Cisco CCNA 200-301 – Network Device Management Part 2

3. Terminal Monitor and Logging Synchronous

In this lecture you’ll learn about how to configure syslog through a lab demo. The lab topology is really simple. I’ve just got my router R one with IP address, ten dot O dot O dot one. And I’ve got my syslog server at ten dot O dot O dot 100. That’s marked as the NMS system in the diagram. It’s the network monitoring system. Okay? So right now I’m going to tell you about that terminal monitor command, the last thing that we covered in the last lecture.

So if you have a look at my PC here, I’m actually on ten o dot O dot 100 now, and I’ve got a continuous ping that is pinging the R one router. And what I’m going to do is I’m going to open up a telnet session to the router. So I’m opening up putty and I’m going to telnet to 1001, and I’m going to log in here with my password and enable and put the password in there as well. And while I’m here, I want to have a console session open in the background.

So this big window here I’m connected over a console session, and this smaller window is the telnet session that I just opened. So I want to see you to see how the logging is going to be different here. So in my telnet session, I’m going to debug Ipicmp and what this is going to do, it’s going to debug those pings that are coming in. I should see output every time that a ping is received and output every time that I reply as well. And because it’s a debug, it’s going to be updating continuously in real time.

But the thing is that I haven’t entered the terminal monitor command yet, so it’s not going to show up in my telnet session. So when I hit enter here, you’ll see that logging is enabled on the console by default. So in the big window in the background, the console, I can see the debugging output showing up in there.

But in my telnet window, because logging is not enabled by default and telnet, I don’t see anything. And this can be really confusing when you first start working with debugs, because you enter a debug command and you’ll get no output and you’ll think, oh, I’m not receiving any pings, it’s going to be something like that.

But actually it’s just that you haven’t turned on the logging output. So the way that you do that is in your telnet window or your SSH window, the command at the enable prompt is terminal monitor. So I’ll do that and now I should see there you go, the debugs start coming in. Okay? So whenever you’re debugging in a telnet or SSH session, remember put in the terminal monitor command so you can actually see the output.

Okay? The way to stop the debugging, if you want to turn off all debugging, then you can type in undebug all or the short way is just you all and that will turn off all debugging. You might see a little bit of output come in after that, just as it’s finishing up, that is the debugging turned off. Okay, so that was the terminal monitor command. The other thing that I told you about at the end was logging synchronous. So let’s go into our console window here and I’ll go configt.

And what I’ll do is currently Interface Fast 30 is shut down. So I will do a no shot and then as soon as I enter that command, I’m going to start entering a new command. So I’ll do do show IP interface. Okay, you see what happened there? So in the middle of me typing a command, I’m seeing some logging output there and it makes it really hard to see exactly where I am in that command. It’s confusing. So I’m like, where was I in that command? And usually what you’ll end up doing is you’ll just end up hitting the backspace to clear it and hit Enter and then start the command again.

And it’s a little bit annoying. So what you can do to prevent that behavior is go to your console line. So I’ll go line Console Zero and enter logging synchronous there. And I also want to do it for when I’m connected in over SSH or telnet. So I’ll go line VTY 15 and hit the up arrow to Enter and logging synchronous there as well. So now what happens? I’ll do the same thing. So I will do a shut this time and then start I need to go to the interface. So Interface Fast 30, I’ll do a shutdown and then start typing Do Show IP interface. So you see what happened now, it doesn’t put the logging output right in the middle of my line, making it hard to see where I am. It still shows the logging output, but once it’s done that, it prints where I was at again in a new line, so I can see exactly where I was.

So a couple of things you always want to do there. So that was always enable logging synchronous on your console and your VTi lines and also when you’re debugging over a Telnet or SSH session, remember putting the command Terminal Monitor? Okay, so that was those first two commands. I think this video has been going a little well already, so let’s wrap this one up here and I’ll cover doing the syslog configuration in the next lecture.

4. Syslog Lab Demo

In this lecture, you’ll see how to configure syslog with a lab demo. I’m using the same simple topology again. I’ve got my Router R one@ten. o dot O dot one and I’ve got my NMS network monitoring system at ten dot O dot O dot 100 that’s going to act as the syslog server. And I’m actually on ten dot O dot O dot 100 right now. I’ve currently got a console session open with router. You can see that there. And I’m going to open up a telnet session as well.

