Chapter 21

Other Networking Services

This chapter rounds out the coverage of IP services by covering a variety of important topics you need to know for the CCNA 200-301 exam, including syslog, SNMP, FTP, TFTP, QoS, and remotely accessing devices by using SSH.

This chapter covers the following essential terms and components:

  • Syslog

  • SNMP version 2

  • SNMP version 3

  • PHBs

  • Classification

  • Marking

  • Queueing

  • Congestion

  • Policing

  • Shaping

  • SSH

  • FTP

  • TFTP

Topic: Describe the use of syslog and SNMP features

CramSaver

If you can correctly answer these CramSaver questions, save time by skimming the ExamAlerts in this section and then completing the CramQuiz at the end of this section and the Review Questions at the end of the chapter. If you are in doubt at all, read everything in this chapter!

1. What is the default status of monitor and buffer logging on a Cisco network device such as a router?

_________

2. What syslog severity level is Emergency?

_________

3. What version of SNMP provides robust security mechanisms?

_________

Answers

1. The default status of monitor and buffer logging is enabled.

2. Level 0

3. SNMP version 3

Network devices, including Cisco devices, typically engage in system-logging capabilities, commonly termed syslog. System logging allows devices to report on their health and important events that might be transpiring. In Cisco networking, we commonly call syslog simply logging. These log messages can vary from the mundane to the critical. Example 21.1 shows the default logging configuration on a Cisco router.

ExamAlert

You can configure the timestamp information in your syslog messages by using the service timestamps command. You can ensure that the timestamps include detail down to the millisecond level, thanks to the msec optional keyword.

Example 21.1 The Default Logging Configuration of a Cisco Router

R2#
R2# show logging
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited,
            0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

  Console logging: level debugging, 16 messages logged, xml disabled,
                   filtering disabled
  Monitor logging: level debugging, 0 messages logged, xml disabled,
                   filtering disabled
  Buffer logging: level debugging, 16 messages logged, xml disabled,
                   filtering disabled
  Logging Exception size (8192 bytes)
  Count and timestamp logging messages: disabled
  Persistent logging: disabled

No active filter modules.

ESM: 0 messages dropped

   Trap logging: level informational, 19 message lines logged

Log Buffer (8192 bytes):

*Aug 28 15:54:39.063: %IFMGR-7-NO_IFINDEX_FILE: Unable to open nvram:/ifIndex-table No such file or directory
*Aug 28 15:54:56.991: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Aug 28 15:54:56.995: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Aug 28 15:54:57.003: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
...

Notice that, by default, logging is enabled and that syslog messages are stored in a buffer for later analysis. Specifically, notice that three forms of logging are enabled by default:

  • Console logging: Console logging involves console syslog messages such as *Aug 28 15:54:56.995: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up that you see when you are connected to the device using the console port.

  • Monitor logging: Monitor logging allows users who are connected remotely (using Telnet or SSH) into the device to see console messages as well.

  • Buffer logging: Buffer logging stores logs in a buffer (local memory) and permits viewing of messages at a later date, as Example 21.1 demonstrates.

ExamAlert

Even if a feature is typically on by default (for example, console logging), you should not make assumptions in the exam environment. Console logging might be disabled in a running configuration.

Notice from the sample log messages shown in Example 21.1 that syslog messages follow a specific format with fields including the following:

  • A timestamp: In this case, *Aug 28 15:54:57.003:

  • The component that generated the message: In this case, %LINK (technically termed the “facility”)

  • A severity level: In this case, 3

  • A mnemonic for the message: In this case, UPDOWN

  • A description: In this case, Interface FastEthernet1/0, changed state to up

The possible severity levels for messages are very important, especially since you can filter the logging to the various destinations by using these levels. Table 21.1 shows the syslog severity levels used by Cisco equipment.

Table 21.1 The Syslog Severity Levels

Keyword         Level   Description
Emergency       0       System unusable
Alert           1       Immediate action required
Critical        2       Critical event
Error           3       Error event
Warning         4       Warning event
Notification    5       Normal but significant condition
Informational   6       Informational message
Debug           7       Used for debugging the software

Example 21.2 shows a sample configuration involving logging on a Cisco router.

Example 21.2 A Sample Syslog Configuration on a Cisco Router

R2#
R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# logging console 6
R2(config)# logging buffered 4
R2(config)# logging monitor warning
R2(config)# logging host 10.1.1.3
R2(config)# end
R2#

The commands in Example 21.2 have the following effects:

  • logging console 6: Limits console syslog messages to levels 6 through 0.

  • logging buffered 4: Limits buffer syslog messages to levels 4 through 0.

  • logging monitor warning: Limits monitor syslog messages to levels 4 through 0; note that you can use the severity level’s shorthand or the level number.

  • logging host 10.1.1.3: Sends syslog messages to a syslog server (located at 10.1.1.3) for storage.
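As an added illustration (not part of the book's text or its configuration examples), the following Python splits lines of the format described above into their five fields and applies per-destination severity limits the way the three level commands in Example 21.2 do, so you can see which messages each destination keeps. The sample lines are copied from Example 21.1 and Review Question 2; the function names and the prefix-matching of keywords are this example's own choices.

```python
import re

# Severity keywords and numeric levels from Table 21.1 (lowercased).
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "informational": 6, "debug": 7}

# One IOS syslog line: [*]timestamp: %FACILITY-SEVERITY-MNEMONIC: description
SYSLOG_RE = re.compile(
    r"^\*?(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<description>.*)$")

def parse_syslog(line):
    """Split one log line into its five fields; None if it is not a syslog message."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields

def parse_level(spec):
    """A level as 'logging console 6' / 'logging monitor warning' take it: 0-7 or a keyword."""
    spec = spec.strip().lower()
    if spec.isdigit() and int(spec) <= 7:
        return int(spec)
    hits = [lvl for kw, lvl in SEVERITY.items() if kw.startswith(spec)]  # abbreviations allowed
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous severity keyword: {spec!r}")
    return hits[0]

def route(lines, destinations):
    """Map each destination ({'buffered': '4'}) to the FACILITY-SEV-MNEMONIC tags it keeps."""
    limits = {dest: parse_level(spec) for dest, spec in destinations.items()}
    out = {dest: [] for dest in destinations}
    for line in lines:
        msg = parse_syslog(line)
        if msg is None:              # headers such as "Log Buffer (8192 bytes):"
            continue
        tag = f'{msg["facility"]}-{msg["severity"]}-{msg["mnemonic"]}'
        for dest, limit in limits.items():
            if msg["severity"] <= limit:   # level N admits levels N through 0
                out[dest].append(tag)
    return out

# Sample input: the buffer header and three lines quoted from Example 21.1, plus the
# message from Review Question 2.
SAMPLE_LOG = """\
Log Buffer (8192 bytes):
*Aug 28 15:54:39.063: %IFMGR-7-NO_IFINDEX_FILE: Unable to open nvram:/ifIndex-table No such file or directory
*Aug 28 15:54:56.991: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Aug 28 15:54:56.995: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Nov 16 00:23:23.003: %SYS-6-CLOCKUPDATE: System clock has been updated from 14:20:35 EDT Sun Aug 28 2021 to 19:23:23 EST Thu Nov 15 2022, configured from console by console
""".splitlines()
# The three destination levels set in Example 21.2.
EXAMPLE_21_2 = {"console": "6", "buffered": "4", "monitor": "warning"}
```

With the Example 21.2 levels, only the LINK-3-UPDOWN message survives the buffered and monitor filters, while the console also sees the level 5 and 6 messages; the level 7 IFMGR message reaches none of them.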

Simple Network Management Protocol (SNMP) eases the management of network devices. Monitoring and configuration are both possible using this technology.

SNMP version 2c is excellent and has been used for many years, but it lacks security features. In fact, it uses a simple plaintext community string (password) for security protection.

SNMP version 3 addresses the security concerns present in previous versions. This version provides robust authentication, authorization, and integrity verification—if desired. With SNMP version 3, you have several options for your security settings, as shown in Table 21.2.

Table 21.2 SNMP Version 3 Security Levels

Level          Authentication/Encryption   Description
noAuthNoPriv   Username/no encryption      Username match for authentication
authNoPriv     MD5 or SHA/no encryption    Authentication and no encryption
authPriv       MD5 or SHA/DES              Both authentication and encryption

CramQuiz

1. What level of logging is appropriate for an event where an immediate action is required?

A. Emergency

B. Critical

C. Error

D. Alert

2. How can you configure your Cisco router so that severity levels 5 through 0 log messages are stored in a buffer?

A. logging buffered 5

B. logging level 5 buffer

C. logging 5 buffered

D. logging buffered 5 0

3. What version of SNMP uses a simple plaintext password?

A. Version 1

B. Version 2c

C. Version 3

D. Version 4

CramQuiz Answers

1. D is correct. The Alert syslog level in Cisco indicates that an immediate action is required.

2. A is correct. The command logging buffered 5 allows you to filter the buffer for log messages at a level of 0 through 5.

3. B is correct. SNMP versions 2 and 2c use a simple plaintext password.

Topic: Explain the forwarding per-hop behavior (PHB) for QoS, such as classification, marking, queueing, congestion avoidance, policing, and shaping

CramSaver

1. What QoS approach ensures that resources are available for voice and video applications through the use of predetermined assignments?

_________

2. What QoS marking is used in Ethernet frames?

_________

3. What link QoS mechanism buffers traffic by default when it exceeds a certain rate?

_________

Answers

1. Integrated Services (IntServ) with the Resource Reservation Protocol (RSVP)

2. Class of service (CoS)

3. Traffic shaping

There are three main approaches you can take to quality of service (QoS) in your organization:

  • Best effort (BE): Using this approach, you overprovision the bandwidth in the network as you do not use any special QoS settings or tools; most Cisco devices default to a first-in, first-out (FIFO) approach to packet queueing and forwarding in the BE configuration.

  • Integrated Services (IntServ): With this approach, Resource Reservation Protocol (RSVP) is used to reserve resources on devices in the path to carry important or fragile traffic forms; this approach is no longer popular as it requires special signaling protocols and requires tight integration across the entire path of the traffic (which more often than not spans several non-homogeneously administered networks).

  • Differentiated Services (DiffServ): This approach is the most popular today; it begins with traffic marking and classification to identify and group traffic that must be treated in a special manner. Traffic receives special treatment in a hop-by-hop approach based on predefined and configured per-hop behaviors (PHBs).

Marking traffic for a certain QoS treatment can be done at several layers of the OSI model:

  • Layer 2: Class of service (CoS)

  • Layer 2.5: The Experimental Use field in MPLS

  • Layer 3: Type of service (ToS) for IPv4 and traffic class for IPv6

Should a router or switch trust the markings of incoming packets and frames? Is the directly connected device marking the packets properly? Such considerations are included in device trust. Devices you are trusting become the trust boundary in the network. Any packets arriving from outside the trust boundary should have any QoS marking ignored and cleared.

QoS seeks to control several potential issues in a network experiencing congestion. Prioritization of traffic is done in order to avoid problems with packet loss, packet delay (latency), and jitter (variations in delay).

QoS is very popular in networks today because more and more networks are converged. This means they feature two or more of the following traffic forms:

  • Voice: Voice over IP permits calls to occur over the same network as data traffic; no longer are special equipment and special links required for voice traffic.

  • Video: Video over IP is becoming more and more popular for the transmission of video traffic.

  • Data: Data traffic could include critical transactional data and scavenger class data, such as gaming or social media traffic.

Remember that with Differentiated Services, traffic is classified and marked, and then it is treated in a special manner on a hop-by-hop basis, based on the traffic’s marking. Tools for this special treatment include the following:

  • Shaping tools: Shaping permits you to control the rate of traffic on a link; traffic above a specified threshold is buffered in an attempt to send it at a later time, when there is less traffic on the link.

  • Policing tools: Policing is similar to shaping; with policing, however, traffic in excess of a specified rate is dropped by default.

  • Congestion management tools: There are several tools in this category. Class-based weighted fair queueing (CBWFQ) seeks to prioritize traffic based on markings, while low-latency queueing (LLQ) adds to the CBWFQ system a strict priority queue (PQ) that is reserved for voice traffic in a typical implementation.

  • Congestion avoidance tools: Tools in this category seek to avoid congestion altogether before it becomes an issue. Link fragmentation and interleaving (LFI) is a popular example of a congestion avoidance tool. Large packets are fragmented so that more importantly marked packets can be interwoven between the fragments. Another interesting approach is weighted random early detection (WRED). With WRED, low-priority packets are randomly dropped when interfaces start to approach a congested level, in the hopes that the traffic’s sender will notice the drop and slow down.
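To make the policing-versus-shaping distinction concrete, here is an added Python simulation (not from the book) of a token-bucket policer beside a token-bucket shaper fed the same constructed burst of packets: the policer drops what exceeds the contract, the shaper holds it and sends it later. Times in milliseconds, the rate in bytes per millisecond, the arrival pattern and the function names are all assumptions of this example.

```python
def police(arrivals, rate, burst):
    """Policer: a token bucket holding at most `burst` bytes, refilled at `rate`
    bytes per ms. A packet larger than the tokens on hand is dropped on the spot.
    Returns (forwarded arrival times, dropped arrival times)."""
    tokens, last, forwarded, dropped = burst, 0, [], []
    for t, size in arrivals:
        tokens = min(burst, tokens + rate * (t - last))  # refill since the last packet
        last = t
        if size <= tokens:
            tokens -= size
            forwarded.append(t)
        else:
            dropped.append(t)                            # excess is discarded, not queued
    return forwarded, dropped

def shape(arrivals, rate, burst):
    """Shaper: the same bucket, but a packet that finds too few tokens waits in a
    FIFO queue until the bucket has refilled enough to send it (each packet must
    fit within `burst`). Returns a list of (arrival time, departure time)."""
    tokens, last_departure, out = burst, 0, []
    for t, size in arrivals:
        start = max(t, last_departure)                   # queue behind earlier packets
        tokens = min(burst, tokens + rate * (start - last_departure))
        if size > tokens:                                # not enough credit yet:
            start += (size - tokens) / rate              # hold until it has accrued
            tokens = size
        tokens -= size
        out.append((t, start))
        last_departure = start
    return out

def summarize(arrivals, rate, burst):
    """Run both tools on the same arrivals and report loss versus added delay."""
    forwarded, dropped = police(arrivals, rate, burst)
    departures = shape(arrivals, rate, burst)
    return {"policer_forwarded": len(forwarded),
            "policer_dropped": len(dropped),
            "shaper_dropped": 0,                         # the queue here is unbounded
            "shaper_max_delay_ms": max(d - t for t, d in departures)}

# Constructed burst: five 1000-byte packets, four inside the first 300 ms and one at
# 2 s, offered to a 1 byte/ms (8 kbit/s) contract with a 1500-byte burst allowance.
ARRIVALS = [(0, 1000), (100, 1000), (200, 1000), (300, 1000), (2000, 1000)]
RATE, BURST = 1, 1500
```

On this burst the policer forwards two packets and drops three, whereas the shaper delivers all five but delays the fourth by 2.2 seconds, which is exactly the trade-off (loss versus latency and jitter) that the two tools present.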

CramQuiz

1. What marking is done at Layer 3?

A. Type of service

B. Class of service

C. Experimental bits

D. BECN

2. What does it mean to trust a device in a QoS environment?

A. To forward the traffic from the device, regardless of priority

B. To honor the QoS markings

C. To rewrite any layer 2 markings

D. To always provide LLQ to the device’s traffic

CramQuiz Answers

1. A is correct. The Type of Service field in an IPv4 header permits the marking of traffic at Layer 3.

2. B is correct. Device trust refers to honoring QoS markings of packets arriving from a trusted device.

Topic: Using SSH and FTP/TFTP in a network

CramSaver

1. What is the secure alternative to the Telnet protocol for accessing devices remotely?

_________

2. TFTP relies on what transport layer protocol and port number?

_________

Answers

1. The Secure Shell (SSH) protocol

2. UDP and port 69

For a long time, Telnet was the method for remotely accessing a Cisco network device and applying a configuration at the command line of that device. Unfortunately, Telnet provides no security. In fact, the protocol sends the information from a local system to the remote Cisco device in plaintext. (Have you noticed by now that any time this book mentions plaintext, it is not a good thing?)

An alternative remote access protocol that is commonly used and recommended today is Secure Shell (SSH). Secure Shell takes care of secure authentication and encryption for the desired remote access.

Follow these steps to configure a Cisco device to support SSH:

  1. Use the hostname command to ensure that the device has a hostname set.

  2. Use the ip domain-name command to ensure that there is a domain name configured on the device.

  3. Configure the required RSA key by using the command crypto key generate rsa.

  4. In your VTY lines, ensure that SSH is the only supported method (instead of Telnet) by using the command transport input ssh. Take care to apply this command (or at least the transport input none command) to all the available VTY lines.

  5. Use the command ip ssh version 2 to ensure that the SSH version is 2.
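As an added example (not the book's own material), this Python audit reads a running configuration as text and reports which of steps 1, 2, 4 and 5 are not yet satisfied on every VTY range; step 3 leaves no line in the running configuration, so verify the key separately with show crypto key mypubkey rsa. The sample configuration, the function names and the treatment of the factory-default hostnames Router and Switch as "not set" are assumptions of this example.

```python
import re

# Constructed running-config excerpt (not from the book): the second VTY range still
# accepts Telnet, and SSH version 2 is not enforced.
SAMPLE_CONFIG = """\
hostname R2
ip domain-name example.com
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
end
"""

def vty_blocks(config):
    """Return [(header, [child commands])] for every 'line vty' section."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw, [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None           # any unindented line ends the section
    return blocks

def audit_ssh(config):
    """Findings against steps 1, 2, 4 and 5; an empty list means they all pass."""
    findings = []
    host = re.search(r"^hostname (\S+)", config, re.M)
    if not host or host.group(1) in ("Router", "Switch"):  # factory default names
        findings.append("step 1: hostname missing or still the default")
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("step 2: ip domain-name not configured")
    vtys = vty_blocks(config)
    if not vtys:
        findings.append("step 4: no line vty sections present")
    for header, cmds in vtys:
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append(f"step 4: {header} has no transport input command")
        elif transport[-1] not in ("transport input ssh", "transport input none"):
            findings.append(f"step 4: {header} still allows '{transport[-1]}'")
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("step 5: ip ssh version 2 not set")
    return findings

# The same excerpt after both fixes, which should audit clean.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("transport input telnet ssh", "transport input ssh")
                   .replace("ip domain-name example.com\n",
                            "ip domain-name example.com\nip ssh version 2\n"))
```

Running audit_ssh on the sample reports the Telnet-capable line vty 5 15 and the missing ip ssh version 2, which is the kind of partial configuration step 4 warns about.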

For decades, File Transfer Protocol (FTP) was used to move files from one location to another over private intranets or even the public Internet. In fact, I still use this protocol today when delivering chapters of this text to Pearson for publishing. FTP uses the reliable TCP in its operation, along with ports 20 and 21.

You might think that FTP is of no use to Cisco networking devices, and you would be partially correct. Cisco devices to this day love to use a variation of FTP for downloading new IOS images and configuration files. This variation of FTP is called Trivial File Transfer Protocol (TFTP). It has far less overhead compared to FTP as it relies on UDP in its operation. It uses port 69.

CramQuiz

1. What command creates the RSA key for use with SSH?

A. crypto key generate rsa

B. ssh key rsa generate

C. get ssh key rsa

D. ip ssh generate key rsa

2. What is a typical use for TFTP in a modern Cisco network?

A. To download the VLAN.dat file

B. To download a startup configuration during a VoIP phone’s bootup

C. To download IOS images to the device

D. To back up (upload) the current running config onto a TFTP server

CramQuiz Answers

1. A is correct. You generate the required RSA key by using the command crypto key generate rsa.

2. C is correct. TFTP is often used for downloading IOS images and configurations to Cisco devices.

Review Questions

1. What command allows you to see the syslog configuration that is currently in place on a Cisco router?

A. show syslog

B. show logging

C. show logging enable

D. show logging detail

2. You see the syslog message *Nov 16 00:23:23.003: %SYS-6-CLOCKUPDATE: System clock has been updated from 14:20:35 EDT Sun Aug 28 2021 to 19:23:23 EST Thu Nov 15 2022, configured from console by console. What facility produced the message?

A. %SYS-6-CLOCKUPDATE

B. CLOCKUPDATE

C. %SYS

D. 6

3. What command permits you to send log messages to a device at 10.1.1.3?

A. logging 10.1.1.3

B. logging trap level 2 10.1.1.3

C. logging host 10.1.1.3

D. logging host send 7 host 10.1.1.3

4. What approach to QoS involves marking and classifying traffic?

A. IntServ

B. DiffServ

C. BE

D. RSVP

5. What improvement does SNMP version 3 offer over SNMP v2c?

A. Monitoring with no overhead

B. Increased security

C. A reduction in server calls

D. ICMP IP SLA

6. What is the term for variation in delay?

A. Shaping

B. Packet loss

C. Latency

D. Jitter

7. LLQ is a form of what type of tool in QoS?

A. Congestion management

B. Policing

C. Shaping

D. Marking

Answers to Review Questions

1. B is correct. Use the simple show logging command to verify syslog settings, as well as to view the contents of the logging buffer.

2. C is correct. The facility precedes the severity level.

3. C is correct. Use logging host 10.1.1.3.

4. B is correct. The Differentiated Services (DiffServ) approach features classification and marking as a first step.

5. B is correct. SNMP version 3 provides security enhancements over earlier versions.

6. D is correct. Jitter refers to variation in delay. Jitter is always present, but large jitter is a major problem for voice and video traffic.

7. A is correct. Examples of congestion management QoS tools are CBWFQ and LLQ.

Hands-On Lab Practice Assignment

Configure SNMP

To complete this Hands-On Lab Practice Assignment, download the assigned Packet Tracer file from the book’s companion website and perform the lab on your locally installed version of Packet Tracer. For instructions on how to download and use the Packet Tracer files, see “Packet Tracer Hands-On Lab Practice Assignments” in the Introduction of this book.

Additional Resources

Simple Network Management Protocol (SNMP) Version 3

https://www.ajsnetworking.com/simple-network-management-protocol-snmp-version-3

Policing and Shaping

https://youtu.be/tEaLVpoayQQ

System Message Logging

https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SysMsgLogging.html
