# CCNA 200-301 - Video 20: Network Management and Monitoring

## Deep Study Notes

---

## Learning Objectives

By the end of this video, you should understand:

- SNMP (Simple Network Management Protocol) for device monitoring
- Syslog for logging and event management
- NetFlow and IPFIX for traffic analysis
- SPAN and RSPAN for traffic monitoring
- Network management best practices
- Troubleshooting with monitoring tools

---

## Core Concepts

### 1. Network Management Overview

**FCAPS Model (ISO Network Management Framework):**

| Category | Description | Examples |
|----------|-------------|----------|
| **F**ault Management | Detect, log, and respond to network problems | Syslog, SNMP traps, alerts |
| **C**onfiguration Management | Track and manage device configurations | Backups, version control, compliance |
| **A**ccounting Management | Track resource usage | NetFlow, IPFIX, billing data |
| **P**erformance Management | Monitor network performance | SNMP polling, throughput, latency |
| **S**ecurity Management | Control access to network resources | AAA, firewalls, VPNs, logging |

```
NETWORK MANAGEMENT TOOLS

+----------------------------------------------+
| SNMP (Simple Network Management Protocol)    |
| Polling, traps, MIBs                         |
+----------------------------------------------+

+----------------------------------------------+
| SYSLOG                                       |
| Logging, events, debug messages              |
+----------------------------------------------+

+----------------------------------------------+
| NETFLOW/IPFIX                                |
| Traffic analysis, flow data                  |
+----------------------------------------------+

+----------------------------------------------+
| SPAN/RSPAN                                   |
| Traffic mirroring, packet capture            |
+----------------------------------------------+
```

---

### 2. SNMP (Simple Network Management Protocol)

**Definition:** SNMP is a protocol for collecting and organizing information about managed devices on IP networks.

**SNMP Components:**

```
SNMP ARCHITECTURE

NMS (Network Management Station)
+----------------------------------------------+
| SNMP Manager                                 |
| (Polling, receiving traps, visualization)    |
+----------------------------------------------+
        |
        |  SNMP (UDP 161 - Polling)
        |  SNMP (UDP 162 - Traps)
        v
Managed Devices
+----------------+  +----------------+  +----------------+
| Router         |  | Switch         |  | Firewall       |
| SNMP Agent     |  | SNMP Agent     |  | SNMP Agent     |
| MIB Database   |  | MIB Database   |  | MIB Database   |
+----------------+  +----------------+  +----------------+
```

**SNMP Components:**

| Component | Description |
|-----------|-------------|
| **SNMP Manager** | Central system that monitors and manages devices (e.g., SolarWinds, PRTG) |
| **SNMP Agent** | Software running on managed devices that responds to queries |
| **MIB (Management Information Base)** | Database of managed objects (OIDs) |
| **OID (Object Identifier)** | Unique identifier for each managed object |

**SNMP Versions:**

| Version | Features | Security |
|---------|----------|----------|
| **SNMPv1** | Basic functionality | Community strings (clear text) |
| **SNMPv2c** | Enhanced features, bulk retrieval | Community strings (clear text) |
| **SNMPv3** | Authentication, encryption, integrity | USM (User-based Security Model) |

**SNMP Operations:**

| Operation | Direction | Description |
|-----------|-----------|-------------|
| **GET** | Manager → Agent | Retrieve specific OID value |
| **GETNEXT** | Manager → Agent | Retrieve next OID (walking MIB) |
| **GETBULK** | Manager → Agent | Retrieve large blocks of data (v2c/v3) |
| **SET** | Manager → Agent | Modify OID value (configure) |
| **TRAP** | Agent → Manager | Unsolicited alert (port 162) |
| **INFORM** | Agent → Manager | Confirmed trap (v2c/v3) |

---

### 3. SNMP Configuration

**Basic SNMP Configuration:**

```cisco
! Configure SNMP community (read-only)
Router(config)# snmp-server community public RO

! Configure SNMP community (read-write)
Router(config)# snmp-server community private RW

! Configure SNMP location and contact
Router(config)# snmp-server location "Data Center - Rack A1"
Router(config)# snmp-server contact "Network Team - netadmin@example.com"

! Configure SNMP traps
Router(config)# snmp-server enable traps
Router(config)# snmp-server host 192.168.1.100 public

! Configure SNMPv3
Router(config)# snmp-server group SNMPv3Group v3 priv
Router(config)# snmp-server user snmpuser SNMPv3Group v3 auth sha AuthPassword123 priv aes 128 EncryptPassword123
Router(config)# snmp-server host 192.168.1.100 version 3 priv snmpuser
```

**SNMP Verification Commands:**

```cisco
Router# show snmp community
Router# show snmp group
Router# show snmp user
Router# show snmp host
Router# show snmp statistics
```

**Example Output:**

```cisco
Router# show snmp community

Community name: public
Community Index: public
Storage Type: permanent Active

Community name: private
Community Index: private
Storage Type: permanent Active

Router# show snmp group

groupname: SNMPv3Group                    security model:v3 priv
contextname: <no context specified>       storage-type: permanent
readview : <no readview specified>        writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active
```

---

### 4. Syslog

**Definition:** Syslog is a standard for message logging that allows network devices to send event messages to a central logging server.
```
SYSLOG ARCHITECTURE

Network Device (Sender)
+----------------------------------------------+
| Syslog Client                                |
| (Generates log messages)                     |
+----------------------------------------------+
        |
        |  Syslog (UDP 514)
        v
Syslog Server (Receiver)
+----------------------------------------------+
| Syslog Server                                |
| (Stores logs, alerts, reporting)             |
+----------------------------------------------+
```

**Syslog Message Format:**

```
<priority>timestamp hostname facility/severity: message

Example:
<189>Mar 21 10:30:45 Router1 %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
```

**Syslog Severity Levels:**

| Level | Keyword | Description | Example |
|-------|---------|-------------|---------|
| **0** | emergencies | System unusable | Panic |
| **1** | alerts | Immediate action needed | Critical condition |
| **2** | critical | Critical conditions | Interface down |
| **3** | errors | Error conditions | Routing error |
| **4** | warnings | Warning conditions | Low memory |
| **5** | notifications | Normal but significant | Interface up |
| **6** | informational | Informational messages | Configuration change |
| **7** | debugging | Debug-level messages | Debug output |

**Syslog Facilities:**

| Facility | Description |
|----------|-------------|
| **0** | kernel messages |
| **1** | user-level messages |
| **2** | mail system |
| **3** | system daemons |
| **4** | security/authorization |
| **5** | syslogd internal |
| **16-23** | local0 - local7 (custom) |

---

### 5. Syslog Configuration

**Basic Syslog Configuration:**

```cisco
! Configure logging to local buffer
Router(config)# logging buffered 16384
Router(config)# logging buffered informational

! Configure logging to console
Router(config)# logging console warnings

! Configure logging to terminal (SSH/telnet)
Router(config)# logging monitor informational

! Configure logging to syslog server
Router(config)# logging host 192.168.1.100
Router(config)# logging trap notifications

! Configure logging source interface
Router(config)# logging source-interface loopback 0

! Configure timestamp
Router(config)# service timestamps log datetime msec localtime show-timezone
Router(config)# service timestamps debug datetime msec localtime show-timezone

! Configure message discrimination
Router(config)# logging facility local7
Router(config)# logging origin-id hostname
```

**Syslog Verification Commands:**

```cisco
Router# show logging
Router# show logging history
Router# show logging status
Router# show logging configuration
```

**Example Output:**

```cisco
Router# show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited)
    Console logging: level warnings, 10 messages logged
    Monitor logging: level informational, 5 messages logged
    Buffer logging: level informational, 50 messages logged
    Trap logging: level notifications, 20 messages logged
        Logging to: 192.168.1.100 (udp port 514)

Log Buffer (16384 bytes):

Mar 21 10:30:45.123 EST: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
Mar 21 10:30:46.456 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
Mar 21 10:31:02.789 EST: %SYS-5-CONFIG_I: Configured from console by admin on vty0
```

---

### 6. NetFlow

**Definition:** NetFlow is a Cisco protocol for collecting IP traffic information as flows. It provides visibility into network traffic patterns.
```
NETFLOW ARCHITECTURE

Network Device (Exporter)
+--------------------------------------------------------------+
| NetFlow Cache                                                |
|   Flow 1: Src=10.1.1.2, Dst=8.8.8.8, Port=80, Packets=150    |
|   Flow 2: Src=10.1.1.3, Dst=8.8.8.8, Port=443, Packets=80    |
+--------------------------------------------------------------+
        |
        |  NetFlow Export (UDP 2055)
        v
NetFlow Collector
+--------------------------------------------------------------+
| NetFlow Collector                                            |
| (Stores flows, analysis, reporting)                          |
+--------------------------------------------------------------+
```

**NetFlow Flow Definition:**

A flow is identified by the following 7-tuple:

| Field | Description |
|-------|-------------|
| Source IP | Source IP address |
| Destination IP | Destination IP address |
| Source Port | TCP/UDP source port |
| Destination Port | TCP/UDP destination port |
| Layer 3 Protocol | IP protocol (TCP, UDP, ICMP) |
| ToS (Type of Service) | QoS marking |
| Input Interface | Interface where flow entered |

**NetFlow Versions:**

| Version | Description |
|---------|-------------|
| **v5** | Most common, fixed format, 30 flow fields |
| **v9** | Flexible format, template-based, supports more fields |
| **IPFIX** | IETF standard (based on NetFlow v9) |

---

### 7. NetFlow Configuration

**Basic NetFlow Configuration:**

```cisco
! Configure flow record (custom fields)
Router(config)# flow record NETFLOW-RECORD
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match transport source-port
Router(config-flow-record)# match transport destination-port
Router(config-flow-record)# match ipv4 protocol
Router(config-flow-record)# collect counter bytes
Router(config-flow-record)# collect counter packets
Router(config-flow-record)# collect timestamp sys-uptime first
Router(config-flow-record)# collect timestamp sys-uptime last
Router(config-flow-record)# exit

! Configure flow exporter
Router(config)# flow exporter NETFLOW-EXPORTER
Router(config-flow-exporter)# destination 192.168.1.100
Router(config-flow-exporter)# transport udp 2055
Router(config-flow-exporter)# source gigabitEthernet 0/0
Router(config-flow-exporter)# export-protocol netflow-v9
Router(config-flow-exporter)# exit

! Configure flow monitor
Router(config)# flow monitor NETFLOW-MONITOR
Router(config-flow-monitor)# record NETFLOW-RECORD
Router(config-flow-monitor)# exporter NETFLOW-EXPORTER
Router(config-flow-monitor)# cache timeout active 60
Router(config-flow-monitor)# cache timeout inactive 15
Router(config-flow-monitor)# exit

! Apply flow monitor to interface
Router(config)# interface gigabitEthernet 0/0
Router(config-if)# ip flow monitor NETFLOW-MONITOR input
Router(config-if)# ip flow monitor NETFLOW-MONITOR output
Router(config-if)# exit
```

**NetFlow Verification Commands:**

```cisco
Router# show flow monitor NETFLOW-MONITOR cache
Router# show flow monitor NETFLOW-MONITOR statistics
Router# show flow exporter NETFLOW-EXPORTER statistics
```

---

### 8. SPAN and RSPAN

**SPAN (Switched Port Analyzer):** Mirrors traffic from source ports to a destination port for analysis.

**RSPAN (Remote SPAN):** Extends SPAN across multiple switches.
```
SPAN ARCHITECTURE

Source Switch
+------------------------------------------------------+
|  Source Port (PC1)      ----------------+            |
|  Source VLAN (VLAN 10)  ----------------+            |
|                                         |            |
|                                         v            |
|                              +------------------+    |
|                              | Destination Port |    |
|                              | (to IDS)         |    |
|                              +------------------+    |
+------------------------------------------------------+

Traffic Flow: PC1 traffic → Copy → Destination port (IDS)
Original traffic continues to destination (PC2)
```

**SPAN Configuration:**

```cisco
! The sessions below are alternative examples; a destination port
! can belong to only one SPAN session at a time

! Configure local SPAN session
Switch(config)# monitor session 1 source interface gigabitEthernet 0/1
Switch(config)# monitor session 1 destination interface gigabitEthernet 0/24

! Configure SPAN with VLAN source
Switch(config)# monitor session 2 source vlan 10 rx
Switch(config)# monitor session 2 destination interface gigabitEthernet 0/24

! Configure SPAN with multiple sources
Switch(config)# monitor session 3 source interface gigabitEthernet 0/1 , gigabitEthernet 0/2
Switch(config)# monitor session 3 destination interface gigabitEthernet 0/24

! Configure SPAN with encapsulation
Switch(config)# monitor session 4 source interface gigabitEthernet 0/1
Switch(config)# monitor session 4 destination interface gigabitEthernet 0/24 encapsulation replicate
```

**RSPAN Configuration:**

```cisco
! ========== SOURCE SWITCH ==========
! Create RSPAN VLAN
SwitchA(config)# vlan 100
SwitchA(config-vlan)# remote-span
SwitchA(config-vlan)# exit

! Configure RSPAN source
SwitchA(config)# monitor session 1 source interface gigabitEthernet 0/1
SwitchA(config)# monitor session 1 destination remote vlan 100

! ========== DESTINATION SWITCH ==========
! Create same RSPAN VLAN
SwitchB(config)# vlan 100
SwitchB(config-vlan)# remote-span
SwitchB(config-vlan)# exit

! Configure RSPAN destination
SwitchB(config)# monitor session 1 source remote vlan 100
SwitchB(config)# monitor session 1 destination interface gigabitEthernet 0/24
```

**SPAN Verification Commands:**

```cisco
Switch# show monitor session 1
Switch# show monitor session all
Switch# show running-config | include monitor
```

---

### 9. Network Monitoring Best Practices

**Monitoring Layers:**

| Layer | What to Monitor | Tools |
|-------|-----------------|-------|
| **Physical** | Interface status, errors, utilization | SNMP, show interfaces |
| **Data Link** | MAC table, STP state, VLANs | show mac address-table, show spanning-tree |
| **Network** | Routing table, neighbor relationships | show ip route, show ip ospf neighbor |
| **Transport** | TCP/UDP statistics | show ip traffic |
| **Application** | Service availability, response time | NetFlow, synthetic tests |

**Key Performance Indicators (KPIs):**

| Metric | Description | Target |
|--------|-------------|--------|
| **Availability** | Uptime percentage | 99.999% (5 nines) |
| **Latency** | Round-trip time | < 100 ms |
| **Jitter** | Variation in latency | < 30 ms |
| **Packet Loss** | Percentage of dropped packets | < 0.1% |
| **Throughput** | Data transfer rate | Based on link speed |
| **Utilization** | Bandwidth usage | < 70% average |

---

### 10. Troubleshooting with Monitoring Tools

**Common Monitoring Use Cases:**

```
TROUBLESHOOTING WITH MONITORING

PROBLEM: Slow network performance
├── SNMP: Check interface utilization (high utilization)
├── NetFlow: Identify top talkers (who is using bandwidth)
└── Syslog: Check for error messages

PROBLEM: Intermittent connectivity
├── SNMP: Check interface errors, discards
├── Syslog: Look for flapping interfaces
└── SPAN: Capture packets for analysis

PROBLEM: Security incident
├── Syslog: Authentication failures
├── NetFlow: Unusual traffic patterns
└── SPAN: Capture suspicious traffic

PROBLEM: Configuration issue
├── Syslog: Configuration change logs
└── SNMP: Verify configuration with MIBs
```

**Packet Capture (with SPAN):**

```cisco
! Configure SPAN to capture traffic
Switch(config)# monitor session 1 source interface gigabitEthernet 0/1
Switch(config)# monitor session 1 destination interface gigabitEthernet 0/24

! On analysis PC, use Wireshark to capture on interface connected to port 24
! Or use tcpdump:
# tcpdump -i eth0 -w capture.pcap
```

---

## Complete Configuration Examples

### Lab 1: SNMPv3 Configuration

```cisco
! Configure SNMPv3 on router
hostname Router1
!
! Create SNMPv3 group
snmp-server group SNMP-GROUP v3 priv
!
! Create SNMPv3 user
snmp-server user snmpadmin SNMP-GROUP v3 auth sha AdminPass123 priv aes 128 EncryptPass123
!
! Configure SNMP location and contact
snmp-server location "Main Data Center - Rack A"
snmp-server contact "Network Operations - noc@example.com"
!
! Configure SNMP traps
snmp-server enable traps
snmp-server host 192.168.1.100 version 3 priv snmpadmin
!
! Configure logging
logging host 192.168.1.101
logging trap notifications
logging source-interface loopback 0
!
! Configure timestamps
service timestamps log datetime msec localtime
service timestamps debug datetime msec localtime
!
end
```

---

### Lab 2: NetFlow Configuration

```cisco
! Configure NetFlow on router
hostname Router1
!
! Create flow record
flow record NETFLOW-RECORD
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Create flow exporter
flow exporter NETFLOW-EXPORTER
 destination 192.168.1.100
 transport udp 2055
 source gigabitEthernet 0/0
 export-protocol netflow-v9
!
! Create flow monitor
flow monitor NETFLOW-MONITOR
 record NETFLOW-RECORD
 exporter NETFLOW-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
!
! Apply to interfaces
interface gigabitEthernet 0/0
 ip flow monitor NETFLOW-MONITOR input
 ip flow monitor NETFLOW-MONITOR output
!
interface gigabitEthernet 0/1
 ip flow monitor NETFLOW-MONITOR input
 ip flow monitor NETFLOW-MONITOR output
!
end
```

---

### Lab 3: SPAN Configuration

```cisco
! Configure SPAN on switch
hostname Switch1
!
! Create SPAN session to monitor PC traffic
monitor session 1 source interface gigabitEthernet 0/1
monitor session 1 destination interface gigabitEthernet 0/24
!
! Create SPAN session to monitor VLAN traffic
! (a destination port can belong to only one SPAN session,
!  so session 2 uses its own destination port)
monitor session 2 source vlan 10 rx
monitor session 2 destination interface gigabitEthernet 0/23
!
! Create RSPAN VLAN
vlan 100
 remote-span
!
! Configure RSPAN source
monitor session 3 source interface gigabitEthernet 0/1
monitor session 3 destination remote vlan 100
!
end
```

---

## Exam Tips (For CCNA 200-301)

| Topic | What Cisco Tests |
|-------|------------------|
| **SNMP** | UDP 161 (polling), UDP 162 (traps), v3 security |
| **Syslog** | UDP 514, severity levels (0-7), facilities |
| **NetFlow** | Flow definition, export over UDP 2055 |
| **SPAN** | Traffic mirroring, local vs. remote |
| **Monitoring** | FCAPS model, KPIs |

### Common Exam Scenarios:

**Scenario 1:** "A network administrator needs to collect traffic statistics for billing purposes. Which protocol should be used?"

- **Answer:** NetFlow (accounting management)

**Scenario 2:** "Which SNMP version provides authentication and encryption?"

- **Answer:** SNMPv3

**Scenario 3:** "A security analyst needs to capture traffic from a switch port for analysis. Which feature should be configured?"

- **Answer:** SPAN (Switched Port Analyzer)

---

## Summary (1-Minute Revision)

```
NETWORK MANAGEMENT:

SNMP:
├── UDP 161: Polling (GET, SET)
├── UDP 162: Traps (unsolicited alerts)
├── SNMPv1/v2c: Community strings (clear text)
├── SNMPv3: Authentication + encryption
└── MIB/OID: Managed objects

SYSLOG:
├── UDP 514: Message transport
├── Severity: 0-7 (emergencies to debug)
├── Facilities: local0-local7
└── Message format: <priority>timestamp hostname facility/severity: message

NETFLOW:
├── Flow: 7-tuple (src/dst IP, port, protocol, ToS, interface)
├── Export: UDP 2055
├── Versions: v5, v9, IPFIX
└── Uses: Traffic analysis, top talkers, security

SPAN/RSPAN:
├── SPAN: Local traffic mirroring
├── RSPAN: Remote traffic mirroring
├── Source: Port, VLAN
└── Destination: Port, VLAN

FCAPS:
├── Fault: Detection and logging
├── Configuration: Device management
├── Accounting: Usage tracking
├── Performance: Monitoring metrics
└── Security: Access control
```

---

## Practice Questions

**1. Which UDP port does SNMP use for polling (GET/SET operations)?**

- A) UDP 161
- B) UDP 162
- C) UDP 514
- D) UDP 2055

<details>
<summary>Answer</summary>
<b>A) UDP 161</b> - SNMP manager sends GET/SET requests to UDP port 161 on agents.
</details>

**2. Which SNMP version provides authentication and encryption?**

- A) SNMPv1
- B) SNMPv2c
- C) SNMPv3
- D) SNMPv4

<details>
<summary>Answer</summary>
<b>C) SNMPv3</b> - SNMPv3 provides authentication, integrity, and encryption via USM.
</details>

**3. What is the syslog severity level for "emergencies" (system unusable)?**

- A) Level 0
- B) Level 1
- C) Level 2
- D) Level 7

<details>
<summary>Answer</summary>
<b>A) Level 0</b> - Emergencies is severity level 0 (highest priority).
</details>

**4. Which UDP port does NetFlow use for flow export?**

- A) UDP 161
- B) UDP 162
- C) UDP 514
- D) UDP 2055

<details>
<summary>Answer</summary>
<b>D) UDP 2055</b> - NetFlow exports flow records to UDP port 2055 by default.
</details>

**5. Which feature mirrors traffic from one switch port to another for analysis?**

- A) SNMP
- B) Syslog
- C) SPAN
- D) NetFlow

<details>
<summary>Answer</summary>
<b>C) SPAN</b> - Switched Port Analyzer mirrors traffic for analysis.
</details>

**6. Which syslog facility is commonly used for custom network device logging?**

- A) kernel
- B) mail
- C) local0-local7
- D) auth

<details>
<summary>Answer</summary>
<b>C) local0-local7</b> - These facilities are reserved for custom application logging.
</details>

**7. What does MIB stand for in SNMP?**

- A) Management Information Base
- B) Managed Interface Block
- C) Message Information Buffer
- D) Management Integration Base

<details>
<summary>Answer</summary>
<b>A) Management Information Base</b> - MIB is the database of managed objects accessible via SNMP.
</details>

**8. Which NetFlow version is the IETF standard (IPFIX)?**

- A) v5
- B) v9
- C) v10 (IPFIX)
- D) v7

<details>
<summary>Answer</summary>
<b>C) v10 (IPFIX)</b> - IPFIX is the IETF standard based on NetFlow v9.
</details>

**9. What is the purpose of RSPAN?**

- A) Local traffic mirroring
- B) Remote traffic mirroring across switches
- C) Routing protocol
- D) Flow export

<details>
<summary>Answer</summary>
<b>B) Remote traffic mirroring across switches</b> - RSPAN extends SPAN across multiple switches.
</details>

**10. Which command configures logging to a syslog server?**

- A) `logging host 192.168.1.100`
- B) `syslog server 192.168.1.100`
- C) `log server 192.168.1.100`
- D) `system log 192.168.1.100`

<details>
<summary>Answer</summary>
<b>A) `logging host 192.168.1.100`</b> - This configures the syslog server address.
</details>

**11. Which FCAPS category includes tracking resource usage for billing?**

- A) Fault Management
- B) Configuration Management
- C) Accounting Management
- D) Performance Management

<details>
<summary>Answer</summary>
<b>C) Accounting Management</b> - Accounting tracks resource usage for billing and planning.
</details>

**12. What does the `snmp-server enable traps` command do?**

- A) Disables SNMP traps
- B) Enables SNMP trap generation
- C) Configures trap destination
- D) Sets trap community string

<details>
<summary>Answer</summary>
<b>B) Enables SNMP trap generation</b> - This command enables the device to send SNMP traps.
</details>

---

## Next Steps

After completing Video 20, you should be ready for:

- **Video 21:** Final Exam Review and Practice
- **Video 22:** CCNA 200-301 Practice Labs

**Lab Practice:**

1. Configure SNMPv3 on router and test with MIB browser
2. Configure syslog and view messages on server
3. Configure NetFlow and analyze traffic flows
4. Configure SPAN to capture traffic with Wireshark
5. Verify all configurations with show commands
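
**Added example: auditing the SNMP configuration.** The basic configuration in section 3 keeps the clear-text `public`/`private` communities next to the SNMPv3 user, so a device configured that way still answers v1/v2c requests. The check below is an added example, not part of the original notes: it scans `snmp-server` lines and reports the settings that fall short of SNMPv3 with `priv`. The function name, the finding labels and the rule that a community should carry an access list are this example's own assumptions.

```python
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")   # strips e.g. "Router(config)# "
DEFAULT_NAMES = {"public", "private"}

# Constructed input: the snmp-server lines from the basic configuration in section 3.
SAMPLE_CONFIG = """\
Router(config)# snmp-server community public RO
Router(config)# snmp-server community private RW
Router(config)# snmp-server location "Data Center - Rack A1"
Router(config)# snmp-server enable traps
Router(config)# snmp-server host 192.168.1.100 public
Router(config)# snmp-server group SNMPv3Group v3 priv
Router(config)# snmp-server user snmpuser SNMPv3Group v3 auth sha AuthPassword123 priv aes 128 EncryptPassword123
Router(config)# snmp-server host 192.168.1.100 version 3 priv snmpuser
"""


def audit_snmp(config_text):
    """Return (line_number, finding, config_line) for each weak SNMP setting."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = PROMPT.sub("", raw.strip())
        w = line.split()
        if len(w) < 3 or w[0] != "snmp-server":
            continue
        codes = []
        if w[1] == "community":
            rest = w[3:]
            if rest[:1] == ["view"]:                 # optional "view <name>"
                rest = rest[2:]
            codes.append("cleartext-community")      # v1/v2c strings are sent in clear text
            if w[2].lower() in DEFAULT_NAMES:
                codes.append("default-community-name")
            if "RW" in (t.upper() for t in rest):
                codes.append("read-write-community")
            if not rest or rest[-1].upper() in ("RO", "RW"):
                codes.append("no-acl")               # no access list limits who may query
        elif w[1] == "group":
            if w[3:5] != ["v3", "priv"]:
                codes.append("group-below-v3-priv")
        elif w[1] == "user" and "v3" in w:
            opts = [t for t in w[w.index("v3") + 1:] if t != "encrypted"]
            if opts[:1] != ["auth"]:
                codes.append("user-no-auth")
            elif opts[1:2] == ["md5"]:
                codes.append("user-auth-md5")
            if "priv" not in opts[3:]:
                codes.append("user-no-priv")
            elif opts[opts.index("priv", 3) + 1:][:1] == ["des"]:
                codes.append("user-priv-des")
        elif w[1] == "host":
            # Trap destinations should also use version 3 with priv.
            if "version" not in w or w[w.index("version") + 1:][:2] != ["3", "priv"]:
                codes.append("trap-host-below-v3-priv")
        findings.extend((number, code, line) for code in codes)
    return findings


if __name__ == "__main__":
    for number, code, line in audit_snmp(SAMPLE_CONFIG):
        print(f"line {number}: {code:26} {line}")
```

Run against a saved `show running-config`, the same function works without the `Router(config)#` prompts, as in the Lab 1 configuration.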
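
**Added example: decoding syslog lines and finding flapping interfaces.** Section 4 gives the message format and the severity and facility tables, and section 10 suggests syslog for spotting flapping interfaces and configuration changes. The script below is an added example, not part of the original notes: it decodes the `<priority>` value (facility × 8 + severity), compares it with the severity inside the `%FACILITY-SEVERITY-MNEMONIC` tag, and reports configuration changes and interfaces that change state repeatedly. It assumes lines in the format shown in section 4, in chronological order; the function names, the year and the threshold of 4 transitions in 60 seconds are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]
FACILITY = {0: "kernel", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
            5: "syslog", **{16 + i: f"local{i}" for i in range(8)}}

LINE_RE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")
IFACE_RE = re.compile(r"Interface (\S+?), changed state to (?:up|down)")

# Constructed sample input; the first line is the example line from section 4.
SAMPLE_LOG = [
    "<189>Mar 21 10:30:45 Router1 %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up",
    "<187>Mar 21 10:30:50 Router1 %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down",
    "<187>Mar 21 10:30:58 Router1 %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up",
    "<187>Mar 21 10:31:01 Router1 %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down",
    "<189>Mar 21 10:31:02 Router1 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<187>Mar 21 10:45:00 Router1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]


def parse(line, year=2024):
    """Decode one line; return None if it does not follow the format."""
    m = LINE_RE.fullmatch(line.strip())
    if m is None or int(m["pri"]) > 191:          # 23 * 8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(int(m["pri"]), 8)  # PRI = facility * 8 + severity
    return {
        # The timestamp carries no year, so one is assumed.
        "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "facility": FACILITY.get(facility, str(facility)),
        "severity": severity,
        "severity_name": SEVERITY[severity],
        "tag": f"{m['fac']}-{m['sev']}-{m['mnemonic']}",
        "tag_severity": int(m["sev"]),
        "text": m["text"],
    }


def analyse(lines, flap_count=4, flap_window=timedelta(seconds=60)):
    """Return findings as tuples; lines must be in chronological order."""
    findings = []
    changes = defaultdict(list)        # (host, interface) -> recent transition times
    for line in lines:
        ev = parse(line)
        if ev is None:
            findings.append(("unparsed", line))
            continue
        if ev["severity"] != ev["tag_severity"]:
            findings.append(("severity-mismatch", ev["host"], ev["tag"], ev["severity"]))
        if ev["tag"] == "SYS-5-CONFIG_I":
            findings.append(("config-change", ev["host"], ev["text"]))
        m = IFACE_RE.search(ev["text"])
        if m and ev["tag"] == "LINK-3-UPDOWN":
            times = changes[(ev["host"], m[1])]
            times.append(ev["time"])
            while times[-1] - times[0] > flap_window:   # slide the window forward
                times.pop(0)
            if len(times) == flap_count:                # report once per burst
                findings.append(("flapping", ev["host"], m[1], flap_count))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The first sample line decodes to facility `local7`, severity 5, while its tag says severity 3, so it is reported as a mismatch; a collector that filters on the priority value alone would file it under notifications.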
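
**Added example: the flow cache and top talkers.** Section 6 defines a flow by its 7-tuple and section 7 sets `cache timeout active 60` and `cache timeout inactive 15`. The model below is an added example, not part of the original notes and not Cisco's implementation: it groups packets into flows by the 7-tuple, exports a record when either timeout is reached, and totals exported bytes per source address to find the top talkers mentioned in section 10. The function names and the packet tuples are constructed for the example, and timeouts are checked only when a packet arrives.

```python
from collections import defaultdict

ACTIVE_TIMEOUT = 60      # seconds, as in "cache timeout active 60"
INACTIVE_TIMEOUT = 15    # seconds, as in "cache timeout inactive 15"

# Constructed sample traffic: (src, dst, sport, dport, proto, tos, input interface).
FLOW_A = ("10.1.1.2", "8.8.8.8", 51000, 80, 6, 0, "Gi0/0")
FLOW_B = ("10.1.1.3", "8.8.8.8", 51001, 443, 6, 0, "Gi0/0")
SAMPLE_PACKETS = sorted(
    [(t, *FLOW_A, 500) for t in (0, 5, 10, 40)] +        # short bursts with a gap
    [(t, *FLOW_B, 1000) for t in range(0, 80, 10)])       # one long-lived flow


def export_flows(packets):
    """Group packets into flows and return the records in export order.

    packets: tuples (time, src, dst, sport, dport, proto, tos, in_if, nbytes),
    sorted by time. Simplification: timeouts are evaluated only when a packet
    arrives, whereas a real exporter also runs a timer.
    """
    cache, exported = {}, []

    def expire(now, flush=False):
        for key, rec in list(cache.items()):
            if flush:
                reason = "flush"                    # end of capture
            elif now - rec["last"] >= INACTIVE_TIMEOUT:
                reason = "inactive"                 # no packet seen recently
            elif now - rec["first"] >= ACTIVE_TIMEOUT:
                reason = "active"                   # long flow, report progress
            else:
                continue
            exported.append({"key": key, "reason": reason, **rec})
            del cache[key]

    for t, *key, nbytes in packets:
        expire(t)
        rec = cache.setdefault(
            tuple(key), {"first": t, "last": t, "packets": 0, "bytes": 0})
        rec["last"] = t
        rec["packets"] += 1
        rec["bytes"] += nbytes
    expire(None, flush=True)
    return exported


def top_talkers(records, n=5):
    """Total exported bytes per source address, largest first."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["key"][0]] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    records = export_flows(SAMPLE_PACKETS)
    for rec in records:
        print(rec["reason"], rec["key"][0], rec["packets"], rec["bytes"])
    print(top_talkers(records))
```

The long-lived flow appears as two records (one `active` export, one at the end), which is why a collector has to sum records per 7-tuple before ranking talkers.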