Cisco IOS Embedded Event Manager (EEM) - …



SYSTEM MANAGEMENT

Introduction to CDP (Cisco Discovery Protocol)

Let’s talk a bit about network management. Perhaps not the most exciting topic, but I’m going to show you how you can use CDP (Cisco Discovery Protocol) to help you build network maps and what other information it can reveal.

Most networks have multiple switches and/or routers, and to make our life easier it’s good to have a network map that shows us how everything is connected to each other, what kind of devices we have, to what VLAN they belong and the IP addresses that we are using. CDP is a Cisco protocol that runs on all Cisco devices and helps us discover Cisco devices on the network. CDP is Cisco proprietary, runs on the data-link layer and is enabled by default.

Let’s take a look at a network map:

Above we have 3 routers. Now if I had no idea what the network looked like, we could use CDP to build the network map that you see above. Let me show you how:

R1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Ser 0/0            167         R S I      3640      Ser 0/0

Use the show cdp neighbors command to see all directly connected neighbors. Above you see that R1 is connected to R2, and you can also see the platform (3640 router) and the interfaces on both sides. Let me show you the other routers as well:

R2#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R1               Ser 0/0            144         R S I      3640      Ser 0/0
R3               Fas 1/0            164         R S I      3640      Fas 1/0

R3#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Fas 1/0            135         R S I      3640      Fas 1/0

Now we have all the information we need to build a network map with the router names and interfaces.
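Building the map by hand works for three routers; for more, the neighbor tables can be merged automatically. The following is an added example (Python, not from the original tutorial) that parses the show cdp neighbors table from each router, handles the variable-width capability column and the case where a long Device ID wraps onto its own line, and dedupes the two views of every link. The sample outputs are constructed from the three tables shown above.

```python
# Constructed samples copied from the three outputs above (column spacing is approximate).
CDP_OUTPUTS = {
    "R1": """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Ser 0/0            167         R S I      3640      Ser 0/0
""",
    "R2": """\
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R1               Ser 0/0            144         R S I      3640      Ser 0/0
R3               Fas 1/0            164         R S I      3640      Fas 1/0
""",
    "R3": """\
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Fas 1/0            135         R S I      3640      Fas 1/0
""",
}


def parse_cdp_neighbors(text):
    """Parse the table printed by 'show cdp neighbors'.

    Columns are whitespace separated, but the two interface columns are two
    tokens each ('Ser 0/0') and the capability column holds any number of
    tokens ('R S I'), so the row is taken apart from both ends.
    """
    neighbors, in_table, pending_id = [], False, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "Device" and tokens[1] == "ID":   # column header
            in_table = True
            continue
        if not in_table:                                   # capability legend
            continue
        if len(tokens) == 1:       # a long Device ID is printed on its own line
            pending_id = tokens[0]
            continue
        if pending_id:
            tokens, pending_id = [pending_id] + tokens, None
        if len(tokens) < 7:
            continue
        neighbors.append({
            "device": tokens[0],
            "local_if": f"{tokens[1]} {tokens[2]}",
            "holdtime": int(tokens[3]),
            "capabilities": tokens[4:-3],
            "platform": tokens[-3],
            "port_id": f"{tokens[-2]} {tokens[-1]}",
        })
    return neighbors


def build_links(outputs):
    """Merge every router's table into one sorted list of undirected links.

    Each link is ((device, interface), (device, interface)); R1's view of the
    R1-R2 link and R2's view of it collapse into a single entry.
    """
    links = set()
    for local, text in outputs.items():
        for n in parse_cdp_neighbors(text):
            ends = sorted([(local, n["local_if"]), (n["device"], n["port_id"])])
            links.add(tuple(ends))
    return sorted(links)


def inventory(outputs):
    """Platform advertised by every device that shows up as a neighbor."""
    return {n["device"]: n["platform"]
            for text in outputs.values() for n in parse_cdp_neighbors(text)}


if __name__ == "__main__":
    for (a, a_if), (b, b_if) in build_links(CDP_OUTPUTS):
        print(f"{a} {a_if} <-> {b} {b_if}")
    print(inventory(CDP_OUTPUTS))
```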
CDP can tell us even more however…

R1#show cdp neighbors detail
-------------------------
Device ID: R2
Entry address(es):
  IP address: 192.168.12.2
Platform: Cisco 3640,  Capabilities: Router Switch IGMP
Interface: Serial0/0,  Port ID (outgoing port): Serial0/0
Holdtime : 136 sec

Version :
Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
Technical Support: (c) 1986-2007 by Cisco Systems,
Compiled Wed 20-Jun-07 11:43 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''

Use show cdp neighbors detail to reveal even more information. For example, you can see the IP address and the IOS version. This can be very useful to us, but it’s also a security risk. By default CDP is enabled and runs on all interfaces, so it might be a good idea to disable it on certain interfaces:

R1(config)#interface serial 0/0
R1(config-if)#no cdp enable

This is how you can disable it for a single interface: just type no cdp enable. This is how you can do it globally for all interfaces:

R1(config)#no cdp run

That's all there is to CDP. Besides revealing networking information, CDP is also used for Cisco IP phones, but that's another story. Keep in mind CDP only runs on Cisco hardware; there's also a "standards" based version called LLDP that runs on Cisco hardware and some other networking vendors' equipment.

Link Layer Discovery Protocol (LLDP)

LLDP is a layer two discovery protocol, similar to Cisco’s CDP. The big difference between the two is that LLDP is a standard while CDP is a Cisco proprietary protocol.

Cisco devices support the IEEE 802.1ab version of LLDP. This allows non-Cisco devices to advertise information about themselves to our network devices.

LLDP uses attributes that contain a type, length and value description. These are called TLVs (Type, Length, Value). Devices that support LLDP use TLVs to send and receive information to their directly connected neighbors.
Here’s an example of some basic TLVs:

Port description TLV
System name TLV
System description TLV
System capabilities TLV
Management Address TLV

Some network end devices (like IP Phones) can use LLDP for VLAN assignment or PoE (Power over Ethernet) requirements. To accomplish this, an enhancement was made which is called MED (Media Endpoint Discovery). This is typically known as LLDP-MED.

Configuration of LLDP is really simple; depending on your switch and IOS version it might be enabled or disabled by default. Let’s take a look at an example:

I have two Cisco Catalyst 3560 switches, directly connected to each other. LLDP is disabled by default on these switches so let’s enable it:

SW1, SW2(config)#lldp run

This enables LLDP globally on all interfaces. After a couple of seconds we can see something:

SW1#show lldp neighbors
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
SW2                 Fa0/24         120        B               Fa0/24

Total entries displayed: 1

This output looks very similar to CDP. We can also take a detailed look at our neighbor:

SW1#show lldp neighbors detail
Chassis id: 0011.bb0b.361a
Port id: Fa0/24
Port Description: FastEthernet0/24
System Name: SW2.

System Description:
Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2008 by Cisco Systems,
Compiled Thu 21-Aug-08 15:26 by nachen

Time remaining: 106 seconds
System Capabilities: B,R
Enabled Capabilities: B
Management Addresses - not advertised
Auto Negotiation - supported, enabled
Physical media capabilities:
    100base-TX(FD)
    100base-TX(HD)
    10base-T(FD)
    10base-T(HD)
Media Attachment Unit type: 16

---------------------------------------------
Total entries displayed: 1

Above you can see some details about SW2: its hostname, platform, IOS version, capabilities etc. One little extra that LLDP offers is that it also sends interface descriptions.
Here's an example:

SW1(config)#interface FastEthernet 0/24
SW1(config-if)#description LINK_SW1_SW2

This description will show up if we look on SW2:

SW2#show lldp neighbors detail
Chassis id: 0019.569d.571a
Port id: Fa0/24
Port Description: LINK_SW1_SW2
System Name: SW1.

Conditional Debug on Cisco IOS Router

Conditional debug is very useful to filter out some of the debug information that you see on a (busy) router. It allows us to only show debug information that matches a certain interface, MAC address, username and some other items.

It’s best to demonstrate this with an example, so let me show you the following router that is running RIP on two interfaces:

Let’s enable RIP debugging on this router:

R1#debug ip rip
RIP protocol debugging is on

We will see RIP debug information from both interfaces:

R1#
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.12.1)
RIP: build update entries
        192.168.13.0/24 via 0.0.0.0, metric 1, tag 0
R1#
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/1 (192.168.13.1)
RIP: build update entries
        192.168.12.0/24 via 0.0.0.0, metric 1, tag 0

If I only want to see the debug information from one interface then I can use a debug condition:

R1#debug condition ?
  application  Application
  called       called number
  calling      calling
  card         card
  glbp         interface group
  interface    interface
  ip           IP address
  mac-address  MAC address
  match-list   apply the match-list
  standby      interface group
  username     username
  vcid         VC ID
  vlan         vlan
  voice-port   voice-port number
  xconnect     Xconnect conditional debugging on segment pair

This is quite a list with different items to choose from.
I’ll use the interface as a condition:

R1#debug condition interface fastEthernet 0/0
Condition 1 set

Using this debug condition we will only see RIP debug information from the FastEthernet 0/0 interface:

R1#
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.12.1)
RIP: build update entries
        192.168.13.0/24 via 0.0.0.0, metric 1, tag 0

When you want to get rid of the debug condition you can use the following command:

R1#undebug condition interface fastEthernet 0/0
This condition is the last interface condition set.
Removing all conditions may cause a flood of debugging
messages to result, unless specific debugging flags
are first removed.

Proceed with removal? [yes/no]: yes
Condition 1 has been removed

The router will warn you that you might be flooded with debug information after removing the debug condition. If you have a router that generates a lot of debug information then this is something to be aware of.

Be careful...using no debug all or undebug all doesn't remove the condition. You need to remove it using the command that I just showed you!

That's all there is to it. I hope this helps you to make debugging easier to work with. If you have any questions feel free to leave a comment!

Cisco IOS Embedded Event Manager (EEM)

Embedded Event Manager (EEM) is a technology on Cisco routers that lets you run scripts or commands when a certain event happens. It’s probably best just to show you some examples to see how it works. This is the topology that I will use:

Syslog Events

Syslog messages are the messages that you see by default on your console. Interfaces going up or down, OSPF neighbors that disappear and such are all syslog messages. EEM can take action when one of these messages shows up.
Let’s start with an example that enables an interface once it goes down.

Interface Recovery

R2(config)#event manager applet INTERFACE_DOWN
 event syslog pattern "Interface FastEthernet0/0, changed state to down"
 action 1.0 cli command "enable"
 action 2.0 cli command "conf term"
 action 3.0 cli command "interface fa0/0"
 action 4.0 cli command "no shut"

The applet is called “INTERFACE_DOWN” and the event is a syslog pattern that matches the text when an interface goes down. When this occurs, we run a number of commands. What happens is that whenever someone shuts the interface, EEM will do a “no shut” on it.

To demonstrate that this works I’ll enable a debug:

R2#debug event manager action cli
Debug EEM action cli debugging is on

This will show the commands that EEM runs when the event occurs. Let’s do a shut on that interface:

R2(config)#interface FastEthernet 0/0
R2(config-if)#shutdown

Within a few seconds you will see this:

R2#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2>
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN : R2>enable
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN : R2#conf term
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line.  End with CNTL/Z.
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2(config)#
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN : R2(config)#interface fa0/0
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2(config-if)#
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN : R2(config-if)#no shut
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2(config-if)#
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : CTL : cli_close called.
%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

The interface went down, EEM runs the commands and the interface is up again. Simple, but I think this is a good example to demonstrate how EEM works. Let’s see what else we can do…

OSPF Adjacency Changes

The next example is perhaps useful. Whenever the OSPF adjacency disappears you will see a syslog message on your console. We’ll use this message as the event and once it occurs, we enable OSPF adjacency debugging and send an e-mail:

R2(config)#event manager applet OSPF_DOWN
 event syslog pattern "Nbr 192.168.12.1 on FastEthernet0/0 from FULL to DOWN"
 action 1.0 cli command "enable"
 action 2.0 cli command "debug ip ospf adj"
 action 3.0 mail server "smtp.ziggo.nl" to "info@" from "R2@" subject "OSPF IS DOWN" body "Please fix OSPF"

The event that I used is a syslog message that should look familiar. The first two actions are executed on the CLI but the third action is for the e-mail. It will send a message to info@ through the SMTP server “smtp.ziggo.nl”.

Let’s give it a try.
I have to enable another debug if I want to see the mail action:

R2#debug event manager action mail
Debug EEM action mail debugging is on

Once the OSPF neighbor adjacency is established, I’ll shut the interface on one of the routers so it breaks:

R1(config)#interface FastEthernet 0/0
R1(config-if)#shutdown

And this is what you’ll see:

R2#
Translating "smtp.ziggo.nl"...domain server (255.255.255.255)
%OSPF-5-ADJCHG: Process 1, Nbr 192.168.12.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : OUT : R2>
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : IN : R2>enable
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : IN : R2#debug ip ospf adj
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : OUT : OSPF adjacency events debugging is on
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(smtp_lib) : smtp_connect_attempt: 1
OSPF: Build router LSA for area 0, router ID 192.168.12.2, seq 0x8000000B, process 1
OSPF: No full nbrs to build Net Lsa for interface FastEthernet0/0
OSPF: Build network LSA for FastEthernet0/0, router ID 192.168.12.2
OSPF: Build network LSA for FastEthernet0/0, router ID 192.168.12.2
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(smtp_lib) : fh_smtp_connect failed at attempt 1
Translating "smtp.ziggo.nl"...domain server (255.255.255.255)
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(smtp_lib) : smtp_connect_attempt: 2
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(smtp_lib) : fh_smtp_connect callback timer is awake
%HA_EM-3-FMPD_SMTP: Error occurred when sending mail to SMTP server: smtp.ziggo.nl : timeout error
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : CTL : cli_close called.

My router isn’t connected to the Internet, but you can see it’s trying to contact the SMTP server and send an e-mail.
It also enabled the OSPF adjacency debug thanks to the CLI commands.

CLI Events

The previous two examples used syslog messages as the event, but you can also take action based on commands that are used on the CLI. The example below is a funny one: whenever someone looks at the running configuration, it will exclude all lines with the word “interface” in them:

R2(config)#event manager applet SHOW_RUN_NO_INTERFACES
 event cli pattern "show run" sync yes
 action 1.0 cli command "enable"
 action 2.0 cli command "show run | exclude interface"
 action 3.0 puts "$_cli_result"
 action 4.0 set $_exit_status "0"

As you can see above, the event is a CLI pattern. The “sync yes” parameter is required; it tells EEM to run the script before running the “show run” command. When the script is done, it sets the exit status to 0. Basically this means that whenever someone uses the “show run” command, the script will run “show run | exclude interface” instead and give you that output.

Let’s see what the result is…

R2#show running-config
Building configuration...

You will see the output of the running configuration, and if you left the debug on, you’ll see what EEM is doing behind the scenes:

R2#
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : OUT : R2>
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : IN : R2>enable
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : IN : R2#show run | exclude interface
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : OUT : Building configuration...

Somewhere further down the running-config you can see that the lines with “interface” in them were removed:

!
 ip address 192.168.12.2 255.255.255.0
 duplex auto
 speed auto

While this isn’t very useful, I think this is a good example to see what it does.
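An applet like SHOW_RUN_NO_INTERFACES changes what an operator sees, so it helps to be able to reconstruct from the "debug event manager action cli" output exactly which commands each applet ran, and to check which syslog line a pattern really fires on. The following is an added example (Python, not from the original tutorial) over a constructed log in the shape shown above; the applet names and patterns are the ones configured in this tutorial. Note that EEM searches the pattern as a regular expression inside the message, so INTERFACE_DOWN is triggered by the LINEPROTO line, not by the earlier LINK-5-CHANGED line.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the 'debug event manager action cli' output
# above: the INTERFACE_DOWN applet firing, then the SHOW_RUN_NO_INTERFACES applet.
SAMPLE_DEBUG = """\
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2>
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN : R2>enable
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN : R2#conf term
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2(config)#
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN : R2(config)#interface fa0/0
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2(config-if)#
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN : R2(config-if)#no shut
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : CTL : cli_close called.
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : IN : R2>enable
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : IN : R2#show run | exclude interface
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : CTL : cli_close called.
"""

# An "IN" line records what the applet typed: applet name, the prompt it was
# sitting at (ends in '>' or '#'), and the command itself.
IN_LINE = re.compile(
    r"^%HA_EM-6-LOG: (?P<applet>\S+) : DEBUG\(cli_lib\) : : IN : "
    r"(?P<prompt>\S+?[>#])(?P<command>.*)$"
)

# The syslog patterns exactly as configured in the two applets above.
APPLET_PATTERNS = {
    "INTERFACE_DOWN": "Interface FastEthernet0/0, changed state to down",
    "OSPF_DOWN": "Nbr 192.168.12.1 on FastEthernet0/0 from FULL to DOWN",
}


def commands_per_applet(debug_text):
    """Map each applet name to the (prompt, command) pairs it executed, in order."""
    result = OrderedDict()
    for line in debug_text.splitlines():
        m = IN_LINE.match(line.strip())
        if m:
            result.setdefault(m.group("applet"), []).append(
                (m.group("prompt"), m.group("command").strip()))
    return result


def config_mode_applets(debug_text):
    """Names of applets that entered configuration mode, i.e. changed the device."""
    return [name for name, cmds in commands_per_applet(debug_text).items()
            if any("(config" in prompt for prompt, _ in cmds)]


def applets_triggered_by(message, patterns=APPLET_PATTERNS):
    """'event syslog pattern' is a regular expression searched for in the message."""
    return [name for name, pat in patterns.items() if re.search(pat, message)]


if __name__ == "__main__":
    for applet, cmds in commands_per_applet(SAMPLE_DEBUG).items():
        print(applet, "->", [c for _, c in cmds])
    print("config-changing applets:", config_mode_applets(SAMPLE_DEBUG))
```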
A good real life scenario might be hiding all lines that have “username” or “enable secret” in them for certain users.

Interface Events

You have seen syslog and CLI pattern events, but we have some others. What about interface counters? It might be useful to perform an action when some interface counters have a certain value. Here’s an example:

R2#show interfaces fastEthernet 0/0 | incl load
     reliability 255/255, txload 1/255, rxload 1/255

Let's create a script that does something when the interface load hits a certain value. To make this work, it's best to change the load interval of the interface first:

R2(config)#interface FastEthernet 0/0
R2(config-if)#load-interval 30

By using this command, the router will calculate the load of the interface every 30 seconds; the default is 5 minutes. Let's create the script:

R2(config)#event manager applet INTERFACE_LOAD
 event interface name FastEthernet0/0 parameter rxload entry-op gt entry-val 10 entry-type value poll-interval 10
 action 1.0 syslog priority informational msg "INTERFACE OVERLOADED"

This event is a bit harder to read...when the rx load of the interface is above 10/255 then we will take action. Every 10 seconds we will check if we reached this value or not. When the event occurs, a syslog message is produced.

To demonstrate this we'll send some packets from R1 towards R2:

R1#ping 192.168.12.2 repeat 9999999 size 15000 timeout 0

Once the interface rx load is above 10 you'll see the following message on the console:

R2#
%HA_EM-6-LOG: INTERFACE_LOAD: INTERFACE OVERLOADED

Pretty neat right? Sending an e-mail as the action might be a good idea when the interface load is above 60-70%.

Scheduling Events

Instead of launching actions based on syslog or CLI messages we can also use scheduled tasks. This means that you can run actions every X minutes / hours / days etc.
Here's an example:

R2(config)#event manager applet TIMER
 event timer watchdog time 60
 action 1.0 cli command "enable"
 action 2.0 cli command "write memory"
 action 3.0 syslog priority informational msg "Configuration has been saved"

This script runs every 60 seconds and runs the "write memory" command. Once it's done, it will produce a syslog message. After waiting for 60 seconds we'll see this:

R2#
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : OUT : R2>
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : IN : R2>enable
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : IN : R2#write memory
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : OUT : Building configuration...
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : OUT : [OK]
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: TIMER: Configuration has been saved
%HA_EM-6-LOG: TIMER : DEBUG(cli_lib) : : CTL : cli_close called.

Other Events and Actions

You have seen a couple of events and actions, but EEM has a lot of options. Here's a list to give you some ideas:

R2(config-applet)#event ?
  application        Application specific event
  cli                CLI event
  config             Configuration policy event
  counter            Counter event
  env                Environmental event
  interface          Interface event
  ioswdsysmon        IOS WDSysMon event
  ipsla              IPSLA Event
  nf                 NF Event
  none               Manually run policy event
  oir                OIR event
  resource           Resource event
  rf                 Redundancy Facility event
  routing            Routing event
  rpc                Remote Procedure Call event
  snmp               SNMP event
  snmp-notification  SNMP Notification Event
  syslog             Syslog event
  tag                event tag identifier
  timer              Timer event
  track              Tracking object event

Some other useful events are changes in the routing table, IP SLA, object tracking and configuration changes. There is also a big list of possible actions:

R2(config-applet)#action 1.0 ?
  add               Add
  append            Append to a variable
  break             Break out of a conditional loop
  cli               Execute a CLI command
  cns-event         Send a CNS event
  comment           add comment
  context           Save or retrieve context information
  continue          Continue to next loop iteration
  counter           Modify a counter value
  decrement         Decrement a variable
  divide            Divide
  else              else conditional
  elseif            elseif conditional
  end               end conditional block
  exit              Exit from applet run
  force-switchover  Force a software switchover
  foreach           foreach loop
  gets              get line of input from active tty
  handle-error      On error action
  help              Read/Set parser help buffer
  if                if conditional
  increment         Increment a variable
  info              Obtain system specific information
  mail              Send an e-mail
  multiply          Multiply
  policy            Run a pre-registered policy
  publish-event     Publish an application specific event
  puts              print data to active tty
  regexp            regular expression match
  reload            Reload system
  set               Set a variable
  snmp-trap         Send an SNMP trap
  string            string commands
  subtract          Subtract
  syslog            Log a syslog message
  track             Read/Set a tracking object
  wait              Wait for a specified amount of time
  while             while loop

Running CLI commands and sending e-mails are maybe the most important ones, but you can also generate SNMP traps or reload the router.

Anyway, that's the end of this tutorial. If you enjoyed this, please share it with your friends and colleagues. If you have any other good EEM examples please leave a comment and I'll add them here.

Cisco Network Time Protocol (NTP)

NTP (Network Time Protocol) is used to allow network devices to synchronize their clocks with a central source clock. For network devices like routers, switches or firewalls this is very important because we want to make sure that logging information and timestamps have the accurate time and date. If you ever have network issues or get hacked, you want to make sure you know exactly what and when it happened.

Normally a router or switch will run in NTP client mode, which means that it will adjust its clock based on the time of an NTP server.
Basically the NTP protocol describes the algorithm that the NTP clients use to synchronize their clocks with the NTP server and the packets that are used between them.

A good example of an NTP server is ntp.. This is a cluster of NTP servers that many servers and network devices use to synchronize their clocks.

NTP uses a concept called “stratum” that defines how many NTP hops away a device is from an authoritative time source. For example, a device with stratum 1 is a very accurate device and might have an atomic clock attached to it. Another NTP server that is using this stratum 1 server to sync its own time would be a stratum 2 device because it’s one NTP hop further away from the source. When you configure multiple NTP servers, the client will prefer the NTP server with the lowest stratum value.

Cisco routers and switches can use 3 different NTP modes:

NTP client mode.
NTP server mode.
NTP symmetric active mode.

The symmetric active mode is used between NTP devices to synchronize with each other; it’s used as a backup mechanism when they are unable to reach the (external) NTP server.

In the remainder of this tutorial I will demonstrate how to configure NTP on a Cisco router and switches.

Configuration

This is the topology I will use:

The router on the top is called “CoreRouter” and it’s the edge of my network. It is connected to the Internet and will use one of the NTP servers from pool. to synchronize its clock. The network also has two internal switches that require synchronized clocks. Both switches will become NTP clients of the CoreRouter, thus making the CoreRouter an NTP server.

Router configuration

First we will configure the CoreRouter on top. I will use pool. as the external NTP server for this example. We need to make sure that the router is able to resolve hostnames:

CoreRouter(config)#ip name-server 8.8.8.8

I will use Google DNS for this.
Our next step is to configure the NTP server:

CoreRouter(config)#ntp server pool.

That was easy enough: just one command and we will synchronize our clock with the public server. We can verify our work like this:

CoreRouter#show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
 ~146.185.130.223 .INIT.          16     -     64     0   0.000   0.000 16000.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

Above we see the show ntp associations command that tells us if our clock is synchronized or not. The ~ in front of the IP address tells us that we configured this server but we are not synchronized yet. You can see this because there is no * in front of the IP address and the “st” field (stratum) is currently 16.

There is one more command that gives us more information about the NTP configuration:

CoreRouter#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.16 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000000000 s/s
system poll interval is 64, never updated.

The router tells us that we are unsynchronized and that there is no reference clock…we will just wait a couple of minutes and take a look at these commands again:

CoreRouter#show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
*~146.185.130.223 193.79.237.14    2     26     64     1  10.857  -5.595 7937.5
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

A few minutes later and the output has changed. The * in front of the IP address tells us that we have synchronized and the stratum is 2…that means that this NTP server is pretty close to a reliable time source. The “poll” field tells us that we will try to synchronize the time every 64 seconds.
Let’s check the other command that we just saw:

CoreRouter#show ntp status
Clock is synchronized, stratum 3, reference is 146.185.130.22
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is D76513B4.66A4CDA6 (12:40:20.400 UTC Mon Jul 7 2014)
clock offset is -5.5952 msec, root delay is 13.58 msec
root dispersion is 7966.62 msec, peer dispersion is 7937.50 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000000018 s/s
system poll interval is 64, last update was 43 sec ago.

Our clock has been synchronized and our own stratum is 3. That makes sense, since the public server has a stratum of 2 and we are one “hop” away from it.

NTP synchronization can be very slow, so you have to be patient when your clocks are not synchronized. One way to speed it up a bit is to adjust your clock manually so it is closer to the current time.

Cisco routers have two different clocks: they have a software clock and a hardware clock, and they operate separately from each other. Here’s how to see both clocks:

CoreRouter#show clock
12:41:25.197 UTC Mon Jul 7 2014

CoreRouter#show calendar
12:43:24 UTC Mon Jul 7 2014

The show clock command shows me the software clock while the show calendar command gives me the hardware clock. The two clocks are not in sync so this is something we should fix; you can do it like this:

CoreRouter(config)#ntp update-calendar

The ntp update-calendar command will update the hardware clock with the time of the software clock. Here’s the result:

CoreRouter#show clock
12:42:31.853 UTC Mon Jul 7 2014

CoreRouter#show calendar
12:42:30 UTC Mon Jul 7 2014

That’s all I wanted to configure on the CoreRouter for now. We still have to configure two switches to synchronize their clocks.

Switch Configuration

The two switches will be configured to use the CoreRouter as the NTP server, and I will also configure them to synchronize their clocks with each other.
Let’s configure them to use the CoreRouter first:

SW1(config)#ntp server 192.168.123.3

Once again it might take a few minutes to synchronize, but this is what you will see:

SW1#show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.123.3   146.185.130.223   3    21    64     1     2.5    1.02  15875.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

SW1#show ntp status
Clock is synchronized, stratum 4, reference is 192.168.123.3
nominal freq is 119.2092 Hz, actual freq is 119.2089 Hz, precision is 2**18
reference time is D765271D.D6021302 (14:03:09.835 UTC Mon Jul 7 2014)
clock offset is 1.0229 msec, root delay is 14.31 msec
root dispersion is 16036.00 msec, peer dispersion is 15875.02 msec

The clock of SW1 has been synchronized and its stratum is 4. This makes sense since it’s one “hop” further away from its NTP server (CoreRouter). Let’s do the same for SW2:

SW2(config)#ntp server 192.168.123.3

Let’s be patient for a few more minutes and this is what we’ll get:

SW2#show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.123.3   146.185.130.223   3    17    64    37     3.4    1.89   875.8
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

SW2#show ntp status
Clock is synchronized, stratum 4, reference is 192.168.123.3
nominal freq is 119.2092 Hz, actual freq is 119.2084 Hz, precision is 2**18
reference time is D765274D.D51A0546 (14:03:57.832 UTC Mon Jul 7 2014)
clock offset is 1.8875 msec, root delay is 15.18 msec
root dispersion is 1038.39 msec, peer dispersion is 875.84 msec

SW1 and SW2 are now using CoreRouter to synchronize their clocks. Let’s also configure them to use each other for synchronization.
This is the symmetric active mode I mentioned before: basically the two switches will “help” each other to synchronize…this might be useful in case the CoreRouter fails some day:

SW1(config)#ntp peer 192.168.123.2

SW2(config)#ntp peer 192.168.123.1

After waiting a few minutes you’ll see that SW1 and SW2 have synchronized with each other:

SW1#show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.123.3   146.185.130.223   3    59    64    37     3.0   -0.74   877.4
+~192.168.123.2   192.168.123.3     4    50   128   376     2.2   -2.04     1.3
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

SW2#show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.123.3   146.185.130.223   3    45   128   377     2.9    1.95     1.0
 ~192.168.123.1   192.168.123.3     4    67  1024   376     1.8    2.40     1.4
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

Great, everything is now in sync.

Are we done? Not quite yet…there are a few more things we can do with NTP. The CoreRouter and the two switches use unicast (UDP port 123) for synchronization, but you can also use multicast or broadcast. Let me give you an example…

Multicast and Broadcast

If you have more than 20 network devices or a router that has limited system memory or CPU resources, you might want to consider using NTP broadcast or multicast as it requires less resources. We can enable multicast or broadcast on the interface level.

To demonstrate this I will add two routers below SW1 and SW2 that will synchronize themselves using multicast or broadcast.
This is what it looks like:

I’ll configure SW1 to use multicast address 239.1.1.1 and SW2 will send NTP updates through broadcast:

SW1(config)#interface vlan 10
SW1(config-if)#ntp multicast 239.1.1.1

SW2(config)#interface vlan 20
SW2(config-if)#ntp broadcast

R5 will synchronize itself by using multicast:

R5(config)#interface fastEthernet 0/0
R5(config-if)#ntp multicast client 239.1.1.1

The commands are pretty self-explanatory; let's see if it worked:

R5#show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
* 192.168.10.1    192.168.123.3    4     14     64     1   1.528  -1.209  0.206
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

R5#show ntp status
Clock is synchronized, stratum 5, reference is 192.168.10.1
nominal freq is 250.0000 Hz, actual freq is 250.0174 Hz, precision is 2**24
reference time is D765447B.DA56D83C (16:08:27.852 UTC Mon Jul 7 2014)
clock offset is -0.0012 msec, root delay is 0.01 msec
root dispersion is 0.16 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000069583 s/s
system poll interval is 64, last update was 35 sec ago.

You can see that it has synchronized itself and it shows the IP address of SW1.
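Reading the status characters, stratum and reach fields of show ntp associations by eye gets old once there are many devices. The following is an added example (Python, not from the original tutorial) that parses that output, decodes the octal reach register into a count of answered polls, derives the device's own stratum the way the text explains (system peer stratum plus one), and flags sources that were learned rather than configured, such as R5's multicast source above, since those are exactly the ones the authentication and access-control sections later address. The samples are constructed from the SW1, R5 and initial CoreRouter outputs shown above.

```python
# Status characters IOS prints in front of an association row.
FLAG_CHARS = "*#+-x~"

# Constructed samples built from the outputs shown above (column spacing is approximate).
SW1_ASSOCIATIONS = """\
SW1#show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.123.3   146.185.130.223   3    59    64    37     3.0   -0.74   877.4
+~192.168.123.2   192.168.123.3     4    50   128   376     2.2   -2.04     1.3
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

R5_ASSOCIATIONS = """\
R5#show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
* 192.168.10.1    192.168.123.3    4     14     64     1   1.528  -1.209  0.206
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

CORE_INIT_ASSOCIATIONS = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
 ~146.185.130.223 .INIT.          16     -     64     0   0.000   0.000 16000.
"""


def parse_associations(text):
    """Return one dict per association row; prompt, header and legend lines are skipped."""
    peers = []
    for raw in text.splitlines():
        line = raw.strip()
        # Peel off the status characters. IOS may separate '*' from the address
        # with a space when the source was not configured (no '~').
        flags, i = "", 0
        while i < len(line) and line[i] in FLAG_CHARS + " ":
            if line[i] != " ":
                flags += line[i]
            i += 1
        fields = line[i:].split()
        # A real row: address, ref clock, st, when, poll, reach, delay, offset, disp
        if len(fields) < 9 or not (fields[2].isdigit() and fields[4].isdigit()
                                   and fields[5].isdigit()):
            continue
        reach = int(fields[5], 8)   # octal shift register, one bit per poll
        peers.append({
            "address": fields[0],
            "refclock": fields[1],
            "stratum": int(fields[2]),
            "poll": int(fields[4]),
            "reach_ok": bin(reach).count("1"),  # answered polls out of the last 8
            "offset_ms": float(fields[7]),
            "sys_peer": "*" in flags,
            "candidate": "+" in flags,
            "configured": "~" in flags,
        })
    return peers


def assess(text):
    """Summarise what an operator reads off the output: sync state, own stratum,
    dead sources, and sources that were never configured with ntp server/peer."""
    peers = parse_associations(text)
    sys_peer = next((p for p in peers if p["sys_peer"]), None)
    return {
        "synchronized": sys_peer is not None,
        "sys_peer": sys_peer["address"] if sys_peer else None,
        # We are one NTP hop further from the reference than the server we use.
        "own_stratum": sys_peer["stratum"] + 1 if sys_peer else 16,
        "unreachable": [p["address"] for p in peers
                        if p["reach_ok"] == 0 or p["stratum"] == 16],
        "unconfigured_sources": [p["address"] for p in peers if not p["configured"]],
    }


if __name__ == "__main__":
    for name, text in (("SW1", SW1_ASSOCIATIONS), ("R5", R5_ASSOCIATIONS),
                       ("CoreRouter", CORE_INIT_ASSOCIATIONS)):
        print(name, assess(text))
```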
Let's see if we can get broadcast to work on R6:

R6(config)#interface fastEthernet 0/0
R6(config-if)#ntp broadcast client

R6#show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
* 192.168.20.2    192.168.123.3    4     29     64     1   1.284  -4.035  0.127
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

R6#show ntp status
Clock is synchronized, stratum 5, reference is 192.168.20.2
nominal freq is 250.0000 Hz, actual freq is 250.0132 Hz, precision is 2**24
reference time is D7654496.15979782 (16:08:54.084 UTC Mon Jul 7 2014)
clock offset is -0.0040 msec, root delay is 0.01 msec
root dispersion is 0.59 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000052939 s/s
system poll interval is 64, last update was 29 sec ago.

Excellent! Two more network devices that are synchronized.

You now know how to configure NTP, but there is one more important topic to cover...security! Right now our routers will accept any source as the NTP server and they will serve any NTP client that requests updates. To protect our network, we will have to configure authentication and access-control. Let's start with authentication.

Authentication

When we enable authentication, all NTP packets that can update the clock have to be authenticated. The packets will be authenticated using HMAC MD5 which carries a key number.

I want to make sure that SW1 and SW2 will authenticate the CoreRouter so they don't just accept any NTP updates from a device that has IP address 192.168.123.3 configured. We'll configure the router first:

CoreRouter(config)#ntp authenticate
CoreRouter(config)#ntp trusted-key 1
CoreRouter(config)#ntp trusted-key 2
CoreRouter(config)#ntp authentication-key 1 md5 NETWORKLESSONS1
CoreRouter(config)#ntp authentication-key 2 md5 NETWORKLESSONS2

Each switch will use a different key for authentication. The ntp authentication-key command is required to set the key number and the password.
The ntp trusted-key command is a bit weird: if you don't use it, the key that you configured will not be activated, so don't forget it.

Let's configure the switches now:

```
SW1(config)#ntp authenticate
SW1(config)#ntp authentication-key 1 md5 NETWORKLESSONS1
SW1(config)#ntp trusted-key 1
SW1(config)#ntp server 192.168.123.3 key 1
```

```
SW2(config)#ntp authenticate
SW2(config)#ntp authentication-key 2 md5 NETWORKLESSONS2
SW2(config)#ntp trusted-key 2
SW2(config)#ntp server 192.168.123.3 key 2
```

The configuration on the switches is similar but the difference is that we also specified the key for the NTP server. SW1 and SW2 will only use 192.168.123.3 to synchronize their clocks if the MD5 signature is correct.

Earlier we configured SW1 and SW2 to use each other as peers and of course we can also use authentication for this. It looks like this:

```
SW1(config)#ntp authentication-key 12 md5 NETWORKLESSONS12
SW1(config)#ntp trusted-key 12
SW1(config)#ntp peer 192.168.123.2 key 12
```

```
SW2(config)#ntp authentication-key 12 md5 NETWORKLESSONS12
SW2(config)#ntp trusted-key 12
SW2(config)#ntp peer 192.168.123.1 key 12
```

The configuration is similar: configure a key and make it trusted. We change the ntp peer command so that it requires authentication.

Authentication is great but there is still one security problem to tackle. An NTP server will serve updates to any NTP client and an NTP client will accept any IP address as the NTP server. To solve this we can implement some access-lists...let's take a look!

Access-Control

First I will configure the CoreRouter so it only accepts one IP address as its NTP server. This is tricky since the IP address might change in the future; if you implement this on a production network you'll have to make sure that you add all the possible IP addresses to the access-list:

```
CoreRouter(config)#access-list 1 permit 146.185.130.223
CoreRouter(config)#ntp access-group peer 1
```

The IP address above is what pool. resolves to for me.
The ntp access-group peer command is used to activate the access-list. SW1 and SW2 are the NTP clients for the CoreRouter but right now everyone can use our router as the NTP server. Let's fix this so only SW1 and SW2 are allowed as NTP clients:

```
CoreRouter(config)#ntp access-group serve-only 12
CoreRouter(config)#access-list 12 permit 192.168.123.1
CoreRouter(config)#access-list 12 permit 192.168.123.2
```

Problem solved, only SW1 and SW2 are now accepted as NTP clients. Our CoreRouter is now protected but let's make some changes on SW1 and SW2 as well:

```
SW1(config)#access-list 3 permit 192.168.123.2
SW1(config)#access-list 3 permit 192.168.123.3
SW1(config)#ntp access-group peer 3
```

```
SW2(config)#access-list 3 permit 192.168.123.1
SW2(config)#access-list 3 permit 192.168.123.3
SW2(config)#ntp access-group peer 3
```

The configuration above allows SW1 and SW2 to use the CoreRouter and each other as NTP server; no other sources are allowed.

In my example I used a public server for NTP (pool.) but you can also configure a router or switch as the NTP master and set a stratum number yourself. If you do this you'll need the ntp master command and your device will synchronize its own clock using the 127.127.7.1 or 127.127.1.1 IP address.
Make sure you permit this IP address in your access-list!

After we configured authentication we can verify if it's working or not, here's an example for SW1:

```
SW1#show ntp associations detail
192.168.123.3 configured, authenticated, our_master, sane, valid, stratum 3
ref ID 146.185.130.223, time D7656103.9F50193C (18:10:11.622 UTC Mon Jul 7 2014)
our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
root delay 12.28 msec, root disp 144.93, reach 377, sync dist 162.231
delay 1.43 msec, offset -0.7465 msec, dispersion 1.48
precision 2**24, version 3
org time D76562BA.DE84436E (18:17:30.869 UTC Mon Jul 7 2014)
rcv time D76562BA.DEE4A769 (18:17:30.870 UTC Mon Jul 7 2014)
xmt time D76562BA.DE7AA858 (18:17:30.869 UTC Mon Jul 7 2014)
filtdelay =     1.43    1.39    1.37    1.40    1.51    2.43    1.50    1.63
filtoffset =   -0.75   -0.79   -3.92   -4.03   -3.95   -1.69   -1.23   -1.70
filterror =     0.02   15.64   31.27   46.89   62.52   78.14   79.12   79.74

192.168.123.2 configured, authenticated, selected, sane, valid, stratum 4
ref ID 192.168.123.3, time D76561FF.17C145F3 (18:14:23.092 UTC Mon Jul 7 2014)
our mode active, peer mode active, our poll intvl 1024, peer poll intvl 1024
root delay 14.97 msec, root disp 149.15, reach 377, sync dist 164.719
delay 4.21 msec, offset -7.8822 msec, dispersion 5.98
precision 2**18, version 3
org time D7656506.196F1052 (18:27:18.099 UTC Mon Jul 7 2014)
rcv time D7656506.1BFDEA18 (18:27:18.109 UTC Mon Jul 7 2014)
xmt time D7656486.DED15803 (18:25:10.870 UTC Mon Jul 7 2014)
filtdelay =     4.21    1.63    2.76    4.39    4.73    1.27    1.14    1.17
filtoffset =   -7.88   -4.20   -4.28   -3.79   -2.31   -0.20    0.03    0.29
filterror =     1.97   17.59   18.57   19.55   35.17   50.80   66.42   82.05
```

That's all there is to it.
Hopefully this NTP tutorial is helpful for you to understand and configure NTP in your network.

Configuration Archive and Rollback on Cisco IOS

Cisco IOS routers and switches are able to create 'snapshots' of their configuration using the archive feature. Cisco calls these snapshots 'configuration archives' and they are very useful as they allow you to store multiple versions of your configuration.

The configuration archive can be created every time you save your running configuration or you can create one based on a time schedule, for example every 24 hours or so.

When you have multiple snapshots you can use a show command to see the difference between the configurations and easily restore (rollback) to a previous version.

Let's take a look at the configuration shall we?

Configuration

First we need to configure where we want to store our configuration archives. When you use the path command you can see what options we have:

```
Router(config)#archive
Router(config-archive)#path ?
  flash:  Write archive on flash: file system
  ftp:    Write archive on ftp: file system
  http:   Write archive on http: file system
  https:  Write archive on https: file system
  pram:   Write archive on pram: file system
  rcp:    Write archive on rcp: file system
  scp:    Write archive on scp: file system
  slot0:  Write archive on slot0: file system
  tftp:   Write archive on tftp: file system
```

Normally an external location would be a good idea but to keep things simple I will use the flash memory of my router:

```
Router(config-archive)#path flash:router-backup
```

Each configuration archive file will start with "router-backup" in the filename. Besides the destination we also have to choose when we want to create a configuration archive.
For example, it might be a good idea to create a backup whenever the running-config is saved as the startup-config:

```
Router(config-archive)#write-memory
```

I will also configure a schedule, for example to create a configuration archive every 24 hours:

```
Router(config-archive)#time-period 1440
```

1440 minutes means we'll create a snapshot every 24 hours. Everything is now in place, let's see if it is working.

Verification

We can use the show archive command to see how many snapshots we have. At the moment no snapshots were made so the list is empty:

```
Router#show archive
There are currently 1 archive configurations saved.
The next archive file will be named flash:router-backup-1
 Archive #  Name
   0
   1
   2
   3
   4
   5
   6
   7
   8
   9
   10
   11
   12
   13
   14
```

Now we will save the running-config and thanks to the write-memory command it will also create a configuration archive:

```
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Verifying checksum...  OK (0xDCF1)
```

When we look again at the show archive command we'll see our first configuration archive:

```
Router#show archive
There are currently 2 archive configurations saved.
The next archive file will be named flash:router-backup-2
 Archive #  Name
   0
   1        flash:router-backup-1 <- Most Recent
   2
   3
   4
   5
   6
   7
   8
   9
   10
   11
   12
   13
   14
```

As configured, you can see that it has been stored on the flash of the router:

```
Router#show flash:
System CompactFlash directory:
File  Length   Name/status
  1   840      router-backup-1
[904 bytes used, 16776308 available, 16777212 total]
16384K bytes of ATA System CompactFlash (Read/Write)
```

Having extra backups feels great! Before we are going to recover one I'll show you how you can compare different archives.
I'll make some changes to the running-config so that we'll end up with two different configuration archives:

```
Router(config)#interface loopback0
Router(config-if)#ip address 1.1.1.1 255.255.255.0
```

We'll save the running-config to the startup-config so that another archive is created:

```
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Verifying checksum...  OK (0xDCF1)
```

Let's find out if we have another snapshot:

```
Router#show archive
There are currently 3 archive configurations saved.
The next archive file will be named flash:router-backup-3
 Archive #  Name
   0
   1        flash:router-backup-1
   2        flash:router-backup-2 <- Most Recent
   3
   4
   5
   6
   7
   8
   9
   10
   11
   12
   13
   14
```

So we now have two configuration archives but we don't know the differences between them. IOS tells us that the second one is the latest version but this doesn't always mean that it's the best configuration that we have. Luckily there's a command that tells us exactly the difference between the two files:

```
Router#show archive config differences flash:router-backup-1 flash:router-backup-2
Contextual Config Diffs:
+interface Loopback0
 +ip address 1.1.1.1 255.255.255.0
```

The + symbol tells us that the second file has some additional lines. I created that loopback interface so it's showing up here with the IP address. If you see a - symbol then it means those lines have been removed.

Now we can replace our running configuration and select one of our snapshots like this:

```
Router#configure replace flash:router-backup-1 list
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: yes
Rollback:Acquired Configuration lock.
!Pass 1
!List of Commands:
no interface Loopback0
end

Total number of passes: 1
Rollback Done

Router#
%PARSER-6-EXPOSEDLOCKRELEASED: Exclusive configuration lock released from terminal '0' -Process= "Exec", ipl= 0, pid= 92
%LINK-5-CHANGED: Interface Loopback0, changed state to administratively down
```

The router tells us which commands it has executed in order to roll back to the configuration that we selected. In my example it has removed the loopback 0 interface.

That's all I wanted to show you for now, I hope this has been a useful tutorial for you! If you have any questions feel free to leave a comment.

Configuration Change Notification and Logging

Change notification is a nice feature on Cisco IOS devices that lets you keep track of the changes that have been made to your configuration. It can even track the user who made these changes and it can send this information to a syslog server.

This is one of those features that is very useful when something suddenly doesn't work anymore and everyone tells you that "nobody made any changes".

Configuration

Let's look at a Cisco router where we enable this feature:

```
Router(config)#archive
Router(config-archive)#log config
Router(config-archive-log-cfg)#logging enable
```

First you should use the archive command and then enter the log config section. Use the logging enable command and the router will keep track of the configuration changes. There are a number of other items that are useful to configure, however:

```
Router(config-archive-log-cfg)#logging size 1000
```

By default your router will keep 100 entries in the configuration log but we can increase it to 1000 using the logging size command. All the changes will be kept locally on your router but we can send them to the syslog server if we want:

```
Router(config-archive-log-cfg)#notify syslog
```

Last but not least, it might be a good idea not to store any passwords in the configuration change logs.
You can use the following command to disable this:

```
Router(config-archive-log-cfg)#hidekeys
```

Verification

Whenever you make a change to the configuration you will see the following message on your console:

```
Router#configure terminal
Router(config)#interface loopback 0
Router(config-if)#
%PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:interface loopback 0
```

You can see the change that was made (interface loopback 0) and the user that did this (console). Let's make some more changes to the configuration of this router:

```
Router(config-if)#shutdown
Router(config-if)#no shutdown
```

You will see these changes on the console:

```
Router#
%PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:shutdown
%PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no shutdown
```

We can also use some show commands to verify what changes have been made:

```
Router#show archive log config all
 idx   sess           user@line      Logged command
    1     1        console@console |  logging enable
    2     1        console@console |  logging size 1000
    3     1        console@console |  notify syslog
    4     1        console@console |  hidekeys
    5     1        console@console |  interface loopback 0
    6     1        console@console |  shutdown
    7     1        console@console |  no shutdown
```

Above you find all the commands that I typed in the console so far. If you want to re-use some of the commands that you found then there's a useful command for you to use:

```
Router#show archive log config all provisioning
archive
 log config
  logging enable
  logging size 1000
  notify syslog
  hidekeys
interface loopback 0
 shutdown
 no shutdown
```

This gives you the logged configuration changes in the same format as you can find them in the running configuration. What about passwords in my configuration? I used the hidekeys command so they shouldn't be visible...let's find out if this is true. I'll configure an enable secret:

```
Router(config)#enable secret Cisco123
```

Your console will show this:

```
Router#
%PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:enable secret *****
```

It's masking the secret so it's not giving away any information.
You'll find the same thing in the overview of commands:

```
Router#show archive log config all | include secret
    8     2        console@console |  enable secret *****
```

I hope this tutorial has been helpful to you, if you have any questions feel free to leave a comment!

How to configure Cisco IOS Banners

Cisco IOS devices support a number of banners that are presented to users when they use the console line or when they connect remotely using telnet or SSH. They are often used to inform users about their legal rights. It might be a good idea to present a banner to users who are trying to connect to your device; here are some items you might want to think about:

- Show that only authorized users are allowed to connect.
- State that all traffic will be monitored.
- State that there is no expectation of privacy.
- Don't use anything that says "welcome".
- Don't add any contact information or information about the router in the banner.

There's a good example on the website of the California Technology Agency that gives you more information about what a good banner should contain and some sample texts. Before you implement any banners, make sure to check with your legal counsel first. Having said that, let's look at the different banners...

Different Banners

Cisco IOS routers support a number of banners, here they are:

- MOTD banner: the "message of the day" banner is presented to everyone that connects to the router.
- Login banner: this one is displayed just before the authentication prompt.
- Exec banner: displayed before the user sees the exec prompt.
- Incoming banner: used for users that connect through reverse telnet.

We'll take a look at how to configure these different banners now.

MOTD Banner

We'll start with the message of the day banner that will be presented to anyone accessing the router:

```
R1(config)#banner motd #
Enter TEXT message.  End with the character '#'.
Authorized users only, violaters will be shot on sight! #
```

The # symbol is a start and stop character. You can use any other character if you want.
This is what the MOTD banner looks like:

```
R1#exit

R1 con0 is now available

Press RETURN to get started.

Authorized users only, violaters will be shot on sight!
```

A nice and welcome banner that everyone will see...let's move on to the login banner now.

Login banner

The login banner is presented to users that access the router remotely using telnet or SSH:

```
R1(config)#banner login $ Authenticate yourself! $
```

Let's try it out:

```
R1#telnet 1.1.1.1
Trying 1.1.1.1 ... Open

Authorized users only, violaters will be shot on sight!  Authenticate yourself!
```

Above you see that the login banner is displayed after the MOTD banner. It would have been better if I had added some empty lines so that the login banner would show up below the MOTD banner.

Exec banner

The exec banner is shown just before the exec prompt:

```
R1(config)#banner exec #
Enter TEXT message.  End with the character '#'.
You are connected to line $(line) at router $(hostname)
#
```

This time I added an extra line in the banner and I also used some operators like $(line) and $(hostname). Let's see what that looks like:

```
R1#exit

R1 con0 is now available

Press RETURN to get started.

Authorized users only, violaters will be shot on sight!

You are connected to line 0 at router R1
```

As you can see it shows to which line I am connected (line 0 is the console) and the hostname of my router (R1). One more banner to go!

Banner incoming

The last banner is used for reverse telnet connections. Reverse telnet can be used to access the console of another device by connecting the AUX port of the router to the console port of another router. This allows you to 'telnet' into the console port of another router.

```
R1(config)#banner incoming $
Enter TEXT message.
End with the character '$'.
This is a banner for Reverse Telnet$
```

We'll have to configure the AUX port in order to test it:

```
R1(config)#line aux 0
R1(config-line)#transport input telnet
```

We will enable telnet on the aux port; now we'll have to check what line our AUX port uses:

```
R1#show line
*Mar  1 01:48:09.495: %SYS-5-CONFIG_I: Configured from console by console
R1#show line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    -    -      2       1     0/0       -
    97 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
    98 VTY              -    -      -    -    -      2       0     0/0       -
    99 VTY              -    -      -    -    -      0       0     0/0       -
   100 VTY              -    -      -    -    -      0       0     0/0       -
   101 VTY              -    -      -    -    -      0       0     0/0       -
   102 VTY              -    -      -    -    -      0       0     0/0       -
```

Now we can reverse telnet to the AUX port like this:

```
R1#telnet 1.1.1.1 6097
Trying 1.1.1.1, 6097 ... Open

Authorized users only, violaters will be shot on sight!  This is a banner for Reverse Telnet
```

As you can see it presents us the "incoming banner". I hope this has been helpful to you to understand the banners!

Configurations

R1

Want to take a look for yourself? Here you will find the configuration of R1.

```
hostname R1
!
banner exec ^C
You are connected to line $(line) at router $(hostname)
^C
banner incoming ^C
This is a banner for Reverse Telnet
^C
banner login ^C
Authenticate yourself!
^C
banner motd ^C
Authorized users only, violaters will be shot on sight!
^C
!
end
```

Cisco IOS Syslog Messages

Even if you have never heard of syslog before, you probably have seen it when you worked on a router or switch. Take a look at the following lines:

```
R1#
*Feb 14 09:38:48.132: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Feb 14 09:40:09.325: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Feb 14 09:40:10.326: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
```

Whenever anything interesting is happening on the router or switch, Cisco IOS informs us in real time. This is done by syslog.

By default, these syslog messages are only output to the console.
This is because the logging console command is enabled by default. If you log in through telnet or SSH, you won't see any syslog messages. You can enable this with the terminal monitor command.

Storing Syslog Messages

Local History

Logging to the console or telnet/SSH is useful if you are around but what if you are not, or if you want to see some older messages? Fortunately for us, Cisco IOS keeps a history of syslog messages. We can see these with the show logging command:

```
R1#show logging
Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level debugging, 34 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 34 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (8192 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 38 message lines logged
        Logging Source-Interface:       VRF Name:

Log Buffer (8192 bytes):

*Mar  1 00:00:01.137: %VIRTIO-3-INIT_FAIL: Failed to initialize device, PCI 0/6/0/1002 , device is disabled, not supported
*Mar  1 00:00:01.381: %ATA-6-DEV_FOUND: device 0x1F0
*Mar  1 00:00:08.485: %ATA-6-DEV_FOUND: device 0x171
*Mar  1 00:00:08.704: %NVRAM-5-CONFIG_NVRAM_READ_OK: NVRAM configuration 'flash:/nvram' was read from disk.
*Feb  8 08:51:58.706: %PA-3-PA_INIT_FAILED: Performance Agent failed to initialize (Missing Data License)
*Feb  8 08:52:05.064: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Feb  8 08:52:05.068: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
```

Above we can see some syslog messages in our history; the router will store up to 8192 bytes of syslog messages in its RAM. When you reboot your router or switch, the history will be gone.
It is possible to increase the size of the logging buffer. For example:

```
R1(config)#logging buffered 16384
```

This reserves up to 16384 bytes of RAM for syslog messages. We can see it here:

```
R1#show logging | include Log Buffer
Log Buffer (16384 bytes):
```

Syslog Server

A local history is nice but it is stored in RAM. If you reboot the router or switch, it will be gone. What if the router crashed and you want to see if it logged anything before it went down? If you have dozens of routers and switches, logging into each device one by one to look for syslog messages is also not the best way to spend your time.

In production networks, we use a central server called a syslog server. Syslog is a protocol, a standard, and you can configure your routers and switches to forward syslog messages to the syslog server like this:

```
R1(config)#logging 192.168.1.2
```

Here's a screenshot of a syslog server:

Above you can see some syslog messages from 192.168.1.1 (my router). You can also use filters to search for certain syslog messages and more.

If you want to test a syslog server in your lab, you can try the Adiscon LogAnalyzer for free.

Syslog Message Format

Let's take a closer look at one of the syslog messages:

```
R1#
*Feb 14 09:40:10.326: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
```

Above we can see that the line protocol of interface GigabitEthernet0/1 went up but there's a bit more info than just that. Let me break down how Cisco IOS formats these log messages:

- timestamp: Feb 14 09:40:10.326
- facility: %LINEPROTO
- severity level: 5
- mnemonic: UPDOWN
- description: Line protocol on Interface GigabitEthernet0/1, changed state to up

The timestamp is pretty much self-explanatory; without it you would never know when an event has occurred. It is possible to disable it and/or replace it with sequence numbers.
Here's a quick example:

```
R1(config)#no service timestamps
R1#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
```

Here's how to enable sequence numbers:

```
R1(config)#service sequence-numbers
R1#
000045: %SYS-5-CONFIG_I: Configured from console by console
000046: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
```

The facility is basically the process that generated the syslog message. If you look at some of the syslog messages above, you can see %LINEPROTO which keeps track of line protocols, %SYS for general system messages and %LINK for interfaces that went up or down.

The severity level is an important one: it tells us how important the message is. Not everything that happens on your router or switch is equally important. I'll get back to this in a bit.

The mnemonic is a short code for the message. For example, "UPDOWN" for interfaces that go up or down, "CHANGED" for when the interface status changes and so on. These can be useful if you are glancing over some syslog messages, looking for particular message types.

Syslog Severity Levels

Let's take a closer look at the severity levels. There are different severity levels for logging information. An interface that goes down is probably more important to know than a message that tells us we exited the global configuration. In total there are 8 severity levels:

0. Emergency
1. Alert
2. Critical
3. Error
4. Warning
5. Notice
6. Informational
7. Debug

The lower the number, the more important the syslog message is. Alert and emergency are used when something bad is going on, like when your router runs out of memory and a process crashes. The critical, error and warning messages are used for important events like interfaces that go down. Here's an example:

```
R1#
*Feb 14 12:02:38: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
```

Above you can see the 5 for an interface that was administratively shut down.
Here's an interface that is back up:

```
R1#
*Feb 14 12:03:36: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
```

This is considered an important event with severity level 3.

If you are debugging something on the router, then you probably want to see your debug messages on your console but maybe you don't want to send those same messages to your syslog server or to the router's local syslog history. Cisco IOS allows you to define what syslog messages you want to see, save or send to the syslog server. For example:

```
R1(config)#logging console ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  discriminator  Establish MD-Console association
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  filtered       Enable filtered logging
  guaranteed     Guarantee console messages
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  xml            Enable logging in XML
  <cr>
```

With the logging console command, I can decide what severity levels I want to see on the console.
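To make the message format and the severity threshold concrete, here is an added example (my own code, not part of the original lesson) that parses IOS syslog lines in the three shapes shown above (timestamped, sequence-numbered and bare) into their facility, severity, mnemonic and description, and then applies the same "this level or more important" rule that logging console, logging buffered and logging trap use. The sample lines are constructed from the messages on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the formats this lesson shows:
# "*Mon dd hh:mm:ss[.mmm]: " timestamp, "000045: " sequence number, or neither.
SAMPLE_LINES = [
    "*Feb 14 09:40:09.325: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "*Feb 14 09:40:10.326: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
    "000045: %SYS-5-CONFIG_I: Configured from console by console",
    "%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down",
    "*Feb 14 12:03:36: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:enable secret *****",
]

# The keyword-to-number mapping printed by "logging console ?".
LEVEL_KEYWORDS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# %FACILITY-SEVERITY-MNEMONIC: description, with optional prefixes.
MESSAGE_RE = re.compile(
    r"^(?:(?P<seq>\d{6}):\s+)?"                       # service sequence-numbers
    r"(?:(?P<ts>\*?[A-Z][a-z]{2}\s+\d{1,2}\s+"        # "*Feb 14 " ('*' = clock not synced)
    r"\d{2}:\d{2}:\d{2}(?:\.\d{3})?):\s+)?"           # "09:40:10.326: " (msec optional)
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)


@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    description: str
    timestamp: Optional[str] = None
    sequence: Optional[int] = None


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Split one IOS syslog line into its fields; None if it is not a syslog line."""
    match = MESSAGE_RE.match(line.strip())
    if not match:
        return None
    return SyslogMessage(
        facility=match.group("facility"),
        severity=int(match.group("severity")),
        mnemonic=match.group("mnemonic"),
        description=match.group("description"),
        timestamp=match.group("ts"),
        sequence=int(match.group("seq")) if match.group("seq") else None,
    )


def level_threshold(level: str) -> int:
    """Accept either the keyword ("warnings") or the number ("4") IOS allows."""
    if level.isdigit() and 0 <= int(level) <= 7:
        return int(level)
    return LEVEL_KEYWORDS[level]


def filter_by_level(lines: List[str], level: str) -> List[SyslogMessage]:
    """Keep messages at the configured severity or more important (lower number),
    which is what "logging buffered warnings" or "logging trap informational" do."""
    threshold = level_threshold(level)
    parsed = (parse_message(line) for line in lines)
    return [msg for msg in parsed if msg is not None and msg.severity <= threshold]


def dispatch(lines: List[str], destinations: Dict[str, str]) -> Dict[str, int]:
    """Count how many lines each destination (console, buffered, trap) would receive."""
    return {dest: len(filter_by_level(lines, level)) for dest, level in destinations.items()}


if __name__ == "__main__":
    # Same thresholds as configured later in this lesson.
    config = {"console": "debugging", "buffered": "warnings", "trap": "informational"}
    for dest, count in dispatch(SAMPLE_LINES, config).items():
        print(f"{dest:9s} level {config[dest]:14s} -> {count} of {len(SAMPLE_LINES)} messages")
    for line in SAMPLE_LINES:
        msg = parse_message(line)
        print(f"{msg.facility:10s} sev={msg.severity} {msg.mnemonic:18s} seq={msg.sequence} ts={msg.timestamp}")
```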
The default is to show everything up to debug messages which is fine:

```
R1(config)#logging console debugging
```

I can do the same thing for syslog messages when you are logged in through telnet or SSH:

```
R1(config)#logging monitor debugging
```

Since the local storage of the router or switch is limited, perhaps you want to store only warnings and higher severity levels:

```
R1(config)#logging buffered warnings
```

You can verify this with the following command:

```
R1#show logging history
Syslog History Table:1 maximum table entries,
saving level warnings or higher
 44 messages ignored, 0 dropped, 0 recursion drops
 12 table entries flushed
 SNMP notifications not enabled
   entry number 13 : LINK-3-UPDOWN
    Interface FastEthernet0/1, changed state to up
    timestamp: 41783579
```

And to our syslog server, let's send everything except debugging messages:

```
R1(config)#logging trap informational
```

Conclusion

You have now learned:

- What syslog is and what syslog messages look like.
- How to send syslog messages to a buffer in RAM or to an external syslog server.
- What the structure of a syslog message is.
- The different severity levels of syslog messages.
- How to change what severity levels you show for the console, terminal lines (telnet or SSH) and to the external syslog server.

Introduction to SNMP

Imagine you have a large network that has many switches and routers, a dozen servers and hundreds of workstations...wouldn't it be great if you could monitor all those devices somehow? Using an NMS (Network Management System) it's possible to monitor all devices in your network. Whenever something bad happens (like an interface that goes down) you will receive an e-mail or text message on your phone so you can respond to it immediately.

Sounds good?

Back in the 80s some smart folks figured out that we should have something to monitor all IP based network devices. The idea was that most devices like computers, printers and routers share some characteristics.
They all have an interface, an IP address, a hostname, buffers and so on.

They created a database with variables that could be used to monitor different items of network devices and this resulted in SNMP (Simple Network Management Protocol).

SNMP runs on the application layer and consists of an SNMP manager and an SNMP agent. The SNMP manager is the software that is running on a PC or server that will monitor the network devices; the SNMP agent runs on the network device.

The database that I just described is called the MIB (Management Information Base) and an object could be the interface status on the router (up or down) or perhaps the CPU load at a certain moment. An object in the MIB is called an OID (Object Identifier).

The SNMP manager will be able to send periodic polls to the router and it will store this information. This way it's possible to create graphs to show you the CPU load or interface load from the last 24 hours, week, month or whatever you like.

It's also possible to configure your network devices through SNMP. This might be useful to configure a large number of switches or routers from your network management system so you don't have to telnet/ssh into each device separately to make changes.

The packet that we use to poll information is called an SNMP GET message and the packet that is used to write a configuration is an SNMP SET message.

Network Management System

To give you an example of what an NMS looks like, I'll show you some screenshots of Observium.

Observium is a free SNMP based network monitoring platform which can monitor Cisco, Linux, Windows and some other devices. It's easy to install so if you never worked with SNMP or monitoring network devices before I can highly recommend giving it a try. You can download it from the Observium website.

SNMP Messages

All the information that Observium shows us is retrieved by using SNMP GET messages:

The NMS will send SNMP GET messages to request the current state of certain OIDs every few minutes or so.
This is great for monitoring the temperature or traffic statistics but the downside of using these SNMP GET messages is that it might take a few minutes for the NMS to discover that an interface is down.

Besides using SNMP GET messages, an SNMP agent can also send SNMP traps. A trap is a notification that is sent immediately as soon as something occurs, for example an interface that goes down:

As soon as something bad happens (like the interface that goes down) the SNMP agent will send an SNMP trap immediately to the NMS. The NMS will respond by sending you an e-mail, text message or a notification on the screen.

These SNMP trap messages sound like a good idea but there's one problem with them...there is no acknowledgment for the SNMP trap, so you never know if the trap made it to the NMS or not. SNMP version 3 deals with this problem with an alternative message which uses an acknowledgment called the inform message.

OID (Object Identifier)

We can use an NMS to monitor one of our network devices but how do we know exactly what to monitor? There are so many things we could check for...a single interface on a router has over 20 things we could check: input/output errors, sent/received packets, interface status, and so on. Each of these things to check has a different OID (Object Identifier).

Since there are so many OIDs, the MIB is organized into a hierarchy that looks like a tree. In this tree you will find a number of branches with OIDs that are based on RFC standards but you will also find some vendor specific variables. Cisco for example, has variables to monitor EIGRP and other Cisco protocols.

Let me give you an example of this tree by showing where the 'hostname' and 'domainname' objects are located. These objects can be used to discover the hostname and domainname of the router.

The tree starts with the "iso" branch and then we drill our way down to org, dod, internet, private, enterprises, cisco, local, lcpu and there we find the hostname and domainname objects.
Note that the branches have numbers; instead of typing out the names I can just use the numbers. 1.3.6.1.4.1.9.2.1.3 refers to the hostname object and 1.3.6.1.4.1.9.2.1.4 to the domainname object.

The MIB is huge and knowing where to find the right objects can be troublesome. That's why most NMSes have a GUI that lets you select what you want to monitor without having to worry about the object numbers.

If you want to test SNMP you don't have to install an NMS: you can use snmpget, a free command-line tool that is part of the Net-SNMP suite. Here's an example where I use a Linux host to query a router that has been configured for SNMP:

# snmpget -v2c -c MYSTRING 192.168.1.1 1.3.6.1.4.1.9.2.1.3.0
iso.3.6.1.4.1.9.2.1.3.0 = STRING: "Router"

The community string I used is MYSTRING, the IP address of the router is 192.168.1.1 and the object I'm interested in is 1.3.6.1.4.1.9.2.1.3 (the trailing .0 selects the single instance of this scalar object). As a result the router reports its hostname. Here's another example for the domainname:

# snmpget -v2c -c MYSTRING 192.168.1.1 1.3.6.1.4.1.9.2.1.4.0
iso.3.6.1.4.1.9.2.1.4.0 = STRING: "localdomain"

I didn't configure a domain name on this router, so the result is "localdomain".

SNMP Versions

SNMP has three versions:

Version 1
Version 2c
Version 3

Version 1 is so old that it's unlikely you will encounter it on a production network. Versions 1 and 2c both use community strings as the password that authenticates access to the SNMP agent. These community strings are sent in clear text, which makes SNMP version 1 and 2c very insecure: anyone who can capture the traffic learns the community string, and a read-write community string then gives them the same configuration access the NMS has. If you must run version 2c, use read-only communities where possible, bind each community to an access list so only the NMS can use it, and pick a string that cannot be guessed.

SNMP version 3 is the better choice nowadays because it supports user-based authentication instead of a community string and also supports encryption.
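Before looking at the SNMPv3 security levels, it helps to see what "sent in clear text" means on the wire. The following Python script is an added example, not code from the original lesson: it hand-builds the SNMPv2c GetRequest that the snmpget command above sends, BER-encoded from scratch, and then reads the community string and the requested OID straight back out of the raw bytes, which is all a passive sniffer has to do. The community string and OIDs are the lesson's own values; the request ID is an arbitrary choice, and the ifInUcastPkts instance with ifIndex 10006 is included only to exercise the multi-byte arc encoding that the lesson's short OIDs never need.

```python
def _ber_length(n):
    """BER length octets: short form below 128, else 0x80|count followed by big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_length(len(payload)) + payload


def encode_oid(oid):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b, remaining
    arcs base-128 with the high bit set on every octet but the last."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        octets = [arc & 0x7F]
        arc >>= 7
        while arc:
            octets.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(octets))
    return tlv(0x06, bytes(body))


def decode_oid(payload):
    """Inverse of encode_oid for the value octets (without tag and length)."""
    arcs = [payload[0] // 40, payload[0] % 40]
    value = 0
    for octet in payload[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_int(n):
    """INTEGER (tag 0x02), two's complement, minimal length."""
    length = max(1, (n.bit_length() + 8) // 8)
    return tlv(0x02, n.to_bytes(length, "big", signed=True))


def build_get_request(community, oid, request_id=1, version=1):
    """SNMP GetRequest: SEQUENCE { version INTEGER, community OCTET STRING, GetRequest-PDU }.
    On the wire version 0 is SNMPv1 and 1 is SNMPv2c; the community is a plain OCTET STRING."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))            # VarBind: OID, NULL value
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0)            # request-id, error-status
              + encode_int(0) + tlv(0x30, varbind))                   # error-index, VarBindList
    return tlv(0x30, encode_int(version) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, value, position after this element) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def sniff_request(packet):
    """What a passive observer recovers from any v1/v2c GetRequest: (community, requested OID)."""
    tag, msg, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _, pos = read_tlv(msg)                       # version
    tag, community, pos = read_tlv(msg, pos)        # community string, unprotected
    if tag != 0x04:
        raise ValueError("expected community OCTET STRING")
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0xA0:
        raise ValueError("not a GetRequest-PDU")
    p = 0
    for _ in range(3):                              # skip request-id, error-status, error-index
        _, _, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    _, first, _ = read_tlv(varbinds)
    _, oid, _ = read_tlv(first)
    return community.decode(), decode_oid(oid)


if __name__ == "__main__":
    pkt = build_get_request("MYSTRING", "1.3.6.1.4.1.9.2.1.3.0")
    print(pkt.hex())
    print(sniff_request(pkt))
```

Sending the packet with a plain UDP socket to port 161 of a router configured as in the lesson would get you the hostname back; the point here is that the community string sits in the datagram as a literal OCTET STRING with no hashing or encryption around it, so any packet capture on the path is a credential disclosure.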
There are three security levels:

noAuthNoPriv: a username, but no authentication and no encryption.
authNoPriv: MD5 or SHA authentication but no encryption.
authPriv: MD5 or SHA authentication and encryption.

Even if you decide to use SNMP version 3 without authentication or encryption, you can still track activity down to a username.

Conclusion

In this lesson you have learned how SNMP allows us to monitor our network devices. The only thing left is to configure this on your network devices, which I have covered in other lessons:

How to configure SNMPv2 on Cisco IOS router.
How to configure SNMPv3 on Cisco IOS router.

I hope you enjoyed this lesson. If you have any questions, feel free to leave a comment.

How to configure SNMPv2 on Cisco IOS Router

Besides syslog there is another method to send logging information to an external server. SNMP (Simple Network Management Protocol) can be used to collect statistics from network devices, including Cisco routers and switches.

SNMP consists of two items:

NMS (Network Management System)
SNMP agents

The NMS is the external server where you want to store the information. The SNMP agents run on the network devices that we want to monitor. The NMS can query an SNMP agent to collect information from the network device. SNMP has multiple versions, the most popular being:

SNMP version 2c
SNMP version 3

SNMP version 3 offers security through authentication and encryption, which SNMP version 2c does not. SNMP version 2c is nevertheless still pretty common. Let me show you a simple example for SNMP version 2c:

Router(config)#snmp-server community TSHOOT ro

First we have to configure a community string. Think of this as a password that the SNMP agent and NMS have to agree upon. I called mine "TSHOOT". The ro stands for read-only. SNMP isn't just for retrieving information; we can also use it to configure our network devices, which is what a community configured with rw (read-write) instead of ro would allow.
Let's continue:

Router(config)#snmp-server location Amsterdam
Router(config)#snmp-server contact info@

These two steps are not required, but it's useful to specify a location and contact so you at least know where the device is located and who is responsible for it when you receive information about it through SNMP.

The messages that the SNMP agent sends to the NMS on its own initiative are called SNMP traps. We want to send these to the external server, so I'll configure the IP address of the SNMP server:

Router(config)#snmp-server host 192.168.12.2 version 2c TSHOOT

I also have to specify the SNMP version and the community string. Last but not least, let's activate the traps:

Router(config)#snmp-server enable traps

If you use the snmp-server enable traps command without any keywords, it enables all SNMP traps:

Router#show run | include traps
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps casa
snmp-server enable traps xgcp
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2

This is only a portion of what you'll see in the running configuration. Enabling everything is a fine way to test SNMP, but on a production network it's better to look at the different traps and enable only the ones you need. One of the traps in the example above is related to EIGRP: if anything happens with the EIGRP routing protocol, an SNMP trap will be sent towards the SNMP server. The "snmp authentication" trap on the first line is worth keeping in any case; it fires when someone presents a wrong community string, which makes it a cheap way to notice SNMP scanning against your devices.

How to configure SNMPv3 on Cisco IOS Router

SNMPv3 is similar to SNMPv1 and SNMPv2c but has a completely different security model. SNMPv1 and SNMPv2c use a community string as the password, and there is no real authentication or encryption. SNMPv3 is able to use both authentication and encryption and has a security model that works with users, groups and three different security levels.
Users are assigned to a group, and access policies are applied to the group so you can determine which groups have read or read-write access and which MIBs (Management Information Bases) they should be able to access.

Security Levels

SNMP offers three different security levels:

noAuthNoPriv
AuthNoPriv
AuthPriv

Auth stands for Authentication and Priv for Privacy (encryption).

noAuthNoPriv = no authentication and no encryption.
AuthNoPriv = authentication but no encryption.
AuthPriv = authentication AND encryption.

SNMPv1 and SNMPv2c only support noAuthNoPriv since they don't offer any authentication or encryption. SNMPv3 supports any of the three security levels. When you use noAuthNoPriv for SNMPv3, the username simply replaces the community string.

The community string for SNMPv1 and SNMPv2c is sent in clear text. SNMPv3 is far more secure because it doesn't send the user passwords at all: authentication is an MD5- or SHA-1-based HMAC over each message, and encryption is done using DES, 3DES or AES. MD5 and DES are weak by today's standards, so use SHA with AES wherever your platform and NMS support it.

Let's take a look at a simple SNMPv3 configuration example on a Cisco IOS router.

Configuration Example

First we'll create a new group and select a security model:

R1(config)#snmp-server group MYGROUP ?
  v1   group using the v1 security model
  v2c  group using the v2c security model
  v3   group using the User Security Model (SNMPv3)

We'll call our group "MYGROUP" and of course we'll select SNMPv3 as the security model. The next step is to select the security level:

R1(config)#snmp-server group MYGROUP v3 ?
  auth    group using the authNoPriv Security Level
  noauth  group using the noAuthNoPriv Security Level
  priv    group using SNMPv3 authPriv security level

By using the priv parameter we select the AuthPriv security level. There are a number of further options for the group:

R1(config)#snmp-server group MYGROUP v3 priv ?
  access   specify an access-list associated with this group
  context  specify a context to associate these views for the group
  match    context name match criteria
  notify   specify a notify view for the group
  read     specify a read view for the group
  write    specify a write view for the group
  <cr>

The first item is the access list; you can use this to select which IP addresses or subnets are permitted to use this group, and it is worth setting even when you use AuthPriv, so that only your NMS can talk to the agent at all. Optionally you can select views:

If you don't specify a read view then all MIB objects are readable. Use a read view if you want to limit the MIBs that your NMS (Network Management System) can monitor.
Without a write view nothing is writable; you have read-only access.
The notify view controls which objects can be sent in notifications to members of the group. If you don't specify one, notifications are disabled by default.

To keep this example simple we won't use any views for now, which means we'll have full read access to all MIBs:

R1(config)#snmp-server group MYGROUP v3 priv

The next step is to create a user account:

R1(config)#snmp-server user MYUSER MYGROUP v3 auth md5 MYPASS123 priv aes 128 MYKEY123
Configuring snmpv3 USM user, persisting snmpEngineBoots. Please Wait...

We create a new user called "MYUSER" and assign it to the "MYGROUP" group. We use SNMPv3 as the security model and MD5 for authentication; this user will use "MYPASS123" as the authentication password. Encryption is done using 128-bit AES and the privacy password is "MYKEY123". Note that the router does not keep these passwords as such: it derives keys from them that are tied to its own SNMP engine ID, which is why the command persists snmpEngineBoots.

This router is now SNMPv3 enabled and we can monitor it using SNMPv3 from an NMS.
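To make the last point concrete, here is an added Python example (not from the original lesson) of the RFC 3414 key derivation that both the router and the NMS perform: the password is stretched into a key Ku, then localized with the agent's snmpEngineID into Kul, and only Kul is ever used to HMAC a message. The engine ID 800000090300C200128F0000 is the one that show snmp user reports for R1 in the verification section below; the second engine ID is a constructed neighbour, and the "maplesyrup" values are the test vectors from RFC 3414 Appendix A.3.

```python
import hashlib
import hmac

ONE_MIB = 1048576


def password_to_key(password, hash_name):
    """RFC 3414 A.2 password-to-key: digest exactly 1 MiB of the password repeated end to end.
    The repetition adds some work per guess, but a short password is still brute-forceable
    offline by anyone who captured one authenticated message and knows the engine ID."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, stream).digest()


def localize_key(password, engine_id, hash_name):
    """Kul = H(Ku || snmpEngineID || Ku): the per-device key the agent actually stores."""
    ku = password_to_key(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_params(localized_key, message, hash_name):
    """msgAuthenticationParameters: the first 12 bytes of an HMAC over the whole message
    (HMAC-MD5-96 / HMAC-SHA-96) keyed with Kul. The password itself never leaves the host."""
    return hmac.new(localized_key, message, hash_name).digest()[:12]


# Engine ID of R1 from the lesson's show snmp user output; the other one is constructed.
R1_ENGINE_ID = bytes.fromhex("800000090300C200128F0000")
OTHER_ENGINE_ID = bytes.fromhex("800000090300C200128F0001")

if __name__ == "__main__":
    # Same password, different engine IDs: different keys on the wire and in the agent.
    for engine_id in (R1_ENGINE_ID, OTHER_ENGINE_ID):
        print(engine_id.hex(), localize_key(b"MYPASS123", engine_id, "md5").hex())
```

Two practical consequences follow from this: the engine ID is sent in the clear in every SNMPv3 message, so localization is not a secret, only a binding; and because the same password yields a different Kul on every device, a key dumped from one agent does not work against another, whereas the password (if weak) can be recovered from either.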
Let's see if we can get access.

Verification

User accounts are not stored in the running configuration; take a look below:

R1#show running-config | incl snmp
snmp-server group MYGROUP v3 priv

Above you only see the group configuration. User accounts can be found with another command:

R1#show snmp user
User name: MYUSER
Engine ID: 800000090300C200128F0000
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: MYGROUP

Here you can see the username, the security options and to which group the user belongs. The engine ID shown here is what the user's keys are localized to, which is why a user created on R1 only works for R1. We can also check the group configuration:

R1#show snmp group
groupname: ILMI                             security model:v1
readview : *ilmi                            writeview: *ilmi
notifyview: <no notifyview specified>
row status: active

groupname: ILMI                             security model:v2c
readview : *ilmi                            writeview: *ilmi
notifyview: <no notifyview specified>
row status: active

groupname: MYGROUP                          security model:v3 priv
readview : v1default                        writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

Above you can see our group "MYGROUP" and that it uses the default read view. If you are a Linux user you can use the excellent snmpwalk command-line utility to test whether your router can be accessed using SNMP.
It works for SNMPv1, v2c and v3:

rene@linux ~ $ snmpwalk -v3 -u MYUSER -l AuthPriv -a md5 -A MYPASS123 -x aes -X MYKEY123 192.168.82.138
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T8, RELEASE SOFTWARE (fc1)
Technical Support: (c) 1986-2012 by Cisco Systems,
Compiled Sun 09-Sep-12 04:01 by prod_rel_team"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.1.576
iso.3.6.1.2.1.1.3.0 = Timeticks: (27513) 0:04:35.13
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "R1.rmcs.local"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 78
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.4.1.9.7.129
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.4.1.9.7.115
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.4.1.9.7.265
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.4.1.9.7.112
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.4.1.9.7.106
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.4.1.9.7.47
[output omitted]

The walk starts with the standard system group: sysDescr, sysObjectID, sysUpTime, sysContact, sysName and sysLocation. Note how much sysDescr gives away, the exact IOS image and version; that is one more reason to limit who can query the agent. Also, passing the passphrases with -A and -X puts them in your shell history and in the process list; Net-SNMP can read them from its snmp.conf instead.

RMON Absolute vs Delta

RMON can be used to monitor certain SNMP MIB objects and generate an event when a threshold is crossed. One of the things you have to decide when configuring RMON is whether to use absolute or delta sampling. In short, this is the difference between the two:

Delta: the alarm compares the change between two consecutive samples. Use it for values that always increase (or always decrease).
Absolute: the alarm compares the sampled value itself. Use it for values that go up and down.

Delta should be used for counters that only ever increase, such as interface counters: input errors, CRC errors, output packets, interface resets and so on. These values only increase unless you reset the interface counters. I can't think of any counters on a Cisco router or switch that always decrease.

Absolute should be used for values that increase or decrease over time; a good example is CPU usage.
You probably want to receive a notification each time the CPU load hits a certain threshold (say 85%) and another notification when it drops below a lower threshold (10% or so). This is absolute sampling.

Another example of absolute sampling is the input or output rate of an interface, since this goes up and down over time. At one moment it might be 10,000 bits/sec, 10 minutes later 5,000 bits/sec and 45 minutes later 20,000 bits/sec.

I hope this helps you understand the difference between the two. If you need more examples, just leave a comment.

RMON Configuration Example

In this lesson we'll take a look at a simple RMON configuration where we want to receive an SNMP trap when an interface receives more than 200 unicast packets in a sampling interval and another trap when it receives fewer than 10. When this occurs, the router sends an SNMP trap to an SNMP server. I will use the following topology:

Just two routers. I will configure R1 to use RMON and we'll use R2 to generate traffic so we can test things.

Configuration

First I'll configure the SNMP server that should receive the trap. There is no actual server in this example, but that doesn't matter:

R1(config)#snmp-server host 192.168.12.254 MYTRAPS

I'll use a community called "MYTRAPS". We can use the ifInUcastPkts MIB object to track the number of unicast packets, but we need to check the interface index first:

R1#show snmp mib ifmib ifindex
FastEthernet0/0: Ifindex = 1
Null0: Ifindex = 4
VoIP-Null0: Ifindex = 3
FastEthernet0/1: Ifindex = 2

I want to monitor the FastEthernet0/0 interface as it's connected to R2.
Now we can create an alarm:

R1(config)#rmon alarm 1 ifInUcastPkts.1 10 delta rising-threshold 200 1 falling-threshold 10 2

The command above requires some explanation:

First we create an alarm with index 1.
Then I refer to MIB object ifInUcastPkts.1, where the .1 is the ifIndex of FastEthernet0/0.
The "10" is the sampling interval in seconds.
Delta means we use delta sampling instead of absolute sampling. If you don't know the difference, take a look at my delta vs absolute lesson.
The rising-threshold is set to 200 packets; when the delta reaches it, the alarm triggers event 1.
The falling-threshold is set to 10 packets; when the delta drops to it, the alarm triggers event 2.

With the alarm in place we can configure the events that should occur when the thresholds are crossed:

R1(config)#rmon event 1 trap MYTRAP description "Above 200"
R1(config)#rmon event 2 trap MYTRAP description "Below 10"

The first event generates an SNMP trap with description "Above 200" and the second event generates a trap that says "Below 10". Note that these events use the community MYTRAP while the snmp-server host was configured with MYTRAPS; if traps never show up at your NMS, check that the two match.

Verification

Let's see if our configuration is working:

R2#ping 192.168.12.1 repeat 10000 timeout 0
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 192.168.12.1, timeout is 0 seconds:
......................................................................

I send some quick pings from R2 towards R1. This is what you will see on R1:

R1#
%RMON-5-RISINGTRAP: Rising trap is generated because the value of ifInUcastPkts.1 exceeded the rising-threshold value 200

As you can see it sends a trap because it received more than 200 packets in one sampling interval. It fires only once, even though every interval during the ping flood exceeds 200: RMON will not generate another rising event until the value has first come down to the falling threshold.
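That once-per-crossing behaviour is the RMON alarm rule from RFC 2819: after a rising event, no further rising event is generated until the value has reached the falling threshold, and vice versa. The following Python model of an RMON alarm is an added example, not part of the original lesson. It replays constructed readings (the numbers are made up; the thresholds are the lesson's) through the delta and absolute rules and returns which events fire, and it also shows why absolute sampling is the wrong choice for an ever-increasing counter like ifInUcastPkts.

```python
RISING, FALLING = "rising", "falling"


class RmonAlarm:
    """Model of one RMON alarmEntry (RFC 2819 alarm group).

    Every reading is reduced to a value (the raw reading for absolute sampling,
    the difference from the previous reading for delta sampling) and compared
    with both thresholds. Each event fires at most once until the opposite
    threshold has been crossed, matching the "On startup enable rising or
    falling alarm" line that show rmon alarms prints.
    """

    def __init__(self, sample_type, rising_threshold, falling_threshold):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if falling_threshold >= rising_threshold:
            raise ValueError("falling threshold must be below rising threshold")
        self.sample_type = sample_type
        self.rising = rising_threshold
        self.falling = falling_threshold
        self.previous_raw = None      # last raw reading, needed for delta sampling
        self.last_event = None        # None until the first event fires

    def sample(self, raw):
        """Feed one reading; return RISING, FALLING or None."""
        if self.sample_type == "delta":
            if self.previous_raw is None:
                self.previous_raw = raw
                return None           # a delta needs two readings
            value = raw - self.previous_raw
            self.previous_raw = raw
        else:
            value = raw
        if value >= self.rising and self.last_event != RISING:
            self.last_event = RISING
            return RISING
        if value <= self.falling and self.last_event != FALLING:
            self.last_event = FALLING
            return FALLING
        return None


def run_alarm(sample_type, rising, falling, readings):
    """Replay readings through one alarm; return [(reading_index, event), ...]."""
    alarm = RmonAlarm(sample_type, rising, falling)
    events = []
    for i, raw in enumerate(readings):
        event = alarm.sample(raw)
        if event:
            events.append((i, event))
    return events


# Constructed ifInUcastPkts.1 readings taken every 10 s: idle, ping flood, idle, flood again.
COUNTER_READINGS = [1000, 1005, 1300, 1700, 2000, 2005, 2006, 2300]
# Constructed CPU-load readings in percent, thresholds 85 / 10 as in the delta-vs-absolute lesson.
CPU_READINGS = [20, 90, 95, 50, 5, 3, 88]

if __name__ == "__main__":
    print("delta on counter:   ", run_alarm("delta", 200, 10, COUNTER_READINGS))
    print("absolute on counter:", run_alarm("absolute", 200, 10, COUNTER_READINGS))
    print("absolute on CPU:    ", run_alarm("absolute", 85, 10, CPU_READINGS))
```

With delta sampling the counter readings produce a falling event while idle, one rising event for the whole flood, a falling event when it stops and a second rising event for the second flood. With absolute sampling on the same counter the very first reading is already above 200, one rising event fires, and since a counter never comes back below 10 you will never hear from that alarm again.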
Once the pings stop and we don't receive any more traffic you will see another message on R1:

R1#
%RMON-5-FALLINGTRAP: Falling trap is generated because the value of ifInUcastPkts.1 has fallen below the falling-threshold value 10

Show commands

There are a number of show commands you can use to check your configuration:

R1#show snmp host
Notification host: 192.168.12.254    udp-port: 162    type: trap
user: MYTRAPS    security model: v1

Use show snmp host to check your trap destination; it reveals the IP address, the community string and the SNMP version. Since the snmp-server host command was entered without a version keyword, the traps are sent as version 1.

R1#show rmon alarms
Alarm 1 is active, owned by config
 Monitors ifInUcastPkts.1 every 10 second(s)
 Taking delta samples, last value was 0
 Rising threshold is 200, assigned to event 1
 Falling threshold is 10, assigned to event 2
 On startup enable rising or falling alarm

Above you can see the RMON alarm that we configured.

R1#show rmon events
Event 1 is active, owned by config
 Description is Above 200
 Event firing causes trap to community MYTRAP,
 last event fired at 0y0w0d,00:33:40,
 Current uptime 0y0w0d,00:44:19
Event 2 is active, owned by config
 Description is Below 10
 Event firing causes trap to community MYTRAP,
 last event fired at 0y0w0d,00:33:50,
 Current uptime 0y0w0d,00:44:19

And an overview of the events that we are using. I hope this simple example helps you understand RMON. If you have any questions, feel free to ask.

RMON Statistics Collection on Cisco Catalyst Switch

Most network engineers who are familiar with RMON know how to use alarms and events to monitor things like the CPU load hitting a certain threshold or the number of incoming packets on an interface. Cisco Catalyst switches also support RMON features that let you collect more information about the packets that arrive on your interfaces.
If you want to enable this you have two options:

Native mode: analyze the packets that are destined for the interface.
Promiscuous mode: analyze all packets seen on the segment.

You can enable this on switchports (layer 2) or routed ports (layer 3), but not on SVI (switch virtual interface) interfaces. Here's how to enable it on your Catalyst switch:

Switch(config)#interface fastEthernet 0/1
Switch(config-if)#rmon ?
  collection   Configure Remote Monitoring Collection on an interface
  native       Monitor the interface in native mode
  promiscuous  Monitor the interface in promiscuous mode

First you need to decide whether you want native or promiscuous mode. I'll select promiscuous:

Switch(config-if)#rmon promiscuous

The second step is to configure how often and how much statistics we want to collect:

Switch(config-if)#rmon collection history 1 ?
  buckets   Requested buckets of intervals. Default is 50 buckets
  interval  Interval to sample data for each bucket. Default is 1800 seconds
  owner     Set the owner of this RMON collection
  <cr>

The "1" is the RMON collection control index; you can pick any value you like. By default RMON samples data every 1800 seconds, which is a little too long for my example, so I'll reduce it to 5 seconds:

Switch(config-if)#rmon collection history 1 interval 5

Now let's see if my switch has collected anything:

Switch#show rmon statistics
Collection 10006 on FastEthernet0/1 is active, and owned by config,
 Monitors ifIndex.10006 which has
 Received 34577 octets, 441 packets,
 39 broadcast and 395 multicast packets,
 0 undersized and 0 oversized packets,
 0 fragments and 0 jabbers,
 0 CRC alignment errors and 0 collisions.
 # of dropped packet events (due to lack of resources): 0
 # of packets received of length (in octets):
  64: 65, 65-127: 368, 128-255: 5,
  256-511: 1, 512-1023: 2, 1024-1518: 0

Above you see that it has captured 441 packets and it also shows the distribution of packet sizes.
You can also take a look at the samples that RMON has taken so far:

Switch#show rmon history
Entry 1 is active, and owned by
 Monitors ifIndex.10001 every 5 second(s)
 Requested # of time intervals, ie buckets, is 50,
 Sample # 1 began measuring at 04:03:20
  Received 5002 octets, 58 packets,
  4 broadcast and 54 multicast packets,
  0 undersized and 0 oversized packets,
  0 fragments and 0 jabbers,
  0 CRC alignment errors and 0 collisions.
  # of dropped packet events is 0
  Network utilization is estimated at 0
 Sample # 2 began measuring at 04:03:25
  Received 4732 octets, 64 packets,
  3 broadcast and 59 multicast packets,
  0 undersized and 0 oversized packets,
  0 fragments and 0 jabbers,
  0 CRC alignment errors and 0 collisions.
  # of dropped packet events is 0
  Network utilization is estimated at 0

Above you can see the samples that are taken every 5 seconds. You can tell it's working since sample 1 captured 58 packets and sample 2 captured 64 packets 5 seconds later.

That's all I wanted to show you. Hopefully this tutorial has been helpful to you; if you have any questions, feel free to leave a comment.

Introduction to Cisco NetFlow

Network management protocols like SNMP allow us to monitor our network. We can check things like CPU load, memory usage, interface status and even the load on an interface. Other tools like NBAR allow us to see what kind of protocols are used.

One thing we can't do with those tools is track all the flows in our network. A flow is a stream of packets that share the same characteristics: source/destination address, source/destination port, protocol, type of service marking and input interface. NetFlow allows us to track these flows on our network. We can use this information to solve problems like bottlenecks, identify which applications are used, how much bandwidth they use and so on.

For each flow, NetFlow tracks the number of packets sent, bytes sent, packet sizes and more.
You can configure your router to keep track of all flows and export them to a central server where you analyze the traffic.

In this lesson I will show you how to configure NetFlow on a Cisco IOS router and we will take a look at a NetFlow server.

Configuration

This is the topology we will use:

On the left side we have a host that browses the Internet through R1. At the bottom there's an ntop server. This is open source traffic analysis software that supports NetFlow, so if you want to give this a try it's worth checking out.

Configuring ntop is outside the scope of this lesson, so I'll focus on how to configure the router. First we specify the server:

R1(config)#ip flow-export destination 192.168.1.1 2055

The router will export all flows to 192.168.1.1 on UDP destination port 2055. NetFlow supports multiple versions, so if you want to use a specific version, here's how to do it:

R1(config)#ip flow-export version 9

I configure the router to use version 9. Optionally, we can configure which interface the router should source the export packets from:

R1(config)#ip flow-export source FastEthernet 0/0

The last thing we have to do is tell the router on which interfaces to track flows:

R1(config)#interface FastEthernet 0/1
R1(config-if)#ip route-cache flow

I use the ip route-cache flow command for this. When you use this command, it tracks all flows entering the physical interface and all its sub-interfaces. You can also use the ip flow ingress or ip flow egress commands if you only want to enable it on one sub-interface or in one direction.

One caveat before we verify: the export is plain UDP with no authentication or encryption. The collector cannot tell who really sent a record, and anyone on the path can read a full account of who talked to whom, so keep the export path inside your management network.

Everything is now in place; let's verify our work.

Verification

Cisco IOS Router

On our router we can check a couple of things to see if NetFlow is working.
Here's the first command:

R1#show ip flow export
Flow export v9 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Source(1)       192.168.1.254 (FastEthernet0/0)
    Destination(1)  192.168.1.1 (2055)
  Version 9 flow records
  433 flows exported in 28 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

Above you can see the NetFlow version, the source, the destination and how many flows have been exported. With the next command you can see information about the flows themselves:

R1#show ip cache flow
IP packet size distribution (98406 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .013 .000 .001 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .010 .966 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  37 active, 4059 inactive, 680 added
  10154 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
  37 active, 987 inactive, 680 added, 680 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never

Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-WWW            262      0.1       360  1479     41.1       3.2       8.6
TCP-other          153      0.0        21  1014      1.4       2.5       9.2
UDP-other          228      0.0         1   153      0.0       0.0      15.4
Total:             643      0.2       152  1461     42.7       1.9      11.2

SrcIf  SrcIPaddress     DstIf  DstIPaddress   Pr SrcP DstP  Pkts
Fa0/1  52.17.234.27     Fa0/0  10.56.102.41   06 0050 C1AA     1
Fa0/1  23.52.59.27      Fa0/0  10.56.102.41   06 0050 C21D     5
Fa0/1  8.8.8.8          Local  10.56.102.41   11 0035 F244     1
Fa0/1  185.54.150.17    Fa0/0  10.56.102.41   06 0050 C228     3
Fa0/1  8.8.8.8          Local  10.56.102.41   11 0035 D424     1
Fa0/1  8.8.8.8          Local  10.56.102.41   11 0035 D4C1     1
Fa0/1  8.8.8.8          Local  10.56.102.41   11 0035 D4D4     1
Fa0/1  8.8.8.8          Local  10.56.102.41   11 0035 C4F5     1
Fa0/1  8.8.8.8          Local  10.56.102.41   11 0035 E92E     1
Fa0/1  8.8.8.8          Local  10.56.102.41   11 0035 C93C     1
Fa0/1  8.8.8.8          Local  10.56.102.41   11 0035 CD0E     1
Fa0/1  31.22.80.141     Fa0/0  10.56.102.41   06 0050 C21F    46
Fa0/1  31.22.80.141     Fa0/0  10.56.102.41   06 0050 C225    40
Fa0/1  31.22.80.141     Fa0/0  10.56.102.41   06 0050 C224    36
Fa0/1  31.22.80.141     Fa0/0  10.56.102.41   06 0050 C223    42
Fa0/1  31.22.80.141     Fa0/0  10.56.102.41   06 0050 C222    48
Fa0/1  31.22.80.141     Fa0/0  10.56.102.41   06 0050 C220    57
Fa0/1  8.8.8.8          Local  10.56.102.41   11 0035 DDDA     1
Fa0/1  74.125.71.138    Fa0/0  10.56.102.41   06 01BB C1FF     2
Fa0/1  74.125.71.138    Fa0/0  10.56.102.41   06 01BB C21E     8
Fa0/1  213.239.154.20   Fa0/0  10.56.102.41   06 01BB C21C     8
Fa0/1  213.239.154.21   Fa0/0  10.56.102.41   06 0050 C227     2
Fa0/1  213.239.154.21   Fa0/0  10.56.102.41   06 0050 C226     3
Fa0/1  213.239.154.21   Fa0/0  10.56.102.41   06 0050 C227     1
Fa0/1  213.239.154.21   Fa0/0  10.56.102.41   06 0050 C226     1
Fa0/1  213.239.154.21   Fa0/0  10.56.102.41   06 0050 C221     3
Fa0/1  213.239.154.21   Fa0/0  10.56.102.41   06 0050 C221     4
Fa0/1  213.239.154.20   Fa0/0  10.56.102.41   06 0050 C217    12
Fa0/1  213.239.154.20   Fa0/0  10.56.102.41   06 0050 C217     3
Fa0/1  213.239.154.21   Fa0/0  10.56.102.41   06 0050 C219    42
Fa0/1  213.239.154.20   Fa0/0  10.56.102.41   06 0050 C21B     3
Fa0/1  213.239.154.21   Fa0/0  10.56.102.41   06 0050 C21A    10
Fa0/1  213.239.154.21   Fa0/0  10.56.102.41   06 0050 C218    58
Fa0/1  213.239.154.21   Fa0/0  10.56.102.41   06 0050 C219    11
Fa0/1  213.239.154.20   Fa0/0  10.56.102.41   06 0050 C21B     3
Fa0/1  213.239.154.21   Fa0/0  10.56.102.41   06 0050 C21A    92
Fa0/1  213.239.154.21   Fa0/0  10.56.102.41   06 0050 C218     9
Fa0/1  74.125.71.154    Fa0/0  10.56.102.41   06 0050 C229     4

Above you can see some of the flows. The Pr column is the IP protocol number in hex (06 is TCP, 11 is UDP) and the ports are in hex as well: 0050 is 80 (HTTP), 01BB is 443 (HTTPS) and 0035 is 53 (DNS). So the table already tells you that the host behind Fa0/0 is resolving names through 8.8.8.8 and browsing a handful of web servers.
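The rows above are what the router packs into the 28 UDP datagrams that show ip flow export counted. Here is an added Python example, not part of the original lesson, that builds a NetFlow v9 export datagram containing a template and two of the flows from the table, then decodes it the way a collector such as ntop must: templates first, data records only once their template is known. The field type IDs are the real v9 ones from RFC 3954; the two flows are copied from the output above, but the byte counts, sequence number and timestamps are constructed because the show output does not provide them.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 field type IDs and lengths (RFC 3954, section 8).
FIELDS = {
    1: ("IN_BYTES", 4),
    2: ("IN_PKTS", 4),
    4: ("PROTOCOL", 1),
    7: ("L4_SRC_PORT", 2),
    8: ("IPV4_SRC_ADDR", 4),
    11: ("L4_DST_PORT", 2),
    12: ("IPV4_DST_ADDR", 4),
}
TEMPLATE_FIELDS = [8, 12, 4, 7, 11, 2, 1]   # layout of our data records
TEMPLATE_ID = 256                          # data template IDs start at 256

# Two flows from the show ip cache flow table; byte counts are constructed.
SAMPLE_FLOWS = [
    {"src": "31.22.80.141", "dst": "10.56.102.41", "proto": 6, "sport": 80, "dport": 0xC21F, "pkts": 46, "bytes": 65000},
    {"src": "8.8.8.8", "dst": "10.56.102.41", "proto": 17, "sport": 53, "dport": 0xF244, "pkts": 1, "bytes": 153},
]


def build_export(flows, include_template=True, seq=1, source_id=0, uptime_ms=275130, unix_secs=1347163260):
    """Build one v9 export datagram: header, optional template FlowSet, data FlowSet."""
    flowsets = b""
    if include_template:
        body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
        for fid in TEMPLATE_FIELDS:
            body += struct.pack("!HH", fid, FIELDS[fid][1])
        flowsets += struct.pack("!HH", 0, 4 + len(body)) + body       # FlowSet ID 0 = template
    body = b""
    for f in flows:
        body += IPv4Address(f["src"]).packed + IPv4Address(f["dst"]).packed
        body += struct.pack("!BHHII", f["proto"], f["sport"], f["dport"], f["pkts"], f["bytes"])
    pad = (-len(body)) % 4                                             # FlowSets end on a 4-byte boundary
    flowsets += struct.pack("!HH", TEMPLATE_ID, 4 + len(body) + pad) + body + b"\x00" * pad
    count = len(flows) + (1 if include_template else 0)                # header count = records, not FlowSets
    header = struct.pack("!HHIIII", 9, count, uptime_ms, unix_secs, se, source_id) if False else \
        struct.pack("!HHIIII", 9, count, uptime_ms, unix_secs, seq, source_id)
    return header + flowsets


def parse_export(packet, templates=None):
    """Decode a v9 datagram; return (templates, records).

    Templates are keyed by (source_id, template_id) and must be kept across
    datagrams: a data FlowSet whose template has not been seen yet cannot be
    decoded and is skipped, which is what a collector does until the router's
    next periodic template refresh arrives."""
    templates = dict(templates or {})
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records, pos = [], 20
    while pos + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[pos:pos + 4])
        if set_len < 4 or pos + set_len > len(packet):
            raise ValueError("bad FlowSet length")
        body = packet[pos + 4:pos + set_len]
        if set_id == 0:                                   # template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if tid == 0:                              # trailing padding
                    break
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif set_id >= 256:                               # data FlowSet
            fields = templates.get((source_id, set_id))
            if fields is not None:
                rec_len = sum(flen for _, flen in fields)
                for p in range(0, len(body) - rec_len + 1, rec_len):
                    rec, q = {}, p
                    for ftype, flen in fields:
                        raw = body[q:q + flen]
                        q += flen
                        name = FIELDS.get(ftype, (f"field_{ftype}", flen))[0]
                        rec[name] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                    records.append(rec)
        pos += set_len
    return templates, records


if __name__ == "__main__":
    templates, records = parse_export(build_export(SAMPLE_FLOWS))
    for rec in records:
        print(rec)
```

Two things the code makes visible that the show output does not: a collector that restarts has no templates and silently drops data until the router re-sends them, so a gap in your flow history after a collector restart is normal; and nothing in the datagram authenticates the exporter, so a host that can reach UDP 2055 on the collector can inject made-up flows, which is why the export path belongs on a management network.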
The output above is useful to check whether NetFlow is working on the router, but it's far more interesting to look at the flows on the external server.

Ntop Server

To show you what makes NetFlow so useful, let me show you some screenshots of ntop. Here you can see the top talkers of all flows:

ntop can also show you the network load:

You can also see the throughput for each application:

And you can see the different packet sizes that are used in your flows:

Conclusion

NetFlow is a great protocol to get insight into your network traffic. It's the equivalent of a phone bill that lists every call that was made, where it went, how long it took and so on, except that we are tracking all IP flows on the network. That same record is valuable in security investigations: it tells you which internal host talked to which outside address and port, and when, long after the packets themselves are gone.

AAA Local Command Authorization

Cisco IOS allows authorization of commands without using an external TACACS+ server. Cisco routers and switches work with privilege levels; by default there are 16 privilege levels (0 through 15), and even without thinking about it you are probably already familiar with three of them:

Level 0: only a few commands are available; the most used one is probably "enable".
Level 1: the default user EXEC level. You can use some show commands but you can't configure anything.
Level 15: the highest privilege level, also known as "enable mode" or "privileged mode".

Higher privilege levels include all the commands of the lower privilege levels. For example, privilege level 8 includes all the commands of levels 0 to 7, and privilege level 15 includes all the commands of levels 0 to 14.

Creating different privilege levels is a good idea if you work with different user groups.
You probably only want your senior network engineers to have privilege level 15, and your junior network engineers a lower privilege level so they don't have access to all commands.

If you want to assign commands to a certain privilege level, you have a couple of options:

You can assign some privilege level 15 commands to level 1 so that all users who are allowed to log in to the router can use them.
You can move some commands from level 1 to a higher level so that level 1 users can no longer use them.
You can create a new privilege level and assign some level 15 commands to it.

When you assign commands to different privilege levels you need to understand that IOS has two modes:

Exec mode
Configuration mode

Exec mode looks like this:

Router#

And configuration mode looks like this:

Router(config)#

Each mode also has different sub-modes, like the interface configuration mode:

Router(config-if)#

Commands also have a structure that you need to understand. Basically commands look like this:

command sub-command [arguments] [argument-values] [options]

To give you an example, think about configuring an IP address:

Rack1SW1(config-if)#ip address 192.168.1.1 255.255.255.0

We can break it down like this:

ip = command.
address = sub-command.
192.168.1.1 255.255.255.0 = arguments.
secondary = option (not shown in my example).

When I assign a command to a privilege level, I can select the entire "ip" command or only the "ip address" sub-command. If I give someone the entire "ip" command they can also configure things like "ip unreachables" or "ip arp" and so on, so be as specific as the task allows.

Let's take a look at a couple of examples of moving commands and creating new privilege levels.

Configuration

First we'll check what our privilege level is:

Router>show privilege
Current privilege level is 1

Use the show privilege command to check your privilege level. By default, once you are logged in you are at level 1.
Let's go to enable mode now:

Router>enable
Router#show privilege
Current privilege level is 15

As you can see, enable mode has privilege level 15.

We'll start with a simple example. I'm going to give privilege level 1 users the right to use the show running-config command:

Router(config)#privilege exec level 1 show running-config

All level 1 users can now use the show running-config command. Not a very wise idea, since the running configuration contains the device's secrets, but it works:

Router>show running-config
Building configuration...

Current configuration : 53 bytes
!
boot-start-marker
boot-end-marker
!

We can also take commands away from level 1 users. Let's say I don't want them to use "show ip arp":

Router(config)#privilege exec level 15 show ip arp

Level 1 users will discover that they can't use show ip arp anymore:

Router>show ip arp
            ^
% Invalid input detected at '^' marker.

Now you have seen how to add or remove commands for a certain privilege level. How about we create a user with a new privilege level that has access to only a couple of commands? We'll create a user account that is allowed to do these things:

Shut down or re-enable an interface.
Use the debug ip routing command.
Disable all debugging.
Use the show running-config command.

I will create a new username with a new privilege level:

Router(config)#username JUNIOR privilege 8 password CISCO

First we create a new user account called JUNIOR with privilege level 8. On a real device, prefer "username JUNIOR privilege 8 secret ..." so the credential is stored as a hash rather than as a reversible type 7 password. Now we'll add some commands to this level:

Router(config)#privilege exec level 8 configure terminal
Router(config)#privilege exec level 8 debug ip routing
Router(config)#privilege exec level 8 undebug all
Router(config)#privilege exec level 8 show running-config

The commands above are for exec mode.
I still have to add some commands for configuration mode:

Router(config)#privilege configure level 8 interface
Router(config)#privilege interface level 8 shutdown
Router(config)#privilege interface level 8 no shutdown

The commands above allow the user to enter interface configuration mode and use the shutdown and no shutdown commands. Because configure terminal is now a level 8 command, any other configuration command you later assign to level 8 or lower becomes reachable by this user too, so keep that list deliberately short.

Let's test our new user account:

Router(config)#line con 0
Router(config-line)#login local

Don't forget to enable local authentication, or we won't get a username/password prompt.

Router con0 is now available

Press RETURN to get started.

User Access Verification

Username: JUNIOR
Password:

After entering the credentials we can check the privilege level:

Router#show privilege
Current privilege level is 8

The level is looking good. Let's try some debug commands:

Router#debug ?
  all  Enable all debugging
  ip   IP information
Router#debug ip ?
  routing  Routing table events

The only debug we can use is debug ip routing. What about the configuration commands?

Router#configure terminal
Router(config)#interface fastEthernet 0/1
Router(config-if)#?
Interface configuration commands:
  default   Set a command to its defaults
  exit      Exit from interface configuration mode
  help      Description of the interactive help system
  no        Negate a command or set its defaults
  shutdown  Shutdown the selected interface

These are the only commands available. Let's shut the interface:

Router(config)#interface fastEthernet 0/1
Router(config-if)#shutdown

If this user runs the show running-config command, it won't see the entire configuration but only the commands its privilege level is allowed to use:

Router#show running-config
Building configuration...

Current configuration : 930 bytes
!
boot-start-marker
boot-end-marker
!
!
interface Loopback0
!
interface FastEthernet0/1
 shutdown

There's more in the configuration, but this user is only allowed to see the shutdown command.