Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

CCNA4v5 Chapter 8 - Monitoring the Netwok

Chapter eight of Cisco CCNA curriculum covering three protocols used to monitor the network which are Syslog, SNMP, and NetFlow.
This is a custom presentation created manually which is different from the regular presentations provided by Cisco.
One of the most basic networking courses is provided by Cisco Systems via the Cisco Networking Academy.
The academy provides a comprehensive program allowing students to get started in information technology and have multiple certifications.
Cisco created academies in 9,000 learning institutions spread across more than 170 countries that offer the Cisco Networking Academy curriculum.
The Associate level of Cisco Certifications can begin directly with CCNA for network installation, operations and troubleshooting or CCDA for network design. Think of the Associate Level as the foundation level of networking certification.
The Associate level of Cisco Certifications can begin directly with CCNA for network installation, operations and troubleshooting or CCDA for network design. Think of the Associate Level as the foundation level of networking certification.

Find me on:


Google Plus





Google Scholar







  • Be the first to comment

CCNA4v5 Chapter 8 - Monitoring the Netwok

  1. 1. CCNA 4 - CHAPTER 8 MONITORING THE NETWORK Ahmed Fawzy Gad MENOUFIA UNIVERSITY FACULTY OF COMPUTERS AND INFORMATION INFORMATION TECHNOLOGY DEPARTMENT DIGITAL NETWORKS ‫المنوفية‬ ‫جامعة‬ ‫والمعلومات‬ ‫الحاسبات‬ ‫كلية‬ ‫المعلومات‬ ‫تكنولوجيا‬ ‫قسم‬ ‫الرقمية‬ ‫الشبكات‬ ‫المنوفية‬ ‫جامعة‬
  2. 2. INTRODUCTION Monitoring an operational network can provide a network administrator with information to manage the network and collect network usage statistics. Monitoring is not meant to modify any node in the network. Network monitoring just reports information to the administrator and then the administrator itself can decide what to do. Error Rates Link Status Monitoring Protocols Syslog SNMP NetFlow NTP Network Time Protocol
  4. 4. MONITORING PROTOCOLS SYSLOG VS. SNMP VS. NETFLOW Cisco Device Interface Up/Down IP Change Protocol Activated Monitoring Options
  5. 5. MONITORING PROTOCOLS SYSLOG VS. SNMP VS. NETFLOW Cisco Device Interface Up/Down IP Address Confliction Protocol Activated Console
  6. 6. MONITORING PROTOCOLS SYSLOG VS. SNMP VS. NETFLOW Node Node Node Node Node NodeSNMP Server CPU Usage Interface Status Objects Set Get Messages
  7. 7. MONITORING PROTOCOLS SYSLOG VS. SNMP VS. NETFLOW SNMP Device CPU - Memory IP Protocols Interfaces Modifications NetFLow Use NetFlow to focus only on just IP traffic.
  8. 8. SYSLOG
  9. 9. SYSLOG Systlog is a standard protocol that uses UDP port 514. Syslog uses client-server architecture. Client sends system log messages to the Syslog server. Syslog server is the message collector that receives messages from different devices. Many networking devices support the syslog protocol like routers, switches, firewalls, and others. Syslog allows networking devices to send their system messages across an IP network.
  10. 10. SYSLOG PRIMARY FUNCTIONS The ability to gather logging information for monitoring and troubleshooting. The ability to select the type of logging information that is captured. The ability to specify the destinations of captured syslog messages.
  11. 11. Popular destinations for syslog messages include: 1. Logging buffer (RAM inside a router or switch) 2. Console line 3. Terminal line 4. Syslog server SYSLOG PRIMARY FUNCTIONS The ability to specify the destinations of captured syslog messages.
  12. 12. SYSLOG MESSAGE FORMAT Every syslog message contains a severity level and a facility. The smaller the numerical value of the severity level, the more critical syslog alarms. The severity level of the messages can be set to control where each type of message is displayed. Severity Name/Facility = Category. MNEMONIC => More Information. Facility Severity Mnemonic Description
  13. 13. SYSLOG MESSAGE FORMAT Facility Severity Mnemonic Description
  14. 14. SYSLOG CONFIGURATION DEFAULT LOGGING By default, Cisco routers and switches send log messages for all severity levels to the console. On some IOS versions, the device also buffers log messages by default. Use show logging user-privileged executive mode command to show destination of the log messages. level debugging means that level 7 and all lower levels are activated. R1(global)#logging console : Enable console logging. R1(global)#logging buffered : Enable buffer logging.
