancy Facility event
  routing            Routing event
  rpc                Remote Procedure Call event
  snmp               SNMP event
  snmp-notification  SNMP Notification Event
  syslog             Syslog event
  tag                event tag identifier
  timer              Timer event
  track              Tracking object event

Some other useful events are changes in the routing table, IP SLA, object tracking and configuration changes. There is also a big list of possible actions:

R2(config-applet)#action 1.0 ?
  add               Add
  append            Append to a variable
  break             Break out of a conditional loop
  cli               Execute a CLI command
  cns-event         Send a CNS event
  comment           add comment
  context           Save or retrieve context information
  continue          Continue to next loop iteration
  counter           Modify a counter value
  decrement         Decrement a variable
  divide            Divide
  else              else conditional
  elseif            elseif conditional
  end               end conditional block
  exit              Exit from applet run
  force-switchover  Force a software switchover
  foreach           foreach loop
  gets              get line of input from active tty
  handle-error      On error action
  help              Read/Set parser help buffer
  if                if conditional
  increment         Increment a variable
  info              Obtain system specific information
  mail              Send an e-mail
  multiply          Multiply
  policy            Run a pre-registered policy
  publish-event     Publish an application specific event
  puts              print data to active tty
  regexp            regular expression match
  reload            Reload system
  set               Set a variable
  snmp-trap         Send an SNMP trap
  string            string commands
  subtract          Subtract
  syslog            Log a syslog message
  track             Read/Set a tracking object
  wait              Wait for a specified amount of time
  while             while loop

Running CLI commands and sending e-mails are maybe the most important ones but you can also generate SNMP traps or reload the router. Anyway that's the end of this tutorial. If you have any other good EEM examples please leave a comment and I'll add them here. If you enjoyed this, please share it with your friends and colleagues.

Cisco Network Time Protocol (NTP)

NTP (Network Time Protocol) is used to allow network devices to synchronize their clocks with a central source clock. For network devices like routers, switches or firewalls this is very important because we want to make sure that logging information and timestamps have the accurate time and date. If you ever have network issues or get hacked, you want to make sure you know exactly what and when it happened.

Normally a router or switch will run in NTP client mode which means that it will adjust its clock based on the time of a NTP server. Basically the NTP protocol describes the algorithm that the NTP clients use to synchronize their clocks with the NTP server and the packets that are used between them.

A good example of a NTP server is pool.ntp.org. This is a cluster of NTP servers that many servers and network devices use to synchronize their clocks.

NTP uses a concept called “stratum” that defines how many NTP hops away a device is from an authoritative time source. For example, a device with stratum 1 is a very accurate device and might have an atomic clock attached to it. Another NTP server that is using this stratum 1 server to sync its own time would be a stratum 2 device because it’s one NTP hop further away from the source. When you configure multiple NTP servers, the client will prefer the NTP server with the lowest stratum value.

Cisco routers and switches can use 3 different NTP modes:

  NTP client mode.
  NTP server mode.
  NTP symmetric active mode.

The symmetric active mode is used between NTP devices to synchronize with each other, it’s used as a backup mechanism when they are unable to reach the (external) NTP server.

In the remainder of this tutorial I will demonstrate how to configure NTP on a Cisco router and switches.

Configuration

This is the topology I will use:

The router on the top is called “CoreRouter” and it's the edge of my network. It is connected to the Internet and will use one of the NTP servers from pool.ntp.org to synchronize its clock. The network also has two internal switches that require synchronized clocks. Both switches will become NTP clients of the CoreRouter, thus making the CoreRouter a NTP server.

Router configuration

First we will configure the CoreRouter on top. I will use pool.ntp.org as the external NTP server for this example. We need to make sure that the router is able to resolve hostnames:

CoreRouter(config)#ip name-server 8.8.8.8

I will use Google DNS for this. Our next step is to configure the NTP server:

CoreRouter(config)#ntp server pool.ntp.org

That was easy enough, just one command and we will synchronize our clock with the public server. We can verify our work like this:

CoreRouter#show ntp associations

  address          ref clock        st   when   poll reach  delay  offset   disp
 ~146.185.130.223  .INIT.           16            64     0  0.000   0.000 16000.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

Above we see the show ntp associations command that tells us if our clock is synchronized or not. The ~ in front of the IP address tells us that we configured this server but we are not synchronized yet. You can see this because there is no * in front of the IP address and the “st” field (stratum) is currently 16. There is one more command that gives us more information about the NTP configuration:

CoreRouter#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.16 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000000000 s/s
system poll interval is 64, never updated.

The router tells us that we are unsynchronized and that there is no reference clock…we will just wait a couple of minutes and take a look at these commands again:

CoreRouter#show ntp associations

  address          ref clock        st   when   poll reach  delay  offset   disp
*~146.185.130.223  193.79.237.14     2     26     64     1 10.857  -5.595 7937.5
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

A few minutes later and the output has changed. The * in front of the IP address tells us that we have synchronized and the stratum is 2…that means that this NTP server is pretty close to a reliable time source. The “poll” field tells us that we will try to synchronize the time every 64 seconds. Let’s check the other command that we just saw:

CoreRouter#show ntp status
Clock is synchronized, stratum 3, reference is 146.185.130.22
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is D76513B4.66A4CDA6 (12:40:20.400 UTC Mon Jul 7 2014)
clock offset is -5.5952 msec, root delay is 13.58 msec
root dispersion is 7966.62 msec, peer dispersion is 7937.50 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000000018 s/s
system poll interval is 64, last update was 43 sec ago.

Our clock has been synchronized and our own stratum is 3, that makes sense since the public stratum server has a stratum of 2 and we are one “hop” away from it.

NTP synchronization can be very slow so you have to be patient when your clocks are not synchronized. One way to speed it up a bit is to adjust your clock manually so it is closer to the current time.

Cisco routers have two different clocks, they have a software clock and a hardware clock and they operate separately from each other. Here’s how to see both clocks:

CoreRouter#show clock
12:41:25.197 UTC Mon Jul 7 2014
CoreRouter#show calendar
12:43:24 UTC Mon Jul 7 2014

The show clock command shows me the software clock while the show calendar command gives me the hardware clock. The two clocks are not in sync so this is something we should fix, you can do it like this:

CoreRouter(config)#ntp update-calendar

The ntp update-calendar command will update the hardware clock with the time of the software clock, here’s the result:

CoreRouter#show clock
12:42:31.853 UTC Mon Jul 7 2014
CoreRouter#show calendar
12:42:30 UTC Mon Jul 7 2014

That’s all I wanted to configure on the CoreRouter for now. We still have to configure two switches to synchronize their clocks.

Switch Configuration

The two switches will be configured to use the CoreRouter as the NTP server and I will also configure them to synchronize their clocks with each other. Let’s configure them to use the CoreRouter first:

SW1(config)#ntp server 192.168.123.3

Once again it might take a few minutes to synchronize but this is what you will see:

SW1#show ntp associations

  address          ref clock        st   when   poll reach  delay  offset   disp
*~192.168.123.3    146.185.130.223   3     21     64     1    2.5    1.02 15875.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

SW1#show ntp status
Clock is synchronized, stratum 4, reference is 192.168.123.3
nominal freq is 119.2092 Hz, actual freq is 119.2089 Hz, precision is 2**18
reference time is D765271D.D6021302 (14:03:09.835 UTC Mon Jul 7 2014)
clock offset is 1.0229 msec, root delay is 14.31 msec
root dispersion is 16036.00 msec, peer dispersion is 15875.02 msec

The clock of SW1 has been synchronized and its stratum is 4. This makes sense since it’s one “hop” further away from its NTP server (CoreRouter). Let’s do the same for SW2:

SW2(config)#ntp server 192.168.123.3

Let’s be patient for a few more minutes and this is what we’ll get:

SW2#show ntp associations

  address          ref clock        st   when   poll reach  delay  offset   disp
*~192.168.123.3    146.185.130.223   3     59     64    37    3.2   -2.89  875.8
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

SW2#show ntp status
Clock is synchronized, stratum 4, reference is 192.168.123.3
nominal freq is 119.2092 Hz, actual freq is 119.2084 Hz, precision is 2**18
reference time is D765274D.D51A0546 (14:03:57.832 UTC Mon Jul 7 2014)
clock offset is 1.8875 msec, root delay is 15.18 msec
root dispersion is 1038.39 msec, peer dispersion is 875.84 msec

SW1 and SW2 are now using CoreRouter to synchronize their clocks. Let’s also configure them to use each other for synchronization. This is the symmetric active mode I mentioned before, basically the two switches will “help” each other to synchronize…this might be useful in case the CoreRouter fails some day:

SW1(config)#ntp peer 192.168.123.2

SW2(config)#ntp peer 192.168.123.1

After waiting a few minutes you’ll see that SW1 and SW2 have synchronized with each other:

SW1#show ntp associations

  address          ref clock        st   when   poll reach  delay  offset   disp
*~192.168.123.3    146.185.130.223   3     17     64    37    3.0   -0.74  877.4
+~192.168.123.2    192.168.123.3     4     50    128   376    2.4    1.04    1.3
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

SW2#show ntp associations

  address          ref clock        st   when   poll reach  delay  offset   disp
*~192.168.123.3    146.185.130.223   3     45    128   377    2.8    2.40    1.0
 ~192.168.123.1    192.168.123.3     4     67   1024   376    1.9    1.95    1.4
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

Great everything is now in sync. Are we done? Not quite yet…there are a few more things we can do with NTP. The CoreRouter and the two switches use unicast (UDP port 123) for synchronization but you can also use multicast or broadcast. Let me give you an example…

Multicast and Broadcast

If you have more than 20 network devices or a router that has limited system memory or CPU resources you might want to consider using NTP broadcast or multicast as it requires fewer resources. We can enable multicast or broadcast on the interface level. To demonstrate this I will add two routers below SW1 and SW2 that will synchronize themselves using multicast or broadcast. This is what it looks like:

I’ll configure SW1 to use multicast address 239.1.1.1 and SW2 will send NTP updates through broadcast:

SW1(config)#interface vlan 10
SW1(config-if)#ntp multicast 239.1.1.1

SW2(config-if)#interface vlan 20
SW2(config-if)#ntp broadcast

R5 will synchronize itself by using multicast:

R5(config)#interface fastEthernet 0/0
R5(config-if)#ntp multicast client 239.1.1.1

The commands are pretty self-explanatory, let's see if it worked:

R5#show ntp associations

  address          ref clock        st   when   poll reach  delay  offset   disp
* 192.168.10.1     192.168.123.3     4     29     64     1  1.528  -1.035  0.206
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

R5#show ntp status
Clock is synchronized, stratum 5, reference is 192.168.10.1
nominal freq is 250.0000 Hz, actual freq is 250.0132 Hz, precision is 2**24
reference time is D7654496.15979782 (16:08:54.084 UTC Mon Jul 7 2014)
clock offset is -0.0040 msec, root delay is 0.01 msec
root dispersion is 0.59 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000052939 s/s
system poll interval is 64, last update was 35 sec ago.

You can see that it has synchronized itself and it shows the IP address of SW1. Let's see if we can get broadcast to work on R6:

R6(config)#interface fastEthernet 0/0
R6(config-if)#ntp broadcast client

R6#show ntp associations

  address          ref clock        st   when   poll reach  delay  offset   disp
* 192.168.20.2     192.168.123.3     4     14     64     1  1.284  -4.209  0.127
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

R6#show ntp status
Clock is synchronized, stratum 5, reference is 192.168.20.2
nominal freq is 250.0000 Hz, actual freq is 250.0174 Hz, precision is 2**24
reference time is D765447B.DA56D83C (16:08:27.852 UTC Mon Jul 7 2014)
clock offset is -0.0012 msec, root delay is 0.01 msec
root dispersion is 0.16 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000069583 s/s
system poll interval is 64, last update was 29 sec ago.

Excellent! Two more network devices that are synchronized. You now know how to configure NTP but there is one more important topic to cover...security! Right now our routers will accept any source as the NTP server and they will serve any NTP client that requests updates. To protect our network, we will have to configure authentication and access-control. Let's start with authentication.

Authentication

When we enable authentication, all NTP packets that can update the clock have to be authenticated. The packets will be authenticated using HMAC MD5 which carries a key number. I want to make sure that SW1 and SW2 will authenticate the CoreRouter so they don't just accept any NTP updates from a device that has IP address 192.168.123.3 configured. We'll configure the router first:

CoreRouter(config)#ntp authenticate
CoreRouter(config)#ntp trusted-key 1
CoreRouter(config)#ntp trusted-key 2
CoreRouter(config)#ntp authentication-key 1 md5 NETWORKLESSONS1
CoreRouter(config)#ntp authentication-key 2 md5 NETWORKLESSONS2

Each switch will use a different key for authentication. The ntp authentication-key command is required to set the key number and the password. The ntp trusted-key command is a bit weird, if you don't use it then the key that you configured will not be activated so don't forget it. Let's configure the switches now:

SW1(config)#ntp authenticate
SW1(config)#ntp authentication-key 1 md5 NETWORKLESSONS1
SW1(config)#ntp trusted-key 1
SW1(config)#ntp server 192.168.123.3 key 1

SW2(config)#ntp authenticate
SW2(config)#ntp authentication-key 2 md5 NETWORKLESSONS2
SW2(config)#ntp trusted-key 2
SW2(config)#ntp server 192.168.123.3 key 2

The configuration on the switches is similar but the difference is that we also specified the key for the NTP server. SW1 and SW2 will only use 192.168.123.3 to synchronize their clocks if the MD5 signature is correct.

Earlier we configured SW1 and SW2 to use each other as peers and of course we can also use authentication for this. It looks like this:

SW1(config)#ntp authentication-key 12 md5 NETWORKLESSONS12
SW1(config)#ntp trusted-key 12
SW1(config)#ntp peer 192.168.123.2 key 12

SW2(config)#ntp authentication-key 12 md5 NETWORKLESSONS12
SW2(config)#ntp trusted-key 12
SW2(config)#ntp peer 192.168.123.1 key 12

The configuration is similar, configure a key and make it trusted. We change the NTP peer command so that it requires authentication.

Authentication is great but there is still one security problem to tackle. A NTP server will serve updates to any NTP client and a NTP client will accept any IP address as the NTP server. To solve this we can implement some access-lists...let's take a look!

Access-Control

First I will configure the CoreRouter so it only accepts one IP address as its NTP server. This is tricky since the IP address might change in the future, if you implement this on a production network you'll have to make sure that you add all the possible IP addresses in the access-list:

CoreRouter(config)#access-list 1 permit 146.185.130.223
CoreRouter(config)#ntp access-group peer 1

The ntp access-group peer command is used to activate the access-list. SW1 and SW2 are the NTP clients for the CoreRouter but right now everyone can use our router as the NTP server. [...] only SW1 and SW2 are now accepted as NTP clients.

[...]
SW2(config)#ntp access-group peer 3

The configuration above allows SW1 and SW2 to use CoreRouter and each other as NTP server, no other sources are allowed. [...] here's an example for SW1:

SW1#show ntp associations detail
192.168.123.3 [...] our_master [...] authenticated [...] peer poll intvl 1024 [...]

[...] (pool.ntp.org) but you can also configure a router or switch as the NTP master and set a stratum number yourself. If you do this you'll need the NTP master command and your device will synchronize its own clock using the 127.[...].1 IP address.
Let's fix this so only SW1 and SW2 are allowed as NTP clients: CoreRouter(config)#ntp access-group serve-only 12 CoreRouter(config)#access-list 12 permit 192. Make sure you permit this IP address in your access-list! After we configured authentication we can verify if its working or not.The IP address above is what pool.2 SW1(config)#access-list 3 permit 192.168. In my example I used a public server for NTP (pool.3 configured.168.3 SW1(config)#ntp access-group peer 3 SW2(config)#access-list 3 permit 192. Our CoreRouter is now protected but let's make some changes on SW1 and SW2 as well: SW1(config)#access-list 3 permit 192.168.185.123.ntp.223.168. stratum 3 ref ID 146.1 or 127.1. peer mode server. time D7656103.1 CoreRouter(config)#access-list 12 permit 192.127.123.622 UTC Mon Jul 7 2014) our mode client.168.2 Problem solved.9F50193C (18:10:11.7.123.127. sane. our poll intvl 1024.1 SW2(config)#access-list 3 permit 192.130.168.123.org resolves to for me. valid. 23 -1. offset -0.73 1. authenticated. version 3 org time D76562BA. sync dist 164.231 delay 1.79 -3. peer mode active.74 192.03 -3. root disp 144.14 79.43 1.42 82. dispersion 1.168.DE84436E (18:17:30.95 -1.21 1. dispersion 5.92 -4.196F1052 (18:27:18.55 35.57 19.17C145F3 (18:14:23. selected.88 -4.50 1.29 filterror = 1.43 1.7465 msec.109 UTC Mon Jul 7 2014) xmt time D7656486.719 delay 4.43 msec.17 50.123.20 0. sync dist 162.870 UTC Mon Jul 7 2014) filtdelay = 4.93. valid.31 -0.97 17.64 31.59 18.37 1. time D76561FF. stratum 4 ref ID 192.63 2.DED15803 (18:25:10.70 filterror = 0.28 msec.79 -2.869 UTC Mon Jul 7 2014) rcv time D76562BA.092 UTC Mon Jul 7 2014) our mode active. If you enjoyed reading this.DEE4A769 (18:17:30.12 79.14 1.89 62.75 -0. please share it with your friends / colleagues or leave a comment if you have any questions! Rate this Lesson:    .02 15.2 configured.099 UTC Mon Jul 7 2014) rcv time D7656506.98 precision 2**18.869 UTC Mon Jul 7 2014) filtdelay = 1.27 1.39 4.168.20 -4.15.123.21 msec. 
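The authentication and access-control rules from this lesson can be checked mechanically. The following Python audit is an added example, not part of the original lesson: the function name, the finding codes and both sample configurations are constructed here from the commands shown above. It reports a key that is defined but never trusted, a server or peer that names no key, and a missing or dangling ntp access-group.

```python
"""Audit the NTP authentication and access-control lines of an IOS config.

Added example: names, finding codes and sample configs are constructed here.
"""

ACCESS_MODES = ("peer", "serve", "serve-only", "query-only")


def audit_ntp(config_text):
    """Return a list of (code, detail) findings; an empty list means nothing was flagged."""
    authenticate = False
    defined, trusted, acls = set(), set(), set()
    sources, groups = [], []

    for raw in config_text.splitlines():
        words = raw.split()
        if words[:2] == ["ntp", "authenticate"]:
            authenticate = True
        elif words[:2] == ["ntp", "authentication-key"] and len(words) >= 5:
            defined.add(words[2])
        elif words[:2] == ["ntp", "trusted-key"] and len(words) >= 3:
            trusted.add(words[2])
        elif len(words) >= 3 and words[0] == "ntp" and words[1] in ("server", "peer"):
            # "key N" may be followed by other options, so look for the keyword.
            key = words[words.index("key") + 1] if "key" in words[3:-1] else None
            sources.append((words[1], words[2], key))
        elif len(words) >= 4 and words[:2] == ["ntp", "access-group"] and words[2] in ACCESS_MODES:
            groups.append((words[2], words[3]))
        elif len(words) >= 3 and words[0] == "access-list":
            acls.add(words[1])

    findings = []
    if not authenticate:
        findings.append(("no-authenticate", "ntp authenticate is not configured"))
    for key in sorted(defined - trusted):
        findings.append(("key-not-trusted", f"key {key} has no matching ntp trusted-key {key}"))
    for key in sorted(trusted - defined):
        findings.append(("key-not-defined", f"trusted-key {key} has no ntp authentication-key"))
    for kind, address, key in sources:
        if key is None:
            findings.append(("source-without-key", f"ntp {kind} {address} names no key"))
        elif key not in defined or key not in trusted:
            findings.append(("source-key-unusable", f"ntp {kind} {address} uses key {key}, which is not defined and trusted"))
    if not groups:
        findings.append(("no-access-group", "no ntp access-group limits clients or sources"))
    for mode, acl in groups:
        if acl not in acls:
            findings.append(("acl-missing", f"ntp access-group {mode} {acl} points at an undefined access-list"))
    return findings


# Constructed sample: SW1 as configured step by step in the lesson.
SW1_FROM_LESSON = """
ntp authenticate
ntp authentication-key 1 md5 NETWORKLESSONS1
ntp trusted-key 1
ntp server 192.168.123.3 key 1
ntp authentication-key 12 md5 NETWORKLESSONS12
ntp trusted-key 12
ntp peer 192.168.123.2 key 12
access-list 3 permit 192.168.123.2
access-list 3 permit 192.168.123.3
ntp access-group peer 3
"""

# Constructed sample: the same switch with trusted-key 12, the peer key and the access-group left out.
SW1_WEAK = """
ntp authenticate
ntp authentication-key 1 md5 NETWORKLESSONS1
ntp trusted-key 1
ntp server 192.168.123.3 key 1
ntp authentication-key 12 md5 NETWORKLESSONS12
ntp peer 192.168.123.2
"""

if __name__ == "__main__":
    for name, text in (("SW1 from lesson", SW1_FROM_LESSON), ("SW1 weak", SW1_WEAK)):
        print(name)
        for code, detail in audit_ntp(text) or [("ok", "nothing flagged")]:
            print(f"  {code}: {detail}")
```
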
That's all there is to it. Hopefully this NTP tutorial is helpful for you to understand and configure NTP in your network.

Configuration Archive and Rollback on Cisco IOS

Cisco IOS routers and switches are able to create 'snapshots' of their configuration using the archive feature. Cisco calls these snapshots 'configuration archives' and they are very useful as they allow you to store multiple versions of your configuration. The configuration archive can be created every time you save your running configuration or you can create one based on a time schedule, for example each 24 hours or so. When you have multiple snapshots you can use a show command to see the difference between the configurations and easily restore (rollback) to a previous version. Let's take a look at the configuration shall we?

Configuration

First we need to configure where we want to store our configuration archives. When you use the path command you can see what options we have:

Router(config)#archive
Router(config-archive)#path ?
  flash:  Write archive on flash: file system
  ftp:    Write archive on ftp: file system
  http:   Write archive on http: file system
  https:  Write archive on https: file system
  pram:   Write archive on pram: file system
  rcp:    Write archive on rcp: file system
  scp:    Write archive on scp: file system
  slot0:  Write archive on slot0: file system
  tftp:   Write archive on tftp: file system

Normally an external location would be a good idea but to keep things simple I will use the flash memory of my router:

Router(config-archive)#path flash:router-backup

Each configuration archive file will start with "router-backup" in the filename. Besides the destination we also have to choose when we want to create a configuration archive. For example, whenever the running-config is saved as the startup-config might be a good idea to create a backup:

Router(config-archive)#write-memory

I will also configure a schedule, for example to create a configuration archive each 24 hours:

Router(config-archive)#time-period 1440

1440 minutes means we'll create a snapshot each 24 hours. Everything is now in place, let's see if it is working.

Verification

We can use the show archive command to see how many snapshots we have. At the moment no snapshots were made so the list is empty:

Router#show archive
There are currently 1 archive configurations saved.
The next archive file will be named flash:router-backup-1
 Archive #  Name
   0
   1
   2
   3
   4
   5
   6
   7
   8
   9
   10
   11
   12
   13
   14

Now we will save the running-config and thanks to the write-memory command it will also create a configuration archive:

Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Verifying checksum... OK (0xDCF1)

When we look again at the show archive command we'll see our first configuration archive:

Router#show archive
There are currently 2 archive configurations saved.
The next archive file will be named flash:router-backup-2
 Archive #  Name
   0
   1       flash:router-backup-1 <- Most Recent
   2
   3
   4
   5
   6
   7
   8
   9
   10
   11
   12
   13
   14

As configured you can see that it has been stored on the flash of the router:

Router#show flash:
System CompactFlash directory:
File  Length   Name/status
  1   840      router-backup-1
[904 bytes used, 16776308 available, 16777212 total]
16384K bytes of ATA System CompactFlash (Read/Write)

Having extra backups feels great! Before we are going to recover one I'll show you how you can compare different archives. I'll make some changes to the running-config so that we'll end up with two different configuration archives:

Router(config)#interface loopback0
Router(config-if)#ip address 1.1.1.1 255.255.255.0

We'll save the running-config to the startup-config so that another archive is created:

Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Verifying checksum... OK (0xDCF1)

Let's find out if we have another snapshot:

Router#show archive
There are currently 3 archive configurations saved.
The next archive file will be named flash:router-backup-3
 Archive #  Name
   0
   1       flash:router-backup-1
   2       flash:router-backup-2 <- Most Recent
   3
   4
   5
   6
   7
   8
   9
   10
   11
   12
   13
   14

So we now have two configuration archives but we don't know the differences between them. IOS tells us that the second one is the latest version but this doesn't always mean that it's the best configuration that we have. Luckily there's a command that tells us exactly the difference between the two files:

Router#show archive config differences flash:router-backup-1 flash:router-backup-2
Contextual Config Diffs:
+interface Loopback0
 +ip address 1.1.1.1 255.255.255.0

The + symbol tells us that the second file has some additional lines. If you see a - symbol then it means those lines have been removed. I created that loopback interface so it's showing up here with the IP address.

Now we can replace our running configuration and select one of our snapshots like this:

Router#configure replace flash:router-backup-1 list
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: yes
Rollback:Acquired Configuration lock.
!Pass 1
!List of Commands:
no interface Loopback0
end
Total number of passes: 1
Rollback Done

Router#
%PARSER-6-EXPOSEDLOCKRELEASED: Exclusive configuration lock released from terminal '0' -Process= "Exec", ipl= 0, pid= 92
%LINK-5-CHANGED: Interface Loopback0, changed state to administratively down

The router tells us which commands it has executed in order to rollback to the configuration that we selected. In my example it has removed the loopback 0 interface.

That's all I wanted to show you for now. I hope this has been a useful tutorial for you! If you have any questions feel free to leave a comment.

Configuration Change Notification and Logging

Change notification is a nice feature on Cisco IOS devices that lets you keep track of the changes that have been made to your configuration. It can even track the user who made these changes and it can send this information to a syslog server. This is one of those features that is very useful when something suddenly doesn't work anymore and everyone tells you that "nobody made any changes".

Configuration

Let's look at a Cisco router where we enable this feature:

Router(config)#archive
Router(config-archive)#log config
Router(config-archive-log-cfg)#logging enable

First you should use the archive command and then enter the log config section. Use the logging enable command and the router will keep track of the configuration changes.
There's a number of other items that are useful to configure however:

Router(config-archive-log-cfg)#logging size 1000

By default your router will keep 100 entries in the configuration log but we can increase it to 1000 using the logging size command. All the changes will be kept locally on your router but we can send them to the syslog server if we want:

Router(config-archive-log-cfg)#notify syslog

Last but not least, it might be a good idea not to store any passwords in the configuration change logs. You can use the following command to disable this:

Router(config-archive-log-cfg)#hidekeys

Verification

Whenever you make a change to the configuration you will see the following message on your console:

Router#configure terminal
Router(config)#interface loopback 0
Router(config-if)#
%PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:interface loopback 0

You can see the change that was made (interface loopback 0) and the user that did this (console). Let's make some more changes to the configuration of this router:

Router(config-if)#shutdown
Router(config-if)#no shutdown

You will see these changes on the console:

Router#
%PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:shutdown
%PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no shutdown

We can also use some show commands to verify what changes have been made:

Router#show archive log config all
 idx   sess   user@line          Logged command
   1      1   console@console   | logging enable
   2      1   console@console   | logging size 1000
   3      1   console@console   | notify syslog
   4      1   console@console   | hidekeys
   5      1   console@console   | interface loopback 0
   6      1   console@console   | shutdown
   7      1   console@console   | no shutdown

Above you find all the commands that I typed in the console so far. If you want to re-use some of the commands that you found then there's a useful command for you to use:

Router#show archive log config all provisioning
archive
 log config
  logging enable
  logging size 1000
  notify syslog
  hidekeys
interface loopback 0
 shutdown
 no shutdown

This gives you the logged configuration changes in the same format as you can find them in the running configuration.

What about passwords in my configuration? I used the hidekeys command so they shouldn't be visible...let's find out if this is true. I'll configure an enable secret:

Router(config)#enable secret Cisco123

Your console will show this:

Router#
%PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:enable secret *****

It's masking the secret so it's not giving away any information. You'll find the same thing in the overview of commands:

Router#show archive log config all | include secret
   8      2   console@console   |enable secret *****

I hope this tutorial has been helpful to you, if you have any questions feel free to leave a comment!

How to configure Cisco IOS Banners

Cisco IOS devices support a number of banners that are presented to users when they use the console line or when they connect remotely using telnet or SSH. They are often used to inform users about their legal rights. It might be a good idea to present a banner to users who are trying to connect to your device, here are some items you might want to think about:

To show that only authorized users are allowed to connect.
That all traffic will be monitored.
That there is no expectation of privacy.
Don't use anything that says "welcome".
Don't add any contact information or information about the router in the banner.

Before you implement any banners, make sure to check with your legal counsel first. Here's a good example on the website of the California Technology Agency that gives you more information about what a good banner should contain and some sample texts. Having said that, let's look at the different banners…

Different Banners

Cisco IOS routers support a number of banners, here they are:

MOTD banner: the "message of the day" banner is presented to everyone that connects to the router.
Login banner: this one is displayed just before the authentication prompt.
Exec banner: displayed before the user sees the exec prompt.
Incoming banner: used for users that connect through reverse telnet.

We'll take a look at how to configure these different banners now.

MOTD Banner

We'll start with the message of the day banner that will be presented to anyone accessing the router:

R1(config)#banner motd #
Enter TEXT message. End with the character '#'.
Authorized users only, violaters will be shot on sight! #

The # symbol is a start and stop character. You can use any other character if you want. This is what the MOTD banner looks like:

R1#exit
R1 con0 is now available
Press RETURN to get started.
Authorized users only, violaters will be shot on sight!

A nice and welcome banner that everyone will see…let's move on to the login banner now.

Login banner

The login banner is presented to users that access the router remotely using telnet or SSH:

R1(config)#banner login $ Authenticate yourself! $

Let's try it out:

R1#telnet 1.1.1.1
Trying 1.1.1.1 ... Open
Authorized users only, violaters will be shot on sight!
Authenticate yourself!

Above you see that the login banner is displayed after the MOTD banner. It would have been better if I added some empty lines so that the login banner would show up below the MOTD banner.

Exec banner

The exec banner is shown just before the exec prompt:

R1(config)#banner exec #
Enter TEXT message. End with the character '#'.
Authorized users only, violaters will be shot on sight!
You are connected to line $(line) at router $(hostname) #

This time I added an extra line in the banner and I also used some operators like $(line) and $(hostname). Let's see what that looks like:

R1#exit
R1 con0 is now available
Press RETURN to get started.
Authorized users only, violaters will be shot on sight!
You are connected to line 0 at router R1

As you can see it shows to which line I am connected (line 0 is the console) and the hostname of my router (R1). One more banner to go!

Banner incoming

The last banner is used for reverse telnet connections. Reverse telnet can be used to access the console of another device by connecting the AUX port of the router to the console port of another router. This allows you to 'telnet' into the console port of another router.

R1(config)#banner incoming $
Enter TEXT message. End with the character '$'.
This is a banner for Reverse Telnet $

We'll have to configure the AUX port in order to test it:

R1(config)#line aux 0
R1(config-line)#transport input telnet

We will enable telnet on the aux port, now we'll have to check what line our AUX port uses:

R1#show line
*Mar 1 01:48:09.495: %SYS-5-CONFIG_I: Configured from console by console
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY                                           2       1     0/0
    97 AUX   9600/9600                               0       0     0/0
    98 VTY                                           2       0     0/0
    99 VTY                                           0       0     0/0
   100 VTY                                           0       0     0/0
   101 VTY                                           0       0     0/0
   102 VTY                                           0       0     0/0

Now we can reverse telnet to the AUX port like this:

R1#telnet 1.1.1.1 6097
Trying 1.1.1.1, 6097 ... Open
Authorized users only, violaters will be shot on sight!
This is a banner for Reverse Telnet

As you can see it presents us the "incoming banner". I hope this has been helpful to you to understand the banners!

Cisco IOS Syslog Messages

Everything that happens on your router or switch can be logged. We have different levels of importance for logging information. By default you'll see the logging information on your console, like this one:
May 16 2012 15:24:53.893 CET: %SYS-5-CONFIG_I: Configured from console by console

You'll see it when you exit the global configuration mode. You have probably seen this one before:

May 16 2012 15:24:54.080 CET: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
May 16 2012 15:25:19.080 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down

This is an example of an interface that's going down. There are different severity levels for logging information. An interface that goes down is probably more important to know than a message that tells us we exited the global configuration. Here are the severity levels:

0. Emergencies
1. Alerts
2. Critical
3. Errors
4. Warnings
5. Notifications
6. Informational
7. Debugging

By default you'll see all of these messages on the console. If you don't want to see everything you can change this behavior:

Router(config)#logging console errors

For example you can configure the logging console command so it only shows you severity level 3 (errors) and lower. The message about the interface that was going down is a notification in case you were wondering.

Router#show logging history
Syslog History Table:1 maximum table entries,
saving level warnings or higher
 29 messages ignored, 11 dropped, 0 recursion drops
 2 table entries flushed
 SNMP notifications not enabled
   entry number 3 : LINK-3-UPDOWN
    Interface FastEthernet0/0, changed state to up
    timestamp: 1688

We can use the show logging history command to see the logging history of this Cisco router. It doesn't store everything. You can see it says "saving level warnings or higher". This logging information is saved in the RAM of your device. Once you reboot it you will lose this logging history. If required, you can change the size of the buffer:

Router(config)#logging buffered 4096

In the example above we have 4096 bytes we can use for logging information. As soon as the buffer is full old logging information will be discarded.

It's not a good idea to store logging information locally on your device. One reboot and you'll lose valuable information. It's best to use an external server for this:

Router(config)#logging 192.168.1.100

Use the logging command to set the IP address for your logging server. If you want to try this, Kiwi syslog server has a free version of their syslog server. All logging information will be sent towards this server with the exception of debugging (level 7) messages by default. Normally you probably only want to see debug information on your console or telnet/SSH session but you can store it on your logging server too if you want:

Router(config)#logging trap 7

You need to set the logging trap command to 7 so it will also store debug information on your logging server.

That's all I have on syslog for now, if you have any questions feel free to leave a comment.

Introduction to SNMP

Imagine you have a large network that has many switches and routers, a dozen servers and hundreds of workstations…wouldn't it be great if you could monitor all those devices somehow? Using a NMS (Network Management System) it's possible to monitor all devices in your network. Whenever something bad happens (like an interface that goes down) you will receive an e-mail or text message on your phone so you can respond to it immediately. Sounds good?

Back in the 80s some smart folks figured out that we should have something to monitor all IP based network devices. The idea was that most devices like computers, printers and routers share some characteristics. They all have an interface, an IP address, a hostname, buffers and so on. They created a database with variables that could be used to monitor different items of network devices and this resulted in SNMP (Simple Network Management Protocol).

SNMP runs on the application layer and consists of a SNMP manager and a SNMP agent. The SNMP manager is the software that is running on a pc or server that will monitor the network devices, the SNMP agent runs on the network device. The database that I just described is called the MIB (Management Information Base) and an object could be the interface status on the router (up or down) or perhaps the CPU load at a certain moment. An object in the MIB is called an OID (Object Identifier).

The SNMP manager will be able to send periodic polls to the router and it will store this information. This way it's possible to create graphs to show you the CPU load or interface load from the last 24 hours, week, month or whatever you like.

It's also possible to configure your network devices through SNMP. This might be useful to configure a large amount of switches or routers from your network management system so you don't have to telnet/ssh into each device separately to make changes. The packet that we use to poll information is called a SNMP GET message and the packet that is used to write a configuration is a SNMP SET message.

Network Management System

To give you an example of what a NMS looks like, I'll show you some screenshots of Observium. Observium is a free SNMP based network monitoring platform which can monitor Cisco, Linux, Windows and some other devices. It's easy to install so if you never worked with SNMP or monitoring network devices before I can highly recommend giving it a try. You can download it at http://www.observium.org. Here's what it looks like:

Above you see an overview of all the devices that our NMS manages. There are two Linux devices, two Cisco devices and there's a VMWare ESXi server. You can see the uptime of all devices. Let's take a closer look at one of the Cisco devices:

This switch is called "mmcoreswitch01" and it's a Cisco Catalyst 3560E. It gives us a nice overview of the CPU load, the temperature and the interfaces that are up or down. Let's take a closer look at the temperature of this switch:

Here's the temperature of this switch from the last month. When the temperature exceeds a certain value (let's say 50 degrees Celsius) then we can tell our NMS to send us an e-mail. Let's take a look at an interface of this switch:

Here's an overview of the VLAN 10 interface. You can see how much traffic is sent and received on this interface. We can zoom in on one of the graphs if we want:

This gives a nice overview of how much traffic was sent in the last 24 hours of this particular interface. I hope this gives you an idea of what a NMS looks like and why this might be useful. If you want to take a look at Observium yourself you can use the live demo on their website: http://demo.observium.org/

SNMP Messages

All the information that Observium shows us is retrieved by using SNMP GET messages:

The NMS will send SNMP GET messages to request the current state of certain OIDs every few minutes or so. This is great for monitoring the temperature or traffic statistics but the downside of using these SNMP GET messages is that it might take a few minutes for the NMS to discover that an interface is down.

Besides using SNMP GET messages, a SNMP agent can also send SNMP traps. A trap is a notification that is sent immediately as soon as something occurs, for example an interface that goes down:

As soon as something bad happens (like the interface that goes down) the SNMP agent will send a SNMP trap immediately to the NMS. The NMS will respond by sending you an e-mail, text message or a notification on the screen.

These SNMP trap messages sound like a good idea but there's one problem with them…there is no acknowledgment for the SNMP trap, so you never know if the trap made it to the NMS or not. SNMP version 3 deals with this problem with an alternative message which uses an acknowledgment called the inform message.

OID (Object Identifier)

We can use a NMS to monitor one of our network devices but how do we exactly know what to monitor? There are so many things we could check for…a single interface on a router has over 20 things we could check: input/output errors, sent/received packets, interface status, and so on.

Each of these things to check has a different OID (Object Identifier). Since there are so many OIDs, the MIB is organized into a hierarchy that looks like a tree. In this tree you will find a number of branches with OIDs that are based on RFC standards but you will also find some vendor specific variables. Cisco for example, has variables to monitor EIGRP and other Cisco protocols.

Let me give you an example of this tree by showing where the 'hostname' and 'domainname' objects are located.

The tree starts with the "iso" branch and then we drill our way down to org, dod, internet, private, enterprises, cisco, local, lcpu and there we find the hostname and domainname objects. Note that the branches have numbers…instead of typing out the names I can just use the numbers. These objects can be used to discover the hostname and domainname of the router. 1.3.6.1.4.1.9.2.1.3 will be used to get information about the hostname and 1.3.6.1.4.1.9.2.1.4 for the domainname.

The MIB is huge and knowing where to find the right objects can be troublesome, that's why most NMSes have a nice GUI that lets you select the things you want to monitor without having to worry about the object numbers.

If you want to test SNMP you don't have to install a NMS, you can use SNMPGET which is a free tool that you can download here: http://sourceforge.net/projects/net-snmp/

Here's an example of SNMPGET where I use a Linux host to query a router that has been configured for SNMP:

# snmpget -v2c -c MYSTRING 192.168.1.1 1.3.6.1.4.1.9.2.1.3.0
iso.3.6.1.4.1.9.2.1.3.0 = STRING: "Router"

The community string that I used is MYSTRING, the IP address of the router is 192.168.1.1 and the object I'm interested in is 1.3.6.1.4.1.9.2.1.3.0. As a result the router reports its hostname. Here's another example for the domainname:

# snmpget -v2c -c MYSTRING 192.168.1.1 1.3.6.1.4.1.9.2.1.4.0
iso.3.6.1.4.1.9.2.1.4.0 = STRING: "localdomain"

I didn't configure any domainname on this router so the result is "localdomain".

SNMP Versions

SNMP has three versions:

Version 1
Version 2c
Version 3

Version 1 is so old that it's very unlikely that you will encounter it on a production network. Version 1 and 2 both use community-strings as a password to authenticate access to the SNMP agent. These community-strings are sent in cleartext which makes SNMP version 1 and 2 very insecure.

SNMP version 3 is a better choice nowadays because it supports username based authentication instead of a community-string and also supports encryption. There are 3 different security modes:

noAuthNoPriv: username authentication but no encryption.
authNoPriv: MD5 or SHA authentication but no encryption.
authPriv: MD5 or SHA authentication and encryption.

Even if you decide to use SNMP version 3 without authentication or encryption, you can still track activity down to a username.

Conclusion

In this lesson you have learned how SNMP allows us to monitor our network devices. The only thing left is to configure this on your network devices which I have covered in other lessons:

How to configure SNMPv2 on Cisco IOS router.
How to configure SNMPv3 on Cisco IOS router.

I hope you enjoyed this lesson, if you have any questions feel free to leave a comment.

How to configure SNMPv2 on Cisco IOS Router

Besides syslog there is another method to store logging information to an external server.
SNMP (Simple Network Management Protocol) can be used to collect statistics from network devices including Cisco routers and switches. SNMP consists of 2 items:

- NMS (Network Management System)
- SNMP Agents

The NMS is the external server where you want to store logging information. The SNMP agents run on the network devices that we want to monitor. The NMS can query a SNMP agent to collect information from the network device. SNMP isn't just for retrieving information, we can also use it to configure our network devices.

SNMP has multiple versions, the most popular ones being:

- SNMP version 2c
- SNMP version 3

SNMP version 3 offers security through authentication and encryption which SNMP version 2c does not. SNMP version 2c however is still pretty common. Let me show you a simple example for SNMP version 2c:

Router(config)#snmp-server community TSHOOT ro

First we'll have to configure a community string. Think of this as a password that the SNMP agent and NMS have to agree upon. I called mine "TSHOOT". The ro stands for read-only. Let's continue…

Router(config)#snmp-server location Amsterdam
Router(config)#snmp-server contact [email protected]

These two steps are not required but it's useful to specify a location and contact. This way you'll at least know where the device is located whenever you receive information through SNMP.

The messages that the SNMP agent sends to the NMS are called SNMP traps. Of course we want to send these to an external server so I'll configure the IP address of the SNMP server:

Router(config)#snmp-server host 192.… version 2c TSHOOT

I also have to specify the SNMP version and the community string. Last but not least, let's activate the traps:

Router(config)#snmp-server enable traps

If I use the snmp-server enable traps command it will enable all SNMP traps:

Router#show run | include traps
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps casa
snmp-server enable traps xgcp
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2

This is only a portion of everything that you'll see in the running-configuration. One of the SNMP traps in the example above is related to EIGRP. If anything happens with the EIGRP routing protocol a SNMP trap will be sent towards the SNMP server. This is a great way to test SNMP but on a production network it's better to take a look at the different traps and only enable the ones you feel are necessary.

If you want to test this with a SNMP server then I can highly recommend to take a look at Observium. They offer a free "community" edition of their network monitoring software that supports many network devices out of the box (Cisco included).

How to configure SNMPv3 on Cisco IOS Router

SNMPv3 is similar to SNMPv1 or SNMPv2 but has a completely different security model. SNMPv1 and SNMPv2 use a community-string that is used as the password and there's no authentication or encryption. The community-string for SNMPv1 and SNMPv2 is sent in clear-text. SNMPv3 is able to use both authentication and encryption and has a new security model that works with users, groups and 3 different security levels. Users will be applied to a group and access policies will be applied to a group so that you can determine what groups have read or read-write access and which MIBs (Management Information Bases) they should be able to access.

Security Levels

SNMP offers 3 different security levels:

- noAuthNoPriv
- AuthNoPriv
- AuthPriv

Auth stands for Authentication and Priv for Privacy (encryption).

- noAuthNoPriv = no authentication and no encryption.
- AuthNoPriv = authentication but no encryption.
- AuthPriv = authentication AND encryption.

SNMPv1 and SNMPv2 only support noAuthNoPriv since they don't offer any authentication or encryption. SNMPv3 supports any of the three security levels. When you decide to use noAuthNoPriv for SNMPv3 then the username will replace the community-string. SNMPv3 is far more secure because it doesn't send the user passwords in clear-text but uses MD5 or SHA1 hash-based authentication, encryption is done using DES, 3DES or AES. Let's take a look at a simple SNMPv3 configuration example on a Cisco IOS router.

Configuration Example

First we'll create a new group and select a security model:

R1(config)#snmp-server group MYGROUP ?
  v1   group using the v1 security model
  v2c  group using the v2c security model
  v3   group using the User Security Model (SNMPv3)

We'll call our group "MYGROUP" and of course we will select SNMPv3 as the security model. Next step is to select the security level:

R1(config)#snmp-server group MYGROUP v3 ?
  auth    group using the authNoPriv Security Level
  noauth  group using the noAuthNoPriv Security Level
  priv    group using SNMPv3 authPriv security level

By using the priv parameter we will select the AuthPriv security level. There are a number of options for security levels:

R1(config)#snmp-server group MYGROUP v3 priv ?
  access   specify an access-list associated with this group
  context  specify a context to associate these views for the group
  match    context name match criteria
  notify   specify a notify view for the group
  read     specify a read view for the group
  write    specify a write view for the group
  <cr>

The first item is the access-list, you can use this to select what IP addresses or subnets should be permitted for users. Optionally you can select certain views:

- If you don't specify a read view then all MIB objects are accessible. Use this if you want to limit the number of MIBs that your NMS (Network Management Software) can monitor.
- Without a write view then nothing is writable, you will have read-only access.
- The notify view is used to send notifications to members of the group. If you don't specify any then it will be disabled by default.

To keep this example simple we won't use any views for now, this means that we'll have full read access to all MIBs:

R1(config)#snmp-server group MYGROUP v3 priv

The next step is to create a user account:

R1(config)#snmp-server user MYUSER MYGROUP v3 auth md5 MYPASS123 priv aes 128 MYKEY123
Configuring snmpv3 USM user, persisting snmpEngineBoots. Please Wait...

We'll create a new user called "MYUSER" and assign it to the "MYGROUP" group. We use SNMPv3 as the security model and use MD5 for authentication. This user will use "MYPASS123" as the password. Encryption is done using AES 128-bit and the encryption key is "MYKEY123". This router is now SNMPv3 enabled and we can monitor it using SNMPv3 from a NMS.

Verification

User accounts are not stored in the configuration, take a look below:

R1#show running-config | incl snmp
snmp-server group MYGROUP v3 priv

Above you only see the group configuration, user accounts can be found with another command:

R1#show snmp user
User name: MYUSER
Engine ID: 800000090300C200128F0000
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: MYGROUP

Here you can see the username, security options and to which group the user belongs. We can also check the group configuration:

R1#show snmp group
groupname: ILMI                    security model:v1
readview : *ilmi                   writeview: *ilmi
notifyview: <no notifyview specified>
row status: active

groupname: ILMI                    security model:v2c
readview : *ilmi                   writeview: *ilmi
notifyview: <no notifyview specified>
row status: active

groupname: MYGROUP                 security model:v3 priv
readview : v1default               writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

Above you can see that we have our group called "MYGROUP" and that we use the default read view.

Let's try if we can get access. If you are a Linux user you can use the excellent snmpwalk command-line utility that tests if your router can be accessed using SNMP. It works for SNMPv1, v2 and v3:

rene@linux ~ $ snmpwalk -v3 -u MYUSER -l AuthPriv -a md5 -A MYPASS123 -x aes -X MYKEY123 192.…
iso.… = STRING: "Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sun 09-Sep-12 04:01 by prod_rel_team"
iso.… = OID: iso.…
iso.… = Timeticks: (27513) 0:04:35.13
iso.… = ""
iso.… = STRING: "R1.rmcs.local"
iso.… = ""
iso.… = INTEGER: 78
iso.… = Timeticks: (0) 0:00:00.00
[output omitted]

As you can see snmpwalk is able to extract information from my router.

We'll add the router to a NMS now. I'm using Observium which is an excellent free and open source NMS. If your environment has a lot of Cisco or Linux devices then I can highly recommend to give it a try:

We'll have to specify our security level, username, password, authentication algorithm, encryption key and protocol. Once the router has been added Observium will be able to extract information from it using SNMP:
Above you can see that Observium is now monitoring our router using SNMPv3. This should give you an idea of how SNMPv3 works and how to configure it on your Cisco devices. If you have any questions just leave a comment.

RMON Absolute VS Delta

RMON can be used to monitor certain SNMP MIBs and generate an event for a certain threshold. One of the things you have to do when configuring RMON is choosing between absolute or delta sampling. In short, this is the difference between the two:

- Delta: values that always constantly increase OR constantly decrease.
- Absolute: values that can increase or decrease.

Delta should be used for values that will always increase or decrease (one of the two), for example interface counters like the number of input errors, CRC errors, output packets, interface resets etc. These are values that will always increase unless you reset the interface counters. I can't think of any counters on a Cisco router or switch that always decrease.

Absolute should be used for values that increase or decrease over a certain amount of time, a good example is CPU usage. You probably want to receive a notification each time when your CPU load hits a certain threshold (like 85%) and receive a notification when it goes below another threshold (10% or so), this is absolute sampling. Another example of absolute sampling could be the input or output rate of an interface as this can increase or decrease over the span of time. At one moment it might be 10.000 bits/sec, 10 minutes later it could be 5.000 bits/sec and 45 minutes later it might be 20.000 bits/sec.

I hope this helps to understand the difference between the two. If you need some more examples just leave a comment.
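The difference between the two sampling types, as an added Python example that is not part of the original lesson: a small model of one RMON alarm with a rising and a falling threshold, run over the same counter in delta and in absolute mode. The sample values, class and function names are constructed for the example; the re-arm rule (a rising event is not repeated until the falling threshold has been reached, and the reverse) and the 32-bit counter wrap go slightly beyond the text and follow the RMON alarm group in RFC 2819.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

COUNTER32_MOD = 2 ** 32  # interface packet counters are 32-bit and wrap to 0


@dataclass
class RmonAlarm:
    """Threshold logic of a single RMON alarm entry."""
    sample_type: str                      # "delta" or "absolute"
    rising: int
    falling: int
    last_raw: Optional[int] = None        # previous polled value (delta only)
    last_event: Optional[str] = None      # None at startup: either alarm may fire
    fired: List[Tuple[int, str, int]] = field(default_factory=list)

    def sample(self, tick: int, raw: int) -> Optional[str]:
        """Feed one polled value; return the event fired at this tick, if any."""
        if self.sample_type == "delta":
            previous, self.last_raw = self.last_raw, raw
            if previous is None:
                return None               # a delta needs two polls
            # Modular subtraction keeps the delta correct across a counter wrap.
            value = (raw - previous) % COUNTER32_MOD
        elif self.sample_type == "absolute":
            value = raw
        else:
            raise ValueError("sample_type must be 'delta' or 'absolute'")

        event = None
        if value >= self.rising and self.last_event != "rising":
            event = "rising"
        elif value <= self.falling and self.last_event != "falling":
            event = "falling"
        if event:
            self.last_event = event
            self.fired.append((tick, event, value))
        return event


def run(alarm: RmonAlarm, samples: List[int], interval: int = 10):
    """Poll `samples` every `interval` seconds; return (time, event) pairs."""
    for i, raw in enumerate(samples):
        alarm.sample(i * interval, raw)
    return [(tick, event) for tick, event, _ in alarm.fired]


# Constructed polls of an input packet counter: idle, a burst, idle, a burst.
COUNTER_SAMPLES = [1000, 1004, 1007, 1900, 3100, 3105, 3105, 4000]
# Constructed CPU load percentages, using the 85% / 10% thresholds from the text.
CPU_SAMPLES = [20, 90, 95, 60, 88, 8, 40, 86]

if __name__ == "__main__":
    # Delta sampling sees each burst start and stop.
    print("counter, delta:   ", run(RmonAlarm("delta", 200, 10), COUNTER_SAMPLES))
    # Absolute sampling on a counter fires once and can never fall again.
    print("counter, absolute:", run(RmonAlarm("absolute", 200, 10), COUNTER_SAMPLES))
    # Absolute sampling fits a value that moves both ways; 88% does not re-fire.
    print("cpu, absolute:    ", run(RmonAlarm("absolute", 85, 10), CPU_SAMPLES))
```

On the counter, absolute sampling produces a single rising event and then stays silent, which is why counters need delta sampling.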
RMON Configuration Example

In this article we'll take a look at a simple RMON configuration where we want to receive a SNMP trap when we receive more than 200 unicast packets and also when we receive less than 10 unicast packets. When this occurs we will send a SNMP trap to a SNMP server. I will be using the following topology for this:

Just two routers… I will configure R1 to use RMON and we'll use R2 to generate traffic so that we can test things.

Configuration

First I'll configure a SNMP server that should receive the SNMP trap, there is none in this example but it doesn't matter:

R1(config)#snmp-server host 192.168.12.254 MYTRAPS

I'll use a community called "MYTRAPS". We can use the "ifInUcastPkts" MIB to track the number of unicast packets but we need to check the interface number:

R1#show snmp mib ifmib ifindex
FastEthernet0/0: Ifindex = 1
Null0: Ifindex = 4
VoIP-Null0: Ifindex = 3
FastEthernet0/1: Ifindex = 2

I want to monitor the FastEthernet0/0 interface as it's connected to R2. Now we can create an alarm:

R1(config)#rmon alarm 1 ifInUcastPkts.1 10 delta rising-threshold 200 1 falling-threshold 10 2

The command above requires some explanation:

- First we create an alarm called "alarm 1".
- Secondly I'm referring to MIB object ifInUcastPkts.1 where the .1 is the FastEthernet0/0 interface.
- The "10" means that the sampling interval is 10 seconds.
- Delta means we use "delta" sampling instead of "absolute" sampling. If you don't know the difference take a look at my delta vs absolute article.
- The rising-threshold is set to 200 packets and when this occurs, it will launch "event 1".
- The falling-threshold is set to 10 packets and when this occurs, it will launch "event 2".

With the alarm in place we can configure the events that should occur when the thresholds are met:

R1(config)#rmon event 1 trap MYTRAP description "Above 200"
R1(config)#rmon event 2 trap MYTRAP description "Below 10"

The first event will generate a SNMP trap with description "Above 200" and the second event will generate a SNMP trap that says "Below 10".

Verification

Let's see if our configuration is working. I'll send some quick pings from R2 towards R1.

R2#ping 192.168.12.1 repeat 10000 timeout 0
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 192.168.12.1, timeout is 0 seconds:
......................................................................

This is what you will see on R1:

R1#
%RMON-5-RISINGTRAP: Rising trap is generated because the value of ifInUcastPkts.1 exceeded the rising-threshold value 200

As you can see it's sending a trap because it's receiving more than 200 packets. Once the pings stop and we don't receive any more traffic you will see another message on R1:

R1#
%RMON-5-FALLINGTRAP: Falling trap is generated because the value of ifInUcastPkts.1 has fallen below the falling-threshold value 10

Show commands

There's also a number of show commands you can use to check your configuration:

R1#show snmp host
Notification host: 192.168.12.254 udp-port: 162 type: trap
user: MYTRAPS security model: v1

Use show snmp host to check your SNMP configuration, this reveals the IP address, community-string and SNMP version.

R1#show rmon alarms
Alarm 1 is active, owned by config
 Monitors ifInUcastPkts.1 every 10 second(s)
 Taking delta samples, last value was 0
 Rising threshold is 200, assigned to event 1
 Falling threshold is 10, assigned to event 2
 On startup enable rising or falling alarm

Above you can see the RMON alarm that we configured.

R1#show rmon events
Event 1 is active, owned by config
 Description is Above 200
 Event firing causes trap to community MYTRAP,
 last event fired at 0y0w0d,00:33:40,
 Current uptime 0y0w0d,00:44:19
Event 2 is active, owned by config
 Description is Below 10
 Event firing causes trap to community MYTRAP,
 last event fired at 0y0w0d,00:33:50,
 Current uptime 0y0w0d,00:44:19

And an overview with the events that we are using. I hope this simple example helps you to understand RMON, if you have any questions feel free to ask.

RMON Statistics Collection on Cisco Catalyst Switch

Most network engineers who are familiar with RMON know to use the "alarms" and "events" to monitor things like the CPU load hitting a certain threshold or looking for the number of incoming packets on an interface. Cisco Catalyst switches support some RMON features that allow you to collect more information about packets that arrive on your interfaces. If you want to enable this then you have two options:

- Native Mode (Analyze packets that are destined for your interface).
- Promiscuous Mode (Analyze all packets that you encounter on the segment).

You can enable this for switchports (layer 2) or routed ports (layer 3) but it's impossible to enable it on SVI (switch virtual interface) interfaces. Here's an example how you can enable it on your Catalyst switch:

Switch(config)#interface fastEthernet 0/1
Switch(config-if)#rmon ?
  collection   Configure Remote Monitoring Collection on an interface
  native       Monitor the interface in native mode
  promiscuous  Monitor the interface in promiscuous mode

First you need to decide whether you want to use the native or promiscuous mode. I'll select promiscuous:

Switch(config-if)#rmon promiscuous

Second step is to configure how often and how much statistics we want to collect:

Switch(config-if)#rmon collection history 1 ?
  buckets   Requested buckets of intervals. Default is 50 buckets
  interval  Interval to sample data for each bucket. Default is 1800 seconds
  owner     Set the owner of this RMON collection
  <cr>

The "1" is the RMON collection control index, you can pick any value you like. By default RMON will sample data each 1800 seconds, this is a little too long for my example so I'll reduce it to 5 seconds:

Switch(config-if)#rmon collection history 1 interval 5

Now let's see if my switch has collected anything:

Switch#show rmon statistics
Collection 10006 on FastEthernet0/1 is active, and owned by config,
 Monitors ifIndex.10006 which has
 Received 34577 octets, 441 packets,
 39 broadcast and 395 multicast packets,
 0 undersized and 0 oversized packets,
 0 fragments and 0 jabbers,
 0 CRC alignment errors and 0 collisions.
 # of dropped packet events (due to lack of resources): 0
 # of packets received of length (in octets):
  64: 65, 65-127: 368, 128-255: 5,
  256-511: 1, 512-1023: 2, 1024-1518:0

Above you see that it has captured 441 packets and it also shows the different packet sizes. You can also take a look at the samples that RMON has taken so far:

Switch#show rmon history
Entry 1 is active, and owned by config
 Monitors ifIndex.10001 every 5 second(s)
 Requested # of time intervals, ie buckets, is 50,
 Sample # 1 began measuring at 04:03:20
  Received 5002 octets, 58 packets,
  4 broadcast and 54 multicast packets,
  0 undersized and 0 oversized packets,
  0 fragments and 0 jabbers,
  0 CRC alignment errors and 0 collisions.
  # of dropped packet events is 0
  Network utilization is estimated at 0
 Sample # 2 began measuring at 04:03:25
  Received 4732 octets, 64 packets,
  3 broadcast and 59 multicast packets,
  0 undersized and 0 oversized packets,
  0 fragments and 0 jabbers,
  0 CRC alignment errors and 0 collisions.
  # of dropped packet events is 0
  Network utilization is estimated at 0

Above you can see the samples that are taken each 5 seconds. You can see that it's working since sample 1 has captured 58 packets and sample 2 captured 64 packets 5 seconds later.

That's all I wanted to show you, hopefully this tutorial has been helpful to you! If you have any questions, feel free to leave a comment.

Introduction to Cisco NetFlow
Network management protocols like SNMP allow us to monitor our network. We can check things like cpu load, memory usage, interface status and even the load of an interface. Other tools like NBAR allow us to see what kind of protocols are used. One of the things we can't do with those tools is tracking all flows in our network.

NetFlow allows us to track these flows on our network. A flow is a stream of packets that share the same characteristics like source/destination port, source/destination address, protocol, type, service marking, etc. You can configure your router to keep track of all flows and then export them to a central server where we analyze our traffic. For each of the flows, NetFlow will track the number of packets sent, bytes sent, packet sizes and more. We can use this information to solve problems like bottlenecks, identify what applications are used, how much bandwidth they use etc.

In this lesson I will show you how to configure NetFlow on a Cisco IOS router and we will take a look at a NetFlow server.

Configuration

This is the topology we will use:

On the left side we have a host that will be browsing the Internet through R1. At the bottom there's an ntop server. This is open source traffic analysis software that supports NetFlow so if you want to give this a try, it's worth checking out. Configuring ntop is outside the scope of this lesson so I'll focus on how to configure the router. First we have to specify the server:

R1(config)#ip flow-export destination 192.168.1.1 2055

The router will export all flows to 192.168.1.1 with destination UDP port 2055. NetFlow supports multiple versions so if you want to use a specific version, here's how to do it:

R1(config)#ip flow-export version 9

I will configure the router to use version 9. Optionally, we can configure what interface the router should use to source the updates from:

R1(config)#ip flow-export source FastEthernet 0/0

The last thing we have to do is tell the router on what interfaces to track the flows:

R1(config)#interface FastEthernet 0/1
R1(config-if)#ip route-cache flow

I will use the ip route-cache flow command for this. When you use this command, it will track all flows on the physical and all sub-interfaces. You can also use the ip flow egress or ip flow ingress commands if you only want to enable it on one sub-interface or in one direction. Everything is now in place, let's verify our work.

Verification

Cisco IOS Router

On our router we can check a couple of things to see if NetFlow is working. Here's the first command:

R1#show ip flow export
Flow export v9 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Source(1)       192.168.1.254 (FastEthernet0/0)
    Destination(1)  192.168.1.1 (2055)
  Version 9 flow records
  433 flows exported in 28 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

Above you can see the version of NetFlow, the source, destination and how many flows have been exported. With the next command you can see some information about the flows:

R1#show ip cache flow
IP packet size distribution (98406 total packets):
[packet size distribution omitted]
IP Flow Switching Cache, 278544 bytes
  37 active, 4059 inactive, 680 added
  10154 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
  37 active, 987 inactive, 680 added, 680 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
[per-protocol statistics (TCP-WWW, TCP-other, UDP-other) and the table of active flows (SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts) omitted]

Above you can see some of the flows. The output above is useful to check if NetFlow is working on the router but it's far more interesting to look at the flows on the external server.

Ntop Server

To show you what makes NetFlow so useful, let me show you some screenshots of Ntop. Here you can see the top talkers of all flows:

Ntop can also show you the network load:

You can also see the throughput for each application:

You can also see the different packet sizes that are used in your flows:

Conclusion

NetFlow is a great protocol to get an insight in your network traffic. It's the equivalent of a "phone bill" that specifies all calls that were made, where these calls took place, the duration, etc. Only this time, we are tracking all IP packets on the network.

I hope this lesson has been useful, if you have any questions feel free to leave a comment!

AAA Local Command Authorization

Cisco IOS allows authorization of commands without using an external TACACS+ server. Cisco routers and switches work with privilege levels, by default there are 16 privilege levels and even without thinking about it you are probably already familiar with 3 of them:

- Level 0: Only a few commands are available, the most used command is probably 'enable'.
- Level 1: This is the default exec user level. You can use some of the show commands but you won't be able to configure anything.
- Level 15: The highest privilege level, also known as "enable mode" or "privileged mode".

Higher privilege levels will support all the commands of the lower privilege levels. For example, privilege level 8 will include all the commands of level 0 – 7. Privilege level 15 will have all the commands of level 0 – 14 and so on.

Creating different privilege levels is a good idea if you work with different user groups. You probably only want your senior network engineers to have privilege level 15 and your junior network engineers a lower privilege level so they don't have access to all commands.

If you want to assign commands to a certain privilege level, you have a couple of options:

- You can assign some privilege level 15 commands to level 1 so that all users that are allowed to log in to the router can use them.
- You can move some commands from level 1 to a higher level so that you can disallow some commands for level 1 users.
- You can create a new privilege level and assign some level 15 commands to it.

When you are going to assign commands to different privilege levels you need to understand that IOS has two modes:

- Exec Mode
- Configuration Mode

Exec mode will look like this:

Router#

And configuration mode looks like this:

Router(config)#

Each "mode" also has different "sub-modes" like the interface configuration:

Router(config-if)#

Commands also have a certain structure that you need to understand. Basically commands look like this:

command sub-command [arguments] [arguments-values] [options]

To give you an example, think about configuring an IP address:

Rack1SW1(config-if)#ip address 192.168.1.1 255.255.255.0

We can break it down like this:

- ip = command.
- address = sub-command.
- 192.168.1.1 255.255.255.0 = arguments.
- secondary = options (not shown in my example)

When I assign a command to a privilege level, I can select the entire "ip" command or only the "ip address" sub-command. If I give someone the entire "ip" command they can also configure things like "ip unreachables" or "ip arp" and so on. Let's take a look at a couple of examples of moving commands and creating new privilege levels shall we?

Configuration

First we'll check what our privilege level is, you can do it like this:

Router>show privilege
Current privilege level is 1

Use the show privilege command to check your privilege level. By default once you are logged in you will be in level 1. Let's go to enable mode now:

Router>enable
Router#show privilege
Current privilege level is 15

And as you can see enable has privilege level 15. We'll start with a simple example. I'm going to give privilege level 1 users the power to use the show running-configuration command. This is how we do it:

Router(config)#privilege exec level 1 show running-config

All level 1 users now are able to use the show running-config command. Not a very wise idea but it'll work:

Router>show running-config
Building configuration...
Current configuration : 53 bytes
!
boot-start-marker
boot-end-marker
!

We can also take commands away from the level 1 users. Let's say I don't want them to use "show ip arp". We'll do it like this:

Router(config)#privilege exec level 15 show ip arp

Level 1 users will discover that they can't use show ip arp anymore:

Router>show ip arp
        ^
% Invalid input detected at '^' marker.

Now you have seen how to add or remove commands to a certain privilege level. How about we create a user with a new privilege level that has access only to a couple commands? We'll create a new user account that is allowed to do these things:

- Shutdown or no shutdown an interface.
- Use the debug ip routing command.
- Disable all debugging
- Use the show running-configuration command.

I will create a new username for this with a new privilege level, here's how to do it:

Router(config)#username JUNIOR privilege 8 password CISCO

First we'll create a new user account called JUNIOR. I'll assign this user privilege level 8. Now we'll add some commands to it:

Router(config)#privilege exec level 8 configure terminal
Router(config)#privilege exec level 8 debug ip routing
Router(config)#privilege exec level 8 undebug all
Router(config)#privilege exec level 8 show running-config

The commands above are for exec mode. I still have to add some commands for the configuration mode:

Router(config)#privilege configure level 8 interface
Router(config)#privilege interface level 8 shutdown
Router(config)#privilege interface level 8 no shutdown

The commands above will allow the user to go into the interface configuration and use the shutdown and no shutdown command. Let's test our new user account:

Router(config)#line con 0
Router(config-line)#login local

Don't forget to enable local authentication or we won't get a username/password prompt.

Router con0 is now available
Press RETURN to get started.
User Access Verification
Username: JUNIOR
Password:

After entering the credentials we can check the privilege level:

Router#show privilege
Current privilege level is 8

The level is looking good. Let's try some debug commands:

Router#debug ?
  all  Enable all debugging
  ip   IP information
Router#debug ip ?
  routing  Routing table events

The only debug we can use is debug ip routing. What about the configuration commands?

Router#configure terminal
Router(config)#interface fastEthernet 0/1
Router(config-if)#?
Interface configuration commands:
  default   Set a command to its defaults
  exit      Exit from interface configuration mode
  help      Description of the interactive help system
  no        Negate a command or set its defaults
  shutdown  Shutdown the selected interface

These are the only commands available. Let's shut the interface:

Router(config)#interface fastEthernet 0/1
Router(config-if)#shutdown

If this user tries the show running-configuration command it won't see the entire configuration but only the commands that the privilege level is allowed to use:

Router#show running-config
Building configuration...
Current configuration : 930 bytes
!
boot-start-marker
boot-end-marker
!
!
interface Loopback0
!
interface FastEthernet0/1
 shutdown

There's more in the configuration but this user is only allowed to see the shutdown command.

That's all I wanted to show for now. I hope this is helpful to you! If you have any questions just leave a comment.
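A configuration check for the SNMP and privilege-level settings covered in the SNMPv2, SNMPv3 and AAA lessons above, as an added Python example that is not part of the original lessons. The sample configuration is constructed from the lessons' commands; the LEGACY group, the 192.0.2.10 trap receiver, the finding codes and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt built from the commands in the lessons.
# The LEGACY group and the 192.0.2.10 trap receiver are made up for the example.
# SNMPv3 users cannot be checked here: they are not stored in the configuration.
SAMPLE_CONFIG = """\
snmp-server community TSHOOT ro
snmp-server host 192.0.2.10 version 2c TSHOOT
snmp-server enable traps
snmp-server group MYGROUP v3 priv
snmp-server group LEGACY v3 auth
username JUNIOR privilege 8 password CISCO
privilege exec level 1 show running-config
privilege exec level 15 show ip arp
privilege exec level 8 configure terminal
privilege exec level 8 debug ip routing
privilege exec level 8 undebug all
privilege configure level 8 interface
privilege interface level 8 shutdown
"""

PRIVILEGE_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")


def check_line(line):
    """Return (code, reason) findings for one configuration line."""
    tokens = line.split()
    found = []
    if tokens[:2] == ["snmp-server", "community"] and len(tokens) >= 3:
        found.append(("SNMP-COMMUNITY", "v1/v2c community string is sent in cleartext"))
    elif tokens[:2] == ["snmp-server", "host"]:
        # Without a version keyword the trap receiver uses the v1 security model.
        has_version = "version" in tokens[:-1]
        version = tokens[tokens.index("version") + 1] if has_version else "1"
        if version in ("1", "2c"):
            found.append(("SNMP-TRAP-COMMUNITY", "traps carry a cleartext community string"))
    elif tokens == ["snmp-server", "enable", "traps"]:
        found.append(("SNMP-ALL-TRAPS", "enables every trap; select only the needed ones"))
    elif tokens[:2] == ["snmp-server", "group"] and tokens[3:4] == ["v3"]:
        if tokens[4:5] != ["priv"]:
            found.append(("SNMPV3-NO-PRIV", "group does not use authPriv, data is not encrypted"))
        if "access" not in tokens[5:]:
            found.append(("SNMPV3-NO-ACL", "no access-list limits the permitted source addresses"))
    match = PRIVILEGE_RE.match(line)
    if match:
        mode, level, command = match.group(1), int(match.group(2)), match.group(3)
        if mode == "exec" and level <= 1 and command.startswith("show running-config"):
            found.append(("PRIV-CONFIG-READ", "every logged-in user can read the configuration"))
    return found


def audit(config):
    """Return (line number, finding code) for every finding in the configuration."""
    findings = []
    for number, raw in enumerate(config.splitlines(), 1):
        findings.extend((number, code) for code, _ in check_line(raw.strip()))
    return findings


def commands_for_level(config, level):
    """Reassigned commands a user of `level` may run, per mode.

    A level includes everything assigned to the levels below it. Only explicit
    'privilege' lines are modelled, not the built-in IOS defaults.
    """
    allowed = defaultdict(list)
    for raw in config.splitlines():
        match = PRIVILEGE_RE.match(raw.strip())
        if match and int(match.group(2)) <= level:
            allowed[match.group(1)].append(match.group(3))
    return {mode: sorted(commands) for mode, commands in allowed.items()}


if __name__ == "__main__":
    for number, code in audit(SAMPLE_CONFIG):
        print(f"line {number}: {code}")
    print(commands_for_level(SAMPLE_CONFIG, 8))
```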