So you can see the difference with the logging in the console and over the VT wireline. So I’ll go to Putty and I’ll tell net to ten or one and log in here. Should I click in the right window and put in my password? Okay, so that’s been logged in over Telnet as well. And I’ll come to the bigger console window and I’ll do a show logging to look at the current state. This is at the defaults right now, so you can see that the default logging level is debugging and I’m going to be logging to the console and the buffer by default, not to the monitor, which is my telnet and my SSH session.

We can see that working if I go to the telnet session and I’ll go to Interface Fast 30, let’s check and see if it’s shut or not shut right now. So I’ll do show IP Interface Brief and 30, it’s not actually being used, it’s currently admin up. So let’s shut down that interface. And when I do that, we should see there’s the logging message showing up in the console window. It doesn’t show up in the telnet window because logging is not enabled to your VTY line by default. Okay, let’s do some configuring then. So you could see that we do have logging enabled to the console right now. Let’s turn that off. So I could do that in either window here, either in my telenor or my console window, I will go to Global Config and do no logging console to turn off logging to the console.

And I do want to enable logging to my telnet session and let’s make it logging to its monitor for your VTY lines. Let’s set it at level five. And also I’m going to make sure that terminal monitor is enabled in here as well. Now if I go back to Interface Fast 30 and I will do a no shut on there now and you’ll see that it should get logged to my telnet session there it is there and it didn’t get logged to the console session because I disabled logging on there.

Okay, another thing I’ll do is let’s just configure logging to the buffer as well. So for that I will say logging buffer, let’s make it seven, which is what it was at already anyway. And if I now do a show on logging, I can see that logging is disabled to the console, I’ve got it set to level five, which is notifications to monitor logging, which is for my telnet and SSH sessions. And buffer logging is at the debugging level. You can also see how many messages were received in each of them as well. They’re different values there because I’ve been playing with the logging values.

Okay. Also while we’re in here at Michele logging, if I hit the space bar to scroll down, you’ll see all of my logging events are in the logging buffer. I did a debug of ICMP earlier when I was doing a ping. So that’s where you see all of those ICMP events in there. Also the interface going up and down that I was just doing a minute ago as well. Okay? So that’s pretty much it for our internal logging and configuring that. Let’s also do some external logging as well. So right now I have installed the free Kiwi Syslog server on my PC here, which is at ten or 100. I haven’t done any logging to it yet, so let’s set that up now. So I’ll go back onto the command line on my router and at Global Config, I’ll set logging to my Syslog server at 100 100 and I’ll set the severity level of events that I want to send there.

So I’ll say Logging trap and I’ll choose the debugging level. And now if I go back to that interface fast 30, I’ll do a do show IP interface brief again, I can see it’s currently administratively shut down. So I’ll do a no shut down on that interface and I should see that getting logged. So I see it being logged here in my telnet session and I also see it being logged on this log server. Well, and if I then do a shut down again, I’ll see that being logged in both locations as well. Okay, so that was how to configure Syslog. See you in the next lecture.

5. SNMP Simple Network Management Protocol

This lecture you’ll learn about SNMP which is the simple network management protocol. It’s an open standard for network monitoring and you’ll see it being used on nearly all vendors devices, not just routers and switches servers, everything else as well. The terminology for SNMP there is an SNMP manager which is the SNMP server and it can collect and organize information from an SNMP agent which is SNMP software which runs on managed devices such as routers and switches.

So that’s the official terminology, but real world you won’t hear people talking about SNMP manager and SNMP agent. The manager will be called an SNMP server or an NMS system is commonly used which is Network Management system and the managed device is just an SNMP managed device. The SNMP manager of the server can pull information from the device with a Get command or the device can push it to the server with a trap. So for example the manager could query to get traffic statistics from the device, or the device could report an HSRP state change. For example, if one of the routers in an HSRP pair went down the router could push a notification push a trap to the NMS server.

About that, the standard also includes support for modifying agent information from the SNMP manager to change device behavior. But that’s not used so commonly. So most often the NMS server will pull information from the devices or the devices will send a trap to notify the SNMP manager that something happened. There is an MIB is used as the database for the information data variables on SNMP managed systems, for example the state of an interface or the state of OSPF or Rip, et cetera. Those variables are organized into an MIB, the Management information Base, which is the database of things that you can gather information about on your different devices.