  16. 16. SYSLOG CONFIGURATION CLIENT CONFIGURATION Step 1. Configure the destination hostname or IP address of the syslog server in global configuration mode: R1(config)#logging Step 2. Control the messages that will be sent to the syslog server with the logging trap level global configuration mode command. For example, to limit the messages to levels 4 and lower (0 to 4), use one of the two equivalent commands: R1(config)#logging trap 4 R1(config)#logging trap warning Step 3. Optionally, configure the source interface with the logging source-interface interface-type interface number global configuration mode command. R1(config)#logging source-interface g0/0
  17. 17. SYSLOG SERVER LOG INSPECTION Change the status of another interface other than one used to connect the server or create a loopback interface then change its state to create logging messages. These messages will be received by the server.
  18. 18. SNMP
  19. 19. SNMP SNMP uses UDP, port number 162, to retrieve and send management information. SNMP was developed to allow administrators to manage nodes, such as servers, workstations, routers, switches, and security appliances, on an IP network. SNMP is an application layer protocol that provides a message format for communication between managers and agents. The SNMP system consists of three elements: 1. SNMP manager 2. SNMP agents (managed node) 3. Management Information Base (MIB)
  20. 20. SNMP SYSTEM ELEMENTS The SNMP manager is part of a network management system (NMS). The SNMP manager is part of a network management system (NMS). The SNMP manager runs SNMP management software. The SNMP manager can collect information from an SNMP agent using the “get” action and can change configurations on an agent using the “set” action. Network devices that must be managed, such as switches, routers, servers, firewalls, and workstations, are equipped with an SMNP agent software module SNMP agents can forward information directly to an NMS using “traps”.
  21. 21. SNMP SYSTEM ELEMENTS MIBs store data about the device operation and are meant to be available to authenticated remote users. The SNMP agent is responsible for providing access to the local MIB of objects that reflects resources and activity. The SNMP manager then uses the SNMP agent to access information within the MIB.
  22. 22. SNMP SERVER REQUESTS There are two primary SNMP manager requests 1. Get: A get request is used by the NMS to query the device for data. 2. Set: A set request is used by the NMS to change configuration variables in the agent device. A set request can also initiate actions within a device. For example, a set can cause a router to reboot, send a configuration file, or receive a configuration file.
  23. 23. SNMP AGENT RESPONSES TO SNMP SERVER The SNMP agent responds to SNMP manager requests as follows: 1. Get an MIB variable - The SNMP agent performs this function in response to a GetRequest- PDU from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value. 2. Set an MIB variable - The SNMP agent performs this function in response to a SetRequest- PDU from the NMS. The SNMP agent changes the value of the MIB variable to the value specified by the NMS. An SNMP agent reply to a set request includes the new settings in the device.
  24. 24. COMMUNITY STRINGS For SNMP to operate, the NMS must have access to the MIB. To ensure that access requests are valid, some form of authentication must be in place. SNMPv1 and SNMPv2c use community strings that control access to the MIB. Community strings are plaintext passwords. SNMP community strings authenticate access to MIB objects. There are two types of community strings: 1. Read-only (ro) - Provides access to the MIB variables, but does not allow these variables to be changed, only read. Because security is minimal in version 2c, many organizations use SNMPv2c in read-only mode. 2. Read-write (rw) - Provides read and write access to all objects in the MIB. To view or set MIB variables, the user must specify the appropriate community string for read or write access. Note: Plaintext passwords are not considered a security mechanism. This is because plaintext passwords are highly vulnerable to man-in-the-middle attacks, in which they are compromised through the capture of packets.
