Module 10: Network Management
10.1. Device Discovery with CDP
10.1.1 CDP Overview
CDP (Cisco Discovery Protocol) is a Layer 2 proprietary protocol used on Cisco devices (routers and switches) to gather information about directly connected Cisco neighbors. It operates regardless of the Layer 3 protocol (IP) running, making it useful for initial network mapping and troubleshooting.
10.1.2 Configure and Verify CDP
CDP is typically enabled by default globally on Cisco devices, but can be enabled or disabled globally using the 'cdp run' command. It can also be controlled on a per-interface basis using the 'no cdp enable' command for security or traffic control.
10.1.3 Discover Devices by Using CDP
The 'show cdp neighbors' command displays neighbor details, including the neighbor's hostname, local interface, neighbor's platform/model, neighbor's capabilities (e.g., router, switch), and the neighbor's interface. This information is crucial for quickly mapping the network topology.
10.2. Device Discovery with LLDP
10.2.1 LLDP Overview
LLDP (Link Layer Discovery Protocol) is a vendor-neutral (open standard) Layer 2 protocol that performs the same function as CDP: discovering devices on the network. Because it is an open standard, it allows interoperability and device discovery between equipment from different manufacturers.
10.2.2 Configure and Verify LLDP
LLDP is often disabled by default on Cisco devices and must be enabled globally using the 'lldp run' command. It can be controlled on an interface to send, receive, or both, using the 'lldp transmit' and 'lldp receive' commands.
10.2.3 Discover Devices by Using LLDP
The 'show lldp neighbors' command displays neighbor information, including the neighbor's chassis ID, local interface, neighbor's port ID, and neighbor's system name/description. This command is used to quickly and effectively map heterogeneous network topologies.
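Both 10.1.3 and 10.2.3 come down to turning neighbor output into a topology map. The following Python script is an added example (not code from the original page or from Cisco) that parses constructed 'show cdp neighbors' and 'show lldp neighbors' output into a common neighbor record, builds an adjacency table, and reports links that only one protocol sees. The sample output, the hostnames (R1, S1, R2, vendor-sw3) and the column layout are assumptions modelled on typical IOS output; a real capture may differ in spacing or truncated Device IDs.

```python
"""Added example: parse 'show cdp neighbors' and 'show lldp neighbors' output
into one neighbor table and compare the two views. Constructed sample data."""
import re
from dataclasses import dataclass

# Constructed sample output, not captured from a real device.
CDP_SAMPLE = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
S1               Gig 0/0/1         153             S I     WS-C2960  Fas 0/5
R2               Gig 0/0/0         155             R S I   ISR4321   Gig 0/0/0

Total cdp entries displayed : 2
"""

# Constructed: the same links seen by LLDP, plus a non-Cisco switch that CDP cannot see.
LLDP_SAMPLE = """\
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID           Local Intf     Hold-time  Capability      Port ID
S1                  Gi0/0/1        120        B               Fa0/5
R2                  Gi0/0/0        120        R               Gi0/0/0
vendor-sw3          Gi0/0/2        120        B               ge-0/0/7

Total entries displayed: 3
"""


@dataclass(frozen=True)
class Neighbor:
    device: str
    local_intf: str
    holdtime: int
    capabilities: tuple
    port_id: str
    platform: str = ""  # CDP reports a platform column; 'show lldp neighbors' does not


def normalize_intf(name):
    """'Gig 0/0/1', 'Gi0/0/1' and 'GigabitEthernet0/0/1' all become 'Gi0/0/1'
    so that CDP and LLDP rows for the same link can be matched."""
    m = re.match(r"([A-Za-z]+)\s*(\S+)$", name.strip())
    if not m:
        return name.strip()
    return m.group(1)[:2] + m.group(2)


def _data_rows(output):
    """Yield the table rows between the 'Device ID' header and the 'Total' line."""
    in_table = False
    for line in output.splitlines():
        if line.startswith("Device ID"):
            in_table = True
            continue
        if in_table:
            if not line.strip() or line.startswith("Total"):
                break
            yield line


def parse_cdp(output):
    """Columns: Device ID, Local Intrfce (two tokens), Holdtme, Capability
    (one or more single-letter tokens), Platform, Port ID (two tokens)."""
    rows = []
    for line in _data_rows(output):
        t = line.split()
        rows.append(Neighbor(
            device=t[0],
            local_intf=normalize_intf(" ".join(t[1:3])),
            holdtime=int(t[3]),
            capabilities=tuple(t[4:-3]),
            port_id=normalize_intf(" ".join(t[-2:])),
            platform=t[-3],
        ))
    return rows


def parse_lldp(output):
    """Columns: Device ID, Local Intf, Hold-time, Capability, Port ID (one token each)."""
    rows = []
    for line in _data_rows(output):
        t = line.split()
        rows.append(Neighbor(
            device=t[0],
            local_intf=normalize_intf(t[1]),
            holdtime=int(t[2]),
            capabilities=tuple(t[3].split(",")),
            port_id=normalize_intf(t[4]),
        ))
    return rows


def adjacency(local_host, neighbors):
    """Map (local host, local interface) -> (neighbor, neighbor port) for topology drawing."""
    return {(local_host, n.local_intf): (n.device, n.port_id) for n in neighbors}


def compare_views(cdp, lldp):
    """Local interfaces where only one protocol reports a neighbor. LLDP-only
    links usually lead to non-Cisco gear; CDP-only links are Cisco neighbors
    on which LLDP is not running."""
    cdp_links = {n.local_intf for n in cdp}
    lldp_links = {n.local_intf for n in lldp}
    return {"cdp_only": cdp_links - lldp_links, "lldp_only": lldp_links - cdp_links}


if __name__ == "__main__":
    cdp, lldp = parse_cdp(CDP_SAMPLE), parse_lldp(LLDP_SAMPLE)
    for link, peer in sorted(adjacency("R1", cdp).items()):
        print(f"{link[0]} {link[1]} <-> {peer[0]} {peer[1]}")
    print(compare_views(cdp, lldp))
```

Running this on the constructed samples lists R1's two CDP links and reports Gi0/0/2 as LLDP-only, which is exactly the interoperability gap 10.2.1 describes: the vendor-sw3 switch never appears in the CDP table.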
10.3. NTP (Network Time Protocol)
10.3.1 Time and Calendar Services
Accurate time synchronization is critical for all network operations, including security logging, troubleshooting, and forensic analysis. Incorrect time stamps make it impossible to correlate events across multiple devices.
10.3.2 NTP Operation
NTP is a Layer 4 (UDP port 123) protocol that synchronizes the clock of network devices to a centralized time source (NTP server). It uses a hierarchical structure called Stratum, where a lower stratum number indicates closer proximity to the authoritative source and therefore greater accuracy.
10.3.3 Configure and Verify NTP
Configuration involves identifying a reliable NTP server and using the 'ntp server ip-address' command on the client device. Verification is done using the 'show ntp associations' and 'show clock detail' commands to confirm synchronization status and source.
10.4. SNMP (Simple Network Management Protocol)
10.4.1 Introduction to SNMP
SNMP is an application-layer protocol used to exchange management information between network devices (agents) and a centralized NMS (Network Management System) server. It allows network administrators to monitor, manage, and troubleshoot network devices remotely.
10.4.2 SNMP Operation
The NMS sends GET requests to query device data, and the device's SNMP agent returns the requested information. The agent also uses unsolicited messages called Traps to alert the NMS of significant events.
10.4.3 SNMP Agent Traps
Traps are immediate, unrequested notifications sent by the SNMP agent to the NMS when a critical event occurs (e.g., interface failure, reboot). Traps are essential for real-time alerting and require less overhead than constant polling.
10.4.4 SNMP Versions
SNMPv1 and SNMPv2c use community strings for simple security and offer basic functionality. SNMPv3 is the most secure version, adding robust authentication, integrity, and encryption to protect management data.
10.4.6 Community Strings
Community Strings act as a password for SNMPv1 and SNMPv2c access, allowing read-only (e.g., 'public') or read-write (e.g., 'private') access to the device's MIB. They offer weak security as they are sent in clear text.
10.4.7 MIB Object ID
The MIB (Management Information Base) is a hierarchical database that defines all variables a device can manage or report. An Object ID (OID) is the unique numerical address used to precisely identify a specific piece of information within the MIB (e.g., interface status or CPU load).
10.4.8 SNMP Polling Scenario
Polling is the process where the NMS server periodically sends GET requests to devices to check their current status (e.g., every 5 minutes). This method provides a comprehensive, though non-real-time, view of the network's health.
10.4.9 SNMP Object Navigator
The Object Navigator is a tool or database used to look up and interpret the vast number of Object IDs defined in the MIB hierarchy. It helps administrators find the specific OIDs needed to monitor particular device metrics.
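To tie 10.4.3, 10.4.7, 10.4.8 and 10.4.9 together, here is an added Python example (not code from the original page, from Cisco, or from any SNMP library) that resolves numeric OIDs against a small table of MIB-2 names, the same lookup an object navigator performs, and then runs two polling cycles against a constructed in-memory agent. The agent, its OID values, the interface indexes and the 5-minute timing are all assumptions built for the example; the OID numbers themselves (mib-2 under 1.3.6.1.2.1, ifOperStatus under 1.3.6.1.2.1.2.2.1.8, linkDown/linkUp traps under 1.3.6.1.6.3.1.1.5) are the standard ones.

```python
"""Added example: resolve numeric OIDs against a small MIB-2 name table and
compare two polling cycles of a constructed agent. Not from the original page."""

# A handful of MIB-2 and SNMPv2-MIB names keyed by OID prefix. A real NMS or the
# Cisco SNMP Object Navigator loads complete MIB files; this is a tiny subset.
MIB_NAMES = {
    "1.3.6.1.2.1": "mib-2",
    "1.3.6.1.2.1.1": "system",
    "1.3.6.1.2.1.1.1": "sysDescr",
    "1.3.6.1.2.1.1.3": "sysUpTime",
    "1.3.6.1.2.1.1.5": "sysName",
    "1.3.6.1.2.1.2": "interfaces",
    "1.3.6.1.2.1.2.2": "ifTable",
    "1.3.6.1.2.1.2.2.1": "ifEntry",
    "1.3.6.1.2.1.2.2.1.2": "ifDescr",
    "1.3.6.1.2.1.2.2.1.8": "ifOperStatus",
    "1.3.6.1.6.3.1.1.5.3": "linkDown",
    "1.3.6.1.6.3.1.1.5.4": "linkUp",
}
IF_OPER_STATUS = {1: "up", 2: "down", 3: "testing"}
IF_OPER_STATUS_PREFIX = "1.3.6.1.2.1.2.2.1.8"


def resolve_oid(oid):
    """Longest-prefix lookup: '1.3.6.1.2.1.2.2.1.8.3' -> ('ifOperStatus', '3').
    The unmatched tail is the instance index (ifIndex here, '0' for scalars)."""
    parts = oid.split(".")
    for cut in range(len(parts), 0, -1):
        prefix = ".".join(parts[:cut])
        if prefix in MIB_NAMES:
            return MIB_NAMES[prefix], ".".join(parts[cut:])
    return None, oid


class Agent:
    """Constructed stand-in for a device's SNMP agent: an OID->value table plus
    the traps it would have sent (linkDown/linkUp from SNMPv2-MIB)."""
    LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"
    LINK_UP = "1.3.6.1.6.3.1.1.5.4"

    def __init__(self, values):
        self.values = dict(values)
        self.traps = []

    def get(self, oid):
        """Answer a GET request; an unknown OID is the noSuchName error case."""
        if oid not in self.values:
            raise KeyError(f"noSuchName: {oid}")
        return self.values[oid]

    def set_if_status(self, ifindex, status):
        """Simulate an interface state change: the table is updated and an
        unsolicited trap is queued the moment it happens."""
        oid = f"{IF_OPER_STATUS_PREFIX}.{ifindex}"
        if self.values.get(oid) != status:
            self.values[oid] = status
            self.traps.append((self.LINK_DOWN if status == 2 else self.LINK_UP, ifindex))


def poll(agent, oids):
    """One polling cycle: GET each watched OID and return the snapshot."""
    return {oid: agent.get(oid) for oid in oids}


def diff_polls(before, after):
    """Changes visible to the NMS between two cycles, with symbolic names."""
    changes = []
    for oid, value in after.items():
        if before.get(oid) != value:
            name, index = resolve_oid(oid)
            changes.append((name, index, before.get(oid), value))
    return changes


def demo():
    """Two polls (think 5 minutes apart) around a brief flap on ifIndex 3 and a
    lasting failure on ifIndex 2. Polling reports only the lasting change; the
    trap list records all three transitions."""
    agent = Agent({
        "1.3.6.1.2.1.1.5.0": "R1",
        f"{IF_OPER_STATUS_PREFIX}.1": 1,
        f"{IF_OPER_STATUS_PREFIX}.2": 1,
        f"{IF_OPER_STATUS_PREFIX}.3": 1,
    })
    watched = [f"{IF_OPER_STATUS_PREFIX}.{i}" for i in (1, 2, 3)]
    first = poll(agent, watched)
    agent.set_if_status(3, 2)   # ifIndex 3 goes down...
    agent.set_if_status(3, 1)   # ...and recovers before the next poll
    agent.set_if_status(2, 2)   # ifIndex 2 goes down and stays down
    second = poll(agent, watched)
    return diff_polls(first, second), agent.traps


if __name__ == "__main__":
    changes, traps = demo()
    for name, index, old, new in changes:
        print(f"poll: {name}.{index} {IF_OPER_STATUS[old]} -> {IF_OPER_STATUS[new]}")
    for trap_oid, ifindex in traps:
        print(f"trap: {resolve_oid(trap_oid)[0]} ifIndex={ifindex}")
```

The output makes the polling-versus-trap trade-off concrete: the poll diff contains one change (ifOperStatus.2 up to down), while the trap list also holds the linkDown/linkUp pair for ifIndex 3 that happened entirely between polls.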
10.5. Syslog (System Logging Protocol)
10.5.1 Introduction to Syslog
Syslog is a standard protocol used by network devices to send system messages and event notifications to a centralized logging server. Centralized logging is essential for troubleshooting, auditing, and security analysis as it provides a single location for chronological event data.
10.5.2 Syslog Operation
Devices (syslog clients) send messages using the UDP protocol (port 514) to the syslog server (syslog receiver). Messages can be directed to the console, terminal lines, internal buffer, or the external syslog server.
10.5.3 Syslog Message Format
A Syslog message contains a priority value (combining Facility and Severity), a timestamp, the hostname/IP of the sending device, and the message text. The Severity Level (0-7) indicates the urgency of the event (e.g., Emergencies (0) to Debugging (7)).
10.5.4 Syslog Facilities
Facilities categorize the source of the message (e.g., system alerts, interface messages, routing protocols). Examples include local7 (often used for debugging), security, and link (for interface-related events).
10.5.5 Configure Syslog Timestamp
It is crucial to configure timestamps on log messages to ensure proper chronological correlation of events across different devices. The command 'service timestamps log datetime' is used to enable date and time information in the log output.
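The message format in 10.5.3, the facility and severity fields in 10.5.4, and the timestamp correlation in 10.5.5 can all be shown on a few received lines. The Python below is an added example (not code from the original page or from Cisco) that decodes the priority value into facility and severity, splits Cisco-style messages into fields, checks that the severity digit in the %FACILITY-SEVERITY-MNEMONIC tag agrees with the priority, and orders the urgent ones by timestamp across two devices. The sample lines, hostnames (R1, S1), addresses and the exact on-disk line shape are constructed assumptions; the PRI arithmetic (facility * 8 + severity) and the 0-7 severity names are standard.

```python
"""Added example: decode the syslog PRI value, parse Cisco-style messages and
triage them by severity. Constructed sample lines; not from the original page."""
import re
from datetime import datetime

# Cisco IOS names for severity levels 0-7 (lower number = more urgent).
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# Syslog facility codes as numbered in RFC 3164; IOS sends to local7 by default.
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
            **{16 + i: f"local{i}" for i in range(8)}}

# Constructed sample lines in the shape a syslog receiver might store them (assumption):
#   <PRI>timestamp hostname %FACILITY-SEVERITY-MNEMONIC: text
SAMPLE_LINES = [
    "<189>Mar  1 00:12:34 R1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<187>Mar  1 00:12:36 S1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<188>Mar  1 00:12:35 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9]",
    "<189>Mar  1 00:12:37 S1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
MNEMONIC_RE = re.compile(r"^%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")


def decode_pri(pri):
    """PRI = facility * 8 + severity, so divmod recovers both fields."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_syslog(line, year=2024):
    """Split one received line into its fields; returns None if it does not parse.
    BSD-style timestamps carry no year, so the caller supplies one (constructed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    rec = {
        "facility": facility, "facility_name": FACILITY.get(facility, str(facility)),
        "severity": severity, "severity_name": SEVERITY[severity],
        "timestamp": datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year),
        "host": m["host"], "message": m["msg"],
    }
    mm = MNEMONIC_RE.match(m["msg"])
    if mm:
        rec.update(ios_facility=mm["fac"], mnemonic=mm["mnem"], text=mm["text"])
        # The digit inside %FAC-SEV-MNEMONIC should agree with the PRI severity.
        rec["severity_consistent"] = int(mm["sev"]) == severity
    return rec


def triage(lines, max_severity=4):
    """Keep messages at least as urgent as max_severity (4 = warnings) and order
    them by timestamp so events from different devices line up chronologically."""
    recs = [r for r in map(parse_syslog, lines) if r and r["severity"] <= max_severity]
    return sorted(recs, key=lambda r: r["timestamp"])


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(r["timestamp"], r["host"], r["severity_name"], r["mnemonic"], r["text"])
```

With the sample lines, triage keeps the failed login on R1 and the link-down on S1 and orders them by time even though they arrived out of order; without the timestamps that 'service timestamps log datetime' adds, that ordering would have to rely on arrival order at the receiver.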
10.6. Router and Switch File Maintenance
10.6.1 Router File Systems
Cisco routers use various file systems, primarily Flash memory to store the IOS image and NVRAM to store the startup configuration file. RAM holds the running configuration file that is actively in use.
10.6.2 Switch File Systems
Similar to routers, switches use Flash memory for the IOS image and NVRAM for the startup configuration. They also use a portion of the Flash file system to store the VLAN database file.
10.6.3 Use a Text File to Back Up a Configuration
The simplest backup method is using the 'show running-config' command and capturing the output via terminal emulation software (e.g., PuTTY) into a local text file. This creates a simple, readable backup of the active configuration.
10.6.4 Use a Text File to Restore a Configuration
A configuration is restored by pasting the saved text file (from Section 10.6.3) line-by-line back into the router's global configuration mode prompt. This overwrite method must be used carefully, as it immediately changes the active running configuration.
10.6.5 Use TFTP to Back Up and Restore a Configuration
The most robust method uses a TFTP (Trivial File Transfer Protocol) server to transfer files across the network. Commands like 'copy running-config tftp' back up the config, and 'copy tftp running-config' restores it, providing a reliable, network-based solution.
10.6.6 USB Ports on a Cisco Router
Modern Cisco routers often include USB ports that can be used for various maintenance tasks. A USB flash drive can be formatted and used as an external storage device for file backups and restorations.
10.6.7 Use USB to Back Up and Restore a Configuration
The USB drive is treated as another flash file system device (e.g., usbflash0:) within the router's file system. Files can be copied to and from the USB drive using the 'copy' command, similar to copying to or from the router's internal flash.
10.6.8 Password Recovery Procedures
Procedures exist to recover access to a device when the console password is forgotten. This generally involves interrupting the boot process and changing a configuration register value. This allows the device to boot without loading the startup configuration, enabling access to reset passwords.
10.6.9 Password Recovery Example
This topic provides a step-by-step example of the password recovery process, which typically requires physical access to the device and a console cable connection. It demonstrates how to bypass the saved configuration and then reset the secret/enable passwords.
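Because a text-file restore (10.6.4) applies each pasted line immediately, it is worth knowing beforehand what differs between the saved backup and what the device is running now. The Python below is an added example (not code from the original page or from Cisco) that strips the capture banner and '!' separators from two 'show running-config' captures and reports the lines that exist only in the backup or only in the current configuration. Both configurations are constructed samples, as are the hostname R1 and the addresses in them.

```python
"""Added example: compare a saved text backup of a running configuration with
a fresh 'show running-config' capture. Constructed sample configs."""
import difflib

# Constructed: a backup captured earlier with terminal emulation software.
BACKUP = """\
Building configuration...

Current configuration : 512 bytes
!
version 15.2
service timestamps log datetime msec
hostname R1
!
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
ntp server 10.0.0.254
logging host 10.0.0.50
!
end
"""

# Constructed: the current running configuration of the same router.
CURRENT = """\
Building configuration...

Current configuration : 540 bytes
!
version 15.2
service timestamps log datetime msec
hostname R1
!
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
ntp server 10.0.0.254
!
end
"""

# Lines that are not configuration commands and change from capture to capture.
NOISE_PREFIXES = ("Building configuration", "Current configuration", "!")


def config_lines(text):
    """Keep only real configuration lines: drop the capture banner, the byte
    count and the '!' section separators. Leading indentation is kept because
    it marks sub-mode commands such as interface settings."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith(NOISE_PREFIXES)]


def config_drift(backup, current):
    """Return lines present only in the backup and lines present only in the
    current config. Pasting the backup re-applies the former; the latter are
    not removed by a paste, since each pasted line is applied as a command."""
    diff = difflib.unified_diff(config_lines(backup), config_lines(current),
                                lineterm="", n=0)
    only_in_backup, only_in_current = [], []
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("-"):
            only_in_backup.append(line[1:])
        elif line.startswith("+"):
            only_in_current.append(line[1:])
    return {"only_in_backup": only_in_backup, "only_in_current": only_in_current}


if __name__ == "__main__":
    drift = config_drift(BACKUP, CURRENT)
    print("Lines a paste of the backup would re-apply:")
    for ln in drift["only_in_backup"]:
        print("  +", ln)
    print("Lines the current device has that the backup lacks:")
    for ln in drift["only_in_current"]:
        print("  ?", ln)
```

On the samples, the backup would re-add the 'logging host 10.0.0.50' line that someone removed, while the GigabitEthernet0/0/1 configuration added since the backup stays in place; reviewing both lists before pasting is the "must be used carefully" step in practice.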
10.7. IOS Image Management
10.7.1 Managing Cisco IOS Images
This topic introduces the processes necessary to back up and upgrade the Cisco IOS (Internetwork Operating System) software on routers and switches. Proper image management is crucial for maintaining security patches and adding new features.
10.7.2 TFTP Servers as a Backup Location
TFTP (Trivial File Transfer Protocol) servers are the standard, most common location for storing and distributing IOS images across a network. TFTP is simple but unsecured, so it should be used within a trusted network segment.
10.7.3 Backup IOS Image to TFTP Server Example
To back up the currently running IOS image from a device's Flash memory to a TFTP server, the command 'copy flash tftp' is used. This command requires specifying the filename and the TFTP server's IP address.
10.7.4 Copy an IOS Image to a Device Example
To upgrade or install a new IOS image, the 'copy tftp flash' command is used to transfer the file from the TFTP server to the device's Flash memory. This command is used for major IOS upgrades or to recover from a corrupted image.
10.7.5 The boot system Command
The 'boot system [filename]' command is used to explicitly tell the router which IOS image file (stored in Flash) to load when the device next reboots. This is essential after an upgrade to ensure the device loads the new image instead of defaulting to the oldest or wrong one.