The SNMP manager and agent need to share the MIB so they know which variables can be reported on and different types of devices will have different MIBs because the kind of information you would want to gather from a Windows server would be different than the type of information you would gather from a router or a switch. So this diagram shows the architecture. We’ve got the SNMP manager which is our NMS server, and in the example there’s a couple of managed devices and they’re both running the SNMP agent software. So we’ve got a switch and router. They’ve got MIB which includes variables that are relevant to that type of device. The SNMP manager understands the MIB as well and the SNMP manager can send queries to the devices to gather information from them.

The devices can also send trap notifications to notify the SNMP manager that something happened. Also you’ve got that third option where the SNMP manager can actually push and change information on the devices not used. As commonly with the SNMP versions, there’s been three major versions. The first version was SNMP version one that uses plain text authentication between the manager and the agent. So the authentication is not encrypted. Anybody can read it if they’re sniffing that traffic. The method that is used for the authentication is community strings, which act like a password. SNMP version two C also uses plain text community strings for the authentication.

The main advantage of version two C over version one is that it supports bulk retrieval. So rather than having to send a new message for every piece of information it wants to get, it can send a request for multiple pieces of information at the same time. Makes it more efficient. And the latest version is SNMP version three. It does support strong authentication and encryption with the use of usernames and passwords.

It is the preferred version because it is secure, but it’s not supported on all devices. You’ll find a lot of devices that are still out there today don’t have support for SNMP version three yet. So in that case you would have to use SNMP version two C if you did want to enable SNMP. So talking about the authentication in version one and version two C, it uses community strings rather than the normal username and password that you’re used to. So the community string is used to authenticate the SNMP manager and the agent to each other.

It acts just like a password and the same community string value has to be set on both the agent and the manager. That’s how they authenticate to each other. There is both read-only and read write community strings. The readonly community is used by the manager to read information and the read write community is used if it wants to set information. So here’s a configuration example. And for the CCNA exam, this is the same with Syslog as well. You don’t need to know how to set up the Syslog server or the SNMP server because there’s lots of different vendors that offer software products for that. That’s obviously out of scope.

For the exam, the exam is testing you and how to configure the Cisco router and switches, not any external software. So this is how we would configure the configuration on a router for SNMP V two. First up we say Global config, SNMP server contact Neil@flatbox. com My email address, then SNMP server location flatbox lab. So that’s just purely informational and it’s optional if you want to set that. But your SNMP server is going to be monitoring lots of different devices, so it’s good if you’ve got some descriptive information about the device that will be sent to the manager. Next part of the config is our community strings, which are used for the authentication.

And we’re configuring both a read only and a read write community string. We’ve got SNMP server community flatbox one, which is we’re using as our read only string and SNMP server community flatbox two, which we’re going to use is the read write string. Then we need to configure where our SNMP server is. So we say SNMP server host 100. 100 is where the server is. And for communicating with that server, when we’re sending traps, we’re going to use our read only community string, which was flatbox one. Then we put in a command to actually send traps to that server. This is optional. If we did not have the SNMP server enable Traps config command, the server would still be able to query this router to pull information from it. But because we’re configuring traps, we’re also going to push information to the server as well. You’ll see, when we do the lab demo that there’s lots of different types of traps that you can send.

So you can send information about a change in the OSPF state, a change in the state of an interface, et cetera. Here we’re doing traps config, which means whenever anybody else goes to global configuration by entering the config T command, it’s going to send a notification about that to the server. Okay, last thing to tell you here is some SNMP security a best practice. We’ve said before, the SNMP is an open standard. It’s supported by nearly all vendors devices.

Most devices will use a default read only community string of public and a default read write community string of private. And attackers can use this to read or set information on your devices. If an attacker has got IP connectivity to the device and it’s been set up with SNMP enabled using the default community strings of public and private, then the attacker can use that to pool information about the device. There’s likely to be sensitive information there that they can then use to launch an attack against your devices.

So you do not want to leave that as the default setting. Best practice is to disable SNMP on devices if it’s not being used. And if you do want to use SNMP, use SNMP version three with secure passwords, because that is a secure way of implementing it. However, quite likely you will have devices that do not support version three. So in that case, use SNMP version two C, but use non default community strings. Don’t use public and private. Okay, that was it for.

• Category: Uncategorized