  25. 25. MANAGEMENT INFORMATION BASE OBJECT IDENTIFIER (MIBOID) The MIB organizes variables hierarchically. MIB variables enable the management software to monitor and control the network device. Formally, the MIB defines each variable as an object ID (OID). OIDs uniquely identify managed objects in the MIB hierarchy. The MIB tree for any given device includes some branches with variables common to many networking devices and some branches with variables specific to that device or vendor. OIDs belonging to Cisco are numbered as follows: .iso (1).org (3).dod (6).internet (1).private (4).enterprises (1).cisco (9). This is displayed as
  26. 26. SNMP SERVER CONFIGURATION REQUIRED COMAMNDS Step 1. Configure the community string and access level (read-only or read-write) with this command: R1(config)#snmp-server community string ro | rw For example, two create a read-only community string: R1(config)#snmp-server community ahmed ro For example, two create a read-write community string: R1(config)#snmp-server community ahmedd rw
  27. 27. SNMP CLIENT MIB BROWSER Query the host for a variable value using the previously entered community strings.
  29. 29. 1. IP Address 2. Port Number 3. Read Community String 4. Write Community String 5. Version SNMP CLIENT SERVER DETAILS
  30. 30. SNMP CLIENT OID Example of valid OID: . It tells if the route to the destination has failed and an active search for alternative path is in progress.
  31. 31. SNMP VERIFICATION R1#show snmp
  32. 32. SNMP VERIFICATION R1#show snmp community
  33. 33. NETFLOW
  34. 34. NETFLOW NetFlow is a Cisco IOS technology that provides statistics on packets flowing through a Cisco router or multilayer switch. NetFlow technology was developed because networking professionals needed a simple and efficient method for tracking TCP/IP flows in the network, and SNMP was not sufficient for these purposes. While SNMP attempts to provide a very wide range of network management features and options, NetFlow is focused on providing statistics on IP packets flowing through network devices. Another difference between NetFlow and SNMP is that NetFlow only gathers traffic statistics, whereas SNMP can also collect many other performance indicators, such as interface errors, CPU usage, and memory usage. On the other hand, the traffic statistics collected using NetFlow have a lot more granularity than the traffic statistics that can be collected using SNMP.
  35. 35. NETFLOW USES Organizations use NetFlow for some or all of the following important data collection purposes: 1. Measuring who is using what network resources for what purpose. 2. Accounting and charging back according to the resource utilization level. 3. Using the measured information to do more effective network planning so that resource allocation and deployment is well-aligned with customer requirements. 4. Using the information to better structure and customize the set of available applications and services to meet user needs and customer service requirements.
  36. 36. NETFLOW PACKET FIELDS Original NetFlow distinguished flows using a combination of seven fields: 1. Source IP address 2. Destination IP address 3. Source port number 4. Destination port number 5. Layer 3 protocol type (TCP/UDP) 6. Type of Service (ToS) marking: The ToS byte in the IPv4 header holds information about how devices should apply quality of service (QoS) rules to the packets in that flow. 7. Input logical interface
  37. 37. NETFLOW CONFIGURATION A NetFlow flow is unidirectional. This means that one user connection to an application exists as two NetFlow flows, one for each direction. To define the data to be captured for NetFlow in interface configuration mode: Capture NetFlow data for monitoring incoming packets on the interface using this command: R1(config-if)#ip flow ingress Capture NetFlow data for monitoring outgoing packets on the interface using this command: R1(config-if)#ip flow eggress
  38. 38. NETFLOW CONFIGURATION To enable the NetFlow data to be sent to the NetFlow collector, there are several items to configure on the router in global configuration mode: NetFlow collector’s IP address and UDP port number - Use this command: R1(config)#ip flow-export destination ip-address udp-port The collector has one or more ports, by default, for NetFlow data capture. The software allows the administrator to specify which port or ports to accept for NetFlow capture. Some common UDP ports allocated are 99, 2055, and 9996.
  39. 39. VERIFYING NETFLOW R1#show ip cache flow This command gives details about the following: 1. IP Packet Size Distribution 2. Protocol Statistics 3. Interface Statistics
  40. 40. VERIFYING NETFLOW PROTOCOL R1#show ip cache flow
  41. 41. VERIFYING NETFLOW INTERFACE R1#show ip cache flow
  42. 42. VERIFYING NETFLOW R1#show ip flow interface